Breaking Compliance News Blog

Scott Gima

Recent Posts

Compliance Lessons from the Phillies: Own Your Mistakes and We’ve Got Your Back

Posted by Scott Gima on 5/17/22 8:45 AM

Alec Bohm, a third overall pick in the 2018 draft, is playing his third season with the Phillies. On April 11, against the Mets, Bohm was playing third base and committed three throwing errors early in the game. In the second inning, the Philadelphia fans mockingly cheered Bohm after a clean fielding play for an out. While walking back to third base, the TV broadcast captures Bohm telling shortstop Didi Gregorius, “I ****ing hate this place.”

Wow. Was he talking about the fans, the city, the situation right then and there? This is one of those “fork in the road” events that could turn a young player with a promising career into an exiled player. Just give social media the chance. The Phillies came back from a 4-run deficit to win the game with five runs in the 8th, which ironically started off with a walk to Bohm. But the comeback was clearly not the story of the game. In the clubhouse after the game, the reporters gathered around Bohm to hear what he had to say. Keep in mind that the video of what Alec Bohm said to his shortstop was not 100% clear. This is what he had to say:

Read More

Topics: compliance

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.

Read More

Topics: HIPAA, security

What the Russia-Ukraine Conflict Means for Your Cybersecurity

Posted by Scott Gima on 3/22/22 8:15 AM

 

I recently had a conversation with Scott Wolff, President and owner of LanServ, a St. Louis IT and managed service provider. Scott was a recent guest expert for a MPA webinar that discussed HIPAA Security Risk Assessment and cybersecurity.

I asked Scott if there has been an increase in cyber threat activity as a result of the Russian invasion of Ukraine. Surprisingly, Scott has so far found a significant decrease in hacker activity with his clients. Maybe all the hackers are focused on Russia and Ukraine, but regardless of the reason, it is very easy for organizations to let their guard down.

Coincidently, the same thing was discussed earlier this week with some members of Congress who received a briefing on the elevated Russia cyber threat to the US. Former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs led the briefing which was closed to the public. The Washington Post was able to speak to Krebs after the briefing. He is worried about complacency. He told the Post “We have been talking with some alarm for weeks, if not months, about the potential Russian threat and fatigue is real and the desensitization to ongoing activities that are happening elsewhere is real.”

Krebs also stated: “the Russian cyberthreat as especially elevated now because Putin has already demonstrated he’s willing to cross Western red lines by invading Ukraine.”

I agree with Krebs. Just because cyberattacks have not yet occurred against the United States, organizational efforts to improve cybersecurity should continue and be responsive to new threats. This is especially true for critical infrastructure entities including health care providers.

I asked Scott Wolff, President/Director of IT Operations for LanServ, Inc., for his take on the situation:

The current reduction in cyber security events started a few weeks ago, and appears to coincide with the Russian invasion of Ukraine.  To many of us this may provide a much needed break from responding to the high volume increase in cyber security events over the last few years, and thus take the time to kick back and breathe a little bit. 

However, I am approaching this temporary reduction in events as a “quiet before the storm scenario.”  Currently, I am spending even more time than normal implementing additional security measures, as well as learning from the Russian cyber-attacks against Ukraine to build future cyber defenses should these same cyber-attacks be used against us.  There is no better time than now to assess your overall network system security, and user password hygiene before the storm potentially heads back this way.

What you can do

Discuss cyber threats with your IT team or managed service provider. The Cybersecurity and Infrastructure Security Agency (CISA) provides security updates and free resources. With a high threat level, now is the perfect time to update your HIPAA Security Risk Analysis.

Need more HIPAA help? MPA can help with t he HIPAA Security Risk Analysis.

Read More

Topics: HIPAA, security, compliance

Healthcare Provider Ransomware Risk is Elevated – What Do We Do???

Posted by Scott Gima on 11/5/20 10:00 AM

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

Read More

Topics: HIPAA, data breach, security, compliance

Protect your organization from skyrocketing COVID cyber scams

Posted by Scott Gima on 4/30/20 11:00 AM

Google’s Threat Analysis Group (TAG) is responsible for identifying online vulnerabilities and threats. The Group released a report on April 22, 2020 that describes their latest information on COVID-19 related threats. This report provides a timely reminder that cybersecurity concerns continue and everyone must remain cautious and vigilant with their email accounts.

