HIPAABreachCyber SecurityHealthcare ITInformation SecurityPodcast

ProactiveIT Ep 16 – The Most Common HIPAA Breaches

By February 7, 2020 No Comments
Episode 16 the Most Common HIPAA Breaches

Episode 16 NIST Updates, What is Blockchain and How Will It Disrupt Business and the Most Common HIPAA Breaches

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus NIST Updates, What is Blockchain and How Will It Disrupt Business and the Most Common HIPAA Breaches

This is Episode 16!  

Intro

 Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

 Thanks for listening to this podcast.  Show us some love on Apple or Google Podcasts.  Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

Patch Tuesday Update:

Google Chrome 80.0.3987.87
Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation

Cyber Security News

Ashley Madison Hack Returns To ‘Haunt’ Its Victims: 32 Million Users Now Watch And Wait

Ransomware Attacks Hit Three Law Firms in Last 24 Hours

Louisiana Criticizes MSP Industry’s Security Practices; Employs MSSP

New EmoCheck Tool Checks if You’re Infected With Emotet

These Highly Exploited Vulnerabilities Indicate Organizations are Still Failing to Apply Patches

DoD to Require Cybersecurity Certification From Defense Contractors

HOT TOPICS

Topic 1:  NIST Releases Draft Guidelines To Curb The Ransomware Epidemic

Topic 2:  How Blockchain Will Disrupt Business

Topic 3:  What’s in your network? Shadow IT and shadow IoT challenge technology sensibilities

HIPAA Corner: 

