
660 Providers Hit At Once – Ep 365 

 July 22, 2022

By  Donna Grindle

Today’s podcast episode is all about why we worry about supply chain issues, why we keep talking about the HiC SCRiM guidance, and why the first day of the PriSec Boot Camp is supply chain risk management. We’ll review several supply chain breaches, one where there were 660 providers hit at once. As you probably have guessed, these breaches involved ransomware attacks.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


Awesome information for the HIPAA professional

⭐ ⭐ ⭐ ⭐ ⭐

Donna and David are the best. They are goofy but succeed in making HIPAA fun. I listen every week and always learn something new. I can’t wait for the PriSec Boot Camp! Bring on the fire hose!


HIPAA Say What!?!

[05:27] Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth | HHS.gov

The HHS OCR developed this guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification) is no longer in effect.

Do the HIPAA Rules permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?

Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.

Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.

The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line, often described as a traditional landline, because the information transmitted is not electronic.

Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies. Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.

For example, some current electronic technologies that covered entities use for remote communications, and that require compliance with the Security Rule, include:

  • Communication applications (apps) on a smartphone or another computing device.
  • VoIP technologies.
  • Technologies that electronically record or transcribe a telehealth session.
  • Messaging services that electronically store audio messages.

A covered entity’s risk analysis and risk management should include considerations of whether:

  • There is a risk the transmission could be intercepted by an unauthorized third party.
  • The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
  • There is a risk ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.
  • Authentication is required to access the device or app where telehealth session ePHI may be stored.
  • The device or app automatically terminates the session or locks after a period of inactivity.

As communication technologies (e.g., networks, devices, apps) continue to evolve at a rapid pace, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis.

[13:40] Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

Yes, in some circumstances.

For example, a covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a health care provider that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI. Because it is not merely a conduit for transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.

Similarly, a covered health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency, because the app is creating and receiving PHI, and therefore the developer is a business associate of the provider.

Another guidance document shared at the same time is aimed at consumers and explains how to protect health information on their own devices:

Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet | HHS.gov

660 Providers Hit At Once

[16:47] 1 – Why we worry about supply chain issues:

Eye Care Leaders, an ophthalmology-specific EMR solution, experienced unauthorized access to its myCare Integrity system in December 2021.

Eye Care Leaders EMR Data Breach Tally Surpasses 2 Million

So far, it looks like over 2 million patient records were involved in the breach, and more keep coming out as affected practices file their own notifications.

That breach alone should be enough reason for you to worry about your vendors.

Then there’s this one:

Vendor Ransomware Attack Impacts 660 Healthcare Organizations

They didn’t say how many patients were involved. What they did publish is a list of all of the covered entities they notified. There are 660 of them.

Professional Finance Company, Inc. Notice of Cybersecurity Incident

Professional Finance Company, Inc. (“PFC”) is notifying individuals whose information may have been involved in a recent network security incident. PFC is an accounts receivable management company that provides assistance to various organizations (including healthcare providers).

Professional Finance Company, Inc. List of CEs

On February 26, 2022, PFC detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems. PFC immediately engaged third party forensic specialists to assist us with securing the network environment and investigating the extent of any unauthorized activity. Federal law enforcement was also notified. The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals’ personal information during this incident. PFC notified the respective healthcare providers on or around May 5, 2022.

Aside from the massive breach, this is an example of why you need to make sure you are not giving your vendors 60 days in your BAA to notify you of a breach. Otherwise, you will be caught with egg on your face.

Double Whammy

[23:46] One of the CEs on PFC’s list had already announced an incident of its own.

Patient Notice – Charlotte Radiology

On December 24, 2021, we identified a security incident that impacted systems that contained our patient information. We immediately initiated our incident response process, notified law enforcement, and began an investigation with the assistance of a forensic firm. Within days, we were able to quickly contain the incident and resume serving patients. The investigation subsequently determined that between December 17 and December 24, 2021, an unauthorized party gained access to our network and took copies of some of the documents on our system.

This one is a mess. This radiology group had its own patients but also served as a BA for other entities. They not only needed to notify their patients, but also the covered entities they were a BA for.

Counterfeit Cisco

[31:22] CEO charged with sale of counterfeit Cisco devices to govt, health orgs

CEO of Dozens of Companies and Entities Charged in Scheme to Traffic an Estimated $1 Billion in Fraudulent and Counterfeit Cisco Networking Equipment | OPA | Department of Justice

Cisco is a well known networking equipment company that sells routers, switches and other devices that carry your network traffic. They are a big deal in the industry and are often used in more complex environments. So, Cisco is a legitimate company; the problem is what was being sold under its name.

What happened was that one person ran 15 different Amazon storefronts, ten eBay storefronts, and multiple other entities that imported tens of thousands of fraudulent and counterfeit Cisco networking devices from China and Hong Kong and resold them to customers in the United States and overseas, representing them as brand new and genuine. The scheme brought in millions of dollars.

The DOJ is on the case, but these devices were apparently sold at retail for around 95% below Cisco’s MSRP. So, if you purchased a “Cisco” device from a reseller at any time since 2014, it is worth figuring out where that device actually came from. You have no assurance about the hardware or the pirated software running on it: it could simply fail, or it could be stealing data or infecting your network in a number of ways.
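One concrete way to start that provenance check is to pull the hardware inventory off every Cisco box and reconcile it against what you actually bought. The script below is an added example for this episode, not code from the podcast, the DOJ or Cisco. It assumes you can collect the text of the IOS `show inventory` command from each device and that you keep a ledger of serial numbers purchased from Cisco or an authorised partner; the inventory text, the ledger and the 11-character serial-number shape check are all constructed or heuristic assumptions for the example. Serials that come out as unknown or malformed are the ones to take to the reseller, your purchase records, or Cisco’s own serial number validation.

```python
"""Reconcile Cisco 'show inventory' output against a procurement ledger.

Added example, not from the podcast, the DOJ release or Cisco.
Assumptions: 'show inventory' text has been collected from each device;
a ledger of serials bought from Cisco or an authorised partner exists.
The sample inventory and ledger below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 'show inventory' prints two lines per part: NAME/DESCR, then PID/VID/SN.
# Field values are space-padded, and can be empty on some modules.
_NAME_RE = re.compile(r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
_PID_RE = re.compile(
    r'PID:\s*(?P<pid>[^\s,]*)\s*,\s*VID:\s*(?P<vid>[^\s,]*)\s*,\s*SN:\s*(?P<sn>\S*)'
)

# Heuristic only (assumption, not a Cisco specification): most Cisco serials
# are 11 characters, three letters + four digits + four alphanumerics.
_SN_SHAPE = re.compile(r"^[A-Z]{3}\d{4}[A-Z0-9]{4}$")


@dataclass
class Part:
    name: str
    descr: str
    pid: str
    vid: str
    sn: str


def parse_show_inventory(text: str) -> list[Part]:
    """Turn raw 'show inventory' text into Part records."""
    parts: list[Part] = []
    pending: tuple[str, str] | None = None
    for line in text.splitlines():
        m = _NAME_RE.search(line)
        if m:
            pending = (m["name"], m["descr"])
            continue
        m = _PID_RE.search(line)
        if m and pending is not None:
            parts.append(Part(pending[0], pending[1], m["pid"], m["vid"], m["sn"]))
            pending = None
    return parts


def reconcile(parts: list[Part], ledger: set[str]) -> dict[str, list[str]]:
    """Bucket each part as known (in the ledger), unknown, or malformed."""
    report: dict[str, list[str]] = {"known": [], "unknown": [], "malformed": []}
    for p in parts:
        if not p.sn or not _SN_SHAPE.match(p.sn):
            report["malformed"].append(f"{p.name} ({p.pid or 'no PID'}) SN={p.sn!r}")
        elif p.sn in ledger:
            report["known"].append(p.sn)
        else:
            report["unknown"].append(f"{p.name} ({p.pid}) SN={p.sn}")
    return report


def audit(text: str, ledger: set[str]) -> dict[str, list[str]]:
    return reconcile(parse_show_inventory(text), ledger)


# Constructed sample: one chassis bought through a known channel, one optic
# with a well-formed serial that is not in the ledger, one optic that
# reports no PID or serial at all.
SAMPLE_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco Catalyst 2960X-48TS-L Switch"
PID: WS-C2960X-48TS-L  , VID: V05  , SN: FOC2105Z1AB

NAME: "GigabitEthernet1/0/49", DESCR: "10G SFP+ Module"
PID: SFP-10G-SR         , VID: V03  , SN: AVD2033X9QQ

NAME: "GigabitEthernet1/0/50", DESCR: "10G SFP+ Module"
PID:                    , VID:      , SN:
"""
SAMPLE_LEDGER = {"FOC2105Z1AB"}

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_INVENTORY, SAMPLE_LEDGER).items():
        print(bucket + ":")
        for item in items:
            print("  " + item)
```

Run it against a directory of captured `show inventory` files and feed the unknown and malformed buckets into your vendor review; a serial that validates with Cisco but was bought from a 95%-off marketplace listing still deserves a hard look at the reseller.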

2 – More Ransomware Concerns

[39:25] Ransomware gang now lets you search their stolen data.

Two ransomware gangs and a data extortion group are adding a search function to their leak sites so that it is easier for victims to find themselves and the specific details of what was stolen. So, if your data was stolen, or you have been told it wasn’t, you can go there and search. They have created a searchable database where you can look for file names, content and images.

So, for all of you who think you can just cover these breaches up, the bad guys are making it more convenient for everybody else to see what they were able to do successfully.

[43:05] And then there is this CISA Alert from July 06: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | CISA

The North Korean state sponsored cyber actors apparently are targeting the health care and public health (HPH) sector’s organizations using Maui ransomware. This alert includes tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) for technical people on how Maui ransomware works.

The bottom line is that they are urging HPH sector organizations to apply the recommendations in the mitigation section of the alert to reduce the likelihood of compromise, and that victims of Maui ransomware should report the incident to their local FBI field office and/or CISA.

Maui encrypts the target files with multiple layers of encryption, one on top of another. But here’s the key element: this is not a spray-and-pray tactic where the bad guys get you to click on something and the ransomware immediately runs. This is human-operated ransomware, which is becoming the next big thing because the operators have more control, and they are using it against businesses. Since they moved on from consumers to targeting businesses, they have gotten a whole lot better. The important thing to note is that they create a log of all the files they encrypt, likely exfiltrate the data, and can then use that data for further attacks on the same businesses.

Make sure your IT staff/vendor reviews and addresses CISA’s mitigation recommendations detailed in the alert. It does point out that IT should not only monitor computer and network devices, but also IoT devices, medical devices and EHR systems. It is important to understand everything your IT staff/vendor is monitoring and securing.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: