Make Time for Cybersecurity

Humans or HIPAA?

When it comes to healthcare organizations addressing the HIPAA compliance of their business, many feel prepared and comfortable, readily checking that “compliant” box. But addressing the human part of security falls by the wayside too often.  Compliance and cybersecurity, which includes human security, both need to be a part of your overall strategic plan.

“If I have security, I’m ok with compliance, right?”  No, but you’re not alone in assuming that addressing one will take care of the other.  It is an easy mistake to make, and one that many healthcare businesses too often make.  Compliance and cybersecurity work together to keep you up, running and protected from a technical and federal regulations standpoint, but address different components.

When This Doesn’t Mean That

HIPAA compliance will take care of the laws and regulations that you need to adhere to.  Cybersecurity addresses the gaps or weaknesses in a business that make that entity vulnerable to hackers.  If a breach occurs, government agencies will review your HIPAA compliance to make sure you were in accordance, and this will protect you legally in some respects.  So, in this regard, they work together to protect you, but cybersecurity must be your first line of defense.

With cybercriminals placing ever more value on healthcare data, the target on a business's back gets bigger every day.  Alongside that increased value is a matching rise in the number of data breaches each year.  Healthcare data is sold for 10-20 times the price of stolen credit card numbers, so where do you think hackers are focusing?  Just like most businesses, they go where the money is.  To add to the damage being done, they are not just focused on data theft, but also on overall disruption of the business through targeted attacks on employees.

Healthcare organizations must begin to look at cybersecurity with the same reverence in which they hold HIPAA compliance.  Protecting your business and patient data should be an effort that combines both strategies.  If your IT provider isn't discussing this with you, it doesn't mean that they aren't doing it already, but don't assume. Ask questions, work together and make a plan that secures your business as a whole, not just segments of it.


The post Compliance & Cybersecurity Go Hand-In-Hand appeared first on HIPAA Secure Now!.

Remain Calm, Remain Honest – and Remain in Business

Avoiding the inevitable does not make it go away.

Healthcare patients choose a provider based on the quality of care.  In addition to that, the public will generally assume that their private information is safeguarded and not something that they need to verify or investigate before choosing that specific provider.  When you alert them to something they assumed to be a non-issue, it is understandable to be concerned about the loss of business.  However, credit reporting agency Experian has recently found that this churn can be kept to a minimum with the proper response plan.

In July 2019, Experian surveyed 1,000 adults in the United States and found that 90% of those surveyed would be somewhat forgiving if they were informed promptly as a result of an organized communication plan being in place by their provider.  Previous studies by Experian identify numbers that are more of a red flag to all parties.

It is in these studies that they found that only 34% of all breach response plans include some form of customer notification, and that such plans are in place at only 52% of companies.  So, the few that are ideally prepared have a greater chance of survival, and those who aren't prepared have a full stack of odds against them.

How Can the Risks Be Lowered?

Have a breach response plan in place.  This should be created by someone who knows their way around a breach and is ideally certified to assist with creating such a plan.  Additionally, have cyber insurance as part of your in-place plan.  This will allow you to call upon experts in the event that a (very likely) breach does occur.  And as we identified above, ensure that your breach plan includes client communication.

Even if you don’t have all of the answers immediately, letting them know that you are aware of the breach and will keep them updated will go a long way.  This increases the trust between you and your patients and makes it more likely that they will stay with your business following an incident.

66% of those surveyed would leave a practice due to slow or poor communication – don’t let this happen to your organization. It is better to be truthful up front than have to explain why you were dishonest in the past. People can accept mistakes, but they are less likely to accept being deceived.

The post Does Your Breach Response Plan Include Notification? appeared first on HIPAA Secure Now!.


A Toothache Beyond Repair

Hackers have used the very software that hundreds of dentists relied on to run their business to bring them to their knees.  A ransomware attack is responsible for shutting down computers at roughly 400 dental offices all over the U.S. The Digital Dental Record and Wisconsin-based cloud services provider PerCSoft collaborated on DDS Safe, which was used by US-based dental practices for medical record retention and backup.  Cybercriminals deployed REvil (Sodinokibi) ransomware via this application and demanded payment in exchange for victims regaining access to their files.

As of today, we know that some companies did opt to pay the ransom while others wait for a decrypter to recover their encrypted files. The process has been slow, and some offices are finding it isn’t working at all.

REvil (Sodinokibi) ransomware is one of the most active and widespread ransomware strains seen this year, and this is the second time it has happened this summer.  Earlier, in June, a group yet to be named was breached using the same strain.

Follow Up

While Digital Dental Record learned of the breach on August 26th, and immediate action was taken, even a quick response couldn’t save the offices that were already infected.

This means that those offices are unable to run effectively while this situation is remedied, and some may run the risk of never fully recovering.

The Wisconsin Dental Association issued a statement confirming that DDS Safe remains a “WDA endorsed product” and that they are aware of the breach.

This likely isn’t the last story we’ll hear about a medical breach this week.  Numbers continue to rise, including the risk percentage that all providers face.  We must continue to educate ourselves on how to be proactive and not reactive as cybercrime is now an ongoing occurrence.

And above all, we need to acknowledge that even our best efforts do not remove the risk of others being less diligent in their practice of cybersecurity.

The post Ransomware Hits Hundreds of Dental Offices appeared first on HIPAA Secure Now!.


It’s a Fact

When you search for cyberattacks by vertical, healthcare is always among the top categories.  The results can be filtered from there by the size of the business, whether enterprise or small to medium-sized establishments, but the information targeted is patient data.

Why?

Because who knows more personal information about you than your doctor?  Likely, no one.  And if that data can be accessed, it is like opening a treasure chest of data to a hacker.  There are so many ways to manipulate that data that it can be an endless source of income via ransomware or sales on the dark web.

Back for More

With outdated and unsupported systems allowing easy access for hackers, the amount of PHI uncovered in a simple breach makes it a jackpot find.  Not only are technical security gaps an easy entrance for cybercriminals into healthcare organizations, but poor employee cyber-hygiene makes it incredibly easy for hackers to find their way in. Once these databases go up for sale on the dark web, they are then used AGAIN by other cybercriminals for a second round of attacks, whether by reselling the patient data or by using administrative credentials to log in and hit the network with another breach.

This activity is not limited to US-based hackers either.  Foreign-based hackers have been found to target US healthcare networks in an attempt to blackmail them, as well as to gain access to research data.  Not only does this pose a threat to patient data, but it threatens the United States medical industry in a different way.  If advances in treatment, prescription solutions, or any type of research are stolen and credited to another business entity or country, US-based businesses will suffer that loss financially or through lack of recognition.

What’s the Remedy?

Raising awareness, updating equipment, networks, software, etc., and addressing the risk of biomedical devices before they are put in place are all necessary.  We also need to continually address the human factor within healthcare organizations, as it has been proven time and time again to be one of the highest risks for a breach occurring.

The post Repeat Offender appeared first on HIPAA Secure Now!.

HIPAA – Then & Now

The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).

With good intentions, HIPAA set forth to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required much different security measures than what we see today.

23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.

The Digital Age

Today, the chances of you finding a healthcare provider that still relies on paper records is slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.

Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.

Hackers Exploiting Healthcare

According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.

So, why are hackers setting their sights on healthcare organizations? There are several reasons.

PHI yields high profits on the dark web. Where credit card information can quickly become worthless to cybercriminals, PHI is another story. Not only can healthcare breaches go undetected for sometimes lengthy periods of time, but the data compromised in one is not something that the affected individual can easily change, like a birth date for example.

Hackers also know that the healthcare industry historically underinvests when it comes to IT security and training. What does this mean for a cybercriminal? Lack of IT resources often means poor security: perhaps no firewall, outdated systems, no anti-virus, and more. In addition, lack of employee training means employees are ill-equipped to handle a cybercriminal's malicious attempts at gaining access to the sensitive information they are expected to safeguard.

Furthermore, with the vast technology and highly connected systems used in the healthcare industry, one attack on a small system could lead to detrimental consequences for an organization. Cybercriminals know that organizations rely on these systems, and thus, suspect that attacking them may give them what they’re hoping for, like in a ransomware attack for example – pay the ransom and regain access to your systems, or ignore this request and lose your data.

Acknowledging the Cybersecurity Problem

With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from cybercriminals?

Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is responsible for enforcing HIPAA, hasn't completely ignored the issue at hand.

In December 2018, HHS issued cybersecurity guidelines in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS is well aware of the cybersecurity issues surrounding the healthcare industry.

In addition to the cybersecurity issues plaguing healthcare, protecting consumer data in general has become a hot topic with the passing of the EU's General Data Protection Regulation (GDPR). While Congress has tossed around the idea of federal privacy legislation that would create a unified privacy law, there are no real signs of that being carried out anytime soon.

How Do We Fix This?

  1. Don’t wait around for a regulation. We cannot wait around for HIPAA to change, nor for Congress to pass a federal law to better protect the privacy of patients and consumers.
  2. Take a look around. It is critical for Covered Entities and Business Associates to tightly examine the patient data they are protecting. Cybercriminals don’t just seek financial information,  but rather, information that could yield a large profit for them. Information such as a birthdate, a Social Security number, or anything in between can prove to be more valuable. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
  3. Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
  4. Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussion that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
  5. HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.

Technology will continue to advance, and hackers will continue to do the same with their skill. It is up to us to continue to evolve our cybersecurity practices, which in turn will help better protect PHI.


The post Why We Need to Go Beyond HIPAA appeared first on HIPAA Secure Now!.


Healthcare Systems


Healthcare organizations increasingly require high-end systems to provide doctors the data required to make rapid and accurate diagnoses. Digital patient records and medical imaging drive bandwidth demands higher, while insurance providers and legislators continue to pressure healthcare providers to reduce costs. Data network solutions from NHR enable healthcare organizations to deliver higher-quality, readily available, and more economical services to meet their clinical and business objectives.

Expanding & Upgrading Systems on a tight budget – Modern healthcare generates a burgeoning volume of digital diagnostic images. Ultrasounds, X-rays, PET scans and MRIs quickly grow to many megabytes per record and bog down network traffic. Pre-owned networking equipment from NHR enables health systems to build the state-of-the-art architecture they require without draining resources.

Regulatory Compliance – It is imperative for healthcare IT professionals to comply with HIPAA and other government privacy rules while adopting the latest e-health technologies and maintaining a top-notch security program under tight financial constraints. The security and integrity of patient records require a robust network, and NHR puts world-class technology within budget.

Downtime Is No Option for Critical Systems – Medical professionals demand real-time access to digitized patient information from any location, night or day. With lives at risk, network downtime isn’t an option. Substantial discounts on pre-owned equipment from NHR make redundant configurations an economic possibility. Onsite sparing strategies provide the fastest possible recovery. NetSure maintenance provides 24×7 support and next-day hardware replacement at a small fraction of manufacturer maintenance costs. These affordable solutions are ideal for protecting distribution or access layer equipment, keeping every hospital and every physician connected.

Collaboration – A high-performance core facilitates multi-specialty or multi-radiologist collaboration, so the right individuals have access to patient information to improve time to treatment and to make the right specialists reachable. And what about online patient collaboration? Forward-thinking health systems are exploring telecare models that allow patients to use online monitoring systems to upload data to their medical records. NHR’s expertise and cost-effective solutions help healthcare organizations innovate their systems and add new information sources.


As many of you know, an Electronic Health Record (EHR) is a digital record of a patient’s paper charts, updated in real-time.  This is an incredible option to have in the world of medicine, where information can be exchanged between doctors as well as business associates. It also provides an incredible benefit to the patient, giving them the best and most appropriate care when needed.

Overall, it really is a great thing to have so much information at your fingertips.  Unless that information gets into the wrong hands.  Which is exactly what happened to Allscripts Healthcare, an EHR company used by a variety of businesses in the medical field, including hospitals, pharmacies and emergency service (ambulance) centers around the world.

Today Allscripts is working with the Department of Justice to pay $145 million in a preliminary settlement in response to an attack that exposed patient records which were thought to be safe in the cloud.   They were in violation of HIPAA, the HITECH Act’s EHR incentive program, and the Anti-Kickback Statute in relation to Practice Fusion, the company acquired by Allscripts in 2018.  This settlement will release both companies from all criminal and civil liability related to the investigation surrounding them.

Unfortunately, they aren’t alone.  With the human component being the big risk factor in any organization, healthcare employs many, many people with patient access.  Each record is a gold mine for hackers, and therefore even one mistake can prove costly to an organization like we’re seeing with Allscripts.

How do we remedy this?  The first and most important step is to cover your assets. Cyber insurance is going to increase your likelihood of surviving a breach, but once you have that protection set up, get your employees trained.  And then repeat the training.  Conduct Security Risk Assessments at least annually, not only to comply with HIPAA but to identify security gaps which could leave your organization’s data up for grabs. Then, perform a vulnerability scan and find out if your system is as secure as you hope and believe.

Protection and prevention go hand in hand and in the world of healthcare, you can never have enough.

The post Allscripts to Pay $145 Million for Practice Fusion EHR Investigation appeared first on HIPAA Secure Now!.


We’re just past the midway point of the year, and if this were our own health report, we’d be failing miserably when it comes to data breach prevention.

According to a recent report from Protenus and Databreaches.net, over 31 million healthcare records were breached in the first six months of 2019.  That is double the number for all of 2018.

The information in these breaches was not caught and remediated quickly either.  Patient data was ‘for sale’ and available for manipulation on the dark web for months before being discovered in the American Medical Collection Agency breach.  With a confirmed 20 million records having been affected, the fallout from that will reveal itself in all of the days and months ahead – if not years.

So how did we get here?

Some of these were insider jobs – in fact, 60 of the incidents were a result of that. That means that over 3 million records were exposed because of existing employees.  These aren’t the hackers lurking on the dark web or in airports stealing your Wi-Fi, these are KNOWN actors in a business.  Hacking accounted for 60% of all incidents.  This means that out of 168 data breaches, phishing took down 88 businesses, with ransomware and malware being deployed at 27 of those.

The statistics are staggering, but something else to take note of, aside from the revelation that insiders are putting your business at risk, is that direct healthcare entities are not always the ones responsible.  Yes, providers reported 72% of the breaches, but health plans and business associates also contributed to the overall numbers.

What does this mean?

It means that we can stand by and watch the numbers continue to climb, with the rate of increase doubling and tripling, or we can rework how we approach, counter and react to attacks.  We’ve said it before, but every business owner, regardless of the vertical or channel in which they operate, needs to say, “It is no longer a question of IF I’m part of a breach, but a matter of WHEN I’m part of a breach.”  Second to this must be the integration of cyber insurance into a business’s arsenal.  Surviving the breach is one thing, but thriving afterward, and even during a breach, is another.

The post Halfway Health Check appeared first on HIPAA Secure Now!.


Every day in my newsfeed I’m alerted to yet another compromise of patient information.  The headlines aren’t always the attention-grabbing ones that we see when major credit companies or big-box retailers are exposed. These are just listed, one after the other, identifying locations of healthcare businesses, whether hospitals or private practices, that have had possible exposures.

If you are part of a private practice or small organization that works in the healthcare industry, you need to be aware: this is happening in your office.  It doesn’t always happen in the huge hospital with thousands of employees, the locations that we assume have less control over such a large employee base.  This is happening everywhere.  The doctor’s office with the same 3 people who have run the front office for years; the dentist you’ve been going to see since you were a child.

Patient data is a coveted treasure among cybercriminals and unless you are taking measures to protect it from end to end, you are at risk.  While working with a trusted IT advisor is critical, you also need to ensure that you are covered if a breach does occur.

Those compromises that are listed in my newsfeed don’t say that patient data was stolen and sold; they merely confirm the fact that it was seen by unauthorized eyes.  That means they don’t know what happened, but they do know that it could pose a problem in the future.  So, in order to protect their business and reputation, they are going to incur the cost of credit monitoring.  What you don’t hear about is the cost of the forensic expert or the additional breach resources that were needed even to identify whether data was compromised.

Verify that you have a cyber insurance policy to protect you in such an incident.  Without it, your business and its health are at risk of “not making it”.

The post Scrolling Through the Breaches appeared first on HIPAA Secure Now!.


This isn’t something you can pencil in and get to when you have time; cyber maintenance has to be something you commit to. We all have those moments when we realize that we had the best intentions to stick with something, but its priority fell by the wayside. We start off strong, then taper off until we forget completely.

When it comes to your cybersecurity, there isn’t a shortcut or short-term guide to safeguarding your information and identity, so taking time to address it is not only necessary, it is going to pay off in the long run.

Sharpie this in

Book time on your calendar in the way you would for personal or home maintenance.  You schedule haircuts and change the batteries in smoke detectors, so consider establishing the same type of habits when it comes to your online information.

Take this time to update passwords, ensure that your software is all updated to the latest version and that you have two-factor authentication enabled wherever it is an option.  Call your credit card companies and ask about their security policy, and whether they have methods in place to protect you from being hacked.  Enabling alerts on purchases and payments via text or email will help you to tackle any issues immediately rather than long after the damage has been done.

The bottom line is that you need to take time out of your schedule to deal with this. It’s not always convenient and it’s not always what you feel like doing, but you need to make it as much of a priority as any other maintenance in your life.

The post Make Time for Cybersecurity appeared first on HIPAA Secure Now!.


Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282