Resources for Healthcare Providers
You don't always have time to keep up with the news during your busy week, so we've created this Resource Center for you to visit at your convenience. Don't find it here? Contact us to request it. If it exists, we'll find it for you!
How to Recognize and Prevent DoS and DDoS Attacks
According to US-CERT, the United States Computer Emergency Readiness Team, Denial-of-Service (DoS) attacks occur when an attacker attempts to prevent legitimate users from accessing information or services. In Distributed Denial-of-Service (DDoS) attacks, the attacker uses other compromised systems, which may include your own, to attack the target system. According to US-CERT, these attacks are on the rise. In this December Cyber Awareness Newsletter PDF, the HHS Office for Civil Rights describes the symptoms that a DoS or DDoS attack is underway and offers a dozen measures for preventing such attacks.
HHS Answers Questions About Cloud Services and HIPAA
When you, as a covered entity, engage a cloud services provider to create, receive, maintain, or transmit ePHI (for the purpose of processing and/or storing the ePHI) on your behalf, that CSP is your business associate and must comply with the applicable provisions of the HIPAA Rules. This also applies to subcontractors. Now, HHS answers your questions about the use of cloud services, what's OK and what's not, and your requirements under HIPAA. The PDF below provides abbreviated answers for quick understanding, and links to the complete HHS Guidance for all details.
FBI Urges Reporting of Ransomware Incidents
The FBI issued a Public Service Announcement on September 15, 2016, urging victims to report ransomware incidents to federal law enforcement to “help us gain a more comprehensive view of the current threat and its impact on U.S. victims.” Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. It is an increasingly common and insidious cybercrime. Details for reporting ransomware incidents, and security recommendations, are provided in the PDF below.
OCR Implements Plan to More Widely Investigate Small Data Breaches
On August 18, 2016, the Office for Civil Rights (OCR) issued its monthly publication, which is available to download in the PDF link below. The current publication announces how the OCR will investigate, analyze, and prioritize healthcare data breaches affecting fewer than 500 individuals. It also provides links to the five most recent settlement cases related to small data breaches.
Patient Data Breached at Athens Orthopedic Clinic
On June 27, 2016, Athens (Georgia) Orthopedic Clinic discovered that the data of 200,000 past and present patients had been hacked two weeks earlier, on June 14. As required by the HITECH Act, the Clinic mailed letters to the affected individuals the week of August 8 stating, in part, “We believe that the information taken includes your name, address, Social Security number, date of birth, telephone number and account number, and may include your diagnosis and medical history.” Further details are available in the article posted by the Athens Banner-Herald on August 12, and should serve as a cautionary tale for other healthcare providers who mistakenly believe it can never happen to them.
HHS OCR Guidance for Preventing Ransomware
The FBI has reported a steady increase in ransomware attacks across all industries, including healthcare. To help you better understand and respond to this growing threat, the HHS Office for Civil Rights today has released new guidance on ransomware. Ransomware is one of the biggest current threats to health information privacy, and can seriously compromise the integrity and availability of your patient data and other sensitive information.
Cost of Data Breaches is Highest in Healthcare, Among all Industries, Says 2016 Report
The latest Ponemon Report on data breaches proves that healthcare breaches remain the most costly, and the majority are caused by malicious or criminal attacks. Speedy detection of a breach can reduce the overall cost significantly, and factors such as encryption, business continuity management and employee training can also reduce the cost. Download the PDF to read the complete article.
Cybersecurity Investment Rose Dramatically, by 78%, in 2015 and Is Still Rising
Investment in cybersecurity rose by 78 percent in 2015 to $228 million, and Lux Research expects it to reach $400 million in 2016, in part because of the rapid adoption of Internet of Things (IoT) devices.
OCR Monthly Cybersecurity Guidance - March 2016
As a part of its ongoing program to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun Phase 2 of its audits of covered entities and their business associates. This article describes the steps of the process, beginning with an email from OCR to the covered entities selected for audit. Recommended reading for all healthcare providers and their business associates!
