Breaking Compliance News Blog

Scott Gima

Recent Posts

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 


The first attack shut down computers for three weeks while the center rebuilt its systems from backups; it did not pay the ransom. That approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be restored after a ransom is paid. Second, paying encourages future ransomware attacks, against the payer and against everyone else.

The second attack likewise locked the center out of its medical records.


Topics: HIPAA, data breach, security

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM


The public continues to be bombarded by media coverage and debate over President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this post is to discuss those threats and their relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the Director of National Intelligence, spoke at the Hudson Institute about the current national security threats against the U.S. He equated today’s risk of a cyber-attack to the terrorist threat prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities were identifying alarming activities that suggested that an attack was potentially coming to the United States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet, the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets in the United States. The targets range from U.S. businesses to the federal government (including our military), to state and local governments, to academic and financial institutions and elements of our critical infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. Does that mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported on NotPetya, a 2017 Russia-sponsored cyber-attack against Ukraine designed to disrupt its financial system. The malware presented itself as ransomware but behaved as a wiper: it destroyed data on the computers of banks, energy firms and senior government officials, and the data could not be recovered even by paying. While roughly half of the affected systems were located in Ukraine, the attack spread across the globe and hit systems in Denmark, India and the United States. That other half of the victims were unintended targets.

If government-sponsored cyber-attacks are imminent, NotPetya reminds us that the next one can easily cause collateral damage to unintended victims. Healthcare providers could easily be among that collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, the damage can include costly HIPAA breaches and, more alarmingly, patient harm from the loss of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. OCR recommends the following preventive measures as part of HIPAA compliance:

  • Complete a security management process, including a risk analysis and the implementation of security measures to mitigate or remediate the identified risks
  • Implement policies and procedures to guard against and detect malicious software
  • Train users so staff can help detect and report attacks
  • Implement access controls that limit access to ePHI to only those persons or software programs that require it.


HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit


Topics: HIPAA, data breach, security

Improper Sharing of Medical Files Results in a Criminal Violation of HIPAA

Posted by Scott Gima on 5/15/18 7:00 AM

On April 30, 2018, the U.S. Attorney’s Office for the District of Massachusetts reported the criminal conviction of Rita Luthra, M.D., a Springfield, Massachusetts gynecologist, on one count of violating HIPAA and one count of obstructing a criminal health care investigation. Sentencing has yet to be scheduled. The HIPAA charge stemmed from the allegation that Dr. Luthra allowed a Warner Chilcott pharmaceutical sales representative to access her patients’ medical files.

In October 2015, Warner Chilcott entered into a settlement with the federal government, agreeing to pay $125 million to resolve criminal charges and False Claims Act allegations related to its drug marketing campaign. The company was charged with paying kickbacks to physicians to induce them to prescribe its drugs and with manipulating prior authorizations to get insurers to cover drugs they would not normally cover.

Dr. Luthra was receiving “numerous” denials for a Warner Chilcott osteoporosis medication whenever a prior authorization was not on file. To expedite the prior authorization process, the Warner Chilcott sales representative was given access to Dr. Luthra’s medical records in order to prepare the prior authorizations, which Dr. Luthra would then sign.

Criminal convictions for HIPAA violations do happen occasionally. In addition to OCR fines and penalties, criminal charges and convictions can follow when someone “knowingly” obtains or discloses protected health information in violation of HIPAA. MPA recommends including examples of both civil and criminal HIPAA violations and penalties in your HIPAA training program.



Topics: HIPAA, Kickbacks and Referrals

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was the target of a ransomware attack that took down several of its hosted applications, including its EHR and its patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours."

The outage landed on Allscripts’ customers: one medical group was unable to use Allscripts’ e-prescribing system after the attack, and others could not access their EHR at all.

The shift to cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that sets standards for EHR data protection is a start. But it only gives you the ability to seek legal and financial remedies if the vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data stored on site is the only way to guarantee access when the hosted service is down. A mirror backup provides an exact copy of the data, and current mirroring technology can refresh it as often as every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criterion. A local copy of the EHR application is also needed; without it, the data is useless. Two cautions: a mirror that stays mounted on the network is itself reachable by ransomware, so keep at least one copy offline or otherwise write-protected, and a backup you have never restored from is an assumption rather than a plan, so test the restore on a schedule.
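The check a practitioner would want behind that requirement, added here as an example and not code from the original post or from any EHR vendor: confirm that the on-site mirror is recent, complete, intact and accompanied by a copy of the application that can open it. The mirror, the vendor’s sync listing, the file names and the hashes are all constructed for illustration; a real run would read the mirror directory and whatever listing the vendor writes at each sync.

```python
"""Freshness and integrity check for an on-site mirror of hosted EHR data.

Added example; not code from the original post or from any EHR vendor. The
mirror is modelled as an in-memory dict of path -> bytes and the vendor's
sync listing as path -> sha256, both constructed here.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MAX_LAG = timedelta(minutes=15)   # the replication interval the post describes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_mirror(local: Dict[str, bytes], listing: Dict[str, str],
                 last_sync: datetime, now: datetime,
                 app_paths: Tuple[str, ...],
                 max_lag: timedelta = MAX_LAG) -> Tuple[bool, List[str]]:
    """Return (ok, findings); each finding is a short string naming one problem.

    Three things must hold for the mirror to be usable when the hosted service
    is down: the last sync is recent; every file in the vendor's listing is
    present with the expected hash (a mismatch means a partial copy, or that
    something rewrote the file after the sync, which is what ransomware on the
    mirror host looks like); and a copy of the application is stored beside it.
    """
    findings: List[str] = []
    lag = now - last_sync
    if lag > max_lag:
        findings.append(f"stale: last sync {int(lag.total_seconds() // 60)} min ago, "
                        f"limit {int(max_lag.total_seconds() // 60)} min")
    for path, expected in sorted(listing.items()):
        data = local.get(path)
        if data is None:
            findings.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            findings.append(f"mismatch: {path}")
    for path in app_paths:
        if path not in local:
            findings.append(f"no application copy: {path}")
    return (not findings, findings)


# Constructed sample: what the vendor listed at the last sync, and what the
# mirror actually holds. None of this is real EHR content.
LISTING = {
    "ehr/patients.db": sha256_hex(b"patient table, sync 06:40"),
    "ehr/schedule.db": sha256_hex(b"schedule table, sync 06:40"),
    "ehr/orders.db":   sha256_hex(b"orders table, sync 06:40"),
}
MIRROR = {
    "ehr/patients.db": b"patient table, sync 06:40",        # intact
    "ehr/schedule.db": b"\x00\x00 rewritten after the sync",  # hash will not match
    # ehr/orders.db was never copied
    "app/ehr-client-setup.exe": b"MZ installer bytes",      # local copy of the application
}
APP_PATHS = ("app/ehr-client-setup.exe",)


def demo(minutes_since_sync: int = 22,
         mirror: Dict[str, bytes] = MIRROR) -> Tuple[bool, List[str]]:
    """Run the check against a fixed clock so the result is reproducible."""
    now = datetime(2018, 2, 28, 7, 2, tzinfo=timezone.utc)
    last_sync = now - timedelta(minutes=minutes_since_sync)
    return check_mirror(mirror, LISTING, last_sync, now, APP_PATHS)


if __name__ == "__main__":
    ok, findings = demo()
    print("mirror OK" if ok else "\n".join(findings))
```

Run on the constructed data the check reports a stale mirror, a file that was never copied and a file whose contents no longer match the listing. Because a hash mismatch on a file the vendor listed as synced is the signature of a partial copy or of something rewriting the mirror, this belongs on a schedule, not only at vendor selection time.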


Topics: HIPAA, records, data breach

U.S. vs Epic Software – Lessons for EMR Users

Posted by Scott Gima on 11/14/17 7:00 AM

A whistleblower False Claims Act case against Epic Systems Corp. (ESC or Epic) was made public on November 2, 2017. The complaint, originally filed in January 2015, alleges that Epic’s billing software caused Medicare to be overbilled for anesthesia services.

Since January 1, 2012, base units for anesthesia should not be billed to Medicare; only the physician’s time is submitted by the provider. The lawsuit alleges that Epic’s billing software has a default setting that charges both 1) base units for the anesthesia provided during a procedure and 2) the time of the procedure. As a result, payors are overbilled.

The whistleblower filed a lawsuit after attempts to get Epic to change the software were met with resistance.

Why Are the Hospitals Being Sued?

The breadth of this False Claims complaint is immense. In addition to Epic Systems, the defendants include more than 280 of its customers. The complaint states: “it is probable that most of ESC’s software customers (ie, the other listed Defendants) are using ESC’s Epic billing software as written.” Those customers may have been submitting “false claims” by not recognizing and correcting the billing errors caused by the flawed software. The case sends a clear message that providers are accountable and liable for overbilling errors caused by their billing software.


Topics: HIPAA

Prevent “Worthless Services” With a QAPI Checklist

Posted by Scott Gima on 11/7/17 7:02 AM

In October, Health Services Management, Inc., the parent company of Huntsville Health Care Center, agreed to pay the U.S. government $5 million to resolve a whistleblower lawsuit that included allegations that the company billed Medicare and Medicaid for “worthless services” and for services that were never provided. The settlement includes an agreement to enter into a Corporate Integrity Agreement with the OIG. The whistleblower was an employee of the facility who claimed she witnessed physical and verbal abuse and neglect of patients, inadequate care, and the absence of basic services, including food and water.

The common response to this settlement is “This can’t happen in our building!!!” But how is it prevented? With a strong QAPI program.


Topics: Quality Assurance

Outdoor Engine Power Equipment Company Reports HIPAA Breach – Could this happen to you?

Posted by Scott Gima on 11/1/17 7:03 AM

Briggs and Stratton is not a healthcare provider; it makes gasoline engines for lawn and outdoor power equipment. Yet on September 29, 2017, the company notified OCR of a breach of unsecured protected health information (PHI). According to the OCR Breach Portal, the breach affected 12,789 individuals and resulted from a hacking/IT incident involving desktop computers, laptops and network server(s).


Briggs and Stratton is not a health care provider or a business associate under HIPAA. But it sponsors an employer-sponsored health plan, and that group health plan is a HIPAA covered entity, which brings the PHI the employer handles on the plan’s behalf under HIPAA. This is a reminder that any employer that provides health insurance may need to be HIPAA compliant if PHI is shared with the employer. That includes employers who are self-insured or who provide health insurance through a group health plan. Simply put, an employer that handles PHI may be acting for a covered entity and needs to be in full compliance with HIPAA’s privacy, security and breach notification requirements.


Topics: HIPAA

Equifax Breach Debacle Continues to Unfold

Posted by Scott Gima on 10/3/17 12:55 PM

Equifax Chief Executive Richard F. Smith announced his retirement this week. The Equifax board has said that it could retroactively classify Smith’s retirement as a firing, jeopardizing his compensation.

Here’s what happened

The scope of the massive Equifax breach, which directly affected 143 million people, is incredible. Equifax publicly reported the breach on September 7, stating it was discovered on July 29. It is believed that the breach started in mid-May and continued until its discovery in late July. My initial reaction was that this must have been a sophisticated cyberattack. How else could an organization such as Equifax, which handles millions of data-rich records, allow this to happen? A company that large should have unlimited resources to have the most sophisticated high-tech strategies to secure its data. After all, is any data more high-risk or in higher demand than credit reports and social security numbers? And if Equifax cannot prevent a breach, what does that mean for the small companies or healthcare providers who have very limited budgets and are frequently required to outsource their IT security?

According to the Wall Street Journal, the breach was caused by an unpatched flaw in Apache Struts, the web application framework behind the site Equifax customers use to dispute credit report errors. The flaw was first reported by Cisco security researchers on March 8. Apache released a patch the same day, and the U.S. Computer Emergency Readiness Team (US-CERT) released a vulnerability bulletin on March 8 as well. In other words, a fix and a public warning existed roughly two months before the intrusion began.

Wired magazine reported: “it would have been simple for an attacker to exploit the flaw and get into the system.” Wired also wrote:

        "This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly," says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. "The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred."

Lessons for your organization

The investigation continues, but if unpatched software is confirmed as the cause, this breach is a strong reminder to everyone, small providers included, that reducing the odds of a breach starts with a simple discipline: install operating system and application updates promptly, and treat a publicly disclosed flaw that is being actively exploited as an emergency rather than a routine update. Make sure a policy and procedure addresses this, including who is responsible, how quickly fixes must be applied, and how you learn that a fix exists. The policy should include receiving alerts from US-CERT; if that is not already part of your policy, subscribe, and make sure your Security Officer, Privacy Officer, Compliance Officer and IT Support are all subscribers.

Keep in mind that software patching is only one element of a data security management plan. There are many other risk areas. HIPAA security readiness is not just an IT responsibility; it requires attention from management as well as IT. The first step in developing a security management plan is to complete or update your Security Risk Analysis.



Topics: HIPAA

When Healthcare Hacking Means Life and Death

Posted by Scott Gima on 9/18/17 10:00 AM


On August 28, 2017, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a medical advisory regarding Abbott Laboratories (formerly St. Jude Medical) pacemakers manufactured before August 28, 2017. The affected pacemakers, which include the Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI families, require a firmware update to address the vulnerabilities.

ICS-CERT stated: “Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.” Fortunately, the attacker must be physically close to the patient, within radio range of the device, to exploit the flaws. Unfortunately, a successful exploit could kill the patient. Patients with one of the affected devices should ask their physician whether their device needs the firmware update; the update is applied during an office visit, not remotely.

Healthcare security research company MedSec, which played a role in exposing the risk in Abbott’s pacemakers, adds: “For years this company has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security.”

The scope of cyber vulnerabilities facing the healthcare industry is growing in alarming ways. Providers should maintain an inventory of all medical devices, record the software and firmware version of each, and apply updates as prescribed by the vendor or manufacturer. Review your contracts to include language that requires timely notification of software and firmware updates.



Topics: HIPAA

HIPAA Security Alert: BlueBorne - Bluetooth Vulnerability

Posted by Scott Gima on 9/13/17 4:19 PM

Armis Labs, an Internet of Things (IoT) security company, has publicly disclosed a set of Bluetooth vulnerabilities it calls “BlueBorne.” Exploited together, they can give an attacker complete control of a Bluetooth-enabled device, and they do not require the device to be paired with the attacker or even set to discoverable mode; Bluetooth simply has to be on. The flaws affect Bluetooth stacks across smartphones, laptops, smart watches and TVs. Google, Microsoft and the major Linux distributions are releasing patches. Apple devices have been protected since the roll-out of iOS 10 in September 2016. According to Armis, approximately 2 billion Android and Linux devices cannot be patched.

Bluetooth has been plagued with security issues since its creation in 1994, and this latest set of flaws is further proof of the risk it carries. Remember that exploiting this, or any, Bluetooth vulnerability requires the attacker to be within radio range of the device; how far that reaches depends on the device’s Bluetooth class and on whether it is indoors or outdoors, but it is measured in meters, not in hops across the Internet.

What you can do

When conducting a HIPAA security risk analysis, make sure the asset inventory includes every Bluetooth-capable device, including medical devices and any staff phones or laptops that touch ePHI. Patch every device for which a fix exists; for those that cannot be patched, the best defense is to turn Bluetooth off.
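The patch-or-disable rule here, the version-tracked device inventory the pacemaker post calls for, and the patching policy in the Equifax post all reduce to one question asked of every asset: is the installed version at or above the version that fixes the advisory, and if not, can it be patched or must a compensating control stand in? The following script, added as an example and not code from the original posts or from any vendor, answers that over a constructed inventory; the asset names, versions and fixed versions are hypothetical.

```python
"""Patch-status review of an asset inventory.

Added example (not code from the original posts or from any vendor). Asset
names, versions and fixed versions below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    installed: str                  # version currently running
    fixed: Optional[str]            # first version that fixes the advisory; None if no fix exists
    patchable: bool = True          # False when the owner cannot apply updates (end-of-life, vendor-locked)
    fallback: str = "isolate from the network"   # compensating control when patching is impossible


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.32', 'v10.0.15063' or '1.1.0-beta2' into a comparable tuple.

    Only the dotted numeric head is used: a pre-release suffix after '-' is
    ignored and trailing zeros are dropped so that '1.1' == '1.1.0'. Comparing
    the raw strings instead would rank '10.0' below '9.0'.
    """
    head = text.strip().lstrip("vV").split("-", 1)[0]
    nums = [int(n) for n in re.findall(r"\d+", head)]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def assess(asset: Asset) -> str:
    """Return the action a patch-management policy calls for on this asset."""
    if asset.fixed is None:
        return f"no fix available: {asset.fallback}"
    if parse_version(asset.installed) >= parse_version(asset.fixed):
        return "ok"
    if asset.patchable:
        return f"patch to {asset.fixed}"
    return f"cannot patch: {asset.fallback}"


def review(inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Assess every asset, listing those that need action before those that are fine."""
    results = [(a.name, assess(a)) for a in inventory]
    return sorted(results, key=lambda r: r[1] == "ok")


# Constructed inventory; every name and version here is hypothetical.
SAMPLE_INVENTORY = [
    Asset("dispute portal web framework", "2.3.31", "2.3.32"),
    Asset("clinic laptop OS", "10.0.15063", "10.0.15063"),
    Asset("implanted pacemaker firmware", "1.0.2", "1.1",
          fallback="schedule an office visit; no remote update"),
    Asset("reception tablet (vendor end-of-life)", "5.1.1", None,
          fallback="turn Bluetooth off"),
    Asset("infusion pump controller", "3.4", "3.5", patchable=False,
          fallback="place on an isolated VLAN"),
]


if __name__ == "__main__":
    for name, action in review(SAMPLE_INVENTORY):
        print(f"{name:40s} {action}")
```

Each advisory you receive from a vendor or US-CERT becomes one `fixed` value in the inventory; re-running the review then tells you what to patch, what to isolate and what to switch off, and the `ok` rows are your evidence that the policy was followed.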




Topics: HIPAA
