01.16.2019

Record Numbers of Phishing Attacks Are Succeeding. Stop Being Such Tasty Bait.

Phishing attacks, at an all-time high in 2018, continue to pelt healthcare organizations, gaining access to invaluable patient data and personal information of staff members. This information — Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — is grabbed and used to make illegal purchases or otherwise commit fraud. Mobile devices have morphed into profitable new opportunities for criminals executing phishing attacks, as identifying and blocking mobile-based phishing attacks is especially difficult for both individuals and employers’ current security technologies. These exploits create entry-ways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 X 24), and post it!


09.20.2018

Managing the HIPAA Risks of Outsourcing to Business Associates

Today, most hospitals count on external outsourcing services for a myriad of essential functions like revenue cycle management, health information management, IT support, data storage and security, housekeeping, and many other clinical and non-clinical functions. Many of these partners are business associates under HIPAA — and therein lie major potential security risks for hospitals. Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But data security and privacy breaches either caused by business associates or enabled by their deficiencies have exploded in recent years. Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program. Here’s what you need to know — plus a great infographic to summarize this critical issue.


08.22.2018

Healthcare Phishing Attacks Are Succeeding. Let’s Stop Being Such Tasty Bait.

Phishing attacks continue to pelt healthcare organizations, successfully gaining access to invaluable patient data and personal information of staff members. This information — Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — is typically used to make illegal purchases or otherwise commit fraud. These exploits also create entry-ways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 X 24), and post it!


08.7.2018

Cybercrime 2018: Most Hospitals’ IT Security Is Still Not Enough

Have you noticed? We haven’t read shocking news of record-breaking security breaches, in fact not since 2015-2016. Remember Bon Secours Health System where the information of 655,000 patients was compromised via the internet? Or the breach at 21st Century Oncology Holdings that hit more than two million patients across 181 cancer treatment centers? A cyber attack on Banner Health affected 3.6 million people, and NewKirk Products, a business associate, was hacked to the tune of 3.5 million affected individuals. According to HHS’ Wall of Shame, over 113 million people were hit in 2015 by breaches of their personal data, and in 2016 more than 27 million patient records were impacted. But, in the whole of 2017 “only” about 4.7 million people were victimized, a four year low. This may seem like good news, but before we get too comfortable with our seemingly safer data security today, here’s the story behind the story — and it isn’t pretty.


05.30.2018

New Infographic: Risks of HIPAA Business Associate Relationships

Last week, we published a blog post about the importance of hospitals’ establishing and monitoring Business Associate Agreements with contractors who touch protected health information (PHI). Most hospitals and other HIPAA-covered entities, e.g. payors, physician practices and pharmacies, outsource a myriad of services for better, cost-effective operational results. Many of these services “touch” PHI, e.g. transcription services, revenue cycle managers, IT support and many other clinical and non-clinical functions. They are deemed HIPAA business associates (BAs) as of the 2013 Omnibus HIPAA Rule, and are accountable (think fines and even prison time) for PHI breaches. Many hospitals and their contractors still don’t know this or just aren’t on top of this issue. Read on for our newest infographic that simplifies the risks of HIPAA business associate relationships.


05.24.2018

Essentials in Managing the HIPAA Risks of Outsourcing

Almost all hospitals outsource a myriad of services for better and more cost-effective operational results. These services extend well beyond the traditional transcription, data entry, housekeeping and food services of yesteryear. Today, outsourcing services are used for health information management, revenue cycle management, clinical research, IT support, data storage and security, and many other clinical and non-clinical functions. While outsourcing can be a huge boon to efficiencies and quality, it also may bring serious HIPAA-related risks if the vendor qualifies as a business associate (BA) under the law.

Which vendors qualify as business associates? What are the HIPAA risks of depending on these outsiders? Data security and privacy breaches by business associates have exploded in recent years, but diligent management by your hospital via proper procedures will minimize its risks. Here’s what you need to know.


03.27.2018

Infographic Poster: Top 8 Rules for Secure Texting in Healthcare

Texting among healthcare team members has become a valuable communications tool that creates efficiencies and improves patient safety. Some organizations also use opt-in texting programs to send reminders to patients. But strict rules must be followed to meet HIPAA privacy and security regulations and prevent cybercriminal activity. Providers must implement policies to ensure the security and integrity of their texting systems, platforms and content. We have developed an infographic (downloadable as a poster) that will serve as a great reminder to your staff that secure texting in healthcare is essential, and to FOLLOW THE RULES.


02.27.2018

Texting in Healthcare is Here to Stay: But Know the Rules!

The December 28, 2017 announcement of CMS’ new and apparently final stance on clinicians’ texting patient information probably sailed under your radar. CMS clarified what previously had been a confusing message, and now has specified that it is permissible for clinicians to communicate PHI, but only across a secure platform. However, significant caveats were noted. Every clinician across all healthcare provider organizations must be educated, preferably through IT leadership, on CMS’ clarified policy on texting in healthcare as soon as possible — not just to adhere to federal rules, but to prevent compromise of texting usage by cyber criminal activity.


02.15.2018

2017 Was the Worst Year Ever for Hospital Data Breaches. Get Set for 2018.

Ransomware and other cyber attacks barraged healthcare industry headlines in 2017. By December 20, the Identity Theft Resource Center (ITRC) had recorded 1,293 U.S. data breaches in 2017; nearly 30% of them hit the healthcare sector. 78% of provider organizations dealt with ransomware, malware or both in just 12 months. Cybercriminals have emphatically targeted healthcare providers because they collect immense amounts of personal data, and have lagged behind other industries in upgrading to systems with high-standard security protections. 2018 is expected to be an even worse year for hospital data breaches than 2017 — just as last year was worse than 2016. It’s imperative that providers once again re-examine their security strategies to keep on top of potential vulnerabilities, starting with organizational security assessments. There’s the rub.


05.16.2017

WannaCry Highlights the Huge Difference: IT Security vs. HIPAA Compliance

With the massive WannaCry global cyberattack — and hospitals a focal point — the dire warnings of security experts are now an extraordinary reality. Hours after infecting one European computer, WannaCry captured entire networks throughout 50 countries including the British healthcare system. After a temporary fix, over 150 countries are still experiencing system locks by criminals demanding money, days later. American hospitals have not been major victims thus far. Do hospital leaders think HIPAA compliance has provided a dike against the tide? Think again… HIPAA is not security. If we continue to hope compliance is enough to protect our hospitals, we are likely to become the next victims of a super-ransomware attack. HIPAA security compliance was supposed to enable capable protection. But no. Why doesn’t compliance represent the security hospitals need against major cyber attacks?
