Chat with us, powered by LiveChat

Fighting Ransomware: A Success Story

When the HHS Office for Civil Rights released the HIPAA guidance on ransomware in the summer of 2016, collectively the health care community sat up and took notice. The guidance (found here) outlines various activities required by HIPAA that assist organizations in the prevention and detection of threats. One of the key activities listed in the guidance is completing an annual Security Risk Analysis.

As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  By utilizing the HIPAA One® Security Risk Analysis (SRA) tool, I am able to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site with one of our clients, which I will call “Care Health” to preserve their confidentiality, working on organization-wide identity protection. Care Health utilizes our SRA to safeguard their critical data and provide security and protection from Ransomware, malware and the proverbial “sophisticated malware attacks”.

blogWhile at the Care Health office, two staff members in the Billing department were utilizing shared files in a network-mapped drive (e.g. N: drive). One of the staff members noticed new files were being spontaneously created and the file icons in the network folder were changing. By watching the changing file names, the staff member noticed one showed up as ransom.txt.

Acting quickly, she contacted the IT Helpdesk for assistance. The Helpdesk had been trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). Upon being notified of the issue, the HSO logged-into the N: shared drive and found their files were slowly being encrypted!

How do you stop a Ransomware attack?

blog-2Promptly, the HSO ran Bitdefender full-scans on the Billing department computers and found nothing. He then installed and ran Microsoft’s built-in Windows Defender, which has the most current malicious software removal utilities on Server 2012 and found Tescrypt.  Installing Windows Defender on the two desktops not only detected the encryption, but also removed it.

This specific Ransomware variant had somehow infected the system and was systematically encrypting these files.  Thankfully, the quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before any patient data was compromised. Following the incident, backups were used to restore the few-dozen encrypted files on the network-drive. Due to appropriate safeguards and training, the Care Health team was ready and a crisis was averted.

Upon a configuration review of Care Health’s security appliances, WebSense was configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page. This forced website visitors to download the executable virus from the banner-ad and unknowingly install the Ransomware on their local computer. Once downloaded, the Ransomware would begin encrypting files in high-lettered network-drives.

Next steps…

Unfortunately, Ransomware is here to stay and the number of attacks are rising.  Now more than ever, it is critical that health care organizations have updated policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program. Let the Care Health incident be a reminder that a well-trained employee is an organization’s best defense against Ransomware, Phishing and sophisticated malware attacks.

The HIPAA One® software suite offers an automated approach to implementing and maturing your organization’s HIPAA Security Compliance Program. To learn more, visit us at  https://www.hipaaone.com/contact/

7 Ways Employees Can Help Prevent HIPAA Violations

Prevent HIPAA Violations

There are several qualities of working in healthcare that are not dissimilar from other careers in other industries. You need to come into work on time, work hard while clocked in, get along with the other staff members, be a good representative of your company and so on. But there’s one aspect of working in healthcare that other industries don’t need to worry about: violating the HIPAA Privacy Rule or Security Rule.

When just one employee’s actions result in a HIPAA violation, it not only results in major consequences for that individual, it’s also jeopardizing for the entire organization. If an employee/workforce member breaks a common HIPAA violation, even in the smallest way, the entire organization faces severe penalties, involving substantial fines and having a bad reputation.

Nurses are on the frontlines of patient communication, so understanding the key ways YOU can prevent potentially disastrous violations is vital. To help you get started, here are seven ways you and all employees can help ensure HIPAA compliance.

1. Be educated and continually informed.

Image Source: COD Newsroom

Image Source: COD Newsroom

The first way to ensure staff members aren’t violating HIPAA is to educate and inform each employee on HIPAA regulations and when any changes are made or new information is released regarding those regulations. Everyone should also be told what penalties they and your workplace will face if compliancy isn’t maintained by all. Hold in-office trainings to teach employees all they need to know about HIPAA privacy and security regulations and to answer any questions they might have. You or your HIPAA privacy office can conduct these trainings, or if you use HIPAA security software, many of these programs offer training courses and seminars for your office to use. Take the necessary time to keep staff members knowledgeable on the HIPAA regulations and device standards they must follow in order to keep themselves and your organization HIPAA compliant. Education will take time, but it’s your best asset so make the time to do it.

2. Maintain possession of mobile devices.

The most common HIPAA violation today is mobile devices storing patient health information being lost or stolen. It’s the obligation of covered entities and business associates to keep their mobile devices secure and out of the wrong hands, so if an employee accidentally loses a laptop or work tablet, or leaves it unattended and it gets stolen, your business pays for that mistake. Continually remind employees to be aware of where mobile devices are at all times and to shut them down and lock them up when they’re not using them.

3. Enable encryptions and firewalls.

Image Source: Ervins Strauhmanis

Image Source: Ervins Strauhmanis

Your next defense with mobile devices is enabling encryptions, firewalls and secure user authentication on every device. There are technologies that can also remotely lock, or wipe (ie. Reset to factory defaults erasing all apps and data) using apps and software programs. This is your backup plan if a work device is lost or stolen. Again, stress the importance of maintaining possession of devices and keeping the encryptions and firewalls up-to-date and user authentication hard to crack to employees handling these devices. Accidents do happen, but sometimes employees are just cavalier, so to help your employees and yourself remain HIPAA compliant, enable these security precautions on each mobile device your business has and lends out for employee use.

4. Double check that files are correctly stored.

Image Source: Medill DC

Image Source: Medill DC

Handling paper and electronic files is a tricky business. Misfiling a patient’s paperwork in a cabinet or saving it on the wrong computer drive or network is a costly mistake. And many employees fall victim to this because they’re distracted while filing. Constantly remind employees who deal with patient files to focus on what they’re doing and double check that they properly store and save files in the right folders and drives.

5. Properly dispose of paper files.

Image Source: Sh4rp_i

Image Source: Sh4rp_i

Again, this is a human error problem. Too many of these cases have occurred because employees forgot or chose not to shred paper files before throwing them away. An employee could be having a bad day, an extremely busy day or is easily distracted by other employees, which causes them to overlook shredding papers with PHI on it. The best way to avoid this problem and keep employees from violating HIPAA is switching to an electronic filing system. If you still prefer paper files, then make sure staff members’ double and triple checks that they properly dispose of any and all paper files.

6. Keep anything with patient information out of the public’s eye.

Image Source: COD Newsroom

Image Source: COD Newsroom

A minor way your company and its staff could be in violation with HIPAA laws is having patient information in plain view to anyone who comes into your establishment. Don’t fall victim to this small but careless mistake. Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas and keep your computer monitors and mobile device screens hidden from patients and visitors.

We found one Hospital displaying their patients’ XRAY (technically it was CR Scan) on a wall-mounted, big screen TV next to the Nurse’s workstation area where other patients walk by.  Tell the staff to be mindful of these things and that if they notice something to be out of place to quickly take care of it before unauthorized eyes see it. Get everyone in the habit of keeping information concealed that needs to be.

7. Use social media wisely.

Last but not least, express to employees just how crucial it is to use social media wisely. The way we communicate with each other has changed. Now, many people spend more time messaging on Facebook, sending Tweets and sharing how their day is going via a collage of pictures on Instagram. Social media usage has increased the likelihood for employees to violate HIPAA. Your safest bet to have employees and company remain HIPAA compliant is having a company rule not to post any text or pictures about what goes on in the workplace on social media or even on their personal blog. Your organization or business could be severely fined for neglectfully hiring, training and/or supervising an employee if he or she posts something sensitive, even if by accident or only shares a small tidbit of a situation that doesn’t include any names. Employees and businesses must be extremely careful when dealing with social media.

In order for your organization to remain HIPAA compliant, each employee must be HIPAA compliant. By educating, informing and training employees on what HIPAA regulations they must follow and the consequences they’ll face from being non-compliant, as well as reminding them to be smart and use common sense, employees can actually help prevent HIPAA violations from happening.

5 Most Common HIPAA Privacy Violations

The HIPAA Privacy Rule was put in place to provide rights to access and amend our protected health information, appropriate disclosers and help reduce fraud, waste and abuse. If your facility and its network aren’t HIPAA compliant, the costs may be significantly higher than taking action. Penalties could result in millions of dollars in fines and could even include some jail time (HITECH failure to report a breach of > 500 individuals to HHS).

Image Source: Yuri Samoilov

Image Source: Yuri Samoilov

That’s one risk you just can’t afford to take.

Take a look at these 5 most common HIPAA privacy violations and learn what preventive measures you can take to avoid these violations and their severe penalties.

1. Losing Devices

The biggest problem today is devices with stored patient health information, i.e. desktop computers, laptops, tablets and smartphones, being stolen or lost. This includes work devices and your own personal devices if you use them to access this information. Mobile devices are the most vulnerable to theft and misplacement because of their smaller size and portability.

