BLOG
Social media: Proceed with caution
Here’s an article from RDH Magazine by Melissa Van Witzenburg, MS, RDH that we wanted to share with our customers. As HIPAA consultants, we want to remind you that all the HIPAA rules apply to social media used by the office. What’s the bottom line? It boils down to this: patient’s personal health information (PHI) should never be discussed on social media. Here are some more details about how to safely use social media. More importantly, make sure you are current with your HIPAA compliance and training. Remember that HIPAA compliance and training is included with your DDS Rescue service. Please make sure you are current for every year. Contact DDS Rescue to check your HIPAA status! Here’s the RDH MAGAZINE LINK https://www.rdhmag.com/patient-care/article/14173714/social-media-recommendations-for-dental-hygienists-hipaa-and-other-pitfalls Social media contains many pitfalls for dental hygienists and other healthcare professionals, but can be used properly with some good judgment and knowledge of HIPAA rules. Melissa Van Witzenburg, MS, RDH Social media is all around us, whether it is for personal or professional use. It has become the most effective way to connect with people all over the world. Currently, Facebook is the largest social media platform with over 2.4 billion users worldwide; other platforms have an average of half a billion to a billion users.1 Early in my career, electronic medical records were just beginning to become mandatory in health care, and social media was beginning to change the way we consulted with other professionals, educated patients, and marketed dental practices. It is important that we as health-care professionals are aware of guidelines and limitations when using technology, especially social media. The dos and the don’ts So, what are the dos and the don’ts of social media for health-care professionals? What can be discussed or shared on social media? To date, there are no firm rules on social media included in the HIPAA laws, but the same HIPAA principles apply to social networks. A HIPAA violation by definition is, “when a HIPAA covered entity—or business associate—fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.”2 These violations can be unintentional or intentional. According to the website HIPAA Journal, the following are general guidelines when posting to social media:3 Patient’s personal health information (PHI) should never be discussed on social media. PHI can only be on social media if written consent is obtained. Written consent must specifically state how the PHI will be used. Sharing images and videos without written consent is not permitted. Do not post any images inside an office where PHI is visible. Avoid posting information or gossip about a patient, even when the patient cannot be identified. Never assume a post is private, secure, or has been deleted. To help further this discussion, let’s examine four different scenarios. Posting x-rays: A patient’s bitewing x-ray is posted in a private dental social media group to discuss the performance of another hygienist and the treatment outcomes. For any dental hygienist, it is frustrating to remove calculus that has been left behind or burnished, but a post like this would likely be a HIPAA violation. Unless the patient has given written permission for an x-ray to be posted on social media, posts such as this are not HIPAA compliant. It is important to remember that even though a post may not identify a patient by name, the circumstance or provider may give away the patient’s identity. Also, whether or not photos or x-rays are posted on a social media site without written permission, it is simply not professional to criticize another professional on either a public or private social network. Venting about a patient: A patient questions your clinical skills and then requests not to see you again for future visits. After work, you take to a dental social network to express your dismay and explain the patient’s behavior during and immediately after the visit with you. While we’ve all experienced frustrating days when we’ve encountered a noncompliant patient or someone who simply was not friendly, it is not appropriate to gossip about patients on social media. In 2018, a pediatric intensive care unit (ICU) and emergency room (ER) nurse in Texas posted on her personal social media page about a child who was seen in the ER with a case of measles. While she didn’t identify the child by name, the number of measles cases diagnosed in this region was small, and because of this, the possibility that the child could have been identified increased significantly. As a result of the HIPAA violation, this nurse was terminated from her place of employment.4 While this was not an intentional violation of HIPAA, one cannot assume that all posts are private or can easily be deleted. Accepting a patient’s friend request: A patient sends a friend request to your personal social media page, and you accept. What is posted on a personal social media site can vary from what is posted on a professional page. Private or personal social media pages can be a place to express political and personal views that could potentially skew the way you are viewed professionally. While this is not a direct HIPAA violation, providers should exercise caution when friending or following patients, as this could provide an opportunity to commit an unintentional violation. Removing PHI from a practice: A clinician takes PHI and images from a previous place of employment and uses them to market a new practice on social media. This is a major HIPAA violation and can also result in other professional consequences and penalties. Whenever PHI is removed from a practice, it must be with written consent from the patient, and many employers do not allow PHI to be removed, regardless of written consent. HIPAA is regulated by the US Department of Health and Human Services Office for Civil Rights (OCR). If a provider is reported to the OCR and found to have violated HIPAA, there is a four-tier system in place to categorize the severity of the violation and the penalty associated. It
HIPAA AND COMPLIANCE NEWS
Treasury Dept: Ransomware Payment Facilitation Could Be Sanction Risk COVID-19 spurred an increase in ransomware attacks. The Treasury Department warns entities against facilitating ransomware payments for breach victims and possible sanction risks. THIS ARTICLE WAS ORIGINALLY PUBLISHED ON THE HEALTH IT SECURITY XTELLIGENT HEALTHCARE MEDIA WEBSITE Please talk to DDS Rescue about our cybersecurity solutions designed specifically for dental practices. BY JESSICA DAVIS October 01, 2020 – The US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanction risks associated with companies that facilitate ransomware payments to the threat actors on behalf of breach victims, as the act may violate OFAC regulations and encourage future attacks. COVID-19 has spurred a drastic increase in the frequency and sophistication of ransomware attacks, with many threat actors taking to the double extortion method. In these cyberattacks, the cybercriminal first gains a foothold onto the network, proliferating to all connected devices and exfiltrating sensitive data. The hacker will wait sometimes months before deploying the final ransomware payload. And if the organization refuses to pay, they then move to leaking some of the victim’s data to extort them into paying. Sometimes entities refuse, while others have paid up, then the hacker will supposedly return the stolen data. Healthcare has remained a prime target for these attacks, given that many do indeed pay the ransom to regain access to the stolen data and resume business operations. The latest incident involved the University of California San Fransisco, which paid its hackers $1.14 million to restore access to the servers of its School of Medicine. In April, RiskIQ reported that about 16 percent of healthcare entities will inevitably pay the ransom. Those recent victims include Blackbaud, DCH Health System, Kentucky’s Park DuValle Community Health Center, and NEO Urology, just to name a few. READ MORE: Ransomware Reigns, as Cyberattacks Increase in Sophistication, Frequency While security researchers and even federal agencies have empathized with these organizations leaning on their cyber insurance or outside security teams to facilitate these payments to release sensitive data, the FBI has repeatedly stressed that the move should be a last resort. What’s more, paying the ransom can actually double recovery costs associated with a ransomware attack. In light of a spate of ransomware, including the massive Universal Health Services attack, OFAC released an advisory that not only advised against paying – warned that these acts may violate the agency’s rules. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” OFAC officials wrote. “OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions,” they added. READ MORE: Ransomware Spurs EHR Downtime at UHS Health System, 3 More Providers The agency provide several examples of the sanctioned organizations, which include the notorious SamSam hackers that pummeled the healthcare sector in 2018. Other threat actors include Dridex, WannaCry 2.0, Evil Corp, and the Lazarus Group, among others. Many of these groups have ties to foreign governments, which caused their sanctions. OFAC officials explained that it will continue to impose sanctions on the hackers and “others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Not only do ransomware payments fuel future attacks, OFAC explained it also threatens US national security interests given their profit and later ability to advance their cause. Paying ransom to a sanctioned entity or jurisdiction could fund activities in conflict with national interests. And as noted repeatedly by security leaders, paying a ransom demand does not guarantee a victim will regain access to their data. Notably, one out of 10 ransomware attacks leads to data theft, while an average of 45 percent of healthcare CISOs have faced a cyberattack aimed at destroying data. Further, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), prohibits individuals or entities from engaging in transactions, directly or indirectly, with those on “OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.” READ MORE: 3 Key Entry Points for Leading Ransomware Hacking Groups “Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited, U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations,” OFAC explained. “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” they added. Entities should review OFAC’s enforcement guidelines before engaging in these transactions and to determine an appropriate response. Organizations are encouraged to ensure they have implemented a risk-based compliance program to mitigate potential exposure to sanctions-based violations. These recommendations extend to companies that work with ransomware victims, including cyber insurance providers, digital forensics firms, and incident response, and financial services. Lastly, when faced with a ransomware attack, organizations should first contact relevant government agencies. It’s particularly important for healthcare entities, in light of the UHS system outage and the death of a patient in Germany due to a ransomware attack, to review ransomware guidance from Microsoft, OCR, and NIST to bolster systems now, as recent attacks prove hackers have increased in both stealth and sophistication. Following the death of the patient in Germany, Emsisoft released insights that stressed the need for a federal ban on ransomware payments given the rapid increase for ransom demands and the likelihood of data theft. The security firm predicts more than $25 billion will be paid in ransom demands this year alone, with an overall $170 billion impact on the economy. In short, to Emsisoft, banning the payment of ransom demands to hackers is the only practical solution. “The ransomware problem has continued to worsen,” Emsisoft Threat Analyst Brett Callow told HealthITSecurity.com. “In the last month alone, nine healthcare providers or healthcare systems have been successfully attacked, potential impacting patient care at hundreds of individual hospitals
5 questions to ask about your backup system
Here’s an article from a few years back from Dentistry IQ. This information holds true today. Make sure you are asking the right questions before you purchase a backup system for your practice. Talk to DDS Rescue about which option is the best fit for you. By Gregory Campos, DDS In theory, it’s easy to understand the importance of backing up practice data on a regular basis. Real life, however, is another story. Dr. Gregory Campos walks you through five questions to consider when shopping for a computer backup system. Read the complete Dentistry IQ article
Crypto-Locking Malware Wielded by Even More Types of Extortionists
Ransomware: DarkSide Debuts; Script-Kiddies Tap Dharma Read the latest about RANSOMWARE from Data Breach Today Ransomware-wielding gangs continue to rack up new victims and post record proceeds. That’s driving new players of all sizes and experience – beginners, criminals already skilled in the ransomware ecosystem and more advanced attackers – to try their hand at the crypto-locking malware and data-exfiltration racket. For criminals, the draw of ransomware is easy to see: Using crypto-locking malware to extort organizations continues to pay ever-greater dividends – on average, now nearly $180,000, according to ransomware incident response firm Coveware, based on cases it investigated from April through June. The average amount was a 60% increase from the first quarter of the year (see: Ransomware Payday: Average Payments Jump to $178,000). Clearly, ransomware is surging, despite the ongoing economic chaos caused by the COVID-19 pandemic. In large part, of course, that’s because some victims are paying their attackers for the promise of a decryption key, to remove their name – and potentially, exfiltrated data – from a “name and shame” site, for a promise from attackers to delete stolen data, or potentially all of the above. On Thursday, the University of Utah disclosed that it was hit in July by an unspecified strain of ransomware that cryptolocked “employee and student information,” after which it paid attackers a $457,000 ransom – partly covered by its cyber insurance policy – in return for not releasing data. More examples: Blackbaud, which builds marketing, fundraising and customer relationship management software, last month claimed to have “recently stopped” a ransomware attack by paying off its attackers. Garmin, which builds fitness-tracker and navigation devices, also reportedly paid an undisclosed ransom amount to attackers who successfully encrypted its systems with WastedLocker. Ever-Growing List of Victims Not every ransomware attack, of course, results in victims paying. But many attackers appear to be playing the numbers. Via the attempt to name and shame victims who didn’t pay, especially if they’re well-known names, gangs also earn free marketing about their operations, potentially building buzz that might persuade future victims to pay them quickly to go away. The list of ransomware victims is growing longer. Recent victims include Brown-Forman, a Louisville, Kentucky-based manufacturer of alcoholic beverages – including Jack Daniels – that was recently hit by Sodinokibi, aka REvil, which claimed to have stolen 1 TB of data, including sensitive employee records. Brown-Forman vowed to not pay a ransom. The Sodinokibi ransomware-as-a-service operation has also listed on its dedicated data-leaking site “Happy Blog” the law firm GSMLaw as a victim, as well as fresh victims in the insurance, consulting, and oil and gas sectors. Sodinokibi is one of a number of operations that steals data before crypto-locking systems, then threatens to leak or auction stolen data unless victims pay (see: Avaddon Ransomware Joins Data-Leaking Club). Meanwhile Carnival, the world’s largest cruise ship company, on Aug. 15 suffered its second ransomware outbreak of the year and warned in a U.S. Securities and Exchange filing that both customer and employee data had likely been stolen. Other recent ransomware victims include Boyce Technologies, which builds transit communication systems – and lately also ventilators – and got hit by the DoppelPaymer gang, and Canon USA, which got hit by the Maze gang. DarkSide Makes Debut Drawn by the potential profits, new players continue to arrive on the scene. Kaspersky last month warned that the North Korean hacking team Lazarus Group now appears to have expanded into ransomware, which it drops after using malware to gain a foothold in a network and steal Active Directory credentials. arlier this month, another new ransomware operation called DarkSide appeared, although it claimed that its members are not newcomers. “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” the group claimed in a post to a hacking forum that was posted by Malwrhunterteam security researchers. “We received millions of dollars in profit by partnering with other well-known cryptolockers.” In the “press release” announcing its arrival, the gang says that it only targets organizations “that can pay the requested amount.” It adds: “We do not want to kill your business.” Bleeping Computer reports that the operation appears to have demanded ransoms ranging from $200,000 to $2 million. Security experts say there are some similarities between DarkSide and REvil, although no smoking gun that would prove that DarkSide is a breakaway operation. For example, DarkSide‘s ransom note is very similar to REvil’s, but such text is easy to cut and paste. Bleeping Computer also reports that DarkSide uses an encoded PowerShell script that’s identical to REvil, but again that could be copied. Also, both types of ransomware check infected PCs to ensure they’re not in one of the member states of the post-Soviet Commonwealth of Independent States. The CIS includes Russia as well as Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine (see: Russia’s Cybercrime Rule Reminder: Never Hack Russians). ‘Iranian Script Kiddies’ Wield Dharma Some ransomware-wielding attackers, however, appear to be newcomers to the hacking scene in every sense. For example, in what appears to be a relatively new phenomenon, a group of Persian-speaking hackers operating from Iran appear to be wielding Dharma ransomware for financially motivated attacks against targets in China, India, Japan and Russia, says cybersecurity firm Group-IB. Dharma, aka CrySis, first appeared as a ransomware-as-a-service operation in 2016, and continues to be “targeted at entry-level cybercriminals, and provides a paint-by-the-numbers approach to penetrating victims’ networks and launching ransomware attacks,” Sean Gallagher, a senior threat researcher at Sophos, says in a recent research report (see: How Dharma Ransomware-as-a-Service Model Works). Since it debuted, multiple variants of Dharma have been in circulation. In March, the source code for one such variant appeared for sale online for $2,000 on a Russian cybercrime forum, Sophos says. Whereas Dharma had previously been tied to relatively low ransom demands, in recent months, Coveware says it’s started seeing some six-figure ransoms being demanded by Dharma-wielding attackers. “The fact that Dharma source code has been made widely available led to the increase in the number of operators deploying it,” says Oleg Skulkin, a senior digital forensics
5 questions to ask about your backup system
Here’s an article from a few years back from Dentistry IQ. This information holds true today. Make sure you are asking the right questions before
Crypto-Locking Malware Wielded by Even More Types of Extortionists
Ransomware: DarkSide Debuts; Script-Kiddies Tap Dharma Read the latest about RANSOMWARE from Data Breach Today Ransomware-wielding gangs continue to rack up new victims and post record proceeds.
HHS OCR PRESS RELEASE: Cyber Alert – Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks
OCR is sharing the following update with our listserv from the Federal Bureau of Investigation (FBI), warning individuals that the FBI has observed cyber criminals
Alert: Postcard Disguised as Official OCR Communication
Alert: Postcard Disguised as Official OCR Communication August 6, 2020 OCR has been made aware of postcards being sent to health care organizations disguised as
Ransomware Attacks Delivered Via Phishing Campaigns on the Rise
Please read the latest cybersecurity news about email-based phishing campaigns used to deploy ransomware attacks. Attackers are specifically leveraging the COVID-19 pandemic to lure targeted
Reopening dental practices needs a team approach, ADA president says
Reopening dental practices needs a team approach, ADA president says Written by Gabrielle Masson | April 30, 2020 As some dental practices begin plans to reopen, dentists