A couple of weeks ago, I was talking with a technology vendor who is starting to move into the healthcare space. Their technology isn’t used in the creation or manipulation of patients’ protected health information (PHI), but they do store information on behalf of healthcare organizations that could potentially include PHI. They wanted to know, “Are we required to comply with HIPAA?” Technically – yes. On the other hand, there are hundreds of healthcare organizations and healthcare vendors who actively choose not to comply.

As a healthcare organization or vendor with narrow profit margins, it’s understandable that one might think of HIPAA as a deferrable expense. After all, what are the chances of an information breach? Of an OCR audit?

Unfortunately, the chances are significant – and growing. Consider these facts:

• A healthcare record is worth 100-300 times the value of a credit card record on the black market (i.e., $100-$300 per healthcare record vs. $1 per credit card account number). Consequently, cyber criminals are targeting healthcare organizations.
• Healthcare organizations, in general, are very vulnerable to cyber attacks for a variety of reasons, including lack of personnel with cybersecurity expertise; years of under-investment in IT infrastructure; naivete regarding the threats; high staff churn; and poor physical facility controls.
• The risk of an OCR audit is very small. The risk of a covered entity being breached is very high. If breached, the risk of an OCR audit goes to 100%.
• If a Covered Entity is breached and then audited, the risk of that Covered Entity’s Business Associates being audited is also very high.
• When audited, organizations that can demonstrate they have taken all appropriate precautions will be fined at the lowest rate – or not at all. On the other hand, organizations that have actively neglected cybersecurity and HIPAA compliance will be fined at the “highest rate.” In fact, some recent fines levied by the OCR have exceeded what was previously thought to be the “maximum allowable.”
• The fine is only a portion of the total breach remediation costs. Other costs include patient notification (approximately $4 per affected patient); credit monitoring for affected individuals (free to the patients) for 1-3 years; legal fees; class action lawsuit settlements; personnel time spent handling the remediation; and reputation loss.
• Finally, HIPAA violations can now be prosecuted as both civil and criminal offenses.

Whether and how to invest in cybersecurity training and technology and HIPAA compliance is a business decision only you can make based on your own ethics and risk tolerance. Be sure, however, to base your decision on facts. Up-to-date breach information across industries is available at the Identity Theft Resource Center (ITRC). A list of healthcare organizations fined for HIPAA violations following a breach can be found on the HHS OCR’s Breach Report list. Whatever your choice, ensure that you have protected your customers’ data, protected your organization from the risk of data loss, and protected yourself by understanding and complying with all relevant laws.

Protect your Patients. Protect your Organization. Protect Yourself.™

The EquiFax breach really has me angry.  Mostly because I have no control over any aspect of this mess.  EquiFax scoops up data on all of us without our consent.  They seem unaccountable and untouchable.   With a last name like mine, I’ve had many opportunities to dispute incorrect data on my credit reports, which is always time consuming and irritating.  They make it known how unimportant you are and assume you are “guilty” unless you prove otherwise.  They collect data on all the people in the U.S. old enough to make purchases using credit, and they don’t even bother to encrypt it!  Worse yet they didn’t even bother to patch their systems after they had several breaches earlier this year!  Talk about arrogant!

Is EquiFax just one bad apple?  Sadly, they are not.  Historically, industries with self-certification of compliance to data protection regulations have woefully low compliance.  Government surveys say the healthcare industry is about 15 percent compliant!  With respect to the credit card industry, they are better than the healthcare industry by a whopping 5 percent!  Eighty percent of businesses fall short.  The insurance and financial industries currently have NO regulations to protect your data!  The “good news” is regulations are being drafted and are being implemented starting with New York state.

I hope EquiFax is a tipping point for the consumers in our country!  It’s time we take control of our data and demand it is properly protected.  Nothing seems safe when each morning news declares there is another data breach and the North Koreans launched another missile! It is alarming and discouraging.  But I shouldn’t have to give away my hard-earned credit score to buy that shiny new toy for my man cave (I wish!) for a low price on the Internet. I shouldn’t have to worry that my most confidential data is in jeopardy because I had my annual physical! Should I buy that insurance policy to protect my family, or will the data I provide on the application fall into the hands of cybercriminals and cause significant damage to my family?

Going forward, I will do my homework when purchasing online by selecting reputable companies and not chasing the lowest price.  I will ask my doctor when was the last time his practice did a security risk assessment and all staff had cyber security training?  Does their medical system encrypt the data at all points (most don’t)?  I will look at my financial and insurance companies with a skeptical eye and make informed decisions.  I will also add my voice to the Equifax failure to better protect my children and their future.

I encourage you to take our confidential free mini-Risk Assessment to see how compliant your organization is. Should you discover you aren’t as compliant as you had hoped, contact us at compliance@thirdrock.com.  We’d be happy to help you improve your score and protect your patients, your practice, and yourself!

Stealing headlines from Hurricane Irma was the revelation that Equifax experienced a major data breach during the summer.  Equifax is one of the “big three” credit monitoring services and therefore the data they collect on each of us is broad and deep.  They estimate that data for 143 million people –  nearly half the population of the United States – has been stolen!

What does this breach mean for you?  Your financial history and ability to buy a home, new car, or even get healthcare could be at stake.  Here are recommended steps to protect you and your family.

1. Be skeptical! Equifax is looking out for itself, not you!  They will fight to survive this fiasco, spending the minimum required. Don’t give away your rights – read all documents carefully before signing. Don’t rush to sign any agreements. The aftermath of the breach will play out over months, not hours, and new information will emerge every week.
2. Be cautious! This breach is so large, scammers will take advantage of it.  We learned this morning that a hacktivist created a fake EquiFax website where consumers could check to see if their information was stolen.  EquiFax actually linked to this bogus site and directed consumers to it!  (Remember item 1 – Be Skeptical!) Also be wary of offers to sign up for credit monitoring services and giving out any additional personal information!  Validate the authenticity of any such services. Research these services because many do not provide the protection you need or believe you will receive.
3. Assume your data has been stolen, even if Equifax says your data has not been stolen! Breaches tend to grow over time because companies often under-report to minimize the bad publicity. As the company investigates the breach, they are also likely to uncover more theft that wasn’t obvious at the beginning of the investigation. For instance, on Tuesday of this week, it was publicized that EquiFax suffered additional breaches this year before this major breach.
4. Check the Equifax website set up to inform people if their data was stolen. The link to the site is  equifaxsecurity2017.com.  Questions abound about whether the website provides accurate responses or not!  Remember, be skeptical!
5. Keep all your records! Record all your interactions with Equifax. Ask for email confirmations after phone conversations. Save email as PDFs.  Any costs you incur, get receipts and put them in a specific location or folder.
6. Check your credit report at; https://www.annualcreditreport.com/index.action.  This is a free service and you can get one free report a year from each credit reporting service.  I recommend getting one report every 4 months from a different service so you can maintain a fairly regular status of your credit information.
7. Freeze your Credit – this is your last option and prevents companies from checking your credit score in an effort to get additional credit. This is not something you should do without evaluating your circumstances.  If you are planning to purchase a new car, take out a loan, or get a new credit card, you should evaluate your options.

This blog was originally intended as the second article in the new “Protect Yourself” section of our monthly newsletter.  We focus on protecting small to medium sized businesses but felt we needed to offer some cyber protection information to the individual people who read our newsletter.  I was looking forward to gradually building up our readers knowledge and skills to eventually cover this topic, but the Equifax breach is just like hurricanes Harvey, Irma and Maria – unpredictable and causing a lot of damage and pain.  I hope this helps you all and best of luck!  We are all going to need it!  And please remember and help in any way you can all those affected by these hurricanes.

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

Protect Your Patients. Protect your Practice. Protect Yourself. ™

In January of this year, the HHS Office of Civil Rights levied a $475,000 fine against Presence Health for taking too long to notify their patients – as well as the OCR – after discovering the breach of PHI (protected health information). The incident occurred in October 2013 when Presence Health, based in Illinois, discovered that hundreds of physical documents containing patient names, birth dates, medical record numbers, and surgery details for 836 patients were missing.  They did not report the breach to the OCR until Jan, 31, 2014 — 100 days after the incident occurred.

This was the first HIPAA fine “solely based on an unnecessary delay to breach notification” (HIPAAJournal).

