HIPAA Hot Water

Bedford Memorial Hospital

Staff at University of Pittsburgh Medical Center’s Bedford Memorial Hospital are in trouble after taking photos of a sedated and unconscious man’s genital injury and then sharing them with staff not involved in the patient’s treatment.

According to UPMC: “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff who were discovered to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.

Hand & Upper Extremity Centers

This Thousand Oaks, CA medical practice has reported that its computer systems were hacked with a possible breach of up to 13,000 records. No details are available about the exact methods used, but the hack was carried out by The Dark Overlord (TDO).

TDO admitted the hack and provided a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was issued.

AMA Calls For EHR Changes

The AMA is calling for the implementation of eight priorities for improving EHR usability, asking that the design and configuration of EHR technology be reframed to emphasize the following priorities:

  • Enhance physicians’ ability to provide high-quality patient care
  • Support team-based care
  • Promote care coordination
  • Offer product modularity and reconfigurability
  • Reduce cognitive workload
  • Promote data liquidity
  • Facilitate digital and mobile patient engagement
  • Expedite user input into product design and post-implementation feedback

The AMA said it recognizes that many of the recommendations can only be implemented in the long-term due to vendor product development life-cycles, limitations of current legacy systems and existing contracts, regulations and institutional policies.

“However, there is a great sense of urgency to improve EHRs because every patient encounter and the physician’s ability to provide high-quality care is affected by the current state of usability,” AMA writes in its call for action.


CCleaner Hacked

CCleaner is a popular PC cleanup tool made by the folks at Piriform (recently acquired by Avast, an antivirus vendor). Piriform reports that their download servers were hacked and that a malicious version of their software (version 5.33.6162) was available and downloaded by an estimated 2.5 million people between August 15th and September 12th.

They have since fixed the problem, but you may want to check your version of CCleaner to ensure that you do not have the “bad” version.

If you are a customer of ours, then rest easy. We have already scoured the machines we manage and eliminated or replaced any of the bad versions.

ePHI is everywhere. Protect it!


Rick Boyles
757-333-3299 x200

Are You Protected?

Cyber-liability insurance is a relatively new area of practice for most insurance companies. It is an area that each Practice Administrator should investigate with their insurance carrier.

In today’s times of hacking, ransomware and data leaks, carrying “cyber” liability insurance is a must.

But, you cannot just trot down to the cyber-liability insurance store, plunk down your money and stroll out with cyber.

At some point in the application you are going to be asked if you have performed a recent Security Risk Analysis.

Every medical practice that stores Patient information is required by HIPAA to perform a Security Risk Analysis and to update the Risk Analysis whenever there are major changes in the organization.

So, you should already have one and it should already be current! If not, then you are out of compliance with HIPAA.

If you should choose to overlook this question on the insurance application, you may get insurance, but may find your business being denied when you make a claim! Lately, insurance carriers are auditing the cyber-liability applications looking for statements that are incorrect.

Saying you have done a thorough Security Risk Analysis just to obtain cyber may lead to your claim being denied for making false statements.

How Bad Is It?

According to the folks at Barracuda, over the course of 24 hours beginning August 30, there were 20 million attempts at a ransomware attack through an email attachment.

The warning note comes two days after the hackers behind Locky ransomware launched a massive campaign on August 28, with more than 23 million infected emails sent in a 24-hour period, researchers at AppRiver found.

Barracuda said the newest attack comes from a spoofed email address bearing the attachment name and number in the subject line.

The takeaway here is that you MUST TRAIN your staff to be vigilant, use the Internet and email in a responsible manner, while remaining aware of today’s threats.

Equifax – 143 Million Credit Records Exposed

What were these bozos thinking?

There are 3 “repositories” of credit information in the United States. Those companies are:

  • Trans Union
  • Experian
  • Equifax

If the car dealer or mortgage lender pulls a credit report on you, they get that info from a Credit Bureau, who in turn gets the data from a repository.

So, these three guys are the keepers of all credit info for pretty much everyone in the U.S.

That is a pretty big responsibility.

Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.

Turns out that the CISO (Chief Information Security Officer) did not have any discoverable background in security, but was educated in music.

…a bachelor’s degree in music composition (magna cum laude) and a Master of Fine Arts degree in music composition (summa cum laude), both from the University of Georgia…

It will be interesting to see how this pans out.

In the meantime, since the credit records of 50% of the US population are now on the Internet, you may want to contact each of the repositories and have them put a credit “freeze” on your account. This means that they will not give out any credit info to anyone trying to open a new account. If a crook is trying to open a new account in your name and the merchant cannot pull your credit, then it is doubtful that the crook will succeed.

While a credit freeze will also keep YOU from opening new credit until you contact the repositories, this is a much easier thing to do than to fight for months to clear your name and your credit after someone has misused it.

Medical Identity Theft

One of the other factors with the Equifax data breach is that your information may not be used to open up credit cards or to create other financial obligations.

It might be used to commit Medical Identity Theft.

Let’s say you have a bad hip and a hip replacement will give you a better quality of life and get you back on your feet again. But, you don’t have a good job and you don’t have any health benefits where you work, but, you make too much money for Medicaid.

And, let’s say that you have some sketchy friends and that you are a bit sketchy yourself.

One day, one of your sketchy friends comes to you with some of the Equifax data and helps you create a new identity using the stolen Equifax info. You get a replacement insurance card, a new driver’s license and you march off to the Orthopedic Surgeon posing as your new self.

You managed to con your way through their system and next thing you know you are up and moving with your new hip and no one is the wiser.

A month or so later, the person whose identity you stole gets an Explanation of Benefits (EoB) listing a hip surgery that they never had.

Congratulations, you just stole the price of an orthopedic hip replacement and all it cost you was a few co-pays.

That is Medical Identity Theft.

Security Is Not Just An IT Problem

You can’t just throw Security in the lap of your IT folks and walk away. Security is not just a matter for IT folks. Good Security involves Executives of the organization, it involves the IT people, and it involves the end users as well.

Everyone needs to be rowing the boat in the same direction, at the same time, when it comes to Security.

Executives need to commit the dollars and the support that IT needs to implement and maintain a secure computer environment. IT needs to take that security seriously and to implement and configure the tools that they are given. And our end users need to be trained to understand that they cannot just willy-nilly wander around the Internet hoping that they don’t bring something bad to the network.

Make sure that you support securing your network from potential attackers.

Look at it this way:

If a crook is going to steal a car, he is going to go someplace with a lot of cars, like the Mall.

Now is he going to steal a car with the windows rolled up, doors locked, alarm on and a big German Shepherd drooling all over the inside windows?

Nope. He is going to go steal the car with the windows down, keys in the ignition, no alarm and no dog.

Why? Because crooks are generally lazy and they want to expend the least effort for the highest return.

They go for the easy mark.

Don’t be an easy mark.

If you need some help with this, give us a shout!

Keep your network hardware up to date. Keep your network firmware patched out. Keep your software security patches up to date.

Don’t putz around with security. It could cost you your business.