Merry Christmas and Happy Hanukkah
Ransomware and Hacking Predicted To Increase in 2018
According to Accenture’s 2017 MIDYEAR CYBERSECURITY RISK REVIEW, criminal marketplaces are flourishing in the Dark Web corners of the Internet, and the hacker tools that are for sale are becoming easier to use. Ease of use means that less skilled wanna-be hackers can now download a single program, pick a target (your network) and start trying to hack their way in. No special knowledge required.
If you are still using a $50 router/firewall that you bought from the big box store 3 years ago to protect your network from the Internet, that is a mistake. Not probably, but, most definitely.
Today’s Internet protection requires more sophistication that that device is able to provide. A current UTM (Unified Threat Management) Security device will act as a firewall, router, Intrusion Detection device, Content Filter to keep your employees under control, gateway anti-virus, and GEO-IP blocker (to protect you from foreign countries trying to connect to your network and more.
The crooks have stepped up their game and you need to follow suit by stepping up your network security.
A UTM firewall is just the first step in protecting the network from the Internet. Because a phishing email is the biggest culprit in the installation of ransomware on a network, we also need to train staff to recognize what a phishing email looks like.
We are ramping up a new Security service that will address these concerns. Stay tuned in January for more news.
Sleep Center Ransomware Hack
New Jersey’s Hackensack Sleep and Pulmonary Center was hit by a ransomware attack in September that potentially breached the data of 16,476 patients.
Officials discovered the malware had encrypted its computer system on Sept. 25, when the ransomware locked down its EHR and the hacker demanded a ransom to unlock the files.
The sleep center did not pay the ransom. Instead, the medical center immediately contacted the New Jersey State Police Cyber Crimes Unit and hired a computer forensics team to help with the investigation and make recommendations on how to better protect its system. Further, officials said they’re implanting stronger security measures.
Affected patient records contained complete medical records including diagnoses and office notes, personal identifiers including credit card information and Social Security numbers, and insurance details.
Because Hackensack Sleep and Pulmonary Center’s staff had prepared for ransomware attacks, it was able to regain files from an unaffected, offline backup. Officials said they are confident the records are intact.
They are also encouraging affected patients to review account statements, health insurance records and benefits forms to ensure there’s no suspicious activity. While ransomware attacks don’t appear to breach data, data access is possible under HIPAA rules.
“We sincerely apologize and regret that this incident has occurred,” officials said in a statement. “Please know we are doing everything we can to continue to monitor this issue, to safeguard your personal and health information, and to protect against future incidents.”
While it is true that most ransomware only encrypts files and then demands a ransom to decrypt the files, HHS and OCR have issued guidance that says that if a hacker got far enough into your network to encrypt the files, that is a data breach, even if the evidence indicates that the ePHI was not compromised.
So, getting infected by ransomware is the exact same as if you had taken all your Patient data and put it on the Internet for everyone to see.
Would YOU have a sleep study done at this facility knowing that their systems were breached?
This newsletter is provided as a professional courtesy to you and your staff. Feel free to distribute as you see fit or to use in your training program.
Points lost for failure to perform a security risk assessment
There are four MIPS pillars that determine how providers will be scored. One of those pillars, advancing care information (ACI), requires a security risk assessment (SRA), among other criteria, to receive a base score. Practices must prove that their patients’ electronic protected health information (ePHI) is being protected on their networks. Failure to perform an SRA will result in a base score of zero, an automatic loss of 25 points from their MIPS score, lower reimbursements and a lower ranking accessible to the public.
Moreover, under MACRA, MIPS participants are subject to a random audit for up to 10 years. In the event of an audit, participants may be asked to upload documentation to prove they performed an SRA. Even after going through the process of selecting and reporting on measures for each pillar, failure to perform an SRA puts the practice at risk for having its MIPS scores recalculated. Revised scores will be published by CMS, with subsequent recoupment of significant amounts of already received Medicare Part B payments.
Maybe You Don’t Have A Security Risk Assessment After All
Recently I have come across two of our competitors who have given Medical Practices a copy of a Network Scan document as part of their IT Service Proposal. Both of these entities were under the impression that these network scans were Security Risk Assessments.
Nothing could be farther from the truth.
Just because an IT firm runs some software on your network that shows you have some people who have not logged in 30 days, and that some of your Windows patches are out of date and has a fancy graph on it in which your Practice is up in the red of the graph indicating that you have major problems, does not mean you have conducted a Security Risk Analysis.
An SRA is an expensive proposition, measured in the thousands of dollars that does an extensive dive into your business as well as your computer network. Trying to pass one of these scans off as a Security Risk Assessment is asking for trouble in the event of an audit by OCR.
If you find yourself in this position, give us a call to quote you on a real Security Risk Analysis. We do not care if we are not your IT vendor. We regularly perform our SRA service on networks where other IT Vendors take care of the network on a daily basis.
Sued For a Billion Dollars
Healthcare IT News last month reports that eClinicalWorks is now the subject of a Class Action Lawsuit by a cancer patient alleging that as a result of their faulty software, he was unable to determine when his cancer symptoms began.
The suit comes just six months after the company was hit with a $155 million settlement to resolve a False Claims Act suit that claimed it gave customers kickbacks to publically promote its products.
The company did not immediately respond to a request for comment.
Kristina Tot, in charge of the Stjepan Tot estate, filed the complaint in the U.S. District Court in the Southern District of New York on Thursday. Tot is asking for $999 million in monetary damages for breach of fiduciary duty and gross negligence.
Stjepan Tot died of cancer, and the suit claims that “he was unable to determine reliably when his first symptoms of cancer appeared [as] his medical records failed to accurately display his medical history on progress notes.”
Further, the lawsuit claims that millions of patients have compromised patient records, as eClinicalWorks’ software didn’t meet meaningful use and certification requirements laid out by the Office of the National Coordinator.
These patients “can no longer rely on the accuracy and veracity” of their medical records as it stands in eClinicalWorks EHRs. According to the suit, more than 850,000 healthcare providers use eClinicalWorks software.
In the complaint, Tot lists a wide range of the company’s shortcomings including failure to reliably record diagnostic imaging orders; failed audit log requirements; failed data portability requirements; and failure to satisfy required certification criteria, among others.
eClinicalWorks settled with the Department of Justice in May for knowingly falsifying meaningful use certification, which allowed for fraudulent incentive payments to providers. It was the first case of its kind. But some have suggested eClinicalWorks was not the only vendor to shirk certification criteria.
As a result, DOJ demanded eClinicalWorks transfer its data to rival EHRs for free and hire an independent watchdog for the company.
The lawsuit was first filed by whistleblower Brendan Delaney, who was a software technician at the New York City Division of Health Care Access and Improvement at that time.
Team Viewer Vulnerability
Do you have remote support software TeamViewer installed on your desktop?
If yes, then you should pay attention to a critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other's PC without permission.
TeamViewer is a popular remote-support software that lets you securely share your desktop or take full control of other's PC over the Internet from anywhere in the world.
For a remote session to work both computers—the client (presenter) and the server (viewer)—must have the software installed, and the client has to share a secret authentication code with the person he wants to share his desktop.
However, a GitHub user named "Gellin" has disclosed a vulnerability in TeamViewer that could allow the client (sharing its desktop session) to gain control of the viewer's computer without permission.
Team Viewer has published a patch to correct the problem, but, it is not going to install automatically. Make sure the IT folks who installed Team Viewer get it updated ASAP.