PodcastCyber SecurityHealthcare ITHIPAAInformation SecurityLaw Firm IT

ProactiveIT Ep 4 Is Google Collecting PHI & MFA Mistakes

By November 13, 2019 November 26th, 2019 No Comments
Ep 4 ProactiveIT Podcast is Google Collecting PHI & Why

This is Episode 4 of the ProactiveIT Podcast.  On the ProactiveIT podcast we discuss the latest in technology news, Cyber Security, and compliance.

In this episode we discuss recent Cyber Security News:

  1. FBI Issues E-Skimming Alert
  2. Texas Health and Human Services Fined $1.6 Million
  3. Emotet Activity Increases 730% In Recent Weeks

We discuss Google working with Ascension to Collect PHI on Millions of Americans, A new breach notification for a local Connecticut Physician’s Office, and our newest HIPAA Breach Case Study.  

 

episode 4 is Google Collecting PHI pinTranscription (unedited)

This Is the Proactiv it podcast this week the latest in cyber security news not having MFA enabled might cost one optometrist $100,000 or more Google collecting Phi and a local Connecticut Physician’s office hello everyone again this is Scott Caan bar the host of the proactive i t podcast this is episode for every every week we talk to you about the latest in Tech and Cyber News Appliance and More will also bring you real world examples to learn from so you can better protect your business and identity this podcast is brought to you by now watch check a hipaa-compliant client-focused it consultant located in frigid Central Connecticut you can find us and watch Tech., that’s NWA Jay tec.com all right so first up on the docket Patch Tuesday update patches did roll out yesterday for Microsoft I receive the alerts in the middle of the day for my clients and was able to test and roll them out for most of the clients yesterday so here’s what you can look forward to first of all hyper-v Passover months are dominated by patches around remote desktop protocol this month update has large number of hyper-v patches that address the following vulnerabilities Israel cve 2019 – 07 12-0 719-0721 1300 913-1013 80 913-9715 98 + 1399 one of the problems are a few of the repaired vulnerabilities fix a problem with hyper-v VM switch which is which in its pre-patch they might permit an attacker to execute code on the host operating system and then what Microsoft refers to as a failure to properly validate input from an authenticated user on a guest operating system and more often referred to as DM Escape where malicious code running on a VM can jump out of the virtual environment of the VM and onto the host machine so those are Pinterest with the most recent patch so if you are a hyper-v user do you have hyper-v in your environment on your servers you’re going to want to get that and get that updated Windows kernel patching so they found it fixed a few memory corruption vulnerabilities windows subsystem for Linux one patch roll out for that scripting engines again has Racine pretty much every month there’s been scripting engine patching for Internet Explorer Edge chakra and vbscript and then and that’s pretty much it so that’s your Microsoft it’s it’s a quieter month for Microsoft patching hopefully there’s no issues I have not run into any issues myself on any of my clothes at the cleaners on my own so we looked pretty good there a Microsoft Patch Tuesday rolled out again November 12th 2018 test it and then roll it out and as I mentioned last week take the Google Chrome vulnerability if you have not addressed that you need to address that so you need to update to Google Chrome 78. 0.390 4.87 all right in cyber-security news the FBI has warmed warned of a skimming Board of East skimming so bristly the FBI issued a warning against East giving threats in response to the increase of a tax on small and medium-sized businesses and government agencies this new form of attacks occur at this new form of attack occurs when malicious code is placed within a site that accepts payments so it’s the reason of called he’s giving you were probably all the way or give me which is the act of taking a credit card or happens a lot at ATMs in gas pumps you put a device in there that could skim the credit card information in the credit card information is called what now there’s an electronic version of the same thing how does it happen so like many other breaches it can originate with a phishing email on it we’re going to talk quite a bit about to die because there’s a local hack a local reach as I mentioned at the top of the show that involves fishing how are the car it often takes a while as it do many preachers takes awhile you know they eat the chips for years to to be found so sometimes it takes years before before the breaches discovered and how can you protect yourself of course education is is key but if you are protecting your business run code Integrity checks regularly to review any changes to code on your eCommerce site Monitor and you should have some type of monitoring on the website monitoring analyze web logs for any changes always make sure that your systems are updated and we’re going to talk about I believe we’re going to talk while we’re not going to talk about it I don’t have it here and was talk about it in the episode 2 of The Daily the side of the approximate e cybersecurity daily which is on anchor Ormond zonealarm was compromised because they were using outdated vbulletin software for the form so you can get details of all of that on my cybersecurity daily podcast which is on anchor and Spotify but this just goes to show that even security companies are vulnerable need to keep your software your web applications your operating systems all those things up