HHS Office of Civil Rights (OCR) is now completing and distributing reports of the audits it performed in 2016. Once the report is received, organizations have 10 days to respond. The following is an overview of a small clinic that was subject to a Privacy Audit by the OCR. This was a desk audit, meaning that the auditors did not come on-site and all information was provided to the OCR by uploading documents to a portal. While a desk audit sounds less stressful than having auditors on-site, it is often more difficult. The reason is the...
On March 6th, the Silicon Valley firm, Coupa, fell victim to a phishing attack that compromised the personal information of employees who worked for them in 2016. A scammer impersonated the company’s CEO and requested that payroll information (Form W-2) for the 2016 tax year be sent via email. Fraudsters continue to increase the number of W-2 phishing scams, also known as business email compromise – BEC – or CEO fraud attacks. These incidents involve attackers, often impersonating the CEO, tricking someone within the company into...
In 2016 the number of reported data breaches in the U.S. increased by 40% over 2015 levels. Worryingly, more than half of data breaches resulted in the exposure of Social Security numbers, increasing the risk of identity theft. 72 percent of breached records were exposed due to hacking, skimming or spear-phishing attacks. This continues a drastic increase in those types of attacks since 2009, when they first became the leading cause of breaches. What is not clear is whether the increase in breaches is due to more state agencies publicly sharing...
Reversing the position taken in May 2016, The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not use secure text messaging platforms to transmit patient care orders. TJC’s earlier position said that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, along with policies and procedures. In reversing its position, TJC identified that concerns...
Why are hacked healthcare records so valuable? It’s because they can be combined with other information to create a complete identity kit. Make no mistake—in most cases the stolen health information is the foundation of a counterfeit identity. That is why health records are so valuable to criminal groups around the world. Stolen patient records often end up for sale on the deep web as part of information packages called “fullz” and “identity kits” that can be used by fraudsters to commit a wide variety of crimes.
In the wake of this week’s rollout by NACHA, The Electronic Payments Association, of same-day ACH payments in the U.S., fraud departments at originating and receiving banks should be bracing for the new risks posed by faster payments. Developing robust anti-fraud procedures is even more critical now, as same-day ACH is the first step toward the move to real-time payments over the course of the next two years.
Most bankers probably don’t give the webcam at the top of their computer or laptop a second thought. That needs to change. If you don’t believe me, believe FBI Director James Comey and Facebook CEO Mark Zuckerberg. They both cover theirs.
Phase 2 of the HIPAA audits is fully underway, and covered entities can now take a breath if they have not received a desk audit request. But we are still at the beginning of Phase 2, with more to come. One of the best ways to ensure that your HIPAA compliance is in order is to prepare as if an audit is imminent. Here are some steps that covered entities and business associates can take to further prepare:
A business associate has settled a direct enforcement action over allegations that it potentially violated HIPAA. We can expect future HIPAA enforcement actions against business associates.
What Happened? It all started with the theft of a smart phone.
Federal regulators are intensifying the spotlight on security risks posed to healthcare organizations and business associates by vulnerabilities in third-party applications.
On June 7 the HHS OCR stated, “Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Many covered entities and business associates may think their computers and devices that utilize operating systems are secure because the covered entities and business associates are deploying operating-system updates, but many systems are still at risk from third-party software.”