This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus Weak Passwords, schools targeted by ransomware and HIPAA Right of Access Explained.
This is Episode NINE! Cue the entrance music.
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Patch Tuesday Update:
Apple and iOS
Drupal should be updated to address critical vulnerabilities. Update to the latest release (Drupal 7.69, 8.7.11, or 8.8.1) to prevent remote hackers from compromising web servers.
WordPress plugin 301 Redirects – Easy Redirect Manager should be updated to 3.45.
Cyber Security News
New Orleans Suffers Ransomware Attack, Emergency Services Intact. Based on information uploaded to VirusTotal the attack appears to be the Ryuk Ransomware strain.
Emotet being circulated via Taylor Swift Pictures, Greta Thunberg Demonstration Invites and attackers posing as German Authorities.
Maze ransomware responsible for attacks on Pensacola FL, Allied Universal and Andrew Agencies in Manitoba CA.
Topic 1: Dentists & HIPAA https://nwajtech.com/proof-that-dentists-need-hipaa-compliance-with-1-case/
Topic 2: Ring Cameras Hacked. Who is at Fault? https://nwajtech.com/ring-cameras-hacked-who-is-really-at-fault/
Topic 3: More than 1000 Schools in the US Hit With Ransomware in 2019 https://www.bleepingcomputer.com/news/security/ransomware-hit-over-1-000-us-schools-in-2019/
HIPAA Corner: HIPAA Right of Access Deep Dive
This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus weak passwords, schools targeted by ransomware and HIPAA Right of Access explained. This is episode 9. Cue the entrance music.

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com.

Well, it was inevitable. I recorded the Patch Tuesday segment a couple days ago because there were no new updates to report, and there still aren’t for the operating systems, but Google Chrome should be updated to dress a newborn, so update; you should be on version 79. I think it’s 3:45. 88. There is an update available for Drupal, so if you’re using Drupal you’re going to want to update to either 7.69, 8.7.11 or 8.8.1, and that’s to address so I’ll be busy for the hackers to compromise web servers. There is an update available for the WordPress plugin 301 Redirects – Easy Redirect Manager. Update that immediately, because it is a vulnerability that allows any authenticated user, including subscribers, to be able to edit, modify or delete 301 redirections. Obviously that can take your site down, so you should be on 301 Redirects – Easy Redirect Manager 3.45. There is an update for SharePoint out, for a few different versions of SharePoint, so you’re going to want to make sure that your SharePoint version is on the latest version. There is any issue with some of the older version look at those are taking care of. That’s going to do it for the Patch Tuesday segment.

Let’s jump right into the news for the week, and there is a lot of news. Emotet is currently being circulated via Taylor Swift pictures, a Greta Thunberg demonstration invite, and there are also
attackers posing as German authorities. Now the Emotet gang is changing attack tactics, and just so this was reported on December 19th, so it’s kind of late, but ahead of winter holidays approaching fast, the authors of Emotet have made changes that may increase the revenue for the holidays. One of the modifications refers to the URI structure X used to check into command and control servers; another changes the malware delivery method. Checking in to C2 servers: in late November, security researchers at email security company Cofense Labs noticed that Emotet code on the client’s side no longer used Random House based on a word list of Connecticut. Introduced in early 2019, the structure was discarded in favor of single Advantage strings of at least four characters or more careful look at this real the path was actually key from the key value here in the post form data. They’re bringing back old tactics. Following a summer break, Emotet operators restarted activity in September, delivering emails with malicious attachments. This was a shift in tactic, as previously they make basic mineral supplement ask that proved to be an efficient delivery method. The researchers say they’re using link-based templates again, probably an attempt to maximize victim count ahead of the winter holidays. So ask for the pelo pelo trip out Remains the main course of the bacon Trojan is still so I could I chose in the recent campaigns. The researchers say they observe heavy distribution, which would indicate one last effort to make money for the winter break. So that’s the Emotet roundup. Maze ransomware is making up for something last week or so; they are responsible for attacks on Pensacola, Florida municipalities, Allied Universal and Andrew Agencies in Manitoba California. Those are the reported attacks just in the last week. Next, 267 million Facebook users’ phone numbers exposed online, not just phone numbers book phone numbers out of Sarah Baker serve research believed 
that criminals were able to obtain personal information from millions of Facebook users to some threatpost in this was not a Facebook database or before you start your own a Facebook again exposing Finance phone numbers in Facebook user IDs and millions of proper music was left unsecured on the web for nearly two weeks before it was remove security Richard researcher babichenko along with compare attacked discovered the unsecured elasticsearch database start a criminal organization as opposed to Facebook to check or went to the internet service provider managing the void I’m sorry the IP address of the service so that the access could be removed and fishing expand its Gaillard Via SMS according to the Thursday report Facebook users should be on the lookout for suspicious text messages even at the center knows your name or Service Commission about you be skeptical of any unsolicited unsolicited messages so if you’ve ever used text messaging for Facebook and you start getting them you should definitely more December 4th and was discovered by researchers on December 14th while the database is now unavailable on the IP address to a hacker Forum as download on December 12th out there now that being said little ad hoc here if you believe your your information is private and put your using social media you’re mistaken I know Facebook came to lesser extent some of the other social media platforms that really you know we’ll take talking to his taking it going to be at 2 if you’re on social media or not private your information is out there most likely your phone number and your email address maybe even just your home address fall out there a lot of people who believe their information is not found on the internet and I do a quick Google search and there it is and they’re Blown Away by that call that so at least for now I know there’s a regulations coming in for now don’t expect New Orleans update on the New Orleans ransomware attack I recorded the song Money it was reported 
last week and ransomware at this what I think it was reported after I did after I recorded baby. So you want me to get some for a ransomware attack. They did not at first acknowledge that it was a ransomware attack. They did not report anything, but they did declare a state of emergency and shut down services. They left emergency services up. Based on information that was uploaded to VirusTotal, a little digging around, and security personnel were able to determine it was the Ryuk ransomware strain. There was still no indication as to whether or not there was a ransom request ever made, or if it ever reached the City of New Orleans, and if it did there is no indication as to what the amount rent requests at what was The Ransom of suggested to restore services. As of now it sounds like New Orleans is back up and running as expected. Louisiana is there really Louisiana getting hit with ransomware attacks. What else can I tell you today? We got New Jersey’s on threat was New Jersey’s largest hospital system pays up in ransomware attack, so also know that dreads were attacked at Ashley did not get reported as a ransomware attack to said there was an outage so ransomware attack earlier this month Lego hospital system through schedule surgeries are in an appointment. New Jersey’s largest hospital system said that it has paid hackers a ransom after a ransomware attack disrupted IT services earlier this month. Hackensack Meridian Health, a six billion dollar nonprofit health provider system based in Edison, New Jersey, operates 17 hospitals; the system told media outlets on Friday that it was targeted by a cyber attack on December 2nd, crippling its computer software systems for nearly five days. So obviously we talked in the previous podcast about the threat to human life when ransomware attacks like this occur, and if the hospital attacks are going to a club and it is going to be with stop it. There are ways to mitigate your risk, and it does not sound like the hospital was 
doing anything to mitigate the risk there’s always going to be bad guys and if we’re not prepared for those bad guys then we’re going to his house in Aries like this Warehouse Fort Worth of Seventeen hospitals are down for five five days or more and that will create Potential Threat to life threat to human life instigation of shore because we don’t know if that has at this point if that it was was lost as well also talked about this during the week at post Alexa and Google home that was discovered earlier this year once after researchers to disclose a new way to explain a glove Alexa and Google Home Smart speakers to spy on users some say researchers have now warned at Amazon what are those things researchers now on the Amazon and Google have yet to create effective ways to prevent the he’s dropping back to the surface when October goes close the smart spies hack which enables he’s dropping Force fishing or using other voice other using people’s voice cues to determine passwords tour prep post this week that little has been done to prevent to ask when being launched nothing has changed part 2 notes manager director of security research lab rats are allowed for short by Shocking given more how many users are exposed to possible threats right now it’s been more than five months and she’s persistent so how does it work the vulnerability first disclosed months ago lies in your small apps created by Developers for devices to extend their capabilities skills for Alexa cause actions on Google home according to report bias fertilizer which is sufficient stop by the way the airport password through surgery said the Hackler verge of something called fall back content which is when the voice app cannot assign uses most recent spoken command to any other cat instead offers help or alexios of the researchers also Leverage The built-in stop and 10th which reacts to the user saying stop researchers first built in seemingly a. 
In Oculus app which was submitted to Amazon and Google review and published after the review researchers were able to change the welcome message up speakers to a fake error message and made your voice app set the character sequence in the stairs. You plus t801. Space with Chris the? With a fact since there’s sequences unpronounceable to speak remain silent while active making it our say the characters multiple times increases the length of the sourest intercept using the strip researchers were able to launch various attacks Quizlet questions user password by playing with tissue message after the science of eavesdropping on Jesus by faking to stop at content so interesting compromise you been no response from both Google and Amazon a message and obviously they have a corrected of course if according to us are Labs so we’ll have to wait and see so using either one of those voice speakers voice activated speakers going to want to make sure you’re using well trusted skills price of the next story was sent to him by a listener of the show thank you Bill on vice.com researcher releases that are on 100,000 phishing attempt to teach you how to not get hot so this is actually pretty cool massive data set can help teaching understand fishing better at security researcher who specializes in track and government hacking attempts published 25 gigs of data on 100,000 phishing attacks on Monday the fishing attack is legitimate see me but fraudulent email or website that tricks a Target into sharing their personal information like username and password would that happen fishing is incredibly, when is tax people and carry-out cyber-espionage corporations fishing is the primary tax collector in 32% of all data breaches analyze the Verizon for anal data breach an incident-response report Claudio guarneri work says Amnesty International and has been tracking targeted attacks against dissidents and activist for almost a decade published the data set the help of the researchers track 
hackers and to help cybersecurity Educators use the Miz real world example so that’s really cool because fishing is such a dominant threat for targeted groups I normally work with I have been working with the last year’s on a number through 1 and services to me you didn’t respond to such attacks or nurse who has contributed All Aboard bro in a blog post where we shared a link to download the data set up here torrent guarneri explain the archive contains a data set data basa fish in your rolls their corresponding HTML data and future screenshots of the fishing page work with people to teach their child she recognized phishing email phishing websites and 90% of our Ransom attacks ransomware attacks begin with a phishing email so you’re going to want to share that share that information and maybe use it as a tool to teach your employees how to recognize a phishing attack and who knows your business and find the last bit of news there is a post on side where this came from a researcher at North pass called that so 25 most common passwords phone from preachers in 2019-2019 so here’s a list if you want to change in order from 1 to 25 1 2 3 4 5 1 2 3 4 5 6 1 2 3 4 5 6 7 8 9 test 1 1 2 3 4 5 7 8 0 underscore check out and check you spell Czech ASDF 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 uppercase and lowercase a 1 2 3 4 5 6 I love you all over kiss want you to for a b c 1 2 3 1 1 1 1 1 1 1 2 3 1 2 3 dubsmash test princess Sunshine uppercase D lowercase V test123 and then one one one one one if you’re using any of these passwords and sure the reason ring cameras are getting hacked and Disney Plus accounts getting hacked the number one password on it on the reach list is still one two three four five dad is a a big big big No-No that’s going to wrap it up for the news we’re going to move along to our top hot topics for the week so stay okay let’s talk about some hot topics it first thing I want to talk about so two of these are Broncos going to watch website.com go all the way to 
the bottom of the page will see the new Explorer post or from the top-right christiansborg and you’ll arrive at our blog post the most recent one is proof that dentist new HIPAA compliance with one case so I have spoken I speak to a lot of dentist in my area or audit Services IT services if they have a recent security risk analysis because a lot of things just don’t believe that they need to be under the umbrella this put it like that so I’ve had a couple of pushback on me one of them. Put it up there forms under what sign are can be compromised very easily SSL TLS on their website and so if any Phi would it be transmitted through that form then they text you put the patient at risk for email account Gmail or Hotmail. A joke I’ve seen all of these things just in Connecticut so a lot of Texas don’t believe that they need for the day fall into the hip bone broth and they were wrong and I can prove it and you’re so here’s my blog post does my dental practice need to be hipaa-compliant after speaking to me I can provide that the practices the consensus is dentist believe that they do not need to comply with HIPAA regulations so I thought it was time to discuss put an end to the date so that one of the biggest reasons I brought it up is because there have been at least three big britches this year involving dentist first one in the most recent one is a colorado-based MSP managed service provider was compromised by attackers and then the attackers use their remote support software to connect to more than a hundred dentist to launch ransomware attack so those 100 + dentist some of whom are still down where it reach some of them paid Ransom The Ransom request wasn’t just one Ransom request me to pay 1 and then there was another several layers of encryption that needed to be dealt with in the thought was that the attackers did this because they didn’t want the dentist to share that you need to cook in case to earlier this year too soft to dental software service provider 
we’re priests from the other attackers were able to launch ransomware I’m more than 400 Florida bus on one of the software companies provide a backup services for the dentist which meant they had no ability to restore from the back up now or let me talk about history so you know if your dental dentist you don’t want to pay attention PM Consultants which is an oregon-based name is cheap to providing IT consulting services to dental practices in their area kuta software updates backups backups they were a victim of ransomware attack in July it was reported that dental practice customers in Oregon and Washington were able to access patient files the company owners announced in late so PM Consultants of PA email to send an email saying they’re shutting down their business partially due to the ranch parents there was a partially do it was totally do they couldn’t handle the back glass that can’t help it couldn’t handle the financial responsibility and of course they’re their reputation took a big hit because it did happen through the the Escape as of October 28th three months after the attack PM Consultants website continues to go offline and the phone is disconnected of course I pulled this from armors website so 1, theme in all these tax was the lack of security for the place by the embassy and is peeing mostly in the form of multi-factor authentication. 
