Kusserow on Compliance: Health care remains a top target for cyber-criminals

Data has value and businesses and individuals rely upon imperfect systems to store their information. Those committing fraud focus on sensitive data and targets with weak controls. For these reasons, data breaches are becoming more common in the health care sector where sensitive data can be found. Thus, organizations which have yet to protect themselves need to take proper cautionary steps to control access to that information. Among the best targets are hospitals and other health care institutions that are dependent on immediate access to their data in order to provide necessary treatment for their patients. They also have a treasure chest of data about their patients, including addresses, date of birth, Social Security numbers, family members, phone numbers, contact details, and more. Once obtained, this information can be sold on the “black market.” Gaining access to this valuable data can be extremely profitable, but locking the entity out of access to their information, as in the case of ransomware, can be a calamity for providers that must have immediate access to their patient data. A further attraction to cyber-criminals is the fact that many health care entities have weak controls. In this regard, entities’ major weakness is their employees, who through ignorance or carelessness open the door to cyber-attacks. With that in mind, health care firms should put more resources into proper training for their employees.

Cyber-Attack Prevention Tips

  1. Implement policies and procedures for taking precautions against malware
  2. Provide training on recognizing phishing and the danger of malicious links and attachments
  3. Ensure everyone creates complex passwords that are difficult to penetrate
  4. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  5. Limit employee access to systems on a need to know standard.
  6. Review/restrict privilege by limiting the people accessing files on a single server
  7. Monitor email carefully and don’t open email attachments from unknown parties
  8. Train employees (the weak link) to recognize and prevent cybercrimes
  9. Train against clicking email links/attachments, or responding to “pfishing” inquiries
  10. Ensure employees don’t leaving the workplace with data and files
  11. Monitor external exchanges
  12. Continuously monitor employee and vendor networks
  13. Establish an aggressive patching schedule for all software
  14. Update software to include improved controls
  15. Establish and monitor the use of encryption of transmitted information
  16. Regularly test users to make sure they are on guard
  17. Configure email servers to block zip or other files that are likely to be malicious
  18. Focus security efforts on those files that are most critical—patient records

For more information on this subject, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for reducing the risk of cyber-attacks

Tim Murphy, former FBI deputy director stated that he rated cyber-attacks as the number one threat facing the country. Threats come from both inside organizations and outside. Insider threats may involve current or former employees or vendors. They may be motivated to steal intellectual property, funds, or simply to cause problems. The danger of employee-related crimes is that they have inside information concerning how things work and have access to data and computer systems. One of the best ways to combat attacks by insiders is to maintain a continuous monitoring of an individual’s public, online activity as well as the internal, network activity to detect changes in behavior. Often, cyber-attackers have patterns of detectable behavior and network activity which can provide indicators of risk, assist in early detection. It is important to know at any given time what are employees doing on the network; who are they dealing with; if they are leaving with data and files; and whether they are violating policy by sharing sensitive information with outsiders. Employee engagement in careless practice is far more common than engagement in malicious practice. Oftentimes carelessness takes the form of simple negligence by clicking on a link in a random email. However, there are ways to mitigate the threats, which can reduce the risk of cyber-attacks by as much as 80 percent, including:

  1. Provide ongoing employee and contractor training on what to do and not to do
  2. Conduct a risk assessment to understand threats presented by an insider
  3. Continuously monitor employee and vendor networks
  4. Update and upgrade software
  5. Use encryption to guard against information being read by unauthorized parties
  6. Establish multi-factor authentication

For more information health care provider cyber-security, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com or at (703) 535-1419.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued a new guidance which points out a list of 10 violations where Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may be still on the hook for violations of those violations. As such CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches also continue to dominate the press. The OCR recently cited among recent notable breaches that an EMR and software services provider allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, in which they reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance officers cite HIPAA as their highest priority

The 2019 Compliance Benchmark Survey respondents reported that compliance officers are finding dealing with data breaches as their highest-ranked priority, with two-thirds of respondents citing HIPAA Security/Cyber-security and over half for HIPAA Privacy as their number one concern. This represented the biggest change since last year’s survey. Coupled with this finding was that nearly 75 percent of respondents reported the compliance office has assumed responsibility for HIPAA Privacy and nearly one-third assumed responsibility for HIPAA Security. So far this year, OCR has reportedly received upwards of a quarter million HIPAA privacy complaints.

The Survey did not focus on privacy laws and regulations emerging on the state level, nor did it provide much understanding on how organizations and compliance offices were responding to the challenges. As such, a separate 2019 survey has been designed to gather that information along with a variety of other issues.  It is designed to provide a general understanding of levels and nature of current commitment to this area.  Those who wish to participate in the 2019 HIPAA Compliance Survey can do so by clicking on the following hyperlink.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.