FBI Alert Email Fraud

One of the latest Internet-based frauds is referred to as BEC, or Business Email Compromise. While this can involve the theft of passwords belonging to your company’s executives, the biggest threat so far has been fake emails ordering the accounting department to transfer large sums of money.

The scam is not technically sophisticated, but rather relies on social engineering. The hackers collect email account credentials through phishing schemes and then begin monitoring how employees communicate. In other cases, emails are spoofed to appear to come from an organization.

"Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment," the FBI says. "The fraudsters will use the method most commonly associated with their victim's normal business practices."

In addition to email authentication, the FBI also suggests businesses invest in intrusion detection systems that are tuned to catch emails coming from spoofed domain names that closely resemble the businesses' legitimate domains.
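As an added example (not from the FBI alert or from this newsletter's author), here is a small Python check of the kind a mail filter could run on the From: header to catch the lookalike domains the FBI describes: it flags sender domains that are homoglyph-equivalent to, or within a short edit distance of, the organization's real domain. The legitimate domain and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data: the organization's real domain and hypothetical
# From: header values of the kind a BEC filter would inspect.
LEGIT_DOMAINS = {"example-corp.com"}

SAMPLE_HEADERS = [
    "Jane CFO <jane.cfo@example-corp.com>",     # genuine
    "Jane CFO <jane.cfo@examp1e-corp.com>",     # digit 1 in place of letter l
    "Jane CFO <jane.cfo@example-c0rp.com>",     # digit 0 in place of letter o
    "Jane CFO <jane.cfo@exampIe-corp.com>",     # capital I in place of letter l
    "Jane CFO <jane.cfo@example-corp.co>",      # one letter dropped from the TLD
    "Newsletter <news@totally-unrelated.org>",  # unrelated domain, not flagged
]

# Fold visually confusable characters to one canonical form so that
# "examp1e" and "example" compare equal.  "rn" is folded to "m" by hand
# because str.maketrans only accepts single-character keys.
_FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})

def fold(domain: str) -> str:
    return domain.lower().replace("rn", "m").translate(_FOLD)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short, so plain Python is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header: str, legit=LEGIT_DOMAINS, max_dist: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'other' for one From: header value."""
    _, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "other"
    if domain in legit:
        return "legit"
    for good in legit:
        if fold(domain) == fold(good) or edit_distance(domain, good) <= max_dist:
            return "lookalike"
    return "other"

def scan(headers=SAMPLE_HEADERS):
    """Classify every sample header; a real filter would quarantine 'lookalike'."""
    return [(h, classify_sender(h)) for h in headers]
```

The check complements rather than replaces email authentication (SPF, DKIM, DMARC), since a lookalike domain is a registered domain the attacker controls and will pass authentication for.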


Computer Networks of Roanoke, Inc.
Henry “Hank” Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232
It doesn’t cost anything to talk.
PHI is everywhere. Find it. Protect it.


Determining If a Ransomware Attack Is a Reportable Breach

Attorney Reviews Critical Factors in Assessing Incidents

Marianne Kolbasuk McGee (HealthInfoSec) • June 10, 2016

While awaiting new guidance from the Department of Health and Human Services' Office for Civil Rights, healthcare organizations can take several steps to help determine whether a ransomware attack is a reportable breach under HIPAA, says compliance attorney Betsy Hodge.

"I would encourage covered entities and business associates who believe they've been subject to a ransomware attack to drill down and investigate what type of ransomware is involved, and what has the ransomware done - and not done - to the data," Hodge says in an interview with Information Security Media Group.

Hodge says victim organizations need to ask: "Has [the ransomware] only encrypted the data - sort of wrapped around the data - or is there any evidence that the data in any way has been accessed, acquired or exfiltrated?" If more than just encryption has occurred, the incident may be a reportable breach, she notes.

Sophisticated audit tools, which can prove costly, are helpful in performing an assessment "to determine, if, in fact, there is a low probability that protected health information was improperly used or disclosed during the ransomware attack," she says.

"Right now, it's an open question whether a ransomware attack is reportable, but I think it depends on the particular facts in a particular case. That's why everyone is anxiously awaiting some guidance from the Office for Civil Rights on that point."

Eventually, class-action lawsuits will likely be filed in the wake of ransomware incidents, Hodge predicts. But the basis of the lawsuits will likely depend on the facts in a particular case, she says.

A lawsuit might address, for example, "whether ... the covered entity had lax security or perhaps had not implemented all the policies and procedures required under the HIPAA Security Rule ... and whether the covered entity or business associate should've provided notice under the HIPAA Breach Notification Rule, but did not," she says. "Another interesting question will be how plaintiffs in a particular case show how they've suffered harm as the result of a ransomware attack ... [such as in] a situation where someone had a delay in surgery or other necessary procedure because the necessary systems were down."

In the interview, Hodge also discusses:

  • Lessons emerging from recent OCR enforcement actions, including resolution agreements and financial settlements stemming from breach investigations;
  • Areas where business associates are still struggling, more than three years after the HIPAA Omnibus final rule made these vendors directly liable for HIPAA compliance;
  • Whether OCR enforcement actions might result from the next round of HIPAA compliance audits.

Hodge is an attorney at the Tampa office of the national law firm Akerman LLP, where she provides guidance to physicians and hospitals regarding compliance with federal and state regulations, including HIPAA. She is a member of the Florida Hospital Association's HIPAA Preemption Analysis Task Force.

Can I Get Rid Of My Server If I Go To A Cloud Based EHR?

Not going to happen, and don’t let some salesperson tell you otherwise.

One of your Practice’s requirements under HIPAA is to have enough logging turned on to be able to definitively tell if anyone (employee, Business Associate, whoever) accesses ANY ePHI.

So, what does that mean? It means you must have the ability to show who looked at what information about a Patient on what date and at what time.

My EHR does that. Yes, it does.

And, if you have no ePHI stored anywhere on any server (such as transcription files, insurance appeals letters, or scanned images), have no other important files to put in a central place to share, don’t want backups of any of that data, have no need for a central place for your anti-virus software to live, have no need to write Windows Group Policies to control certain behaviors, and have no need to authenticate the users trying to access your network, then you might be able to dump the server. But we have never seen that scenario. People have ePHI in shared folders on servers and on their desktop PCs, they are emailing it back and forth to their smartphones, and who knows what else.

A Windows server serves as the “boss” of those activities and is necessary for the protection of shared information, in addition to HIPAA compliance.

Don’t Blame HIPAA: It Didn’t Require Orlando Regional Medical Center To Call the President

The following is a guest blog post by Mike Semel, President of Semel Consulting. As a Healthcare Scene community, our hearts go out to all the victims of this tragedy.

Orlando Mayor Buddy Dyer said the influx of patients to the hospitals created problems due to confidentiality regulations, which he worked to have waived for victims’ families.

“The CEO of the hospital came to me and said they had an issue related to the families who came to the emergency room. Because of HIPAA regulations, they could not give them any information,” Dyer said. “So I reached out to the White House to see if we could get the HIPAA regulations waived. The White House went through the appropriate channels to waive those so the hospital could communicate with the families who were there.” Source: WBTV.com

I applaud the Orlando Regional Medical Center for its efforts to help the shooting victims. As the region’s trauma center, I think it could have done a lot better by not letting HIPAA get in the way of communicating with the patients’ families and friends.

In the wake of the horrific nightclub shooting, the hospital made things worse for the victims’ families and friends. And it wasn’t necessary, because built into HIPAA is a hospital’s ability to share information without calling the President of the United States. There are other exemptions for communicating with law enforcement.

The Orlando hospital made this situation worse for the families when its Mass Casualty Incident (MCI) plan should have anticipated the situation. A trauma center should have been better prepared than to ask the mayor for help.

As usual, HIPAA got the blame for someone’s lack of understanding about HIPAA. Based on my experience, many executives think they are too busy, or think themselves too important, to learn about HIPAA’s fundamental civil rights for patients. Civil Rights? HIPAA is enforced by the US Department of Health & Human Services’ Office for Civil Rights.

HIPAA compliance and data security are both executive level responsibilities, although many executives think it is something that should get tasked out to a subordinate. Having to call the White House because the hospital didn’t understand that HIPAA already gave it the right to talk to the families is shameful. It added unnecessary delays and more stress to the distraught families.

Doctors are often just as guilty as hospital executives of not taking HIPAA training and then giving HIPAA a bad rap. (I can imagine the medical practice managers and compliance officers silently nodding their heads.)

“HIPAA interferes with patient care” is something I hear often from doctors. When I ask how, I am told by the doctors that they can’t communicate with specialists, call for a consult, or talk to their patients’ families. These are ALL WRONG.

I ask those doctors two questions that are usually met with a silent stare:

  1. When was the last time you received HIPAA training?
  2. If you did get trained, did it take more than 5 minutes or was it just to get the requirement out of the way?

HIPAA allows doctors to share patient information with other doctors, hospitals, pharmacies, and Business Associates as long as it is for a patient’s Treatment, Payment, and healthcare Operations (TPO). This is communicated to patients through a Notice of Privacy Practices.

HIPAA allows doctors to use their judgment to determine what to say to friends and families of patients who are incapacitated or incompetent. The Orlando hospital could have communicated with family members and friends.

From Frequently Asked Questions at the HHS website:

Does the HIPAA Privacy Rule permit a hospital to inform callers or visitors of a patient’s location and general condition in the emergency room, even if the patient’s information would not normally be included in the main hospital directory of admitted patients?

Answer: Yes.

If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

Answer: No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

Can the fact that a patient has been “treated and released,” or that a patient has died, be released as part of the facility directory?

Answer: Yes.

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Answer: Yes.

The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b).

Thus, for example:

  • A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
  • A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.
  • In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Other examples of hospital executives’ lack of HIPAA knowledge include:

  • Shasta Regional Medical Center, where the CEO and Chief Medical Officer took a patient’s chart to the local newspaper and shared details of her treatment without her permission.
  • NY Presbyterian Hospital, which allowed the film crew from ABC’s ‘NY Med’ TV show to film dying and incapacitated patients.

To healthcare executives and doctors, many of your imagined challenges caused by HIPAA can be eliminated by learning more about the rules. You need to be prepared for the 3 a.m. phone call. And you don’t have to call the White House for help.

About Mike Semel

Mike Semel, President of Semel Consulting, is a certified HIPAA expert with over 12 years’ HIPAA experience and 30 years in IT. He has been the CIO for a hospital and a K-12 school district; owned and managed IT companies; ran operations at an online backup provider; and is a recognized HIPAA expert and speaker.