COVID-19 Themed Attacks

In April, Google has detected 18 million COVID-19 related malware and phishing Gmail messages per day and more than 240 million COVID-related daily spam messages. If you use Gmail, 99.9% of these messages never reach your inbox. The TAG has found that these attacks are government sponsored. They have identified over a dozen government-backed attacker groups using COVID-19 related topics.

Type of Attacks

The attack tools are no different from what has been used in the past; phishing emails that lure you to click malicious links or download files that contain malware. Google provided the following examples:

Free meals and coupons in response to COVID-19.

Links to malicious websites disguised as online ordering and delivery options, where the recipient is asked to provide their Google account credentials.

Emails that impersonate the World Health Organization:


Emails luring users who may be working from home:


Stimulus package theme:



Best Practices Reminder

These types of attacks are not limited to Gmail and everyone must be vigilant with all email accounts, work and personal. For all your accounts, users should:

  • Never download file attachments - or, verify an email attachment with the recipient by voice or text before downloading – this is an old-fashioned version of two-factor authentication.
  • Don’t click on an email link. An alternative safe option is to go directly to the web-page or google the target described in the link. For example, if it is an email from your bank that could be legitimate, open a new browser page and type in the website or search for the website.
  • If possible, use or activate two-factor authentication.

MPA can help with your HIPAA Security Risk Analysis - contact me today to learn more.

Read More

Topics: HIPAA, security, COVID-19

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM

 

Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, The OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people; the largest health data breach in history. So what is the big deal? Or more importantly, what are the lessons to be learned from this breach? There are several.

Read More

Topics: HIPAA, Social Media

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 

 

The first attack shut down computers for three weeks while the center rebuilt its systems from backups, and did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.

Read More

Topics: HIPAA, data breach, security

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM

 

The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities               were identifying alarming activities that suggested that an attack was potentially coming to the United                 States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet,         the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning             lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are                     penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets       in the United States. The targets range from U.S. businesses to the federal government (including our               military), to state and local governments, to academic and financial institutions and elements of our critical         infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine       our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.

If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:

  • Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
  • Implementing policies and procedures to guard against and detect malicious software
  • User training so staff can assist in detecting and report attacks
  • Implementing access controls to limit access to ePHI to only persons or software programs requiring access.

 

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: HIPAA, data breach, security

Improper Sharing of Medical Files Results in a Criminal Violation of HIPAA

Posted by Scott Gima on 5/15/18 7:00 AM

On April 30, 2018, the U.S. Attorney’s Office in the District of Massachusetts reported the criminal conviction of Rita Luthra, M.D., a Springfield, Massachusetts gynecologist for one count of violation of the HIPAA Act and one count of obstruction of a criminal health care investigation. Sentencing has yet to be scheduled. The HIPAA criminal charges stemmed from the allegation that Dr. Luthra allowed a Warner Chilcott pharmaceutical sales representative to access her patients’ medical files.

October of 2015, Warner Chilcott entered a false claims settlement with the federal government.  Warner Chilcott agreed to pay $125 million to resolve its criminal and False Claims Act allegations related to the company’s drug marketing campaign. Warner Chilcott was charged with paying kickbacks to physicians to induce them to prescribe its drugs, and manipulating prior authorizations to get insurers to cover the drugs they would not normally cover.

Dr. Luthra was receiving “numerous” denials for a Warner Chilcott osteoporosis medication unless there was a prior authorization. To expedite the prior authorization process, the Warner Chilcott sales representative was given access to Dr. Luthra’s medical records in order to prepare the prior authorizations that would then be signed by Dr. Luthra.

Criminal convictions as a result of a HIPAA violation do happen occasionally. In addition to OCR fines and penalties, criminal charges and convictions can occur when covered entities “knowingly” obtain or disclose protected health information in violation of HIPAA. MPA recommends including examples of both civil and criminal HIPAA violations and penalties in your HIPAA training program.

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: HIPAA, Kickbacks and Referrals

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was a target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours."

For example, a medical group was unable to use Allscripts’ e-prescribing system after the ransomware attack. Others could not access their EHR.

The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data that is saved to an on-site computer is the only way to ensure access. A mirror backup provides an exact copy of the data. The technology allows updates to the mirror backup every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criteria. A local copy of the EHR application is also needed. Without it, the data is useless.

Read More

Topics: HIPAA, records, data breach

    Privacy Policy           Terms of Use