HHS Points to Ways to Improve Compliance With HIPAA Requirements   Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access their electronic or paper health records. Unfortunately it’s often easier said than done, and federal regulators want that to change. Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that are...

Attackers are increasingly hacking into banks’ networks to gain access to the IT infrastructure connected to their ATMs. They then push malware onto the ATMs that allows a low-level gang member to walk up and enter a preset numerical sequence into the ATM to make it dispense all of its money in what’s known as a “jackpotting” or “cashing out” attack. Such attacks also allow them to steal card data from ATM...

The business world continues to evolve and banking is no different. There are two new rule changes being implemented in September this year. Beginning September 15, 2017, Same Day ACH will be available for debit entries, enabling the same-day processing of virtually any ACH payment. The Rule enables the option for same-day ACH payments through additional ACH Network functionality, without affecting previously available ACH schedules and...

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators. As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services’ ‘wall of shame’. Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though...

Unsecure Email Incident a Reminder of Risks to PHI A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides, including website forms used to collect information and smartphone apps. According to the HHS “Wall of Shame”, the Mississippi Division of Medicaid reported on May 26, 2017 to the U.S. Department of Health...

A just released update to the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool will should help make meeting regulators’ demands for “baseline” cybersecurity more attainable. The changes only impact Appendix A of the tool but those changes make a difference for smaller institutions. For example, many smaller institutions were not able to meet the tool’s requirement for having a...

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again Colorado-based Metro Community Provider Network is just another healthcare entity to learn a painful lesson from the Department of Health and Human Services Office for Civil Rights regarding the importance of conducting a timely and comprehensive risk assessment. The breach was reported in early 2012 after a hacker accessed employees’ email accounts and obtained 3,200...

Many businesses have benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, these technologies can make it difficult to monitor and control the unauthorized distribution of confidential data. This is critically important in highly regulated industries like banking. To give you an idea of how messaging apps have caused headaches for banks, on March 30, UK...

A ransomware attack on a Texas urology practice that could potentially affect nearly 280,000 patients ranks as one of the largest health data breaches of 2017. On January 22nd Urology Austin, suffered a ransomware attack that encrypted data stored on its servers. Among the information impacted by the ransomware were names, addresses, birthdates, SSN’s, and medical information. Their mitigation effort included restoring data from backups and...

Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail. While many of us do that anyway, that’s now the FCC’s advice to all Americans in response to an ongoing series of attacks designed to trick victims into uttering a single word. According to a March 27th alert, this scam centers on tricking victims into saying the word “yes,” which criminals record and later use to attempt to...

HHS Office of Civil Rights (OCR) is now completing reports of audits performed in 2016 and distributing reports. Once the report is received, organizations have 10 days to respond. The following is an overview of a small clinic that was subject to a Privacy Audit by the OCR. This was a desk audit, meaning that the auditors did not come on-site and all information was provided to the OCR by uploading documents to a portal. While a desk audit...

On March 6th, the Silicon Valley firm, Coupa, fell victim to a phishing attack that compromised the personal information of employees who worked for them in 2016. A scammer impersonated the company’s CEO and requested that payroll information (Form W-2) for the 2016 tax year be sent via email. Fraudsters continue to increase the number of W-2 phishing scams, also known as business email compromise – BEC – or CEO fraud attacks. These...

In 2016 the number of reported data breaches in the U.S. increased by 40% over 2015 levels. Worryingly, more than half of data breaches resulted in the exposure of Social Security numbers, increasing the risk of identity theft. 72 percent of breached records were exposed due to hacking, skimming or spear-phishing attacks. This continues a drastic increase in those type of attacks since 2009 when they first became the leading cause of breaches....

Reversing the position taken in May 2016, The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not use secure text messaging platforms to transmit patient care orders. TJC’s earlier position said that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and...

Why are hacked healthcare records so valuable? It’s because they can be combined with other information to create a complete identity kit. Make no mistake—in most cases the stolen health information is the foundation of a counterfeit identity. That is why health records are so valuable to criminal groups around the world. Stolen patient records often end up for sale on the deep web as part of information packages called “fullz” and “identity kits” that can be used by fraudsters to commit a wide variety of crimes.

In the wake of this week’s rollout by NACHA, The Electronic Payments Association, of same-day ACH payments in the U.S., fraud departments at originating and receiving banks should be bracing for the new risks posed by faster payments. Developing robust anti-fraud procedures is even more critical now, as same-day ACH is the first step toward the move to real-time payments over the course of the next two years.

Most bankers probably don’t give the webcam at the top of their computer or laptop a second thought. That needs to change. If you don’t believe me, believe FBI Director James Comey and Facebook CEO Mark Zuckerberg. They both cover theirs.

Phase 2 of the HIPAA audits is fully underway, and covered entities now can take a breath if they have not received a desk audit request. But we still are at the beginning of Phase 2, with more to come. One of the best ways to ensure that your HIPAA compliance is in order is to prepare as if an audit is imminent. Here are some steps that covered entities and business associates can take to further prepare:

A business associate has settled a direct enforcement action over allegations that it potentially violated HIPAA. We can expect future HIPAA enforcement actions against business associates.

What Happened? It all started with the theft of a smart phone.

Federal regulators are intensifying the spotlight on security risks posed to healthcare organizations and business associates by vulnerabilities in third-party applications.

On June 7 the HHS OCR stated, “Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Many covered entities and business associates may think their computers and devices that utilize operating systems are secure because the covered entities and business associates are deploying operating-system updates, but many systems are still at risk from third-party software.”