
Privacy Questions Everywhere – Ep 304 

 May 14, 2021

By  Donna Grindle

We’ve talked about how damaging a ransomware attack can be in healthcare, not only for the practice or health facility but also for patients and the integrity and availability of their data. Today, we discuss an active ransomware attack affecting a health system that is not just making the local news, but is also blowing up on social media and creating a number of privacy questions. The implications for their patients are terrifying.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[03:48] First, let’s tackle an email from listener George who asks a question in response to our podcast Episode 302 – Get Your Patch On – Ep 302. George writes:

Hi there. Thanks for the episode. Sooo, what about Solarwinds where the hotfixes were infected? We got lucky where we did not apply the hotfixes and the network was not compromised. I believe there needs to be a balance based on risk assessment on which critical assets need updates and the timeframes.

That’s the tricky thing about patching, especially when a hacker has infiltrated the actual supply chain of code. First, your IT or MSP vendors should look at the type of protections they have in place. Are they using a layered approach to securing and protecting their clients’ networks? Are they using AI behavioral based protections?

What happened to Solarwinds could happen to any application. It’s not good enough anymore to just whitelist those applications a company uses and let it update whenever it needs to and connect outside the network to other tools or resources. IT should be evaluating whether the software is doing what it is supposed to do. Is it doing what it normally does? And are those things OK? That’s where behavioral based protections come into play.

To George’s point, there should be some happy medium when it comes to patching. If you don’t have AI type protections, it will require a manual approach of evaluating patches based on what they are supposed to be fixing. This is especially true for the big ticket software apps a company uses because those could have a major impact.

Privacy Questions Everywhere

[09:57] There are privacy concerns all around us these days. Case in point is a question from listener Allison who raised a question on LinkedIn about the new laws being passed in several states. These new laws state that in order to get a mail in ballot to vote you have to submit a copy of your driver’s license so they can compare signatures. I am willing to bet there are no plans in place to manage this. Are they going to guarantee to us that they are going to shred the copies of drivers licenses sent to them? Can they guarantee that somebody isn’t just sitting there throwing one to the side every few minutes? For those that are kept to do the signature comparisons later, where are you going to keep them? Are you going to put them online somewhere? How are they going to store them? How are they going to be secured? So, whoever we have to send our licenses to needs to be thinking about what’s going to happen next.

[11:39] Another example comes from an article about the new Apple AirTags. They work really well, but that isn’t such a good thing. There are lots of reasons to believe that they can be used effectively… by you and me, but also by stalkers, domestic abusers, and others in a negative way too. As a simplistic explanation, the way AirTags work is that the tag tracks your location and uses connectivity to other Apple devices to share that location. If I have one on my gear and I walk by you, it might ping your phone and say “hey, where am I?” And your phone would answer.

[13:44] Then there’s this article about Hackers targeting cash sharing apps Zelle, CashApp and Venmo. Here’s what you can do to stay safe. Hackers are not targeting the app itself. What they’re targeting is people not securing and using the app properly. In all of the cases that this particular article covered, the user gave up information by not securing it properly. Keep in mind that hackers know it is a lot easier to hack the user than to hack the technology. Even with ransomware, it’s not hackers hacking technology, it’s hackers attacking the humans that open the door for them to the network.

Ransomware Creates a Social Media Privacy Violation Storm

[18:19] Just days ago one of San Diego California’s main health systems, Scripps Health, was attacked by ransomware. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

Here are a couple articles covering the attack and the effects it had on patient care and the community.

Ransomware Hits Scripps Health, Disrupting Critical Care, Online Portal

Scripps Health hack forcing appointments to be canceled and more

News outlets were talking to patients about how they have been affected by this ransomware attack. Patients reported that they have more questions than answers five days after Scripps fell victim to a ransomware attack. As a result, patients have had their appointments canceled, like Andrew Kaufman who had a critical surgery scheduled that week to help find a treatment for his rare muscular disease. He said the surgery was canceled due to the cyberattack making his medical history inaccessible. He still doesn’t know when he can be rescheduled and feels like he’s in big trouble.

If I were to have a crisis I’d have to go to the hospital. My concern is my medical history is really extensive, but they wouldn’t have access to my history. History that could be very pertinent in treating me, said Kaufman.

He is now writing down his medical history to the best of his knowledge just in case he has to call 911.

Another patient, who wanted to remain anonymous, told News 8 that she is worried her personal information is no longer secure.

And another patient, Jacob, was unable to get his medication right away but was contacted by Scripps to pick it up a day later.

I’ve been on that medication for 20 years, if I had not taken it for 2 days, I would have gone into a coma and died, said Jacob.

[23:23] These patients worry that this hack is a sentinel event that may lead to more problems. People have even vented frustrations on the Scripps Health Facebook page. Lots of people! As of our recording over 220 comments have been posted about this incident.

Scripps Health – Scripps Health experienced an information…

This gets into some serious privacy issues, not to mention the Scripps brand damage that we’ve talked about before as being one of the effects of an attack like this. There are lots of things from this incident that should be considered and included in your incident response plan.

One that stands out the most in the Scripps Health attack is communication. This is super important. You should have a plan B and a plan C for communication because if you don’t figure out a way to communicate with your patients, they will figure out a way to communicate with you and they’ll tell everybody else about it. But responding to patient comments on Facebook is NOT a good way of communicating with them. Facebook is NOT a secure method of corresponding with patients about their healthcare requests, and they will NOT provide you with a BAA.

Also, you want to have a sound plan on how you will communicate with your staff… at every location. Don’t leave them to their own devices. In the Scripps case, employees were communicating with each other on the company Facebook page too. And all their posts were able to be viewed by patients, media, law enforcement… everyone.

[32:10] As a side note: It is important for any business, especially in the healthcare industry, to understand that when things like this happen, it’s not a quick fix. It can be days, weeks, even months sometimes before IT is able to restore data and get systems back up and running. And when you have a ransomware attack, it’s not a matter of just getting a business back up and running. It’s a matter of preserving evidence. The incident has to be fully and properly investigated.

Four days into the Scripps Health ransomware attack, no one seems to be effectively communicating with patients or employees on how long it will be until access to systems will be available, when patients will be able to reschedule appointments, procedures and surgeries, etc. And to make it more confusing you have all kinds of people offering their two cents and speculating on what’s going on and how to fix the problem… from patients to Scripps’ employees to “technical” people. It is creating a social media nightmare and patients are stressed, terrified and are panicking. People are even posting pleas for Scripps Health to simply pay the ransom demand, because that way they can get back all of their patients’ data. That’s not necessarily true. In fact, we will be talking next week about ransomware and how one article states that 92% of businesses that pay the ransom never get all of their data back.

[49:49] At the beginning of our conversation, we talked about all the privacy breaches caused by Scripps’ staff communicating with patients via Facebook. Then, all of a sudden, it all stopped and patients have no way to get any information about this breach. It doesn’t appear that Scripps is providing any information in any form to their patients about what’s going on. So, lack of communication is very bad. Unsecured communication is very bad. Employees talking is very bad. And in the end there is panic and fear and concern about life and death over ransomware.

The Scripps Health ransomware attack should be a terrifying event for all of us, not to mention their patients. Many of their lives are literally hanging in the balance. The social media storm is creating panic, fear and anger towards Scripps Health. The lack of effective communication is adding to this. When a situation like this happens, a business should have all communication to the public and the media go through one channel.

If you are one of those people or organizations who don’t think this is going to happen to you and you don’t need to make a plan for this kind of thing, get your head out of the sand. All providers of healthcare need to take this seriously and take steps to protect their patients’ data. Your patients need you to do this. And believe it or not, they expect you to.

For years we’ve been preaching that privacy, security and compliance requirements are about patient care. This ransomware attack on the Scripps Health network is a perfect example of why you do all of these things: so that you can provide a level of patient care. People expect you to take care of their healthcare needs and take care of their protected health information. And when something goes wrong… remember, it’s not IF it’s WHEN… you should have an incident response plan to address not only the incident itself, but also how you will continue to take care of patients and recover from the event. Communication should be a big part of your response.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
