Breaking Compliance News Blog

Scott Gima

Recent Posts

Lessons from a Federal Government Email Phishing Scam

Posted by Scott Gima on 2/28/23 9:00 AM

Everyone knows email phishing scams are common. A CISA advisory provides details of a new email phishing scam that uses remote management software to steal money.
 
According to a recent Cybersecurity and Infrastructure Security Agency (CISA) joint advisory, the attacks were directed at federal civilian employees. But it is noteworthy because similar strategies can be used to target anyone, including healthcare providers.

On January 25, 2023, the Cybersecurity and Infrastructure Security Agency released a National Cyber Awareness System Alert, “Protecting Against Malicious Use of Remote Monitoring and Management Software,” jointly with the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
 
Why the Alert?

  • The attackers recently used phishing emails to gain access to a victim’s computer using legitimate remote monitoring and management (RMM) software in financial schemes.
  • The same tactics can be used for other purposes such as cybersecurity attacks or network backdoor access to conduct cyber espionage.
  • Attackers use legitimate remote management software that cannot be detected by normal security measures that prevent unauthorized software installation.

What is portable executable RMM software?

  • RMM software is commonly used by IT departments and managed service providers to provide remote technical support and troubleshooting.
  • Every managed service provider and IT department uses RMM software.

Background of Attacks

  • In mid-June 2022, a federal civilian employee received a phishing email containing a phone number.
  • The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online. CISA found additional similar attacks on multiple federal civilian department networks.
  • Attacks also used emails with a malicious link that downloaded the RMM software.
  • The CISA alert mentioned that legitimate RMM software vendors AnyDesk and ScreenConnect were identified in these attacks. CISA indicated that any legitimate RMM software can be used in these types of attacks.
 
The CISA alert provided a copy of an actual phishing email. It includes urgency (response needed within 24 hours), a common theme of phishing emails:

Topics: HIPAA, data breach, security

Fake Nursing Degree Scam Involving Three Florida Nursing Schools

Posted by Scott Gima on 2/21/23 9:15 AM

The scheme

  • 25 people were charged with wire fraud – administrators and employees of three Florida nursing schools as well as recruiters.
  • The recruiters sought out individuals that were willing to pay $10,000 to $15,000 for fake nursing school documents that allowed them to take national nursing licensure examinations.
  • A total of 7,600 fake nursing diplomas and transcripts (completion of required courses and clinicals) were provided to individuals from all over the US. The buyers wanted to take licensing exams to become registered nurses, licensed practical nurses, or licensed vocational nurses.
  • The three now-closed nursing schools that issued the fake documents were Siena College, Sacred Heart International Institute, and Palm Beach School of Nursing.
  • None of the individuals that bought the fake documents have been charged (yet).

Why is this Important?

  • In a NY Times article, the special agent in charge for the Miami region of the Office of Inspector General said approximately 2,800 buyers passed the licensure exam.
  • A large percentage of the 2,800 that passed are working.
  • The NY Times article stated that providers that hired these nurses “included Veterans Affairs hospitals in Maryland and New York, a hospital in Georgia, a skilled nursing facility in Ohio, a rehabilitation center in New York and an assisted-living facility in New Jersey.”

What to do?


Topics: HIPAA, data breach, security

OCR Announces Settlement for Banner Health’s 2016 Data Breach

Posted by Scott Gima on 2/15/23 10:52 AM

The OCR notes serious concerns with Banner Health’s pervasive noncompliance with the HIPAA Security Rule

Banner Health

  • OCR’s investigation of Banner’s data breach in 2016 found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.
  • Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states.

Findings

  • No analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization
  • Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack
  • Failure to implement an authentication process to safeguard its ePHI
  • Failure to have security measures in place to protect ePHI from unauthorized access when transmitted electronically

The Attack

  • Banner Health discovered unauthorized access to process payment card data at some Banner Health food and beverage locations during a two-week period in June and July 2016.
  • The attackers targeted payment card data, including cardholder name, card number, expiration date, and internal verification code, as the data was being routed through affected payment processing systems.
  • Banner Health learned that attackers accessed patient information, health plan member and beneficiary information, and physician and other healthcare provider information.
  • The attack hit 27 locations and 3.7 million individuals.

Why is this Important?

  • The OCR indicated that hacking is the largest threat to ePHI, with 74% of 2021 reported breaches involving hacking/IT incidents.
  • This settlement and corrective action plan remind us that healthcare providers must take action to protect the privacy and security of PHI. It is just as important to document all measures taken to secure ePHI.
  • The corrective action plan states that Banner must do the following to address the findings of the OCR’s investigation:
    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
    • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
    • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically.

What you should do

(Hint: Turn Banner’s Corrective Action Plan into a checklist)


Topics: HIPAA, data breach, security

The Rackspace ransomware attack – How safe is your cloud?

Posted by Scott Gima on 12/20/22 10:40 AM

What is Rackspace?

Rackspace Technologies is a tech company that provides cloud-based servers, data storage and data backup services.

What Happened?

On December 2, 2022, at 2:49 a.m. EST, Rackspace posted a message stating that customers who used its Hosted Exchange email servers did not have email access. The Hosted Exchange services include mailboxes (up to 100GB), Microsoft Outlook, Outlook Web Access, mobile device synchronization, and anti-spam and anti-virus protection.

On 12/6, Rackspace indicated that they suffered a ransomware attack.

Rackspace has not yet indicated when email service will be restored to their clients. In the meantime, email accounts and domains are being migrated to Microsoft 365. This temporary solution only provides access to new emails. Clients currently have no access to existing emails.

Rackspace has not reported the number of impacted customers. It has been speculated that the number of small and medium sized customers may be in the thousands.

Why is this Important?

In the old days, Microsoft Outlook and Office programs were installed on your company’s server. Email Exchange Servers were also physically located within your company. All emails, email attachments, documents, and spreadsheets were also stored on the server or on your desktop. Today, companies like Rackspace and Microsoft provide these applications with data storage in the cloud.

The Rackspace incident provides a sobering example that cloud applications and cloud stored data are not as safe as you think. Rackspace customers lost the ability to receive and send emails. According to news reports, many customers have email after Rackspace moved them over to Microsoft 365. But there is an ongoing concern of archived email data loss once email service is restored. Think about the impact to your organization and your job tasks if you lost the ability to send and receive emails, plus access to all of your old emails, both sent and received. My guess is that you will come to the same conclusion as me – the impact would be significant if not catastrophic.

Impact?

Loss of email typically means lost revenue. What is your organization’s tolerance to downtime? In other words, how long can you go without email? These are questions that need to be posed to each department. The loss of access to the EHR is the #1 issue, but that can be handled by going old school with paper documentation. The impact on other departments must be reviewed in detail.

Let’s start with the business office. Is there enough cash if billing Medicare, Medicare Advantage, Medicaid and private pay stops or takes longer than normal? What about follow-up of unpaid claims? Referrals? Communication with referring hospitals is typically handled by email. How do you review payor eligibility? How will you recruit staff for open positions without receiving email notifications from recruiting websites? Background checks and review of exclusion lists? The list goes on and on.

All of us are heavily dependent on emails to do our daily tasks. The temporary loss of being able to send or receive emails for a week or two is tolerable, but the tipping point may well be the possible loss of old emails and attachments.

What to do?

I reached out to Scott Wolff, President and Director of IT Operations at LanServ, Inc., a managed service provider (MSP) in St. Louis, and asked him: What do companies need to do to limit their email downtime and prevent the loss of archived (old) emails and attachments? Here is a list of recommendations from Scott W:


Topics: HIPAA, security, compliance

Understaffing increases cybersecurity risk

Posted by Scott Gima on 12/6/22 10:21 AM

Workforce statistics: An (ISC)2 workforce survey of 11,779 cybersecurity practitioners and decision makers reported strong increases in cybersecurity workers:

  • The US cybersecurity workforce increased by 5.5% between 2021 and 2022.
  • Globally, the increase was 11.1%, or 464,000 new workers.

But demand for cybersecurity workers increased almost twice as fast, resulting in an increase in need. In the US, the workforce gap increased by 9.0%. The global gap has climbed by 26.2% since 2021.

Why it matters: For organizations, unfilled cybersecurity jobs increase the risk of a successful cyber event. The (ISC)2 survey identified multiple staffing related problems:

  • 70% of organizations don’t have enough cybersecurity staff to be effective.
  • More than half believe their organization is at a “moderate” or “extreme” risk of cyberattack.
  • Oversights in certain procedures have been made.

