Help Me With Hipaa

Information:

Synopsis

HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder, Donna Grindle, and HIPAAforMSPs.com founder, David Sims. Our mission is to share our Privacy and Security knowledge with those who are required to understand, implement, and manage the complex Privacy and Security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner without using too much legalese or geek speak. As the podcast programs progress we will cover topics that include sorting through the requirements as well as real world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!

Episodes

  • Compliance Officer Personal Liability? - EP 114

    28/07/2017 Duration: 37min

    There has always been a concern from many people we work with about compliance officer personal liability. Specifically, is a compliance officer personally liable for the compliance of the company? The recent settlement agreement between the FTC and the Chief Compliance Officer of Moneygram has created interesting conversations in compliance circles. In this case, the Chief Compliance Officer of Moneygram was able to reach a settlement in the liability case against him, but it included a $250,000 penalty payment and a 3-year restriction on working in that industry. Yep, that is enough to make you sit up and take notice. More details at HelpMeWithHIPAA.com/114

  • OCR Mic Drop For Cloud Providers - EP 113

    21/07/2017 Duration: 50min

    The monthly OCR Cyber Newsletter for June had some interesting points.  The fact that OCR mentions multiple times and in multiple ways that they do not endorse, certify, or recommend specific technology or products should serve as their "OCR mic drop moment" on this discussion.  We can dream, can't we!  Today we are going to review that newsletter and how they have pointed these things out once again. Before we close out the episode we are also covering some questions and comments from listeners.  Hang around for those just after the 30-minute mark. More info at HelpMeWithHIPAA.com/113

  • NotPetya, Windows, and Ransomware - Ep 112

    14/07/2017 Duration: 40min

    This is not another episode about preventing and responding to the NotPetya ransomware. There are countless articles about those topics. We are discussing the bigger picture today. In this episode, NotPetya, Windows, and Ransomware, we discuss what happened in the case but also what all of this really means in the big picture of cyber attacks. If you don't stay proactive in evaluating what the criminals may do next, then you don't have a chance of being anything but reactive. In light of these recent global attacks, we have many questions. Are we experiencing a shift in the criminals' intentions, or are they just bumbling around with new toys? If it is no longer just about taking our money, then what is it really about? If you haven't cared about protecting your data so far, how about protecting your data from becoming a pawn in the latest cyberwarfare battle? For more information go to HelpMeWithHIPAA.com/112

  • Breach reporting costs and decisions for 2017 - Ep 111

    14/07/2017 Duration: 48min

    In June, the NY State Attorney General announced a settlement with CoPilot, a healthcare services company that illegally deferred notice of a breach of more than 220,000 patient records. Another annual report was also just released with the latest numbers: the 2017 Cost of a Data Breach Study from Ponemon Institute and IBM. Today, we are going to discuss how the two of them can help us all make better decisions where potential breaches of PHI are concerned. Breach reporting costs and decisions in 2017 are proving to be something you should understand before a crisis, not after one hits. For more info: HelpMeWithHIPAA.com/111

  • What is MDM and why do I want it? - Ep 110

    30/06/2017 Duration: 45min

    Mobile devices are susceptible to malware attacks, phishing, and other security vulnerabilities just the same as laptops and desktops.  The systems most of us have in place are directed at managing the security for laptops and desktops, however.  It is important to expand your security controls to address the growing threat that mobile devices introduce to your network and systems regularly.   In most cases, it is important to have a "home base" tool that can talk to and monitor the mobile devices.  That is where MDM comes into play.  For most people that brings us to the question: What is MDM and why do I want it?   For more: HelpMeWithHIPAA.com/110

  • eCW Whistleblower Made The Difference - Ep 109

    23/06/2017 Duration: 46min

    There are countless times we have covered the "my EHR vendor handles HIPAA for me" misconception. The recent $155 million whistleblower lawsuit settlement between eClinicalWorks (eCW) and the government really brings home how wrong you can be about EHR vendors. Meaningful Use attestations relied heavily on the vendors supplying proper information. eCW set up thousands of organizations to take a major hit based on the details in this case and its settlement, especially when you take into account that eCW is one of the biggest EHR vendors out there. CIA of PHI is the objective of the entire Security Rule under HIPAA. Unreliable data created by an application is clearly a data Integrity issue. If you can't trust the data, can you trust the system at all? If you have knowledge of this kind of stuff going on somewhere, you should review it closely. It includes civil payments by developers and project managers, not just the C-Suite folks involved. For more information: HelpMeWithHIPAA.com/109

  • 5 Stages Of Grief During A Cyber Attack - Ep 108

    16/06/2017 Duration: 51min

    The 5 stages of grief during a cyber attack really do follow the process of dealing with grief in those familiar 5 stages. Many don't realize that ransomware attacks aren't always just the result of someone clicking in an email and running a program.  As Erie County Medical Center found out recently, ransomware attacks can come from a hacker being active in your network too.  Those 5 stages of grief during a cyber attack for them and others we have seen is what we will be discussing today.   We have a special guest with us for today's discussion too.  David Benton with Altep is joining us.  David is a super IT forensics dude.  The CSI of the nerds, so to speak.  He is helping us review this topic. More information at HelpMeWithHIPAA.com/108

  • 10 Ways HIPAA Should Have Stopped Rodeo Drive Breach - Ep 107

    09/06/2017 Duration: 48min

    A major breach of PHI was announced by a Beverly Hills plastic surgeon's office on Jun 1. There are so many things about this case, from the fact that it involved a malicious insider to how many different ways proper HIPAA policies and procedures would have stopped it, if not prevented it completely. Celebrity patients' records breached in this case may make it hit home with a lot of folks who haven't worried too much about those protections until now. We have talked about insiders as a major vulnerability a lot lately and this one really makes it big news! 15,000 files with medical and personal information. Added to that are pictures, including those of celebrity patients whose records were breached without them even knowing the pictures existed! More info at HelpMeWithHIPAA.com/107

  • Disclosure of PHI in May OCR settlements - Ep 106

    02/06/2017 Duration: 43min

    OCR continued their enforcement trend for 2017 with 2 more settlements announced in May. These stand out on their own because the focus is specific disclosure of PHI instead of major breaches. A total of three patients were involved in these large settlements. This week we review what transpired and what OCR found as violations of privacy for these three patients. For more information go to HelpMeWithHIPAA.com/106

  • Answering Listener Questions - Ep 105

    26/05/2017 Duration: 50min

    A wide variety of questions have come in from listeners over the last few weeks. The list is so good we have a whole episode devoted just to answering listener questions.  At least one of these will likely apply to you if not several. For more information go to HelpMeWithHIPAA.com/105

  • What should we learn from WannaCry? - Ep 104

    19/05/2017 Duration: 48min

    All of those ransomware outbreaks we have been dealing with since last year were overshadowed this past week by WannaCry. This has been called the most destructive attack ever. The most concerning part is how bad it was, even though the US wasn't hit that hard. When these kinds of things happen it is always a good idea to review what you learned from the outbreak and any necessary changes you need to make to protect you from this happening to you. That is the topic of the day. What should we learn from WannaCry? Learn more at HelpMeWithHIPAA.com/104

  • Managing Third Party Access - Ep 103

    12/05/2017 Duration: 42min

    You may not even know about all the applications and support logins that vendors use on your applications, systems, and networks. Vendors may set up admin passwords and share them with their whole staff to support you. If they have unlimited access to the systems out there, and the usernames and passwords never expire or log off automatically, that is certainly not secure. How do you manage all of those? If there are things that automatically log in and run, what about those? More details at HelpMeWithHIPAA.com/103

  • No, No, No says OCR in three April settlements - Ep 102

    05/05/2017 Duration: 43min

    April has had three more OCR resolution announcements. That's a total of 7 cases for $14.3m in 2017 so far. When we covered resolutions recently I kept waiting for another one to come out and gave up. Then, BAM, three in a row! For more info go to HelpMeWithHIPAA.com/102

