
Courts, Cameras, and Exchange – Ep 297 

 March 26, 2021

By  Donna Grindle

Cyber attacks keep on coming and there is no expectation that they’ll ever stop. Attacks are coming from everywhere – vulnerabilities in software applications, insecure IoT devices connected on the internet, email attacks and phishing, etc. Protecting systems from cyber attacks is not a “one and done,” “set it and forget it” project. It is a critical and continuous business process that every organization must address. And, surprise surprise, it also requires vetting your vendors as many attacks are coming through your supply chain.


In this episode:

Courts, Cameras, and Exchange – Ep 297

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

Debt Collection Firm Reaches Breach Settlement With States

A coalition of 41 state attorneys general has reached a settlement with American Medical Collection Agency in the wake of a 2018 data breach that compromised the personal and health data of 21 million individuals and pushed the company to file for bankruptcy.

We talked about this when it came out. Remember when all the Quest and Labcorp letters went out? They were the big ones, but several smaller labs were also involved in this breach. Over 20 million people. That's a big data breach, and it explains why all but nine states joined this settlement.

At the beginning of June 2019 they announced that “an unauthorized user” had been in their internal systems between August 1, 2018 and March 30, 2019. It looks like they used the full 60 days the breach notification rule allows, but they did start mailing out millions of breach notifications.

They are clearly a HIPAA business associate (BA), which may be part of the state settlement, but the settlement itself is about the consumer protection laws in each of these states. We have seen this happen before with Anthem, which settled first with the states and then worked out a resolution agreement with OCR. The same may happen in this case.

They filed for bankruptcy within a week or so after the news broke, saying there was no way they could cover all the costs of this data breach and stay solvent. That became even more of an issue once their big clients dropped them immediately.

This case is nowhere near done. Civil actions are ongoing, asking the courts to allow the consolidated patient suits to hold the individual covered entities (CEs) liable for damages.

New York Agreement

The New York settlement includes a corrective action plan to implement the following items regarding their security program:

30. The Program must be documented, in writing, and must contain administrative, technical, and physical safeguards appropriate to (i) the size and complexity of the business; and (ii) the sensitivity of the PI and PHI that Defendant collects, stores, transmits, and/or maintains.
 
31. The Program shall permit users access to PI and PHI only to the extent necessary for each user to perform job functions and assignments.
 
32. The Program shall require the employment of a person who will serve the function of a Chief Information Security Officer (CISO) with responsibility to implement, maintain, and monitor the Program. The CISO shall have appropriate training, expertise, and experience in the field of information security to oversee the Program and further, will be charged with regular and direct reporting to the Chief Executive Officer regarding the status of the Program, the security risks faced, resources required for implementation of the Program, and the security implications of Defendant’s business decisions. At a minimum, the CISO shall provide a written report to the Board or Chief Executive Officer and Chief Financial Officer on a quarterly basis.
 
33. The Program shall include a documented written incident response plan to prepare for and respond to any future Security Events. At a minimum, this plan shall provide for the following phases of a response: Preparation; Detection and Analysis; Containment; Notification and Coordination with Law Enforcement and Regulators; Recovery; Consumer Notification and Remediation; and Post-Incident Analysis.
 
The agreement also requires an annual assessment of the Program, covering the collection, storage, maintenance, transmission, and disposal of PI and PHI, by a third-party assessor for the next 7 years.

 
Here is a note for those of you who think a big company will have plenty of insurance and security in place, so there is nothing to worry about: imagine if your money and your patients were tied up in this breach. And imagine if the breach happened to any of you business associates out there.

Courts, Cameras, and Exchange

[33:35] Way back in May 2019 we did an episode called Smile You Are On Camera – Ep 202 where we discussed how cameras are everywhere these days – from dashcams to home security camera systems to CCTV in cities and businesses and even in our pockets. But more and more we hear about how these camera systems aren’t being properly secured.
 
Case in point, the Verkada camera debacle reported by Healthcare Info Security:
 
Verkada's Camera Debacle Traces to Publicly Exposed Server
 
Verkada, a fast-growing cloud surveillance camera company, left over 150,000 cameras deployed by large companies, schools, local government agencies and healthcare institutions exposed to the internet. A hacker group called Arson Cats gained access to these cameras with relative ease and could have done pretty much anything they wanted with them. They found the Verkada cameras by using the Shodan IoT search engine, which can be used to find devices or applications exposed to the internet.
 
These cameras were located in hospitals, prisons, schools, local government agencies and large companies… all over the place. The hackers found hard-coded backdoor credentials exposed publicly on the internet. They say they didn't attack the cameras; they simply logged in and looked around (at least that's what they said).
 
[39:19] If you have cameras, period, you need to double check, triple check, quadruple check, and never stop checking that they are segmented and secured so that people can't get in and look around. As a matter of fact, you should consider every single piece of technology you bring into your business and get IT involved to help you evaluate the impact it could have on your network and security. Furthermore, if you are relying on a third party to store your camera feeds and support the cameras themselves, then you need to properly vet the vendor and make sure that the cameras are secure, not easily reachable from the internet, and updated on a consistent basis. Also, have someone, maybe your IT company, check online periodically to make sure that the vendor hasn't had some sort of breach.
 
Also, work with your IT company to segregate these cameras on a separate network from the business network where your staff do their work. Doing so helps keep a hacker who gets into the cameras from looking around for something else on the same network to exploit.

Microsoft Exchange Hack

[44:08] A Chinese hacking group seized control over hundreds of thousands of Microsoft Exchange Servers worldwide – at least 30,000 of them located in the US. They are stealing email from victim organizations by exploiting four newly discovered flaws in the email software. The attacks give the hackers total, remote control over the affected email systems.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
 
So, if you use email, period, check with IT and find out whether your email is hosted on a Microsoft Exchange Server connected to the internet, because it could be among those that have been attacked. Then determine whether the newly released updates have been applied. Keep in mind that applying the update only closes the door; it does not remove anything an attacker left behind on a server that was already compromised, so a server that was exposed before it was patched also needs to be checked for signs of compromise.
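The two questions above ("is it patched?" and "was it hit before the patch went on?") are usually answered on the server itself with PowerShell (Get-ExchangeServer for the build, and Microsoft's published Test-ProxyLogon.ps1 script for indicators). The script below is an added example written for these show notes, not code from the podcast, Microsoft or Krebs: it takes a build string as reported by Exchange and a slice of the HttpProxy log, and reports the patch status and any unauthenticated requests carrying the "ServerInfo~" anchor mailbox that Microsoft described as the footprint of the CVE-2021-26855 request. The patched build numbers are recalled from Microsoft's KB5000871 notes and must be confirmed against Microsoft's current Exchange build table before you rely on them; the sample log, host names and addresses are constructed for the example.

```python
"""Added example (not from the podcast, Microsoft or Krebs): two offline checks a
practitioner can run against data exported from an Exchange server to answer
"are we patched?" and "was our server hit before the patch went on?".
"""
import csv
import re
from typing import Dict, List, Tuple

# Lowest build carrying the March 2, 2021 security update for each cumulative
# update (CU) that received it. ASSUMPTION: recalled from Microsoft's KB5000871
# release notes; confirm against Microsoft's Exchange build-number table.
PATCHED_BUILDS: Dict[str, Tuple[int, ...]] = {
    "Exchange 2013 CU23": (15, 0, 1497, 12),
    "Exchange 2016 CU18": (15, 1, 2106, 13),
    "Exchange 2016 CU19": (15, 1, 2176, 9),
    "Exchange 2019 CU7": (15, 2, 659, 12),
    "Exchange 2019 CU8": (15, 2, 721, 13),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Accept '15.2.721.13' or Get-ExchangeServer's 'Version 15.2 (Build 721.13)'."""
    parts = re.findall(r"\d+", version)
    if len(parts) != 4:
        raise ValueError(f"unrecognised Exchange build string: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """'patched', 'UNPATCHED ...' or 'unknown ...' for one server's build."""
    build = parse_build(version)
    for cu, minimum in PATCHED_BUILDS.items():
        # The first three numbers identify the CU; the fourth is the update level.
        if build[:3] == minimum[:3]:
            if build >= minimum:
                return "patched"
            return f"UNPATCHED: {cu} build {version} is below {'.'.join(map(str, minimum))}"
    return "unknown: this CU did not receive the March 2021 update; move to a supported CU first"


# CVE-2021-26855 (the SSRF that starts the chain) leaves rows in the HttpProxy
# logs under ...\Exchange Server\V15\Logging\HttpProxy where AuthenticatedUser is
# empty and AnchorMailbox looks like 'ServerInfo~<host>/<path>'. That is the
# indicator Microsoft published; the log parsing below is this example's own.
def find_ssrf_indicators(log_text: str) -> List[Dict[str, str]]:
    fields: List[str] = []
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Exchange logs name their CSV columns here, so column order is not hard-coded.
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other '#' header lines (Software, Version, Log-type, Date)
        if not fields:
            raise ValueError("data row seen before the #Fields: header")
        row = dict(zip(fields, next(csv.reader([line]))))
        anchor = row.get("AnchorMailbox", "")
        if row.get("AuthenticatedUser", "") == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


# Constructed sample in the shape of an HttpProxy log (a handful of the real
# columns, made-up hosts and addresses). Row 2 is what an exploitation attempt looks like.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T01:02:03.000Z,1,10.0.0.5,/owa/,jdoe@clinic.example,jdoe@clinic.example
2021-03-03T01:04:17.000Z,2,198.51.100.23,/owa/auth/x.js,,ServerInfo~a]@exch01.clinic.example:444/autodiscover/autodiscover.xml
2021-03-03T01:05:00.000Z,3,10.0.0.9,/ecp/,admin@clinic.example,admin@clinic.example
"""


if __name__ == "__main__":
    for v in ("15.2.721.13", "Version 15.2 (Build 721.2)", "15.1.2044.4"):
        print(v, "->", patch_status(v))
    for hit in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("possible CVE-2021-26855 request:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
```

A server on a CU that never received the update reports "unknown" rather than "patched" on purpose: the fix was only shipped for the CUs listed, so an older CU has to be brought forward before it can be patched at all. A hit in the log on a server that was internet-facing before the update went on is the signal to treat the box as compromised and bring in incident response, not just to patch and move on.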

In the past, some IT companies believed that if they could make a network complicated enough, no one could break into it. In reality, the more complicated and complex a network environment is, the harder it is to protect. Just throwing technology at a problem isn't always the answer. Every extra piece of software or hardware is one more thing that can be infected, attacked, breached or turned against you.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: