Health IT

August 2020 Security Reminder Notice

3lp
HSGLogoR
 
 
Note: For HIPAA Survival Guide with Expresso clients, this Security Reminder will be stored in your DOCS / Products / HIPAA Tools folder.
 
 
 
 
"Forrester, a leading global research and advisory firm, recently analyzed the emerging cybersecurity risk ratings solutions market.
 
The free 2020 Forrester report delivers critical insights for CISO's and third-party risk teams on how and why cybersecurity risk rating solutions can fit into their security programs."
 
 
 
 
"video surveillance component consists of around 700 different Siqura cameras, working with VDG Sense video management software and storage from TKH Security,” Anwer said. “The iProtect access control system, also from TKH Security, manages around 400 doors with card and pin authentication. [The] iProtect security management system is able to flawlessly fulfill the set of complex requirements demanded by this client."
 
 
 
 
"The pervasive impact of Internet of Things (IoT) devices on our lives is greater than that of traditional IT devices. There are several unknowns in IoT security, and it raises concerns for customers who are looking to incorporate IoT devices in their existing infrastructure. Fortunately, security by design can resolve some of the major root causes of the underlying vulnerabilities in these connected devices.
 
In acknowledgement of the challenges discussed above, an internal NIST report IR8228 entitled Considerations for Managing IoT Cybersecurity and Privacy Risks indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. This report also points to the requirement of creating robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls."
 
 
 
 
"The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
 
Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
 
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam."
 
 
 
 
"A preliminary settlement of a class action data breach lawsuit against Iowa Health System - which does business as UnityPoint Health - contains an extraordinary provision that could prove quite costly.
 
Unlike settlements in most other data breach class action lawsuits, this one does not contain a "global cap" on the total amount of claims to be paid to victims.
 
Under the terms of the proposed settlement, UnityPoint will provide one year of comprehensive credit monitoring and ID theft protection services with a retail value of about $200 per settlement class member."
 
 
 
 
"On March 15, 2020, the CDC announced gatherings of 50 or more people be canceled for the next eight weeks, marking a pivotal point in the 2019 Novel Coronavirus. The CDC needed to make a strong recommendation to limit the spread of the virus, and on this day, there were 3,000 cases in the US, and airports were in chaos due to new screenings.
 
With our daily livelihoods changing right before our eyes, bad actors online started to see this chaos as an opportunity. SlashNext Threat Intelligence researchers identified that in the days which followed, we saw a +3000% increase in COVID-19 themed Phishing URLs. With no sign of slowing down, thousands of new phishing pages are launched hourly to steal personal information, corporate data exfiltration, and credit card fraud."
 
 
 
 
 
The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.
 
If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:
  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes
 
Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.
To view the presentation slides, click here.
To view the webinar recording, click here."
 
Nudge: The Federal government is reviewing what HIPAA will require for a new Privacy Rule Risk Assessment. Note that in anticipation of expected Federal Privacy regulations, we have developed a Privacy Rule Risk Assessment for Expresso.
 
 
 
 
"TikTok has long presented a parenting problem, as millions of Americans raising preteens and teenagers distracted by its viral videos can attest. But when the C.I.A. was asked recently to assess whether it was also a national security problem, the answer that came back was highly equivocal."
 
 
 
"Data breaches are a hot topic and will undoubtedly get even hotter. Cybersecurity for your own enterprise isn’t enough — you must evaluate your vendors and determine if they’re prepared to resist cyberattacks. 
 
The increase in data breaches has only led to more regulatory scrutiny. Regulatory focus on third-party vendors was already increasing after the 2008 financial crisis, but has reached a fever pitch in recent years. New data privacy laws often make companies liable for the mistakes of their vendors, even as businesses are relying on outsourcing more and more. So this reliance on vendors, suppliers and subcontractors means increased liability."
 
 
Nudge: Take a look at our new Business Partner Vetting Portal in Expresso. It will save time and money with a paperless method to obtain valid assurances from potential Business Partners. Contact us at [email protected] for a preview.
 
 
 
 
"Enforcement of Maine’s landmark online privacy law, which bans internet service providers from collecting and selling customers’ personal data without their permission, began this month after clearing a major legal hurdle in July.
Still, state officials can not provide a clear picture of what will happen to providers in Maine if they don’t comply.
 
The law dictates that internet providers must gather express, affirmative consent from customers before collecting any of their identifying data, such as location, browsing history or device identification. Providers also must give customers “clear, conspicuous and non-deceptive notice” of their rights at the point of sale, and are not allowed to offer promotions to customers who choose to give consent to have their data collected or refuse service to those who do not."
 
 
 
 
"The ransomware threat landscape worsened in several significant ways through 2019 and into the current year, according to BakerHostetler’s 2020 Data Security Incident Response Report. Average demands increased more than tenfold and all industry segments saw growth in attack frequency, with stark increases seen by education and government entities.
 
Several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment, the report noted.
The average ransom paid in 2018 was $28,920 and the largest payment $250,000. But that figure jumped to $302,539 the following year and the largest payment was $5.6 million, the latest report stated.
 
A tip to avoid this: require vendors to implement multifactor authentication to access an environment."

Posted at 09:59 AM in Accountable Care Organizations, Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Web/Tech | | Comments (0)

COVID-19 A Reminder to Reason

from the New England Journal of Medicine

 

https://www.linkedin.com/pulse/covid-19-reminder-reason-deborah-leyva-rn-hcp

 

PICT0002


"How long will this pandemic last? When will we find a treatment or vaccine? Which drug should we give our patients? Will we run out of personal protective equipment (PPE)? When will everyone return to work? We find ourselves in a time of great economic, social, and medical uncertainty. Faced with a crisis, Lee Iacocca, the late automobile company executive, once said, “So what do we do? Anything. Something… . If we screw it up, start over. Try something else. If we wait until we’ve satisfied all the uncertainties, it may be too late.” Similarly, in the heat of the Great Depression, Franklin Roosevelt commented, “Take a method and try it. If it fails, admit it frankly and try another. But by all means, try something.” Though a trial-and-error approach may be appropriate in business and politics, should it be applied to medical decision making during a pandemic?"

Posted at 01:43 PM in Current Affairs, Health IT, Health Reform, Healthcare, Population Health | | Comments (0)

Ransomware Resilience

March 2020 Webinar Title:
Ransomware Resilience: How to effectively respond to Ransomware when everything is on the line.
 
Description:
This webinar will discuss a framework for responding to a Ransomware attack in a manner that maximizes your negotiation options including, but not limited to: (1) how to avoid paying the Ransom; (2) how to pay the Ransom with plausible deniability if that is the option of least resistance; (3) how to walk through the Breach Notification Legal Framework for determining whether the attack in question requires notification to the authorities; and (4) the steps that should be taken to mitigate risks going forward.
 
Date and Time:
Thu, Mar 19, 2020 2:00 PM - 3:30 PM EDT
 
 
***************************************************************************************************************************
HIPAA Survival Guide March 2020 Newsletter Article
Ransomware Resilience: Only the Paranoid Survive!
 
Introduction
 
Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict upon the healthcare industry writ large, including the fact that patients will die if a concerted effort is launched attacking the industry at its weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained, to wit:
 
Three Steps to Resilience Against Ransomware:
 
1.     Back-Up Your Systems – Now (and Daily)
Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.
 
2. Reinforce Basic Cybersecurity Awareness and Education
Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees how to report incidents to appropriate IT staff, in a timely manner, which should include out-of-band communication paths.
 
3. Revisit and Refine Cyber Incident Response Plans
Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS -ISAC, in the event of an attack.
 
See CISA, MS -ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS. Really, circa mid-2019 (i.e. the date that the above “advice” was promulgated) is this the best that Team USA can do? NO! But you can rest assured for the foreseeable future this is the best that Team USA will do, premised on national security concerns. Team USA is not about to go any further than the “proverbial toe in the water”—doing nothing more than reinforcing the anemic response that it has shown pursuant to cybersecurity threats over the last four decades. It’s not about to expose its sources and methods by coming to the rescue of the healthcare industry. If patients must die, then so be it. After all we are at war. People die during wars. It’s the inescapable nature of the beast. This is on us. Team USA will do little more than what its already done by offering platitudes yet not venturing into the no man’s land of reallocating public/private Risks pursuant to cybersecurity threats. Big Brother is not coming to the rescue anytime soon.
 
As discussed in February’s webinar, patients are likely, almost certainly, to die from a forthcoming concerted attack on the healthcare industry—arguably, along with government itself, one of the most vulnerable industries in the country. Team USA will not change its current position according to public/private cybersecurity risks anytime soon, and when it does, it will be a slow roll. The healthcare private sector has no choice but to step up in a big way, but it appears weak, and imminently ill-equipped for this challenge. The most insidious reason that the industry is so ill-equipped is that it continues to be in denial vis-à-vis its vulnerability, despite the U.S. government, ratings agencies, and knowledgeable observers beating the drum for well over a decade now. Healthcare executives, not all but in sufficiently large numbers, exhibit a naive response to this growing cacophony. They just want to place their collective hands over their ears and hope that the noise goes away. It won’t. In the interim people will die, and the latter will have blood on their hands; along with their underlings—all complicit in standing by and taking no action, while the writing has been on the wall for a long time now.
 
If you are a CO that has been beating the drum to no avail, we suggest that you start writing “memos to file” (i.e. as a CYA strategy) according to recommendations that likely fell on the deaf, dumb and blind. It’s important that you lead your executive team to the water, and that you document these efforts, even though you can’t make them drink. We understand that many CO’s are not able to affect real change within your respective organizations; you’re overworked and underpaid. Eventually, your management team will “wake up and smell the coffee” or perish as roadkill on the info highway. It’s important that you live to fight another day.
 
Ransomware Resilience Framework
 
What is a Ransomware Resilience Framework (“RRF”) and why does it matter? Glad you asked. Our RRF (shipping soon to a theatre near you) is designed to help organizations of all sizes who experience a Ransomware attack to respond effectively, keeping in mind that lives are at stake. Our Framework also attempts to cover the major components of Ransomware Resilience, which by necessity, touches on other collateral in our Subscription Plan (e.g. our Breach Notification Framework, our Contingency Framework, and our Breach Response Framework). Other than the obvious shameless plug, we use our offerings here as reference to eliminate the healthcare industry’s constant lament that compliance is too confusing, too expensive, etc. Fill in your excuse du jour. These excuses do not hold water because once patients start dying based on your neglect, they will seem even more vacuous. We’re in perpetual cyberwar, no amount of excuses will get you through these dark tumultuous times. The healthcare industry writ large must take the proverbial “bull by the horns” and begin to take serious actions to mitigate the number of lives lost.
 
Resilience Components
 
Here we capture, at ten-thousand feet, the major components you should have in place as part of your Ransomware Resilience initiative. Our objective here is to put you on notice. If you want to take your initiative to the next level, then you must make the necessary investment. You can purchase our RRF or spend hundreds of man-hours trying to piece together the pieces of the puzzle yourself, but the important thing is that you act quickly. Time is not on your side. Patients’ lives are at risk because your organization has failed to prepare. This is true across the healthcare industry writ large.
 
No one contests the foundational material facts that lead to this inference. Last month’s webinar contains the sources that we relied on to arrive at this sobering conclusion. You can also look here and here for additional background. This is dark and unsettling territory that we have embarked upon, but we are never going back to the nonexistent, yet soothing concept, embodied in the nostalgia for the good-ole-days. For many of our fellow citizens, these mythical good days weren’t all that good. Moreover, if they ever existed, they are long since gone; we have crossed the Rubicon.
 
Preparedness
 
The problem with “preparedness” is that it is too easy to fall into a litany of platitudes that everyone knows they should do, yet no one does. Well sorry to say that we are not going to disappoint. Prepare for some dull, boring, trite platitudes. However, the difference is that our RRF provides the reader with a set of tools that facilitate “preparedness,” because at the end of the day there is no escaping it. You will be forced to develop your own preparedness plan (“Response Plan” or “Plan”) or modify ours to suit your needs. Having a plan in and of itself may help you avoid some liability (i.e. to the extent that having a Plan allows your legal team to make an argument that “far from being completely negligent, you were attempting to do the right thing”). Most of you understand that although this argument is better than no argument at all, it’s only going to take you so far. At the end of the day you will be forced to provide visible, demonstrable evidence (“VDE”) that you have responded to a Ransomware attack in an effective way—that is, your “boots on the ground” did the right thing.
 
Here's an outline of a Plan to get you started:
  • Review and distribute of Ransomware Resilience Policy
  • Review, modify, and distribute the Application Sensitive Data Criticality List (i.e. so that you know what applications and data to restore and in what order)
  • Actions that should be taken to ensure that the vector that allowed your adversaries to install the Ransomware malware has been plugged
  • A methodology for determining whether a breach has occurred (i.e. because any Ransomware response will require a breach notification analysis)
  • A forensic analysis to discover technical root cause analytics;
  • A legal analytical framework for deciding if the root cause analysis necessitates breach notification under applicable law, both state and federal;
  • A review of tools and templates such as executive management/board of director’s updates, call lists, sample notification letters/communications to stakeholders, press releases.      
  • Incidents
  • Ensure Incident gathering and documentation process are in place;
  • Ensure that your incident master document was designed, implemented and routed for approval.
  • A Communications plan
  • Communication to Response partners and the activation of Response teams;
  • Communication to regulatory authorities;
  • Communication to media, social media, and other appropriate organizational news consumption endpoints;
  • Communication to individuals impacted;
  • Activation of Call Center for inquiries;
  • Activation of identity protection services as required;
  • Activation of remediation teams, including closely working with third-party technical partners.
  • Response Plan Testing
  • Test your ability to instantiate virtual (i.e. cloud-based) servers wherein users can be routed once mission-critical data is restored;
  • Test the immediate incident reception and analysis workflow;
  • Instantiate and test the Communications Plan;
  • Review remediation readiness.
  • Response Postmortem
  • Review the status of remediation;
  • Update the executive management team on remediation progress;
  • Implement additional Security Controls that would prevent similar attacks;
  • Update Ransomware Response Plan according to insights gained from postmortem.
 
Whew! If you are not overwhelmed by now you haven’t been paying attention. Once the magnitude of the problem is understood then everyone becomes overwhelmed; no surprise. Most compliance officers are also paralyzed into inaction. They don’t know what to do or where to start. Our Frameworks answer this question. Moreover, the entirety of our Subscription Plan focuses on this issue. The shameless plug is unavoidable. Why? Because it demonstrates that there are cost-effective and compelling solutions in the marketplace today. If your organization is not willing to spend a little over $1K to address the problem, then there is nothing anyone can do. The abyss awaits you. It should go without saying, but with an abundance of caution, we will expressly state that there are other competitive solutions available in the marketplace, despite the fact that we believe ours is more comprehensive and offered at a price point unmatched anywhere. The takeaway from this article is this: do something. Doing nothing is no longer an option. Doing nothing will likely result in people dying. Start you Ransomware Resiliency initiative today.
 
Incidents
 
Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the operations of an Information System. Although not all Ransomware attacks constitute Breaches per se, all are security incidents and must be analyzed as such. Notice that an attempt qualifies as an Incident. That is one of the reasons that all Incidents should be tracked as part of a rigorous compliance initiative. Tracking Incidents is obviously a key part of the Ransomware resilience process and shows visible demonstrable evidence that your organization is serious about your Ransomware response. That said, tracking Incidents is necessary, but not enough. As this article illustrates, more is required.
 
Teams
 
No man is an island. There is no compliance officer anywhere capable of responding to a Ransomware attack on his/her own. This is impossible for obvious reasons. That said, most compliance officers also do not have a Ransomware resilience program in place. They don’t understand the magnitude of the problem. They are blissfully ignorant of the teams (“Teams”) they must collaborate with to effectively respond. The Teams of necessity will include inside or outside counsel and the potential need for additional technical personnel with deep experience in Cybersecurity. You don’t want to be scrambling to put these teams in place after an attack. During an attack, you will be facing enormous pressure and it won’t take you long to figure out that your career is on the line. If you work for a certain kind of covered entity, then you are likely to also realize that lives are on the line. Failing to prepare is akin to “planning to fail.”
 
Testing
 
There is not much sense in developing a Ransomware Resilience Plan (“RRP”) if you don’t test prior to use. Sure, the old military adage that “no plan survives” the first contact with the enemy remains true; however, the military, writ large, plans more than any other organization that we know of. Why? Because if you don’t have a baseline plan, including provisions for reacting to the adversary’s anticipated actions, then you won’t know what to tweak should the unexpected occur. In war, the unexpected almost always occurs. Cyberwar is no different. Planning represents one of the most effective tools in a compliance officer’s toolbox. Yet most compliance officers do not have resilience plans in place, let alone one that has been rigorously tested.
 
Conclusion
 
This article has covered a significant amount of ground. We intended it to. We are at war. It is time that we get on with the business at hand. Big Brother is not going to come to the rescue. By all accounts, Big Brother is incapable of protecting its own information systems. We crossed the Rubicon. We are now in dark and uncharted territory. Hoping that things will get better on their own is the stuff of children. There will be no peace in our lifetime. Winston Churchill was virtually alone in the wilderness sounding the alarm of what Nazi Germany was up to, long before the commencement of WWII. Here we are not alone. Others have done the leg work. We are doing nothing more than connecting the dots and stating the inescapable inference. People are going to die because of Ransomware or computer network attacks on the healthcare industry. That blood will be on all our hands. What is the acceptable death count?
 

Posted at 02:00 PM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

The Compliance Manifesto Podcast

Capture
In case I haven't mentioned it, we recently began a Compliance Podcast where we first reviewed The Compliance Manifesto, 2nd Edition and its contents at a high level. We also plan to have conversations with industry luminaries to discuss issues of importance in the compliance space as well as other relevant topics. Download a Podcast Episode from the Podcast player of your choice as shown here.

Posted at 09:21 AM in Health IT, Healthcare, HITECH / HIPAA, Internet Resources, Podcasts | | Comments (0)

HIPAA Survival Guide Newsletter & Webinar February, 2020

 
 
FREE FEBRUARY WEBINAR
 
Webinar Title: A Short History of Cyber war and Why It Matters

Description:  
This webinar will discuss the history of cyber warfare and its impact on Compliance. Understanding cyber war is a small step in the right direction, but not sufficient. Organizations, and especially those responsible for compliance, must do a better job preventing cyber attacks. 
 
Because in healthcare, the lives of people and not just data are at stake. 

After registering, you will receive a confirmation email containing information about joining the webinar.
 
Date:     Thu, February 20, 2020
Time:     2:00 - 3:30 p.m. EST
 

A Short History of Cyber War and Why it Matters
 
 
 
 
 
Introduction
 
If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; 
that's all there is to it. Compliance and cybersecurity are joined at the hip, they can't be separated. Like peanut butter and jelly. 
 
OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates. This history doesn't begin in 1983 but that was the groundbreaking year President Ronald Reagan watched War Games [1] (the movie). He was so intrigued by the narrative that in a White House Briefing on a different classified topic, he stopped the discussion and asked the Joint Chiefs ("JC") and others in attendance if anyone had seen what was portrayed in the movie War Games and could it really happen? The group was speechless. First, they hadn't seen the movie because it just came out and second, they thought the Prez was being a little "nutty" since he had recently announced his "Star Wars" policy. One of the chiefs had someone in mind who could provide a quick answer to the question, and the answer came back (paraphrasing), "Mr. President, it's even worse than you think!" But despite the fact the group was astounded by the answer, they likely gave very little credence to it. Nothing changed. Why? Because generals are always fighting that last war.
 
Four Star (****) Generals don't appear to have any interest in the geeky nonsense. If there are cyber-targets, they would rather just bomb them into nothingness; problem solved. Well not quite. Because if you decimate the enemy you lose the opportunity to penetrate their networks in the same way they have penetrated ours. It's an offensive "opportunity cost." You don't know what you don't know. Fortunately for the USA, there were some real believers at the National Security Agency ("NSA") (i.e. you know, the agency that for sure does NOT listen to communications between Americans), and some career officers that were the best and brightest in cryptology, deciphering, and electronic espionage. They were committed to showing the DOD, JC, and the President just how easily we could be hacked. Should new defense systems require re-design, updates, testing, and implementation? What's this new problem called? Cybercrimes, Cyber War, Cybernetics, Cyber Threats? In 1994 it was ultimately named Cyber Security. With this recognition, the nation began moving from Signals Intelligence (SIGINT) to the cyber age (i.e. all intelligence taking a digital form).
 
So, how do we protect critical infrastructures like Telecommunications, Electrical Power, Oil and Gas, Banking and Finance, Transportation, Water Supply, Emergency Services, and Continuation of Government in an emergency? These components mostly relied on networks and/or computers and could be impacted by cyber threats. But then, the big question in our mind is Where is Healthcare on the list? Healthcare must be considered a key component of the national infrastructure deserving protection. Electronic Medical Records and healthcare devices are also prone to hackers, especially when they provide interoperability and sharing of patient data across the Internet. Furthermore, that information not only consists of patient medical records, but also credit cards, insurance accounts, Medicare and Medicaid billing data, and provider Fee-for-Service records. It is likely that omitting the healthcare industry from the initial "critical infrastructure list" was an oversight. Clearly, it is a critical infrastructure. Witness the trouble that could be created by adversaries if the CDC's computers were hacked-right in the middle of dealing with a potential emerging pandemic threat, one analogous to what we are facing at this very moment.
 
Interestingly, an NSA project to bring down the telephone grid in several large cities was authorized as a cybersecurity study called "Eligible Receiver." This project's purpose was a demonstration of how to bring down power grids and 911 emergency communication lines for 8 cities: Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville and the island of Oahu, Hawaii. Although this project impacted the delivery of healthcare services to needy people, it's actual purpose was to pressure political leaders into removing certain sanctions that negatively impacted Cyber Security Teams and their research on cyber threats. To make matters even more explicit, the NSA took it a step forward and successfully launched a similar attack on the military's telephone, fax, and computer networks. 
 
Eligible Receiver consisted of a group of NSA analysts who attacked systems that the DOD and JC thought were impenetrable. The NSA thought they could do it in four days. It took one day! Many defense computers weren't protected with a password; others were protected by gimpy passwords, like ABCDE or 12345. In one case, a team member simply called the office and said he needed to reset all passwords for security reasons; he got a password without hesitation. After successfully penetrating many computers, the team left notes; "Kilroy was here." But then they did more, they intercepted communications, deleted files, and sent false emails. This is the ultimate goal of Cyberwarfare; "disrupt the norm, confuse the parties, and have them believe false information!"[2] 
What might happen in traditional wartimes?
 
Eligible Receiver demonstrated that the DOD was completely unprepared for cyberwarfare, yet progress continued to be SLOW. In 1997 the President's Commission on Critical Infrastructure Protection released a report that stated, "We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power."[3] 
 
With this statement, military operations began to focus on cyber threats as weapons of mass disruption! In 2009 a dedicated Cyber Command was established having a budget that went from $2.7 billion to $7+ billion in its first three years.

Short Chronological History of Key Events

  • 1952 Establishment of the National Security Agency (NSA) America's largest secret Intelligence Agency.
  • 1980 Computers for the masses.
  • 1984 Reagan's National Policy on Telecommunications and Automated Information Systems Security.
  • 1990 Evolution and widespread use of the Internet with a new focus on electronic medical records. 
  • 1990 Air Force Cryptology Support Center established.
  • 1995 Critical infrastructure Working Group created. 
  • 1996 HIPAA becomes law.
  • 1996 Two kinds of threats to Critical Infrastructure identified: Physical and Cyber.
  • 2009 Creation of a dedicated Cyber Command. 

Still, Progress has Remained Painfully SLOW

Why is progress SLOW? Because most generals still prefer to drop bombs. I guess it's the macho thing to do. Furthermore, all of us have biases in favor of what we know works, rather than having to grok a heavy topic like cybersecurity. There are many Compliance Officers in healthcare that prefer to remain in the dark for that same reason. Ignorance is bliss until a breach occurs. It's not a question of if, but when one will occur. That's when all those things you have not been paying attention to will be available to all relevant stakeholders: (1) the executive management team; (2) the board (assuming you have one); (3) your colleagues; and perhaps (4) the offices of HHS and State Attorney Generals. 
 
Remember that willful neglect fines start at $50K and max out at $1.5M for identical violations. However, if you are in willful neglect of 10 distinct violations you could max out your civil monetary penalties (just for willful neglect) at over $10M. This does NOT include the cost of notifying patients when (not if) you have a Breach. The Ponemon Institute, which has been conducting Breach cost studies for nearly a decade now, states that in Healthcare it costs $400.00 per record/patient to notify. Say you had a small Breach of 10K records. You do the math. It is going to ruin your day and perhaps your career. Unfortunately, many Healthcare Compliance Officers believe that they have HIPAA wired. There are a few that do; most do not. 
 
The latter have no idea of the unknown unknowns. The smart ones, like the rest of us that struggle with complex topics, are willing to embark on a lifetime adventure of continuous education. The others, including us if we stop learning, will become roadkill on the info highway. Nothing personal. Simply the manifestation of Darwinian capitalism in a global economy. There is always someone coming after your job. You can bank on that! As we discussed earlier, the generals are always fighting that last war. It's the nature of the business they're in. They are students of military history; however, no amount of history is going to help you when your adversaries are rapidly inventing the future of cyber warfare as we speak. 
 
The Healthcare industry is especially vulnerable, a fact that the bad guys (organized crime, enemy nation-states, and enterprising hackers to name a few) are aware of. The Healthcare industry is SOFT compared to, for example, banks and financial services industries. Moreover, even the latter is NOT as prepared as they should be. Why are we not better informed about the current vulnerable state of affairs? Because for obvious reasons, including the fact that we are at war, it is not wise to broadcast your vulnerabilities to your enemies via public discussions. Many in Healthcare believe that an attack (ransomware, DDOS, etc.) won't happen to them. That's the stuff that happens to other people. And it turns out, it has been happening to other people in Healthcare A LOT. So much so that HHS is now starting to pay attention to small as well as large Breaches; even those that don't reach 500 records (a ridiculously low number to start with) that places your organization on the HHS Wall of Shame.

SCADA Systems

Hospitals generally do not have supervisory control and data acquisition systems ("SCADA") per se, because the latter is a term that is usually associated with production plants of all kinds, including but not limited to oil refineries and nuclear power plants. However, hospitals have thousands of electronic devices, now networked, that collect information on patients 24/7 365 and are ALL potential vectors for an intrusion. Imagine what would happen if an adversary were to shut down a Hospital's grid and it didn't have a redundant power supply. People would die. It turns out that we don't have to imagine this scenario, it happened during Katrina and recently in Venezuela when its grid was down for three weeks. Ah, does anyone believe that Venezuela's grid remained down for three weeks by accident? If you do, then you haven't been paying attention. Nation-states must test their cyber warfare offensive capabilities somewhere. Remember it was Americans, together with the Israelis that launched Stuxnet against an Iranian nuclear power plant in 2007, bringing it down to its knees. Enough said.

HIPAA

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act ("HIPAA") and it became law. HIPAA included provisions to simplify administration and protect patient data confidentiality (i.e. the Privacy Rule) and included cybersecurity protections in the form of the Security Rule. The law did not go completely into effect until circa 2005. It was not taken seriously by the healthcare industry until the Breach Notification Rule was introduced in 2009 as part of the HITECH Act. Therefore, the industry writ large has arguably only been paying serious attention to cybersecurity for about a decade. Although significant progress has been made amongst the largest covered entities and business associates, progress has not been as widespread for the remainder of the industry, which in terms of numbers means the vast majority of covered entities and business associates who remain incapable of protecting the PHI they have been charged with protecting. That status has begun to change incrementally, but not apace of what the bad guys are capable of launching. This needs to change. Understanding a short history of cyber warfare is a small step in the right direction; necessary but not sufficient. The industry must do better. Lives, not just data, are at stake.

1  Lawrence Lasker and Walter Parkes, 1990: "WarGames"
2  Fred Kaplan, Dark Territory: The Secret History of Cyber War
3  Ibid
 
Signup for our FREE Newsletter here.
 

Posted at 11:03 AM in Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Webinars | | Comments (0)

HIPAA Survival Guide December 2019

What you need is a workflow..

Introduction

We have often preached our mantra that compliance can only be achieved at the granularity level of a requirement ("Requirement"). Further, the only way to show compliance is by providing visible, demonstrable, evidence ("VDE") that the Requirement's result was delivered. A Requirement presupposes the existence of a discrete deliverable. VDE is an abstraction that indicates how this result is accomplished; however, it only works at 10K feet. To make it actionable within your organization you need a process that works at ground level. What you need is a well-defined process that achieves the result. What you need is a workflow.

Since this workflow topic is "heavy," as you read through this month's article, please note that you may contact us with questions you may have. Email us at: [email protected]

The following are examples of Privacy Rule ("PR") workflows and their attendant results.

  • Authorize PHI         ->     PHI Authorized
  • Restrict PHI            ->     PHI Restricted
  • Access PHI             ->     PHI Accessed (or delivered)
  • Amend PHI             ->     PHI Amended
  • Disclose PHI           ->     PHI Disclosed
  • Account for PHI      ->      PHI Accounted for

To demonstrate the need for a workflow, we borrow from the book: Workflow Modeling, Tools for Process Improvement and Application DevelopmentSecond Edition by Alec Sharp. Key definitions From Alec's work are shown below to enable the development of coherent compliance workflows and avoid the recursive semantics that has led many workflow projects into the abyss-turning what Edward Yourdon (father of Data Flow Diagrams) once correctly called "death march projects." Once you have experienced a demolished workflow design process and managed to survive, you never want to experience one again. Unfortunately, because we are veterans of the technology industry, we have managed to survive more than one-a fate that we would not wish on our worst enemies. 

Definition of a Process (aka "Workflow")

It should go without saying that a Process involves some sort of work. Duh. Well not so much because what often appears obvious in the business modeling space isn't.

A Process is a defined method to achieve some result, and that result is far more important to the definition of a business process than the work that goes into it.

Named in Verb-Noun Form

The first step in deciding whether or not you have a process is to name it and apply two exceedingly simple and useful guidelines:

  1. The Process name, at it's simplest, must be in the form verb-noun. (e.g. Assign Inspector). It might be in the form verb-qualifier-noun (e.g. Assign Backup Inspector) or verb-noun-noun (e.g. Assign Inspector to Route). Note the Processes are almost always defined in the singular. Not "Handle Orders" but rather "Fill Order."
  2. Here's where it gets interesting-the verb-noun name must indicate the result of the Process, as follows. If you flip the terms around into noun is verbed form, the phrase should indicate the intended result of the Process (i.e. as we have done above in the PR examples.

Delivers a Specific, Essential Result

And now it really gets interesting. The result of the Process, in "noun-verbed" form, must meet three criteria. 

The Result is discrete and identifiable

  1. That is, you can differentiate individual instances of the result, and it makes sense to talk about "one of them." For instance, the result of Authorize PHI is that one individual or entity is now authorized to view the patient's PHI. It stands to reason that a patient can designate one-to-many Authorizations.

The Result is countable

  1. That is, you can count how many results you have produced in a day, week, month, year, etc.

The Result is essential

  1. That is, it is fundamentally necessary to the operation of the enterprise, not just a consequence of the current implementation. It is axiomatic that "Authorize PHI" is essential to a Covered Entity ("CE") under HIPAA because it is a HIPAA regulatory requirement.

Producing VDE Requires a Workflow

It is axiomatic that producing VDE requires a Workflow. The "triggering event" in compliance is a Requirement; the result is the fulfillment of that Requirement. Do all regulatory Requirements fit this model? Who knows? We believe that the majority do. Here our objective is not to reach Workflow Panacea, that is way beyond our pay grade. Our objective is to illustrate how widely the Workflow Modeling framework can be applied to compliance, and in this instance to HIPAA. To be a competent Compliance Officer going forward it is essential that you master this discipline. Workflow modeling should be one of many tools inside your toolkit. If you want a seat at the C-Suite table that means getting busy. Iterate. Iterate. Iterate. Literacy. Literacy. Literacy.

Other Workflow Considerations

A Process is initiated to deliver its Result by a triggering event ("TE"). Generally, but not always, the Process is triggered by the "customer" that will benefit from the Result. The customer may be internal or external. In the examples herein, it is the patient or legal representative ("Individual") that triggers these processes. Between the TE and the Result is a collection of tasks, actions, steps (referred to as "Activities") that must be accomplished to deliver the Result. There may also be sub-processes, each meeting the Process definition, that may be interposed between a Process and its Result. For the Processes we present here as examples we will constrain the analysis to a collection of Activities. 

However, within your organization, there may be sub-processes interposed. That is something we leave as an exercise for our readers. Be forewarned, there are some non-trivial technical challenges when you start interposing sub-processes. Each sub-process consists of another collection of Activities.

The Activities within a Process must be interrelated, they are not just some arbitrary collection of work. They must be related either through a necessary sequence or a dependency. A dependency is implicated when Activity "C" cannot occur until Activity "B" is completed. This distinction may be semantic "hair-splitting" because a sequence appears to implicate dependency, although one could quickly think of use cases where this is not true (i.e. where the sequence does not occur in any particular order).

Activities are also interrelated because they all deal with the same "Token." We think of a Token as a single unit of work. For example, in the "Authorize PHI" example the Token is the work required to complete the Authorization, provide the necessary access, or notification of denied access. If we included training staff to deliver Authorizations in that Process than that would introduce a different Token-which under this model would mean that said training constitutes a separate Process.

Privacy Rule Example

The example provided below is intended to be just that. We do not pretend that this example Process will meet every CE's need, or that of any specific CE. We intend, by way of example, to demonstrate how you should be thinking about Workflow Modeling within your organization. We also hope to extend our lexicon to show that producing VDE for a Requirement requires a Process and what that Process might look like when diagrammed.

Authorize PHI

This Requirement is driven by the following PR section: §164.508 Uses and disclosures for which an authorization is required. In general, the Requirement is stated as follows:

(1) Authorization required: General rule

Except as otherwise permitted or required by this sub-chapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

Let's provide a specific example. An aging mother (C) requests medical record access from her Physician (CE) for her daughter (Entity A). The TE for an authorization is the Individual ("I" or "C") (e.g. the Mother) who has requested access for her daughter. 

In this simple example the Individual is both the Customer ("C") that triggers the Process ("P") and is the ultimate beneficiary of the Result ("R") (however here there are two beneficiaries(1) the Mother (C); and (2) the Daughter (Entity A) that actually get authorized access to the PHI)

  • Authorization Requested by (C) for Entity A
  • Request communicated to Physician (CE) 
  • Validate Request
  • Provide Access
  • Notify Customer (C) and Entity A

Right away there should be some flags that are set off based on the simplicity of this Process. But first let's determine if all the attributes of a Process are met:

(1)   Here the R is discrete and identifiable: Access to the PHI has been provided and the Individual has been notified (two results here).

(2)   The number of times an Authorization is provided is clearly countable over time.

(3)   The R is essential in that it fulfills a regulatory requirement.

So, it appears that on its face we have a valid process. The issue is not based on the validity of the Process but rather on its simplicity. To see why this is true let's explore other aspects of §164.508. The Rule states as follows:

1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed, or the expiration event is known by the covered entity to have occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

It should be clear from above that the Authorization requires validation and that the next steps cannot proceed until validation is complete. Further, it should be clear that "Validate Request," written in verb-noun form, is likely a sub-process with its own set of Activities. The same is true of "Provide Access" and "Notify Customer." 

What are the takeaways thus far? First, it should be clear that Process modeling is iterative. You are simply not going to get it right during your first attempt. Second, in order to model effectively you are going to need some expert knowledge of the subject matter domain. Third, there are other questions and/or flags that should be on your radar by now. For example, what happens if "Validate Request" fails? And a sub-process to "Store Validation?" If we do not perform the latter how will we find the Authorizations that this Individual has triggered when the same (or other) person/entity wants access again?

Here is an example of a Swim Lane Diagram for this Example (Workflow Process). A quick explanation of its components is helpful. 

  1. Left side (in grey) contains the names of the individuals or departments responsible for performing the duties to it's right (on the same line) a) Individual, b) Compliance Officer,    c) HIM Department, and d) Entity A.
  2. Arrows point to subsequent activities once the prior activity is complete.
  3. Notes are entered for clarification and further explanation.
  4. Blue starts the process (Triggering Event) and Red stops the Process.
  5. Yellow diamond designates yes or no response and may have sub-processes.

SwimLane

Summary

Are we done? No. There are other steps in the Process modeling framework that remain (e.g. creating a more detailed "swim lane diagram"). However, the intent here was to introduce Process modeling and how it might work pursuant to the Privacy Rule. We suspect that most healthcare organizations have not modeled the Processes required to comply with the HIPAA Rules (i.e. Privacy, Security, and Breach Notification). Process modeling is the mechanism by which an organization gets "down and dirty" with the Activities necessary to produce VDE for a single Requirement. 

Stay tuned for future webinars where we will provide additional information about how your organization can use swim lane diagrams (workflows) to improve HIPAA Compliance. 

Signup for our FREE Newsletter here.

Posted at 02:55 PM in Current Affairs, Health IT, Information Technology for Healthcare (EHR/EMR), Knowledge Management | | Comments (0)

EXPRESSO 2.5 RELEASED! and the HIPAA Survival Guide October Webinar

 

To sign up for our free monthly newsletter and webinars, click here.

 

 RExpresso2Expresso Release 2.5 Shipped!

Expresso Release 2.5 features our Breach Notification Wizard that shipped on October 23, 2019. See the Press Release! The Wizard allows Expresso Users to analyze Security Incidents to determine whether a Breach has occurred.  It walks users through an automated analytical framework to determine if a Breach is triggered and, if so, it provides the reporting times required under applicable federal and state law. With this release, we continue to deliver on the promise of Enterprise Compliance for the Masses.  Ask us for a demo to get a preview! Email us at [email protected].

 

OCTOBER WEBINAR

Webinar TitleHow Other People Comply with the Security Rule (Redux)?

Description: This webinar will review one of the most insidious Required implementation specifications of the HIPAA Security Rule: Information System Activity Review and provide some "show and tell" of an elegant and affordable solution to this problem.

Featuring 

Proactive Patient Privacy Monitoring

Veriphyr

Accurately Detect Inappropriate Access - The First Time It Happens

Advanced data science enables automatic and accurate reporting of impermissible use by anyone who accesses your clinical or business systems.  

Date:  October 24, 2019

Time:  2:00 - 3:30 p.m. EST

Register here for the Webinar!

 

SECURITY REMINDERS

Introduction

Given the quality of today's "alert tools," (e.g. Google Alerts) fulfilling the "Addressable" implementation specification ("Security Control" or "Control") under the following section of the Security Rule should be a "no-brainer:"

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).(ii) Implementation specifications. Implement: (A) Security reminders (Addressable). Periodic security updates.

Still, we believe that this seems rather basic Security Control rarely gets implemented, and when it does, it's done in a manner that is either trite or overwhelming, neither of which make it actionable for your Workforce. First, let's clear up (again) a myth about what an "Addressable" Control means. 

One bright-line rule that you can take to the bank is that it doesn't mean optional! In plain English, an Addressable Control under the Security Rule means: (1) that you must implement the Control as stated in the Rule; or (2) that you must implement a suitable alternative for an organization of your size, sophistication, resources, etc.; or (3) you must document a compelling rationale why you decided to do nothing. Simply ignoring an Addressable Control is likely to get you a "willful neglect" fine; which start at $50K a pop (ouch).

The Challenge?

The challenge here is that we can think of no compelling rationale(s) why even the smallest Covered Entity or Business Associate cannot implement this control. Further, let us remind you of one of the guiding principles that underpin the Security Rule and that is, you are required to do what is "reasonable and appropriate." We often call these legal "weasel words" because it is how HHS, or a court of law, can "bite you" even when you believe that you are otherwise in full compliance. For example, encryption is also an Addressable Control under the Security Rule, but if you are storing your PHI in the cloud (e.g. on AWS or Azure), where you can literally encrypt with "clicking a checkbox," do you really believe that the authorities would find it "reasonable and appropriate" if you failed to check the box? Of course not.

So that begs the question, why is this Control so often ignored or implemented in a manner that makes it virtually useless? One reason is that you can't continue to provide "motherhood and apple pie" Security Reminders and not expect them to be ignored, (e.g. do not share passwords, use strong passwords, lock your workstations when not in use, don't open emails from people you don't know, etc., etc.). It's not that "motherhood and apple pie" are bad things in and of themselves, it would be silly to suggest that. However, if that's what your Reminders consistently regress to then it's akin to your mom nagging you to clean your room when you were a kid. You may eventually do it because the nagging becomes "worse than the cleaning," or out of fear of some more dire form of reprisal (e.g. taking your Nintendo away) but it's unlikely to change your conduct going forward. Mom will continue to nag because you will continue to need it. 

The Purpose?

That brings us to the critical question we want to pose in this article: "What is the purpose of Security Reminders?" From our perspective, the purpose is to change your organizational compliance DNA over time so that this small, but meaningful, Control significantly contributes to the creation of a "culture of compliance" within your organization. Compliance is not a "set and forget or once and done" process. In the 24/7 365 online world that we all now inhabit, cybersecurity must be transformed from some necessary regulatory evil to a mission-critical piece of your value proposition for patients and other stakeholders. Even a small breach is going to ruin your day and cost you thousands of dollars to analyze and report. If a robust Reminder program can prevent and/or mitigate the same, then this is a huge organizational win.

Summary

So, what should a robust Reminder program consist of? Like so many things in the HIPAA compliance universe, there's no single way to go about implementing one. However, as a guiding principle, it should produce "news your Workforce can use" (i.e. in addition to motherhood and apple pie) regarding emergent "zero-day" exploits, including but not limited to, remediation for new: (1) phishing schemes; (2) attack vectors; (3) ransomware; and (4) encryption strategies, etc. Reminders should also be used to inform your Workforce of material changes in the law and events that mandate new Risk Assessments, like mergers and acquisitions, moving your data center, and other significant modifications to your operational environment.

 

 

Posted at 08:01 PM in Health IT, HITECH / HIPAA, Webinars | | Comments (0)

HIPAA Stuck on Stupid Webinar

TitleStuck on StupidHow to Eliminate 95% of HIPAA Liability while being less than Thirty Percent (30%) Compliant.

Description: This webinar focuses on providing the C-Suite and compliance officers a strategy for eliminating a significant portion of HIPAA liability despite the fact that your organization may be less than 30% compliant. All organizations, both large and small, must make strategic decisions as to what to attack first with limited compliance budgets and staff.
 
Date:  March 21, 2019
Time2:00 - 3:30 p.m. EST

 

Posted at 09:18 AM in Current Affairs, Health IT, HITECH / HIPAA, Web/Tech, Webinars | | Comments (0)

Human Error and Cybersecurity Breaches in 2018

Posted at 12:56 PM in Health IT, HITECH / HIPAA, Webinars | | Comments (0)

HIPAA Survival Guide November Webinar!

Posted at 06:50 PM in Health IT, HITECH / HIPAA, Webinars |

Next »

Search

Healthcare Blogroll

Categories

Analytics

CC