Solution: Keep a watchful eye on your devices and keep them locked up when you’re not around. Better secure your files on these devices with encryptions and use a cloud hosting solution for remote access. Encryption won’t reduce the cost of the device or time to rebuild/recover the user’s system, but can alleviate the need to notify HHS of a breach > 500 individuals.

2. Getting Hacked

 Data from several healthcare network servers have been hacked into over the last few years. These servers have PHI for hundreds to millions of patients, so when these skilled hackers — who are only getting better at what they do — get their hands on them, they leak this information out or sell it to the highest bidder. Some of this information includes Social Security numbers, birth dates, addresses and insurance information.

Solution: Take necessary security measures, like encryption and deep-packet inspection firewalls that can block phishing or other malware attacks, to safeguard PHI.

3. Employees Dishonestly Accessing Files

Unfortunately you can’t trust everyone. An all-too-common HIPAA violation is employees accessing files they’re not supposed to. They do this out of curiosity, spite or because a friend or relative asked them to. No matter their excuse, it’s wrong, but it’s still something that continues to happen.

This problem is amplified when accounts are shared between Physicians and their underlings. Physician staff may use the Physician’s System user account assuming they will not be held accountable for these activities (see Huffington Post article on Kim Kardashian’s fall-out from this type of behavior).

Solution: Policies and procedures with annual HIPAA Security training enforcing unique User IDs, Implement passwords, passcodes, user ID codes and/or clearance levels to discourage employees from accessing patient files they’re not authorized to see.

4. Improper Filing and Disposing of Documents

When using a paper filing system, it’s highly likely there will be some human error resulting in an employee incorrectly filing a patient’s record or accidentally getting rid of a document without first shredding it. Sometimes people just have a bad day or get distracted. Mistakes happen, but they happen more so with this system.

Solution: Establish Policies and Procedures to ensure any ePHI or PII on paper is locked at night, or stored in secured disposal bins prior to shredding. Switch over to an electronic filing system or make sure everyone double and triple checks they correctly file and dispose of documents.

5. Releasing Patient Information After the Authorization Period Expires

There are expiration dates on HIPAA authorization forms. Too many times someone hasn’t paid close enough attention to that date when a request for a release of information comes through and ended up sending out that information even though they shouldn’t have. If a request comes in and it’s past the expiration date, you must complete a new HIPAA authorization form.

Solution: Verify the expiration dates for HIPAA authorizations before releasing any information. Complete a new form if needed. See HIPAA Reference: §164.508(a)(1)-(3), §164.508(b)(6), §164.508(c)(1), §164.508(c)(2), §164.530(j)

Another preventive method is performing a HIPAA self-assessment. A self-assessment shows any high-risk vulnerabilities or gaps in compliance your facility and network have, so you then can create an action plan to remediate those issues.

So now you know the most common HIPAA privacy violations, and you know how to prevent them so you steer clear of hefty penalties, keep your facility and network HIPAA compliant and protect patient information.

For more information about HIPAA Privacy compliance and risk assessment, please contact info@hipaaone.com or by phone at 801-770-1199.

HIPAAOne statement on Heartbleed

HIPAA One Heartbleed update:

You are probably aware of the Heartbleed Bug. This vulnerability is in the OpenSSL cryptographic software library (CVE-2014-0346 / CVE-2014-0160).  There has been a tremendous amount of media coverage due to the severity of this bug.

This bug enables someone to read the memory of systems protected by vulnerable versions of OpenSSL software

. More details can be found here: http://heartbleed.com.  In summary, an information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)

HeartbleedAfter analyzing our cloud infrastructure at https://secure.hipaaone.com, we found that no production servers were impacted by this bug.

We conduct regular vulnerability scans and are commencing with periodic ethical hacking.  This helps provide assurances we are current with vulnerabilities and managing risk in our production platforms.
Thank you for your attention to this matter.

For anyone else who is running Linux, and and are running OpenSSL it internally, we recommend you apply the security patch issued by RedHat or equivalent against affected servers and restart the OpenSSL service. For example, you can issue “openssl version” from the command line to determine if it is running a version susceptible to the bug. The RedHat security advisory is included here for your reference.

https://rhn.redhat.com/errata/RHSA-2014-0376.html

Steven Marco

HIPAA One® President