to date so I can FBI issues he’s giving warning you know there’s a trip protection that blocks fishing sites then more kudos to you you’re you’re a step ahead of a lot of people data breach costs Texas Health and Human Services Commission 1.6 million dollars in 2017 Texas Health and Human Services Commission which is comprised of child care and nursing facilities operations of supported living centers providing mental health and substance abuse services in also administering programs for people in need they were fined 1.6 million dollars in penalties from the office of civil rights dlcr do to HIPAA violations HIPAA act violations for activity dating back to 2015 that’s when your stats when the program called dad’s Department of Aging and Disability Services notified the OCR that 6617 records of for patients of the community living assistance and support services and deaf blind with multiple disabilities were exposed as a result of a software flaw the error occurred when access controls on applications and it systems were not properly replace Pur hit the requirements of a story came when an application was moved from a private to a public server or I would never heard that one before it’s Lana software code allowed not verified users to access patient information this information including the address of Social Security Medicaid numbers and treatment diagnosis need tails the large monetary fine was a result of the time that Texas HHS was out of compliance in regard to the HIPAA rules that failed to perform a security risk analysis at least yearly but it should be on going as we talked about in the previous episode within the deadline time frame of August 2016 and disregarded the importance of it additionally they acknowledge that they had only perform risk assessment activities on their service and applications I had never performed an agency-wide analysis so again the Texas Health and Human Services Commission find 1.6 million dollars for essentially ignoring best practices and ignoring the completion of a security risk analysis Imhotep activity increases by 730% remote as you know it or you may know is a trojan virus that spreads no more recently it was kind of on Hiatus I guess you could say and the security researchers to have at nuspire have uncovered that activity has increased by 730% in September alone the important aspect of the New England charging detected in September was it appeared with two other notorious malware dub trickbot and ryeowook these three more hours is a whole were used to cause the most damage to a network that also included additional features to steal the contents from victims in boxes and credentials for sending outbound emails so it is spreading through email want that is one one method of its Trojan spreading care.com seems to see my where.com the First Citizens of the treasures activity was noticing August of 2019 after researchers found command-and-control servers for emotes that we’re being revived by operators in mid-september the Trojan recorded his first attack campaign that sent me those with financial things that came the campaign was primarily targeted against organizations in Poland and Germany another new scam campaign that quickly to fake news about NSA whistleblower Edward Snowden new book permanent record as alert was reported within a week after the first attacks clicked on the link and worth potentially attacked in October that you must have gotten it was found using a new malicious attachment that is disguised as Microsoft Office activation wizard with Microsoft sending out emails now about their new agreements essentially that you need to activate multi-factor authentication people may get confusing click on on links and then with the start of the holiday season of course we talked about that last week The Operators leverage fake Halloween invitation emails to spread the malware email push that new templates to ask recipients to attend a neighborhood party so what’s the bottom line the bottom line is you need to educate your employees your family whoever whoever could be impacted and be ready for for attack alright so now to the meat of our show with have a few topics to discuss today so the first one is is Google collecting Phi and the second one Starling pharmacy located in Central and Northern Connecticut was breached and had information in their emails and it finally a Blog on the Nevada Test Site not having multi-factor authentication enabled might cost one optometrist $100,000 or more so let’s begin with Google collecting Phi Phi protected health information so I was as I was planning this week’s podcast to I realized I have been saying personal health care of personal health information it is protected health information just a Freudian slip I guess you could say but Google is working with Ascension allegedly to collect secret patient data this is according to a Wall Street Journal this was reported earlier this week this the project is called the project Nightingale and Google in Ascension which is a health system have been collecting and analyzing detailed medical records including names birth dates and health information this sauce ain’t no cause for concern here right nothing can go wrong from Google grabbing all this information and don’t get me wrong I’m I’m I’m a fan of Google I’ve done a lot with Google over the years and you know I’m a G Suite partner and certified in AdWords and Google analytics and been to Google Headquarters in Chino toilet facilities and learn from that but I just think there’s a at some point you have to draw a line and say enough is enough Google should not have access to protected health information because we seen before where information gets compromised and gets leaked now not to say that Google has leaked information but it’s been available on Google so Google didn’t really do much to protect it either so Google is apparently using the data to help inform its design of new artificial until age do artificial intelligence Ai and machine learning software for Ascension The Wall Street Journal reports that plays at different alphabet divisions alphabet is the parent company for Google including Google Play has access to the patient information until recently need a patient’s North Physicians knew that at least a hundred and fifty Google employees already have access to much of the data on tens of millions of patients across 21 states according to the Articles author Rob Copeland including lab results Dr diagnosis and hospitalization records among other categories include patient names and dates of birth but within hours of the Wall Street Journal report Ascension put out a press release explaining its work with Google and promising that work is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension strict requirements for data handling now that being said if 150 employees at Google have access to Patient data diet and soft could be considered a HIPAA violation depending on what what information to have is that names and help me out detailed health information if it’s redacted or encrypted then then they’re not violating violating HIPAA laws is this your hip it does allow providers and others covered by the Privacy Law including health plans and clearinghouses to share protected Health Data with their vendors and business partners but only in certain cases covered entities which would be Ascension in this case may disclose protected health information to an entity and its role as a business associate only to help the covered entity carry out its Healthcare Function Smart for the business associates independent used for purposes except as needed for the proper management administration of the business associate according to the h h h h h s so I don’t know if you know what to talk about with the bigger picture and I’m sure we know what the bigger picture is Google trying to get into Healthcare we’ve heard stories of Amazon potentially trying to get into Healthcare in your insurance let’s be honest that’s where the money is Healthcare is not going anywhere it’s going to evolve you’re going to see more artificial intelligence you going to see a lot of technical technological based technologically based functions coming to the healthcare realm more than already exists but it’s just seems dangerous to have a hundred fifty people who aren’t in healthcare have access to these records and don’t they don’t directly impact ascension’s ability to do their job so they’re not it they’re not so you know their there they’re not maintenance they’re not h v a c so we’ll see what comes of this wood will follow us closely will update as as there are updates available again Ascension is working with Google Ascension is a healthcare Stat Health System working with Google on a secret patient data project called project Nightingale so you don’t come back for future episodes and we’ll see where we’re going with that second thing we’re going to talk about today second topic Connecticut Healthcare Group notifies patients of data security breach so starling Physicians located in to have offices in Enfield Connecticut I believe Newington Connecticut so essentially their Northern and Central Connecticut they notified patients yesterday as I’m recording I’m recording this on Wednesday early this week because of scheduling so Tuesday November 12th Starling Physicians notified patients notified patients that the company was Target of a phishing attack in February so first problem 9 months ago there were they were targeted the problem there is today where the attackers in the system for the last nine months and they just discovered this now or did they know about this nine months ago and if they knew about it 9 months ago that is a HIPAA violation you did not notify patients soon enough did not notify your clients soon enough per HIPAA compliance rules an investigation was conducted and on September 12th it was determined that the affected email accounts contain certain patients names addresses dates of birth passport numbers Social Security numbers medical information and health definition of health insurance or billing information so again on another red flag here we have social security numbers medical information health insurance information passport numbers dates of birth addresses name stored in email and I’ve said it time and time again email is not a storage system it’s the you not supposed to use email to store stuff now okay I’ll give you that occasionally use for a document in your email that you want to come back to later that document should not contain any sensitive information you should not contain Phi protected health information that should not contain pii personal I didn’t personally identifiable information so you know names addresses dad’s birthday is as dangerous stuff that have any mail Social Security numbers passport numbers why why are we collecting passport medical information health insurance information billing information so so many things that you’re not it’s not encrypted somebody got a hold of it so Starling Physicians is looking at probably a pretty hefty fine on a couple of fronts I does not indicate in because you know we were just notified yesterday this is I actually learned it at learned other 8 at 11 last night no indication as to what numbers how many people were impacted from a potential people were impacted what is the recourse no mitigation world will Starling cyst Starling Physicians take not no indication at all I know that hired a forensic Ace forensic security person to take a look to see what’s going on I don’t know what they did Bianna the fact that somebody was able to compromise your email means they didn’t have multi-factor authentication turned on multiple email accounts were compromised once they did notice the breach Dave David locked on those email accounts but if this if this has been in the system for 9 months then and I’m leaning towards know that they knew about this and then just tried not to report it but if the attacker was in the system for 9 months and they didn’t report and they didn’t know the chances are they have more information then then is originally indicated by this report so you can you can bet my next HIPAA breach analysis my HIPAA breach case study will be on Starling Physicians probably next week and then finally we do have a HIPAA breach case study this one is a kiss for MFA so now we have to like that that one is even I would think I would think this one is even more you know the Starling Physicians is a little more relevant in this case says you’re going to learn so on watch check.com the last most recent blog post hip approach case study a case for multi-factor Authentication so what happened you told Valley Eye Center in Provo Utah reported on October 31st 2019 so just last week or two weeks ago sorry that they’re in scheduling system was the Compromise that occurred on June 18th so June 18th 2018 by the way not 2019 2018 so 15 months again was the system the whole time I don’t believe so I think it just took them that long to report it they talked to use the information they were able to gather to send phishing emails to the patient so they grabbed at the very least names and email accounts the attacker send emails disguised as PayPal emails to compromise PayPal accounts according to the Utah Valley Eye Center the attacker was able to obtain 5764 email addresses and other pie personally identifiable information such as a home address phone number and names it is reported that Phi protected health information was not accessed by the attacker however with that being said this is on the HIPAA Wall of Shame which means that OCR is investigating so even if Phi was was not compromised which if if yours has involved isn’t chance it was but even if it wasn’t you can bet that you’ll see I was going to review and HIPAA audit part policies the security risk analysis policies everything that they’re supposed to be doing under HIPAA and if they find flaws in their HIPAA compliance program is going to be more fine so we’re going to go to the fines in a moment Utah Valley Eye Center did report to preach to the required authorities and did send notification to all 20418 patients alerting them to the attack as a precaution patients were a fraud alert on your credit file a financial advisor in almost every single financial advisor I put a freeze on your credit report it so I will get a financial advisor on the show at some point so that you can hear it straight from them so I don’t want you to take that from me if you have a financial advisor you should speak to them so what could have been done differently there are two things that could have been handled differently in this case the first is multi-factor authentication so you have an online scheduling system why is there no more for multi-factor authentication so it’s not clear that the option was available with the scheduling system but it absolutely should be especially if you’re dealing with health care if it is if it was the eye doctor should have been able to and this would have most likely prevented the breach an if it was not then if it was not available then they should have been switching to a different provider for the online scheduling because that should not happen today II a big gap in time from compromised notification to preach occurred on June 18th 2018 but was not recorded in until October 31st 2019 that’s more than 16 months it’s not clear when the eye doctor became aware of the compromise but if the attack was in your system for 16 months they would probably have gotten a lot more than 5764 email addresses it’s important to understand that notification of breaches need to be reported in a reasonable amount of time so now this was in Utah I don’t know what the time I tried to find it I couldn’t find it I don’t know what the required time frame is in Connecticut it’s 90 days for any breach if it involves Phi then it’s 60 days Most states most a reasonable time and then give you a what that time should be if it just says reasonable time you know usually within a few months 16 months is not a reasonable time you talk can’t find $2,500 per consumer up to $100,000 and that’s only if it’s if it’s pii in this case Utah Valley Eye Center is looking at the maximum penalty because you know 2500 per consumer 5700 consumers it’s more than a hundred thousand. So the $100,000 fine because the records include more than one personally identifiable piece of information Utah Valley Eye Center is subject to the rules of notification and fines if it was only one piece of pie that’s pretty funny one piece in the back if it was if it was only then they would not be required to report but because of multiple pieces name and email addresses they are required the potential cost so they will be on the most likely be on the hook for $100,000 by the state of Utah from the state of Utah since the bridge was just reported it fine has not been delivered yet equipment that should be fine for delayed notification and that’s under HIPAA as well as Utah has laws regarding the time frame for notification of a search of a preach it’s not clear if pH I wasn’t acted according to them it was not but if it was and as I stated earlier that you know the fact that it’s on that the Wall of Shame means that OCR is investigating if it was included you’re looking at it much more significant find based on the number of records that were involved Utah Utah Valley Eye Center could be on the hook for over $1000000 fines and costs to mitigate chances are it won’t cost that much and you know he’s not going to find out so I will tell you that it’s they’re not it’s not about the fines it’s about making sure that patient information is not disclosed without the patient’s knowledge it’s it’s about the patient care so it probably wouldn’t cost 8 million dollars but the potential exists there you can or else you’re investigating music going to audit your HIPAA compliance program at the very least told us the lesson here they attack based on the information available a week password a little social engineering and lack of multi-factor authentication and anyone can easily compromised and online Portal from the other TI I personally identifiable information so freely available tools on the internet to create phishing emails disguised as PayPal they even help you clean the PayPal stuff to avoid all this the following should have been in place use complex passwords or past phrases I know there’s two schools of thought here as far as a security world is concerned but either one should have upper lower uppercase lowercase numbers special in special characters and they should be long 15 20 characters that’s what a lot of people are using is lyrics movie titles things like that movie quotes staff on social engineering and maybe I’ll do a special episode on social engineering at some point we need to do something because people are engineered everyday daily everyday and you’re falling for scams you know you’re pleased if only for skins left and right it needs to stop fishing is a form of social engineering if your employees at a healthcare provider clicking on links think before you click then you are feeling your not educating your stuff enable multi-factor authentication and if if you do a voice text messaging as the option for multi-factor authentication some platforms will offer you the choice between a soft token or SMS which is text messaging avoid text messaging it can be it can be bypassed in a way we talked about that last week Jack dorsey’s account and the case we had last week so enable multi-factor authentication if you go to use soft tokens make sure the device that you use for tokens on also has a passcode or it preferably a barometric like a thunder or a retina scan a facial skin enable logins from specific locations in IP addresses so if this is something I have set up on websites that I protect you only certain IP addresses are able to log into those websites so you go to the website if your website if your IP address is not on the waitlist you’re not going to be able to login and then one day I will show everybody the amount of attempted logins that come from all over the world in the account so if you’re using things like admin or any more things like that people are or even if you use in you know the blogs author’s name as your login change it you just change it to something random that decreases the chances that your your site will be compromised but attempt to login it’s so you need to move on from that if that’s the case why there’s no other evidence that Phi was involved in the speech the OC are still investigating even if they determine that no Phi was breached they will likely scrutinize Utah Valley Eye Center is HIPAA compliance program other Healthcare Providers have been fined by the OCR for lacks compliance programs in the past Utah Valley Eye Care Eye Center could be on the hook for more than $100,000 fine for having pii breach so that’s that that’s all that’s a kiss for multi-factor Authentication I know I know you know if you follow follow North 2nd social media to listen to me at all in the past and talk about multi-factor authentication at nauseam I talked about not storing data in email at noisy and it just continues to happen in a baffles me that any health care provider would store so much information so much sensitive information in email it’s just unbelievable to me on so that’s Utah Utah Valley Eye Center will wait to see what happens with Starling Physicians here in Connecticut and what exactly you know how many how many records were breached how many patients were impacted and what the fine looks like and what medication looks like so as soon as I can report on that I will once again we wrapped up pretty quickly so again thank you for tuning in this week I’m uploading a little bit earlier this week because I need to be in a client site and I will be doing the same thing next week I need to be on client site to normal record on Fridays the next couple weeks a little tough to do for that as always any questions concerns comments or if you want to be a guest on the show if I would be looking for an insurance agent who specializes aspired cyber liability I would be looking for anybody in healthcare or legal that can educate our clients are on our clients are listeners anything related to it and cybersecurity so you can email me that Escobar Aetna wash. Tackett NWA J. Tech and I will take us there until next week everyone have a great week and stay secure 

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply