Uninstall Apple QuickTime

The United States Computer Emergency Readiness Team, or US-CERT has put out a warning that Windows users should immediately uninstall QuickTime, as running the now-unsupported software could expose them to "elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss."

By exploiting vulnerabilities in QuickTime for Windows, cyber attackers could gain remote control of affected systems, the notice says.

"Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets," according to US-CERT. "The only mitigation available is to uninstall QuickTime for Windows."

Specifically, US-CERT points to research by security company Trend Micro, which on Thursday put out an "urgent call to action" that users follow Apple's recommendations about QuickTime and uninstall the outdated video viewing program on Windows machines.

Apple will continue to offer security updates for QuickTime on Mac OS X.
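As an added example (not from the newsletter, US-CERT or Trend Micro), here is a PowerShell check an administrator can run to find out whether QuickTime for Windows is still installed on a machine, by reading the same registry keys that Add/Remove Programs uses; the computer names in the remote usage are placeholders.

```powershell
# Added example: locate QuickTime for Windows via the Add/Remove Programs registry keys.
# Both the 64-bit and the 32-bit (WOW6432Node) views are checked because QuickTime is a
# 32-bit application. Nothing is removed; the script only reports what it finds.

function Test-QuickTimeInstalled {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Each entry with a DisplayName starting with "QuickTime" is reported along with the
    # UninstallString, which is the command Add/Remove Programs would run to remove it.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' } |
        Select-Object @{Name = 'Computer'; Expression = { $env:COMPUTERNAME }},
                      DisplayName, DisplayVersion, Publisher, UninstallString
}

$found = Test-QuickTimeInstalled
if ($found) {
    Write-Warning "QuickTime for Windows is still installed on ${env:COMPUTERNAME}; uninstall it."
    $found | Format-Table -AutoSize
} else {
    Write-Output "No QuickTime installation found on ${env:COMPUTERNAME}."
}

# Fleet check (placeholder computer names): run the same function on remote machines
# over PowerShell Remoting and collect one row per QuickTime entry found.
# $computers = 'WORKSTATION-01', 'WORKSTATION-02'
# Invoke-Command -ComputerName $computers -ScriptBlock ${function:Test-QuickTimeInstalled} |
#     Format-Table Computer, DisplayName, DisplayVersion -AutoSize
```

The report can be saved with `Export-Csv` as evidence that the removal was carried out across the practice.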


Computer Networks of Roanoke, Inc.
Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232
It doesn’t cost anything to talk.


HHS Announces 2016 Protocols for Handling Audits

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits.

The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments.

The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization.

If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of documents to assess compliance.

OCR may choose to assess covered entities on 89 aspects of the Privacy Rule, 72 elements of the Security Rule (administrative, physical, and technical safeguards), and 19 elements of the HIPAA Breach Notification Rule. OCR has detailed the nature of the inquiries that will be made in the published protocol.

OCR has previously indicated that the purpose of the audits is not to catch covered entities that have failed to ensure compliance with HIPAA Rules; instead, the audits will help OCR develop new guidance and issue best practices for covered entities to follow. However, OCR is unlikely to turn a blind eye if major violations of HIPAA Rules are discovered.

Wake up and smell the coffee folks…

  • get your Security Risk Analysis done
  • get it documented
  • create your Policies and Procedures
  • update your Business Associate Agreements
  • fix the problems that you found
  • repeat the process annually

No one is immune. Your Practice is NOT too small.

There is PHI in places that you do not believe have PHI, there are staff members using work-arounds that expose PHI to others, there are employees who do not understand and sometimes do not care, you have PHI on your Smartphone, at your answering service, with the transcription service…

PHI is everywhere. Find it. Protect it.




Don’t let this be your Physician.


Backup And Disaster Recovery (BUDR)

One of the requirements of HIPAA is that you have a Disaster Recovery Plan in place that allows you to recover patient data in an emergency.


The purpose of contingency planning is to establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. The goal is to ensure that organizations have their EPHI available when it is needed.

The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

The Contingency Plan standard includes five implementation specifications.

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Two More Hospitals Struck by Ransomware, in California and Indiana

Both Alvarado Hospital Medical Center and King's Daughters' Health say that quick response times appear to have minimized potential damage.

The steady drumbeat of ransomware attacks continued with new reports of two hospitals forced to fight off malware that froze IT systems.

San Diego-based Alvarado Hospital Medical Center was hit by a "malware disruption" on March 31, the San Diego Union-Tribune reports. A spokesperson for the 306-bed hospital confirmed the cyber attack, but would not say which systems had been affected.

Alvarado was the third hospital owned by Prime Healthcare Services to be hit with malware in March; Chino Valley Medical Center and Desert Valley Hospital had also been affected by viruses but were able to recover systems with minimal disruption and without having to pay ransom.

Meanwhile, another hospital, this one in southeast Indiana, said it proactively powered down all its computer systems on Wednesday, after discovering that a single employee's file had been infected with the Locky ransomware virus.

King's Daughters' Health officials told Indiana's WSCH radio that patient data was secure and had not been compromised, and that it would restart its computer systems once it is safe to do so. In the meantime, KDH is using manual processes to continue operations.

Linda Darnell, the hospital's senior director of IT, told the station that ongoing staff education about these evolving cyber threats had helped employees act quickly to contain the Locky virus once it was found.

Editorial Comment

These ransomware attacks are coming from “phishing” emails. Criminals send the emails to your staff; when a staff member opens the email and its attachment or link, the infection begins.

You must train your staff:

  • not to click on website links that they are unsure of
  • not to open emails unless they recognize the sender and were expecting the email
  • not to open attachments unless they were expecting the attachment

Data Breach Preparation

  1. Wake Up
  2. Prepare To Be Breached
  3. Beware of Insiders
  4. Don’t Miss Breach Warning Signs
  5. Limit the Amount of Data You Store
  6. Keep Reviewing Access Permissions

10 Red Flags That You Are Not HIPAA Compliant

  1. You have failed to complete a Security Risk Analysis and update it regularly
  2. You have not documented your organization’s threats and the safeguards you have in place for each
  3. You have not created HIPAA Security Policies
  4. You bought guides, templates or toolkits and you have yet to implement them
  5. You are missing the documents referred to in your Policies
  6. You did not write Policies for the addressable standards
  7. You are missing an Implementation Plan to fix the problems found in your Security Risk Analysis
  8. You have not documented any of your HIPAA activities
  9. You have not reviewed your ongoing compliance
  10. You have not evaluated any new technology added to the Practice or any change to the Operations

$150,000 HIPAA Fine

“...not adopted sample Security Rule policies and procedures...”

“…the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software”

$50,000 HIPAA Fine

“...had not conducted a risk analysis… did not have policies or procedures to address mobile device security”

$1,975,220 Fine

“…previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time”

Breach Costs per Record $398 in 2015

“The cost of data breach sets new record high”

Cyber Liability Insurance Claim Denied

“Insurer cites cyber policy exclusion to dispute data breach settlement… failure to follow minimum required practices”

Lose 54% of Your Patients

“54% very likely or likely to change providers following a data breach”

$1.44 Million Dollar Verdict Against Walgreens

“Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens Co. and one of its pharmacists who shared confidential medical information about a client that had once dated her husband”

Folks, this is not getting any better. Your IT firm needs to have a layered approach to protecting the physical network and you need to be conducting rigorous staff training to educate your people about email, phishing and ransomware.

I.T. Cannot Stop all Threats!

There are new malware and ransomware variants coming online daily and the hardware and software we use cannot possibly know about a brand new, “zero day” threat. If you are unlucky enough to be the very first person that it is sent to, then YOU have to be educated well enough to say: “This email looks suspicious. Let me call the IT people and ask about it”.

Your staff needs to be the first line of defense by not clicking on that suspicious email.