The Most Common HIPAA Violations You Should Be Aware Of

Breache Report

https://www.hipaajournal.com/category/hipaa-breach-news/

Episode 16 the Most Common HIPAA Breaches PIN

Transcription

This is the ProactiveIT podcast this week the latest 19 cybersecurity news plus NIST updates. What is blockchain? And how will it disrupt business and the most common HIPAA breaches? This is Episode 16 Hi everyone and welcome to the proactive it podcast. Each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so you can better protect your business and identity. This podcast is brought to you by and watch tech a client focused and security minded consultant located in Central Connecticut, you can find us at and watch tech com that’s NW Aj tech.com. You guys know how I like to kick off the show each and every week Patch Tuesday update. But before we get to that, I want to thank everybody listen to this podcast again. Make sure you show some love and Apple, Google wherever you listen to this podcast, we really would appreciate any feedback you give us. Even the negative stuff if you have something negative to say maybe I talk too fast. Some people do tell me that. And, you know, just go in and show some love would really really be appreciated. Also go join the HIPAA compliance Facebook group just go to Facebook and search for get a book compliance with thankfully you guys didn’t catch that sneeze. There’s not a lot to report for Patch Tuesday just yet. Of course Patch Tuesday is this coming Tuesday? The only updates that were put out so far a Google Chrome updated to address a bunch of vulnerabilities. I think there was a total of 56 vulnerabilities. And they’re also starting to roll out some new cookie features. So you should be on Google Chrome at point 0.398 7.87. And in critical, I’m sorry, Cisco put out some, some patches for some critical vulnerabilities, which we talked about on the sister site. So you’ll want to take care of those as well. As soon as you can. So I didn’t get any questions this week to address on the show, so we’re going to hop right into the news. First up, Ashley Madison, this was reported on Forbes and I think I talked about it Monday, Ashley Madison hack returns to haunt its victims. 32 million users now watch and wait so called sextortion campaigns are on the rise. The usual methods are simple and highly Effective speiser threatening email with some personal details usually an email address, username and password from a random data breach, and claim to have videos or photos which will be emailed to friends, family and colleagues unless a Bitcoin ransom is paid, which should be the first indication that it’s fake. The advice is to ignore those emails. The threats are empty, as I just said. But what if the attacker did have the right kind of data? Which with which to threaten victims? That’s what has happened with the latest sextortion campaign to hit the headlines. It appears that attackers have crafted crafted a campaign around data pulled from the infamous Ashley Madison hack in 2015. I can’t believe it’s been five years already. Back then hackers calling themselves the impact team stole 32 million records from users of the world’s leading extramarital affair. So as data sets go, this is one that’s tailor made for extortion. According to vade secure the Ashley Madison breach is coming back to haunt users in the form of highly personalized extortion scam. The email sent to victims of the breach are littered with personal data From breach yourself given the nature of the site, these emails are highly personal and embarrassing and revisit a scandal that led to feeling breakdowns and even suicides in the immediate aftermath. The victims are given a limited amount of time to pay a Bitcoin ransom worth around $1,000. The demand is the password protected PDF attached to the email, a document that has a unique QR code and additional details from the breach, all designed to force the victim to respond as January 31. Report vade secure says that in the last week alone, it has detected several hundred examples of the extortion scam primarily targeting users in the United States, Australia, India. I didn’t know Ashley Madison was a worldwide thing. So I mean, this again just goes to show you and I’ve seen in the past. So the the software we use to the service we use to check to see if a client has been breached in the past will come back and say what breach it was and you’ll see sometimes CEOs and C level executives have been breached through the Ashley, Ashley Madison breach, their information was included in that breach. And so I have to share this information with the client. I mean, I don’t know it’s you, you’re putting your foot in the fire if you go on sites like that, because you never know what could happen. And you never know the damage it will cause because that these type of things can cause a lot of damage in your personal life and your in your professional life. That being said, these emails are not uncommon. I’ve gotten these emails where they, you know, they claim to have personal details about me and threatened to release it to the public. And if I don’t pay up those emails or fake ignore them. They usually wind up in my spam folder, so I almost never see them anyway. The fishing or the fishing software catches it. But if you get them, ignore them This was on last sites. This was on Monday I reported this but so it’s a little dated in the sense that it says ransomware attack hit three law firms in the last 24 hours. That was late last week. So in total five US law firms three in the last 24 hours have been among the companies and organizations targeted by new round of ransomware attacks. In two of the cases, a portion of the firm stolen data has already been posted online, including client information. So if that is not a case, to secure your law firm even more than I don’t know what is this according to Brad Calloway threat analyst with me MC soft, a cyber security company that is also an associate partner in the no more ransomware project and initiative between multiple law enforcement agencies and the private sector. hackers have stolen data from at least five law firms using the threat of releasing the data to extort payment from the firm’s callo said in a two cases in which hackers already posted law firm data, they publish it to it, they publish it on the clear web where can be viewed by anybody and as you probably are aware, you are now going to be in a lot of trouble with with the Bar Association and anybody that oversees law firms. The hackers are using the so called mes ransomware, which we’ve talked about several times on the show, which was the subject of a warning issued to companies earlier this month by the FBI earlier this week, Ars Technica reported that victims of maize ransomware attacks have included a grocery chain a CPA firm in a college so known as safe. Hackers infiltrate a system to hackers infiltrate systems using email with malicious attachment again phishing, as 90% of all ransomware attacks to start callo said he does not know the exact nature of the emails being used against law firms, but he assumes they’re being crafted in such a way that lawyers are likely to open them or law firm staff. Their modus operandi is to initially name the companies they’ve hit on their website. And if that doesn’t convince the companies to pay to publish a small a small amount The data as proofs, this makes sense calissa. The more data that post and more sensitive data is, the less incentive an organization has to pay to prevent