Resources for Healthcare Providers

 

You don't always have time to keep up with the news during your busy week, so we've created this Resource Center for you to visit at your convenience. Don't find it here?  Contact us to request it.  If it exists, we'll find it for you!

How to Recognize and Prevent DoS and DDoS Attacks

According to US-CERT, the United States Computer Readiness Team, Denial-of-Service (DoS) attacks occur when an attacker attempts to prevent legitimate users from accessing information or services. In DDoS (Distributed Denial of Service) attacks, one system may be used to attack another system. According to US-CERT, these attacks are on the rise.  In this December Cyber Awareness Newsletter PDF, the HHS Office for Civil Rights describes the symptoms that a DoS or DDoS attack is underway and offers a dozen measures for preventing such attacks.

OCR Cyber-Awareness Update - December 2016.pdf

HHS Answers Questions About Cloud Services and HIPAA

When you, as a covered entity, engage a cloud services provider to create, receive, maintain, or transmit ePHI (for the purpose of processing and/or storing the ePHI) on your behalf, that CSP is your business associate and must comply with the applicable provisions of the HIPAA Rules. This also applies to subcontractors. Now, HHS answers your questions about the use of cloud services, what's OK and what's not, and your requirements under HIPAA. The PDF below provides abbreviated answers for quick understanding, and links to the complete HHS Guidance for all details.

HHS Guidance on HIPAA and Cloud Computing - Abbreviated Q&A - Oct 2016.pdf 

FBI Urges Reporting of Ransomware Incidents

The FBI issued a Public Service Announcement on September 15, 2016, urging victims to report ransomware incidents to federal law enforcement to “help us gain a more comprehensive view of the current threat and its impact on U.S. victims.” Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. It is an increasingly common and insidious cybercrime. Details for reporting ransomware incidents, and security recommendations, are provided in the PDF below.

FBI Ransomware Reporting and Prevention - Sept 2016.pdf

OCR Implements Plan to More Widely Investigate Small Data Breaches

On August 18, 2016, the Office for Civil Rights (OCR) issued its monthly publication, which is available to download in the PDF link below. The current publication announces how the OCR will investigate, analyze, and prioritize healthcare data breaches affecting fewer than 500 individuals. It also provides links to the five most recent settlement cases related to small data breaches.

OCR Cyber-Awareness Update August 2016.pdf

Patient Data Breached at Athens Orthopedic Clinic

On June 27, 2016, Athens (Georgia) Orthopedic Clinic discovered that the data of 200,000 past and present patients had been hacked two weeks earlier, on June 14. As required by the HITECH Act, the Clinic mailed letters to the affected individuals the week of August 8 stating, in part, “We believe that the information taken includes your name, address, Social Security number, date of birth, telephone number and account number, and may include your diagnosis and medical history.” Further details are available in the article posted by the Athens Banner-Herald on August 12, and should serve as a cautionary tale for other healthcare providers who mistakenly believe it can never happen to them. 

Athens Orthopedic Clinic Data Breach.pdf

HHS OCR Guidance for Preventing Ransomware

The FBI has reported a steady increase in ransomware attacks across all industries, including healthcare. To help you better understand and respond to this growing threat, the HHS Office for Civil Rights today has released new guidance on ransomware. Ransomware is one of the biggest current threats to health information privacy, and can seriously compromise the integrity and availability of your patient data and other sensitive information. 

HHS HIPAA Guidance on Ransomware Threat.pdf

Cost of Data Breaches is Highest in Healthcare, Among all Industries, Says 2016 Report

The latest Ponemon Report on data breaches proves that healthcare breaches remain the most costly, and the majority are caused by malicious or criminal attacks. Speedy detection of a breach can reduce the overall cost significantly, and factors such as encryption, business continuity management and employee training can also reduce the cost.  Download the PDF to read the complete article.

Healthcare Data Breach Costs Highest Among Industries.pdf

Cybersecurity Investment Rose Dramatically, by 78%, in 2015 and Is Still Rising

Investment in cybersecurity rose by 78 percent in 2015 to $228 million, and Lux Research expects it to reach $400 million in 2016, in part because of the rapid adoption of Internet of Things (IoT) devices.

Cybersecurity Investment Rose 78% in 2015 and Still Rising.pdf

OCR Monthly Cybersecurity Guidance - March 2016

As a part of its ongoing program to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun Phase 2 of its audits of covered entities and their business associates. This article describes the steps of the process, beginning with an email from OCR to the covered entities selected for audit. Recommended reading for all healthcare providers and their business associates!

OCR Cyber-Awareness Update March 2016.pdf

IRS Warns of Email Phishing Scheme Involving W2 Form Requests

The Internal Revenue Service has issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees. Part of the surge in phishing emails seen this year, this new scheme has already claimed several victims as payroll and human resources offices mistakenly emailed payroll data, including W-2 forms that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.

IRS Warns of Email Phishing Scheme Involving W2 Form Requests.pdf

OCR Issuing Monthly Cybersecurity Guidance

The Office for Civil Rights, enforcement arm of the Dept. of Health & Human Services, is issuing monthly updates to help covered entities and business associates become more cyber-aware, and hopefully more secure. Topics in the latest update are (1) Why any organization can suffer a healthcare breach, and tips for keeping your PHI safe, (2) NSA’s lesson learned, including tips for keeping intruders out of your network, and (3) Malware and medical devices, and what to think about when you order equipment.

OCR Cyber-Awareness Update February 2016.pdf

Physical Therapy Provider Hit with $25,000 Fine for HIPAA Violation

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has agreed to a HIPAA settlement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) after alleged violations that the physical therapy provider potentially exposed patient information. CPT must pay $25,000 as well as implement a corrective action plan, according to OCR, and must report on its compliance efforts for one year.

Physical Therapy Provider Fined $25,000 for HIPAA Violation.pdf

Healthcare Leads in 2016 Data Breaches Through February 9

According to a report by the Identity Theft Resource Center, the medical/healthcare sector posted the largest percentage of total breaches so far this year at 34.8% (24 breaches). The number of records exposed in these breaches is more than 1.1 million, or 79.2% of the total through February 9, 2016.  Many healthcare organizations become victims of their failure to implement even the most basic security measures, such as commercial-grade firewalls, secure data storage and regular backups, and updated software, as common examples.  

Data Breaches Reported by ITRC.pdf

January 28, 2016 is Data Privacy Awareness Day

JDL HealthTech is proud to support Data Privacy Day as a Champion.  You can, too.  Visit the Stay Safe Online website, sponsored by the National Cybersecurity Alliance, at https://www.staysafeonline.org/data-privacy-day/. And be sure to keep your ePHI and other sensitive data private and secure, every day of the year.  It's a requirement for HIPAA compliance.

How Administrative Safeguards Can Prevent Data Breaches

Healthcare organizations need to adopt administrative safeguards that are applicable to their daily operations. Policies and procedures that dictate employee training at a small doctor’s office will likely not be applicable to a large hospital.  According to the HHS, "...compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.” 

How Administrative Safeguards Can Prevent Data Breaches.pdf

Oncology Group Fined $750,000 for Loss of ePHI in Laptop Theft

Cancer Care Group, P.C. has paid $750,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), to settle potential violations of HIPAA Privacy and Security Rules. The radiation oncology private physician practice with 13 radiation oncologists also agreed to implement a robust corrective action plan to resolve serious deficiencies in its HIPAA compliance program. 

Provider Pays $750,000 to OCR for Loss of ePHI in Laptop Theft.pdf

AMA, Other Physician Groups, Urge Congress to Fix Meaningful-Use Rules

A coalition of 111 medical societies led by the American Medical Association is urging Congress to “refocus” the federal requirements for providers under the electronic health records incentive payment program. In a letter to House and Senate leaders, the physician groups said congressional action to refocus this program is urgently needed before physicians abandon the program completely--frustrated by the near impossibility of compliance with meaningless and ill-informed bureaucratic requirements. 

