Healthcare Providers worried about Cyber Crime? Ways to Protect Your Practice!

  1. Use anti-virus software: Your net-savvy friend may tell you that he doesn’t have anti-virus on his computer because it slows things down. But look at it this way, one wrong click and he may have to make the entire college project from scratch.
  2. DON’T CLICK IT: The golden rule: Hackers infect PCs with malware by luring users to click on a link or open an attachment. Social media has helped criminals profile individuals. They can see what you’re interested in or what you [post] about and send you crafted messages, inviting you to click on something. Don’t.
  3. Different site, different passwords: Keeping a common password for all online accounts is a lot like having the same key for all locks. Only difference being that it is a lot easier to get hold of the online key. Also never reuse your main email password. But most online users own accounts in over a dozen sites. So either try and use clever variations or start doing some really heavy memory-enhancement exercise.
  4. If in doubt, block: Just say no to social media invitations (such as Facebook-friend or LinkedIn connection requests) from people you don’t know. It’s the cyber equivalent of inviting home the guy with an eye-patch who stares at you at the bus stop.
  5. Don’t bank on public wi-fi: Most Wi-Fi hotspots do not encrypt information and once a piece of data leaves your device headed for a web destination, any ‘packet sniffer’ (a program which can intercept data) can intercept your unencrypted data. If you choose to bank online on public Wi-Fi, that’s very sensitive data you are transferring.
  6. Only shop online on secure sites: Before entering your card details, always ensure that the locked padlock or unbroken key symbol is showing in your browser. Additionally, the beginning of the online retailer’s internet address will change from “http” to “https” to indicate a connection is secure. Be wary of sites that change back to http once you’ve logged on.
  7. More than one email account: A hacker who has cracked your main email password has the keys to your [virtual] kingdom. Passwords from the other sites you visit can be reset via your main email account. A criminal can trawl through your emails and find a treasure trove of personal data: from banking to passport details, including your date of birth. A separate account for your bank and other financial accounts, another for shopping and one for social networks is a good idea. If one account is hacked, you won’t find everything compromised.
  8. Ignore pop-ups: Pop-ups can contain malicious software, which can trick a user into verifying something. “[But if and when you do], a download will be performed in the background, which will install malware. This is known as a drive-by download. Always ignore pop-ups offering things like site surveys on ecommerce sites, as they are sometimes where the malcode is.
  9. MACs are as vulnerable as PCs: Make no mistake, your shiny new Mac-Book Air can be attacked too. It’s true that Macs used to be less of a target, simply because criminals used to go after the largest number of users – hat is Windows – but this is changing. Determined attackers are able to find new ways to exploit users on almost any platform.
  10. Two-step verification: If your email or cloud service offers it – Gmail, Dropbox, Apple and Facebook do – take the trouble to set this up. In addition to entering your password, you are also asked to enter a verification code sent via SMS to your phone. So a hacker might crack your password, but without the unique and temporary verification code should not be able to access your account. Keying in a password or code 40-plus times a day might seem like a hassle but it is your first line of defence.
  11. Lock down your FB account: Remove your home address, phone number, date of birth and any other information that could used to fake your identity. Similarly you might want to delete or edit your “likes” and “groups” – the more hackers know about you, the more convincing a phishing email they can spam you with. Change your privacy settings to “friends” from “friends to friends”.
  12. Don’t store your card details on websites: Err on the side of caution when asked if you want to store your credit card details for future use. Mass data security breaches (where credit card details are stolen en masse) aren’t common, but why take the risk? The extra 90 seconds it takes to key in your details each time is a small price to pay.

These are only a dozen ways to protect yourself and your business.  There are hundreds of other ways as well we can be of assistance from a breach of your organization, personal or patient information.  Contact us at 1-800-376-0212 or contact@ehrpmc.com to learn more ways we can be of assistance.

OIG: Paying Close Attention To HIPAA Security In Meaningful Use Audits

According to the recently released work plan of The Office of the Inspector General will continue to pay closer attention to the healthcare industry’s use of electronic health records – in particular HIPAA security, EHR incentive payments and fraud.

As digitization continues to be a priority so does it’s appropriate implementation and use. In a response to ensure IT security, compliance and electronic health records, the OIG has requested a $400 million FY2015 budget, an increase of $105 million and creating another 284 fulltime jobs to enforce the OIGs audits and reviews.

“Important changes are taking place across the healthcare industry,” wrote Daniel R. Levinson, U.S. inspector general, in OIG’s 2015 work plan justification. These changes, Levinson continued, include “an emphasis on coordinated care and an increased use of electronic health records. OIG will need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and that are tailored to protect programs and patients from existing and new vulnerabilities.”

