Top Story…
Hollywood Presbyterian Hospital Hit With Ransom Demand…and Pays It!!!
It seems that Hollywood Presbyterian Medical Center needs a new Backup and Disaster Recovery system and maybe a new HIPAA Security Risk Analysis.
Last week one of their staff downloaded some malware (probably via an email) that made it by the hospital’s security defenses.
They have paid hackers a $17,000 ransom to regain access and control over the hospital’s computer systems after a low-tech ransomware attack locked them out of their networks. CEO Allen Stefanek said the payment was the quickest way to restore their systems.
"On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network," wrote Stefanek. "Our IT department began an immediate investigation and determined we had been subject to a malware attack," which encrypted critical patient files effectively locking the system. To decrypt the files requires an access key that could only be obtained by paying the ransom. The other option is to have a solid Disaster Recovery methodology in place so that you can recover the files from a time before the crooks got into the network.
Editorial Comment:
Few people in the HIPAA Compliance industry recommend paying the ransom. Negotiation when dealing with terrorists is a strategy that the FBI has deemed counterproductive. If you are hit with one of these attacks, it is our suggestion that you have a Backup and Disaster Recovery system in place, which allows you to retrieve files prior to the crooks encrypting them. If there is no financial incentive, then the behavior is not likely to occur. So, get rid of those tape backups and get your company onto a Disaster Recovery system that gets your data backed up frequently at an offsite location. If you are a medical office, then having a tested Disaster Recovery Plan is a HIPAA requirement.
Do You Know Where Your Notice Of Privacy Practices Is?
Hint: If you want to be HIPAA Compliant, it had better be on your website and in your waiting room.
When and how can I receive a Notice of Privacy Practices?
- You’ll usually receive notice at your first appointment. In an emergency, you should receive notice as soon as possible after the emergency.
- The notice must also be posted in a clear and easy to find location where patients are able to see it, and a copy must be provided to anyone who asks for one.
- If an organization has a website, it must post the notice there. (in a prominent place)
- A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years stating that you can ask for the notice at any time.
- A health plan can give the notice to the “named insured” (subscriber for coverage). It does not have to give separate notices to spouses and dependents. ]
http://www.hhs.gov/hipaa/for-individuals/notice-privacy-practices/
HHS has some “model” notices that you can download and use including notices in Spanish:
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/
OCR to Receive $4 Million Budget Increase to Support Audit Program
The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.
HIPAA Compliance Audit Program to Receive a Funding Boost
The second phase of compliance audits are penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits in the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016.
The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the aspects of HIPAA that are causing problems for covered entities. The information gained during the audits will help direct future enforcement activities, develop future guidance, and provide better technical assistance to covered entities.
The second phase of audits are to be conducted by FCiFederal and were expected to consist of desk-based compliance reviews of the Privacy Rule, Security Rule, or Breach Notification Rule, with each of the three aspects of HIPAA to be assessed by a separate audit module. Covered entities could therefore be expected to be audited on one, two or all three aspects of HIPAA.
200 audits are now expected to be conducted during the next round of audits, with 150 to be conducted on healthcare providers and health insurers and 50 on business associates. Those audits are now expected to be split evenly on Privacy Rule and Breach Notification Rule Standards.
The second round of compliance audits should be followed with the implementation of a permanent audit program to continually assess the compliance efforts of covered entities.
OCR Increases Enforcement Activities
In recent months OCR has stepped up its HIPAA enforcement activities. Late last year, OCR announced three new settlement agreements with covered entities that were discovered to have breached HIPAA rules. In each case the HIPAA violations were uncovered following an investigation into reported data breaches. Last year, six settlements were reached with HIPAA covered entities bringing in an additional $6.175 million.
OCR retains and expends the funds from its enforcement activities which are used to support further enforcement actions.
This year, the financial penalties have continued. OCR recently announced Lincare Inc., had been ordered to pay a civil monetary penalty of $239,800 for failing to comply with the HIPAA Privacy Rule.
How Will OCR be Spending its 2017 Funding?
The budget increase will help OCR “modernize HIPAA protections, support innovation in healthcare, ensure adequate protections in new programs and technologies, streamline requirements to make them less burdensome, and evaluate new areas where HIPAA does not currently apply”
Not all of the budget increase will be used for matters relating to HIPAA. OCR will be using part of the budget increase to enhance enforcement activities relating to Section 1557 of the Affordable Care Act.
