Your Business Associates Have The Same HIPAA Burden As Your Practice

You keep saying this. What does it mean to me as a Practice Manager or Physician Owner?

If you hire an Information Technology person or company, they are a HIPAA Business Associate and are required to have:

  • Signed a Business Associate Agreement (BAA) with your Practice before touching any Patient Data
  • Conducted a Security Risk Analysis (SRA) on their own business
  • Developed written HIPAA related Policies and Procedures for their staff to follow
  • Trained their staff on those Policies and Procedures, along with general HIPAA staff training, annually

Regardless of the size of the Practice and regardless of the size of the I.T. company, these four things are required.

What are you trying to tell me?

I am trying to tell you that if you are using an I.T. firm that cannot show you a copy of their latest Security Risk Analysis, show you some evidence of their current Policies and Procedures and offer some evidence of current staff training, then you have a HIPAA compliance gap that the Office for Civil Rights will hold your Practice accountable for, not just the vendor. And if that firm has access to Patient Data with no signed Business Associate Agreement in place, every disclosure of PHI to them is an impermissible disclosure in OCR’s eyes. There are NO if’s, NO and’s, NO but’s.

If you hire your cousin’s brother’s girlfriend’s nephew to do I.T. work on a part-time basis or once in a blue moon, that person has to have complied with the requirements. If you have hired Dell Computer to manage your network 24 x 7 x 365, they have to have complied with the requirements. Everyone in between has to have complied with the requirements. And, when the Office for Civil Rights (OCR) comes knocking, you had better be able to prove your compliance and the compliance of your Vendors.

That’s what I am trying to tell you.

If I.T. companies are to do business with a Medical Practice, they should have educated themselves on the applicable Federal law and be in compliance with it. Failure to do so puts your Physicians’ paychecks and livelihoods in danger.

OCR handed out monetary penalties of about $6,000,000 in 2015.

The year to date total for 2016: over $20,000,000 and we still have three months left in the year.

2016 OCR Civil Monetary Highlights

Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016

Multiple Alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016

Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016

Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016

Unauthorized Filming for "NY Med" Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016

$750,000 Settlement highlights the need for HIPAA business associate agreements - April 19, 2016

OCR Launches Phase 2 of HIPAA Audit Program - March 21, 2016

Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016

$1.55 million Settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016

Physical therapy provider settles violations that it impermissibly disclosed patient information for $25,000 - February 16, 2016

Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016

$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - December 14, 2015

Computer Networks of Roanoke, Inc.

Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232

PHI is everywhere. Find it. Protect it.

8.8 Million Patient Health Records Breached in August


Some 8.8 million records containing patient health information were breached during August 2016, according to the monthly Protenus Breach Barometer.

There were 44 reports of data breaches in August stemming from 42 separate incidents. The number of patients affected was available for 32 of these reports, totaling 8,804,608 records breached. From January through August, there were 233 reported data breaches in healthcare, the barometer said.

The barometer is a snapshot of reported or disclosed breaches impacting the healthcare industry compiled by DataBreaches.net.

“Visual Hacking”

This is when someone is able to see ePHI or PHI with their own eyes while they are at your Practice. It applies to physical items: your monitor, papers stacked on your desk, the screen of your mobile device, papers left in the fax machine or printer, and papers sitting near recycling bins.

Because most organizations are normally squeezed for space, placement of printers, copiers, fax machines and monitors may not be ideal from a security standpoint.

Just walking through your Practice while thinking like a criminal who wants to steal PHI, can help you discover vulnerabilities that need to be addressed in your Security Risk Analysis.

88 Per Cent of U.S. Ransomware Attacks Are on Healthcare

During the second quarter of 2016, an overwhelming 88 percent of all ransomware detections across U.S. industries, including healthcare, retail, education, finance and technology, occurred at healthcare organizations, according to the Security Engineering Research Team (SERT) Quarterly Threat Report for Q2 2016 from cybersecurity technology and services vendor NTT Security, formerly Solutionary.

The SERT report for Q2 2016, which studied the digital activity of NTT Security client organizations, also found that ransomware detections decreased between January and February of this year but picked up again in March, April and May.

That 11 percent spike came shortly after Hollywood Presbyterian Medical Center fell prey to a ransomware attack and ultimately paid the cybercriminals to get its data back.

“As healthcare and education sectors continue to be plagued with ransomware and often pay the demanded ransoms, the probability of more targeted attempts in these sectors will increase,” the report said. “Healthcare organizations use an abundance of systems and IoT devices that can become crucial pivot points for an attacker or can even be victims of ransomware themselves.”


Overview
The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

To address threats to network infrastructure devices, this US-CERT Alert (TA16-250A) provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations:

  1. Segregate Networks and Functions
  2. Limit Unnecessary Lateral Communications
  3. Harden Network Devices
  4. Secure Access to Infrastructure Devices
  5. Perform Out-of-Band Management (alternate methods of remote management)
  6. Validate Integrity of Hardware and Software
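Points 3 and 4 of that list (harden the devices, secure access to them) are the ones an I.T. firm can check for you in minutes from a router's running configuration. The script below is an added example written for this newsletter; it is not part of the US-CERT Alert and not vendor tooling. The two sample configurations are constructed for illustration and use standard Cisco IOS keywords, but the checks are our own short list, not a complete hardening baseline, and the hash in the hardened sample is a placeholder.

```python
"""Audit a Cisco-IOS-style running-config for a handful of weak settings
that the US-CERT Alert's 'harden network devices' and 'secure access'
recommendations cover. Added example; not from the Alert or the newsletter."""
import re

# Constructed sample: a router left close to factory defaults.
SAMPLE_WEAK = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 login
"""

# Constructed sample: the same router after remediation. The enable secret
# hash is a placeholder, not a real credential.
SAMPLE_HARDENED = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$EXAMPLE$placeholderhashvalue
no ip http server
no ip source-route
ip ssh version 2
ip access-list standard MGMT
 permit 10.0.100.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""


def parse_config(text):
    """Split a config into top-level statements and the indented statements
    that belong to 'line vty' sections (other indented blocks are ignored)."""
    global_lines, vty_lines = [], []
    in_vty = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if in_vty:
                vty_lines.append(raw.strip())
            continue
        line = raw.strip()
        in_vty = line.startswith("line vty")
        global_lines.append(line)
    return global_lines, vty_lines


def audit_config(text):
    """Return a list of (finding_id, remediation) tuples for the config."""
    g, vty = parse_config(text)
    findings = []

    def has(pattern, lines):
        return any(re.match(pattern, line) for line in lines)

    # Local passwords stored in clear text unless encryption is on.
    if "service password-encryption" not in g:
        findings.append(("password-encryption", "service password-encryption"))
    # 'enable password' is reversible (Type 7 at best); 'enable secret' is hashed.
    if has(r"enable password\b", g) and not has(r"enable secret\b", g):
        findings.append(("enable-secret", "enable secret <strong password>; no enable password"))
    # Unencrypted web management interface.
    if "ip http server" in g:
        findings.append(("http-server", "no ip http server"))
    # IOS enables source routing by default and shows nothing unless disabled.
    if "no ip source-route" not in g:
        findings.append(("source-route", "no ip source-route"))
    # Well-known SNMP community strings hand out device state to anyone.
    for line in g:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(("snmp-default-community", f"no {line}; use SNMPv3 or a unique community bound to an ACL"))
    # SSHv1 is not an acceptable management transport.
    if not has(r"ip ssh version 2$", g):
        findings.append(("ssh-v2", "ip ssh version 2"))
    # Telnet sends credentials in the clear.
    if has(r"transport input .*\btelnet\b", vty):
        findings.append(("vty-telnet", "transport input ssh"))
    # Management access should be limited to the admin network.
    if not has(r"access-class \S+ in$", vty):
        findings.append(("vty-access-class", "access-class <management ACL> in"))
    return findings


def finding_ids(text):
    """Sorted finding ids only, convenient for comparing two configs."""
    return sorted(fid for fid, _ in audit_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, finding_ids(cfg))
```

Run it against the weak sample and every check fires; the hardened sample produces no findings. The point is not this particular list of eight checks but the habit: pull the running configuration, diff it against a written baseline, and keep the output as evidence for the Security Risk Analysis.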

Healthcare is under attack because the Patient data (ePHI) you have in your possession is valuable for identity theft.

These days you must take precautions that you did not even consider 2 years ago to protect your hardware and software from intrusion. This means expensive Unified Threat Management (UTM) firewalls with all the Security subscriptions enabled, Endpoint Protection (anti-virus/anti-spyware), monitoring, reporting, and a good I.T. firm that looks out for your interests (and that sends you 2 newsletters every month).

It does not cost anything to talk.

‘Flash Hijacks’ Add New Twist to Muggings

A frequent crime in Brazil is a scheme in which thieves kidnap people as they’re leaving a bank, and free them only after visiting a number of ATMs to withdraw cash. Now the crooks have introduced a new time-saving wrinkle into this scam: In these so-called “flash hijacks” the thieves pull out a wireless card reader, swipe a few debit transactions with the victim’s card, and then release the individual.

A story in the Brazilian newspaper Liberal documents one such recent flash hijacking, involving two musicians in their 20s who were accosted by a pair of robbers, one of whom was carrying a gun. The thieves forced the victims to divulge their debit card personal identification numbers (PINs), and then proceeded to swipe the victims’ cards on a handheld, wireless card machine.

First spotted in 2015, flash hijackings are becoming more common in Brazil, said Paulo Brito, a cybersecurity expert living in the Campinas area of Brazil. Brito said even his friend’s son was similarly victimized recently.

“Of course transactions can be traced as far as they are done with Brazilian banks, but these bad guys can evolve and transact with foreign banks,” Brito said.