IRS Warns of Email Phishing Scheme Involving W2 Form Requests
The Internal Revenue Service has issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees. Part of the surge in phishing emails seen this year, this new scheme has already claimed several victims as payroll and human resources offices mistakenly emailed payroll data, including W-2 forms that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.
OCR Issuing Monthly Cybersecurity Guidance
The Office for Civil Rights, enforcement arm of the Dept. of Health & Human Services, is issuing monthly updates to help covered entities and business associates become more cyber-aware, and hopefully more secure. Topics in the latest update are (1) Why any organization can suffer a healthcare breach, and tips for keeping your PHI safe, (2) NSA’s lesson learned, including tips for keeping intruders out of your network, and (3) Malware and medical devices, and what to think about when you order equipment.
Physical Therapy Provider Hit with $25,000 Fine for HIPAA Violation
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has agreed to a HIPAA settlement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) after alleged violations that the physical therapy provider potentially exposed patient information. CPT must pay $25,000 as well as implement a corrective action plan, according to OCR, and must report on its compliance efforts for one year.
Healthcare Leads in 2016 Data Breaches Through February 9
According to a report by the Identity Theft Resource Center, the medical/healthcare sector posted the largest percentage of total breaches so far this year at 34.8% (24 breaches). The number of records exposed in these breaches is more than 1.1 million, or 79.2% of the total through February 9, 2016. Many healthcare organizations become victims because they fail to implement even the most basic security measures, such as commercial-grade firewalls, secure data storage with regular backups, and up-to-date software.
January 28, 2016 is Data Privacy Awareness Day
JDL HealthTech is proud to support Data Privacy Day as a Champion. You can, too. Visit the Stay Safe Online website, sponsored by the National Cybersecurity Alliance, at https://www.staysafeonline.org/data-privacy-day/. And be sure to keep your ePHI and other sensitive data private and secure, every day of the year. It's a requirement for HIPAA compliance.
How Administrative Safeguards Can Prevent Data Breaches
Healthcare organizations need to adopt administrative safeguards that are applicable to their daily operations. Policies and procedures that dictate employee training at a small doctor’s office will likely not be applicable to a large hospital. According to the HHS, "...compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.”
Oncology Group Fined $750,000 for Loss of ePHI in Laptop Theft
Cancer Care Group, P.C. has paid $750,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), to settle potential violations of HIPAA Privacy and Security Rules. The radiation oncology private physician practice with 13 radiation oncologists also agreed to implement a robust corrective action plan to resolve serious deficiencies in its HIPAA compliance program.
AMA, Other Physician Groups, Urge Congress to Fix Meaningful-Use Rules
A coalition of 111 medical societies led by the American Medical Association is urging Congress to “refocus” the federal requirements for providers under the electronic health records incentive payment program. In a letter to House and Senate leaders, the physician groups said congressional action to refocus this program is urgently needed before physicians abandon the program completely--frustrated by the near impossibility of compliance with meaningless and ill-informed bureaucratic requirements.
Office for Civil Rights to Move Ahead with HIPAA Audits
Recent news reports indicate that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is planning to move ahead with proactive HIPAA audits of business associates and covered entities. OCR noted that the first audits will mostly consist of desk audits, under which it will ask entities to send in policies and procedures for review, though there may be some in-person audits as well.
Secret Service Issues Warning About Rising Mobile Payment Fraud
In the past few months, the US Secret Service has observed a steady increase in criminals exploiting vulnerabilities in the account provisioning and verification process for near field communication (NFC) payments to commit fraud. Specifically, criminals are using stolen identity information--such as credit reports, tax records, healthcare, and employee records that contain personally identifiable information--to establish fake accounts on NFC devices and make illicit transactions both online and at “brick and mortar” retailers. Please read details and mitigation suggestions in the PDF below.
Most Physicians Still Work in Small, Private Practices
The AMA survey shows that the majority of physicians (60.7%) were in small practices of 10 or fewer physicians, and that practice size changed very little between 2012 and 2014 in the face of profound structural reforms to healthcare delivery. A majority of physicians (56.8%) work in private practices wholly owned by the physician(s).
ICD-10: CMS Won't Deny Claims for First Year
The Centers for Medicare & Medicaid Services announced on July 6, 2015, that it will adopt suggestions made by the American Medical Association to ease the transition to the new ICD-10 code set, which becomes effective October 1, 2015. These suggestions concern claims denials, quality reporting, payment disruptions and transition communications plans. Details in the article PDF below.
HIPAA Audits of Business Associates - How to Prepare and Why
These two articles posted on Lexology and HealthCare IT News discuss the increasing HIPAA focus on the business associates of healthcare providers who are subject to HIPAA and HITECH regulations. The first recommended step for any business associate in achieving compliance is to conduct a Security Risk Assessment to precisely identify its vulnerabilities and risks. Read more in the PDFs below.
NOTE: JDL HealthTech is a HIPAA-compliant business associate with substantial experience conducting comprehensive Security Risk Assessments for healthcare providers and their business associates. Contact us to learn more.
U.S. Secret Service Warns of Business Email Scam Leading to ACH Fraud
The Secret Service is currently observing a significant increase in the frequency, sophistication, and fraud losses associated with Business Email Compromise scams, which are a form of Automated Clearing House (ACH) wire fraud. Organizations are encouraged to immediately implement additional authentication steps before performing wire transfer payments to non-U.S. financial institutions, and to report suspected criminal activity associated with these scams to their local Secret Service Electronic Crimes Task Force or field office.
Miami-based Plaza Health Settles Medicare Fraud Charges for $17 Million
Plaza Health Network in Miami has settled Medicare fraud charges for $17 million, the nation's largest settlement paid by a skilled nursing facility for alleged violations of the Anti-Kickback Statute. It originated with a whistle-blower lawsuit filed in 2012 by former Plaza Health CEO Stephen Beaujon. The company operates seven centers throughout South Florida.
Tips for Resolving Physician Referral Problems Affecting Radiologists and Pathologists
This two-page article by McKesson provides useful guidance for radiologists and pathologists who regularly receive faulty diagnostic codes with physician referrals. ICD-10 offers the perfect opportunity to address these issues now, before the code shift occurs.
Cybertheft Costs Healthcare $6 Billion a Year
This latest study should be a wake-up call for healthcare providers regardless of size or specialty. ePHI and other data are being resold on private forums that specialize in stolen credit cards and Social Security numbers. Medical records often sell for as much as 20 times the price of a stolen credit card number. Is your organization leaking data?
JDL Technologies Quoted in CRN Article on Cybersecurity
In responding to CRN about Obama's April 2015 Executive Order authorizing targeted sanctions against cybercriminals, including nation states, JDL Technologies' Alex Muchnik observed, "While our government is taking the actions that it has the power to take, our corporations and businesses need to exercise the same vigilance. In the final analysis, security is everyone’s responsibility.”
AWARD-WINNING EBOOK: Healthcare Data Breaches & Vulnerabilities, and What You Can Do
Let the lessons of 2014 guide your compliance actions this year, with this compelling report developed by JDL HealthTech and offered in easy-to-digest eBook form. Learn what causes 83% of all data breaches in healthcare, and discover the two most common vulnerabilities. Consider the penalties applied in 2014, by the HIPAA-enforcing DHHS Office for Civil Rights, to some extremely small data breaches. It doesn't have to happen to you.
How Better Log Monitoring Can Prevent Data Breaches
Recent high-profile data breaches reaffirm that the threat from data thieves is both persistent and pervasive. Could better log monitoring mitigate or even prevent these types of security catastrophes? This excellent article in CIO explores log monitoring in depth.
FEATURE ARTICLE: Going Thoroughly Virtual
By using virtualization throughout your clients’ entire IT infrastructure — from servers to desktops and applications to storage — you can deliver greater levels of agility, mobility, and efficiency. This ChannelPro article quotes JDL Technologies President Scott Fluegge and other IT experts on what to consider in adopting virtualization within your organization.
Unencrypted Laptop Costs Healthcare Entity $250,000
Chances are your laptop or tablet goes where you go, carrying healthcare data and PHI from office to vehicle to home and back again. Throw in a side trip to the grocery store or the bank, and you've got a theft in the making. It can happen to anyone, anywhere.
Meaningful Use Update – CMS Announces EHR Penalties
The Centers for Medicare and Medicaid Services say many doctors will see their 2015 Medicare payments cut by 1% for failing to meet federal electronic health-record incentive-payment program standards. In addition, only about 10% of those scheduled to move to Stage 2 this year have done so. However, their payment period doesn't end until Dec. 31—and they have until the end of February to attest.
Hospital CIOs Face Head-Spinning Challenges
A November 3, 2014 article quotes Rick Schooler, the Chief Information Officer at Orlando Health, and two other prominent CIOs on the crazy challenges facing healthcare today. IT priorities shift every month in the face of government and market changes, and IT staffs must become Swiss Army knives in order to cope with the numerous and sometimes conflicting priorities. This article is a must-read for anyone working in the healthcare industry.
Cybercrime is a Growth Industry, Says Latest CSIS Report
The returns are great, and the risks are low. The most recent report on the state of cybercrime worldwide is now available from the Center for Strategic and International Studies (CSIS), in concert with Intel Security. The report estimates the probable annual cost to the global economy at more than $400 billion. According to the report, “Governments and companies underestimate how much risk they face from cybercrime, and how quickly this risk can grow.”
Security: Healthcare's Fixer-Upper
This excellent article by Healthcare IT News Editor Erin McCann explores the alarming state of affairs in healthcare today, how the industry's slack security is bad for business, and what some are doing to step it up. Solid advice ... should be required reading for healthcare providers!
Groups Hit with Record $4.8 Million Fine for HIPAA Violation
To those shirking their HIPAA privacy and security duties: get ready to pay up. That's the message the Department of Health and Human Services is sending after it set a new record for the largest HIPAA monetary fine to date against two covered entities found to be seriously lacking in the security arena.
Healthcare Security Stuck in Stone Age
Healthcare has a few things to do differently in the privacy and security arena -- one of them being: Start taking it seriously. The new 2014 Verizon Data Breach Investigations Report highlights a concerning carelessness regarding privacy and security, specific to the healthcare industry.
Glossary of Healthcare Regulatory Terms
Navigating the maze of healthcare industry regulatory terminology is almost as painful as making sense of the regulatory requirements themselves. We created this Glossary to help you keep it all straight. Watch for our video, "HIPAA Compliance Simplified," coming soon!
The Facts About ICD-10 and Its Impact on Physicians
The deadline for implementation of a huge new set of diagnostic codes, known as ICD-10, is set for October 1, 2014, after a one-year postponement. Compliance is required, and no further delays are expected. This set of useful FAQs is provided courtesy of the American Medical Association.
US CERT Alert on CryptoLocker Ransomware
US-CERT is warning of a vicious new malware campaign that surfaced in late 2013 and is associated with a growing number of ransomware infections affecting Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems.
CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. There is also an identity theft element to the infection.
CryptoLocker Facts and Tips from Sophos
With CryptoLocker wreaking serious havoc, especially in the SMB community, this article is a must-read. It explains how this new ransomware works and offers instructions for prevention, cleanup, and recovery (which is actually possible in certain cases). Convenient 8-minute video makes it crystal clear.
Five Ways to Secure Your Web-Browsing Users
In addition to the usual suspect tips, this article offers detailed advice for securing your browsers and standardizing your web software. Recommended reading, from the security experts at Sophos.
Five Ways Your SMB Can Profit From Managed IT Services
It’s been demonstrated repeatedly that Managed Services make clear sense for small businesses. In this article, Steven Vigeant of Data Evolution discusses five primary benefits of Managed Services for small to mid-size businesses. We second his conclusion!
Why a Managed Services Solution is Good for Your Enterprise IT Team
Managed IT Services aren't just for small or mid-size businesses. Many enterprises leverage an expert MSP to manage the routine activities so that internal IT staff can be more strategic, more effective, and more productive.
Computer Security Tips for Small Business
As small businesses become more reliant on technology, they also become more vulnerable to cybercrime. A Gartner study found that 90 percent of companies who suffer major data loss close their doors within two years. Here are 10 tips to secure your business computers.