no one is watching the hen houseSo far 2020 has the whole world turned upside down. A true global pandemic, global economic fallout still happening from a shutdown caused by the pandemic and a level of global social unrest that hasn’t been seen in 40-50 years. Yes, it is overwhelming. But, it is also very clear that the criminal factors and nation-state attackers are well aware no one is watching the hen house too.


A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

No one is watching the hen house – Ep 260

The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to

Registration Form

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at

Like us and leave a review on our Facebook page:

Listener email from  Jack

1st – Love your podcast and have listened to every one of them.

2nd – I work for a company that requires our health information (Minimal – see below for the information needed) into a portal. It is an external portal and not part of our company. We are also self insured, so we are considered CE if I understand correctly. We are a copier supplier with the following areas that would fall into the role of a BA.

– Copier Service company

– MSP portion of the business

– Shredding Company

Each has clients in a HIPAA Compliance vertical.

The company I work for does not feel that they are a CE even after providing documentation of that status.

The company does not have a signed BAA with the vendor. When I questioned them on that, they stated that HIPAA has provided some allowances for this to put something into place. The question they could not answer was what the vendor will do with the data collected during and after the service is used. We also have not completed any due diligence in their services or portal. I also mentioned that we should have officiated the names with the employee number or something that they could not connect with a name. The answer I received was that the Employee Number can be considered part of PHI. I commented that this could be correct, but the vendor would not have access to the database that holds the Employee Number and the Employee Name to make the connection.

Are my concerns valid or is this the norm in this time of the pandemic? Any insight would be greatly appreciated.

Merchant bank account change form story from Donna. It is going to be interesting how this turns out.

No one is watching the hen house

No matter what you are focused on in your normal day-to-day survival it probably hasn’t been all the announcements about new malware, vulnerabilities, and attack methods being actively used while we are all distracted. Yes, it is certainly understandable we are distracted by any one much less all of these issues.

Crazy stuff

Business Associate Incidents Added to Breach Tally

Dumpster disposal of records by a records management company and a tornado hits a building holding medical records causing two different data breaches from paper.  It is unfortunate that we will see continued issues as companies are going out of business or being acquired during this economic downturn created by COVID-19.

We certainly can’t forget the nation state attackers in this. An alert tells us that the North Koreans are going to be attacking more and bigger using all of this as a great cover for their actions. No one will be safe if you are connected you will be a potential target for these hackers.  Covid-19 Relief: North Korea Hackers Lazarus Planning Massive Attack on US, UK, Japan, Singapore, India, South Korea?

You must use Microsoft O365 to be HIPAA compliant is not true. David just went through this today with a client who was told exactly that.  Vet those vendors you are looking for to save money. You don’t want to spend your money on addressing things just because your vendors may be a cheaper but very much misinformed as to what you should be doing. Spend the time to make sure that cheaper deal really is going to save you money and not open you up to bigger issues.


We have all these folks working from home and very little has been done to secure those machines or those home networks. News came out this week about multiple issues that directly impact home networks and systems. If no one is making sure those issues are dealt with they can become the way into your network or systems, or both.

WFH Alert: Critical Bug Found in Old D-Link Router Models

Adobe Patches 18 Critical Flaws in Out-Of-Band Update

Netgear Zero-Day Allows Full Takeover of Dozens of Router Models

Phishing campaigns

We have a couple of cases that came in to us from clients as well as business partners. The financial attacks are really growing. They are also getting much more sophisticated. You must stay on top of any request to release any information relating to your EIN, SSN, bank account, credit cards, etc. No request should be fulfilled without double checking and sometimes triple checking.

InfoSec Handlers Diary Blog – Broken phishing finds zero day accidentally. Even sometimes these guys are sending things that don’t work but they find something new with their failure that can be used against you.

BJC reports one of the  largest breaches this year – due to email phishing.

Yet another breach involving a BA was reported to HHS on May 5 by BJC Health System in Missouri, which provides services to hospitals as a parent corporation. That incident, reported as involving email and impacting nearly 288,000 individuals, is the third largest breach posted on the HHS website so far this year.

We have seen reports that some phishing campaigns are fake notifications of data breaches by other companies. Google Alerts catches fake data breach notes pushing malware

IoT Ripple 20

This week a new vulnerability was found dealing with how IoT devices such as medical devices work. This one is way deep in the networking software and literally millions upon millions of devices have the problem. The worst part is even when this is fixed it will take years to roll out the changes to all those devices. We already have issues updating medical devices.

Millions of Connected Devices Have Exploitable TCP/IP Flaws

‘Ripple20’ Flaws in Medical Devices: The Risks

‘Ripple20’ Bugs Impact Hundreds of Millions of Connected Devices

‘Ripple20’ Bugs Plague Enterprise, Industrial & …

Protecting Unmanaged & IoT Devices: Why Traditional Security Tools Fail

New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking


A nifty attack going around includes a tool that claims to be a ransomware decryptor that will get your data back without paying. But, what it really does is perform ANOTHER round of encryption on your data so that you are now being held for ransom TWICE.

Maze Ransomware Gang Continues Data-Leaking Spree

ICS Threat Snake Ransomware Suspected in Honda Attack

Ryuk Continues to Dominate Ransomware Response Cases

Ransomware victims keep paying, and ransomware groups keep growing

The sheer magnitude of attacks is bad enough. The rate of sophistication and adaptability to all our defenses makes this no joking matter. We have to find some way to take the time to protect ourselves because it truly is a case where no one is watching the hen house and all kinds of trouble is lurking around about to walk in that door.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.