the remaining data being published is the equivalent of a kidnapper sending a pinky finger. If that’s an interesting analogy, if the organization still doesn’t pay the remaining, the remaining data is published sometimes on a staggered basis. This is the case with southwire right now and they were also hit with ransomware. So the southwire they demanded 6 million from southwire. Software said no and little by little there continue to release data for them. This is an mssp alert kind of a I mean, kind of a scathing comment on my industry msps but I’m sharing it because it does highlight something that needs to be highlighted. Louisiana criticizes MSP industry security practices, employs mssp so the difference so you know, MSP is managed service provider ssps managed, service managed security and services provider, I believe The focus is security managed security services provider. Yeah. And the reason they did this is because they felt like msps were not doing their job so I’ll read the article. Many msps that is managed well they put managed IT services provider are dropping the ball on cyber cyber security leaving elections open to the threat of cyber attacks Louisiana Secretary of State Kyle are don’t warn pure government leaders on January 31, or don’t call out MSP security weaknesses multiple times during a meeting of the National Association of Secretaries of State, according to state schools are doing the report says alleged that many msps aren’t properly emphasizing security to the government clients are and don’t properly secure the remote monitoring and management software tools. He specifically pointed to msps that fail to activate two factor authentication. I’m hoping at this point they all have but I don’t know amid the alleged MSP industry shortcomings dones statewide office leverages in mssp for prevention and detection services. Louisiana’s commitment to mssp engagement is easily explained, the state has offered multiple ransomware. And cyber security attacks across has suffered sorry, multiple ransomware and cyber security attacks across numerous municipalities and government agencies. And so that’s true Louisiana has been hit a couple times in the last year. New Orleans was hit. So that is true. And it is good possibility that whoever was helping them, MSP or whoever did not have two factor authentication or not. However, the statement that says, so I’m ad libbing now, the statement that says, aren’t properly emphasizing student cybersecurity to the government clientele. I can tell you from experience that a lot of times you will say we need to do this, this and that. And this is what it’s going to cost and the business or in this case, the municipality will balk at it and say, no, we’re not doing that. We can’t afford it. And municipalities, no tourism We don’t have a lot of money to spend. So they say, on on these types of things. And so if I go in and I say, you know, we need to do some fishing education, we need to turn on this kind of service and that kind of service, and they don’t want to do it. Some msps will walk away from it. Some of them some of them will not, and will take it because they want the income and you’re now putting your reputation at risk. So I’m there and then there’s some comment from Ryan weeks, who’s the Cisco at data, MSP industry improve or face new regulations. Although the MSP industry has made some progress on the cyber security front, more progress is needed according to data cisos Ryan week’s data is an MSP focused provider of data protection, networking, it monitoring and business automation solutions and we we are partnered with data so if you’re an MSP You Need to Know thyself know that data fooled and know that enemy weeks told mssp alert during a pochi con 2020 calm Last week in Tampa, Florida organized by purchased security and MSP work to gain that cyber security expertise. They must also all work to offer a unified industry front against attackers weeks at if the MSP industry doesn’t make more progress on the unified security front, the industry could wind up facing new government regulations and compliance requirements. Weeks also warns, and I can see that happening. So I could definitely see the government stepping in and it’ll take some time. But the government might step in and say what this needs to happen that needs to happen. You need to have these kind of certifications. As a matter of fact, I’m going to talk about something along those lines in a minute. Still week sees progress from vendors and MSP like for instance, data rolled out mandatory two factor authentication services to msps in January 2020 notes will share additional thoughts from our time with weeks soon. All right, I’m on bleeping computer, new email check tool checks if you’re infected with email tech. So we’ve talked a lot about email tell we even featured it Maybe two weeks ago or last week, I’m not sure but he will turn is probably the most dangerous malware infection that’s out there right now. And if we take ransomware out of the picture, this is probably the most dangerous so a new utility has been released by Japan CRT, CRT computer emergency response team that allows Windows users to easily check if they’re infected with email to Trojan email tetrode and was one of the most actively distributed malware that is spread through phishing emails and malicious Word document attachments. These emails pretend to be invoices, shipping notices account reports, holiday party invites and even information from Corona virus in the hopes that you will be enticed or tricked into opening the attachment. So I’m going to stop right here and tell you if you get an email in the subject line is something about the corona virus, delete it, the CDC and other agencies are not proactively sending out coronavirus alerts. Once installed, the motet will utilize the effective computer to send further spam to potential victims and also download other malware onto the computer emulator is particularly dangerous as it commonly downloads and installs the trick bot banking Trojan which still save credentials, cookies, browser history, SSH keys and more wallet attempts to spread to other computers on the network. If the network is of high value trip out will also open a reverse shell back to the ransomware operators who will encrypt the network as a final payload. Due to the severity it is important that victims quickly find to remove the email to children before it can download install other malware onto infected computers using email check to check for email tech Trojan when the motor is installed by malicious attachment it will be stored in a semi random folder under local data app. It is semi random because it will not use random characters but rather a folder named built out of two keywords from the following list and then there’s a list of keywords here. I’m not going to go through the whole list as you can see what was installed under the symbol guild folder, which is a combination of the words from the list above. So symbol, and then g UID. To check if your effect with imitate, you can download the image activity from the Japan cert. GitHub repository Once downloaded extract zip files. And so then there’s instructions on how to to run this tool. But I think it’s quite useful for enterprise businesses, small business, all businesses or anybody really, to just make sure you don’t have email to existing on your network or on your devices. Because it will cause a lot of damage if it’s not taken care of. And it will continue to spread. I’ve said it before and I’ll say it again, the only way we’re going to stop ransomware is to not make it profitable for the people doing the ransomware attacks. So until that happens, then we’re not going to see any improvement and then if we’re not doing anything to stop It to stop the the profit from it, then we’re just contributing to the continued success of ransomware attacks and in what said is not ransomware. But as you heard it does, as a final payload install the right grant somewhere on site where these highly exclusive vulnerabilities indicate organizations are still failing to apply patches. So six of the highly explosive vulnerabilities from 2019 were repeated from the previous year, all the repeated exploited vulnerabilities affect various Microsoft products, which is not exactly true. I’m going to go through the list. So it’s interesting, isn’t it a list there’s 10 List of commonly excluded flaws. It doesn’t say that a top 10 but it says the 10 of the 10 of commonly excluded flaws. And it’s insane because as you’re going to hear, these are not new. There’s only one from 2019 that’s number five on the list, and that’s Microsoft Internet Explorer. And as I said, an Instagram posts The we should not be using Internet Explorer and you should be applying the patches as soon as they roll out. So you have Internet Explorer on your computer even though you should be using edge at this point. But you should be patching it but not using it, don’t use it. Then we go back to 2018 and suits those 2018 there’s one to two flaws for Adobe Flash Player. So why are we using Flash Player and another one for Microsoft and an explorer and then one for Microsoft windra Then we have 2017 Microsoft Office Microsoft Office 2015, Microsoft Internet Explorer again. Oh, and I’m sorry, in 2017, another one for Internet Explorer and in 2012. So we’re going eight years back we have one for Microsoft Office, which means you use an either office 2007 or 2010 unite in We’re in 2020 so you’re not using the latest version of Office and you’re you’re putting your your business your personal data at risk because I’m sure eight years later, the exploit for Microsoft Office CVE 2012 dash 0158 I’m sure is not a hard exploit to use. Alright, last bit of news we have do do require cyber security certification from defense contractors. So as I mentioned earlier, you might get to see more regulation. And here’s an example of that. So for department of defense contractors, they’re going to be requiring a cyber security certification for anybody who’s working with them and this is on bleeping computer. The United States Department of Defense announced that defense contractors will have to meet a basic level cybersecurity standards when replying to a government acquisition programs request proposal by 2026. So six you have six years to get this guy’s the cybersecurity Maturity Model certification framework version 1.0 was released on January 31. And it is unified security standard from the Department of Defense. Cyber cyber requirements for some crack church. Some contractors will appear later this year and by 2026, all new God contracts will come with a new CMC CMC requirements. Do these on Undersecretary of Defense for Acquisition and sustainment. Ellen M. Lord set with the introduction of CMC to God wants to enhance the protection of supply chain unify you supply chain unclassified information, federal contract information and controlled unclassified information. By increasing the defense industry industrial base subcontractors. Cyber Security readiness to CMC, provides the Department of Defense with the straightforward mechanism designed to make it easier to certify the cyber readiness of largest mall defense contractors using five levels of certification that focus on both cybersecurity practices and processes. So the article does link to the actual document for the CMC, you can go check that out is how many pages is this document? I don’t think it was that big pharma Yeah, 28 pages. So go check that out. It is available for your reading pleasure. If you saw our inclined learn something learn what the Department of Defense I mean even if you don’t contract to the department, defense, Department of Defense, then it’s it’s still a good thing to to see what they’re looking at because what they’re looking at is what what the whole industry should be looking at. So here are the five levels that measure so CMC model with five levels measures cybersecurity maturity, to have level one is performed basic cyber hygiene level two is documented intermediate cyber hygiene, hygiene and we should be documenting everything everybody, level three, manage good cyber hygiene. level four reviewed, proactive Which is where we should be proactive management not reactive, level five, optimizing, advanced and progressive. So again, go check that out and love to hear what your thoughts are on that. And that is going to do it for the news. So let’s jump into our hot topics in the first one is once again the NIST. So if you don’t know what news stands for its National Institute of Standards and Technology. Now they do a lot not just in technology that do not just in the IT world. They will also work with HHS on HIPAA stuff and I actually was going to review one of the documents from NIST as it relates to HIPAA, the HIPAA Security Rule and decided not to do it this week, because it’s a huge document. So I need to condense it somehow, but we’re going to talk about it Maybe next week. But they do a lot in the technology world. So again, it’s the National Cyber, I’m sorry, the National Institute of Standards, and technology. And that’s NIST and is team. So NIST released his draft guidelines to curb the ransomware epidemic. So you can see there are groups now that are working to sort of mitigate the problem with ransomware. I don’t know what is going to work again, as I’ve said, until we can make it not profitable for the attackers it’s going to continue. The first data are the first draft of data. In the first draft on data integrity and protection is a guide to better identify and protect it assets from data integrity attacks. The second document shares advice on improving the detection and mitigation of ransomware attacks. Recently, the National Institute of Standards and Technology unveiled practice guidelines to protect the confidentiality, integrity and availability. That’s known as the CI A triad of data in an enterprise NIST cyber National Cybersecurity Center of Excellence developed a to draft practices guidelines, which are linked in the article this articles on cyberware modern ransom where students can move around the system while interacting with applications such as Microsoft Active Directory, and encrypting backward backups today’s attacks prompt authorities to look at the entire network and enterprises and understand what their threat represents. NIST is in its draft has attempted to address current issues including how to implement vulnerability management as well as network protection and awareness throughout the entire IT infrastructure. So the the NIST draft guidelines were released in a view of increasing threats from ransomware in the adoption of new tactics by threat actors in the last couple of years. The drafts offer updated advice and best practices on how to minimize the impact of a ransomware attack. So NIST has earlier developer and software related guidance to the present drops focused on The entire lifecycle of a data integrity attack, and includes steps on how to implement backups tied to secure