Today we are going to cover the trouble we expected to see start happening after the rush to convert us all to work from home. Our concern that “no one was paying attention except the criminals” is starting to come to fruition.

A 5 star review is all we ask from our listeners.

In this episode:

Here comes trouble – Ep 268

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

You know how you can sometimes read an article that makes you laugh because of an inside joke? When I saw this one I had a good laugh. What not to do in a bear attack? Push your slower friends down in attempts of saving yourself, says the National Park Service

HIPAA Say What!?!

[13:59] Q: If a covered entity selects a video conference / telehealth provider (like Zoom for Healthcare, WebEx, Babylon, etc.) where patients need to login and the episode might be recorded or transmitted – are these providers considered a BAA under HIPAA?

What has been your experience with vendors regarding their willingness to enter into a BAA?

In Canada, my experience is that it is almost impossible to get a vendor to enter into an agreement (we call them IMA).

We feel your pain. It is a problem many times. First, the tools that are used for these types of sessions are required to be BAs under normal HIPAA rules. There is a temporary “enforcement discretion” period during COVID, but other than that temporary reprieve they must be a BA and sign a BAA.

Here comes trouble

[19:25] When I am trying to work out topics for this episode there are a bunch of tabs open with articles about breaches and attacks. Then this pops up in my email from the OCR listserv: Cyber Alert: Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks

OCR Alert about an FBI Alert

Let’s start with why OCR was alerting us. This FBI Notice: Windows 7 End of Life PIN 20200803 002 BC

OCR is sharing the following update with our listserv from the Federal Bureau of Investigation (FBI), warning individuals that the FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.

Just as we have been telling folks since before Windows 7 EOL in January, and since before Windows XP EOL years ago, these devices become targets once attackers know the security updates won’t be done. The FBI alert specifically calls out healthcare entities first. Shocking, I know. Can you believe the Win 7 EOL date was just in Jan 2020? Seems like a lifetime ago!

As of May 2019, an open source report indicated 71 percent of Windows devices used in healthcare organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year.

Then they call out RDP being used. What have we been concerned about during the shutdown? RDP use increased dramatically. We feel certain the security requirements of RDP were not included in a majority of those cases.

Cyber criminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered the RDP vulnerability called BlueKeep in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cyber criminals often use misconfigured or improperly secured RDP access controls to conduct cyber attacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.

Then they point out how unpatched Windows 7 was the reason WannaCry spread like wildfire. Can you believe WannaCry was back in May 2017? Wow, we have known about these things for a while and some of them may still be unpatched. The end of that review in the alert was really the whole point:

cyber criminals will continue to view Windows 7 as a soft target

These issues are not new, but the fact that they are specifically seeing traffic that is looking for those devices just shows us that the criminals are indeed running business as usual. They are using all of the known gaps in our technical and human security issues. If you have this problem, you should be handling it with some method other than business as usual: mitigate it with segmentation and zero trust. That only points out why you need professional IT support, not someone who is “good with computers and worked at X”. In the words of the FBI:

Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization.

Microsoft shares how easy it is to get hacked on Windows

[34:18] I loved the articles about this when you get titles like: Microsoft Reveals New Innocent Ways Windows Users Can Get Hacked

Patch Tuesday for August 2020 was full of issues being corrected and many of them serious ones. Just this month the batch included 120 fixes, 17 were critical, and the rest were considered important. This article pointed out that these fixes showed just how vulnerable the average user is when these problems exist on their devices.

In a nutshell, your Windows computer can be hacked if you:

  • Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs
  • Listen to audio — thanks to bugs affecting Windows Media Audio Codec
  • Browse a website — thanks to ‘all time buggy’ Internet Explorer
  • Edit an HTML page — thanks to an MSHTML Engine flaw
  • Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader
  • Receive an email message — thanks to yet another bug in Microsoft Outlook

So there’s that. Patching is essentially the only way to have a fighting chance.
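The FBI notice above boils down to three risk signals a practice can actually check: an operating system past its end-of-support date, RDP reachable from the Internet on such a box, and patches that have not been applied in a long time. The script below is an added example, not code from the podcast, OCR or the FBI; it triages a small asset inventory against those three signals and suggests the segmentation and RDP restrictions the episode recommends. The CSV column names, hostnames, segments and the “today” date are constructed for the example (hypothetical, not real systems), and the 90-day stale-patch threshold is an assumption; the two end-of-support dates are Microsoft’s public dates for Windows XP and Windows 7.

```python
"""Triage an asset inventory for EOL Windows, Internet-exposed RDP and stale patching.

Added example for the Help Me With HIPAA show notes; all hosts below are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Public Microsoft end-of-support dates for the two products the FBI notice names.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumed policy: flag any host that has gone this long without a patch.
STALE_PATCH_DAYS = 90

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# Constructed sample inventory (hypothetical hostnames and segments).
# Columns are an assumption; adapt them to whatever your RMM or asset tool exports.
SAMPLE_INVENTORY = """\
hostname,os,rdp_enabled,rdp_internet_exposed,last_patch_date,segment
ws-frontdesk-01,Windows 7,true,true,2019-11-12,clinical
ws-nurse-03,Windows 10,true,false,2020-08-11,clinical
srv-pacs-01,Windows Server 2016,true,false,2020-07-14,servers
ws-billing-02,Windows 7,false,false,2020-01-14,business
"""


def _flag(value):
    """Interpret the usual spellings of a boolean column."""
    return value.strip().lower() in ("true", "yes", "1")


def triage_host(row, today):
    """Return (severity, finding) tuples for one inventory row."""
    findings = []
    eol = EOL_DATES.get(row["os"])
    unsupported = eol is not None and today >= eol

    if unsupported:
        findings.append(("high",
                         f"{row['os']} unsupported since {eol.isoformat()}: "
                         "move to an isolated segment and plan the migration"))

    if _flag(row["rdp_enabled"]):
        if _flag(row["rdp_internet_exposed"]):
            # Unsupported OS plus RDP on the Internet is exactly the soft target
            # the FBI notice describes, so it outranks everything else.
            severity = "critical" if unsupported else "high"
            findings.append((severity,
                             "RDP reachable from the Internet: put it behind a "
                             "VPN or RD Gateway with MFA, or disable it"))
        elif unsupported:
            findings.append(("medium",
                             "RDP enabled on an unsupported OS: disable it or "
                             "limit it to a jump host"))

    last_patch = date.fromisoformat(row["last_patch_date"])
    age = (today - last_patch).days
    if age > STALE_PATCH_DAYS:
        findings.append(("medium", f"no patches applied in {age} days"))

    return findings


def triage_inventory(csv_text, today):
    """Map each hostname in the CSV to its list of findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage_host(row, today) for row in reader}


def worst_severity(findings):
    """Highest severity among a host's findings, or None if it is clean."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed "today" so the example is reproducible.
    report = triage_inventory(SAMPLE_INVENTORY, date(2020, 8, 18))
    for host, findings in report.items():
        print(f"{host}: {worst_severity(findings) or 'clean'}")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

Run against a real export, the clean hosts drop out and the report orders the rest by how closely they match the pattern in the alert, which is the list you hand to whoever is doing the segmentation work.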

If it can happen to them

[42:56] Speaking of having a fighting chance, when I saw these articles I felt a bit defeated.

SANS Institute Sees Its Breach as Teachable Moment

SANS infosec training org suffers data breach after phishing attack

If SANS gets hit like this then we should all be prepared for it to happen to us. End of discussion, period, nothing else to argue here. Move along.

The breach announcements are flowing

[49:51] As expected, we are starting to see the damage from the overload that has been happening all over the world.

Three more medical practices hit by ransomware

Unsecured Database Exposed on Web – Then Deleted

Due to HHS intervention, an FTP leak in 2018 is finally reported to patients

Medical records for more than 61,000 cardiac patients left unsecured online

Ashley County Medical Center investigates former employee accused of violating federal privacy laws

OH: Premier Health Partners Discloses Breach, but No Notifications to Patients Yet

The attacks keep happening, and the activity will continue to be high for months to come. Understanding these issues is part of the battle gear you need. If you have no idea this is happening, how do you have a chance to protect yourself? Information is key to protecting yourself.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.