Breaking Compliance News Blog

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.

Read More

Topics: HIPAA, security

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/4/22 8:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

What the Russia-Ukraine Conflict Means for Your Cybersecurity

Posted by Scott Gima on 3/22/22 8:15 AM

 

I recently had a conversation with Scott Wolff, President and owner of LanServ, a St. Louis IT and managed service provider. Scott was a recent guest expert for a MPA webinar that discussed HIPAA Security Risk Assessment and cybersecurity.

I asked Scott if there has been an increase in cyber threat activity as a result of the Russian invasion of Ukraine. Surprisingly, Scott has so far found a significant decrease in hacker activity with his clients. Maybe all the hackers are focused on Russia and Ukraine, but regardless of the reason, it is very easy for organizations to let their guard down.

Coincidently, the same thing was discussed earlier this week with some members of Congress who received a briefing on the elevated Russia cyber threat to the US. Former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs led the briefing which was closed to the public. The Washington Post was able to speak to Krebs after the briefing. He is worried about complacency. He told the Post “We have been talking with some alarm for weeks, if not months, about the potential Russian threat and fatigue is real and the desensitization to ongoing activities that are happening elsewhere is real.”

Krebs also stated: “the Russian cyberthreat as especially elevated now because Putin has already demonstrated he’s willing to cross Western red lines by invading Ukraine.”

I agree with Krebs. Just because cyberattacks have not yet occurred against the United States, organizational efforts to improve cybersecurity should continue and be responsive to new threats. This is especially true for critical infrastructure entities including health care providers.

I asked Scott Wolff, President/Director of IT Operations for LanServ, Inc., for his take on the situation:

The current reduction in cyber security events started a few weeks ago, and appears to coincide with the Russian invasion of Ukraine.  To many of us this may provide a much needed break from responding to the high volume increase in cyber security events over the last few years, and thus take the time to kick back and breathe a little bit. 

However, I am approaching this temporary reduction in events as a “quiet before the storm scenario.”  Currently, I am spending even more time than normal implementing additional security measures, as well as learning from the Russian cyber-attacks against Ukraine to build future cyber defenses should these same cyber-attacks be used against us.  There is no better time than now to assess your overall network system security, and user password hygiene before the storm potentially heads back this way.

What you can do

Discuss cyber threats with your IT team or managed service provider. The Cybersecurity and Infrastructure Security Agency (CISA) provides security updates and free resources. With a high threat level, now is the perfect time to update your HIPAA Security Risk Analysis.

Need more HIPAA help? MPA can help with t he HIPAA Security Risk Analysis.

Read More

Topics: HIPAA, security, compliance

Cold hard HIPAA stats

Posted by Margaret Scavotto & Scott Gima on 1/25/22 8:15 AM

As we enter a new year, it’s a good time to review the status of data breaches, HIPAA hazards, and the state of security risk with some statistics:

  • The average cost of a data breach in the United States is $9.05 million. The average cost is higher in organizations with greater compliance failures.

  • Only 25% of employees are “very confident” they can identify a social engineering attack.

  • 76% of healthcare employees have received security awareness training. That means 24% have not.

  • 24% of employees believe “clicking on a suspicious link or attachment in an email represents little or no risk.”

  • Only 31% of employees think “allowing family members of friends to use work devices for personal activities outside of work” is risky.

  • In the past 12 months, 94% of organizations have had an insider data breach. The most common cause is human error.
  • As many as 90% of data breaches are phishing attacks

It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.

What you can do

Read More

Topics: HIPAA, data breach, security

When HIPAA security is a public health issue

Posted by Margaret Scavotto & Scott Gima on 1/18/22 9:00 AM

Read More

Topics: HIPAA, data breach, security, compliance, webinar

Have you upped your HIPAA game during COVID?

Posted by Margaret Scavotto, JD, CHC on 1/11/22 8:00 AM

HIPAA was a high priority for most healthcare providers before the pandemic.

 

COVID-19 stretched resources and lengthened to-do lists, and has made it harder to keep up with HIPAA compliance.

 

Which is tricky, because HIPAA risk has only increased during the pandemic, for two reasons.

 

First, hackers are opportunists.

They know the pandemic strains healthcare facilities, and a cyberattack might be more successful on a provider facing a COVID-19 surge. In March 2020, U.S. authorities warned that hackers were focusing their efforts on the three states hit the hardest by coronavirus: California, New York, and Washington – and hackers were targeting employees working from home.

Second, the pandemic has brought new ways to violate HIPAA.

Providers and vendors have scrambled to implement testing sites and vaccine clinics, ways to manage the data flowing in and out of testing sites and vaccine clinics, and software programs to sign up for testing and vaccines – to name a few. Many of these methods had to be put together hastily, as they were urgently needed. Was HIPAA the first consideration? Probably not. This inevitably led to breaches.

For example:

  • Denton County, Texas announced a breach involving a third-party application used by the County for COVID-19 vaccination clinics. This application had a configuration error that exposed information about individuals who received vaccinations.
  • An agency employee at Atacadero State Hospital in California improperly accessed patient and employee information, including COVID-19 test results. The records involved 1,735 employees and former employees, and 1,217 job applicants. The improper access was discovered during an “annual review of employee access to data folders, and the employee is believed to have been improperly accessing the information for about 10 months….”
  • The Lake County Health Department and Community Health Center in Illinois announced that 24,000 patient names were on a spreadsheet sent attached to an unencrypted email to an employee’s personal email address. 
  • Indiana’s COVID-19 online contact tracing survey was breached, compromising the data of hundreds of thousands of Indiana residents. The breach was caused by a software misconfiguration that left the information visible to the public.

I know resources are stretched thin, and people are exhausted. But it is still important to ask: Have you upped your HIPAA game during the pandemic? Has your organization addressed evolving threats that COVID-19 has brought the healthcare industry?

Here are some more questions to ask:

Read More

Topics: HIPAA, data breach, security, compliance, webinar

Earn 5 CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 8/10/21 9:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

*** Approved for 5 hours of NAB CEUs***

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Earn 5 CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 8/5/21 11:40 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

*** Approved for 5 hours of NAB CEUs***

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

HIPAA hazard: Doctor appears in traffic court by webcam from the OR

Posted by Margaret Scavotto, JD, CHC on 3/9/21 1:27 PM

A California doctor recently appeared in traffic court by videoconference while he was performing plastic surgery. The traffic court session was livestreamed and posted to YouTube.

The traffic court commissioner could see that a medical operation was in process, and said: “I do not feel comfortable for the welfare of a patient if you’re in the process of operating….” The trial was rescheduled.

The Medical Board of California is investigating the incident.

I’m also concerned about privacy.

Read More

Topics: HIPAA, security, privacy

    Privacy Policy           Terms of Use