Posts Tagged security

The Lowdown on Public Wi-Fi


I am writing this from an airplane. Often, when I hop on a plane — particularly for a long flight — I wait for the ascent to 10,000 feet and immediately jump onto public Wi-Fi, just as I do in coffee shops, the dentist’s office, and pretty much anywhere else I can grab a signal. But that was before I spent an hour chatting with Joe Gervais, director of security communications at LifeLock, and part-time hacker (though Gervais points out, he hacks “only for good”). The point of the conversation was to figure out when it’s okay to use public Wi-Fi, when it’s not, and what you can do instead. Here’s what I learned…

What is public Wi-Fi? Any Wi-Fi that’s shared with someone other than yourself and the members of your household. A guest account that’s been set up for visitors to a particular company? Hotel Wi-Fi, free or not? In-flight Wi-Fi? Public, public and public. It doesn’t matter if it’s free or you pay a fee, or if it’s password protected.

Get that? Even if the Wi-Fi network requires a password, that doesn’t mean it’s safe.

What danger does that pose for me? Wi-Fi is a shared medium: every device within radio range receives every frame, not just the ones addressed to it. The default behavior, Gervais explains, is to ignore data that isn’t meant for your machine. But if you’re technically savvy and so inclined, you can, essentially, flip a switch (put the wireless card into a capture mode) and record everything in range. On an open network those frames travel in the clear; on a network protected only by a shared password, anyone who knows that password and observes you join can decrypt your traffic too, which is why the password alone does not make it safe. Most of it, he says, is garbage unless you’re a “network geek, a hacker, or attacker.” Then you can learn things that could be used, for example, in targeted phishing attacks.

For example? Say you’re a veteran, and you’re researching PTSD. You go online to search the terms “PTSD” and “treatment.” Maybe you look up a local treatment center or a Veterans Administration support group. How much information an attacker can glean depends on whether the pages you visit are served over HTTPS.

On a site served over HTTPS (the address begins with “https://”), an eavesdropper can still see which site you connected to, because the hostname is sent in the clear in the DNS lookup and again at the start of the encrypted connection, but not which page you requested, what you typed into it, or what came back. On a plain “http://” site, the full address of every page, every form field you submit and every response travel in clear text. Visit enough sites, though, and even the list of hostnames might give someone enough information to launch a relevant phishing attack against you.
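To make the HTTP-versus-HTTPS difference concrete, here is an added example in Python (it is not from the original article). It constructs the first packet of an HTTPS connection, a TLS ClientHello carrying the Server Name Indication (SNI) field, and a plain-HTTP request, then parses each the way a passive sniffer on the same Wi-Fi would: from the TLS packet it recovers only the hostname, while from the HTTP request it recovers the full path and query. The hostname example.org, the search path and the header values are constructed sample data, and the ClientHello builder produces only the minimal layout the parser needs.

```python
import struct

# Constructed sample traffic (not a real capture): what one HTTPS and one
# plain-HTTP request look like on the wire from an eavesdropper's seat.

def build_client_hello(hostname):
    """Build a minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                            # version, random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(record):
    """Return the hostname from a ClientHello's SNI extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    try:
        pos = 34                                               # version + random
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:
                continue
            lpos = 2                                           # skip list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
    except (IndexError, struct.error):
        return None                                            # truncated/malformed
    return None

def http_request_summary(raw):
    """Return (method, path, host) from a plaintext HTTP request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for field in head[1:]:
        if field.lower().startswith("host:"):
            host = field.split(":", 1)[1].strip()
    return parts[0], parts[1], host

def what_an_eavesdropper_sees(payload):
    """Summarise one captured TCP payload the way a passive sniffer would."""
    host = sni_from_client_hello(payload)
    if host is not None:
        return {"protocol": "https", "host": host, "path": None}
    req = http_request_summary(payload)
    if req is not None:
        return {"protocol": "http", "host": req[2], "path": req[1]}
    return {"protocol": "unknown", "host": None, "path": None}

# Constructed samples: the same search, once over HTTPS and once over HTTP.
HTTPS_SAMPLE = build_client_hello("example.org")
HTTP_SAMPLE = (b"GET /search?q=PTSD+treatment HTTP/1.1\r\n"
               b"Host: example.org\r\nUser-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    for sample in (HTTPS_SAMPLE, HTTP_SAMPLE):
        print(what_an_eavesdropper_sees(sample))
```

The hostname also leaks through the DNS lookup that precedes either connection, so even HTTPS does not hide which sites you use from someone on the same network; it hides what you do there.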

Even installing apps on public Wi-Fi is to be avoided. An attacker on the same network who can tamper with unencrypted traffic could pose as the app or its vendor, tell you there’s an update, and use that lure to phish for personal information: your financial details, for instance, if you were downloading a bank’s app. Install apps from the official store over a connection you trust, and treat an update prompt that appears in a web page rather than in the store as suspect.

This is getting very scary. You’re telling me. But there are a few things you can do to keep yourself safer.

  1. Limit your behavior on public Wi-Fi. Don’t do anything on your browser that you wouldn’t do if a stranger was sitting next to you staring at your screen, Gervais says. That means no transacting. It also means not sending emails that contain sensitive information. You’re better off picking up the phone or, if that’s not possible, texting.
  2. Use a VPN app. VPNs (virtual private networks) come in app form for your smartphone and tablet, and as software for your laptop. A VPN wraps everything your device sends in an encrypted tunnel to the VPN provider’s server, so nobody on the coffee-shop network can read or tamper with it. Keep in mind that the provider now sees what the local network would have seen, which is why the choice of provider matters. Some good ones include WiTopia and F-Secure Freedome. You will find plenty of free ones in the app store, but Gervais cautions: “If you’re not paying for the VPN, you the user, are the product.”
  3. Use your hotspot. If you don’t want to go the VPN route, use cellular data on your phone and, for your computer or tablet, connect using the personal hotspot on your phone. Now that many of the cellular carriers are going to unlimited data, you can feel better about using it freely.

Oh, and while you’re at it, make sure your home Wi-Fi network uses WPA2 encryption with a strong password, and change the router’s default administrator password. You don’t want neighbors “borrowing” your bandwidth, slowing your internet connection, or, if they’re so inclined, seeing what you’re doing online.

Contributed by LifeLock, which is a partner with the Medical Association. Medical Association members receive a discount on LifeLock memberships. Click to learn more.

Posted in: MVP


How Can You Avoid a HIPAA Mega Breach?


A HIPAA breach often occurs when a health care entity wrongfully discloses the protected health information of a patient or client. These incidents can occur by accident, like faxing patient information to the wrong fax number. They can also be the result of willful or intentional acts, like employees who gather patient information for the purpose of filing false tax returns. They occur in many forms and can affect any number of individuals. Breaches can range in scale from a single individual being compromised to an incident affecting thousands and even millions of people.

The Department of Health and Human Services requires a breaching entity to take specific reporting action based on the number of individuals the breach affects. In the world of HIPAA breaches, 500 is a magic number. Breaches affecting 500 or more individuals are generally considered a HIPAA “Mega” breach. These mega breaches have more stringent notification requirements that could cause your health care practice to be featured on the evening news. Just as with breaches affecting fewer than 500 people, mega breaches require that you provide individual notice to each patient. This often requires staff time as they work to locate each patient’s last known address and send a breach notification letter explaining what happened, who was involved, how their data was compromised, and what the entity is doing to avoid similar incidents in the future. Often, entities will offer their patients credit monitoring for a two-year period to mitigate the breach and demonstrate to the patient that the entity is serious about data security.

Beyond individual notice, these large breaches also require contemporaneous notice directly to the HHS Office for Civil Rights and to prominent local media outlets. Entities reporting these large breaches will deal with immediate issues like loss of business and loss of reputation while also responding to patients and clients who are angry that their information has been compromised.

How can you avoid dealing with a HIPAA Mega breach in your practice?

You Must Perform a Competent and Thorough Risk Analysis. Many compliance professionals refer to this as your entity’s “annual exam.” During this process, you and your team should inventory every system that creates, receives, stores or transmits electronic protected health information (including laptops, phones, backup media and vendor-hosted systems) and assess how each could lead to an inappropriate disclosure. The HIPAA Security Rule requires this analysis; it should be repeated at least annually, and sooner when your IT systems change or your workforce turns over. Entities must remember to document this process and have it readily available to produce to HHS upon request. Failure to perform, document, and/or produce an adequate Risk Analysis is often a sign to HHS that an entity is non-compliant and may lead to a more extensive audit. It is also the natural point at which to judge the adequacy of your cybersecurity controls, including how the entity is protected from malware.

Invest in Encryption. HIPAA categorizes patient data in two ways: (1) secured and (2) unsecured. Entities most often find themselves in trouble when they have a breach of unsecured PHI. The breach notification requirements discussed above, which include notice to patients, HHS and media outlets, apply ONLY to breaches of unsecured data; secured data is exempt. Secured data is data that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption consistent with HHS guidance (which points to NIST standards), so the loss of a properly encrypted device is not a reportable breach. Two conditions matter in practice: the encryption must actually be enabled and meet that guidance, and the decryption key or passphrase must not have been lost along with the device. Encrypting patient data is the ultimate safety net! For example, a nurse uses a business laptop to store patient information of the 550+ individuals treated in her practice. She takes it home for the night and leaves it on the passenger seat of her car. Her vehicle is broken into overnight and the laptop is stolen. If the laptop is unencrypted, she now faces HIPAA breach notification requirements, loss of reputation, and the overwhelming threat of possible fines and lawsuits. If the laptop is encrypted and the key was not with it, she would simply document the occurrence and have the laptop replaced.

Enforce Privacy and Security Policies and Provide Training. Often, the most effective tool in your health care compliance arsenal is a competent and well-informed workforce. Employees must understand how their actions can affect the security of data, along with the consequences of violating policies and procedures. Additionally, having policies and procedures that are customized to your practice demonstrates a serious approach to compliance. Being able to produce copies of the policies and training that employees were required to review and participate in will show that the entity was aware of its risks and sought to avoid or minimize them. An employee who has documented that they reviewed the policies and participated in training, but nevertheless engaged in negligent or reckless behavior, is more likely to be seen as a “bad actor” and not a reflection of a culture of non-compliance within the entity.

Your entity may also want to reflect on how the following devices are utilized and stored:

  1. Hard Drives
  2. CDs/DVDs
  3. Flash Drives
  4. Back-Up Storage Tapes

To ensure that your practice is complying with federal regulations, and for assistance with avoiding or navigating a mega breach, please consult a health care compliance professional.


Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA


Managing Your Practice: Is Your Practice Cyber Secure?


With the increased use of technology in health care comes the increased risk of cyber attacks and cyber liability, as well as regulatory investigations, fines and penalties. Anything created, stored or transmitted electronically is at risk of being compromised by an innocent mistake or – worse yet – maliciously stolen by a criminal.

According to a compilation of data breach statistics, there were 1,673 reported data security breach incidents worldwide in 2015, and 1,222 of those occurred in the United States. Of that total, 374 – approximately 22 percent – were breaches of medical or health care information. This equated to more than 134 million individual health care data records being accessed or stolen by cyberattacks just in calendar year 2015 alone.¹

Many people don’t believe — or understand why — medical information is valuable or at risk.

Medical records are targeted because they contain a wide variety of a patient’s personal information: social security number, financial, health, demographic and family information. This gives criminals many potential uses for the stolen information, including identity theft and applying for credit cards, store accounts, or other lines of credit. But they also use the information to purchase medical equipment and pharmaceuticals that can be resold, or to fraudulently bill health insurers or the government for fictitious medical care by masquerading as health care providers. One cybersecurity expert estimates that a medical record can fetch up to $50 on the black market, while a credit card number may go for as little as $5.²

Big or small, all health care organizations are at risk.

Large health care systems, hospitals, group practices and individual health care providers have all been attacked, but the size of the entity is no clear indication of the size of the breach. One need only reference the HIPAA data breach “wall of shame” to bear out the truth of this assertion. Data breach incidents at very large organizations have exposed anywhere from several hundred to several million patient records. Likewise, cyber attacks on small solo practices — though frequently in the range of several hundred to several thousand — have exposed tens of thousands of patient records with a single breach.

Transition to EHRs, dated systems, and weak security measures pave the way for cyberattacks.

The transition to electronic health records has given criminal hackers more opportunities to steal medical records. The chief information officer for a hospital system in Utah estimates his hospital’s EHR system fends off thousands of attempts to penetrate its network each week.³

Another reason is ease of access. Many hospitals and physician practices are using EHR systems that have not been updated in more than 10 years. While hospitals and physician practices grappled with more urgent matters like ICD-10 implementation and Meaningful Use, robust cybersecurity measures fell down the priority list. Once a hacker penetrates whatever security the system does have, the exposed information is there for the taking.⁴

Cyberattacks on EHR systems take many forms.

In addition to outright theft of medical information, emerging cyber threats also include various forms of cyber terrorism and cyber extortion. Recent reports of ransomware attacks are particularly troublesome. Attackers deliver malicious code, typically through an email attachment or link, that spreads through a target’s computer system, encrypting data files so they can no longer be opened, and then demand payment (a ransom) in exchange for the decryption key. Cybersecurity experts believe health care providers make good targets for ransomware attacks because they do not typically have the advanced backup systems (backups kept offline and tested for restore) and other resilience measures in place that are typical of other types of organizations.⁵

What can you do to safeguard EHRs and protect patient information?

Patient trust in your practice’s ability to protect medical information is critical. To maintain that trust, it is important to have safeguards in place that help prevent data breaches. When implementing or updating an EHR system for your practice, talk to your vendor about cybersecurity. Ask whether stored information is encrypted, both on the server and on any laptop or device that caches it, who controls the encryption keys, and whether connections between your office and the vendor are encrypted in transit. It is also a good idea to determine if, and for how long, the vendor will provide security updates for your EHR software.

You may need to invest more resources in shoring up the walls around your electronically stored and transmitted data. Cybersecurity is a highly specialized area that requires a certain degree of expertise and experience. Your EHR vendor may be able to provide some assistance in this area, but remember their expertise is more about creation and functionality and less about security. Hiring an in-house cybersecurity expert or contracting with a cybersecurity firm specializing in this area may be the best option to protect your practice and your patients.

ProAssurance also helps protect you against cyber liability threats.

ProAssurance is also committed to helping you reduce uncertainty and increase the control you have over cybersecurity — it’s only fair. That’s why we partnered with NAS Insurance Services to provide coverage for certain types of cyber liability risk exposures. This coverage, called CyberAssurance Plus®, is now embedded in your existing ProAssurance professional liability insurance policy and is provided at no cost to you. Through CyberAssurance Plus® you have coverage for Network Asset Protection, Privacy Breach Response Costs and Patient Notification Expenses, Patient Support and Credit Monitoring Expenses, Privacy and Security Liability, as well as coverage for Regulatory Defense Costs and certain Fines and Penalties. This embedded coverage was recently enhanced to also include coverage for Multimedia Liability, Cyber Extortion and Cyber Terrorism, PCI DSS Assessments, and a unique coverage feature called BrandGuard® for lost revenue as a result of an adverse media report or customer notification of a security or privacy breach. Your CyberAssurance Plus® coverage is limited to $50,000 per claim and subject to an annual aggregate limit (determined by group size) for all claims in a single policy year. You may, however, purchase higher coverage limits for cyber liability threats through ProSecure®, which is a co-branded insurance program with NAS Insurance Services that is exclusive to ProAssurance insureds. Through ProSecure® you can purchase an additional $1 million in cyber liability coverage that is designed to work seamlessly with CyberAssurance Plus® coverage already embedded in your ProAssurance policy.

As a ProAssurance insured, you and your staff also have access to webinars, toolkits, bulletins, posters, FAQs, and online training programs to help you address cyber liability risks. For example, you can access:

  • Summaries of major changes to the HIPAA/HITECH Rules (effective September 2013), including required changes to your Notice of Privacy Practices; the expanded definition of Business Associates (with updated sample Business Associate and Vendor Agreements); and patients’ ability to request medical records in electronic form
  • Webinars, tool kits, and sample documents, including basic data privacy/security, encryption, and destruction practices; sample HIPAA Privacy/Security Rule policies and procedures; social media training tools; sample mobile and personal device user policies, procedures, and agreements; and how to implement a data security plan
  • Breach notification requirements under federal and state laws (where applicable); sample HIPAA Breach/Risk Assessment Worksheets; examples of incidents to report, how to report data security incidents, and more

You can access these resources from NAS Insurance Services’ Data Security Risk Resource Website through your proassurance.com account. Please Note: Content on the NAS Insurance Services’ Data Security Risk Resource Website is provided by third party sources. ProAssurance is not responsible for the content and does not consider it to be legal advice.

For more information about cyber liability, cybersecurity, risk management, CyberAssurance Plus® and ProSecure®, contact your ProAssurance representative. Article by ProAssurance, a Platinum Partner with the Association. ProAssurance insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (844) 223-9648 or email riskadvisor@proassurance.com.

SOURCES

1   2015 The Year Data Breaches Got Personal: Findings from the 2015 Breach Level Index. Gemalto website. http://www.gemalto.com/press/Pages/Gemalto-releases-findings-of-2015-Breach-Level-Index.aspx. February 23, 2016. Accessed September 8, 2016.

2   Murphy T., Bailey B. Hackers mine for gold in medical records. The Boston Globe website. https://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting-medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html. February 6, 2015. Accessed September 1, 2016.

3   Humer C., Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. September 24, 2014. Accessed September 1, 2016.

4   Radcliffe S. Patients beware: hackers are targeting your medical information. Healthline News website. http://www.healthline.com/health-news/hackers-are-targeting-your-medical-information-010715#1. January 7, 2015. Accessed September 1, 2016.

5   Conn J. Hospital pays hackers $17,000 to unlock EHRs frozen in ‘ransomware’ attack. Modern Healthcare website. http://www.modernhealthcare.com/article/20160217/NEWS/160219920. February 18, 2016. Accessed September 1, 2016.

Posted in: Management


Don’t Fall Victim to Cyber-Security Disasters


Editor’s Note: This article was originally published in the 2015 Fall Issue of Alabama Medicine magazine

Every day, it seems the news is filled with more and more reports of cyber-security attacks. Unfortunately, the health care community is considered a prime target for those individuals who would seek to gain access to confidential information.

Did you know that stolen medical records can be valued at up to 10 or 20 times that of a credit card number?¹ Compounding this is the ever-growing reliance within the medical community upon electronic and digital systems to capture patient data and deliver medical care. So how can health care providers protect themselves from being the victim of a cyber-security incident?

Assess and Manage Your Risk

Medical providers should have a comprehensive knowledge of where their critical information resides, and of any and all vulnerabilities related to the storage and transmission of the data. To ensure that those in the medical community recognize the threat(s) to confidential information, the United States Department of Health and Human Services mandated within the HIPAA Security Rule that all covered entities conduct a thorough risk analysis to identify all potential vulnerabilities as well as determine the probability and magnitude of a possible security event.²

While a risk assessment should be a formal exercise in which all facets of information security are reviewed and vetted for adequacy, the provider should also establish and maintain a strategy for risk management. This involves implementing proper safeguards to secure information as well as communicating and educating personnel throughout the organization on the policies and procedures which continually mitigate risk. By creating and cultivating a culture of compliance, one can significantly reduce the chance of exposing a vulnerability that could lead to unauthorized access.

Increase Detection Capabilities

Recent cyberattacks in the health care community have exposed a very dangerous trend: Many times, hackers have accessed and begun harvesting data several weeks or even months prior to being detected.³ It is no longer sufficient for medical providers to consider security safeguards, such as firewalls and anti-virus software applications, as “set-it-and-forget-it” mechanisms. Solutions should be implemented to enable the monitoring and detection of breaches that could trigger proper incident response processes quickly and efficiently.

Health care organizations should consider investing in Next-Generation Firewalls. These security devices provide more than just network filtering – they typically offer advanced security features, such as deep packet inspection (where each specific data part that passes through is examined for viruses or other types of malicious software) as well as intrusion prevention systems that monitor network traffic for malicious activity and are configured to actively prevent or block such attempts once detected.

In addition to these technologies, other applications, such as Security Information and Event Management Systems, allow for real-time analysis and monitoring of systems. These solutions can be configured to alert the proper personnel in the event of a suspicious activity (e.g., multiple failed system logins) and allows for the organization to establish a proactive stance against unauthorized access to critical systems.
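The kind of rule a SIEM would run for the “multiple failed system logins” case is shown below as an added example; it is not from the original article or from any particular product. It reads SSH authentication log lines in the common Linux auth.log format, counts failures per source address inside a sliding five-minute window, raises a medium-severity alert at five failures, and escalates to high severity if the same address then logs in successfully, which is the pattern that most often means a password was guessed. The log lines, host name, user names and addresses are constructed sample data; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Linux auth.log / sshd style (not a real capture).
# One address hammers the EHR host and finally gets in; another is normal use.
SAMPLE_LOG = """\
Mar  3 09:14:01 ehr-app sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 09:14:03 ehr-app sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar  3 09:14:06 ehr-app sshd[2211]: Failed password for root from 203.0.113.7 port 51524 ssh2
Mar  3 09:14:09 ehr-app sshd[2211]: Failed password for root from 203.0.113.7 port 51525 ssh2
Mar  3 09:14:12 ehr-app sshd[2211]: Failed password for nurse1 from 203.0.113.7 port 51526 ssh2
Mar  3 09:14:15 ehr-app sshd[2211]: Accepted password for nurse1 from 203.0.113.7 port 51527 ssh2
Mar  3 09:20:40 ehr-app sshd[2290]: Failed password for drsmith from 198.51.100.5 port 40110 ssh2
Mar  3 09:31:02 ehr-app sshd[2301]: Accepted publickey for drsmith from 198.51.100.5 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2016):
    """Turn one sshd log line into an event dict, or None if it is not a login event.
    syslog timestamps carry no year, so the year is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Alert when a source IP reaches `threshold` failures inside a sliding window,
    and escalate if that same IP then authenticates successfully."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    flagged = set()                  # ips that already produced a medium alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["ip"]]
        if not ev["ok"]:
            window.append(ev["ts"])
            while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()     # drop failures older than the window
            if len(window) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"severity": "medium", "ip": ev["ip"],
                               "reason": f"{len(window)} failed logins within {window_seconds}s",
                               "at": ev["ts"].isoformat()})
        elif ev["ip"] in flagged:
            alerts.append({"severity": "high", "ip": ev["ip"], "user": ev["user"],
                           "reason": "successful login after brute-force pattern",
                           "at": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

In a real deployment the same logic runs continuously over the log stream the SIEM collects from every server, workstation and firewall, and the high-severity alert is what should page someone: a burst of failures followed by success is worth an immediate password reset and a look at what that account did next.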

Protect and Secure Mobile Devices

According to the 2014 SANS Health Care Cyber-Security Survey, 52 percent of respondents allow access to health record information via mobile devices. Another 30 percent indicated that sensitive data was being included in instant messaging applications.⁴ As mobile device usage continues to grow, it becomes more and more important for health care providers to implement a mobile device management policy to address and minimize the threat of these devices causing a security incident.

Specific to the mobile device itself, all providers should ensure that both authentication (via password or PIN code) and encryption are enabled on all devices. Furthermore, public Wi-Fi networks should not be used in situations where health information will be transmitted. Secure, encrypted connections, such as SSL VPN should be established when accessing corporate resources remotely. Providers should also implement technologies that can remotely wipe or disable mobile devices that are lost or stolen.

As much as one can try to protect and mitigate risk related to the mobile device itself, the user of the device can still pose a significant liability. In addition to addressing the physical device, organizations should also invest in continuing education and training for users, as well as maintain strict policy and procedures related to the use of the device in providing medical care.

Looking Ahead

The SANS report data shows that the health care industry is slowly starting to make strides and improve when it comes to protecting critical data from attack. However, it has become clear that not only are the hackers getting smarter, but their overall activity and attempts to infiltrate and mine confidential information continue to increase significantly.⁵ A 2014 report in United States Cyber Security Magazine indicated that the health care industry was the target of more cybercrime incidents than any other market, and this trend is likely to continue as hackers start to realize the value of medical information.⁶

Health care organizations will need to continue to thoroughly examine and assess the ways in which they are protecting themselves from attack. Analysis will need to be conducted internally and externally, as associated organizations such as payers, insurers, and other entities within community health care networks will be responsible to each other for protection of medical information. By effectively assessing and managing risk and building a risk framework that addresses all areas of critical data, medical providers can take significant steps towards minimizing the likelihood of a cybersecurity attack.

Sources

  1. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
  2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
  3. http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
  4. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
  5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  6. http://www.uscybersecurity.net/Pages/online_magazine.html

The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Contributed by Nic Cofield, Jackson Thornton Technologies Consultant. Jackson Thornton is a Certified Public Accounting and Consulting Firm and an official partner with the Medical Association.

Posted in: Management
