Senators press CMS to recoup EHR overpayments under meaningful use

The agency overpaid hospitals $730 million and now two U.S. Senators want to know why it hasn’t tried harder to get that money back.

Senators Orrin Hatch, R-Utah, and Charles Grassley, R-Iowa, have sent a letter to Centers for Medicare and Medicaid Services Administrator Seema Verma with several questions about CMS’s plans to recover meaningful use overpayments.

“Given the estimated $729,424,395 in inappropriate incentive payments, why has CMS not made greater attempts to recover these funds?” Hatch and Grassley asked in the letter.

The Office of the Inspector General determined in June that, because of its failure to conduct appropriate reviews, CMS paid hundreds of millions more than it should have.

Up Next – MSSP
Managed Security Service Provider

A while back you made the decision to outsource your IT needs, and that has worked out reasonably well for you. The MSP (Managed Service Provider) monitors and maintains your network, has installed a good UTM (Unified Threat Management) firewall and good endpoint protection (antivirus/antispam) software, answers all of your questions in a timely manner, acts as a liaison with your line-of-business practice management and EHR software vendor, and provides you with hardware support and maintenance.

All is good, right?

For now, anyway. The next thing coming down the pike is outsourced security. Most MSPs handle some basic security, but with the proliferation of ransomware, malware, viruses and other network threats, it may soon be time for you to step up your game to the next level.

That is going to mean hiring an MSSP in addition to your MSP. The Managed Security Service Provider will act as your Security Operations Center, using SIEM (Security Incident and Event Management) software to dig deeper into the threats to your network from both inside and outside.

SIEM software is not cheap. I received a Vendor quote for $35,000 for enough licenses to resell to a portion of our MSP customers.

But monitoring the network at a deeper level will soon be required in order to protect your owner’s business from threats to that business.

Healthcare has been lagging in IT security, and MSSPs are a way to add that competency quickly, said Bill Ho, CEO of Biscom, a secure document and messaging systems company.

“Sometimes more specialized expertise is needed,” Ho said. “Much like your doctor referring you to a specialist, an internal IT department may not have specific and in-depth knowledge around security. With the speed at which threats change these days, it’s no surprise that many organizations are finding that Managed Security Service Providers can help them fortify their defenses.”

“It’s not a very good use of a relatively high-salary security specialist’s time to comb through logs on a daily basis and review reports every day and investigate every little alert that fires off of a device. Organizations want these highly compensated security professionals to lead a security strategy.”

This is where the SIEM software comes into play: it does the log perusal and alerts the security specialists only when abnormalities are detected.
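To make the "only alert on abnormalities" idea concrete, here is a small added example (not code from the newsletter or from any SIEM vendor) that correlates constructed SSH authentication log lines: it keeps a sliding window of failed logins per source address, raises an alert once a burst crosses a threshold, and raises a second alert if a successful login follows that burst. Routine logins produce no alert at all, which is exactly the noise reduction the paragraph describes. The log format, the threshold and the addresses are all constructed for the example.

```python
"""Toy SIEM-style correlation over constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not from any real host.
SAMPLE_LOGS = """\
2017-07-12T08:00:01 host1 sshd: Failed password for admin from 203.0.113.5
2017-07-12T08:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2017-07-12T08:00:04 host1 sshd: Failed password for root from 203.0.113.5
2017-07-12T08:00:06 host1 sshd: Failed password for admin from 203.0.113.5
2017-07-12T08:00:07 host1 sshd: Failed password for admin from 203.0.113.5
2017-07-12T08:00:09 host1 sshd: Accepted password for admin from 203.0.113.5
2017-07-12T08:05:00 host1 sshd: Failed password for jdoe from 198.51.100.7
2017-07-12T08:30:00 host1 sshd: Accepted password for jdoe from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def correlate(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (alert_type, source_ip, user, timestamp) tuples.

    brute_force:         `threshold` failures from one address inside `window`
    success_after_burst: an accepted login from an address still in a burst
    Ordinary logins, and isolated failures, produce nothing.
    """
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    burst_ips = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append(("brute_force", ip, ev["user"], ts))
        else:
            # A success is only interesting if it follows a burst from the
            # same address that is still inside the window.
            if len(failures[ip]) >= threshold:
                alerts.append(("success_after_burst", ip, ev["user"], ts))
            else:
                burst_ips.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running the block prints two alerts for 203.0.113.5 and nothing for jdoe, whose single failure is 25 minutes old by the time the successful login arrives. A real SIEM adds many more rules and data sources, but the shape is the same: parse, keep state per entity, and only emit when a rule fires.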

TheDarkOverlord (TDO) Leaks Celebrity Patient Data From Beverly Hills Provider

The notorious hacker has been playing a game called “A Business a Day” by publicly making extortion attempts on businesses.

The hacker known as TheDarkOverlord released another data dump, which contained patient data from California-based Dougherty Laser Vision.

TDO made the announcement on his Twitter account late Tuesday night. Unlike previous leaks, there’s no mention of attempted extortion on the healthcare provider.

The leaked data includes names, dates of birth and addresses of nine celebrities who endorsed the provider. For some, Social Security numbers were listed.

At time of publication, there was no mention of the breach on Dougherty’s website. And calls for an official statement were not immediately returned.

The hacker, per the norm, did not specify how he or she was able to obtain these records, but it’s clear TDO has no intention of stopping.

So far data has been dumped from two healthcare providers in a game the hacker is calling “A Business a Day.” The hacker leaked 6,000 patient records on June 8 from Feinstein & Roe MDs in Los Angeles and 6,300 patient records from La Quinta Center for Cosmetic Dentistry on June 9.

The hacker began threatening Coliseum Pediatric Dentistry of Hampton, Virginia with a data leak on June 9.

This is not the first leak from TDO. The hacker was responsible for stealing over 10 million records in 2016 from organizations connected to the HL7 network by exploiting vulnerabilities in email software that supports the technology.

TDO is also responsible for hacks on the Indiana Cancer Agency, Aesthetic Dentistry, OC GastroCare, Tampa Bay Surgery Center and a long list of others.

Rick Boyles
757-333-3299 x200

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information?

Dropbox claims it now supports HIPAA and HITECH Act compliance, but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform is HIPAA compliant in itself; compliance depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules.

The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required.

Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA violation, the BAA must be obtained before any file containing PHI is uploaded to a Dropbox account. A BAA can be signed electronically via the Account page of the Admin Console.

Dropbox allows third party apps to be used, although it is important to note that they are not covered by the BAA. If third party apps are used with a Dropbox account, covered entities need to assess those apps separately prior to their use.

Dropbox Accounts Must be Configured Carefully

HIPAA requires healthcare organizations to implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to configure a Dropbox account correctly. Even with a signed BAA, it is possible to violate HIPAA Rules when using Dropbox.

To avoid a HIPAA violation, sharing permissions should be configured to ensure files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to prevent PHI from being shared with any individual outside of a team. Two-step verification should be used as an additional safeguard against unauthorized access.

It should not be possible for any files containing PHI to be permanently deleted. Administrators can disable permanent deletions via the Admin Console. That will ensure files cannot be permanently deleted for the lifetime of the account.

It is also essential for Dropbox accounts to be monitored to ensure that PHI is not being accessed by unauthorized individuals. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organization. The list of linked devices should also be regularly reviewed. Dropbox allows Dropbox content on linked devices to be remotely wiped. That should occur when a user leaves the organization or if a device is lost or stolen.

Dropbox records all user activity. Reports can be generated to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be regularly reviewed.
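The configuration checks above (team-wide sharing restrictions, two-step verification, permanent deletion disabled, departed users with linked devices, and shares that reach outside the organization) can be written down as a repeatable audit. The following is an added example, not code from the article or from Dropbox: the dictionary layout is a constructed snapshot of a team's settings, not Dropbox's Admin Console or API format, and the domain, user names and paths are invented. `audit()` lists what is wrong with a weak configuration, and `harden()` applies the administrative fixes; the one finding it cannot clear, a user who has not turned on two-step verification, illustrates the article's point that compliance ultimately depends on users.

```python
"""Audit a constructed Dropbox-style team configuration snapshot (added example)."""
import copy

ORG_DOMAIN = "clinic.example"  # constructed organization domain

# Constructed snapshot of a weakly configured team; layout is an assumption.
WEAK_CONFIG = {
    "external_sharing_allowed": True,      # team setting: sharing outside the team
    "permanent_delete_disabled": False,    # Admin Console: block permanent deletion
    "members": [
        {"email": "alice@clinic.example", "two_step": True,  "active": True,  "devices": ["laptop-1"]},
        {"email": "bob@clinic.example",   "two_step": False, "active": True,  "devices": ["phone-2"]},
        # carol has left the organization but still has a linked device
        {"email": "carol@clinic.example", "two_step": True,  "active": False, "devices": ["phone-3"]},
    ],
    "shares": [
        {"path": "/PHI/intake-forms", "with": "bob@clinic.example"},
        {"path": "/PHI/lab-results",  "with": "vendor@partner.example"},
    ],
}


def _domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def audit(config, org_domain=ORG_DOMAIN):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if config.get("external_sharing_allowed"):
        findings.append("team setting allows sharing outside the team")
    if not config.get("permanent_delete_disabled"):
        findings.append("permanent deletion is not disabled")
    for m in config["members"]:
        if m["active"] and not m["two_step"]:
            findings.append(f"{m['email']} has no two-step verification")
        if not m["active"] and m["devices"]:
            findings.append(
                f"deprovisioned user {m['email']} still has linked devices: "
                + ", ".join(m["devices"])
            )
    for s in config["shares"]:
        if _domain_of(s["with"]) != org_domain:
            findings.append(f"{s['path']} is shared outside the organization with {s['with']}")
    return findings


def harden(config, org_domain=ORG_DOMAIN):
    """Return a corrected copy, leaving the input untouched.

    Mirrors the administrative steps in the text: restrict sharing to the
    team, disable permanent deletion, wipe and unlink devices of departed
    users, and revoke shares that reach outside the organization.  Two-step
    verification is enrolled by each user, so that finding is left for them.
    """
    fixed = copy.deepcopy(config)
    fixed["external_sharing_allowed"] = False
    fixed["permanent_delete_disabled"] = True
    for m in fixed["members"]:
        if not m["active"]:
            m["devices"] = []  # remote wipe, then unlink
    fixed["shares"] = [s for s in fixed["shares"] if _domain_of(s["with"]) == org_domain]
    return fixed


if __name__ == "__main__":
    print("before:", *audit(WEAK_CONFIG), sep="\n  ")
    print("after: ", *audit(harden(WEAK_CONFIG)), sep="\n  ")
```

Feeding such an audit from the activity and sharing reports the article mentions, and running it on a schedule, turns the "regularly reviewed" requirement into something that actually happens.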

Dropbox will provide a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has implemented to help keep files secure. Those documents can be obtained from the account management team.

So, is Dropbox HIPAA compliant? Dropbox is secure and controls have been implemented to prevent unauthorized access, but ultimately HIPAA compliance depends on users. If a BAA is obtained and the account is correctly configured, Dropbox can be used by healthcare organizations to share PHI with authorized individuals without violating HIPAA Rules.

Verizon, the major telecommunications provider, has suffered a data security breach, with the personal details of over 14 million US customers exposed on the Internet after NICE Systems, a third-party vendor, mistakenly left the sensitive customer details open on a server.

Chris Vickery, researcher and director of cyber risk research at security firm UpGuard, discovered the exposed data on an unprotected Amazon S3 cloud server that was fully downloadable and configured to allow public access.
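A bucket becomes "configured to allow public access" in two common ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Allow statement names `*` as the principal. The following added example (not code from the article or from UpGuard) checks a constructed S3-style ACL and bucket policy for those conditions and contrasts them with a hardened pair. The bucket name, account id and role name are invented; the group URIs, statement fields and the `aws:SecureTransport` condition key are the real S3 and IAM forms. Conditions on an Allow statement are not evaluated, so a conditional public grant is still reported for manual review.

```python
"""Flag public-access grants in constructed S3-style ACL and policy documents (added example)."""

# Real S3 group URIs that mean "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the Internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed documents; bucket name, account and role are placeholders.
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
HARDENED_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalyticsRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-placeholder"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny with Principal "*" is not a public grant; it forces TLS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_reads_objects(action):
    a = action.lower()
    return a in ("*", "s3:*", "s3:getobject") or a == "s3:get*"


def acl_public_reasons(acl):
    reasons = []
    for grant in acl.get("Grants", []):
        label = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if label:
            reasons.append(f"ACL grants {grant['Permission']} to {label}")
    return reasons


def policy_public_reasons(policy):
    reasons = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        readable = [a for a in _as_list(st.get("Action", [])) if _action_reads_objects(a)]
        if readable:
            note = " (conditional; review the Condition block)" if st.get("Condition") else ""
            reasons.append(f"policy statement {st.get('Sid', '<no Sid>')} allows "
                           f"{', '.join(readable)} to everyone{note}")
    return reasons


def bucket_public_reasons(acl, policy):
    """Combined findings; an empty list means no public read grant was found."""
    return acl_public_reasons(acl) + policy_public_reasons(policy)


if __name__ == "__main__":
    print("exposed: ", bucket_public_reasons(EXPOSED_ACL, EXPOSED_POLICY))
    print("hardened:", bucket_public_reasons(HARDENED_ACL, HARDENED_POLICY))
```

The hardened pair keeps the data reachable only by a named role and adds a Deny that rejects plaintext connections; the checker correctly ignores that Deny even though its principal is `*`. In practice the same logic would be fed from the account's real ACLs and policies rather than embedded documents.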

The exposed data includes sensitive information of millions of customers, including their names, phone numbers, and account PINs (personal identification numbers), which is enough for anyone to access an individual’s account, even if the account is protected by two-factor authentication.

“The exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning,” explained UpGuard’s Dan O’Sullivan in a blog post.

NICE Systems is an Israel-based company known for offering a wide range of solutions for intelligence agencies, including telephone voice recording, data security, and surveillance.

According to the researcher, it is unclear why Verizon allowed a third-party company to collect call details of its users; however, it appears that NICE Systems monitors the efficiency of its call-center operators for Verizon.

The exposed data contained records of customers who called Verizon’s customer service in the past six months, calls which are recorded, obtained and analyzed by NICE.

Interestingly, the leaked data on the server also indicates that NICE Systems has a partnership with the popular Paris-based telecommunications company “Orange,” for which it also collects customer details across Europe and Africa.

“Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data,” O’Sullivan said.

“NICE Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy.”

Vickery had privately informed Verizon team about the exposure in late June, and the data was then secured within a week.

Vickery is a well-known researcher who has previously tracked down many exposed datasets on the Internet. Just last month, he discovered an unsecured Amazon S3 server owned by data analytics firm Deep Root Analytics (DRA), which exposed information on more than 198 million United States citizens, over 60% of the US population.

In March this year, Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA), which was also left unsecured on an Amazon cloud storage server for anyone to access.