
Forget action-packed heist movies — the real cybersecurity heroes are the ones making their auditors yawn. In this episode, we break down why “boring and patched” should be everyone’s new life goal. From AI developments that won’t sit still for five minutes to real-world cyber drama featuring surprise FBI visits (no popcorn needed), we’re serving up a crash course in staying safe, sane, and just boring enough to avoid disaster.
In this episode:
Keeping It Boring and Patched – Ep 504
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Keeping It Boring and Patched
[04:57] The National HIPAA Summit was last week. It is virtual now, so everything is prerecorded, which makes it less likely to be the big breaking-news event it was for years. Now it is about hearing the latest on what is happening in all the different areas HIPAA touches. I have several sessions I will be going back over to make notes for a review. However, this year, on top of being prerecorded, it is also clear that there is much more unknown than known from a regulatory standpoint.
What is very clear right now is that attackers are upping their game using AI. It is very unfortunate for us that those advancements coincide with the chaos and uncertainty we are experiencing across the board today. So, today I have a few points to touch on from the Summit, and then a very interesting article that I think is important to share.
Keeping It Boring – HHS OCR Addresses HIPAA Summit
[11:57] Just a few highlights from my notes:
The audits that were coming back into play officially began in December. Fifty organizations were selected for an audit of their compliance program; some are CEs and some are BAs. If you are lucky enough to be one of those organizations, consider it free consulting from OCR and roll with it. Unless they find something horribly egregious, they won’t think of switching to an enforcement case. They wouldn’t normally do that, and I doubt they want to take that on now.
He said the audit is looking at compliance with “selected provisions” of the Security Rule, those most relevant to hacking and ransomware attacks.
“These audits will give us an opportunity to examine their mechanisms for compliance and discover risks and vulnerabilities that may not have been revealed by enforcement activities. It will benefit the auditees by giving them OCR’s assessment of their Security Rule compliance and how to improve their cybersecurity.”
I loved the statement he made about how to handle OCR audits and investigations. His tip is to make their work on your case boring. If it is boring, that means they aren’t finding any major problems. Maybe that needs to be our goal: we want to make sure you are boring!
One thing I don’t think they touched on is that, under the recognized security practices amendment, they are supposed to let the audit be quick and easy if you can prove you are following them. Yet another reason to implement and document HICP!
This session also reviewed the NPRM, and he said they had received about 4,745 comments. That will take some time to sort through. He said they intend to read every single one of them.
Another thing: this was all recorded and released before the announcement of the 10,000 people being cut from HHS.
Across the entire conference there is a sense of doing your best to maintain and move forward with your defenses, because no one knows where anything will go at this point. The one thing we know for sure is that the attacks are not decreasing; if anything, they are increasing. So, while we wait for them to figure out what playbook they plan on writing, and then actually write it, we still have to deal with the problems at hand. Our message continues to be: defend yourself now, and keep doing what you are currently doing so you are meeting the requirements we know exist today.
Keep your eye on the ball, or you’ll end up behind the eight ball — and no one wants to play cybersecurity in hard mode. Yes, I mixed sports metaphors. No, I don’t regret it. Security is a full-contact sport these days.
More on HIPAA Summit sessions in future episodes. I have several reports to review beyond what was in the presentations. Some presentations I couldn’t catch when they were released on the conference schedule, and I have to go back to watch them and review that content too. Yep, I have plenty of work to do, but that is why you listen to the podcast, right? I am doing that exciting work.
Keeping It Patched
[23:40] This is the FBI, open up. China’s Volt Typhoon is on your network
From the Cyberattack Article
“We don’t have any access to large critical infrastructure. We don’t own transmission. We’re a distribution company. Yes, we’re part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack,” Lawler told The Register.
When the FBI called, he really did say, “Go f-yourself, I’m not going to click on a link, you must think I’m an idiot. What is your name again?” and demanded they show up at his office on Monday morning if there really was a problem. Imagine his surprise!
The Chinese snoops gained initial access via a buggy FortiGate 300D firewall, according to Lawler. Fortinet patched this flaw in December 2022, but as of August 2023 LELWD’s managed services provider still hadn’t updated the firmware. The water and electric utility has since fired that MSP.
And there you have it — a friendly reminder that in the wild world of tech and cyber threats, boring is beautiful. Whether it’s AI evolving faster than your favorite pizza place’s delivery times or hackers sneaking in through the tiniest cracks, staying patched and cautious is the name of the game. Play it safe, keep it low-drama, and maybe even enjoy being the most uninteresting case file on someone’s desk.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.