storage capabilities use network protection and inventory assessments. So that’s a really valid point. I know a CPA who was using you know, the, the external hard drive connected to USB to their computer to to as a backup, which is a good secondary backup, I guess. Just because it’s easily easier to restore from, but where they were hit with ransomware, and that drive was also encrypted. It also suggests how and what policies to create a to help ensure endpoints are safeguarded. Just researchers have reportedly referred to significant ransomware incidents from the past few years, including the wanna cry attacks of 2017 to map out protection tips for enterprises. So you may remember the wanna cry. outbreak in 2017 us didn’t really get it too bad but the rest of the world did you remember the resolution was somebody registering a domain. But anyway, an overview of practice guidelines. The first draft on data integrity in protection is a guide to better identify and protect it assets from data integrity attacks, including ransomware. It also contains two key insights or reference designed to acts as a technical blueprint for action items, and a guide to commercially available technologies that create more robust security controls for network. There’s a how to guide on implementing best practices as well. The second document shows advice on improving the detection and mitigation of ransomware along with other security issues within their infrastructure indicates how integrity monitoring, event detection, reporting capabilities, vulnerability management and mitigation and containment can be implemented within IT infrastructure. So I have downloaded the PDFs and we’ll be reviewing them. You should also do the same at some point because it will again it will help you strengthen your Standing within the technology world, they are not small documents. They’re very large documents. So let’s see, I’m looking at one now it’s 521 pages. And the other one is didn’t open for me. Oh, there’s a 565 pages. So you’re looking at 1100 pages of reading. So it’s not light reading, but check it out nonetheless. And of course, all this will be linked in the show notes so you’ll have access to it. Moving along, we have I have a couple of articles from Xena. I did not get a chance to do a blog post this week. It’s been a crazy week for me. So we’re going to use some content from Zd net. First one how blockchain will disrupt businesses so first of all, let’s define blockchain. blockchain is a growing list of records that they that are called blocks that are linked to using cryptography each block in cryptographic hash of the previous block at timestamp and transaction data by design in blockchain is resistant to modification of data. That is the Wikipedia definition. blockchain has the potential to rewrite the economy and change the balance of power across industries. It also has specific uses for enterprise. Research blockchain must overcome hurdles before becoming a mainstream technology. A recent tech Republic premium poll shows that while 87% of respondents think blockchain will positively positively impact the industry only 10% actively use it. And so I’m going to tell you I don’t actively use it myself at this point. But we like blockchain at least that’s the takeaway from a recent techrepublic Premium survey, where the majority of respondents 87% stated that blockchain will have a positive effect on the industry and 27% indicated a very positive effect. However thinking something and actually doing are two different actions despite the enthusiasm for the technology, only 10% of the respondents actively use blockchain at their company. blockchain appears at 13% of strategic roadmap for respondents organizations compared to 7% in 2018. So, which industries will blockchain most likely impact it and technology was chosen by 58% of respondents with professional services including finance, insurance, legal and consulting a close second of 56%. Rounding out the top five sided industries where logistics and transport healthcare and retail and wholesale what needs to happen for widespread adoption of blockchain? Two thirds of respondents indicated that the need for a clearly stated business use case a cryptocurrency operated by government entity was suggested by 35% in response, while company controlled crypto concern was currency was favored by 20%. And then there is a says the infographic below but there’s others a link to an infographic with blockchains and business. Where are we No predictions for the next decade. I’m sorry, that’s a link to an article. There is no it says there’s an infographic but there is not one. So, the point is, I think more there needs to be more understanding of what blockchain can do. And I think that’s where we’re at right now. There needs to be a better understanding among business owners and even those in technology of what it can do and how it can be utilized to benefit of the business and of our personal lives. And that’s, that’s that remains to be seen. You’re going to see it is going to continue to grow them. Next up, we have also NZD net what’s in your network shadow IT and I don’t know if you’ve ever heard the term shadow IT and shadow IoT challenge technology sensibilities so shadow it has been around for a little while. But shadow IT something a little, a little newer a couple years ago. I Oh, That is, a couple years ago, a survey found most CIOs thought they had roughly 30 to 40 apps running within their enterprises. But researchers a semantic estimated that the average enterprise actually had at least 1500 and 16 applications. So that’s a huge gap. And number that has doubled over three year period. So what that means is, you get a if you get a laptop from your business, your company you work for, and you have the applications, you’re required, let’s say, you know, Microsoft applications, couple of our internal applications you need for your job and so forth. But then you install an application on the laptop because it helps maybe do your job a little easier, or it helps you to, maybe you just install Pandora or something, you know, whatever. Those are, those are the shadow IT apps, those applications that the infrastructure the business might not be aware of. And it becomes a problem when there’s a vulnerability. It’s not the CIOs are naive. It’s just that shadow IT difficult thing to measure since employees pull down apps outside the official channels and off budget sheets to some degree, it’s even pop. Purposely overlooked, condoned, or even encourages employees need the right tools to do their jobs. And it can’t always be there. Now it appears CIOs are battling shadow it on two fronts. There’s the user initiated apps and clouds and there’s something more insidious shadow IoT. User initiated shadow it continues unabated. It may be hard to measure shadow it of course in one vendor. One password recently went outside of enterprises serving a representative sample of 2119 us adults who work in an office with an IT department. The certifying 64% of the respondents report they were that they have created at least one account in the past 12 months that their IT department doesn’t know about for close to one third 32% this was one shadow account. Well 52% report creating between two and five accounts that their IT department doesn’t know about for 16% itali exceeded five accounts Security is often an afterthought with passwords shared between end users in an informal fashion. The use of shadow it by business and users has mixed benefits. Since security