Now, CoPilot Provider Support Services, Inc., a business associate based in New York, is under investigation for delayed reporting of a breach of ePHI (electronic protected health information). An unauthorized person accessed and downloaded 221,178 individuals’ sensitive information in October 2015, but CoPilot didn’t involve the FBI until February 2016 and didn’t issue breach notifications to patients or the media until January 2017. Oops! The OCR is still investigating whether CoPilot is a HIPAA-covered entity, but the NY State Attorney General levied a $130,000 fine in June for violation of state law, according to an announcement from the Attorney General’s Office.

Healthcare entities cannot afford to delay breach notification. Here’s a summary of the basic notification requirements outlined in the Breach Notification Rule:

• A covered entity must notify the Secretary of Health and Human Services (via their portal) if it discovers a breach of unsecured protected health information.
  •  If the breach affects 500 or more individuals, the covered entity must notify HHS/OCR “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” (HHS.gov)
  • If a breach affects fewer than 500 individuals, the covered entity must notify HHS/OCR “within 60 days of the end of the calendar year in which the breach was discovered.” It is NOT necessary to wait until the end of the calendar year.
• Regardless of the size of the breach, a covered entity must notify patients “in written form by first-class mail…or by e-mail” (if an individual has agreed to email communication) “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
• If a breach affects more than 500 individuals, the covered entity must also notify the media.

More detailed instructions for dealing with incomplete or out of date contact information can be found on the HHS website.

These incidents and resulting fines should serve as a wake-up call to the industry – take action sooner rather than later!

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

The American Heart Association lists heart disease as the #1 cause of death in the US with nearly 800,000 deaths per year. In comparison, more than 3.1 million patients have been impacted in the first half of 2017 by a data breach that led to the theft of protected health information (PHI). That’s right — in half the time, nearly four times as many people have been impacted by an information breach as have died from heart disease! Yet an estimated two thirds of medical practices remain at risk of being breached due to a lack of appropriate privacy and security measures as outlined in the 2013 HIPAA Omnibus Rule.

Getting on a Compliance Diet

This is where the old adage of “an ounce of prevention” comes into play. Diet and exercise have been drilled into us since we were young as the most important factors for preventing heart disease. The consequences of forgoing them seemed small in those days. But over time, things changed and life got busy. Various demands on our time started to pile up, and what was once routine is now a New Year’s resolution.

HIPAA compliance is no different. You know you should follow HIPAA guidelines, not just because it’s the law, but because protecting your patients’ data is fundamental to the business and reputational integrity of your practice. But there are so many other demands on your time – OSHA, MACRA, staffing, payer negotiations, drug-resistant TB, continuing education… Acknowledging this, however, doesn’t give practitioners or administrators any more hours in the day. So how can you make HIPAA a habit, make it your team’s standard operating procedure, and still deal with everything else you have to do?

Third Rock’s HIPAA solution streamlines the process of identifying security vulnerabilities and simplifies the process of addressing security gaps in your practice. When dealing with compliance, we want you to feel comfortable and confident that you are acting with the best interest of your patients and your practice. This is why the THSA has recently endorsed Third Rock for our complete, easy, and affordable approach to HIPAA compliance.

We are helping small, medium, and large healthcare organizations by diagnosing, prioritizing and mitigating their vulnerabilities. We also provide the written Policies & Procedures and training so not only are you compliant but you now have the framework for a standard operating procedure moving forward. Should you have any questions along the way, we have a support team that is able to assist.

There is finally a way to take charge – Ask us today about our HIPAA compliance package!

Protect Your Patients. Protect your Practice. Protect Yourself. ™

Find out more at http://thirdrock.com/

As we hear more and more about breaches and ransomware in businesses and especially healthcare, it is becoming an even greater concern for healthcare business owners. It is no longer if you will be attacked, but when and how often.

The first step in closing the cybersecurity gap is to realize that you can’t do it on your own. Cybersecurity is not finding your basic “IT guy” that “can fix it”. It is about obtaining the right resource whether that is a full time hire or a managed service.

The next thing to realize with cybersecurity is that it is not a one time fix, but is ongoing and continually changing to meet the new challenges coming out every day. This is not just adding a firewall, anti-virus, patches, etc. It is a plan, a mentality that evolves over time.

HIPAA is actually a good start towards good cybersecurity, but it is not everything. We all like to complain about HIPAA, but it is actually a great guide to getting your business far more secure and ready to be secure. However, to truly close the cybersecurity gap, no static documents and processes will keep you continuously secure by themselves.

Why worry?

One breach can close your business! Think about your business being down for days, weeks, or even longer. How long can you survive? What about a breach where patient data gets stolen and leaked!! Now you have to go through notifying the government and the public, HIPAA audits, and major fines.

Keep in mind there are 4 tiers of HIPAA fines. If you have a proper HIPAA risk assessment and cybersecurity plan, those fines will be significantly reduced. If not, you could see fines of $50,000 PER PATIENT RECORD.

Time to close that GAP!!

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

If you have questions concerning establishing a cybersecurity plan or about HIPAA, including how to conduct a Security Risk Assessment or how to best remediate identified risks, please contact us: info@thirdrock.com; 512.310.0020.  We’d be happy to help!

Breathing a sigh of relief that the WannaCry ransomware attack didn’t hit your organization?  Thinking you’ve dodged that bullet?  Well, think again!  If trends are any indication, and they typically are, I think it’s going to get a lot bumpier.  Below are some incidents that lead me to this conclusion.  So, buckle up and hold on tight!

January 2015 – Largest Single Healthcare Breach – Anthem Insurance breach affecting over 80 million people.  Investigations point to state sponsored cyber-theft by China.  Anthem is a major insurer of U.S. Government employees.

February 2016 – Ransomware Attacks Hospital – Hollywood Presbyterian Medical Center hit by ransomware and all their computers were disabled. Patients were transferred to other hospitals and staff had to revert to paper to continue providing care to the remaining patients.   A series of hospitals were then successfully targeted.  Ransomware use has soared since.

October 2016 – Successful Attack of Internet Infrastructure – Distributed Denial of Service (DDOS) attack on Dyn, an internet infrastructure company severely disrupted the East Coast shutting down PayPal, Twitter, Netflix, and many other companies. First Major Cyber Attack using IoT Devices – Hundreds of thousands of IoT (Internet of Things) devices like webcams, thermostats, video reorders, etc. were redirected to message the Dyn facility and overload it.

April 2017 – NSA Hacking Tools Released – Shadow Brokers leak NSA’s hacking arsenal providing cyber criminals more sophisticated and effective ways to access IT systems and steal data.

May 2017 – Global Ransomware Attack – WannaCry ransomware unleashed a global assault not seen before, that spread across 200 countries in just a few short days. An estimated 300,000 systems infected worldwide and in England, 48 hospitals were crippled from the attack.  WannaCry also infected a range of medical devices that shook manufacturers like Siemens and Bayer. WannaCry leveraged vulnerabilities identified from the NSA leaks. The finger is being pointed at North Korea.

What does this list of cyber incidents foreshadow for the future?  Well, the hackers are more sophisticated and capable, being able to breach strong defenses and shut down infrastructure.  They can hack sophisticated systems or “simple” IoT devices to gain their goals.  Clearly, ransomware is the weapon of choice and will be for the foreseeable future.  It puts cash in their pockets faster, with less effort.  Our list of vulnerabilities seems to be multiplying and we are up against a wide range of threats; lone-wolf hackers, organized crime, and nation-state actors, all of which can cripple your business or even destroy it.  It feels like IT terrorism!

What can you do to protect your organization?  Partner with a reputable organization who can identify your vulnerabilities and bring transparency to your IT security.  Help put processes in place to maintain and strengthen security without overburdening your organization.

Contact Third Rock for additional information at:  info@thirdrock.com.  We can help!

By now, most have heard or been affected by the WannaCry ransomware that has spread to over 150 countries at last count.

The WannaCry ransomware started taking over users’ files on Friday, demanding $300 to restore access.

Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call.

The first line of defense in this is always having a properly maintained firewall both on your network and on each individual computer system. However, as we all know, your network can and will be breached at some point, whether or not it is due to WannaCry or some other ransomware or virus; it will happen.

What is the best defense against ransomware and other malware?

A good backup!

It sounds simple, but amazingly most either are not doing backups or not verifying that the backup works. I worked with an organization that had been backing up for several years, but had never tested restoring the files. Well, they got hit with a bad virus, and it was determined that restoring the previous day’s backup would be the best way to recover. Unfortunately, the backup was corrupted and would not work. We went back to previous days and weeks, and none of their backups were good.

Having a backup is not good for anything if you can’t actually recover the data when you need it.

1.  To get started, investigate business level backup systems that will work in your environment. It truly is a case by case basis on which backup system is right for your organization; depending on size, speed, hours, etc.
2. Schedule restore tests on a regular basis to make sure that you have a valid backup that you can recover from in the case of an attack.
3. Maintain the backup system to ensure that it is considered “mission critical” as it is the last line of defense for your entire business.

Bottom line:  Stay ahead of ransomware by maintaining complete, working backups!

For questions about how to evaluate and improve your own backup practices or for a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com.

 

Sometimes it is easy to forget that the greatest threat is from within. In today’s focus on cyber-security world, we tend to focus on keeping people out of our network as a primary method to keep our sensitive data, such as ePHI, safe. While that is incredibly important, we should make sure not to overlook the threat posed by those we do grant access. How much of a threat is it? Well, roughly half of all attacks originate from inside the company – and not all are with malicious intent.

Part of the problem is we leave the door open, so to speak. While we are spending time and effort to keep people from the outside out, we are leaving the door open for people on the inside to take what they want.

Think about this…

An employee with access to ePHI decides they want to work over night or on the weekend. That is pretty admirable, in itself. However, that employee decides to send the data via Gmail or another cloud/web based tool to make it available on his/her home computer. Now you have a serious problem. As most of you probably know, the cloud has a habit of being hacked and compromised by targeted attacks.

Now imagine an employee who wants to intentionally steal information! They have abundant options to smuggle information out. In addition to cloud/web apps, they can use USB drives, smart phones with cameras, etc.

While you can’t possibly stop everything, there are simple things that can be done to ensure that your data is safe, from both external threats and internal threats. There is generally zero reason for employees to have access to Gmail, Yahoo, Facebook, Pastebin, etc. from within your organization. And outside of a very few exceptions, there should be no ability to use USB drives. The great thing is that all these channels can be blocked fairly easily and with little cost.

Employees will complain about losing access to popular social websites, but it will be much easier to explain these constraints to your employees than to explain a breach to the government, your patients, and the Board.

Ask your IT service provider if they’ve taken steps to minimize information “leakage” by internal system users. If they aren’t sure or have questions about what you mean, contact Third Rock to schedule a risk assessment.

info@ThirdRock.com | 512-310-0020

According to a post on HIPAA Journal, 60% of healthcare organizations have already introduced networked medical devices into their technical infrastructure. Networked medical devices are the healthcare version of the “internet of things” (IoT) – smart devices that communicate with applications, such as the EHR, and with one another without human intervention. The problem – many medical devices aren’t cyber-secure!  89% of the organizations reporting the use of networked medical devices also reported having experienced a security breach as a result.

The FDA is focusing more attention on the cyber security of medical devices, but no single security standard yet exists. Even medical devices with security features incorporated in their design have a wide variance of capabilities, leaving gaps that can be compromised. There is a growing appreciation, however, that installed medical devices exist in a complex ecosystem of people, processes, and technologies. Therefore, the security issues related to these devices cannot be addressed by the device manufacturers alone – healthcare facilities need to identify and evaluate all the “things” connected to their networks.

In his presentation at HIMSS17, Brian Finch, JD, Partner and Co-Chair of the Cybersecurity and Global Security Practice Groups at Pillsbury Winthrop Shaw Pittman, noted that “there is a gross lack of awareness of the number and diversity of ‘things’ connected to a covered entity’s network.” And he went on to say that “the OCR is really whacking those that have not done a risk assessment and those risk assessments that don’t address ‘internet of things issues’.”

A widely-publicized study by Hewlett Packard subsidiary Aruba Networks reported that in just two years, 87% of healthcare organizations will have adopted Internet of Things technology. Will your organization be one of them? Do you know where your Things are? Did you assess the security of your Things in your Risk Assessment?

Bottom line:  Smart, networked medical devices are a rapidly growing component of healthcare information systems, but they are often the weak link in an organization’s security infrastructure. The first step in addressing the security challenges is identifying the vulnerabilities and associated risk through a comprehensive risk assessment.

If you’d like more information on HIPAA compliance, risk assessments, or reducing the liabilities for your practice, contact us at: compliance@thirdrock.com