So how does that translate to healthcare providers and healthcare organizations? Practices can expect closer scrutiny for HIPAA privacy and security compliance. Penalties have increased significantly under the new regulations. Practices can face fines up to $50,000 per occurrence—quickly offsetting or negating the EHR incentives they received.

Physicians can no longer afford to be relaxed about HIPAA compliance. They must have sound privacy and security protocols in place to protect against violations that could result in severe penalties.

A prime example occurred in July 2009, when a physician and two former employees of an Arkansas medical center pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of a local television anchor, thereby violating the HIPAA privacy rule. Each faces a maximum penalty of one year in prison, a fine of up to $50,000, or both.

HIPAA Compliant v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate amongst the medical security community as to what safeguards are to be taken in order to assure your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess levied a hefty fine, when a provider’s unencrypted laptop was stolen that contained patient information. This incident was responsible for leaking sensitive information of more than 41 million patients. This is clearly a black and white case of negligence, which is why the fine was levied, however what if the laptop was encrypted and the owner was robbed at knife point and forced to disclose the password information? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Woman’s Hospital, this is exactly what happened to one of their physicians, creating an interesting interpretation of the HIPAA Privacy Rule and Security Rule. This most incident reported the theft of two devices that contained patient related information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question of whether encryption alone covers a healthcare organization responsibility to the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is No, encryption alone not enough. HHS states that the HIPAA Security Rule involves, “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.”

This is the third HIPAA breach for BWH, according to data from HHS – and the third theft. BWH, is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With the advances of technology and sharing of information come the responsible to protect that information, the government has defined how that information is to be protected but it is responsibility of the Healthcare organization to safeguard patient sensitive information and put the proper precautions and mitigation plans in place to ensure security. Consult with a Security Expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com, even if you have completed a Security Assessment and have a Mitigation plan already in place, it’s better to have the assurance from a professional.

 

Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have affected such big name companies as Target, Home Depot and most recently JP Morgan. hackers, reportedly stealing financial information from over 76 million households. Financial information is important to safeguard understandably but what about your personal information, such as your medical records and social security number, the most coveted piece of information? A recent healthcare data breach has affected 30 million people and counting, this information however includes patients’ social security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess, in Boston, MA can attest to how this can happen to any Healthcare Organization, especially when the proper training and precautions are not put in place. Beth Israel Deaconess was hit with a heavy fine this month, after information was leaked from an incident occurring in 2012, when a physician’s personal laptop was stolen. The Massachusetts Office of Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, Healthcare data has seemingly become increasingly targeted, accounting for 43 percent in major data breaches reported in 2013. It seems to be on pace for this year and a dark shadow has already been cast over 2015.

Although the Federal Reporting requires breach notifications, that is in my opinion too little too late. Hefty fines are turning the heads of many larger healthcare organizations, reporting that 69 percent of health security professionals in a 2013 survey said their organization has a data breach plan in place. That’s not a number to grant a sense of ease, in fact it’s not the 40 percent of larger healthcare organizations that are unprepared that worries me, it’s the smaller private practices that have no or strategy in place and much like the Beth Israel Deaconess incident are still carrying my private medical information and potentially my social security number on a personal laptop with no encryption to secure the contents of the computer.

The moral of this story…don’t be a victim, take HIPPA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!

Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself how can you put a multi-layer defense in place to prevent a Breach?

What are the risks?  Reputational Risks? Data Integrity Risks?

Areas To Address:

  • Encrypt Every Device and how to protect the data center from external and internal attacks
  • Have a Risk Analysis Done Properly since the OCR is asking up to 5 years back now to show that you have made a concious effort to mitigate your risks every year
  • Staff Training and education, penetration tests, cable locks or trackers for unencrypted devices all matter.
As previously mentioned in my blogs, the OCR stated over 60% of breaches occur because of theft or loss of an unencrypted device.  Therefore, it is important to keep track of any device that leaves the office!  Unauthorized disclosure of accounts accounted for 16% of breaches.  Hacking of account accounted for only 7% of actual breaches.
A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.
Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Important Reasons To Keep Patient Information Secure

Some organizations are unaware they have a breach of information until the FBI initiates the incidence report.  It is not only hospitals that are responsible.  It could even go as far a medial application developer or third party vendors  It is highly recommended for healthcare organizations to verify vendors’ security  and make it part of their contract.  HIPAA breaches can cause you to get federal, state and/ or regional fines.