issues abide. They may be empowering and productivity, enhancing, however IoT may not be so forgiving. So if you don’t know, IoT is Internet of Things. Those are like smart light bulbs and smart refrigerators and new Alexa and your Google Home, things like that. And we’re just starting to comprehend the scope of it research from infoblox shows that most enterprises 78% had more than 1000 connected devices on their corporate networks in 2019. This may include laptops or tablets supplied or managed by the company. More than a quarter 28% of respondents reported having 1000 to 2000 devices connected well almost half 40% of organizations have between two and 10,000. About 80% of IT leaders revealed that they have identified shadow IT device IoT devices Such as unauthorized wireless access points, or that’s another big one. I’ve seen that in almost every job I’ve held over the last 20 years connected to the infrastructure at least 46% have discovered up to 20 shadow IoT devices on their networks over the past year, and more than a quarter 29% of organizations so I’m more than 20 some saw as many as 50 IoT devices present a huge attack source surface recently researchers at checkpoint identified smart light bulbs, I just mentioned that which are likely to installed in mass with little oversight from IT managers as an easy point of entry for hackers. So we reported that on the the product of it cyber security daily yesterday it that that there was a vulnerability discovered and most, it appears most organizations are taking a risk very seriously and as a result have put policies in place to safeguard against external threats 89% at least have some Some type of security policy in place for personal IoT devices connected to the network. The authors of the infoblox report also suggest under understand the changing ecosystem because the risk ecosystem is changing at such a rapid pace organizations must change their security habits to match it managers must stop and consider the wider changing needs of the business rethinking the approach to network security will ensure organizations are always one step ahead of cyber threats. So as an example, let’s say you do have smart light bulbs in your business, they need to be segmented, you could just start with that IoT devices should be segmented, if they’re being if you know they’re there. If they’re not there, then that’s where the policies come in place and you need to address it and nip it in the bud so to speak. Alright, that wraps up our news. We’re going to move on to our HIPAA education for the week. Alright, let’s get into our HIPAA education piece. And this week we’re going to talk about the most common HIPAA violations you should be aware of. And the reason I chose this this week is because if there’s some awareness, then you’ll have an idea of what to look for in your environment to help you stay HIPAA compliant. So here’s the 10 most common HIPAA violations number one snooping on healthcare records, accessing the health records of patients for reasons other than those permitted by the Privacy Rule, treatment payment and healthcare operations is a violation of patient privacy. snooping on healthcare records of family, friends, neighbors, co workers and celebrities is one of the most common HIPAA violations committed by employees. And we’ve talked about a few of those probably one of the most popular ones was Jason Pierre Paul, a few years ago when he he blew up a firework in his hand. But it does happen quite a bit. University California Los Angeles health system was fined 865,000. for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had access to medical records of celebrities and other patients without authorization. Dr. cooping Zoo access to records of patients without authorization 323 times after learning that he would soon be dismissed doctors who became the first healthcare employee to be jailed for HIPAA violation, it was sentenced to four months in federal prison. Number two failure to perform an organization wide risk analysis and I see this a lot. Failure to perform an organization wide risk analysis is one of the most common HIPAA violations to result in financial penalty. If the risk is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality confidentiality, integrity and availability of pH I exist. risks are therefore likely to remain on addressed leaving the door wide open to hackers HIPAA settlements with the covered entities for failure. conduct an organization wide risk assessment include Oregon Oregon Health and Science University $2.7 million settlement for lack of enterprise wide risk analysis, cardio net 2.5 million for incomplete risk analysis and lack of risk management processes. cancer cure group 750,000 sentiment prefer to conduct an enterprise wide risk analysis in the hospital and Medical Center 850,000 sentiment for failure to conduct an organization wide risk assessment what other violations number three failure to manage security risk lack of risk management process kind of an extension of number two. Performing a risk analysis is essential but it could not but it is not just a checkbox item for compliance risks that are identified must then be subjected to risk management process they should be prioritized and addressed in a reasonable reasonable time frame knowing about risk to pH I and failing to address them are one of the most common HIPAA violations penalised by the Office of Civil Rights and your Here’s some of the settlements, Alaska Department of Health and Human Health and Social Services $1.7 million, the University of Massachusetts Amherst 650,000, Metro community provider network 400,000 in Anchorage, community mental health services 150,000, what is going on in Alaska? So I’m going to tied it up a little bit. So you do the risk analysis, you find the risks, then you manage and fix them. And then you have to do another risk analysis. So it’s you’re not done their failure to enter into HIPAA compliant business associate agreement, and we talked about this quite a bit. Don’t wait, the failure to enter into a HIPAA compliant business associate agreement with all vendors that are provided with or given access to pH eyes another The most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised from the omnibus final rule. And we’ve talked about the omnibus and another episode I will link it in the show notes. Notable settlements for those HIPAA violations rally Orthopedic Clinic, Pennsylvania. Pa of North Carolina 750,000 settlement further failure to execute a HIPAA compliant business associate agreement. North Memorial Student Health Center North Memorial healthcare of Minnesota 101.55 million settlement for failing to enter into a BA with a major contract with other HIPAA violations. Care New England health system 400,000 settlement for photo update business associate agreements insufficient GPH I access controls. HIPAA security rule requires covered entities and business associates to limit access to EPA Chai to authorized individuals failing to implement appropriate EPA access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties. Those include anthem was fined $16 million for access control failures and other serious HIPAA violations. Memorial health care system 5.5 million for insufficient DPH access controls Texas Department of Aging and Disability Services 1.6 million for risk analysis failures access control failures in information system controls, monitoring failures. University of California Los Angeles health systems 865,004 failure to restrict access