These vulnerabilities worsened in 2022:

  • Not enough time for proper risk assessment and management
  • Oversights in process and procedure
  • Slow to patch critical systems
  • Not enough time to adequately train each cybersecurity team member and not enough training resources
  • Misconfigured systems

The top four reported reasons for the shortage:

  • 43% - My organization can’t find enough qualified talent.
  • 33% - My organization is struggling to keep up with turnover and attrition.
  • 31% - My organization doesn’t pay a competitive wage.
  • 28% - My organization doesn’t have the budget.

Tackling the problem: Multiple strategies were identified by the (ISC)2 survey. While all had a positive impact, some were more effective. Organizations that focused on training were least likely to have staffing shortages. These organizations focus on rotating job assignments, mentorship programs and encouraging employees outside of cybersecurity to join the field. Organizations that outsourced cybersecurity showed a higher percentage of staffing shortages. Effective strategies include the following:


Topics: HIPAA, security, compliance

Making Recognized Security Practices work for you

Posted by Scott Gima on 11/30/22 10:15 AM

One Big Thing

Implementation of Recognized Security Practices (RSPs) for at least 12 months provides covered entities and business associates with the opportunity to reduce fines and penalties for violations of the HIPAA Security Rule.

Background

On January 5, 2021, Congress passed an amendment to the HITECH Act that requires the OCR to take into account the Recognized Security Practices of covered entities and business associates when they are able to show that RSPs have been in use for the 12 months prior to a HIPAA breach incident.

If RSPs are in place, the OCR may mitigate fines and remedies and allow an early and favorable termination of an audit.

Over the past months, the amendment has generated questions related to the uncertainty about what constitutes RSPs, and how to demonstrate their implementation. In response, on October 31, 2022, HHS-OCR released a video that addresses some of these concerns about RSPs.

What Are Recognized Security Practices?


Topics: HIPAA, security, compliance

Health System Ransomware Attack Lingers…

Posted by Scott Gima on 11/22/22 10:08 AM

CommonSpirit hospitals reported IT issues on October 3rd with a response that included taking systems offline, including their electronic medical records. CommonSpirit has 140 hospitals in 21 states.

According to Healthcaredive.com, based on website information, hospitals in seven states have been impacted. Scheduling issues and procedure delays have been reported.

Systems being restored. On November 9, CommonSpirit announced that it continued to “work diligently to bring systems online and restore functionality as quickly and safely as possible, including electronic health records….” We know that, after the attack, many clinicians were unable to access medical records, and patient access to the MyChart portal was impacted.

Why it matters: There are no details on whether there has been a data breach of PHI – CommonSpirit says a forensic investigation is ongoing. But the news reports provide a clear picture of the operational impact that occurs in response to a ransomware attack – IT systems and applications have to be taken down to contain the impact or spread of the attack.

Security risk analysis and business continuity planning. A business continuity plan prepares your organization to respond quickly with temporary procedures and measures to continue key operational tasks and get systems back online as quickly as possible.

What to do: Identify and prioritize tasks that include but are not limited to electronic medical records (scheduling, documentation, orders, medications, and communication), communication, payroll, billing, collections, and food and supply ordering.

Every critical task must be reviewed to minimize patient risk. For example: a new medication order. What steps are now needed to get a new medication order from the physician to the bedside? Will human runners be needed? How and who will review, transcribe, and double check orders to prevent errors?

Email – don’t underestimate its impact. Business continuity takes a hit when email is inaccessible. Is your inbox your de facto “to do” list? Imagine how you are going to be able to tackle routine tasks without access to your inbox. Don’t overlook other email folders, as well as the inability to communicate by email for at least a couple of weeks if not longer….


Topics: HIPAA, security, compliance

$5 Million hospice therapy false claims settlement

Posted by Scott Gima on 10/18/22 11:50 AM

A whistleblower complaint by a hospice employee led to a $5.59 million settlement. Allegations include:

Topics: Compliance Basics, Penalties and Enforcement, false claims, hospice

Has your HIPAA security program addressed Callback Phishing?

Posted by Scott Gima on 8/30/22 8:45 AM


What is Callback Phishing?

CrowdStrike, a third-party cybersecurity firm, recently disclosed a new phishing tech support campaign. Hackers send out a fake email that appears to come from a reputable cybersecurity firm (like CrowdStrike). The email falsely claims that your business had a cybersecurity event and that the firm is working with the company’s security department to address a possible issue with the employee’s workstation. The email asks the employee to urgently call a provided phone number to resolve the issue on their workstation.

If a call is made, the hackers will trick the caller into installing remote desktop software. Once the software is installed, the hacker has access to the user’s workstation and will attempt to move through the network to initiate a ransomware attack.

 

A New Version of an Old Scam

This tech support phishing attack is a new twist on an old scam. A May 2022 blog post discussed an FTC alert on Senior Tech Support Scams, which happened to a family member.

It is highly likely that these emails will get into an inbox because they contain no malicious links or attachments, which diminishes the effectiveness of spam or anti-phishing filters.

 

Use your HIPAA training program to increase awareness

Training and education is the most effective method to prevent callback phishing attempts. A phishing reporting policy may be a worthwhile addition to your HIPAA and/or cybersecurity policies. Here are some simple training reminders:

 

  • Do not call the number provided. Assume any email from a well-known cybersecurity firm like CrowdStrike is a phishing email, especially if the email alleges a breach of your environment and requests an urgent call back.
  • Follow your organization’s phishing reporting policy. Call or forward the email to your Security Officer and/or IT department and let them handle the matter. If it is legitimate, they will let you know.
  • Pat yourself on the back, you just prevented a phishing attack.

 

Update your HIPAA Security Risk Analysis

Revisit and update your HIPAA Security Risk Analysis. Add callback phishing as a threat where appropriate. Document your anticipated mitigation strategies including training. Lastly, document when each mitigation effort has been implemented, and include dates so progress can be easily understood.

MPA can handle your HIPAA Security Risk Analysis

The HIPAA Security Risk Analysis is a lot to tackle. We all know it’s even more challenging to accomplish during COVID times. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more information.


Topics: Training and Education, HIPAA, security, risk analysis

Compliance lessons from recent fraud cases

Posted by Scott Gima on 7/20/22 9:15 AM

 

Outlier billing patterns will get you noticed!

A New York ENT physician was convicted of filing false claims with Medicare and Medicaid. The physician submitted claims totaling about $585,000 to Medicare and Medicaid and was paid roughly $191,000.

The fraudulent act was upcoding of ear exams or ear wax removal to an incision procedure of the external ear. An analysis of Medicare and Medicaid data identified this physician’s billing was an outlier and was found to be the highest biller for this procedure in the State of New York. 

Compliance lesson: Enforcement agencies are actively using data analytics to identify, investigate and prosecute providers with unusual billing activity – and so should you. Audit your claims regularly to identify potential false claims, so they can be corrected and/or reported.

 

Mole billing fraud scheme totals $4.1 million in false claims over 7 years

The second case involves a Chicago physician who conducted cancer screenings on moles that were removed from his patients. The US Attorney’s office in the Northern District of Illinois recently filed charges in the US District Court in Chicago. The press release includes the allegation that the physician removed more moles from patients than was medically necessary, totaling $4.1 million in fraudulent payments between 2015 and 2021.

But how does a simple case of removing one mole but billing for removing multiple moles lead to $4.1 million? Well, it turns out that the scheme was, shall we say, creative. Here is what was included in the charge document:

  • More moles were removed than were medically necessary
  • If multiple moles were removed from one area of the body, false documentation would be created to indicate that the moles were removed from different areas of the body
  • When multiple moles were removed from a patient, the specimens would not be submitted immediately to pathology
  • The practice would instead submit one specimen at a time to pathology on different days
  • False documentation was created to show the removal of a single mole on different visits
  • Some of the fraudulent visits were submitted on days when the physician was out of town
  • Fraudulent documentation was submitted in response to Medicare audits

That is how you collect $4.1 million in false claims over a seven-year period.

Compliance Lesson: Examples like this fall into the category of “truth is stranger than fiction.” It is impossible to draft policies and train staff for every possible compliance risk scenario. The goal of an effective compliance program is to train employees and staff to trust their instincts – if something does not seem right, notify the compliance officer directly or anonymously.

 

How well is your compliance program performing?

Find out with MPA's compliance program assessments.


Topics: Penalties and Enforcement, Billing and Claims Submission
