November Worst Month for Healthcare Data Breaches
The Office for Civil Rights reports that there were 57 reported data breaches in the month of November, more than any other month since they began keeping records.
August was the 2nd worst month, with 42 breaches reported.
Healthcare providers topped the list with 40 incidents followed by healthcare plans with 11 and Business Associates with 3 breaches. Others accounted for the balance.
The takeaway here:
Covered Entities and Business Associates should:
Conduct an enterprise-wide Security Risk Analysis that is accurate, comprehensive, and thorough. By conducting a risk analysis that identifies vulnerabilities to the ePHI in their enterprises, they can identify the vulnerabilities of their current authentication methods and practices, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach (if it occurs) can impact their business and mission. This process helps entities rate the level of the risk and determine (based on their risk analysis.
Is your IT Vendor HIPAA compliant?
Your Vendor should be able to easily and quickly provide:
- A copy of their most recent (within 1 year) Security Risk Analysis
- A copy of their HIPAA Policies and Procedures
- Copies of their employees HIPAA Training certificates (within 1 year)
If they cannot do this, they are not HIPAA compliant and each time they login to your network, you have a reportable breach of ePHI.
There are a LOT of IT firms who are ignoring these rules. At a September HIPAA meeting in Washington, DC, Jocelyn Samuels, Director of the HHS Office for Civil Rights, stated that if your Business Associate fails an audit, YOU fail the audit.
1 Billion Yahoo Users Data Compromised
Yahoo has just disclosed that their data breach of 3 years ago compromised the records of One Billion (yes, Billion with a “B”).
This information is now for sale on the Internet.
Not only were the user names and passwords compromised, but the backup email addresses, phone numbers and security questions with answers were also part of the breach.
So, anyone knowing your mother’s maiden name or your first dog’s name can reset your password and take over your Yahoo account.
At this stage of the game, your safest bet is to close your Yahoo account permanently. At minimum, change your password now and invalidate your security questions.
And, all of you are aware that you have no Business Associate Agreement with Yahoo, which means that you have not been using Yahoo (or any other free email account) to send or receive ePHI (electronic Protected Health Information).
Using a free email service without a signed Business Associate Agreement and without encrypting the data, would be a reportable data breach.
Get Out of Jail Free
Full Disk Encryption (FDE) is the Office for Civil Rights equivalent to Monopoly’s “Get Out of Jail Free” card.
Here is what I mean:
If your medical offices loses a laptop or other portable device or the device is stolen, you have to prove to OCR that there was no ePHI on the machine.
On the other hand, if you have implemented Full Disk Encryption (FDE) on the device, then you do NOT have to report the loss to OCR.
File and folder encryption is NOT adequate. It must be Full Disk Encryption in order to rise to the level necessary.
Security Training Program
We are putting the final touches on a new program that will allow us to send sample phishing emails to your staff, see who opens them, report back to you who your “clickers” are, and then send them to an educational class about phishing emails.
Let us know if you have an interest in this program as an addition to your ongoing HIPAA Staff training.
Also, if you need a HIPAA Security Risk Analysis performed, give us a call to talk about it. We are Certified HIPAA Security Professionals (CHSP) and can get you on the right road with your compliance program.
Rick Boyles
rick.boyles@computernetworksinc.com
757-333-3299 x200
Ransomware
This is the biggest threat healthcare faces today. Ransomware is software that gets installed on your network and encrypts all of your files, including your Patient records, then demands a ransom payment to the criminal to decrypt all of your data.
The Office for Civil Rights (OCR) has issued guidance that this constitutes a Data Breach and is reportable to OCR. Because the files had to be accessed in order for the crook to encrypt them, the crook’s access is considered a breach of all your records and reportable to OCR.
2017 Predictions
Phishing will continue to be a huge issue in 2017. In 2016, it's been another day, another email leak. Retrospectively, 2015 did not see nearly as many attacks here compared to 2016, and the problem will persist without the right security training for users in all industries. Wombat's measurement of various industries' performance in security awareness and phishing susceptibility have pointed us to telecommunications, retail and health care as the verticals that need the most improvement if they're to mitigate the volume and impact of threats.
2017 will be ransomware's biggest year yet because organizations aren't inspecting for malware in the most commonly used apps. Malware is hiding in plain sight as SSL traffic passes through uninspected (which is a huge issue in general for enterprises).
IoT security issues threaten human health and safety like never before. Not only are medical devices connected opening them to patient data theft and patient safety impacts, security issues with smart devices such as thermostats or gas meters can cause rampant human heath and safety problems. Widespread use of IoT devices in the home dwarf the numbers of companies affected by software vulnerabilities we've seen in the past.
Ransomware protection. Until this past year, companies and consumers had few solutions available to them to help detect and combat ransomware. Security researchers have been working hard to identify core characteristics of specific ransomware types so that they can effectively protect against them in the near future. However, when a ransomware descriptor is recognized, ransomware authors often tweak their attacks to avoid detection.
Fighting Back Against Ransomware: 32 More Free Decryptors Added To No More Ransom campaign
The project founded by Europol, Intel, Kaspersky Lab and the Dutch National police also added 34 new partners.
The 'No More Ransom' campaign, established by Intel Security, Kaspersky Lab, Europol and the Dutch National police in July, expanded again with the addition of 34 new partners and 32 new decryptors, Europol announced.
Security companies Emsisoft, Check Point, Trend Micro and Bitdefender are now associate partners of the project, which means the companies directly contribute to the development of decryption keys and tools.
The program provides software to decrypt (unencrypt) files that have been encrypted by ransomware.
Emsisoft discovered the decryptor for the Stampado ransomware strain, soon after it was released on the black market. Trend Micro released decryptors for some strains of the TeslaCrypt, CryptXXX, AutoLocky, SNSLocker and Chimera ransomware families.
These companies have helped to add the 32 new decryption tools.
As of December 15, more than 6,000 users have been able to decrypt their files without paying the ransom, using the decryption tools from the 'No More Ransom' site.
eu-LISA (the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice) and the national police from: Austria, Croatia, Denmark, Finland, Malta, Romania, Singapore and Slovenia have joined the cause as supporting partners.
Also joining the project as supporting partners are: ESET; Heimdal Security; Computer Emergency Response Team for the EU institutions, agencies and bodies; Irish Reporting and Information Security Service; and the Computer Incident Response Center Luxembourg, among others.
"Both the private sector and law enforcement are stepping up efforts to fight these cybercriminals who are using ransomware to deprive their victims of large amounts of money," Europol officials said in a statement. "However, awareness remains key to preventing ransomware from being successful."
Funnies
A computer lets you make more mistakes faster than any invention in human history – with the possible exceptions of handguns and tequila.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
A programmer was walking along the beach when he found a lamp. Upon rubbing the lamp a genie appeared who stated “I am the most powerful genie in the world. I can grant you any wish you want, but only one wish.” The programmer pulled out a map of the Mediterranean area and said “I d like there to be a just and lasting peace among the people in the Middle East.” The genie responded, “Gee, I don’t know. Those people have been fighting since the beginning of time. I can do just about anything, but this is beyond my limits.” The programmer then said, “Well, I am a programmer and my programs have a lot of users. Please make all the users satisfied with my programs, and let them ask sensible changes” Genie: “Uh, let me see that map again.”
A Software Engineer, a Hardware Engineer and a Branch Manager were on their way to a meeting. They were driving down a steep mountain road when suddenly the brakes on their car failed. The car careened almost out of control down the road, bouncing off the crash barriers, until it miraculously ground to a halt scraping along the mountainside. The car’s occupants, shaken but unhurt, now had a problem: they were stuck halfway down a mountain in a car with no brakes. What were they to do? “I know,” said the Branch Manager, “Let’s have a meeting, propose a Vision, formulate a Mission Statement, define some Goals, and by a process of Continuous Improvement find a solution to the Critical Problems, and we can be on our way.” “No, no,” said the Hardware Engineer, “That will take far too long, and besides, that method has never worked before. I’ve got my Swiss Army knife with me, and in no time at all I can strip down the car’s braking system, isolate the fault, fix it, and we can be on our way.” “Well,” said the Software Engineer, “Before we do anything, I think we should push the car back up the road and see if it happens again.”
