Microsoft Patch Tuesday:
20 critical issues addressed
Adobe Patch Tuesday:
62 vulnerabilities for Reader/Acrobat,
5 critical for Flash Player
Just a reminder that patching your PCs and Servers is an important task that you must stay on top of.
A car thief is not generally going to steal a car that has the doors locked and an alarm turned on. They are going to look for an easy mark, like a car left running with the keys in the ignition.
Your computer network needs to be hardened enough that the crooks move on to an easier mark. One way to do that is to install the patches and security fixes that vendors issue as soon as they are available.
By way of example, Equifax had a data breach of roughly 143 million credit records last month, which is about half of the US population.
This breach would have been prevented if they had applied a patch that was released in March of 2017!
Now, let’s see when the lawsuits begin.
FirstHealth of the Carolinas Infected
The computer network of Pinehurst-based FirstHealth of the Carolinas was shut down by a new form of WannaCry ransomware the week of October 16th.
Ransomware encrypts your files and then the criminals request a ransom payment from your company in order to decrypt the files.
Ransomware normally comes into your network via a malicious email that is opened by one of your staff.
The health system detected the malware and took its network offline while it worked to remove the infection, according to FirstHealth’s alert. FirstHealth’s staff initiated downtime procedures at that time.
“We are experiencing some delays and appointment cancellations as a result of the downtime event,” officials continued. “This does not apply to critical and emergent needs. We sincerely apologize for any inconvenience this has caused.”
While we are talking about ransomware, the latest twist is “fileless” ransomware.
In the past, files had to be downloaded by a user or staff member to the PC or server before they would run and begin encrypting data.
Now, when a user clicks a link in a phishing email, the malicious code is loaded directly into RAM and does its dirty work from there.
Because RAM is volatile, little or no trace of the malicious code remains on disk once the ransomware has encrypted your files.
You have to train your staff not to open email attachments they are not expecting, especially when they do not know the sender.
I Am From Microsoft And I Am Here To Help
One of the latest scams going around involves infected, malicious websites.
It happened to me the other day. I was typing in a website address and typed a wrong letter in the web address. All of a sudden there was a pop-up on my screen:
The “YOUR COMPUTER HAS BEEN BLOCKED” tech support scam is a web browser advertisement shown by fraudulent remote tech support companies. They try to scare visitors into thinking that their computer is infected, so that they call the listed phone number.
If you see this alert in a web browser then your computer is fine! This is just an advertisement and you should not call the number or purchase any services from them.
This scam only works if you call them and give them access to your computer and/or give them your credit card number.
Do not do either!
128,000 Patient Record Breach
Buried deep inside MACRA (Medicare Access and CHIP Reauthorization Act) lies a key requirement for eligibility: the Security Risk Assessment (SRA). If ignored, it could undo the Herculean effort taken by physicians to reach high scores and maximize Medicare reimbursements under the new Medicare payment reform plan.
MACRA establishes a framework to reward physicians for providing higher quality care at lower costs and improving health outcomes for patients—a switch from fee for services to the value-based care model. One pathway to higher reimbursement is the Merit-based Incentive Payment System (MIPS).
Using MIPS calculations, clinicians are scored on performance and quality measures, costs, use of electronic health records, and improvement activities like patient safety and care coordination. Higher scores equal higher reimbursements. For the first year, physicians will have to decide which measures they’ll report on, with measures increasing year by year.
To achieve 25% of the MIPS score, for example, medical practices will have to report on a set of measures for the day-to-day use of their EHR system, with a particular emphasis on increased interoperability and electronic information exchange across the clinical care network and with patients.
Based upon their MIPS performance scores in 2017, physicians can expect to see their payments vary by +/- 4% beginning in 2019. By 2022 payments will vary by +/- 9%.
But if physicians are so steeped in figuring out their MIPS categories and measures and creating reports that they forget to complete an SRA, all their efforts will have been in vain.
Plus, failing to perform an SRA will leave a practice noncompliant with HIPAA regulations. Imagine spending months doing painstaking tax preparation and submitting all the forms to the IRS, then forgetting to sign the documents, rendering the tax returns invalid. Going through the complex MIPS measuring and reporting process without performing the SRA has similar consequences.
To start on the path to MACRA and MIPS scoring and increasing reimbursements, medical practices must perform an SRA and identify vulnerabilities in protecting patient information.
- Identify and document all patient information repositories. Medical practices often operate under the assumption that all patient information is stored in their EHRs. But it can also reside in emails, Excel spreadsheets, Word documents, PDFs with scanned explanations of benefits, or ultrasounds and MRIs. The SRA should determine exactly where all ePHI (electronic protected health information) is located.
- Identify and document potential threats and vulnerabilities for each repository. Make sure backup and disaster recovery procedures are in place, as well as procedures for dealing with lost or stolen laptops, smartphones, and mobile storage devices containing ePHI.
- Train employees and create access policies. Train employees to recognize phishing and phone scams, to follow the rules for using public Wi-Fi and posting on social media, and to avoid other risky behaviors that lead to breaches. Review employee policies to ensure staff access only the patient records they need to perform their jobs. Make sure that procedures are in place to prevent terminated employees from accessing ePHI.
- Encrypt data. Encrypt patient data to not only protect against attacks but to help alleviate any potential penalties as auditors will consider whether a firm took all reasonable steps to protect the data.
- Develop a breach response plan. Have a response plan in case a breach does occur. Specify who will be on the response team, what actions the team will take, and how the practice will prevent another breach from occurring. The SRA will make sure a plan exists and all employees are trained in how to respond.
Invest the time and devote the resources to perform a comprehensive risk assessment or hire a HIPAA security consultant to assist. Medical practices must achieve HIPAA compliance and ePHI security to begin scoring MACRA points and maximizing reimbursements.
Cyber Attacks On Healthcare Expected To Increase
Throwing all of your computers in the trash and going back to paper is not an option for dealing with all the healthcare security issues. So, you need to buckle down, hook up with a security-focused IT firm that is HIPAA compliant, and start hardening your network to the outside world.
Some basic steps:
A good Unified Threat Management firewall, with ALL of the security subscriptions enabled, is the first step.
Then use that device to block all traffic to and from foreign countries.
Configure content filtering so that your users are not able to go willy-nilly anywhere on the Internet they want.
Next, install a good endpoint protection anti-virus software on all machines, including servers, and have it update hourly and scan nightly.
Lastly, train your staff to recognize phishing emails and to never click on links in emails if they do not understand where the link will take them or what it will do.
If you take these basic steps, you have reduced your footprint on the internet and therefore reduced your exposure to the criminals trying to steal your patient data.
An old geezer, who had been a retired farmer for a long time became very bored and decided to open a medical clinic.
He put a sign up outside that said: "Get your treatment for $500 - if not cured get back $1,000."
Doctor "Young," who was positive that this old geezer didn't know beans about medicine, thought this would be a great opportunity to get $1,000. He went to Dr. Geezer's clinic and this is what happened.
Dr. Young: "Dr. Geezer, I have lost all taste in my mouth. Can you please help me?"
Dr. Geezer: "Nurse, please bring medicine from box 22 and put 3 drops in Dr. Young's mouth."
Dr. Young: "Aaagh! This is Gasoline!"
Dr. Geezer: "Congratulations! You've got your taste back. That will be $500."
Dr. Young gets annoyed and goes back after a couple of days figuring to recover his money.
Dr. Young: "I have lost my memory, I cannot remember anything."
Dr. Geezer: "Nurse, please bring medicine from box 22 and put 3 drops in the patient's mouth."
Doctor Young: "Oh no you don't, that's Gasoline!"
Dr. Geezer: "Congratulations! You've got your memory back. That will be $500."
Dr. Young (after having lost $1,000) leaves angrily and comes back after several more days.
Dr. Young: "My eyesight has become weak, I can hardly see!"
Dr. Geezer: "Well, I don't have any medicine for that, so here's your $1,000 back."
Dr. Young: "But this is only $500..."
Dr. Geezer: "Congratulations! You got your vision back! That will be $500."
Moral of the story: Just because you're "Young" doesn't mean that you can outsmart an old "Geezer."
A doctor and a lawyer were talking at a party.
Their conversation was constantly interrupted by people describing their ailments and asking the doctor for free medical advice.
After an hour of this, the exasperated doctor asked the lawyer,
"What do you do to stop people from asking you for legal advice when you're out of the office?"
"I give it to them," replied the lawyer, "and then I send them a bill."
The doctor was shocked, but agreed to give it a try.
The next day, still feeling slightly guilty, the doctor prepared the bills.
When he went to place them in his mailbox, he found a bill from the lawyer.
This newsletter is provided as a professional courtesy to you and your staff. Feel free to distribute as you see fit or to use in your training program.
Founder/CEO/Chief Cook and Bottlewasher