  • Are we creating a crisis of trust in healthcare? - Ep 101

    28/04/2017 Duration: 47min

    Are we creating a crisis of trust in healthcare? A business partner put that question out to us recently. We have already been looking at several angles to discuss the patient part in all of this breach and ransomware news. This question seems like the perfect way to approach it. Let's look at the topic and see what we think - Are we creating a crisis of trust in healthcare? For more information on this podcast and how to win a $100 Amazon gift card go to HelpMeWithHIPAA.com/101

  • Top 10 HIPAA Lessons - Ep 100

    21/04/2017 Duration: 49min

    For our 100th episode we wanted to do a Top 10 list. After some thought, we landed on the Top 10 HIPAA Lessons we hope you get from our little podcast. It is hard to believe that we are publishing our 100th episode of Help Me With HIPAA! Two years ago we started out with this little idea that has become a really exciting venture for both of us. We truly enjoy the responses and interaction from our listeners. Well, first, we are thrilled to HAVE listeners. But more importantly, we love hearing how much people learn and laugh at the same time. That combination has been our show objective since the very beginning. Another big thing we are doing with this episode is a chance to win a $100 Amazon gift card if you help share and promote us with your social networks. Listen in or go to the website for more details on how to win! More info at: HelpMeWithHIPAA.com/100

  • Examples of what not to do from OCR AGAIN - Ep 99

    14/04/2017 Duration: 43min

    OCR Resolutions 3 and 4 for 2017 were released in February. Examples of what not to do from OCR were released AGAIN. We kept waiting for another resolution to be announced so we could lump them together. Once we gave up and recorded this episode to review those two, you know another one was announced. We will hit that one next time. For now, we review what happened in these cases that resulted in OCR resolutions after a breach notification started an investigation. They are so kind to give us examples of what not to do from OCR without us paying for it! For more details go to HelpMeWithHIPAA.com/99

  • State privacy and breach laws and HIPAA - Ep 98

    07/04/2017 Duration: 44min

    Recently, New Mexico passed a new data breach notification law in March. Once it is signed there will only be 2 states that don't have their own notification rules, Alabama and South Dakota. What do all the state laws mean when you are also required to do HIPAA notifications? Most of them say that if you are subject to GLBA or HIPAA the notification laws do not apply to you. But it is always best to be sure you know what your state requires. HIPAA says that as long as it is more strict than state laws then HIPAA takes precedence, but many times states are now enacting stronger legislation in some areas. California and Texas developed some pretty extensive requirements that apply to CEs and BAs in their states. Massachusetts also added their own twist beyond HIPAA. More info at HelpMeWithHIPAA.com/98

  • Insiders may be your biggest threat to privacy and security - Ep 97

    31/03/2017 Duration: 44min

    All the news about ransomware and hackers usually gets the biggest headlines. But the ones that fly under the radar may be something you should pay more attention to than the big splashy news. Insiders usually don't have to work hard to plot ways to break into your data; you have invited them in and given them access. A damaging assumption is that you don't have to worry about your insiders. Get more info at HelpMeWithHIPAA.com/97

  • What is included in a mobile access policy - Ep 96

    24/03/2017 Duration: 44min

    Call it teleworking, remote access, or mobile access: if you have any access to PHI outside of your office, you should have a HIPAA mobile access policy. Any person that accesses your systems and data outside of your internal network should be trained and sign off on commitments to protect your PHI. We've never specifically covered the topic of what should be included in a HIPAA mobile access policy. It is about time we did just that. Learn more at HelpMeWithHIPAA.com/96

  • Can we build a national culture of cybersecurity? - Ep 95

    17/03/2017 Duration: 46min

    Building a culture of compliance is something we have talked about many times in this podcast. We never looked at it as a community problem. The things we heard about training the human element to build a cyber security culture were very exciting to us. Well, at least to Donna. They covered concepts about training not just the workforce but the community as a whole to better understand what cybersecurity really means. We also followed that up with a session that explained some more scary darknet activity. Your machine could be for sale on the darknet and you don't even know it. More information at HelpMeWithHIPAA.com/95
