What Your Security Risk Assessment Might Uncover: Why Your Server Set-Up Matters
HIPAA regulation sets national privacy and security standards. These standards are fundamental to protecting your office from data breaches and HIPAA violation fines. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:

- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.

The HIPAA Security Rule mandates that covered entities (CEs) perform a security risk analysis as part of their security management process, so that they can implement policies and procedures to prevent, detect, contain, and correct security violations. It is best practice to run a HIPAA Security Risk Assessment annually, since the Security Rule also mandates that CEs establish a plan for periodic technical and nontechnical evaluation of their policies and procedures, especially in response to environmental or operational changes that can affect the security of electronic protected health information (e-PHI).

As part of your annual HIPAA Security Risk Assessment, we perform a technical evaluation of your security infrastructure. If your server is set up in a workgroup rather than a domain environment, we are unable to assess your full network (i.e. the surrounding workstations). As a result, our risk assessment cannot appropriately assess whether you have, and apply, reasonable and appropriate controls across your full network.
Please note that the Security Rule requires CEs to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI; therefore, you must decide whether setting up your network as a domain is reasonable and appropriate for your practice. However, in order to perform a full network assessment, we strongly urge you to set up your network as a domain, so that your safeguards can be assessed for whether they prevent, detect, contain, and correct security violations. As an alternative to setting up your server on a domain, you should have a local IT professional assess each individual workstation. The IT professional would need a working knowledge of all the HIPAA regulations and possess the required tools to accomplish the HIPAA-required tasks on each workstation. It is estimated that a proper assessment would take approximately one hour per workstation.
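As an added example (not part of the original post and not DDS Rescue's own tooling), the following PowerShell script shows the scope difference the post describes from an assessor's point of view: it reports whether the server is domain-joined or in a workgroup, and only when it is domain-joined does it enumerate the surrounding workstations through Active Directory. The `Get-ADComputer` call assumes the RSAT ActiveDirectory module is installed on the server and that the account running the script can read the directory; the `Get-AssessmentScope` function name and the output layout are my own.

```powershell
# Added example: report whether this server is domain-joined and, if so,
# list the workstations an assessor can reach through Active Directory.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed.

function Get-AssessmentScope {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    if (-not $cs.PartOfDomain) {
        # Workgroup server: there is no central directory to enumerate, so each
        # workstation has to be visited and assessed individually.
        return [pscustomobject]@{
            ServerName   = $cs.Name
            Mode         = 'Workgroup'
            Domain       = $null
            Workgroup    = $cs.Workgroup
            Workstations = @()
            Note         = 'No directory available; assess each workstation locally.'
        }
    }

    # Domain-joined server: the directory lists the workstations in scope.
    Import-Module ActiveDirectory -ErrorAction Stop
    $workstations = Get-ADComputer -Filter { OperatingSystem -notlike '*Server*' } `
                        -Properties OperatingSystem, LastLogonDate |
                    Select-Object Name, OperatingSystem, LastLogonDate

    return [pscustomobject]@{
        ServerName   = $cs.Name
        Mode         = 'Domain'
        Domain       = $cs.Domain
        Workgroup    = $null
        Workstations = @($workstations)
        Note         = "$(@($workstations).Count) workstation(s) visible for assessment."
    }
}

# Usage: run on the server as an account permitted to read the directory.
$scope = Get-AssessmentScope
$scope | Format-List ServerName, Mode, Domain, Workgroup, Note
$scope.Workstations | Format-Table -AutoSize
```

On a workgroup server the script returns an empty workstation list, which is exactly the gap the post describes: nothing on the server side can tell the assessor what controls the surrounding workstations have. On a domain-joined server the returned list gives the assessor the inventory to work from; stale entries (old `LastLogonDate` values) are worth reconciling against the practice's actual hardware before the assessment is scoped.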
Georgia Dental Clinic Suffers Ransomware Attack
Ransomware attacks against dental and medical practices are becoming commonplace. Read this important story from HackRead about a recent Georgia dental office attack. How do you protect your servers from ransomware and other attacks? Contact DDS Rescue about DATA SECURITY SERVICES for your practice. Our services include firewall and antivirus management, email encryption, and HIPAA compliance and training services.

Dental clinic learns of ransomware attack after phone call from hackers

The ransomware attack was carried out by the Conti ransomware operator in November 2020.

A dental clinic in Georgia, Galstan & Ward Family and Cosmetic Dentistry, suffered a ransomware attack. Interestingly, the facility discovered it after the attackers called to inform them about the attack. Drs. Galstan and Ward did notice that their computer systems displayed some anomalies. However, they ignored it and called in an IT expert to wipe the server and reinstall it from backup. They didn’t detect any data loss, and the service wasn’t disrupted either.

See: US Criminal Court hit by Conti ransomware; critical data at risk

Then they received a phone call from the attackers and learned that their server was accessed, and several files were later posted on the dark web. The group also demanded a ransom from Drs. Galstan and Ward.

After identifying the ransomware attack, the practice contacted outside counsel and engaged a cyber-security firm to carry out forensic analysis and determine the best remediation services. The practice issued a notification to its patients on Nov 13th, 2020 explaining that the intrusion occurred between Aug 31st and Sep 1st; they learned about it after the hackers informed them about the security breach. On Sep 11, according to Databreaches.net, they found out that many of the files stored on their server were posted on a dark web website. The practice confirmed that none of the stolen files contained patients’ data.

However, they will offer the affected patients free identity theft restoration and credit monitoring service through IDX. The security firm assessed the restored server and confirmed that it was free of malware. They couldn’t find any evidence that confidential patient data stored in the facility’s software systems were accessed or stolen. Reportedly, at least 10,759 patients have been impacted by the incident. On Nov 6th, the HHS was informed about the attack.

See: Plastic surgery tech firm leaks images of 100,000s of customers

Further probe revealed that Conti threat actors were responsible for the attack, since the Conti ransomware strain was used to compromise the dental clinic’s server. After gaining access, the attackers uploaded 20 files as proof of access. However, the practice claims that the files didn’t contain PHI but just the dental office’s Dentrix system’s documents and file templates.
Attacks on dental offices and related healthcare businesses are growing
Mary Beth Versaci at ADA News recently covered the latest alert by the Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services. Please note that the attacks on dental offices and related healthcare businesses are growing. Please contact DDS Rescue about what you can do to protect your practice. Our security solutions guard against attacks and ensure your data is fully backed up and can be easily restored if necessary. DDS Rescue customers receive yearly HIPAA training and compliance as part of their service.

Alert warns of cybercrime threat to U.S. hospitals, health care providers
Federal agencies believe attacks could lead to data theft, disruption of health care services
By Mary Beth Versaci at ADA News

The Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services are warning health care providers to take precautions in response to credible information of an increased and imminent cybercrime threat to the U.S. health care and public health sector, according to an alert from the agencies.

DETAILS OF NEW ALERT

The Oct. 28 alert details the tactics, techniques and procedures used by cybercriminals against targets in the health care and public health sector to infect systems with ransomware for financial gain, as well as the practices the agencies encourage health care organizations to use to help manage the risk posed by ransomware and other cyber threats. The agencies believe cybercriminals are targeting the sector with malware, often leading to ransomware attacks, data theft and the disruption of health care services, according to the alert.

“These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments,” the alert states.

The agencies recommend that health care organizations implement both ransomware prevention and response measures immediately. The alert includes tips from CISA and the Multi-State Information Sharing and Analysis Center’s joint Ransomware Guide, including maintaining offline, encrypted backups of data and regularly testing those backups; creating, maintaining and exercising a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident; and planning for the possibility of critical information systems being inaccessible for an extended period of time.

The agencies do not recommend paying ransoms, as payment does not guarantee files will be recovered and could embolden attackers to target additional organizations or encourage others to engage in the distribution of ransomware and funding of illicit activities.

GET HELP

For additional resources, visit CISA’s ransomware guidance and resources webpage, the FBI’s ransomware webpage and the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA.
Don’t let this happen to you! Make sure you’ve received your HIPAA training this year!
OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announces its eleventh settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative as an enforcement priority in 2019 to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

Dr. Rajendra Bhayani, who is a private practitioner specializing in otolaryngology in Regal Park, New York, has agreed to take corrective actions and pay $15,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

In September 2018, OCR received a complaint alleging that Dr. Bhayani failed to provide a patient with access to her medical records following her request in July 2018. OCR responded by providing Dr. Bhayani with technical assistance on complying with HIPAA’s Right of Access requirements and closed the complaint. In July 2019, however, OCR received a second complaint alleging that Dr. Bhayani still had not provided the complainant with access to her records. OCR determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, the complainant received a complete copy of her medical records in September 2020.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said Roger Severino, OCR Director.

In addition to the monetary settlement, Dr. Bhayani will undertake a corrective action plan that includes two years of monitoring. A copy of the resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/dr-bhayani-ra-cap.pdf
Social media: Proceed with caution
Here’s an article from RDH Magazine by Melissa Van Witzenburg, MS, RDH that we wanted to share with our customers. As HIPAA consultants, we want
HIPAA AND COMPLIANCE NEWS
Treasury Dept: Ransomware Payment Facilitation Could Be Sanction Risk COVID-19 spurred an increase in ransomware attacks. The Treasury Department warns entities against facilitating ransomware payments