.st0{fill:#FFFFFF;}

Podcast

New NY State AG HIPAA Enforcement – Ep 442 

 January 26, 2024

By  Donna Grindle

Share0
Tweet0
Share0

We all know that OCR is the HHS department that oversees and enforces HIPAA to ensure the protection of individuals’ healthcare information. However, more and more states around the country are also making efforts to protect their constituents’ personal information and hold companies accountable for their poor data security practices. Today, we discuss recent HIPAA enforcement actions taken on businesses by the NY State Attorney General’s Office.

A 5 star review is all we ask from our listeners.
1x
Apple PodcastsGoogle PodcastPlayer EmbedShare Review Us on Apple PodcastsListen in a New WindowDownloadSoundCloudStitcherSubscribe on AndroidSubscribe via RSSSpotify
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy

In this episode:

New NY State AG HIPAA Enforcement – Ep 442

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

Thanks to our donors.

The HIPAA Privacy and Security Boot Camp

3.5 day In Person Event

April 9, 10, 11 and 12, 2024

PriSecBootCamp.com

HIPAA Briefs

[13:00]

Who enforces HIPAA regulations?

  • HHS OCR – This is the department we sometimes refer to as the “HIPAA Police”
  • States Attorney General – Under the HITECH Rule, they are allowed to enforce HIPAA on behalf of their constituents for incidents that happen in their state.

405(d) Tip of the Week

[16:06] 405d Post Volume XXII Dec 2023

The main article is Building Sustainable Health and Public Health Services with Enhanced Cybersecurity Knowledge and Action by Kendra Siler who is the HHS 405(d) Task Group Wave Lead. This Task Group looks at different ways and different methods to provide specific training for and resources to healthcare professionals to help build a culture of cyber hygiene to protect businesses and their patients. They created the CommHIT program that is a way to train technology providers and provide the CHMSP certification for IT professionals working with healthcare clients in Florida. They are also looking at programs in the US Virgin Islands as well.

Another article on Effective Policies to Mitigate the Risk of Cyber-Attacks that specifically points out what small entities should prioritize.

Also released in Dec 2023:

Cyber Insurance for Small Healthcare Organizations

Cyber Insurance for Medium/large-sized Healthcare Organizations

These are 1 page flyers with information on why you should care and what things you should think about.

New NY State AG HIPAA Enforcement

[18:30] We don’t always cover the state cases but this one has some interesting details in the settlement. This one is between NY AG and Refuah Health Center. They are a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley. Plus there is a lot more happening in NY these days.

Attorney General James Reaches Agreement with Hudson Valley Health Care Provider to Invest $1.2 Million to Protect Patient Data

Refuah Health Center, Inc NYAG Investigation Findings

Refuah shlema is a Hebrew phrase similar to saying “get well soon”. Ree Fu Ah

What happened?

May 2021, Refuah experienced a ransomware attack which they reported and NYAG initiated an investigation. Refuah discovered the attack June 1, 2021. Lorenz Ransomware group claimed to be the attackers.

250,000 residents of New York records were exposed.

Findings

[23:14] From their announcement here is what the official statement of the findings were.

The OAG’s investigation concluded that attackers were able to access this data because Refuah had failed to adopt appropriate data security practices to protect patients’ personal and health information. Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.

Included in the settlement are several specific details including these:

Attackers were able to gain access to a Refuah system used for viewing video from internal cameras monitoring facilities. Access to this system was protected by a static four-digit code.

From this system, attackers were then able to remotely network using login credentials for an administrative account that were stolen during the attack. The administrative credentials the attackers exploited to gain remote access were associated with a Refuah account used by a former IT vendor. The credentials had not been changed for at least 11 years. Further, despite the fact that the IT vendor had not worked with Refuah since 2014, the account used by the vendor had not been deleted or disabled. Multi-factor authentication was not enabled for the account.

Over the course of two days, the attackers exfiltrated files and data that contained patient information. The attackers also deployed ransomware that encrypted several systems, rendering them inaccessible without the decryption key held by the attackers

Refuah did not, however, investigate whether attackers had accessed the database, even though: (a) the screenshot containing information on 34 patients that the attackers provided to representatives of the company contained information only found in the database and (b) the screenshot likely reflected data in an actor-controlled database electronic medical records system.

The most recent SRA prior to May 2021 was March 2017 by an external vendor. That tells you there are a lot of other mentions of deficient areas of their data security program.

Settlement

[31:45] Pay $450,000 in penalties and costs plus invest $1.2 million to strengthen its cybersecurity. A commitment that $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program.