to medical records pagosa Springs Medical Center $111,400 for failure to a terminal access to pH I afternoon ployed termination and a lack of business associate agreement. Failure to use encryption or equivalent measure to safeguard EPA Chai portable devices and we’ve talked about this extensively to one of the most common methods of preventing data breaches is to encrypt pH I breaches of encrypted pH I or not reportable security incidents unless they the key to decrypt that data is also stolen encryption is not mandatory under HIPAA rules, but it cannot be ignored. If the decision is taken not to use encryption and an alternative equivalent security measure must be used in a Police recent settlements for affiliate to safeguard pH I, Children’s Medical Center of Dallas 3.2 million civil monetary penalty for failing to take action to address known risks, including the failure to use encryption on portable devices, Catholic health care services of the Archdiocese of Philadelphia 650,000 for failure to use encryption to failure to conduct an enterprise wide risk analysis and to manage risk. If you do the risk analysis, then you find the devices that are not encrypted. you encrypt them, you’re managing the risks. So you see how those all tied together. I’m exceeding the 60 day headline for issuing breach notifications. This happens so often. The HIPAA Breach Notification rule requires covered entities to issue notifications of breaches without unnecessary delay and certainly no later than 60 days following the discovery of data breach. Exceeding that time frame is one of the most common type of others violations which has seen two penalties issued this year. So presence health was pending. Lies $475,000 and co pilot provider support services $130,000 settlement with New York Attorney General for delayed breach notifications. I think it was president self. I’m not 100% sure, but one one covered entity was going back and forth with who actually needed to be notified and that’s why it took them so long impermissible disclosures of protected health information. Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing pH to patients employer potential disclosures following the theft of or loss of own encrypted laptop computers careless handling of pH I disclosing pH I unnecessarily not adhering to the minimum necessary standard and closures of pH I disclosures of pH if to patient authorizations have expired. And here’s the list of some of those penalties Memorial Hermann health system $4 million for disclosing a patient’s PhD and a press release. NewYork Presbyterian 2.2 million penalty for filming patients without consent. Massachusetts General Hospital 550,000 515,000 for the same thing, Luke’s Roosevelt Hospital Center $387,000 for careless handling of pH I disclosure of patients HIV status to their employer, Brigham and Women’s Hospital 384,000 for filming patients without consent, Boston Medical Center for 100,000 for filming patients without consent. Improper disposal of pH I this just we just talked about one of these the other day when physical pH I and E pH are no longer required and retention periods have expired. HIPAA rules require the information to be securely and permanently destroyed for paper records. This should involve shredding or pulping and for a pH to securely wiping or destroying the electronic devices on which the pH I store to prevent permissible disclosures Parkview health hundred thousand four affiliate to securely disclose a paper records containing pH I or no prescription pharmacy a pharmacy got fined 125,000 for proper disposal of pH I file facts Inc 104 defunct business over improper disposal of medical records. Denying patients access to health records exceeding timescale for providing access we’ve talked about this one HIPAA rule provides gives patients the right to access their medical records and obtain copies on request. This allows patients to check the records for errors and share them with other entities and individuals denying patient copies of their health records overcharged for copies are failing to provide those records within 30 days as a violation of HIPAA. While this is not one of the most common HIPAA violations, which are the financial penalty OCR has stated it will be cracking down on on this aspect of non compliance in 2019. It’s now 2020. There may have been one or two cases the show not sure there’s one listed here Cigna health of Prince George’s County 404.3 million penalty for denying patients access to their medical records. Common HIPAA violations by healthcare employees snooping on healthcare records is fairly obvious HIPAA violation and one that all healthcare employees who have received HIPAA training should know is a violation of their employee policy and HIPAA rules, and yet it happened at least three or four times last year. Other common HIPAA violations often come as a result of misunderstanding about HIPAA requirements. While each of these common HIPAA violations affect far fewer number of patients than above violations, they can still cause a significant amount of harm to the patients evolved into their employer. It can also result in disciplinary action against the employee responsible, including termination in most cases that’s exactly what happens listed below and some of them have seen jail time now. This to blow are some of the common HIPAA violations committed by healthcare employees. So I’m just going to skim these emailing EPA China personal email accounts are moot and removing PhD from a healthcare facility leaving portable electronic devices and people were kind of tended releasing patient information to unauthorized individual reducing patient information without authorization, disclosures of Ph. Third parties after expiration of their authorization, impermissible disclosures, a patient health records, downloading pH onto unauthorized devices in providing unauthorized access to medical records. So those should give you an idea of what to look for in your environment and make sure that you’re not putting your healthcare practice at risk and you know, causing undue harm to your practice into your patients. Again, it is about patient care, not about the dollar. It’s about patient care. And we’re going to talk about our HIPAA breaches next. Alright, it’s time for the breach report. We have believed there were seven Total this week reported so let’s just go through the list no particular order village center of village center for cure DBA village care rehabilitative and nursing Center, the RNC and village Senior Services Corporation DBA village care Max vcm x VC max have fallen victim to a business email compromised. Attack bc attacks involved the impersonation of an executive is using the executives genuine email account compromised in a previous attack or by spoofing the executives email address and unauthorized individual pretending to be a member of the executive team requested sensitive information on VR and see patients and VC max members. believing the request to be legitimate the employer responded or provided the information as requested. vc maximum VR and C were alerted to potential bc attack on or around December 30 2019. The investigation confirm the request was not genuine and sensitive information on VR and see patients and VC max members had been impermissibly disclosed. information sent via email included the names of Medicaid ID numbers of 2600 45 Vc max members in the first and last names, dates of birth insurance provider names and insurance ID numbers of 674 Vrn. see patients. There have been no reports of misuse of personal information but all affected individuals individuals have been advised to be vigilant and check accounts, credit reports and Explanation of Benefits statements for signs of fraudulent activity. We see Max and br NC are reviewing and enhancing their policies and procedures to prevent further attacks of this nature in the future. 