What am I talkin about if you using any type of remote support software so obviously you want to try to minimize the amount of on-site time because that’s extremely expensive so we all use remote support software that remote support software allows large computers and help is needed to the patching when when you know businesses is closed, just fix it remotely that software should have multi-factor authentication so it should be one or two things you should either be somebody on the other side giving you a code to put in to be able to access that device which is not always easy to deal with because a noise there 24/7 and be sometimes it’s difficult to walk to the end user through that process take a knee take stop or you use some type of secondary authentication to connect so in the case of water tech we use by Biometrics so the both section gets initiated a thumbprint needs to be put in to connect and there’s only certain people that have that ability to use that thought so dentists are obviously targeted big targets okay why are you so important to bring these up a dental practice are being attacked and could conceivably be held liable under the regulations especially if there’s no business associate agreement that is helping you with your computer or network your device is your supposed to have a business associate agreement in place with them in that business associate agreement is responsible for this is what any contractors to be vendor might have a responsibility for this is what the back of vendor is responsible for and on and on and on the reporting rules will be in this document on your Odyssey have to follow HIPAA guidelines for reporting but they’re there may be more guidelines in the paa all of these things need to be in agreement signed between the it vendor in a dentist to put that they’re providing service to through your work come in contact with Phi protected health information yes dentist how protected health information many Texas worried that 
they’re not helped to HIPAA standards for patient privacy I asked first signs of weak security and your lack of pick up those practices without even a security risk assessment p.m. to do so I know there was just taking a look up quick look I’m able to see HIPAA violations things I’ve seen include in just the last two months using free email accounts on Gmail Yahoo Hotmail and one case they are not having a secured website I have a secured website even if there is no communication so if you have communications transforms and so forth your website is supposed to be supposed to have a TLS certificate are in smethwick Google I don’t even say at this point Google volume of the Porsche website on Google search results if they do is won’t you won’t be very high in the search results leaving work stations are unlocked and unattended go back to the security if your website doesn’t have a TLS certificate which is for the most part pretty easy to install then it tells me you’re not taking the necessary precautions in your practice either, because it’s a simple fix and if it’s not done you sending a message of a short I saw one dentist website that was just a complete disaster I don’t even know how anybody can navigate to say finally leaving work stations unlocked and unattended I did witness this early on a weekday morning walk ins with interest there was a reception area was three or four computers nobody was there was early nobody was sitting in the front by the reception area the reception area is kind of a walk around so you can see it’s not not your normal reception area that’s kind of blocked off this one was not blocked off Zolo countertops and every computer was on. 
Nobody was there dentist will insist they don’t need to follow HIPAA best practices I even have wanted this tummy flat out that they don’t fall under HIPAA guidelines and then you have no intention of doing anything about so how do you know dentist are required to be hipaa-compliant well it is really simple there was a HIPAA penalty early this year a fine it was a lot of fun is $10,000 / what’s more important is that they were fine by your starfrit providers violation was they responded to a Yelp review with Phi original interview file the complaint with a violation that was just one more complaint and you’ll see our was investigated now if you are busy dental practice $10,000 coming out of his heel but I was going to be breathing down your throat and they’re going to be looking into you or Hippa or HIPAA program make sure they’re going to check to see if you have a serious security risk assessment and have you had one in each of the last 5 6 7 years I did that a check to see if there is any education going on in regards to HIPAA and they’re going to check to make sure you’re safe guard efficient information and if you’re not doing these things important to start once this is going back in the burg years but they had a wide-open Wi-Fi network no password on it at all they said all this is the only want to keep it open for I guess but the problem is that same Wi-Fi router was connected to their internal Network and so there for anybody to Pacific so that one $10,000 penalty tells you that there was you are good that Dentistry following Under the Umbrella you need to have in Hip Hop now if you’re not if you don’t have a plan in place and you’re completely being negligent and you could be fined up to $50,000. 
How many records do you have so you need to get it together dentist you really do and I feel free if you are in Tennessee to come and share it with you get this practice in your area I would kind of tend to stay away from that maybe I don’t know maybe if they have a hundred plus dentist check to use make sure there was an MFA authentication check to see if check to see if if you want just give me a call give me a call the numbers on the website and I’ll tell you what you need to check for I won’t even charge you for that piece of information okay at the end of the day hip is not about fines and guidelines it’s about patient care and right so the patients are the ones that aren’t going to end up paying with each of one of these breaches and there are a number of switches for dentist need to get together dentist alright so there’s been a lot of news about Ring cameras last week or so Rick here is being hacked data breaches and I’m so I’m going to get you a data leak that was exposed I believe it is reported yesterday but I wrote a blogpost because the ring cameras are not being hacked that is false news fake news hashtag take who’s really at fault so many cameras hacked was really at fault and it hasn’t been all over the news the last few days almost every news title something along the lines of recant his heart causing hysteria and household the mainstream media there’s no doubt that the cases were where this happened are scary videos for surface on the internet, talking to each other and other family members to ring camera imagine purchasing camera I hope it’s only to have a strange thought man talking to each other through them I’d be very uneasy with it I would Lucy sleep I already don’t lose sleep thinking about their clients with him security but was really the play so I’m going to give you a little fresh course also called house with stuff in a stuffie because you need not just a password or the username credential stuffing 101 I’m going to separate the media 
to purchase the responsible media that reports is 3 accurately and they are responsible for what they will get you to click so I’m trying to get numbers so they’re going to stick in a spinach in a way that’s going to get you to read the responsible group includes terms like credential stuffing this is great but what is Kenosha suffix you understand pass yourself and you must first understand what one part of the dark web dark web is like the black market on the internet what are the items you can purchase some dark web is list of usernames and passwords off and on covered during she just Out Of Reach has for example 2012 170 emails and passwords wasn’t until 2016 is still used today to compromise other accounts on the internet how do I know if I know this because I ain’t the password I used to use for LinkedIn was on that list and fortunately just another application that I use recognize that the password is on that list and told you so that wasn’t supposed to know I I close to monitor this thing so now I know why I don’t use the same password anyway but secondly I know how to check my commercial accounts are being proactively monitor for that type of leaks in so I can we do offer that service if you were interested in that service dark web scanning give me a call it’s the second time I’ve got you to give me a call attackers I refuse to call the Packers because you’re not really hacking anyting they use these this to try to compromise try to compromise credentials on other websites and online resources many people likely use the same credentials for LinkedIn and Facebook for example she did a purchase on dark web you can easily find out if there’s a leak under stuff on this blog post to the dark lipstick and the so the initial scan is for you by the way and then we do monitoring unless there’s a monthly charge for that what does that have to do with ring cameras all over the Internet to the end user wants to ring cameras connected to network you can connect to them 
remotely through an app or website to do the camera feed your act interact with anyone that is in view of the camera you have probably seen the commercials of the homeowner scaring off would-be criminals by talking to them through their wings or the premises to go to ring camera for obviously other histories summary camera owners use a can of to talk to their pets while they’re not home others might use that to get home from school and lots of positive uses for rent cameras and other security cameras with ease of use comes of risk comes reska with Easter views from Drake all the speakers are great but they come with an inherent risk anything that is exposed to the internet and has potential for compromise ring cameras and other iot devices in Iowa to use Internet of Things are no exceptions or Internet of things through your smart speakers smart smart TVs any smart devices in my house I know the microwave now that connects it to your refrigerator to connect to any device that connects to the internet in fact there are more at risk than computers are almost always almost always immediately there’s a patch for it that is not the case with iot not yet we cameras however are the exception to the rule who’s at fault as was the case with Disney Plus accounts being compromised your end users end users at fault. 
It was reported that every case of ring camera being compromised credential stuffing is used to know there was someone crab usernames in the form of email primary camera app or website in a lot of cases that failed and some they did succeed is at fault for not using the more popular password policy that includes not using Packard it may not know they may not know no better go to Simply didn’t consider all the results of not taking care of more secure with password usage on a Better Property policy to factor authentication Ramirez DFA I’m here is to up there also can also be enabled whenever DFA and NFA is an option you should use it utilizing this could have mitigated the weak password and avoided the problem of the I don’t recommend using a password password significance lowercase numbers special characters and as long as possible security should give you peace of mind on the first floor of an apartment of an apartment or a used to work until 2 a.m. one night I came home to find my document to open the curtain knocked down and it smokes in your head in the bed with missing can you learn I interrupt someone breaking into my apartment with another missing this is a little unsettling I can’t imagine how it must feel to have your private home like broken it’s actually a device intended to make it more secure scariest top of everyone’s mind because we also want things to be easy security is everyone’s responsibility now as an addendum yesterday was reported that a data leak exposed to personal information of / 3 listen to the show shared this with me access to view cameras in somebody’s home that’s a real serious potential invasion of privacy right back 3672 ring camera owners work out by this week exposing login email passwords time zones and the names people give two specific cameras which are often the same as the cameras location such as bedroom house for the last 4 digits and security code and Intruder could also access live camera footage from all active green 
camo associated with an account as well as 30 to 60 days Video Extra depending on users cloud storage clearance we don’t know how is this information was leaked recognize any claims that the data is compromised as part of the preacher drink systems a ring spokesperson declined to tell BuzzFeed news what is the cable where do they occur or weather affected third party that ring you just to provide services ring has not had a data breach of security team has investigated these incidents and we have no evidence of an unauthorised intrusion or compromise Rings systems or network the spokesperson said it is not common for Bad actors to harvest data from other companies data breaches our credit looks like this so that other Bad actors can attempt to gain access Play services so what could have happened is credential stuffing so so somebody may have tried I thought you were cameras books does username or password to see if they work and just kept the list of the ones that did work so again not the fault of rain sounds like and not not on behalf of Amazon soap strong passwords multi-factor authentication don’t reuse passwords that’s Dad’s the resolution there are final topic today ransomware hit over 1000 US schools in 2019 reported on bleeping computer Just Cause 3 days ago since January 1039 schools across the USA potentially hit by ransomware attack after 72 School District educational institutions have publicly reported being a ransomware victim according to reports and Security Solutions provider are 11 of the total number of impacted us school district have their systems affected by ransomware simply October with 226 schools being directly affected as a result of the 11 School District in the last attack wave only one has reported being having paid the ransom but did not disclose the song that was Port neches-groves three or four to have refused to pay that was what County fencing Penn Harris and Madison Clermont Penn Harris Madison and in Claremont 7mm not revealed 
when they're paying the ransom or not, which is probably the best policy. since the firm previously reported a September that over 500 years school girl hit by ransomware attack effect of effective schools in under 3 months, according to Armor stats. So it's clear that schools are a target. To understand the impact a ransomware attack can have when it hits a school district, just even if the case of Las Cruces Public Schools in I thought of all roughly thirty thousand district devices complete the schools as well as full hard drive Watson operating system install struts. That's a lot of work. Louisiana's governor in late July following a huge wave of ransomware attacks that targeted the state's school districts. So I guess, as I said earlier in the show, Louisiana's taking a beating this year.
Well, the 11 school districts are here. So we've got Wood County Schools in Parkersburg, West Virginia; Port Neches-Groves Independent School District in Port Neches, Texas; Penn-Harris-Madison School Corporation in Mishawaka, Indianapolis, Indiana; Livingston New Jersey school district in Livingston, New Jersey; Chicopee school districts in Chicopee; Claremont Unified School District in Illinois; Lincoln County in Brookhaven, Mississippi; San Bernardino City Unified School District in San Bernardino, California; and Las Cruces Public Schools in Las Cruces, New Mexico.
Overall, spending all of the actors, Armor says that it is identify that it to identify Pelican Smurf attack reports for 269 North Shore renovation since January first victim with a two reports, closely followed by education activities with 72. So that's a lot of schools and colleges getting hit. with a report published in December 12th 2018 at 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected. So they're reporting an even bigger number. which one is the medication so he's As I reported in the Cyber Security Daily, there is no legislation in place, or not in place but being proposed: the K-12 Cyber
Security Act. Against the background of ransomware attack city school frequently, two senators have introduced the K through 12 Security Act. The act comprises guidelines to protect schools from ransomware attacks. Senators Gary Peters of Michigan and Rick Scott of Florida, who are members of the Senate Homeland Security and Governmental Affairs Committee, are responsible for introducing this legislation. Schools are becoming a popular target for ransomware attacks; in fact, more than 1,000 educational institutions fell victim to infections in the first nine months of 2019, according to Emsisoft. Payroll information, details of staff and students, and medical records were at risk because of these infections.
How's the act going to help? So the act requires DHS's CISA, which is the Cybersecurity and Infrastructure Security Agency, to study the cyber security risks associated with K through 12 education institutions. CISA must then develop an online toolkit and recommendations that would aid schools in preventing ransomware attacks. Although it doesn't provide funding, it would provide a framework for schools to follow. play the saying the schools across the country are entrusted with safeguarding the personal. 
Of the students and faculty, but lack many of the resources and information needed to adequately defend themselves against sophisticated cyber attacks, said Senator Gary Peters in a statement. of our students and teachers proud to sponsor the K through 12 Cyber Security Act of 2019 to further protect school students and educators and give them the resources they need to stay safe. cigarettes got issues by various experts. So at least there is something made in a quart. you have Cobra iradar Cobra, which is going to be the US version of GDPR, so good news on that front. I don't know, education, I think it's going to be an important component of that. You're going to need to address it head-on with the score sheets, teach the students how to recognize an attack as well. Something I do at home with my kids, and I think it's important to do with your kids. So if you're not teaching the kids how to recognize things on social media and email and, you know, texting and all that, you should get a jump on it, because it used to be we had to worry about our neighborhood; now we have to worry about the world. So keep that in mind when you send your kids out there with a smartphone. do it for our interpretation of the show. Hope you enjoyed that piece. We're going to move on to the HIPAA breaches for the week.
It's time for the HIPAA breach roundup. So the first one to talk about: HIPAA Journal posted the November 2019 Healthcare Data Breach Report. we have already surpassed it's so generous in November. This year is by far the second biggest year for healthcare breaches, breached records, number represent a breach. 2015, still not even close to 2015, but no other year is close. For November, I'm going to quickly go through the list of the provider, covered entity, and the location of the breach and the type of breach. Ivy Rehab Network Inc. and its affiliated companies is a healthcare provider, under 25000 records impacted through hacking or IT incident, and the location was an email. 
Solara Medical Supplies LLC, healthcare provider, 114000 + 7, hacking/IT incident, email. Saint Francis Medical Center, healthcare provider, a hundred 7054, hacking/IT incident, and that was an electronic medical record, network server. Southeastern Minnesota Oral & Maxillofacial Surgery, healthcare provider, 80,000 records, hacking/IT incident, network server. Elizabeth Family Health, healthcare provider, 28375, paper/film. Brooklyn Hospital Center, healthcare provider, 26212, hacking/IT incident, network server. Utah Valley Eye Center, healthcare provider, 20,000, units in a desktop computer. Loudoun Medical Group DBA Comprehensive Sleep Care Center, healthcare provider, 15575, hacking/IT incident, email. Choice Cancer Center, healthcare provider, for 2673, hacking/IT incident, email. And in Arizona, Arizona Dental Insurance Services Inc. DBA Delta Dental of Arizona, health plan, 12886 records impacted, hacking/IT incident, email.
So of the one, two, three, four, five, six, seven, eight, nine, 10 listed here, five of them were email. That means phishing is still happening and we're still storing documents in email. Theft was caused a breach by tons of November to, access or disclosure seven times, and then hacking/IT incident 21 times in November. Location of the breached information: are there once, are there portable electronic device plays, network server for, email 17 times, 17 times a personal 7, electronic medical records for, laptop three times. this package is quite not sure how to stop unless it was compromised. That's a quick rundown of November.
I reported this in the Cyber Security Daily this morning: CMS Blue Button 2.0 coding bug exposed PHI of Medicare beneficiaries. CMS has shut that down. No word of whether or not, no idea who may have compromised it, but it was reported that 10,000 records were exposed. That was this morning.
Email security breaches reported by Conway Medical Center and Equinox. So 1021 concert Equinox Inc. notified of PHI exposure. Equinox, an Albany, New York based provider of services to individuals suffer from 
teak chemical dependency, mental health issues and domestic abuse, virus has discovered that you know cancel two of its for his happiness is by unauthorized individuals. that is true. Which was discovered by on July 6th 2019 when suspicious activity was detected in a digital environment. Its systems were immediately secured and third-party cyber security experts were engaged to investigate the breach. Equinox was informed on August 28th that clean out cap a Connex about authorized individuals affecting you my parents were reviewed to determine whether they contained any patient information. Equinox was informed on October 9th that the protected health information of 1021 current and former clients had potentially been accessed. Affected individuals were notified on December 6th. So if you go by their original breach date, which is July 26th, took the morning today, so not good there. But if they don't drive when they can be determined that there was PHI involved, then it doesn't succeed a row.
And the email accounts of several employees at Conway Medical Center, South Carolina, open our final throes individuals. The phishing attack was detected on October 7th and affected email accounts were immediately secured to prevent further unauthorized access. external service. 
Chavez get to breach and determine whether patient information had been viewed or require. Investigators determined that the first email accounts were compromised in or before July to 17th November 20th for investigators to confirm that protected health information of patients had been exposed. as if you know how to be affected determine whether contain PHI have an axis axis; that was largely a manual process. It doesn't say when they notified patients here, but they do say that they were notified, so I'm not sure when.
Tidelands Health recovering from malware attack. Tidelands Health in Georgetown, South Carolina is working around the clock to restore its computer systems after the discovery of malware on its network on December 12th. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. It has been using paper records for patients while the malware is removed and systems are restored. So I don't know if there's no one takes it as if it was restored yesterday. That was a week ago, 8 days ago, but it does not indicate what the malware was, and it's not clear, they said there's no data loss, but it's not clear if it was ransomware or if it was something else.
Stolen Children's Hope Alliance laptop computer contained the PHI of 4564 patients. that's so. Springs, North Carolina based healthcare provider Children's Hope Alliance is notifying 4564 patients that some of their protected health information has been exposed. 
It was stored on an employee's laptop computer which was stolen on October 7th 2018. Third-party computer forensic investigators have been engaged to determine what information was stored on the laptop. The investigation is ongoing, but preliminary findings indicate documents on the device contained names, addresses, Social Security numbers, tax ID numbers, dates of birth, medication and dosage information. Notifications will be sent to affected users, affected individuals, sorry, when the investigation has been completed. At this stage no evidence has been found to indicate any patient information has been accessed. And it was reported stolen on October 7th, so it's only been two months. quickie just uploaded to a database for someone to discover much to know. Doesn't sound like it's encrypted; doesn't say here, but if it is encrypted then they don't have to report. So once again, something still happening in late 2018: we're going to have unencrypted devices with PHI on them. All devices should be encrypted.
Truman Medical Center notifies 114466 patients of potential PHI exposure. Truman Medical Centers, which provides inpatient and outpatient services in Kansas City, Missouri, has discovered the information of 114466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees. So here we go again, another one. This occurred on July 18th 2018. I don't know why, but it took until October 29th 2019 to determine that patient information was stored on the device. Kind of silly, 'cause it shouldn't take that long; you know it is or you know it's not. Either way, they did not meet the 60-day mark.
Stolen BlackBerry contained the PHI of $0.24 thousand for December 7th patients of La Clinica de La Raza. This is in California, August 20th 2018. I don't know, A, why anybody's still using BlackBerry at this point, and B, why is it, I don't know, can you encrypt a BlackBerry? I'm not sure. You can encrypt email and
that those emails contained names, birth dates. So technically it was on the email. The BlackBerry device was stolen and the device had unencrypted emails, without, sounds like there wasn't even a password on the device. and that's like two patients were notified of the breach by mail on December 13th, so also did not report within 60 days.
And finally, we talked about it earlier in our cyber security news: Hackensack Meridian Health recovering from ransomware attack. Not going to go into details on that, but look for that to be, it doesn't say how many records were impacted, but look to see that potentially texture sometime or the year after as far as penalties go. All right, that's going to do it for the HIPAA roundup. We will conclude with the HIPAA education piece now, and you're so wonderful right I got the rights of access for patients.
Okay, it's the moment you've all been waiting for: this is the HIPAA education portion of the show. This week we're going to talk about right of access. the short version of the rule all regulations, but the short version of the rule is that if a patient requests their medical record, electronic medical record, a covered entity, which would be the healthcare provider, has 30 days to provide that information. If for some reason they need more than 30 days, then they have to notify the patient within 30 days that they need more than 30 days, and they will have no more than 60 days to supply that health record to the patient. That health record should include, or can include, health information, medical and billing records. 
So now the long version of the rule, which can be found on hhs.gov. we're going to go through HIPAA breach violation announcement about the similar case of one case caught one person claimed that they did not receive their healthcare record a $5,000.
So, the general right. The Privacy Rule generally requires HIPAA covered entities, health plans and most healthcare providers, to provide individuals, upon request, with access to the protected health information about them maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated emergency of the individual. So if you want to, and I'm going to get, you want to see a different doctor, you want to go see a specialist, and you could send that information to that doctor; you can request that information to be sent to the doctor. Individuals have the right to access information maintained by the covered entity, or by a business associate on behalf of the covered entity, information was created for electronic systems on-site, remotely, or is archived, or where the PHI originated.
So some general information. Individuals have a right to access PHI in a designated record set. A designated record set is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the medical records and billing records about individuals maintained by or for a covered healthcare provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or other records that are used in whole or in part by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access. The term record means any item, collection or grouping of information
that includes PHI and is maintained, collected, used or disseminated by a covered entity. so upset because the information not used to make decisions about individuals, so it could be kind of a gray area there. It may include certain quality assessment or improvement records, patient safety activity, planning, development and management records that are used for business decisions more generally rather than example. Performance evaluations, or health clinic quality control records that are used to improve customer service, or formulary records may be generated from and include an individual's PHI but might not be in the covered entity's designated record set and subject to access by the individual.
Two categories of information are expressly excluded: psychotherapy notes, which are personal notes of a mental health care provider documenting or analyzing the contents of the counseling session medical records (45 CFR 164.524(a)(1)(i) and 164.501); and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. However, the underlying PHI from records or other records used to generate the above types of excluded records or information remains part of the designated record set and subject to access.
Plus, if you need your medical records, that include billing or medical record and history, then absolutely you should get it within 30 days in the requested format, or if you sent to someone else, to another doctor or something along those lines. However, if that would be for the improvement of the healthcare provider, for example houses of the healthcare record by the insurance provider, then that would not be included. Or if you request psychotherapy notes, seeing a therapist or a psychiatrist, and they've made notes outside of what's being documented within the chart, or information that is used in a lawsuit of some type or criminal investigation of some type, you would not be able to get those. The PHI that's involved in those things is absolutely yours
otherwise you would not be able to get those.
Requests for access. You can request access in writing; a covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement ahead of time. In other words, you go to the doctor, you fill out this form ahead of time to inform you of your HIPAA rights (it's kind of ironic 'cause it's usually on paper), and then they also inform you that you have a right to your records and how you would go about getting those records. Now, to tell you from my own experience, I've had to go to the doctor and say I need you on the records for this for myself these records and they will charge of the Beatles $5. Now we have access through an app that they provide, they don't provide when a third party app and I left her going there and we don't do no other need to request them through.
So covered entities also may offer individuals the option of using electronic means, so there you go, email, secure web portal, to make requests for access. In addition to shove identity Mary quite a bit just use density Zone supply for but if you see the phone does not create a barrier to or unreasonable delay the individual form. Privacy Rule for too much today; that will be a future episode. But essentially they need to be able to verify you are who you are, and accidentally driver's license, state ID, passport, like that. unreasonable measures by the price will be required. if I know they tell you got to use the report open; if you don't have access to the internet on a regular basis, then they have to provide other access to your birthday. wanting electronic format, they should be able to give it to you in electronic format. show Zaragoza kind of barriers.
see what else is Sophie's that's the other piece to receive a summary or explanation of the information. The fee may include only the cost of labor for copying by the individual, whether in paper or electronic form; supplies for creating a paper copy or
electronic form; postage, when the individual requests a copy or summary or explanation be mailed; and preparation of an explanation or summary of the PHI, if agreed to by the individual. The fee may not include other costs not listed above. So that's the federal. There may be some things that the state also requires, but that's the federal law, for access rights to your medical records or those that are in the care. Like I said, I think I paid $5 once or twice for records and I never paid more than that, that I'm aware of.
Grounds for denial. Under certain limited circumstances, a covered entity may deny an individual's request for access to all or a portion of the PHI requested. In some of these circumstances, the individual has a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny.
Unreviewable grounds for denial: the request is for psychotherapy notes, as I mentioned earlier, or information compiled in reasonable anticipation of, or for use in, a legal proceeding. An inmate requests a copy of his or her PHI held by a covered entity that is a correctional institution or healthcare provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, safety of correction officers, employees or other persons at the institution or responsible for transporting of the inmate. retains the right to request resizing near designated record set that as part of a research study that includes treatment and is still in progress, provided the individual agreed to the temporary suspension of access. Privacy Act protected records, for example certain records under the control of a federal agency, which may be maintained by federal agency contract, is consistent with the requirements of the act. The PHI was obtained by someone other than a healthcare provider, for example a family member of the individual, under the promise of confidentiality, wish you
would be likely to reveal the source of information.
Reviewable grounds for denial: the access requested is reasonably likely to endanger the life of the individual or another person. The ground for denial does not extend to concerns about psychological or emotional harm. access requested a reasonably likely to everybody referencing PHI. The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.
Individual's right to direct their PHI to another person. An individual also has a right to direct the covered entity to transmit PHI about the individual directly to another person or entity designated by the individual. The request to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request, for example PDF, as well as an electronically executed request via secure web portal that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing PHI in the form, format and manner requested by the individual, apply when an individual directs PHI be sent to another person.
that provides access to the PHI higher than the Privacy Rule, or that are contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply. to know where is it in the state of Connecticut reply.
What else can I tell you here? There's some questions and answers I'm not going to go through. But so that's the right to access your own healthcare records, PHI, protected health information. And for this episode of the podcast, so until next week, I won't talk to you before Christmas on this podcast, so until next week, have a Merry Christmas and stay secure.