The agreement also requires the health care provider to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
  • Implement and maintain policies and procedures that limit access to consumer information;
  • Require the use of multi-factor authentication to remotely access resources and data;
  • Regularly rotate credentials that are used to access resources and data;
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
  • Encrypt all consumer information, whether stored or transmitted;
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
  • Develop, implement, and maintain a comprehensive incident response plan.

NY AGs office has closed several others

[35:01]

Attorney General James Secures $450,000 from Medical Company Providing Services in Western New York for Failing to Protect Patient Data November 8, 2023

The US Radiology Settlement documented how the network was infiltrated due to a delay in installing a Sonicwall replacement for end of life hardware with a known vulnerability going back to Jan 2021. They planned to replace it in July but then it got put off for the usual reasons. Dec 8, 2021 the attackers found them and were able to sign into the VPN and take over all kinds of things. 92,540 New Yorkers were included in the data breach out of a total of 198,260 exposed.

Note on this one that US Rad provides several managed services for Windsong Radiology Group which is in Western NY. The AG got involved specifically concerning that group. No mention of how many others may have gotten hit at the same time.

[39:19]

Attorney General James Secures $350,000 from Long Island Home Health Care Company for Failing to Protect Patient and Employee Data – October 18, 2023

In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades…

Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve their cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.

[41:05]

Attorney General James Recoups $550,000 from Erie County Medical Management Company for Failing to Protect Patients’ Data May 23, 2023

In January 2019, Practicefirst’s firewall provider released a new version of its software that was designed to patch a critical vulnerability. Practicefirst failed to update its software and failed to conduct penetration tests, vulnerability scans, or other security testing that would have identified security problems. In November 2020, a hacker exploited the critical firewall vulnerability and successfully gained access to Practicefirst’s systems. The hacker later deployed ransomware and pulled out files containing patients’ personal information. Days later, screenshots containing personal information of 13 consumers were discovered on the dark web.

Attackers stole over 79,000 files with over 1.2 million patients of Practicefirst clients, including over 428,000 New Yorkers. This information, maintained on Practicefirst’s network, was not encrypted.

Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.

[45:51]

Attorney General James Releases Data Security Guide to Help Businesses Better Protect Consumers’ Personal Information April 19, 2023

NY AGs guide: Protecting consumers’ personal information

NY Proposed Cybersecurity Requirements for Hospitals

[46:14]

Governor Hochul Announces Proposed Cybersecurity Regulations for Hospitals Throughout New York State

Governor Hochul’s FY24 budget includes $500 million in funding that health care facilities may apply to upgrade their technology systems to comply with the proposed regulations.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” Governor Hochul said. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

The details are published in the State Register NYS Register/December 6, 2023 you can find them beginning at the bottom of page 7.

A few of the proposed requirements and details in the register to note:

  • Applies to all general hospitals licensed in the state but not to other entities.
  • CISO required to design and implement the cybersecurity program. Currently, it allows for that to be an employee of a 3rd party.
  • Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.
  • “Given the variability in cybersecurity preparedness and current programs at facilities, the initial startup and ongoing costs could vary significantly. After initial conversations with facilities to gain a basic understanding of costs, it is estimated that effective cybersecurity programs can cost millions to develop and implement initially, and anywhere from $50,000-$2 million or more to maintain on a yearly basis depending on the facility size. For small hospitals (of which there are 15 and are defined as less than 10 acute care or ICU beds), ongoing annual costs are estimated to be $50,000-$200,000. For medium sized hospitals (of which there are 62 and are defined as those with between 10 and 100 beds), ongoing costs are estimated to be $200,000-$500,000. For large hospitals (of which there are 114 and are defined as those with more than 100 beds), ongoing annual costs are estimated to be $2 million.”
  • Facilities will be required to report any cybersecurity incidents as defined in the proposed regulation within 2 hours of discovery

New York State Cybersecurity Strategy has details about the bigger picture for all of the state.

Go to top

Creating and maintaining a robust cybersecurity program in the healthcare industry is absolutely vital. A strong cybersecurity program not only protects patients’ personal data from potential breaches but also ensures the uninterrupted functioning of essential healthcare services. Beyond that, it builds trust among patients, as they need to feel confident that their private health information is secure. In a world where cyber threats continue to evolve, investing in cybersecurity is not just a choice, but an ethical and practical imperative for the healthcare sector.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Listener Survey

Special thanks to our sponsors Security First IT and Kardon.

Share 0
Tweet 0
Share 0

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: