Posts Tagged ransomware

10 Common HIPAA Violations and How to Avoid Them


For health care providers, arguably your most valuable asset is your patient information. Patients assume you will protect their private information. Unfortunately, many practices are not implementing even the basic safeguards required under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, Consumer Reports recently warned their subscribers (your patients) that they need to protect themselves from improper handling of protected health information (PHI) by hospitals, doctors and insurance companies. HIPAA compliance should not be a one-time, “set-it-and-forget-it” process. Instead, protecting the privacy and security of patient information should be a culture lived and implemented by the organizational leaders and followed by their employees. Risks are no longer insignificant. Fines range from $10,000 per incident up to $1.5 million per year. The reputation of the practice can be crippled if a data breach occurs and proper protocols aren’t followed.

10 Common HIPAA Violations, and How to Avoid Them 

  1. No Updated Policies and Procedures:  HIPAA requires documentation to show you understand what is required by law and your practice has the policies and procedures in place. It’s a best practice to purchase a set of policies and review them with your team annually. You can also subscribe to a service like OfficeSafe where policies are online, employees can log in anytime, and updates are automatic.
  2. No Risk Assessment on File:  You must perform an adequate risk assessment to determine your vulnerabilities. HIPAA does not define “how” an assessment needs to be performed; it only states you need to document your risk level, key vulnerabilities and plans to fix them. Having a risk assessment on file and showing you are making progress implementing key safeguards required under HIPAA will materially mitigate your risks.
  3. Lack of Employee Training Documentation:  Employees are the first line of defense for your practice. Employees also make human errors. Making training a priority is key to creating a culture of compliance for your practice. Employees can also watch for phishing scams and risky behavior by other employees, help identify privacy issues, and more.
  4. Loss of a Device:  Losing a laptop or mobile device that stores PHI is a HIPAA violation unless you can prove the data stored was encrypted and/or the device was secure. To mitigate risks, don’t store PHI on these devices and set up controls to wipe data from mobile phones if they are used inside your practice.
  5. No Emergency or Incident Response Planning:  HIPAA law now requires that every practice document an Emergency and Incident Response Plan. Also, with all of the hurricanes, fires, ransomware attacks, and other incidents, it makes sense to document your plans in case an emergency does occur. HIPAA requires: 1) a Data Backup Plan, 2) a Data Restoration Plan and 3) an Emergency Mode Operations Plan.
  6. A Ransomware Attack:  Your patient information is valuable to a hacker. If obtained, they sell it on the Dark Web. Phishing scams lead to ransomware attacks, and not only can this harm your practice, but a ransomware attack is also considered a data breach under HIPAA. Your patients may have to be informed unless a forensic investigation can prove data was not accessed. For more information on preventing a ransomware attack, see Top 10 Ways to Fight Ransomware.
  7. A Credit Card Data Breach:  Every practice handles patient credit card information. A Payment Card Industry (PCI) violation can also end up being a reportable breach under HIPAA. Securing and properly handling credit card data is imperative. Don’t store any credit card information in QuickBooks, Excel or any other software. Also, make sure you are PCI certified and using EMV devices to limit chargeback liabilities.
  8. Violations Under the HIPAA Privacy Rule:  Too many health care professionals do not have a clear understanding of The HIPAA Privacy Rule. Not only does PHI need to be secure, but it also needs to be kept private. Practices need to have an updated Notice of Privacy Practices shared with patients and posted in the practice. Also, employees need to understand under what circumstances PHI can and cannot be shared. It’s important (and the law) to designate a HIPAA Privacy and Security Officer for the practice. They can learn the basics and quickly mitigate behaviors that may be leading to unnecessary risks.
  9. No Encryption Safeguards:  HIPAA does not state you have to use encrypted solutions, but it’s a good idea. Your PHI should be backed up using an encrypted solution. It also should be backed up in the cloud with multiple days of backup sets. Also, when e-mailing PHI, you should be using an e-mail encryption service. Encryption mitigates human e-mail error and also protects against unauthorized access to data.
  10. Lack of Compliance Documentation and Execution of Business Associate Agreements:  We often see practices struggling to execute their Business Associate Agreements, Employee and Patient Acknowledgments, Authorizations, and overall HIPAA compliance. Compliance isn’t a he-said, she-said proof exercise. You must have updated policies, procedures, and proof you are implementing the proper HIPAA safeguards.


OfficeSafe was designed to ease the administrative burdens and uncertainties associated with HIPAA compliance and financially protect you in case of a ransomware attack, HIPAA audit, or patient data breach.

Posted in: HIPAA


Phishing Schemes Can Paralyze Your Medical Practice


“Phishing” occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant impact on the health care industry.

What Is “Spear Phishing”?

Spear phishing is a specific kind of phishing that customizes its attack to specific individuals. For instance, the perpetrator may study an individual’s social media profiles and send them an email that appears to be from a co-worker or organization that they belong to. Just as with normal phishing exercises, the goal is for the target individual to click on a fraudulent link or attachment that will either provide the perpetrator with personal information or provide an opportunity to introduce malware into their computer system.

How Are Phishing Schemes Impacting Health Care Entities?

The threat of phishing activities to health care entities has steadily increased. Perpetrators are learning that the types of identifying information that health care entities attain and maintain are the exact types of identifiers they need to participate in a wide range of fraudulent activity from filing false tax returns to credit card fraud. These identifiers include data that health care professionals work with daily, like date of birth, social security numbers and health plan information.

When health care professionals fall victim to these phishing schemes it can threaten their entire organization. With the widespread use of Electronic Medical Records (EMRs), compliance professionals are seeing ransomware attacks on the rise as entity administrators attempt to recover their vital data.

Reduce Your Risk

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of an attack.

Identify Phishing Activity

  • Often these fraudulent emails will have sender addresses that are subtly misspelled. For example, instead of customerservice@regionsbank.com, it may read customerservic@reggionsbank.com. Those variations are small and often overlooked.
  • Be careful about the information that you share on social media. Try not to post personal information like your address, phone number and birth date.
  • Be suspicious about sites that attempt to redirect you to other similar looking websites.
  • If you think an email looks suspicious, contact your supervisor or HIPAA Security Officer so that it can be investigated properly.
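The misspelled-address check described above can be automated on the mail gateway or in a triage script rather than left to each reader's eye. The following is an added example, not code from the original post or from Dunson Group: it parses the From header, folds common look-alike characters (rn/m, 0/o, 1/l), and compares the sender domain against a constructed allowlist of domains the practice legitimately corresponds with, flagging near-misses by edit distance and display names that borrow a trusted brand while coming from an unrelated domain. The allowlist, the confusable table and the sample headers are all assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed allowlist of sender domains the practice legitimately deals with (assumption).
TRUSTED_DOMAINS = {"regionsbank.com", "examplehealthplan.com"}

# Character substitutions commonly used to build look-alike names; folded before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize(label: str) -> str:
    """Lower-case a domain label and collapse visually confusable characters."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, detail) for a raw From header value.

    verdicts: trusted       - domain is on the allowlist
              lookalike     - domain is within max_distance edits of an allowlisted domain
              brand_in_name - display name carries a trusted brand but the domain does not
              unknown       - domain is unrelated to anything on the allowlist
              unparseable   - no address could be extracted
    """
    display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("unparseable", header_value)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return ("trusted", domain)

    # Near-miss domain: compare after folding confusables so regi0nsbank.com scores 0.
    norm = normalize(domain)
    best = None
    for t in trusted:
        d = edit_distance(norm, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best is not None:
        return ("lookalike", best[1])

    # Display-name impersonation: "Regions Bank <anything@unrelated.example>".
    name_norm = "".join(ch for ch in normalize(display_name) if ch.isalnum())
    for t in trusted:
        brand = t.split(".")[0]
        if brand and brand in name_norm:
            return ("brand_in_name", t)
    return ("unknown", domain)


def triage(headers):
    """Classify a batch of From header values; returns a list of (header, verdict, detail)."""
    return [(h, *classify_sender(h)) for h in headers]


# Constructed sample From headers (not real messages).
SAMPLE_HEADERS = [
    "customerservice@regionsbank.com",
    "Regions Bank <customerservic@reggionsbank.com>",
    "alerts@regi0nsbank.com",
    "Regions Bank <support@gmail.com>",
    "friend@gmail.com",
]

if __name__ == "__main__":
    for header, verdict, detail in triage(SAMPLE_HEADERS):
        print(f"{verdict:14} {detail:24} <- {header}")
```

Anything that lands in `lookalike` or `brand_in_name` is a candidate for quarantine or for the escalation to the HIPAA Security Officer that the list above recommends; `unknown` is simply a correspondent the allowlist has not seen, so it should be reviewed rather than blocked outright. The threshold of two edits is a starting point, and a very short trusted domain will need a lower one to avoid false positives.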

Report Phishing Attempts

If you believe that you or someone that you know may have been the victim of a phishing attempt, there are a number of authorities that receive these reports and act to minimize their impact.

  • You may file a report with the Federal Trade Commission (FTC). Reports can be sent electronically at FTC.gov/complaint.
  • Reports can be made to APWG at reportphishing@apwg.org. This is an anti-phishing workgroup that analyzes and fights cybercrimes.
  • Always notify your IT support staff or your HIPAA Security Officer when you believe that you have received a fraudulent email so that they can investigate the email and take action to minimize the threat.

If you have questions regarding phishing and malware, or if you believe that it is time to update your entity’s policies and procedures, please consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA


“WannaCry” Ransomware Holds True to its Name


This week, countries around the world faced an unprecedented cyber security attack. On May 12, 2017, Laura Wolfe, the Critical Infrastructure Protection Lead for the Department of Health and Human Services, first reported it as a “significant security issue.” Hours later, the Department of Homeland Security’s Computer Emergency Readiness Team warned the public of a malware virus called “WannaCry.” As with typical ransomware, an individual would receive an email purposely designed to look like an email sent by a business or individual the recipient may be familiar with, containing either a link or an attachment. Once opened, the virus spreads, giving the attackers access to computer systems and the ability to encrypt the information and extort money from the victim.

What’s the relationship between HIPAA and ransomware?

When a health care entity is the victim of a ransomware attack, the protected health information accessed during the attack is considered to be breached. Therefore, unless the affected entity can prove the information was encrypted prior to the attack, it must go through all of the usual steps to comply with the HIPAA Breach Notification Rule. This includes, but is not limited to, reporting the breach to people whose information was compromised no later than 60 days from discovering the breach. If the breach includes the protected health information of greater than 500 people, there must also be contemporaneous notice to HHS and news media outlets.

Why can’t you just follow the money?

Often, individuals connected to ransomware activity will use a currency called “Bitcoin.” Since around 2009, bitcoin has allowed for the exchange of goods and services without regard to the identity of the sender or recipient. Since there is no bank to act as a conduit, there are no transaction fees, which has allowed the use of bitcoins to increase in popularity among merchants. However, the anonymous nature of the transactions makes them difficult, if not impossible, to trace. This anonymity makes it a currency of choice among hackers.

Who does this affect?

Many health care entities built their information technology infrastructure around Windows XP when it was introduced in 2001. Windows XP was discontinued in 2014 and is no longer supported by Microsoft. As a result, it has not received necessary updates or security patches. Due to its initial popularity, many entities may still have at least one Windows XP device and have been sluggish to fully convert to a more secure operating system. Fortunately, as of the date of this article, experts have been able to identify the threat and dramatically slow the spread of the most recent virus. However, health care entities must be vigilant about addressing these cyber security concerns. Hackers are aware of these vulnerabilities and will continue to use their resources to exploit those weaknesses.

How can you protect yourself?

Make sure that you are using up-to-date antivirus software, and be sure to implement updates and patches as they are made available. Educate your staff on the importance of not opening suspicious emails, and teach them how to look for subtle irregularities hackers often use when they are attempting to pose as someone familiar to the recipient. Additionally, ensure you and your staff never click on links in emails that appear bizarre. A common example is an email from your banking institution that you were not expecting or a link to collect a fictitious lottery prize.

Victims of this cyber crime are encouraged not to pay the ransom because most often the information is still not made available by the hacker. Instead, if you believe that your system has been exposed to this malicious software, please report this threat to authorities. You can begin the process by contacting your FBI Field Office Cyber Task Force by visiting https://www.fbi.gov/contact-us/field-offices. You can also report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

Posted in: Liability
