
Welcome to another episode where chaos meets cybersecurity and common sense tries to crash the party. In this digital drama, we’re untangling the curious case of a former employee with way too much access, some mysterious printed medical records, and a whole lot of “Wait… WHAT?!” moments. We also dive into the thrilling (read: terrifying) reality of outdated edge devices and how your trusty old router might just be moonlighting as a hacker’s BFF. Oh, and spoiler alert—Microsoft Recall still isn’t winning any popularity contests.
In this episode:
Edge of Disaster – Ep 512
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Edge of Disaster
[02:08]HIPAA Security Rule Investigation with a Florida Health Care Provider
Resolution Agreements | HHS.gov
Settlement Resolves Investigation into Potential Security Rule Failures Exploited by Malicious Insider
BayCare Health System in Tampa, FL is a huge health system, but this settlement is all about a problem created by an ex-employee of a connected physicians' office whose credentials still worked in BayCare's EMR.
OCR initiated the investigation following its receipt of a complaint in October 2018, in which the complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen. The investigation determined that the credentials used to access the complainant’s medical record belonged to a non-clinical former staff member of a physician’s practice, which had access to BayCare’s electronic medical records for the continuity of common patients’ care.
The settlement: $800,000 and a two-year corrective action plan (CAP).
“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”
Under the corrective action plan, BayCare will take steps to resolve its potential violations of the HIPAA Security Rule, and to protect the privacy and security of ePHI, including:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Training its workforce that has access to ePHI on its HIPAA policies and procedures.
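One way to turn that point into a routine check, as an added example that is not part of the show notes, the HHS settlement, or any BayCare system: a short Python script runs a constructed EMR access log against a constructed workforce roster and flags the three things the OCR finding hinges on, access by an account whose owner was terminated, a non-clinical role opening charts, and access to a patient the affiliated practice does not share with the health system. The log format, user IDs, patient IDs, practice names and roster fields are all assumptions made up for this example; a real EMR audit log and HR feed will look different, but the joins are the same.

```python
"""Audit EMR access events against a workforce roster.

Added example (not from the HHS settlement or any BayCare system): the log
format, roster fields, user IDs, patient IDs and practice names below are all
constructed for illustration.
"""
from datetime import date, datetime
import re

# Constructed roster: who may use the shared EMR, from which affiliated
# practice, in what role, and when (if ever) they left.
ROSTER = {
    "nurse.a": {"practice": "Affiliated Physicians", "role": "clinical",     "terminated": None},
    "front.b": {"practice": "Affiliated Physicians", "role": "non-clinical", "terminated": "2018-06-30"},
    "dr.c":    {"practice": "Health System",         "role": "clinical",     "terminated": None},
}

# Constructed list of the patients each practice shares with the health
# system; the EMR link exists only for continuity of these patients' care.
SHARED_PATIENTS = {
    "Affiliated Physicians": {"P1001", "P1002"},
    "Health System":         {"P1001", "P1002", "P2001", "P2002"},
}

# Actions that expose a full chart and so belong to clinical roles only.
CHART_ACTIONS = {"view_chart", "print_chart", "export_chart"}

# Constructed log format: "<ISO-8601 UTC> user=<id> patient=<id> action=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log: one normal clinical user, one terminated
# front-desk account still in use, and one account nobody on the roster owns.
SAMPLE_LOG = """\
2018-09-14T10:22:05Z user=nurse.a patient=P1001 action=view_chart
2018-09-14T10:25:41Z user=front.b patient=P2001 action=view_chart
2018-09-14T10:26:10Z user=front.b patient=P2001 action=print_chart
2018-09-14T11:02:00Z user=dr.c patient=P2002 action=view_chart
2018-09-14T11:30:00Z user=ghost patient=P1002 action=view_chart
"""


def parse_line(line):
    """Return (timestamp, user, patient, action), or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["patient"], m["action"]


def check_access(ts, user, patient, action, roster=ROSTER, shared=SHARED_PATIENTS):
    """Return the list of rules one access event violates (empty when it is fine)."""
    entry = roster.get(user)
    if entry is None:
        # Credentials nobody on the roster owns: an orphaned or shared account.
        return ["unknown_user"]
    findings = []
    if entry["terminated"] and ts.date() > date.fromisoformat(entry["terminated"]):
        # Access after the termination date means the account was never disabled.
        findings.append("terminated_user")
    if entry["role"] != "clinical" and action in CHART_ACTIONS:
        # Minimum necessary: a non-clinical role has no need to open charts.
        findings.append("non_clinical_chart_access")
    if patient not in shared.get(entry["practice"], set()):
        # The practice's EMR link covers its shared patients only.
        findings.append("no_shared_care_relationship")
    return findings


def audit(log_text):
    """Run every event through check_access; return [(line_no, user, rules)] for hits."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, patient, action = parsed
        rules = check_access(ts, user, patient, action)
        if rules:
            hits.append((n, user, rules))
    return hits


if __name__ == "__main__":
    for n, user, rules in audit(SAMPLE_LOG):
        print(f"line {n}: {user}: {', '.join(rules)}")
```

The roster has to come from the HR or termination workflow, not from the EMR's own user list, or the "terminated_user" rule never fires; the whole point of the settlement is that the EMR still thought the account was valid. Running this daily over the previous day's log is cheap, and the "no_shared_care_relationship" rule is what catches a valid clinical account browsing patients it has no business seeing.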
We Still Don’t Like Recall
[16:36]The Edge Is Now Your Problem
[22:12]In today’s shifting cybersecurity landscape—where federal agencies like CISA are stepping back from certain enforcement actions—companies must rethink how they manage and mitigate digital threats. In a recent SecureWorld article, cybersecurity veteran Todd Inskeep outlines this new reality and the imperative for organizations to take greater ownership of their cyber risk strategies. With over 30 years of experience as an executive, advisor, inventor, and CISO, Inskeep now leads Incovate Solutions, where he provides board-level strategy and fractional-CISO services to help mid-market businesses navigate today’s complex threat environment.
The Edge Has Become the Battleground
The article also points to an FBI alert on how end-of-life routers, the kind commonly found in homes and small businesses, are being compromised and used as proxy infrastructure for cybercrime: FBI: End-of-life routers hacked for cybercrime proxy networks
“If your board minutes and risk register don’t show active oversight of edge resilience, plaintiff’s counsel will frame it as negligence—especially once a safe-harbor standard exists for those who did act.”
The list the author recommends aligns well with many of the actions we have discussed over and over here.
- Gather a complete inventory of all technology assets
- Track end-of-life devices and plan to replace them or, until then, harden them
- Monitor your network and devices for suspicious activity
- Get the whole workforce involved in cybersecurity; if you don't know what normal activity looks like, you also won't recognize abnormal activity
- Run tabletop exercises to review your plans for handling downtime
“Use the next board session to pose three questions:
Do we have a living inventory of every edge device that could impact revenue or safety?
Can management show evidence that those devices are patched, segmented, and monitored?
If an adversary (like Volt Typhoon) triggered localized outages tomorrow, what is our plan for business continuity and regulatory disclosure before federal help arrives?
If the answers are shallow, redirect capital. Edge resilience lacks the flashy headlines of AI, but it underpins every digital transformation.”
There is a lot to grasp here, but just like the settlement discussion we started with, you have to consider how small things can have a major impact. If you aren't actively managing these risks, they are likely to become a major problem at some point in the future. As the author stated in his closing:
“The adversary has already demonstrated the edge is the fastest path to strategic leverage. The only question is whether your leadership understands it, too—and acts before gravity does its work.”
As we slam the laptop lid on this episode, let’s reflect on a few truths. Giving ex-employees unrestricted access is like handing your house keys to your ex and being surprised when your fridge is empty and your secrets are on YouTube. The edge of your network isn’t just a forgotten nook filled with tangled cables—it’s the new frontier for hackers who love outdated hardware more than cats love boxes. Leadership, not just IT, needs to suit up and make the big calls—because relying on dusty old routers and training people via bathroom-stall policy manuals won’t cut it. And if someone tries to push Windows Recall on you, just say no like it’s a suspicious van offering free candy. Stay patched, stay paranoid (in a healthy way), and maybe give your router a quick glance—it could be moonlighting for the dark side.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.


