Tags: HIPAA, Breach, Cyber Security, Healthcare IT, Information Security, Podcast

ProactiveIT Ep 7 – HIPAA Breaches, Rules & Fines..Oh My

December 6, 2019
How You Can Earn a Cool $5 Million, Plus HIPAA Breaches, Rules & Fines..Oh My

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Attacks on Healthcare are on the Rise, are you ready?  A little HIPAA Education and Wanna make a cool $5 Million?

This is Episode SEVEN!  Bring in the music

Intro

Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.


Patch Tuesday Update:

Firefox 71

No news on Patch Tuesday for MS yet

Cyber Security News

https://threatpost.com/nebraska-medicine-breached-rogue-employee/150823/

https://threatpost.com/hackerone-breach-20000-bounty-reward/150846/

https://thehackernews.com/2019/12/counterfeit-piracy-websites.html

https://www.computerweekly.com/news/252474990/Hackers-primed-to-exploit-5G-to-Wi-Fi-handover-flaws

https://www.forbes.com/sites/daveywinder/2019/12/05/china-fires-great-cannon-cyber-weapon-at-the-hong-kong-pro-democracy-movement/#166c2e077c85

https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-forced-feature-updates-on-windows-10-1809/ 

Topic 1:  https://www.hipaajournal.com/hipaa-compliance-can-help-covered-entities-prevent-mitigate-and-recover-from-ransomware-attacks/

Topic 2:  https://www.hipaajournal.com/healthcare-threat-detections-up-45-in-q3-2019-and-60-higher-than-2018/

Topic 3:  https://www.bleepingcomputer.com/news/security/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/

HIPAA Corner:

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

https://www.hipaajournal.com/hipaa-breach-notification-requirements/

Connecticut Rule: Notice must be provided to the state attorney general and patients within 90 days, although healthcare providers are required to issue breach reports within 60 days under HIPAA Rules. (HIPAA Journal, Jul 3, 2015)

HIPAA Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/



Transcription

This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus attacks on healthcare are on the rise, are you ready? A little HIPAA education, and want to make a cool five million dollars? This is Episode 7. Bring in the music.

Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We'll also bring you real-world examples to learn from so you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that's N-W-A-J-tech dot com.

All right, we're going to kick this show off the same way we kick every other show off: Patch Tuesday update. There is no Patch Tuesday yet for Microsoft in the month of December, so no real news to report on that front. Firefox did release an update, Firefox 71; it addresses a few vulnerabilities, nothing severe, nothing critical, but still get your Firefox updated. If you listen to the Cybersecurity Daily you would have heard a conversation we had about a vulnerability with the AVG and Avast browser plugins for both Chrome and Firefox. Firefox has disabled that plugin, so make sure you update your browser.

First up in the news, on bleepingcomputer.com: Microsoft starts forced feature updates on Windows 10 1809. So this is an older version of Windows 10; if you have not updated, you're going to be. Microsoft says of the Windows October 2018 Update, Windows 10 version 1809 Home and Pro editions, that it is keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Microsoft is starting this rollout process several months in advance of the end of service date to provide adequate time for a smooth update process, the company adds on the Windows 10 health dashboard. So there will be no updates for Windows 10 1809 after May 12th, 2020, so if you're on 1809 you will be updated before that date. I know I've had a few computers experience issues with more recent updates to Windows 10, so hopefully those issues have been ironed out and we won't see any of that. Also of note, Windows 10 1803 devices were auto-updated in November, so that probably will not be supported going forward.

Next, on Forbes. I don't usually go to Forbes for cyber security, but this is kind of relevant: China fires Great Cannon cyber weapon at the Hong Kong pro-democracy movement. The Great Cannon of China doesn't get fired very often, but when it does the consequences can be hard hitting. Operated from behind the Great Firewall of China and used sparingly, as the negative press it generates is substantial, this cannon doesn't launch physical projectiles, but it's a state-operated distributed denial of service cyber weapon, and now it's taking aim at an online forum used by pro-democracy movement protesters in Hong Kong to help coordinate the anti-government demonstrations. So what is the Great Cannon of China? While not as well known as the Low Orbit Ion Cannon, a DDoS tool that was very effectively used by the Anonymous hacking group when attacking websites supporting the Church of Scientology and later those opposed to WikiLeaks, the Great Cannon has the potential to be a much more significant threat. It works by hijacking web traffic from users within the boundaries of the government-controlled Great Firewall of China and redirecting traffic to websites external to it. This is achieved by injecting malicious JavaScript code into the insecure HTTP connections of sites visited by Chinese users. This interception allows the operators of the cyber weapon to target a chosen web resource with a DDoS attack, and in this case the attack is on a forum used by the pro-democracy protesters in Hong Kong. So interesting that a government can... I shouldn't say can, of course governments have the ability to, but they are using it against their own people.

On computerweekly.com, another source I don't normally go to: hackers primed to exploit 5G to Wi-Fi handover flaws. So we know 5G LTE is starting to roll out in some areas, more densely populated areas primarily. With 5G networks rapidly coming on stream, wireless carriers are increasingly handing off calls and data to Wi-Fi networks to save bandwidth, and flaws in this process will allow attackers to compromise security, say researchers at WatchGuard Technologies. Interestingly enough, I used to work for a cable provider who tried to launch a cellular service using their Wi-Fi hotspots throughout the area that we were in. The researchers believe attackers will find new vulnerabilities to access voice and data on 5G mobile phones that will be introduced across networks. WatchGuard also predicts that in 2020 a quarter of all breaches will happen outside the perimeter. It adds that although remote working can increase employee productivity and reduce burnout, mobile staff often work without any network perimeter security, and mobile devices can mask the telltale signs of a phishing attack and other security threats. As 5G rolls out across large public areas like hotels, shopping centers and airports, users' voice and data information on their cellular-enabled devices is communicated to both cell towers as well as Wi-Fi access points. So if you hop from a cell tower to an open Wi-Fi access point, that opens up the chances of you being compromised. So I don't know, I'd probably turn that feature off if that's an option. I don't know if it will be, because it sounds like the cellular companies are concerned about bandwidth.

On The Hacker News: Europol shuts down over 3,500 piracy websites in a global operation. So Europol has been quite busy; remember they shut down a certain group last week. In a coordinated global law enforcement operation, Europol has taken down more than 3,500 websites for distributing counterfeit and pirated items on the internet and arrested three suspects. Among other things, the seized domains reportedly offered various counterfeit goods and pirated services, including pirated movies, illegal television streaming, music, electronics, cracked software downloads, counterfeit pharmaceuticals and other illicit products. However, it should be noted that the seized web domains do not include any major pirate websites on the internet, so the Pirate Bays of the world have been spared at this point. During the investigation, international law enforcement officials shut down a total of 30,506 web domains, arrested three suspects, seized 26,000 luxury clothes and perfumes, seized 363 liters of alcoholic beverages, and seized an unspecified number of hardware devices. Officials also identified and froze more than 150,000 euros, I guess that is, from several bank accounts and online payment platforms. The domain seizures and arrests were made as part of an ongoing anti-piracy effort dubbed In Our Sites X, IOS X for short, that Europol launched in 2014 and ran with the help of European Union member states and international law enforcement. So Europol, very busy so far in the last month or so.

Hey, I reported this on the Cybersecurity Daily this morning, and I'll report it again here because it's pretty cool. On Threatpost: HackerOne breach nets $20,000 bounty reward. What happened was a HackerOne blue hat hacker that participates in the HackerOne website under the alias of haxta4ok00 found a flaw as a result of human error. So what happened: a security analyst triages incoming reports for HackerOne's own bug bounty program. According to HackerOne's report, on November 24th, 2018 a security analyst tried to reproduce his submission to the HackerOne program, which failed. The security analyst replied to the hacker, accidentally including one of their own valid session cookies. So then that hacker was able to use that session cookie and show a flaw in the HackerOne platform, and as a result HackerOne paid out $20,000. So I talked a few weeks ago about how there are millionaires now using HackerOne and similar platforms; they're called blue hat hackers. We do it a little bit here; I don't participate as often as I'd like to due to time constraints, so I'm not a millionaire by any stretch. With that being said, you can; HackerOne actually has tutorials so you can learn how to do this. Get on their website and make some money. So no excuse not to make a little extra money on the side, and maybe figure something out by accident.

First of many HIPAA-type stories we're going to talk about today, also on Threatpost: Nebraska Medicine breached by rogue employee. So an employee, or an ex-employee, of Nebraska Medicine had access to ePHI that they should not have had access to. They grabbed, or at least viewed, Social Security numbers, PII, medical records and so forth of an undisclosed number of people between July 11th, 2018 and October 1st, 2019. When we're reporting HIPAA breaches, typically it revolves around phishing, ransomware, data theft and so forth. This is an employee having unauthorized access; this is access controls and not following least privilege. Least privilege; I'll learn how to talk. So this will be interesting to see what the outcome is, because they're not disclosing how many people were impacted. They did report as soon as they became aware; they notified affected patients, and those patients are receiving credit monitoring services. It does not say how many people were impacted. This was just reported to the media. What we're going to talk about today, the education today, is about breach notification rules, specific to Connecticut as well. So this was reported to the media two days ago, December 4th, so if you are a patient at Nebraska Medicine, which includes a hospital by the name of Nebraska Medical Center, you're going to want to pay attention to that.

All right, that's going to do it for the news flash. Next up, top stories of the week. We've got a couple of HIPAA-related items to talk about, but we're going to first talk about how you can make a cool five million dollars, and that's tongue in cheek of course. This is on BleepingComputer, but you can pretty much find it anywhere on the internet at this point: US Government alerts financial services of ongoing Dridex malware attacks. The Department of Homeland Security today alerted institutions from the financial services sector of risk stemming from ongoing Dridex malware attacks targeting private-sector financial firms through phishing email spam campaigns. The alert was published by the Cybersecurity and Infrastructure Security Agency (CISA) in the US National Cyber Awareness System, a tool designed to provide industry and users with info on current security topics and threats. You can go to their website, US-CERT, and you'll see more information there as well. Because actors using the Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics and procedures contained in this report warrant renewed attention, CISA says. Treasury and CISA encourage network security specialists to incorporate these indicators into existing products and network defense capabilities and planning. The alert issued today also comes with a list of previously unreported indicators of compromise derived from information reported to CISA by financial companies, mitigation measures, and reporting of activities. Besides encouraging security admins to consider their companies' defense tools to detect Dridex banking Trojan activity and avoid potential attacks, CISA also provides a list of mitigation measures to reduce risk. According to CISA, the mitigation recommendations listed below are designed to specifically address Dridex tactics, techniques and procedures. So here we go, it's a big list. Ensure systems are set by default to prevent execution of macros, which we talked about in the past. Inform and educate employees on the appearance of phishing messages, especially those used by hackers for distribution of malware in the past; so education of employees, I am big on that, and it needs to happen. Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included. Back up data and ensure backups are protected from potential ransomware attack, another big one. Exercise incident response to phishing messages and unauthorized intrusion; so along with the education, testing. If there is any doubt about a message's validity, call and confirm the message with the sender using a number or email address already on file.

Treasury and CISA remind users and administrators to use the following best practices to strengthen the security posture of their organization's systems: maintain up-to-date antivirus signatures and engines; keep operating system patches up to date; disable file and printer sharing services, and if the services are required, use strong passwords or Active Directory authentication; restrict users' ability (permissions) to install and run unwanted software applications, and do not add users to the local administrators group unless required; enforce a strong password policy requiring regular password changes, and we've talked ad nauseam about password policies; exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known; enable a personal firewall on workstations, configured to deny unsolicited connection requests; disable unnecessary services on agency workstations and servers; scan for and remove suspicious email attachments, and ensure the scanned attachment is its true file type, i.e. the extension matches the file header; monitor users' web browsing habits and restrict access to sites with unfavorable content; exercise caution when using removable media, and some companies will disable USB ports, so that's a good practice to have if there's no need for them; scan all software downloaded from the internet before executing; maintain situational awareness of the latest threats; implement appropriate access control lists, sound familiar?; exercise cyber security procedures and continuity of operations plans to enhance and maintain the ability to respond during and following a cyber incident. The DHS also encourages organizations and users that have been affected by a Dridex banker attack, or suspect malicious activity related to Dridex, to contact CISA as soon as possible using the following contact information, that's below: the CISA Service Desk at hq.dhs.gov or 888-282-8070; the FBI through a local field office, which can be found on the fbi.gov site; and the FBI Cyber Division at CyWatch@fbi.gov or 855-292-3937.

The Dridex banking Trojan: Dridex is an advanced and modular banking Trojan, first spotted in 2014 and continuously updated, with new samples still being detected in campaigns targeting a wide array of targets from Europe and North America. CISA also warns that modules include provisions for capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. CISA states that through its history and development, Dridex has used several exploits and methods for execution, including the modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer communication for exfiltration of data, and it is used to steal banking credentials. It has been attributed to the TA505 threat group, aka Evil Corp, and has been active since the third quarter of 2014. TA505 is also known for mainly focusing on attacking retail companies and financial institutions using large-size malicious spam campaigns, often using the Necurs botnet. In its malspam campaigns it has been observed distributing remote access Trojans (RATs) and downloaders that dropped the Dridex and TrickBot banking Trojans as secondary payloads, as well as Locky, BitPaymer and Jaff ransomware, on their targets' computers. Since its initial appearance on the malware stage, Dridex's authors have updated it with various functions like the AtomBombing injection technique, web injects into Chrome, and a Microsoft zero-day exploit, according to the analysis service ANY.RUN. More information on the capabilities of Dridex, as well as a list of indicators of compromise associated with the activity described in the alert published today by the DHS, is available in CISA's report, and there are links to download that report there.

But the reason I say you can make a cool five million dollars is because there is now a bounty on the people that created this. They are Russian, I'll tell you right now. So the FBI put a $5 million bounty on the Russian hackers behind the Dridex banking malware. If you want to drive over to Russia... I'm joking, I know you can't drive there, but hop over to Russia and help capture these guys. The United States Department of Justice today disclosed the identities of two Russian hackers and charged them for developing and distributing the Dridex banking Trojan, which they used to steal more than $100 million over a period of ten years. So the names are Maksim Yakubets, the leader of the Evil Corp hacking group, and his co-conspirator Igor Turashev, who primarily distributed Dridex, also known as Bugat and Cridex, through multi-million email campaigns and targeted numerous organizations around the world. So these two guys are now wanted and have a $5 million bounty on their heads. They didn't put up the $5 million toward educating and securing the banking infrastructure, but instead we're going to put a bounty on these guys' heads. Chances are there are more people behind them, so I don't know what good that'll do, except somebody will get $5 million. If you're interested in grabbing $5,000,000, go look for those two guys in Russia.

Next up. I reported this earlier this week in the Cybersecurity Daily, but I want to talk about it again because it's really important. On hipaajournal.com: healthcare threat detections up 45% in the third quarter and 60% higher than 2018. So cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes. Malwarebytes is an incredible anti-malware company, and it's a go-to tool for a lot of IT people. In its latest report, Cybercrime Tactics and Techniques: The 2019 State of Healthcare, Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data. Cyberattacks on healthcare organizations can have severe consequences, as we all know, and as we've seen on several occasions this year: it has caused severe disruption to day-to-day operations at hospitals, often resulting in delays in healthcare provision, and in at least two cases healthcare organizations permanently closing their doors, in Michigan, where the healthcare provider closed instead of dealing with the ransom and the fallout. A recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity. So I had talked in the Daily about the attack on an MSP that impacted, I don't remember, a large number of nursing homes, and so now the concern is for the care of the patients in those nursing homes. Malwarebytes' data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue it is likely to be placed even higher next year. So I don't know what the top seven are; I'm sure banking is probably near the top, financial, banking. Healthcare organizations are an attractive target for cybercriminals, as they store large volumes of valuable data in EHRs, which is combined in many cases with a lack of sophisticated security... I mean it's not a sophisticated setup; multi-factor authentication, let's start there. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable network devices. Given the relatively poor defenses and the high value of healthcare data on the black market, also known as the dark web, it is no surprise that the industry is so heavily targeted. Detections at healthcare endpoints were up 45% in quarter 3 of this year, rising from 14,000 detections in quarter 2 to 20,043. Now, that's detections, not actual breaches; that just means there was a detection of an attack, a potential attack or threat. Detections were also up 60% in the first three quarters of 2019 compared to all of 2018, and the second half of 2019 has definitely seen a lot more activity, so I wouldn't be surprised if by the end of the year we've doubled last year. Many of the detections in 2019 were Trojans, notably Emotet in early 2019, followed by TrickBot in Q3, and there we go again, we just talked about that with Dridex. TrickBot is another banking Trojan, and it is currently the biggest malware threat in the healthcare industry; overall detections were up 82% in quarter 3 over quarter 2. TrickBot gives attackers access to sensitive data but also downloads secondary malware payloads such as the Ryuk ransomware. We've heard a lot about Ryuk; we saw the Mexican oil company got hit with Ryuk, that was last week. Once data has been stolen, ransomware is often deployed. There hasn't been a large number of this type of activity, where the attacker, the ransom demander, bad actor, whatever you want to call it... I don't like to use the word hackers; hackers has a negative connotation and it shouldn't, because a hacker really is just someone who takes something apart to see how it works. That's really all a hacker is, so they might do it for good. The hackers on HackerOne we talked about earlier, those are also hackers, and they're doing good; they're helping to strengthen the structure of web applications. Hackers can also do bad; it's like anything else in this world, you have good, you have bad. So what we saw in one case, and I think it was one of the cases recently, was the attacker taking the data before they launch the ransomware. So then they launch the ransomware, the ransomware encrypts all the files, and they say, I want this much money to decrypt the files, and if you refuse I'm going to release that data on the internet. And in one case they've proven they do have the data and increased the ransom after the first refusal. So I don't know what the status of that is yet; I'll have to get back to you, probably Monday, on that. But we're going to see more of that, where the attackers threaten to release the data to the public internet if you don't pony up. Now again, paying the ransom doesn't guarantee that you're going to get your files decrypted, and doesn't guarantee that they still won't release the information, but the hacker in that case has gone as far as saying, I don't care about the data, we just want the money. Now take that as you will. I never recommend that you pay the ransom. Paying the ransom makes you a target again and again and again and again, so don't pay the ransom; be prepared for the ransomware attack instead.

Trojan attacks tend to target industry sectors with large numbers of endpoints and less sophisticated security measures, such as education, which was hit this year, government, hit this year, and healthcare. Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which rose 90% in the third quarter; riskware increased by 85%; adware detections rose by 34%; and ransomware detections decreased by 15%. Malwarebytes identified three key attack vectors that have been exploited in the majority of the attacks on the healthcare industry in the past year: those are phishing, negligence (i.e. not having multi-factor authentication or not having complex passwords) and third-party supplier vulnerabilities. Due to the high volume of email communication between healthcare organizations, doctors and other healthcare staff, email is one of the main attack vectors, and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. That should not be the case; there should not be sensitive data in email. We should be using the EHRs, EMRs, to circumvent having this data in an email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations. It is very easy to launch a phishing attack; maybe one day I'll show you how easy it is. The continued use of legacy systems that are often unsupported is also making attacks far too easy. Unfortunately, upgrading systems is difficult and expensive, and some machines and devices cannot be upgraded; that's primarily the machines, not the computers themselves. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The slow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry; many organizations have still not patched the SMB vulnerability that WannaCry exploits, which is just crazy to me, even though the patch was released in March of 2017, so almost three years ago, and still not patched. That's crazy to me. Get rid of Windows 7, guys. I know that through Microsoft you can extend the support license; it's really not worth it. I think I saw, I think it's about $50, I don't know if it's $50 a month or a one-time $50 payment, but for $400 you can upgrade, a hundred something dollars in some cases. Negligence is also a key problem, often caused by the failure to prioritize cybersecurity on all levels of the organization and provide appropriate cyber security training to employees. Training, education, again and again and again. Investment in cybersecurity is increasing, but it often doesn't extend to bringing in new IT staff and providing security awareness training. As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end users with cyber security training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches, and that's exactly what's going to happen. The situation could also get a lot worse before it gets better. Malwarebytes warns that new additions such as cloud-based biometrics, genetic research, advances in prosthetics and patients' use of their health information expand the attack surface even further, and that will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation, or vulnerabilities will be found and exploited. So kind of a grim outlook on the healthcare sector as it comes to cyber threats.

And finally: HIPAA compliance can help covered entities prevent, mitigate and recover from ransomware attacks. This is also on HIPAA Journal. So I decided with this episode to focus on HIPAA, because it does relate to cybersecurity, so it is important, and Nwaj Tech does provide compliance consulting, and in the case of healthcare we do HIPAA audits and security audits. So this is a HIPAA Journal article as well. Ransomware attacks used to be conducted indiscriminately, with file-encrypting software most commonly distributed via mass spam email campaigns. However, since 2017 ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher-than-average probability of the ransom being paid, as well as a big ransom. You know, I've seen ransomware attacks going back I don't know what number of years. A CPA friend of mine was hit a while back, and their backup solution was an external hard drive attached by USB, and of course that drive was also encrypted, and there was really nothing they could do. This was right before the end of tax season that year, and so they were at a loss at that point. I know of extended family members that had ransomware on the family computer and were ready to pay the ransom; fortunately for them they checked with me first. But this was going back a number of years, again probably close to ten years. So it has been around; it's only more recently that they started targeting organizations and businesses, because they realize organizations and businesses have the resources to pay up if there's no other option. Healthcare providers are a prime target for cybercriminals, as they have large quantities of sensitive data, low tolerance for system downtime and high data availability requirements. As we're seeing with the MSP that was compromised, and subsequently all of their clients, which were all nursing homes, attacked and hit with ransomware, those nursing homes are down and in some cases unable to care for patients because they don't have the patient documentation at that point. And the ransom demand is $14 million; nobody is able to pay that $14 million. We don't know what the outcome will be yet, but you can imagine: the devastation that will be left by that ransomware attack is pretty substantial. With attacks increasing in severity and frequency, healthcare organizations need to ensure that their networks are well defended and that they have policies and procedures in place to ensure a quick response in the event of an attack. So policies and procedures like strong passwords, multi-factor authentication, education, phishing education, phishing prevention, using... stop using... antivirus software, security software that instead of signature-based is more anomaly-based, things like that, preventing unauthorized executables, backdoors and things like that from running. These are the types of things that need to happen. Ransomware attacks are increasing in sophistication, and new tactics and techniques are constantly being developed by cybercriminals to penetrate networks and deploy ransomware, but the majority of attacks still use tried-and-true methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks are still phishing and the exploitation of vulnerabilities, such as flaws that have not been patched in applications and operating systems. By finding and correcting vulnerabilities, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep the network secure and operational. Now, to stop the most sophisticated, organized cyber threats, you still have mitigations: there's still business continuity and disaster recovery software that exists that can have you back up and running in no time; there's still preventing access to file servers and so forth, EHR records and so on, even more. And I can tell you, I mean, it's just sad to me that an organization would choose to shut down rather than have business continuity in place.

In its fall 2019 cybersecurity newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame. There are several provisions of the HIPAA Security Rule that are relevant to protecting against, mitigating and recovering from ransomware attacks. Six of the most important: now, before I get into the six, we're going to talk about the Security Rule in future episodes, so just be on the lookout for that episode. But here are the six most important things. You have to have a security risk analysis. A risk analysis is one of the most important provisions of the HIPAA Security Rule; it allows healthcare organizations to identify threats to the confidentiality, integrity and availability of ePHI (ePHI is electronic protected health information), which allows those threats to be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities such as unsecured open ports, outdated software and poor access management provisioning. It is essential that all possible attack vectors are found and vulnerabilities are identified. Risk management: all risks identified during the risk analysis... There is no foolproof way to prevent an attack; however, you can reduce that risk significantly if steps are taken that will make it much harder for
taxes to succeed with manager includes the deployment of antivirus software intrusion detection systems spam filters web filters in Reverse backup systems if you ever talk to an IT consultant and they say that they can 100% prevent an attack don’t do business because they cannot that’s not possible but you can significantly reduce your exposure information system activity review if an organization’s defenses are breech and a hacker gain access to devices and information systems intrusions needs to be quickly detected by conducting information system activity reviews Healthcare organizations can detect a nominal anomalous activity and take steps to contain attacks and progress ransomware is not worth it. As soon as network access is game and any days weeks or even months we’ve seen that word I think it won’t get stinky attack of hung around for a year-and-a-half after a network is compromised before rinsing where is deployed solar system activity review May detect compromised before the attackers are able to declare instrument security information and event Management Solutions can be useful for conducting activity reviews and automating the analysis of activity logs some of the other things that will help mitigate that or the password policy requires password changes every you know 30-45 days I know people hate that but if you if that’s in place then anybody who may be in using a compromise password will then be out security awareness a training phishing attacks are often affected as the tarp as a target employees who are one of the weakest links security chain link that was one of the first blog post I ever wrote on the watch text cite the that your employees are the weakest link through regular security awareness training players will learn how to identify phishing emails and a mouse Pam and respond appropriately to buy recording of threats to security security incident procedures in the event of an attack if Fast Response can greatly limit the damage caused by 
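As an added example (not code from the podcast, from HIPAA Journal or from any SIEM product), here is a small information system activity review in Python run over constructed sign-in and mailbox audit events of the kind a cloud email platform exports. It flags the three things that the email-account compromises in this episode's HIPAA roundup hinge on: a successful sign-in from an address never seen for that account, a success that follows a burst of failures, and a new inbox rule that forwards mail outside the organization. The event fields, operation names, thresholds and addresses are assumptions made for the example.

```python
"""Added example: a minimal information system activity review over
constructed sign-in / mailbox audit events (not real logs)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    op: str        # assumed operation names: UserLoggedIn, New-InboxRule
    outcome: str   # "Success" or "Failed"
    detail: str = ""


@dataclass
class Finding:
    rule: str
    user: str
    ts: datetime
    detail: str


def review(events: List[Event], review_start: datetime,
           fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=15)) -> List[Finding]:
    """Replay events in time order. Events before review_start only build the
    per-user baseline of source addresses; events on/after it are reviewed."""
    known_ips = defaultdict(set)    # user -> IPs seen on successful sign-ins
    failures = defaultdict(deque)   # user -> timestamps of recent failed sign-ins
    findings: List[Finding] = []
    for e in sorted(events, key=lambda x: x.ts):
        in_review = e.ts >= review_start
        if e.op == "UserLoggedIn":
            if e.outcome != "Success":
                failures[e.user].append(e.ts)
                continue
            recent = failures[e.user]
            while recent and e.ts - recent[0] > window:   # age out old failures
                recent.popleft()
            if in_review and e.ip not in known_ips[e.user]:
                findings.append(Finding("NEW_LOCATION", e.user, e.ts,
                                        f"first successful sign-in from {e.ip}"))
            if in_review and len(recent) >= fail_threshold:
                findings.append(Finding("BRUTE_FORCE_SUCCESS", e.user, e.ts,
                                        f"{len(recent)} failures within {window} "
                                        f"before success from {e.ip}"))
            recent.clear()
            known_ips[e.user].add(e.ip)
        elif in_review and e.op == "New-InboxRule" and "ForwardTo" in e.detail:
            # Auto-forwarding rules are a classic post-compromise persistence step.
            findings.append(Finding("FORWARDING_RULE", e.user, e.ts, e.detail))
    return findings


# Constructed sample: a week of normal office sign-ins, then a night-time
# password-guessing run against the billing mailbox that succeeds and
# plants a forwarding rule. Addresses are documentation ranges.
REVIEW_START = datetime(2019, 11, 4)
SAMPLE_EVENTS = [
    Event(datetime(2019, 10, 28, 8, 1), "nurse1", "203.0.113.10", "UserLoggedIn", "Success"),
    Event(datetime(2019, 10, 28, 8, 10), "billing", "203.0.113.10", "UserLoggedIn", "Success"),
    Event(datetime(2019, 10, 29, 8, 3), "nurse1", "203.0.113.10", "UserLoggedIn", "Success"),
    Event(datetime(2019, 10, 30, 19, 30), "billing", "198.51.100.7", "UserLoggedIn", "Success"),
    Event(datetime(2019, 11, 4, 8, 0), "nurse1", "203.0.113.10", "UserLoggedIn", "Success"),
    Event(datetime(2019, 11, 4, 8, 5), "nurse1", "203.0.113.10", "UserLoggedIn", "Failed"),
    Event(datetime(2019, 11, 4, 8, 6), "nurse1", "203.0.113.10", "UserLoggedIn", "Success"),
] + [
    Event(datetime(2019, 11, 5, 2, 10 + i), "billing", "192.0.2.44", "UserLoggedIn", "Failed")
    for i in range(6)
] + [
    Event(datetime(2019, 11, 5, 2, 17), "billing", "192.0.2.44", "UserLoggedIn", "Success"),
    Event(datetime(2019, 11, 5, 2, 20), "billing", "192.0.2.44", "New-InboxRule", "Success",
          "Name=.;ForwardTo=outside@example.net;DeleteMessage=True"),
]


def sample_findings() -> List[Finding]:
    return review(SAMPLE_EVENTS, REVIEW_START)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.rule:<20} {f.user:<8} {f.detail}")
```

Running the block prints three findings, all for the billing account; the one failed nurse sign-in from a known office address stays below the threshold and is ignored. The same three rules are a reasonable starting point for a SIEM correlation search, with the baseline window widened to whatever your log retention allows.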
Written policies and procedures are required, and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they would be effective in the event of a security breach.

6. Contingency plan. A contingency plan must be developed to ensure that in the event of a ransomware attack critical services can continue and ePHI can be recovered. That means backups must be made of all PHI, and covered entities must also test those backups to ensure that data can be recovered. Backup systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy should be stored securely on a non-networked device or isolated system.

So there's somewhat of an introduction to the Security Rule. Hopefully that helps some of you healthcare providers, but we can't fall asleep at the wheel; you need to act on these things, and this starts at the one-person practice. I am working with a one-person healthcare professional who had nothing in place, and we're working to remedy that; even today they are in a lot better position than they were just a couple of weeks ago. That's going to do it for this section of the podcast. I'm introducing a new section shortly, HIPAA education, so stay tuned. Before we get to the education piece, here is the latest in the HIPAA roundup.

HIPAA Roundup:

Just reported today: Southeastern Minnesota Oral and Maxillofacial Surgery ransomware attack impacts 80,000 patients. Southeastern Minnesota Oral and Maxillofacial Surgery (SEMOMS, and that is a mouthful to say) has announced that the protected health information of up to 80,000 patients was potentially compromised in a ransomware attack. The attack was detected on September 23rd, 2019. The IT team responded, isolated the affected server and took steps to restore the encrypted data.
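Both the contingency-plan provision above (backups must be tested) and the open question in the SEMOMS item of whether the IT team could restore from backup come down to one check: does the copy you restore match what you backed up? As an added example that is not part of the podcast or of any backup vendor's product, here is a Python routine that writes a SHA-256 manifest for a backup set and verifies a restored tree against it, reporting files that are missing or altered (a file encrypted in place shows up as altered). The directory names and file contents are constructed for the demo; the manifest is meant to travel with the offline, non-networked copy so that it cannot be tampered with alongside the data.

```python
"""Added example: hash manifest for a backup set plus a restore check."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Map every file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": _sha256(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: Dict[str, dict], restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "extra": extra}


def demo() -> dict:
    """Constructed scenario: back up a small tree, then check a clean restore
    and a restore from a copy that ransomware reached (one file encrypted in
    place, one deleted). Paths and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "phi"
        (src / "records").mkdir(parents=True)
        (src / "config").mkdir()
        (src / "records" / "patient-0001.txt").write_text("demo record 1\n")
        (src / "records" / "patient-0002.txt").write_text("demo record 2\n")
        (src / "config" / "app.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(src)
        # Store the manifest with the offline copy, not on the live share;
        # round-trip through JSON the way it would be written to that media.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        manifest = json.loads((Path(tmp) / "manifest.json").read_text())

        good = Path(tmp) / "restore-good"
        shutil.copytree(src, good)
        bad = Path(tmp) / "restore-bad"
        shutil.copytree(src, bad)
        (bad / "records" / "patient-0002.txt").write_bytes(b"\x00ENCRYPTED\x00")
        (bad / "config" / "app.ini").unlink()

        return {"good": verify_restore(manifest, good), "bad": verify_restore(manifest, bad)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is deliberately independent of the backup tool: whatever software produced the copy, the restore test reads the files back and compares hashes. Schedule it against a restore into scratch space, not against the backup media itself, so a mounted-and-encrypted USB drive like the one in the CPA story above is caught before you need it.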
It is unclear whether the ransom was paid or whether the IT team was able to restore from backup. Assisted by computer forensics experts, SEMOMS determined that the affected server contained names and x-ray images and that the server had been accessed by an unauthorized individual. No evidence was uncovered to suggest that any patient information was accessed or exfiltrated by the attackers, but the possibility of unauthorized PHI access could not be discounted. Consequently, notification letters have been sent to all individuals whose protected health information was potentially compromised.

Healthcare Administrative Partners phishing attack impacts 17,693 patients. The good news is that they responded quickly, resolved it quickly and notified the impacted people quickly.

Yesterday: Kalispell Regional Healthcare sued over a 130,000-record data breach. Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients. The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, and medical and health insurance information; approximately 250 individuals also had their Social Security numbers exposed. The phishing attack occurred in May 2018, but it was not initially clear which patients, if any, had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised. All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers were compromised. One of the patients whose personal and health information was compromised is now taking legal action over the data breach. So this is another avenue where
healthcare providers need to be aware that not having proper HIPAA programs in place could cost you more money: you're looking at a potential fine from the OCR, and now you're being sued as well.

Nebraska Medicine was reported on December 4th; I already talked about that earlier. Solara Medical Supplies, also on December 4th: Solara Medical Supplies sued over a 114,000-record data breach. Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system. Solara, a supplier of medical devices and disposable medical products, discovered the breach on June 28th, 2019. While it was initially believed to involve one email account, the investigation revealed that several Office 365 accounts had been compromised for approximately six weeks, starting on April 2nd. So they hung around, and in several email accounts. The types of information exposed include names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit and debit card numbers, passport numbers, state ID numbers, driver's license numbers, passwords and login information, claims data, billing information, and Medicare and Medicaid IDs. Customers affected by the breach were notified in November. So this is a breach that was discovered in June with no notification until November; under the Breach Notification Rule that is a failure, and you'll learn why in a moment.

And finally, the last one this week: phishing attacks announced by Comprehensive Sleep Care Center, McLaren Health Plan and Ivy Rehab Physical Therapy. I reported these on the cybersecurity daily earlier this week, but all three were compromised by phishing attacks, again. That's going to do it for the HIPAA roundup this week. Stay tuned for the
education piece.

HIPAA Education: The Breach Notification Rule

Alright, thank you for hanging around. If you're here, then you want to know more about HIPAA, and in this case the Breach Notification Rule. I will tell you that you can go to hhs.gov/hipaa and get all the information you want for free. I know there are courses you can take and books you can buy, but it's all on hhs.gov/hipaa, so if you're so inclined you can hop over there and do a lot of reading, and it is a lot of reading. Going forward, I intend to include a HIPAA education piece on the weekly podcast every week. This week we're going to talk about the Breach Notification Rule. The reason I'm bringing it up is that what I've noticed in the last few months is that a lot of HIPAA breaches fail when it comes to following the notification rule; in one case the OCR fined the healthcare provider for failing to follow the Breach Notification Rule. It's not complicated. I will address the part about Connecticut in a moment; in reality, in Connecticut you're going to end up following the rule as it is put in place by the federal government, by HHS. I'm going to read it from HIPAA Journal only because it's a little easier to understand there than it is on hhs.gov.

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA-covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Business associates that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and the actions that must be taken following a breach. Business associates, like myself: a lot
of them are not going to be familiar with the Breach Notification Rule; they aren't even going to be familiar with HIPAA in general. Where that becomes a problem is if they cause a breach or are breached themselves (and they probably will be, because they're not familiar): they're not going to know what to do, and in most cases they probably won't say anything, which is an even bigger issue. So you want to work with a vendor who is familiar, at least to some degree, with HIPAA. I don't expect an HVAC vendor to have their head filled with HIPAA rules, but they should have enough familiarity to know that they need a BAA (business associate agreement) and, if they do somehow come across PHI, to know what to do with it.

Issuing notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance; failure to comply with the HIPAA breach notification requirements can result in a significant financial penalty, as we have seen. With this in mind, HIPAA Journal compiled a summary of the HIPAA breach notification requirements for covered entities (the rule's section numbers are cited there). The HIPAA Breach Notification Rule requires covered entities and their business associates to report breaches of electronic protected health information and of physical protected health information, so it sits on top of both the Privacy Rule and the Security Rule. A breach is an access, use or disclosure of protected health information in a manner not permitted by the HIPAA Rules. HIPAA breaches include unauthorized access by employees as well as by third parties, improper disclosures, and the exposure of protected health information in ransomware attacks.

Exceptions include breaches of secured protected health information, such as encrypted data. So in the case of theft of, for example, laptops or thumb drives (I don't know why you would have health data on a thumb drive), if those drives are encrypted then you're okay, as long as the
key is not accessible to the person who steals them. Also excepted: any unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of the covered entity or business associate. In other words, if I as the business associate accidentally view protected health information, that does not need to be reported, assuming I don't use it for anything else; that is, the acquisition, access or use was made in good faith and within the scope of authority (I'm resolving an IT issue, or running a HIPAA audit or security risk assessment) and does not result in further use or disclosure. Also excepted: an inadvertent disclosure by a person who is authorized to access PHI to another member of the workforce at the organization who is also authorized to access PHI, and a disclosure where the covered entity or business associate has a good faith belief that the information could not have been retained by the person to whom it was disclosed. In those cases the notifications are not in play.

In the event of a reportable HIPAA breach, the breach notification requirements are as follows.

Notify individuals impacted or potentially impacted by the breach. You cannot just assume that the 10 people in the email account you think has been compromised are the only people who could be affected; you need to notify anybody who could potentially be impacted. That notification needs to be done with a written letter within 60 days of discovery. What we're seeing a lot of is that the healthcare provider waits until a complete forensic analysis is finished, but the letters still need to be sent within 60 days of the discovery of the breach, unless a request to delay notifications has been made by law enforcement. That doesn't occur often, but it could happen. In such
cases, notification should be sent as soon as that request has expired. While it is permissible to delay reporting to HHS for breaches impacting fewer than 500 individuals until 60 days after the end of the calendar year, the individuals themselves still have to be notified within 60 days.

The HIPAA breach notification requirements for the letters include writing in plain language (this wording is from HIPAA Journal; the HHS text is obviously a little more legalistic and harder to understand): explaining what has happened and what information has been exposed or stolen, providing a brief explanation of what the covered entity has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.

Notify HHS. Notifications must be issued to the Secretary of the Department of Health and Human Services via the OCR breach reporting portal. The requirements differ depending on how many individuals have been impacted by the breach. If 500 or more individuals are affected, the maximum permitted time for issuing a notification to HHS is 60 days from the discovery of the breach, although notifications should be issued without unnecessary delay. The language used to say "in a reasonable amount of time"; because some people think a reasonable amount of time is months or years, it now says you have up to 60 days, but you really shouldn't use all 60 days. In the case of breaches impacting fewer than 500 individuals, the HIPAA breach notification requirements call for notifications to be issued to HHS within 60 days of the end of the calendar year in which the breach was discovered.

Notify the media. You're not off the hook
yet. The breach notification requirements also include issuing a notice to the media. Entities that have experienced a breach of health information and have notified HHS, the relevant state attorney general, and the patients and health plan members impacted by the breach, but failed to issue a media notice, are in violation of the HIPAA Breach Notification Rule. So simply not reporting to the media could put you in violation, and apparently that happens quite often. A breach of unsecured protected health information impacting more than 500 residents of a state or jurisdiction must be reported to a prominent media outlet in each of the states and jurisdictions where the breach victims reside. This is an important requirement, as up-to-date contact information may not be held for all breach victims. In other words, your healthcare provider may not have the most up-to-date contact information for you as a patient (I imagine this is why they always ask you every 6 months to update your information, even if it hasn't changed). The media notice helps to ensure that all breach victims are made aware of the potential exposure of their sensitive information. As with the notification to HHS and to breach victims, the media notification must be issued within 60 days of the discovery of the breach.

Post a substitute notice on the website. In the event that up-to-date contact information is not held for 10 or more of the individuals impacted by the breach, the covered entity is required to upload a substitute notice to its website and link to the notice from the homepage. I checked a recently breached Connecticut provider; I don't know whether they lacked up-to-date contact information for 10 or more individuals, but they did not have this link on their homepage. The link to the breach notice should be displayed prominently and should remain on the website for a period
of 90 consecutive days. In cases where fewer than 10 individuals' contact information is out of date, alternative means can be used for the substitute notice, such as written notice or notification by telephone.

Data breaches experienced by HIPAA business associates. Yes, business associates, you're not off the hook either. Business associates of HIPAA covered entities must comply with the HIPAA breach notification requirements and can be fined directly by HHS (as I'm sure we're going to see in the case of the MSP that was compromised, followed by its clients, all nursing homes) and by state attorneys general for a HIPAA Breach Notification Rule violation. Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of the breach. While this is the absolute deadline, business associates must not delay notification unnecessarily, because remember that it is the covered entity that will most likely have to report (I'll get to that in a second), and they also have only 60 days. Unnecessary delay in notification is a violation of the HIPAA Breach Notification Rule; in other words, you need to report immediately. It is usually the covered entity that will issue notifications to affected individuals, so any breach notification to the covered entity will need to be accompanied by details of the individuals impacted. It is good practice to issue a breach notification to the covered entity rapidly and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of the business associate agreement, a business associate may be required to make the notifications to affected individuals itself.

Timeline for issuing breach notifications. Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when delays are requested by law enforcement. Investigating a breach of
protected health information can take some time, but once all the necessary information has been obtained to allow notifications to be sent, the letters should be mailed. HIPAA-covered entities must not delay sending breach notification letters; it is possible to receive a HIPAA violation penalty for delayed notifications even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties. Now for Connecticut: notice must be provided to the State Attorney General and to patients within 90 days, although healthcare providers are required to issue breach reports within 60 days under the HIPAA Rules, so you have to follow the 60-day rule in Connecticut too.

Penalties for violations of the HIPAA breach notification requirements. HIPAA-covered entities must ensure the HIPAA breach notification requirements are followed, or they risk financial penalties from state attorneys general and the HHS Office for Civil Rights. In 2017, Presence Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation, after it exceeded the 60-day maximum time frame for issuing breach notifications. Presence Health took three months from the discovery of the breach to issue notifications, so roughly 90 days. I don't know where Presence Health is located, but in Connecticut that would be acceptable under the state rule, except that you also have to follow the HHS rule. That delay cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1.5 million, or more if the delay is more than 12 months, so you could be fined up to a million and a half; in this case Presence Health was fined $475,000. Depending on the healthcare provider that might be a drop in the bucket, but for a 10-person practice (a doctor, nurses, administrative staff and so forth) $475,000 is a big chunk of change.
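To make the timelines above concrete, here is an added Python example (not from the podcast or from HIPAA Journal) that takes a breach as discovered and works out which notices are due and by when: the individual letters, the HHS report (60 days from discovery at 500 or more affected, otherwise 60 days after the end of the calendar year), media notices in each state with more than 500 affected residents, the 90-day website substitute notice when 10 or more people have stale contact details, the business associate's report to the covered entity, and a law-enforcement hold. The breach records are constructed, and the model is a simplification of the rule built for illustration.

```python
"""Added example: simplified HIPAA Breach Notification Rule deadline calculator."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_WINDOW = timedelta(days=60)   # outer limit from discovery
SUBSTITUTE_NOTICE_DAYS = 90          # website substitute notice must stay up this long
HHS_IMMEDIATE_THRESHOLD = 500        # 500 or more affected: report to HHS within 60 days
MEDIA_THRESHOLD = 500                # more than 500 residents of a state: media notice
STALE_CONTACT_THRESHOLD = 10         # 10 or more unreachable: website substitute notice


@dataclass
class Breach:
    discovered: date
    residents_by_state: Dict[str, int]            # affected individuals per state/jurisdiction
    stale_contacts: int = 0                       # affected individuals with no current address
    discovered_by_business_associate: bool = False
    law_enforcement_hold_until: Optional[date] = None

    @property
    def affected(self) -> int:
        return sum(self.residents_by_state.values())


def end_of_year_plus_60(d: date) -> date:
    """Deadline for the annual HHS report of breaches under 500 individuals."""
    return date(d.year, 12, 31) + NOTICE_WINDOW


def notification_plan(b: Breach) -> dict:
    outer = b.discovered + NOTICE_WINDOW
    if b.law_enforcement_hold_until and b.law_enforcement_hold_until > outer:
        # Law enforcement delay: notify as soon as the requested hold expires.
        outer = b.law_enforcement_hold_until

    plan = {
        "affected": b.affected,
        "individual_notice_by": outer,
        "hhs_notice_by": (outer if b.affected >= HHS_IMMEDIATE_THRESHOLD
                          else end_of_year_plus_60(b.discovered)),
        "media_notice_states": sorted(s for s, n in b.residents_by_state.items()
                                      if n > MEDIA_THRESHOLD),
        "media_notice_by": None,
        "website_substitute_notice": b.stale_contacts >= STALE_CONTACT_THRESHOLD,
        "website_notice_remove_after": None,
        "alternative_substitute_notice": 0 < b.stale_contacts < STALE_CONTACT_THRESHOLD,
        "business_associate_report_to_ce_by": None,
    }
    if plan["media_notice_states"]:
        plan["media_notice_by"] = outer
    if plan["website_substitute_notice"]:
        # Post no later than the letters go out; keep it up 90 consecutive days.
        plan["website_notice_remove_after"] = outer + timedelta(days=SUBSTITUTE_NOTICE_DAYS)
    if b.discovered_by_business_associate:
        plan["business_associate_report_to_ce_by"] = b.discovered + NOTICE_WINDOW
    return plan


# Constructed cases (numbers and states are made up for the example).
LARGE = Breach(date(2019, 6, 28), {"CA": 90000, "NV": 24000, "TX": 300}, stale_contacts=12)
SMALL = Breach(date(2019, 11, 6), {"CT": 120}, stale_contacts=3,
               discovered_by_business_associate=True)
HELD = Breach(date(2019, 11, 6), {"CT": 600}, law_enforcement_hold_until=date(2020, 2, 10))

if __name__ == "__main__":
    for name, b in (("large", LARGE), ("small", SMALL), ("held", HELD)):
        print(name)
        for k, v in notification_plan(b).items():
            print(f"  {k:<38} {v}")
```

The LARGE case reproduces the shape of the Solara breach above: discovered June 28th, so letters, the HHS report and the media notices in the two states with more than 500 residents are all due by August 27th; a November notification is two months past the outer limit. The SMALL case shows the annual HHS report for a sub-500 breach landing 60 days after December 31st, while the individual letters (and the business associate's report to the covered entity) are still due within 60 days of discovery.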
So that's the Breach Notification Rule under HIPAA, and that is going to do it for this episode of ProactiveIT. Until next week, stay safe and secure.

Scott Gombar