1800 and 60 individuals impacted by phishing attack on Phoenix Children’s Hospital. email accounts have seven employees. Seven is a lot of employees to be fish that means there’s no fishing program in place there. A Phoenix Children’s Hospital have compromised have been compromised as a result of targeted phishing campaign between September 5 and September 20 of 2019. Upon discovered the breach, a leading computer forensic firm was engaged investigate, investigate the extent of the breach. The hospital learned on the Number 15 that compromised accounts containing the pH information of 1800 and 60. current and former patients, which may have been viewed or obtained by attackers. The accounts were found to contain patient names personal information and some individuals limited health information and social security numbers. On January 14, Phoenix Children’s Hospital started notifying effective patients by mail, compliment and credit monitoring and identity theft. protection services have been offered to patients whose social security numbers were potentially compromised. We have on November 21 2019, funding orthopedic group in association of private orthopedic surgeon surgery practitioners in Houston and surrounding areas experienced a cyber attack that affected certain parts of its IT system and its substitute breach notice posted on its website the incident was described as malware attack that damaged the medical records of certain patients prompt action was taken to contain the infection and its symptom system We’re restored however the medical records corrupted by the malware could not be recovered and have been permanently lost. encrypted records including patient name, address, phone numbers, health insurance, information and diagnosis and treatment information all patients affected by the incident work. current or former patients of Dr. k Matthew warrant Warnock third party forensic as third party forensic investigators were engaged to assist with the investigation of found no evidence of unauthorized data access or exfiltration of data. Fondren orthopaedic group is reviewing data security policies and procedures and will be enhancing its security protocols to improve resilience to malware attacks affected patients have been notified in form that they need to complete new patient forms and supply details of their medical histories when they next visit Dr. Warnock the cyber attack has been reported to HHS. OCR the breach summary shows up to 30,049 patients have been affected. And right here in good old Connecticut access health care netiquette notifies the 1100 about unspecified data breach. So access LCT the Health Insurance Marketplace in Connecticut has notified approximately 1100 consumers that some of their pH was exposed in a data breach and its substitute breach notice Access Health CT apologize for any inconvenience caused by the breach. Instead affected individuals have been offered free access to services to help them protect their personal information. The breach notice did not contain the nature of the breach when it when it occurred and or the types of information that were compromised. Notice states several effects. Several efforts to improve security are already in place with longer term initiatives of initiatives planned regarding system changes and more frequent information IT security training and to improve data protection and security awareness. And in another one in Connecticut, Manchester, ophthalmology and Connecticut has experienced a cyber attack in which the attackers may have gained access to patient information. Care Provider became aware of cyber attack on November 25 2019. When employees notice unusual activity on a network assisted by third party technology firm. It was determined later that day that hackers had gained access to it systems and attempted to deploy ransomware. Access was first granted first gained to network on November 22, and continued until November 25. Remote Access was rapidly terminated before information was encrypted. Well, that means they had three days on the system, so I don’t know maybe amateur hour for the ransomware attackers. investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers but during the investigation, it was determined that certain patient information had not been backed up and could not be recovered. The types of data loss included names pack patient created medical histories, and details of the care those patients received at Manchester ophthalmology. Patients have been advised to exercise question and monitor counts and experts nation of benefit statements for any sign of fraudulent use of their information. Manchester ophthalmology has provided further training to employees to ensure the proper backup of all information. breach reports submitted to the Department of Health and Human Services Office of Civil Rights indicates 6846 patients were affected by the breach. United Healthcare alerts patients about 2019 data breach on January 1 January 31 2022 minutes honka Minnesota health insurer United Healthcare announced it was the victim of a data breach in 2019 and was the private information of some of its customers of South Carolina was potentially compromised. United Healthcare was notified about the data breach in December 10 2019 into turn and determined that at some point between January 30 to November 13, and unauthorized individual gained access to the health information and of certain members through its member portal. Only remember his first name last names, health plan information and medical claims data was compromised and health care said it is a system with law enforcement investigation and steps have been taken to prevent further breaches of this of this nature in the future. The HHS offices over rates portal indicates 934 individuals were affected 2713 individuals informed of Cook County Health mailing era we’ve seen a lot of mailing errors lately too. So Chicago, Illinois based Cook County Health has started notifying 2713 individuals that some of their protected health information was sent to a third party vendor in air information related to individuals participating in keeping it light hashtag keeping it light study that was sent to a vendor who was due to assist with the mailing study information. List of study participants which was limited to names addresses and email justice was sent before a business associate agreement was in place so there’s where your your fine is probably going to come into place. A business associate agreement confirms that a vendor satisfactory Data vendor agrees to implement safeguards to ensure the privacy and security of any information without to be a satisfactory assurances that those safeguards were in place. But had not received by quote but had not been received by Cook County. action has now been taken to ensure similar errors are prevented in the future. Of course a little too little too late. So that is going to do it for the breach report. And that is going to do it for this week’s episode of the proactive it podcast. Until next week, Everybody stay secure

Transcribed by https://otter.ai

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply