The FBI Released Steps that can be Taken to Mitigate Teleconferencing Hijacking Threats

As many Americans are now working from home, companies have been utilizing video-teleconferencing (VTC) platforms to host virtual meetings. In the last couple of weeks, reports of VTC hijacking or "Zoom-bombing" have emerged across the country. The FBI has received reports of conferences being interrupted by pornographic and/or hate images and threatening language. While much of the country remains under shelter-in-place orders, many people continue to rely on VTC platforms to perform their daily job duties. So, what can you do to help protect yourself and your co-workers from a VTC hijacking?

Read More

What you need to know about telehealth and HIPAA, and what has changed to address COVID-19.

With COVID-19 dictating most of our actions currently, many offices are switching to seeing patients via telehealth appointments. Under HIPAA, healthcare providers may communicate with patients and provide telehealth services through remote communications technologies. However, some technologies and how they are being used, may not fully comply with HIPAA requirements. So what do you need to know about telehealth and HIPAA, and what has changed to address COVID-19? Below are three points to help you navigate telehealth and understand the changes regarding HIPAA during this nationwide public health emergency.

Read More

There’s a new threat to your patients’ data from ransomware.

Some of the biggest and most successful ransomware organizations, including REvil (Sodinokibi), have announced that they are not just encrypting data. They are stealing data before they encrypt it, and then threatening to publish the stolen data if the ransom is not paid. These criminal organizations know that if you are regulated by HIPAA or GDPR, you face hundreds of thousands in fines and notification costs for data breaches. These five steps can help you reduce the risk of ransomware and survive a ransomware attack without losing your business if, despite your best efforts, you are a victim of ransomware.

Read More

According to CNN and other media, ~400 dental offices were hit by ransomware through a managed service provider (MSP). Some offices have been closed over a week. Other offices are reporting that they are still missing some patient or imaging files. Are you prepared to deal with ransomware, other type of security incident, or a breach caused by a business associate? What would you do if this happened to you?

The first priority for these offices is to get their doors open and start seeing patients as quickly as possible. Unfortunately, even though the business associate was likely the source of the ransomware, these dentists can face a HIPAA investigation and possible violations even if it is determined that it wasn’t a breach.

Some of the questions we’ve received are:

• Is it a Breach?
• If the business associate was the source of the ransomware, aren’t they responsible for the incident response?
• If my business associate was the source of the breach, don’t they have to notify my patients?
• Can I get in trouble with HIPAA even if the business associate, not me, was the source of the breach?

These questions and more are answered in our 60-minute webinar, "Ransomware & HIPAA: What 400 Dentists Need to Know."

We know that many people may not have an hour to spare, so we also prepared the short answers to the top 10 questions dentists have had about this incident. It includes the section of the webinar that can be viewed to get additional information.

If you haven’t completed a recent HIPAA risk analysis, or an ongoing risk management plan, you need to get working on one today. Not tomorrow. Not next week. Today. None of these dentists had any idea that they would walk into their office on a Monday to deal with ransomware instead of treating patients. It can happen to anyone, without warning, any time. We can help you with your risk analysis and other parts of your HIPAA program. Call us today. 1-800-334-6071.

Do you have one of the approximately one million Windows computers that are at risk to the Blue Keep vulnerability, which could lead to a HIPAA data breach?

The Blue Keep vulnerability has been known for months, and Microsoft has issued a security update to patch this vulnerability in the Remote Desktop Protocol (RDP) for Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. If you are running any of these operating systems and haven’t installed the security update that was released by Microsoft on May 19, 2019, you are vulnerable to a Blue Keep exploit.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Several security researchers have warned that exploits using the Blue Keep vulnerability are expected at any time because workable exploits and detailed instructions on how to produce them have been published on the internet. That means that criminals now have the code to exploit the Blue Keep vulnerability to hack into computers that have not been updated, leading to potential HIPAA data breaches, such as ransomware attacks.

"Install the latest Windows security updates." It's a task on each of our clients' monthly HIPAA Security Risk Management checklist for servers, desktops, and laptops. That’s because it is one of the most effective ways to reduce the likelihood of malware, ransomware, and other malicious attacks on your computers. Failure to install security updates can lead to HIPAA violations and penalties – one covered entity paid $150,000 because of a breach that could have been prevented if security updates had been installed.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acmhs/index.html

Remember, HIPAA Security isn’t limited to a one-a-year audit and staff training; compliance requires continuous evaluation of threats and security measures through the implementation of an ongoing risk management plan.

Alert: Windows 7 is "end-of-life" on January 14, 2020, which is just 8 months away. If your office is using Windows 7 on any computer that accesses, transmits, or updates protected health information (PHI) or is connected to your business network, you must upgrade the computer to Windows 10.

What is end-of-life? "End-of-life" is a term used to indicate that a software developer will no longer be providing updates or patches to their product. These updates and patches are intended to fix features of the applications, operating systems or software suites that aren’t working as intended. Software updates are also issued to address security concerns.

What this means for Windows 7: On January 14, 2020, Microsoft will no longer provide updates to fix vulnerabilities that can be used by malicious software (viruses) to infect computers running Windows 7. This means Windows 7 will be susceptible to malware and these computers will be “out of compliance” if they are not upgraded by January 14, 2020.

Action: If your office is using Windows 7 on any computer that accesses, transmits, or updates protected health information (PHI) or is connected to your business network, you must upgrade the computer to Windows 10.

When was the last time you reviewed your Business Associate Agreements? It’s important to make sure that your current business associate agreement reflects the regulations outlined in the 2013 OMNIBUS final rule. It’s also a good idea to review your list of business associates on a yearly basis to ensure that you have a signed BAA from any vendors who have access to protected health information.

Set a goal this week to review your BAAs if you haven’t done it already this year.