The Audits Have Begun!

The Office for Civil Rights (OCR) has started sending out audit emails asking to verify your contact email. Business Associates may receive more than one email if they have a relationship with more than one Covered Entity being audited.

You have 14 days to respond to the email. Once you respond, you will get another email with this ominous language:

Screening Questionnaire

You are receiving this notice because you have been selected to complete the pre-audit screening questionnaire linked below. This screening questionnaire is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program. This data will be used with other information to help us select entities that reflect a variety of types, sizes, and locations for the next phase of the Audit Program. Receiving this notice does not mean your organization has been selected for an audit; rather, your organization is part of a pool from which OCR will select the entities that will be audited this year.

Per Deven McGraw, Deputy Director of Health Information Privacy at OCR,

“We will definitely be selecting the Covered Entities and begin to audit them first because our current database of Business Associates is not robust enough. And so we will need to rely on Covered Entities who are selected for audit to provide us with information on their Business Associates so that we can go through the same process of verifying contact information and forming more robust Business Associate pools – and pick Business Associate auditees from there.”

So, don’t be surprised if you receive these communications from the OCR. Answer them within the time frames they give. And, whatever else you do, DO NOT IGNORE THEM. Ignoring these folks is akin to ignoring the IRS. It is not a recipe for success. Our advice: Forewarned is Forearmed. If your HIPAA documentation is not in order today, you need to take action to correct this immediately. Although chances of being selected for an audit are low, if you are selected you have to be prepared to submit documentation in a timely manner. Other government programs (Meaningful Use, MACRA, PCMH) require HIPAA compliance as a condition of participation.

Scam Of The Week: LinkedIn Email "Change Your Password"

Knowbe4.com May 2016

You probably remember the 2012 LinkedIn data breach. It was a big deal because something like 6.5 million user account passwords were posted online, but LinkedIn never confirmed the final number of people that were impacted.

Well, it turns out that really 117 million records were stolen, containing both email addresses and passwords that were easily decrypted. And this new number is all over the news because that database is now being sold on the dark net. It is not unusual for such stolen material to turn up for sale long after the initial data breach.

LinkedIn is invalidating the compromised passwords and currently sending out emails to users, asking them to change their passwords in response to this report (though the email LinkedIn is sending is vague about the actual nature of the threat).

And of course the bad guys have jumped on this too. It's prime time for them to exploit user fear and confusion and send out their own fake versions of that email, and other LinkedIn-themed phishing attacks.

This means you need to inoculate your users before they fall for these new scams. I have some copy you can send employees. You're welcome to copy/paste/edit:

"The original LinkedIn 2012 data breach turns out to have been much larger than the estimated 6.5 million usernames and passwords that were stolen. There are really more than 100 million records compromised and LinkedIn is sending emails to these users that they need to change their password.

The bad guys, however, are jumping on this as well and are sending phishing emails with a fake LinkedIn login page. If you fall for this scam and log in on their fake page, your credentials will be stolen, your LinkedIn account compromised and/or your computer infected with all kinds of malware.

If you receive an email that seems to come from LinkedIn, hover over the links and make sure they are legit before you click. Even better, do not click on anything and just go to LinkedIn using your browser and change your password. If you have used your LinkedIn password at other sites, it's time to change those as well!"

Go to www.LinkedIn.com, click Help (bottom right) and choose Changing Your Password. In case you want another layer of password protection, LinkedIn also offers two-factor authentication, by which a one-time numerical code is sent to your smartphone each time you need to access your LinkedIn account.
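As an added illustration of the "hover over the links" advice above (example code written for this section, not from KnowBe4 or LinkedIn), the following Python script pulls every link out of an HTML email body and flags the ones whose visible text or hostname mentions LinkedIn but whose real domain is not linkedin.com. The sample message and the .example hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels only ('a.b.linkedin.com' -> 'linkedin.com'); a real
    filter would use the Public Suffix List to handle names like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body, brand_host="linkedin.com"):
    """Return hrefs a user would only catch by hovering: the link claims to be
    the brand (in its text or its hostname) but does not lead to brand_host."""
    brand = brand_host.split(".")[0]          # "linkedin"
    p = LinkCollector()
    p.feed(html_body)
    flagged = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        # linkedin.com.account-verify.example and secure-linkedin.example both
        # contain the brand name, but their registrable domain is something else.
        if registrable(host) != brand_host and (brand in text.lower() or brand in host):
            flagged.append(href)
    return flagged

# Constructed sample body: one genuine link and three phishing-style links.
SAMPLE = """<p>Please <a href="https://www.linkedin.com/psettings/">change your password</a>.
<a href="http://linkedin.com.account-verify.example/login">LinkedIn Login</a>
<a href="https://secure-linkedin.example/reset">Reset now</a>
<a href="http://198.51.100.7/login">https://www.linkedin.com/login</a></p>"""
```

The last sample link shows the classic trick the hover check catches: the visible text is the real LinkedIn address, but the href points at a bare IP.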


Computer Networks of Roanoke, Inc.
Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232
It doesn’t cost anything to talk.
PHI is everywhere. Find it. Protect it.


Ransomware

The latest threat to your network is Ransomware.

What is it?

Ransomware is a program that installs itself on your PC or Server and encrypts all of the files it can find. Encrypted files require a key to unlock them. The crooks offer to sell you the key after they have done their dirty work.

How do I get infected?

Usually through the most gullible employee on your staff. Most Ransomware installs on your network either by an employee opening an email attachment (phishing) and clicking on items/links in the email, or by an employee visiting an infected web site.

How do I get rid of it?

There are some third-party programs that can detect and remove some of the infections. However, once a file is encrypted, you need the decryption key to get your data back.

How does my business recover from Ransomware?

Most security experts do not recommend paying the ransom because it fosters more of the same behavior by the criminals. The best way to recover is to have a good Backup and Disaster Recovery (BUDR) solution in place that backs up important files frequently (such as hourly) and then moves them offsite. Those backups can be used to restore the latest copies of the encrypted files.

Won’t I lose data that way?

Maybe. It depends on how frequently the data changes between the time the file was backed up and the time the crook encrypted it.

Is it a HIPAA violation?

That depends. There is currently no guidance from OCR on this. However, Omnibus 2013 said that mere possession of ePHI constitutes a Business Associate arrangement. We are going to opine that if the encrypted data leaves your network (and some of the criminals are doing this), you most certainly have a reportable data breach. If the files are encrypted on your network and never leave the building, then the argument can be made that it is not a reportable data breach.

How do we defend against this?

Your Information Technology folks have to do everything they can to protect the network:

  • UTM (Unified Threat Management firewall)
  • Full Security subscriptions on the firewall including Intrusion Prevention, Gateway Antivirus, Content Filtering of user web browsing, GEO IP blocking of Internet traffic from foreign countries, Event Logging and Reporting
  • Centrally monitored and managed Server and PC antivirus/endpoint protection
  • Blocking of email attachments
  • Blocking of .exe files in emails
  • Regular Windows updates
  • Regular updates to the other applications installed on your PCs and Servers
  • Continuing, repeated, consistent, on-going education of your end users
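The two attachment-blocking items above are usually implemented by file extension alone, which misses an executable that has been renamed or wrapped in a zip. The following Python example (added here, not part of the newsletter or of any product mentioned) screens a MIME message three ways: by every extension in the filename chain, by the "MZ" header that every Windows executable starts with regardless of its extension, and inside zip attachments. The message and the deny list are constructed for the example.

```python
import email
import zipfile
from email import policy
from email.message import EmailMessage
from io import BytesIO

# Extensions commonly abused to deliver malware (assumed deny list for this example).
DENY_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}

def risky_name(name):
    """Any denied extension anywhere in the chain: 'invoice.pdf.exe', 'a.exe.txt'."""
    parts = name.lower().split(".")
    return len(parts) > 1 and bool(DENY_EXT & set(parts[1:]))

def risky_bytes(data):
    """Every DOS/Windows PE executable starts with b'MZ'; renaming it to .txt keeps that."""
    return data[:2] == b"MZ"

def risky_attachments(raw):
    """Return (filename, reason) for each attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if risky_name(name):
            findings.append((name, "blocked extension"))
        elif risky_bytes(data):
            findings.append((name, "PE header under a harmless extension"))
        elif zipfile.is_zipfile(BytesIO(data)):  # an .exe hidden inside an archive
            with zipfile.ZipFile(BytesIO(data)) as z:
                for inner in z.namelist():
                    if risky_name(inner) or risky_bytes(z.read(inner)):
                        findings.append((name, f"archive contains {inner}"))
    return findings

def build_sample():
    """Constructed message: a real-looking PDF, a renamed PE, a double extension, a zip."""
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"junk", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("setup.exe", b"MZ\x90\x00fake-pe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return bytes(msg)
```

Only invoice.pdf passes; the other three are caught for three different reasons, which is the point: an extension filter alone would have let notes.txt and docs.zip through.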

We are working on a program that will allow us to “test” your end users several times annually to determine how likely they are to open some sample phishing emails. The program will carry a modest annual fee per user and allow us to report back to you which of your users opened the “test” emails, so that you may offer those users additional security training.

I.T. Cannot Stop All Threats!

There are new malware and ransomware variants coming online daily and the hardware and software we use cannot possibly know about a brand new, “zero day” threat.

If you are unlucky enough to be one of the first people that it is sent to, then YOU have to be educated well enough to say: “This email looks suspicious. Let me call the IT people and ask about it”.

Your staff needs to be the first line of defense by not clicking on that suspicious email or Internet web link.

Here’s some good news for victims who are trying to unlock and remove TeslaCrypt ransomware.

Now, you can decrypt all your important files that have been encrypted by TeslaCrypt ransomware.

Since its launch in March last year, the TeslaCrypt ransomware has been used in massive malvertising attacks. The ransomware, which often targets PC gamers, locks up files until a ransom is paid, usually $500 in Bitcoin. Infection generally comes through corrupted websites, malvertising or phishing emails.

In a surprising move in the malware's story, the cybercriminals behind the nefarious TeslaCrypt ransomware have apparently shut down their operations and released a master key to the public that can unlock all encrypted files on PCs infected by the latest versions of TeslaCrypt.

Here’s what one of the developers of TeslaCrypt posted on the TeslaCrypt Dark Website:

"Project closed! Master key for decrypt: 440A241DD80FCC5664E861989DB716E08CE627D8D40C7EA360AE855C727A49EE.

Wait for other people make universal decrypt software. We are sorry!"

The above note was prompted by a query from an ESET security researcher, who had noticed TeslaCrypt’s steady decline and asked the authors for a decryption key.

The authors offered a free master key in an entirely surprising move and ESET quickly created a Free Ransomware Decryptor tool for TeslaCrypt, which is available for download from the ESET website.

Don’t Use Public WiFi

We’re all guilty of it: connecting to free public WiFi. Whether it’s at the coffee shop, hotel or airport, the temptation to check e-mail and surf the web is just too strong to resist. So BEFORE you connect to any free, public WiFi, make sure the connection is legitimate.

It’s not uncommon for hackers to set up fake clones of public WiFi access points to try to get you to connect to THEIR WiFi instead of the legitimate, safe public one being made available to you.

Before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing.

Next, NEVER access financial, medical or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure.

4 Reasons Your EHR is Vulnerable to a Cyberattack

physicianspractice.com May 16, 2016

Last year, insurance giant Anthem was attacked by hackers who stole the names, birth dates, social security numbers, and contact details of 78.8 million current and former members and employees. Earlier this year, cybercriminals effectively shut down access to computer records at Columbia, Md.-based MedStar Health’s ten hospitals and more than 250 outpatient centers, which forced the health system to turn away patients. News like this reinforces the need for management to have security safeguards in place to head off cyberattacks, said Jim Kelton, managing principal at Costa Mesa, Calif.-based Altius Information Technologies.

Here are four reasons your practice could be vulnerable to a cyberattack:

Staff members are unwittingly unleashing malware. You can have all the right application safeguards in place, but if your staff are receiving emails and clicking on links that unleash malware — or software that’s intended to damage or disable computers and computer systems — that can provide a hacker with internal access to your EHR or other systems with sensitive information, said Kelton.

You think your practice is too small to attract the attention of cybercriminals. But it’s a mistake to think that a cybercriminal will have mercy on a small practice in a small town, said Lee Kim, director of privacy and security at the Health Information and Management Systems Society (HIMSS). The reality is, cybercriminals are very interested in the healthcare sector, she said. All practices are targets for cybercrime because healthcare data is very valuable on the black market, added Kim.

You don’t have a firewall in place. Another vulnerability occurs with your internet connection, according to Kelton. If you only have wireless internet access and no formal firewall, you could be in trouble. The purpose of the firewall isn’t just to route traffic, it also provides a level of protection to the employees using systems on your network.

There is a malicious team member. For various reasons, there are employees who want to steal health information and then sell it, said Kim. While only very few people are going to want to steal healthcare information from their employers, it’s something you have to prepare for, she added. “Cyberattacks happen. We see this in the news. And [cyberattacks require] a lot of damage control, and [cause you] to lose a lot of good will with patients, who are going to be less inclined to want to see your physicians…because they think your organization can’t be trusted with their health information,” said Kim.