For example, Health Net the Woodland Hills, Calif.-based health insurance company learned its business associate IBM had lost nine unencrypted server drives on January 2011. These servers contained names, Social Security numbers, addresses and health information of Health Net employees, members and providers. They did not receive federal fines  but two state attorneys general offices filed suit against the firm.
As a result, Health Net had to pay $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. Additionally they settled with the Vermont’s attorney general for $55,000.
As of the statistics in 2012, if your data was breached you have a 1 in 4 chance of being a victim of fraud.
Breach Due to a A Weak Default Password on a Server
The report examined a HIPAA oversight by a contracted Utah Department of Health employee affecting 780,000 people in this breach. The server had a weak default password and failure to manage the department’s IT assets appropriately, hackers exploited the vulnerability and took  Social Security numbers, medical diagnostic codes and dates of birth.   Javelin Research estimated some 122,000 cases of fraud would occur.  Resulting in a total cost pegged at a whopping $406 million.  This represents approximately 20 hours to resolve each fraud case.

Having a Social Security number stolen put the person to be at risk indefinitely.

Trust & Patient Health

“People refuse to see doctors for sensitive conditions because they know the information won’t stay private. I’m talking about cancer, depression, sexually transmitted diseases,” said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. “That’s a tragedy when people who have very treatable, serious medical illnesses won’t get care.”
A 2014 Harvard School of Public Health study assessing the privacy perceptions of U.S. adults pertaining to their health data found more than 12 percent of some 1,500 respondents withheld information from care providers over medical security concerns.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Over $2 million collected from Concentra and QCA Health Plan for breaches of patient information

The Department of Health and Human Services Office for Civil Rights announced on April 22 that it collected nearly $2 million to resolve potential HIPAA violations from Concentra Health Services & QCA Health Plan for failure to secure protected health information on laptops and mobile devices.

Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.

In an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

Encryption is the #1 source of patient breaches.  If you have questions on how to encrypt your PCs and mobile devices please contact us at EHR & Practice Management Consultants, Inc. (800) 376-0212 or contact@ehrpmc.com

Cyber Threats are at Highest Risk in the Healthcare Industry

In April 2014 the FBI Cyber Division issued a warning that medical devices and healthcare systems are at risk for increased cyber attacks due to financial benefits of hackers.

Due to the deadline for providers to go on an EHR by 2015 there will be many providers going on an EHR to reach this deadline which will include a greater number of medical devices connected to the Internet which will be at an increased risk of cyberattack for medical information of patients.

Compared to other industries the FBI stated the healthcare industry is not as well prepared to handle these cyber attacks.

As cited by Symantec, last year 37% of breacjhes were forund to be in the healthcare industry which is the largest for any industry.

As I have discussed in my earlier blogs, this not only puts the patient’s identity at risk for fraudulent activity but it also creates potential health risks in case a person fraudulently uses their identity and receives medical treatment. This can have misinformation as part of the true patients health history, treatments, and medications they are on. Not only could this cause an increase in the patients premium but misinformation could be given to other patients regarding the patients health and be mistreated by other providers. This is why it always important for a patient to periodically go online with their insurance company to make sure the claims being sent to the insurance firm are for claims that they actually had on their behalf. Additionally, when their providers are starting to receive information on the health information exchange (HIE) of care they received elsewhere to verify with the provider this is correct.

Identity theft not only can cost a person thousands of dollars to have resolved but can also put their health outcomes at risk.

If you are a provider/ practice/ clinic and would like a full risk assessment and mitigation plan completed for your practice to avoid any security breaches of your patients protected health information please contact us at EHR & Practice Management Consultants, Inc.  1 (800) 376-0212 or contact@ehrpmc.com

 

Stanford Hospital & Clinics Pay $4 Million for privacy offense

Practice, clinics an hospital not only have to worry about HIPAA laws at a federal level but they need to take into account the state privacy laws that can cost them as well!

In California, the law requires that medical providers maintain their patients’ medical information confidential and prohibits the disclosure of such information without a patient’s written authorization.

Stanford Hospital and Clinics has had 5 big HIPAA breaches in the last 3 years compromising the protected health information of more than 92,000 patients.  Four of the breaches involved the theft of unencrypted company laptops.   It would have been much better if this was merely property losses as opposed to data losses. They may now be required to pay a $4.1 million class action settlement after violating California’s medical privacy law.

The settlement was given approval last week by Los Angeles County Superior Court Judge Elihu Berle from a 2010 incident when Stanford notified 20,000 of its patients that their protected health information was wrongfully posted to a student website. The information was posted on a public website  for almost a year included medical diagnoses and patient names.

In September 2011, Shana Springer, a patient, filed a $20 million class action lawsuit against Stanford and its business associate Multi-Specialty Collection Services for violating California’s Confidentiality of Medical Information Act.

When Stanford Hospital and Clinics notified patients, it claimed it had sent Multi-Specialty Collections services encrypted patient information for “permissible business purposes,” making the company “responsible by law and contract for protecting all patient information provided to it for its services.”

HIPAA-covered entities and business associates have paid over $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year which does not include the state and private legal settlements.