Rheumatology Practice Announces Mailing Error HIPAA Breach
Borgess Rheumatology in Kalamazoo, MI is informing 700 patients that they have mailed their confidential information to the wrong patients in December of 2015.
Borgess spokesman Lew Tysman says no information, such as social security numbers, was compromised.
The letters did have names of patients and the fact they had received treatment at Borgess Rheumatology.
According to the statement Borgess learned of the breach on December10th and immediately attempted to contact every impacted patient.
"Borgess takes patient confidentiality very seriously and we deeply regret that this has occurred," said Susan McDonald, Borgess Corporate Responsibility Officer & HIPAA Privacy Officer. "We are doing everything we can to notify patients who were impacted by this mistake."
The statement concludes stating: Borgess has taken aggressive steps to keep this from happening in the future, including reviewing policies and procedures and re-educating and training staff on necessary safeguards.
Editorial Comment
Your staff is one of the weakest links in the chain. Your IT tech support folks can lock down the network, put a high-end firewall/UTM device on the Internet, run a gateway antivirus, run Intrusion Prevention software and run desktop antivirus, but, all it takes is one staff member to click on a suspicious email or not pay attention and you are in the same boat as Hollywood Presbyterian and Borgess.
37-Year Old Memphis, TN Man Indicted For Identity Theft From Medical Office
The U.S. Attorney for the Western District of Tennessee reports that Jeremy Jones has been indicted in a scheme to steal the identities of more than 145 patients at Memphis Neurology.
Jones’ scheme involved a co-conspirator who worked at the Physician’s office who actually stole the initial information. Jones then used that stolen Patient information to open bank accounts and to apply for loans and credit in their names. Jones compensated the co-conspirator with proceeds from the scam which netted about $1.7 million.
Jones was indicted on charges of conspiracy to commit identity theft, identity theft, mail fraud, and aggravated identity theft.
Editorial Comment
That is a lot of money. Make sure that you are running background checks and thoroughly vetting all of your employees and new hires.
Remember to turn on Windows Logging and to purchase software that logs everyone’s access to Windows shared folders. ePHI lives in those shared folders. Check those logs on a regular basis.
Also, check your Practice Management (PM) and EHR (Electronic Health Records) logs regularly for activity that is abnormal! You must retain these logs for 6 years.
If the folks at this Practice had been checking their PM and EHR logs, they might have discovered that a staff member was improperly accessing Patient records. ]
PHI is everywhere. Find it. Protect it.
We are happy to discuss your Information Technology needs and provide a no cost evaluation and meeting.
Apple and FBI Lock Horns
Outcome Uncertain
U.S. Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California on Feb. 16 ordered Apple to assist the FBI by updating the iPhone to disable security features deigned to wipe its memory or slow passcode entry, to block brute-force attacks. Pym issued her order using the All Writs Act of 1789, which gives a judge the ability to issue court orders for matters not covered under current law.
The Justice Department has framed its request as being limited to only a single phone: an iPhone 5C issued to Calif.-based Rizwan Farook, 29, by his employer, San Bernardino County. Farook and his wife Tashfeen Malik, 29, attacked Farook's work colleagues in a December 2015 shooting spree that left 14 people dead and 22 wounded.
In an impassioned Feb. 17 letter, Apple CEO Tim Cook said that Apple would fight the "dangerous" court order. "We have no sympathy for terrorists," he said. "But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."
The Justice Department quickly fired back. "It is unfortunate," it said in a Feb. 17 statement, "that Apple continues to refuse to assist the department in obtaining access to the phone of one of the terrorists involved in a major terror attack on U.S. soil."
The same day, White House spokesman Josh Earnest said that both the Justice Department and FBI have the Obama administration's "full support" in this matter.
But many technology sector heavyweights are siding with Apple. Google CEO Sundar Pichai took to Twitter to defend Apple's move, warning that "forcing companies to enable hacking could compromise users' privacy." Microsoft's chief legal officer, Brad Smith, has called for a vigorous debate and repeated his company's condemnation of government surveillance programs. And multiple civil rights groups - including Electronic Frontier Foundation and the Center for Democracy & Technology - say they will support Apple in court.
Editorial Comment:
I think everyone in Information Technology is conflicted over this one.
On one hand, the people that owned the phone are admitted terrorists that killed 14 people and wounded another 22. So, give the Feds the information.
On the other hand, what happens once you give the government a backdoor into anyone’s phone? Will they take advantage of that? Is it too big-brotherish?
I am going to stay on the sidelines on this one for a while and see how it plays out.
