CAEK BITE: New Ransomware Threat to Physicians and Dentists – Pay or We Publish Your Data

By: Anna Green

There’s a new threat to your patients’ data from ransomware.

Some of the biggest and most successful ransomware organizations, including REvil (Sodinokibi), have announced that they are not just encrypting data. They are stealing data before they encrypt it, and then threatening to publish the stolen data if the ransom is not paid. These criminal organizations know that if you are regulated by HIPAA or GDPR, you face hundreds of thousands in fines and notification costs for data breaches. These five steps can help you reduce the risk of ransomware and survive a ransomware attack without losing your business if, despite your best efforts, you are a victim of ransomware.


CAEK BITE: 400 Dentists Hit by Ransomware

By: Anna Green

According to CNN and other media, ~400 dental offices were hit by ransomware through a managed service provider (MSP). Some offices have been closed for over a week. Other offices are reporting that they are still missing some patient or imaging files. Are you prepared to deal with ransomware, another type of security incident, or a breach caused by a business associate? What would you do if this happened to you?

The first priority for these offices is to get their doors open and start seeing patients as quickly as possible. Unfortunately, even though the business associate was likely the source of the ransomware, these dentists can face a HIPAA investigation and possible violations even if it is determined that it wasn’t a breach.

Some of the questions we’ve received are:

  • Is it a Breach?
  • If the business associate was the source of the ransomware, aren’t they responsible for the incident response?
  • If my business associate was the source of the breach, don’t they have to notify my patients?
  • Can I get in trouble with HIPAA even if the business associate, not me, was the source of the breach?

These questions and more are answered in our 60-minute webinar, "Ransomware & HIPAA: What 400 Dentists Need to Know."

We know that many people may not have an hour to spare, so we also prepared the short answers to the top 10 questions dentists have had about this incident. It includes the section of the webinar that can be viewed to get additional information.

If you haven’t completed a recent HIPAA risk analysis, or an ongoing risk management plan, you need to get working on one today. Not tomorrow. Not next week. Today. None of these dentists had any idea that they would walk into their office on a Monday to deal with ransomware instead of treating patients. It can happen to anyone, without warning, any time. We can help you with your risk analysis and other parts of your HIPAA program. Call us today. 1-800-334-6071.


CAEK BITE: BlueKeep Vulnerability: What You Need to Know

By: Anna Green

Do you have one of the approximately one million Windows computers that are at risk from the BlueKeep vulnerability, which could lead to a HIPAA data breach?

The BlueKeep vulnerability has been known for months, and Microsoft has issued a security update to patch this vulnerability in the Remote Desktop Protocol (RDP) for Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. If you are running any of these operating systems and haven’t installed the security update that was released by Microsoft on May 19, 2019, you are vulnerable to a BlueKeep exploit.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Several security researchers have warned that attacks using the BlueKeep vulnerability are expected at any time because workable exploits and detailed instructions on how to produce them have been published on the internet. That means that criminals now have the code to exploit the BlueKeep vulnerability to hack into computers that have not been updated, leading to potential HIPAA data breaches, such as ransomware attacks.

"Install the latest Windows security updates." It's a task on each of our clients' monthly HIPAA Security Risk Management checklist for servers, desktops, and laptops. That’s because it is one of the most effective ways to reduce the likelihood of malware, ransomware, and other malicious attacks on your computers. Failure to install security updates can lead to HIPAA violations and penalties – one covered entity paid $150,000 because of a breach that could have been prevented if security updates had been installed.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acmhs/index.html

Remember, HIPAA Security isn’t limited to a once-a-year audit and staff training; compliance requires continuous evaluation of threats and security measures through the implementation of an ongoing risk management plan.


CAEK BITE: "End-of-Life" for Windows 7

By: Anna Green

Alert: Windows 7 is "end-of-life" on January 14, 2020, which is just 8 months away. If your office is using Windows 7 on any computer that accesses, transmits, or updates protected health information (PHI) or is connected to your business network, you must upgrade the computer to Windows 10.

What is end-of-life? "End-of-life" is a term used to indicate that a software developer will no longer provide updates or patches for their product. These updates and patches are intended to fix features of the applications, operating systems, or software suites that aren’t working as intended. Software updates are also issued to address security concerns.

What this means for Windows 7: On January 14, 2020, Microsoft will no longer provide updates to fix vulnerabilities that can be used by malicious software (viruses) to infect computers running Windows 7. This means Windows 7 will be susceptible to malware, and these computers will be “out of compliance” if they are not upgraded by January 14, 2020.

Action: If your office is using Windows 7 on any computer that accesses, transmits, or updates protected health information (PHI) or is connected to your business network, you must upgrade the computer to Windows 10.


CAEK BITE: Business Associate Agreements

By: Adam McKeever

When was the last time you reviewed your Business Associate Agreements? It’s important to make sure that your current business associate agreement reflects the regulations outlined in the 2013 Omnibus Final Rule. It’s also a good idea to review your list of business associates on a yearly basis to ensure that you have a signed BAA from every vendor who has access to protected health information.

Set a goal this week to review your BAAs if you haven’t done it already this year.