Breaking Compliance News Blog

Scott Gima


When Healthcare Hacking Means Life and Death

Posted by Scott Gima on 9/18/17 10:00 AM


On August 28, 2017, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a safety notice regarding Abbott Laboratories (formerly St. Jude Medical) pacemakers manufactured before August 28, 2017. The affected pacemakers, which include the Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI models, require a firmware update to address the vulnerabilities.

ICS-CERT stated: “Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.” Fortunately, a hacker must be within inches of the device/patient in order to exploit the firmware vulnerability. Unfortunately, if the vulnerability is exploited, a patient could die. Patients with one of the affected devices should visit their physician and ask whether their device needs a firmware update.

Healthcare security research company MedSec, who played a role in exposing the risk of Abbott’s pacemakers, adds: “For years this company has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security.”

The scope of cyber vulnerabilities facing the healthcare industry is increasing in fearsome ways. Providers should maintain an inventory of all medical devices and update software or firmware as prescribed by the vendor or manufacturer. Review your contracts to include language that requires timely provider notification of software and firmware updates.


Topics: HIPAA

HIPAA Security Alert: BlueBorne - Bluetooth Vulnerability

Posted by Scott Gima on 9/13/17 4:19 PM

Armis Labs, an Internet of Things (IoT) security company, has publicly revealed a new Bluetooth vulnerability called “BlueBorne.” This vulnerability allows hackers to take complete control of Bluetooth-enabled devices. It affects all devices with Bluetooth capabilities, including smartphones, laptops, smart watches, and TVs. Google, Microsoft and Linux will be releasing patches. Apple devices have been patched since the rollout of iOS 10 in September 2016. According to Armis, there are approximately 2 billion Android and Linux devices that cannot be patched.

Since its inception in 1982, Bluetooth has been plagued with security issues, and this latest flaw is further proof of the security risks of Bluetooth. Remember that exploiting this, or any other Bluetooth vulnerability, requires proximity to the device; the required range depends on whether the device is indoors or outdoors.

What you can do

When conducting a HIPAA security risk analysis, make sure an inventory of Bluetooth-capable devices is covered. Patch all devices, and where patching is not possible, the best defense is to turn off Bluetooth.


Topics: HIPAA

HIPAA News: NIST Wants Simpler Password Rules

Posted by Scott Gima on 8/29/17 7:00 AM

The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce that recommends security controls for federal agency information systems. These standards are also frequently used as security best practices in the private sector.


Topics: HIPAA

Bupa Global Breach Due to Employee Theft

Posted by Scott Gima on 8/8/17 7:00 AM

The international health insurance division of Bupa Global recently disclosed a data breach that affected approximately 547,000 customers of its international health insurance plans. According to Bupa, names, birth dates, nationalities and some contact information were compromised, but no financial data or medical information was breached. The culprit was an employee who copied and removed customer information.


Topics: HIPAA

HIPAA Security Alert: Hidden Cobra

Posted by Scott Gima on 6/20/17 2:00 PM

On June 15th, the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) issued an unprecedented warning regarding North Korean cybercriminal activity and its tactic of exploiting Microsoft operating system vulnerabilities. This HHS memo follows a joint DHS (Department of Homeland Security) and FBI alert issued on June 13th warning that a North Korean hacker group called "Hidden Cobra" has launched attacks against global institutions, including media organizations, the aerospace and financial industries and critical infrastructure. HCCIC issued the separate HHS warning because healthcare organizations and medical devices are cybercriminal targets.


Topics: HIPAA

Misdirected Fax Leads to $387,200 HIPAA Settlement

Posted by Scott Gima on 5/31/17 7:00 AM

On September 12, 2014, the OCR received a complaint alleging that the Spencer Cox Center disclosed sensitive PHI, including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse. St. Luke’s-Roosevelt Hospital Center Inc., which operates the Spencer Cox Center, entered into a resolution agreement and corrective action plan with the OCR for possible HIPAA violations and has paid a $387,200 fine.

A Simple Mistake?

The OCR investigation found that St. Luke’s disclosed PHI of two patients by faxing PHI to the employer of one patient and faxing PHI to an office where the second patient volunteered. The OCR stated that St. Luke’s failed to reasonably safeguard the patients’ PHI from “intentional or unintentional disclosure.”

The OCR’s resolution agreement requires St. Luke’s to:

  • Review and if necessary, revise, its policies and procedures concerning the uses and disclosures of PHI including mailing, faxing or other electronic PHI transmission.
  • Distribute the policies and procedures to new hires and current employees, and obtain a signed compliance certification from each workforce member.
  • Assess, update and revise the policies and procedures at least annually.
  • Review and revise training programs pertaining to the safeguarding of PHI.
  • Train new and existing employees on PHI safeguards.
  • Review training at least annually and when there are updates needed to address changes in Federal law or HHS guidance, or any issues discovered during internal audits or reviews.
  • Block PHI access for any employee who has not certified receipt of the PHI safeguarding policies and procedures.

This Has Happened Before

In 2010, a St. Louis man filed a lawsuit alleging that Quest wrongfully disclosed his HIV status when it faxed his lab results to his employer. The patient’s doctor wrote the patient’s work fax number on a lab order so that office staff could fax the order to the patient at work. The patient took the order to Quest, which ran the labs and faxed the results to the patient’s workplace. Quest mistakenly believed the fax number was written on the order so that Quest would fax the results to the patient’s employer. Six months after the fax was received, the patient was terminated.

The doctor argued that the lab results did not reveal the patient’s HIV status. And, the employer claimed it already knew the patient was HIV positive, and terminated his employment for financial reasons.

Still, Quest had to pay to defend this lawsuit. It is easy to imagine the dire consequences when a fax is misdirected, especially when that fax contains sensitive information.

Could This Happen To You?

The OCR resolution agreement provides a roadmap for all providers to address similar issues. This settlement is one example of how a mistake can lead to a hefty HIPAA fine. Use your HIPAA Security Risk Analysis process, plus HIPAA Walk-Through audits, to identify areas where your employees could be making inadvertent or sloppy mistakes that could jeopardize patient confidentiality.


Topics: Penalties and Enforcement, HIPAA

Fake Nurses: A Compliance Nightmare

Posted by Scott Gima on 5/24/17 6:45 AM

On April 18, 2017, a woman was arrested in St. Louis, MO and is facing federal charges of health care fraud and identity theft after working as an agency nurse in the intensive care unit and geriatric psych unit at a local hospital for three months. The woman is accused of working as a nurse despite lacking a nursing license or degree in any state.

The Red Flags

In March 2017, this individual applied for a job with a nurse staffing company in Chicago. As reported in the St. Louis Post-Dispatch, the co-owner of the firm found the following problems with her employment application:

  • She failed a basic ICU skills test
  • She reported a New Mexico nursing license, but her social security number did not match any nursing license in New Mexico
  • The copy of her nursing license looked like it was copied and pasted with incorrect numbers and formatting as well as crooked text

Separate criminal charges have also been filed against the woman in New Mexico, where the authorities claim she was hired as a nursing instructor at the Brown Mackie College School of Nursing in 2015 – despite not having a nursing degree or license.

Don’t Let This Happen to You

How does an individual who is not a licensed nurse get hired as 1) a hospital ICU nurse and 2) a school of nursing instructor? This fraud was easily detected by the Chicago staffing company, which tried to verify her credentials with the state.

License verification is a necessary procedure for all new hires. This requires independent verification with the state – never rely on documentation provided by applicants or staff. Verification should also occur on a monthly basis. Many state license boards publish monthly lists of professionals whose licenses have been disciplined, suspended or revoked. Someone in the HR or Compliance department should be reviewing this list to see if any staff or contractors are listed. HR and Compliance should also collaborate to audit these procedures periodically to make sure these simple steps are being completed.

Staffing agencies should also be thoroughly addressed. If your company uses temporary or agency staff, be confident that the agency or agencies are properly vetting the individuals they send to work in your organization. You are billing Medicare and Medicaid for their work, and exposing your patients to these individuals, after all. The agency’s duty to screen its staff can be addressed by contract. The provider can – and should – also audit the agency to verify that screening occurs. Finally, it is wise for providers to conduct their own screening of agency or temporary staff whenever feasible.


Topics: Compliance Basics, Excluded Providers

WannaCry? Ransomware Attacks on the Rise!

Posted by Scott Gima on 5/17/17 5:07 PM

An exclusive interview with Montez Fitzpatrick, Director of Information Security and Compliance for Keystone Technologies.

Over the weekend, the WannaCry ransomware attack was widely reported in the media to have affected more than 200,000 computers in over 150 countries. Despite the breadth of the attack, only $50,000 in bitcoin payments had been made as of Monday morning (5/15/2017). Infected organizations were being asked to pay $300 to decrypt their files, rising to $600 after 72 hours.

Ransomware attacks have been on the rise. According to a U.S. government interagency report released in 2016, there have been 4,000 ransomware attacks per day since early 2016, a 300% increase over the 2015 rate of 1,000 reported attacks per day.

For answers and tips to prevent a WannaCry attack, MPA interviewed Montez Fitzpatrick, the Director of Information Security and Compliance for Keystone Technologies.

WannaCry has been described as ransomware. What is ransomware?

Simply put, ransomware is a malicious application or program. Once ransomware infects the victim's computer, the overarching goal is removing access to files. Those files tend to be documents, pictures, videos and other commonly used file types.

How does a computer or network get “infected?”

Good question. As of right now it is always a computer that becomes infected. We have not seen widespread infections which target network devices. The industry term for how a computer gets infected is called a 'vector.' The most common vector is still through an unsolicited e-mail message.

Sending out these e-mails with the hope that an individual will click and execute the malicious application is called 'phishing.' Each iteration of phishing attempts is called a 'campaign.' Large campaigns tend to be covered in news-media hype cycles, which make it seem that ransomware comes in waves. That is false; ransomware campaigns never stop.

Why is this attack so widespread?

WannaCry variants have some specific worm components, which are very sophisticated, that exploit weaknesses in older protocols on Windows computers. A portion of those sophisticated components were likely part of the National Security Agency's Tailored Access Operations division. Somehow the NSA lost control of the source code which makes WannaCry variants possible. The hackers who stole the source code published it online.

What are the basic steps that should be taken to reduce exposure to the WannaCry attack?

Microsoft issued a patch for supported operating systems back in March. In a somewhat unprecedented move, they issued a patch for Windows XP, Windows 8 and Windows Server 2003 last Friday. It is unprecedented as those operating systems are no longer officially supported.

What can be done to reduce exposure to future ransomware attacks?

It is not so simple. But healthy doses of security awareness, least privilege practices and good backup strategies go a long way. Each person should create their own "personal mental baseline." Be wary of e-mails and attachments from unknown sources. If someone you know sends you an e-mail which is uncharacteristic or atypical of the types of messages this person is known to send, reach out to that person via another channel, such as by phone, to verify the authenticity of that e-mail.


In 2016, the OCR published a Fact Sheet to assist covered entities and business associates in preventing and responding to ransomware attacks.

How to Protect Your Networks from Ransomware

Ransomware – What It Is and What to Do About It

Montez's blog


Topics: HIPAA

HIPAA lessons from banking cybercrime

Posted by Scott Gima on 5/9/17 6:15 AM

In an $81 million scheme, hackers took advantage of customer-level security gaps at banks that use the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. SWIFT provides a secure interbank messaging network for sending and receiving payment orders. SWIFT is used by over 11,000 financial institutions in more than 200 countries.

Hackers are sophisticated

Using this messaging system, thieves used malware to hack into the Bangladesh Central Bank and send 70 fake money transfer requests to the New York Fed. Keylogger software, which captures everything a person types into a computer, was used to steal the Bangladesh Central Bank’s SWIFT identification codes. It is believed that the hackers were gathering keystroke information for weeks before striking on February 5, 2016. It has been speculated that dozens of computers at the central bank may have been breached. The fake messages requested $1 billion in transfers. The New York Fed blocked most of the transfers, but $81 million was transferred to bank accounts in the Philippines.

Despite high levels of security at its operations centers around the world, the Wall Street Journal reports that SWIFT did not require strict security procedures of its customers, the banks. For example, the Bangladesh Central Bank did not change its SWIFT passwords between late 2015 and early February 2016, the period when it was hacked. The bank was also not using two-factor account authorization. In addition to an ID and password, two-factor authorization adds a second level, such as the requirement to enter a randomly generated PIN that is sent to your smartphone after you enter your ID and password. In response to the incident, SWIFT now requires 16 mandatory standards, including two-factor authentication.

Healthcare institutions are more vulnerable than banks

Health care records are up to 50 times more valuable than banking records. And yet the health care industry spends far less than the banking industry on security: the banking industry spends 12-15% of its IT budget on security; the federal government spends 16%; and healthcare providers spend only 6%. This means that a breach like the one we saw with SWIFT is more likely to occur in the health care setting, compromising patient information.

Don’t be a sitting duck

Fortunately, there is something providers can do about this. For starters, two-factor authorization significantly increases user-level security. When conducting a risk assessment, this option should be reviewed as a security control. Also, the Office for Civil Rights (OCR) issued Guidance on Ransomware Attacks and HIPAA Breaches. This eight-page memo helps covered entities and business associates prevent, respond to and recover from malware attacks. The OCR recommends:

  • Conducting complete security risk analysis identifying threats and vulnerabilities to ePHI
  • Implementing a risk management plan that mitigates the identified risks including malware attacks
  • Training employees and users about malware attacks, including prevention, detection and reporting

Read the ransomware guidance here.

Source: Burne, K. and Sidel, R. (2017, April 30). Hackers Ran Through Holes in Swift’s Network. The Wall Street Journal, p. A1. Retrieved from


Topics: HIPAA