AMA_Urges_Congress_to_Fix_Meaningful_Use.pdf

Need to reach us?  Have a question?  Send us an email at info@jdlhealthtech.com.

Office for Civil Rights to Move Ahead with HIPAA Audits

Recent news reports indicate that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is planning to move ahead with proactive HIPAA audits of business associates and covered entities. OCR noted that the first audits will mostly consist of desk audits, under which it will ask entities to send in policies and procedures for review, though there may be some in-person audits as well.

OCR_Will_Step_Up_HIPAA_Audits.pdf

Secret Service Issues Warning About Rising Mobile Payment Fraud

In the past few months, the US Secret Service has observed a steady increase in criminals exploiting vulnerabilities in the account provisioning and verification process for near field communication (NFC) payments to commit fraud. Specifically, criminals are using stolen identity information--such as credit reports, tax records, healthcare, and employee records that contain personally identifiable information--to establish fake accounts on NFC devices and make illicit transactions both online and at “brick and mortar” retailers.  Please read details and mitigation suggestions in the PDF below.

US_Secret_Service_on_Increasing_Mobile_Payment_System_Vulnerability.pdf

Most Physicians Still Work in Small, Private Practices

The AMA survey shows that the majority of physicians (60.7%) were in small practices of 10 or fewer physicians, and that practice size changed very little between 2012 and 2014 in the face of profound structural reforms to healthcare delivery. A majority of physicians (56.8%) work in private practices wholly owned by the physician(s). 

New_AMA_Study_-_Most_Physicians_Still_Work_in_Small_Practices.pdf

ICD-10:  CMS Won't Deny Claims for First Year

The Centers for Medicare & Medicaid Services announced on July 6, 2015, that it will adopt suggestions made by the American Medical Association to ease the transition to the new ICD-10 code set, which becomes effective October 1, 2015. These suggestions concern claims denials, quality reporting, payment disruptions and transition communications plans.  Details in the article PDF below.

ICD-10_-_CMS_Wont_Deny_Claims_for_First_Year.pdf

HIPAA Audits of Business Associates - How to Prepare and Why

These two articles posted on Lexology and HealthCare IT News discuss the increasing HIPAA focus on the business associates of healthcare providers who are subject to HIPAA and HITECH regulations. The first recommended step for any business associate, in achieving compliance, is to conduct a Security Risk Assessment to precisely identity their vulnerabilities and risks. Read more in the PDFs below. 

Compliance_Tips_for_Business_Associates.pdf

HIPAA_Audits_of_Business_Associates_Include_Financial_Institutions.pdf

NOTE: JDL HealthTech is a HIPAA-compliant business associate with substantial experience conducting comprehensive Security Risk Assessments for healthcare providers and their business associates. Contact us to learn more.

U.S. Secret Service Warns of Business Email Scam Leading to ACH Fraud

The Secret Service is currently observing a significant increase in the frequency, sophistication, and fraud losses associated with Business Email Compromise scams, which are a form of Automated Clearing House (ACH) wire fraud. Organizations are encouraged to immediately implement additional authentication steps before performing wire transfer payments to non-U.S. financial institutions, and to report suspected criminal activity associated with these scams to their local Secret Service Electronic Crimes Task Force or field office.

Business_Email_Scam_Leads_to_ACH_Wire_Fraud.pdf

Miami-based Plaza Health Settles Medicare Fraud Charges for $17 Million

Plaza Health Network in Miami has settled Medicare fraud charges for $17 million, the nation's largest settlement paid by a skilled nursing facility for alleged violations of the Anti-Kickback Statute. It originated with a whistle-blower lawsuit filed in 2012 by former Plaza Health CEO Stephen Beaujon. The company operates seven centers throughout South Florida.

Miami_Plaza_Health_Settles_Medicare_Fraud_Charges_for_17M.pdf

Tips for Resolving Physician Referral Problems Affecting Radiologists and Pathologists

This two-page article by McKesson provides useful guidance for radiologists and pathologists who regularly receive faulty diagnostic codes with physician referrals. ICD-10 offers the perfect opportunity to address these issues now, before the code shift occurs.

Tips_for_Resolving_Physician_Referral_Problems_Affecting_Radiologists_Pathologists.pdf

Cybertheft Costs Healthcare $6 Billion a Year

This latest study should be a wake-up call for healthcare providers regardless of size or specialty. ePHI and other data is being resold on private forums that specialize in stolen credit cards and Social Security numbers. Medical records often sell for as much as 20 times the price of a stolen credit card number, because of their value. Is your organization leaking data? 

Cybertheft_Costs_Healthcare_6_Billion_Annually.pdf

JDL Technologies Quoted in CRN Article on Cybersecurity

In responding to CRN about Obama's April 2015 Executive Order authorizing targeted sanctions against cybercriminals, including nation states, JDL Technologies' Alex Muchnik observed, "While our government is taking the actions that it has the power to take, our corporations and businesses need to exercise the same vigilance.  In the final analysis, security is everyone’s responsibility.” 

New_Tool_Against_Cyberthreats.pdf

AWARD-WINNING EBOOK:  Healthcare Data Breaches & Vulnerabilities, and What You Can Do

Let the lessons of 2014 guide your compliance actions this year, with this compelling report developed by JDL HealthTech and offered in easy-to-digest eBook form. Learn what causes 83% of all data breaches in healthcare, and discover the two most common vulnerabilities. Consider the penalties applied in 2014, by the HIPAA-enforcing DHHS Office for Civil Rights, to some extremely small data breaches. It doesn't have to happen to you.

Healthcare_Vulnerabilities_Report.pdf

How Better Log Monitoring Can Prevent Data Breaches

Recent high-profile data breaches reaffirm that the threat from data thieves is both persistent and pervasive. Could better log monitoring mitigate or even prevent these types of security catastrophes? This excellent article in CIO explores log monitoring in depth.

How_Better_Log_Monitoring_Can_Prevent_Data_Breaches.pdf

FEATURE ARTICLE:  Going Thoroughly Virtual

By using virtualization throughout your clients’ entire IT infrastructure — from servers to desktops and applications to storage — you can deliver greater levels of agility, mobility, and efficiency. This ChannelPro article quotes JDL Technologies President Scott Fluegge and other IT experts on what to consider in adopting virtualization within your organization.

Going_Thoroughly_Virtual_-_ChannelPro_Article.pdf

Unencrypted Laptop Costs Healthcare Entity $250,000

Chances are your laptop or tablet goes where you go, carrying healthcare data and PHI from office to vehicle to home and back again. Throw in a side trip to the grocery store or the bank, and you've got a theft in the making. It can happen to anyone, anywhere. 

Unencrypted_Laptop_Costs_Healthcare_Entity_$250,000.pdf

Meaningful Use Update – CMS Announces EHR Penalties

The Centers for Medicare and Medicaid Services say many doctors will see their 2015 Medicare payments cut by 1% for failing to meet federal electronic health-record incentive-payment program standards.  In addition, only about 10% of those scheduled to move to Stage 2 this year have done so. However, their payment period doesn't end until Dec. 31—and they have until the end of February to attest. 

Meaningful_Use_Update_-_CMS_Announces_2013_Penalties_and_Other_News.pdf

Hospital CIOs Face Head-Spinning Challenges

A November 3, 2014 article quotes Rick Schooler, the Chief Information Officer at Orlando Health, and two other prominent CIOs on the crazy challenges facing healthcare today. IT priorities shift every month in the face of government and market changes, and IT staffs must become Swiss Army knives in order to cope with the numerous and sometimes conflicting priorities.  This article is a must-read for anyone working in the healthcare industry.

Healthcare_IT_Staffs_Must_Be_Swiss_Army_Knives.pdf

Cybercrime is a Growth Industry, Says Latest CSIS Report

The returns are great, and the risks are low. The most recent report on the state of cybercrime worldwide is now available from the Center for Strategic and International Studies (CSIS), in concert with Intel Security.  The report estimates the probable annual cost to the global economy at more than $400 billion.  According to the report, “Governments and companies underestimate how much risk they face from cybercrime, and how quickly this risk can grow.”

Report_on_Global_Cybercrime_June_2014.pdf

Security: Healthcare's Fixer-Upper

This excellent article by Healthcare IT News Editor Erin McCann explores the alarming state of affairs in healthcare today, how the industry's slack security is bad for business, and what some are doing to step it up. Solid advice ... should be required reading for heatlhcare providers!   

Security_Healthcares_Fixer_Upper.pdf

Groups Hit with Record $4.8 Million Fine for HIPAA Violation

To those shirking their HIPAA privacy and security duties: get ready to pay up. That's the message the Department of Health and Human Services is sending after it set a new record for the largest HIPAA monetary fine to date against two covered entities found to be seriously lacking in the security arena.   

Record_4.8M_HIPAA_Fine_Imposed.pdf

Healthcare Security Stuck in Stone Age

Healthcare has a few things to do differently in the privacy and security arena -- one of them being: Start taking it seriously.  The new 2014 Verizon Data Breach Investigations Report highlights a concerning carelessness regarding privacy and security, specific to the healthcare industry.

Healthcare_Security_Stuck_in_Stone_Age.pdf

Glossary of Healthcare Regulatory Terms

Navigating the maze of healthcare industry regulatory terminology is almost as painful as making sense of the regulatory requirements themselves.  We created this Glossary to help you keep it all straight.  Watch for our video, "HIPAA Compliance Simplified," coming soon!

Healthcare_Industry_-_Glossary_of_Terms.pdf

The Facts About ICD-10 and Its Impact on Physicians

The deadline for implementation of a huge new set of diagnostic codes, known as ICD-10, is set for October 1, 2014, after a one-year postponement. Compliance is required, and no further delays are expected. This set of useful FAQs is provided courtesy of the American Medical Association.

Facts_About_ICD-10.pdf

US CERT Alert on CryptoLocker Ransomware

US-CERT is warning of a vicious new malware campaign that surfaced in late 2013 and is associated with a growing number of ransomware infections affecting Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems. 

CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. There is also an identity theft element to the infection.

Cryptolocker-US-CERT-Alert-Nov-2013.pdf

CryptoLocker Facts and Tips from Sophos

With CryptoLocker wreaking serious havoc, especially in the SMB community, this article is a must-read. It explains how this new ransomware works and offers instructions for prevention, cleanup, and recovery (which is actually possible in certain cases). Convenient 8-minute video makes it crystal clear. 

CryptoLocker-Details-From-Naked-Security-By-Sophos-Oct-2013.pdf

Five Ways to Secure Your Web-Browsing Users

In addition to the usual suspect tips, this article offers detailed advice for securing your browsers and standardizing your web software. Recommended reading, from the security experts at Sophos. 

Five-Ways-To-Reduce-Risk-From-Modern-Web-Threats.pdf

Five Ways Your SMB Can Profit From Managed IT Services

It’s been demonstrated repeatedly that Managed Services make clear sense for small businesses. In this article, Steven Vigeant of Data Evolution discusses five primary benefits of Managed Services for small to mid-size businesses. We second his conclusion!

5-Ways-Small-Business-Will-Profit-From-Managed-IT-Services.pdf

Why a Managed Services Solution is Good for Your Enterprise IT Team

Managed IT Services aren't just for small or mid-size businesses. Many enterprises leverage an expert MSP to manage the routine activities so that internal IT staff can be more strategic, more effective, and more productive. 

Why-A-Managed-Services-Solution-Is-Good-For-Your-IT-Team.pdf

Computer Security Tips for Small Business

As small businesses become more reliant on technology, they also become more vulnerable to cybercrime. A Gartner study found that 90 percent of companies who suffer major data loss close their doors within two years. Here are 10 tips to secure your business computers.

10-Computer-Security-Tips-For-Small-Businesses.pdf