This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus It’s a Strange New World, Lots of Updates/Patches and Should the Government be Allowed to Scan Our Messages?
This is Episode 21!
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?
Also, go join the Get HIPAA Compliance Facebook Group. Search for Get HIPAA Compliance
QOTW: Is there an app or software that can be used to send and sign PDF documents that is HIPAA compliant?
Patch Tuesday Update:
Google Chrome 80.0.3987.149 (Update)
Microsoft March 2020 Patch Tuesday Fixes 115 Vulnerabilities
Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
Microsoft Releases Out-of-Band Security Updates for SMB RCE Vulnerability
Update VMware Releases Security Updates for Multiple Products
Updates from Google, Adobe, Drupal and Cisco
Cyber Security News
This is the proactive IT podcast this week the latest in it in cybersecurity news. Plus, it’s a strange new world. Lots of updates and patches. And should the government be allowed to scan our messages? This is Episode 21 Hi everyone and welcome to the productive it podcast each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by wash tech a client focused and security minded consultant located in Central Connecticut, you can find us at and wash tech comm that’s NW Aj tech.com. Alright, let’s get into it. Times are changing and that is for sure. Right now things are upside down, inside out left, right up down, who knows. Things are definitely challenging right now. But we’re gonna, we’re gonna stick with the program. We’re gonna stick with the the outline here and continue to move forward. If you are listening to this, greatly appreciate it. We know you have other things you could be doing right now. But probably a lot less than normal at this point. If you could review or like or share or comment on on the podcast platform that you’re listening to this on, would really appreciate that share it out to social media so that other people can listen to it as well and learn from it. Because this is a teaching podcast as well. Also, if you are in a HIPAA compliant business, whether that’s a covered entity or business associate Go to Facebook in a search type in get HIPAA compliance and join that group because we share HIPAA information there all the time. And it’ll prove to be beneficial to your business as it grows in the HIPAA world. Things are very fluid in the world. And we’re going to talk about that in a little bit right now or in a little bit on this podcast. But first up the question of the week, is there an app or software that can be used to send in signed PDF documents? That is also HIPAA compliant? So the answer is there’s probably more than one, but I will tell you, the one that I would go with is DocuSign does have does have a HIPAA compliant function, and they will sign a business associate agreement. I don’t know the cost of that software for for HIPAA compliance purposes. I know most software’s charge more money when HIPAA is involved. So it probably costs more than our normal package. But DocuSign, which is a very reputable pieces of software I’ve used it for normal business purposes. Definitely worth a look as far as as far as sending and signing PDF documents that require HIPAA compliance. Along those lines. I also want to mention since I’ve been dealing with a lot of smaller practices, one man shops and so forth that have gone in doing, they’re doing the telehealth work now, zoom offers a package that is telehealth and HIPAA compliant. It says tell if that’s actually what they call it. So, so you can go to zoom.us and take a look at the features of that and believe there was a tab that said telehealth click on that and I’ve set up a couple of practices smaller practices today to be able to do or this week I should say to be able to provide telehealth services to their clients. That being said I’m going to talk about it a little more later. The Trump did relax Are the OCR did relax the the rules around telehealth. So, essentially, you could use pretty much anything at this point to provide telehealth services that I believe will be dangerous going forward. But for now, it is what it is. Patch Tuesday updates. So we had the Patch Tuesday updates that came last week are Yeah, last week, I think it was last week. It just feels like it’s been so long with everything that’s happened in the last week and a half. It feels like it’s been an eternity. I’ll be honest with you. It’s only been a week really since my kids have been out of school and it feels like it’s been an eternity. But so last week, Patch Tuesday rolled out. There was patches for of course for Microsoft Windows. It was an out of band patch for SMB v3, an RC remote code execution vulnerability, that Tom is causing a lot of issues on its own. There was a So that didn’t come out on Tuesday but it came out a few days later. Google had an update. And but not much else the world on fire. I think Firefox had an update to I’m not sure why I don’t have it on my show notes. But there wasn’t much else last week. Well, this week that’s changed. So this week, we have software updates from Drupal, Cisco. Cisco released security updates for SD win solution. Google, again, released updates to Google Chrome, so you should be on at point 149, Adobe released updates for Adobe Reader in Adobe Acrobat. VMware released updates, as well for multiple products. So a lot of updates this week. So get those patches applied. In addition to your Microsoft patches, I might hold out I mean, SMB v3 vulnerabilities is critical, considered critical. So I might be careful about holding out on that, but at the same time, I will be honest, I am I’m holding out on it because it is causing a lot of issues for for people right now. And that is going to do it for the Patch Tuesday update of the show. Deep portion of the show. Hold on for your news. All right, some of the week’s hottest news, we got abc news, reporting that suspicious cyber activity targeting HHS tied to Corona virus response. Sources say so the Department of Health and Human Services experienced confusion, suspicious cyber activity Sunday night related to its coronavirus response administration sources confirmed to ABC News Monday to suspicious activity. hhs was not a hack, but it may have been a distributed denial of service attack. DDoS according to multiple sources, the distinction is important because there was no apparent breach of the HHS system, which could interfere with critical functions of the lead agency responding to the coronavirus contagion a DDoS effort in this cost automated users called bots to overwhelm a public facing system in order to slow it down or even paralyze it. Officials believe any coordinated effort against HHS, if there was one was not particularly successful and are satisfied that the system was not significantly affected. Nevertheless, the concern is that foreign actors might attempt to explain to cope in 19 creases to achieve some of their anti American goals. So that is true. And you’re going to see an increased amount of activity against not just, you know, government, HHS, CDC and things like that. You’re going to see it against everybody to work from home, the massive amount of people that are working from home, we’re going to see an increase in activity targeted at those users as well. Because now they don’t have the support system. They have the support system but it’s not readily available at you know, right there. It’s not the same network it’s there’s there’s it becomes a little more relaxed at that point and I think you’re going to see an increased, you’re going to see increased activity in that in that area too. bleeping computer reported FBI warns of human traffickers luring victims on social networks FBI internet crime complaint center, I see three today issued a public service announcement on human traffickers continued usage of online platforms like dating, dating sites and social networks to lure victims. The FBI warns the public to remain vigilant of the threat posed by criminals who seek to traffic individuals to force fraud or coercion through popular social media and dating platforms that PSA says offenders often exploit dating apps and websites to recruit and later advertised sex trafficking victims in addition offenders are increasingly recruiting labor trafficking victims through what appears to be legitimate job offers. According to FBI investigations victims from various different backgrounds from rural areas to large cities are being lured by human traffickers also forced labor into forced labor or sex work. Using online platforms, many cases the criminals who will pose as legitimate job recruiters or agents of employment agencies and will bait the potential victims with the promise of fake employment and a better life. Individuals who share personal information on online platforms are the ones most likely to be targeted by such criminals, especially after posting about financial hardships, their struggles with low self esteem or their family problems. So why am I sharing this now? I think it’s important to note that we’re going to see some of that increased too. You’re going to see people share that, you know, financial hardships because they’re not working now. And potentially from family issues and low self esteem issues. We’re going to see more of that. So you may see an increase in, especially with, you know, with a lot of companies laying off at this point. job offers that aren’t real job offers, so be careful Be careful what you’re sharing Be careful what you accept. And what you do with with the information that you get. Tech explored in is te ch x PLR e.com, researchers expose vulnerabilities of passwords managers. Now this article doesn’t point out any specific Password Manager but I’ll still go through it. security experts recommend using a complex some commercial password managers sorry some commercial password managers may be vulnerable to cyber attack by fake apps new research suggests security experts recommend using a complex random and unique password for every online account, but remembering them all would be a challenging task. That’s where password managers come in handy. encrypted vaults access by a single master password or PIN is store and autofill credentials for their user and come highly recommended by the UK National Cybersecurity center. However, researchers at the University of New York have shown that some commercial password managers may not be watertight way to ensure cybersecurity. After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers that tested into giving away a password. The research team found some of the password managers use weak critical criteria for identifying an app, and which username and password to suggest for autofill. The weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name. Senior author of the study Dr. Samak Shonda shahana just I can’t say that sorry, sh a na SHHNDSTA sH h A and D a ‘s HDI from the Department of Computer Science in the University of Oxford you vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromise a commercial information or violating employee information, because there are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial. And it goes on to talk about the study. So here’s what I’ll tell you. I don’t know which two they’re referring to or which five they tested, I could guess, but I don’t know. If you’re using a password manager, you should be using multi factor authentication as well. And biometrics whenever possible. If you’re if, if your password manager doesn’t have those options, then you should be moving to a different Password Manager anyway. recorded on the geek app by alien skills. So this is the alien skills comm cloud database leak exposes 425 gigs of small business financial data. And I think I saw another breach. Another similar. I wouldn’t call it a breach but I guess a leak. over half a million highly sensitive legal and financial documents have been leaked online by us loans company after another cloud configuration error. security researchers that VPN mentor led by Noam wrote them found the database in an unsecured Amazon Web Services. That’s AWS for sure. So s3 bucket at the end of December. It appears to be linked to a smartphone app known as MCA wizard developed by New York based fintechs. Advantage capital funding in August capital funding which VPN mentor claimed were likely owned by the same company. They are said to provide merchant cash advances Cassatt yeah merchant cash advances wow I cannot talk today Sorry, sorry people. merchant cash advances controversial, high interest loans for small businesses startups, which you should probably stay away from anyway. But however, although the database URL contains the words MC wizard the app is no longer available in almost files bore no relation to the project. Even as the researchers discovered and tried to contact the firms without success, new files were apparently being uploaded to the database. 425 gig Trove contain highly sensitive customer information Including credit reports, bank statements, driver’s licenses, Social Security info, tax returns, scan checks, purchase orders and much more. With this information, attackers could launch highly convincing phishing attacks attempt check and financial fraud target victim companies and malware, or even sell the data on the dark web born VPN mentor which is becoming more and more popular by the way. The leak could even be investigated under the new California consumer Privacy Act ccpa if it claimed, which means now they’d be subject to potential lawsuits from that this leak raises serious credibility and trust issues for advantage in August. By not sufficiently securing this database and revealing so much information they have compromised the safety, privacy and security of their clients, partners and customers. The firm said those affected may take action against advantage it argues for doing so either from ceasing to do business with either company or possibly pursuing legal actions. Both would result in considerable loss of clients contracts, business relationships and Ultimately revenue. After receiving no reply from the database owners, the researchers went directly to AWS, which promptly corrected the privacy snafu on January 9, so another misconfigured AWS s3 bucket and you see the results, not not not a good thing. I mean, you need to have qualified people managing your AWS, three buckets, s3 buckets. And then finally, techrepublic, much of the US healthcare system is running on outdated, outdated software unsupported operating systems such as Windows seven, leaving devices vulnerable to hackers actively exploiting the kernel virus. So we know there’s going to be we’ve talked about this for weeks now there’s going to be an increase in cyber attacks. Because of Corona virus. Corona virus right now has everybody’s attention. And so there’s going to be a huge increase already has been a huge increase in in attacks. And you have these vulnerable machines. And so the numbers are here in this article here. Even as Coronado continues it’s unrelenting spread across the country and no, it’s more than half country and hospitals are gearing up for what is expected to be a massive influx of sick patients. They are on the backfoot when it comes to cybersecurity according to research from Atlas VPN 83% of healthcare systems are running on outdated software. Atlas based part of the findings on Palo Alto Networks survey of 12 or I’m sorry, 1.2 million Internet of Things devices used in thousands of healthcare organizations across the US. palo survey found that 56% of devices are still running on Windows seven operating system systems which Microsoft stopped supporting in January. Due to the Cova 19 outbreak hospitals are using patient monitoring devices more than ever said Rachel Welch Atlas VPN CEO. Research shows that one in four such devices have security issues based on these numbers. Atlas VPN estimates that cyber criminals will be focusing on the healthcare sector in 2020. Today, 16% of imaging systems are at a 51% risk of getting hacked. There is 26% Chances are that 40% of patient monitoring tools will get attacked. The research also found that 27% of medical devices are still running Windows XP or decommissioned versions of Linux OS. I mean, that’s 27% of medical devices are still weren’t running Windows XP. Atlas also reports that in 2019, the number of stolen medical records increased by 65%, impacting 40 million Americans. Even if you do not upgrade to Windows 10. Your device will continue to operate normally, set outlets but you will no longer receive essential security updates or bug fixes, meaning your device becomes vulnerable to various security threats. Given the severity of the corona virus threat and the act of targeting of healthcare organizations by hackers looking to cash in using ransomware more than 40% of healthcare executives were planning to improve their cyber security measures in 2020. Now, that was probably a quote before all this stuff happened. But still, this leaves many digital medical devices vulnerable today as engineers responsible for maintaining or maintaining these devices often do not receive proper training or resources to ensure best safety practices are being filed. cyber criminals have been using the situation to their advantage since the beginning of coronavirus spread Atlas said, for instance by creating fake coronavirus maps, they were able to trick people into downloading malware into their devices. It was only a matter of time before hackers began to take a step further by exploiting the vulnerabilities lying in the US healthcare system. Those maps By the way, if you go to coronavirus Jay chou.edu slash map dot html that is a legitimate map. They’re using that map to cover up malware. Not john hopkins but malicious attackers are using dat map to cover malware on other websites. So if you’re going to use look at this map, then the best one is the address I just gave this coronavirus Jay Chou. edu slash map dot html All right, our first hot topic of this podcast this week, they earned it bill is the government’s plan to scan every message online. So kind of important for you to listen to this because, you know, either whatever side of the of this you fall on, it’s important that you Your voice is heard. So imagine an internet where the law required every message sent to be read by government approved scanning software companies that handle such messages wouldn’t be allowed to securely encrypt them, or they lose legal protections that allow them to operate. So what does that mean? So you might you might remember the the, or the Patriot Act, I think it was called that was some that allowed the government to scan, text messages and so forth. You phone calls. And they basically they listen to they listen for certain, certain buzzwords, I guess you could say. I don’t think the debt Patriot Act is in effect anymore. I’m not sure. Not a lawyer and I don’t really follow those things too carefully. But this bill is sort of similar in that it would scan online messages and those messages through Whatsapp, Facebook Messenger, Telegraph, or todos a telegraph or telegram. Things like that. And so they’ll be allowed to scan those messages. And they’re telling those vendors so we all WhatsApp if you don’t know WhatsApp is supposed to be secure. It’s encrypted, end to end encryption. And so nobody is supposed to be able to eavesdrop on those conversations, although it has happened. The US government is saying we don’t want WhatsApp to have that capability. So that’s what the Senate Judiciary Committee has proposed and hopes to pass into law the so called earn it and it’s er n and then it bill sponsored by Senators Lindsey Graham, Republican of South Carolina and Richard Blumenthal democrat of Connecticut. So I’m in Connecticut obviously. Richard Blumenthal is is the center here in Connecticut. This will strip section 232 30 protections away from any website that does not follow a list of best practices, meaning those sites can be sued into bankruptcy. The best practices lists will be created by a government commission headed by Attorney General Barr, who has made it very clear he would like to be an encryption and guarantee law enforcement legal access to any any digital message. earn it bill has had its first hearing today. And so this was written on the 12th. So it had its first hearing today and his supporters tried to support support a strategy is clear because they didn’t put the word encryption in the bill. They’re going to insist it doesn’t affect encryption. This bill says nothing about encryption co sponsor senator Blumenthal said it at today’s hearing. Have you found a word in this bill about encryption? Yes, one witness. It’s true that the bills authors avoided using that word but they did propose legislation that enables an all out and saw a saw on encryption. It would create a 19% commission that’s completely controlled by the Attorney General and law enforcement agencies in at the hearing a vice president at the National Center for Missing and Exploited Children. And CNBC made it clear what he wants the best practices to be. And CNBC believes online services should be made to screen their message from material that CMHC considers abusive. Use screening technology approved by NCM mec and law enforcement report what they find in messages to NC mec and be held legally responsible for the content and messages sent by others. That’s kind of dangerous. You can’t have an internet we’re missing. are screened in mass and also have end to end encryption and more than more than you can create backdoors that can only be used by good guys. The two are mutually exclusive concepts like client side scanning aren’t a clever route around as such scanning is just another way to break end to end encryption. Either the message remains private to everyone but its recipients or it’s available to others. The 19% draft commission isn’t any better than the 15% Commission and vision and an early draft of the bill. It’s completely dominated by law enforcement and allied groups like NC mec. Not only will those groups have a majority of the votes in the commission, but the bill gives the Attorney General Barr the power to veto or approve the list of best practices. Even if other commission members do disagree with the law enforcement bars veto power will put him in a position to strong arm them. The Commission won’t be a body that seriously considers policy will be a vehicle for creating a law enforcement wish list. bar has made clear over and over again that breaking encryption is at the top of that list. Once it’s broken authoritarian regimes around the world will rejoice as they have the ability to add their own types of mandatory scanning not just for child sexual abuse material but for self expression that those governments want to suppress. The privacy and security of our all users will suffer if US law enforcement is able to achieve a stream of breaking encryption. Senators should reject to earn it bill. So I read this on e ff.org. That’s the electronic I forget what e FF stands for Electronic Frontier Foundation, and they’re the ones that led to the fight against other other things on the internet front. In the past. If you would prefer to take action you can do that from that website ff.org and it is the earn it bill. also given our current state of affairs in this country, I have a post that on health IQ healthcare IT news, OCR will ease restrictions on telehealth tech during At 19 the privacy watchdog won’t impose penalties on providers who use non HIPAA compliant remote communications technology during the public health emergency. I personally think this is risky move on, I get why they’re doing it. I don’t think it’s a good idea. The HHS Office of Civil Rights, announced on Tuesday that during the coronavirus pandemic it will use discretion when enforcing HIPAA compliance for telehealth communication tools. Even though some of those technologies may not fully comply with HIPAA requirements, OCR says it will not impose penalties for non compliance with the regulatory requirements under the HIPAA rules against covered healthcare providers in connection with the good faith provision of tele health during the Cova 19. Nationwide public health emergency covered entities seeking to use audio or video communication tech to reach patients where they live can use any non public facing remote communication product that is available to communicate with patients to the agency this exercise have discretion applies to tell the provider for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of the health conditions related to kovat 19. To help broaden use of remote consult consults during the outbreak, OCR says providers will temporarily be allowed to use applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts, video or Skype. OCR does does know, however, that healthcare providers should notify patients that such third party apps may pose privacy risks. In addition, providers should enable all available encryption and privacy modes when using each application or such applications. The agency also specifies that Facebook Live twitch Tick Tock other paper public facing video communications should not be used in provision of telehealth so should not go live and share your telehealth session with other people. If that’s not abundantly, obvious already, whenever, wherever possible, providers should use telehealth tools from vendors that are HIPAA compliant. Enter into business associate agreements set OCR so that means it is obviously temporary. And if you can, you should still be using those. And as I mentioned earlier in this episode zoom is a great tool for that. While specifying that is not that it is well specifying that it is it has not reviewed the bcaas offered by these vendors and this list does not constitute an endorsement, certification or recommendation agency lists companies that claim HIPAA compliance and willingness to sign vas including Skype for Business, which is which is another tool I’ve suggested to healthcare providers and that’s through office 365. Up Doc’s vs CS zoom for healthcare doc see me and Google G Suite hangouts meet how telehealth is in the spotlight as the coronavirus crisis unfolds offering an essential link between patients and physicians while removing the need to travel to overburden hospitals on Tuesday Centers for Medicare and Medicaid Services. expanded its Medicare telehealth coverage during the Cova 19 pandemic to enable more patients to get virtual care services from their providers. physicians, nurse practitioners, clinical psychologist and licensed clinical social workers can now offer telehealth to Medicare beneficiaries in any healthcare facility, including a physician’s office hospital, nursing home or rural health clinic as well as from their homes according to CMS. We are empowering medical providers to serve patients wherever they are during this national public health emergency said OCR director register every no in a statement. We are especially concerned about reaching those most at risk including older persons and persons with disabilities. So we’ve always said to hip is about patient care. And if you’re in the business of health care, then you’re supposed to care about your patient. So there is this there relaxing the rules around telehealth for now. Don’t expect it to last it will not last and when it does, be prepared to switch back to normal HIPAA compliant methods of conducting business in in healthcare we have a little good news I guess in this saw time of pandemic in isolation and so forth. bleeping computer reports Netflix party lets you watch shows with friends to fight isolation. Feeling lonely during the period of social social isolation or self quarantine, a Chrome browser extension lets you binge watch your favorite Netflix shows with friends and family while text chatting with them with social interaction at a minimum during the Cova 19 outbreak. People rightfully feel cooped up and lonely dirt due to not being able to do anything with difference, if free Chrome browser extension called Netflix party may help bring a little social interaction back into your life. Netflix party allows friends and family to watch the same show together while providing a text chat room experience. To use this browser extension. Each user must be logged into Netflix and have the Netflix party extension installed. A user can Then started Netflix video posit, and click on the MP button in the chrome omnibar to create a link that will that can be shared with others. When creating this group as I suggest you make it too, so only the group creator can control the video playback so that other people do not pause the video whenever they want. When another user with Netflix party clicks on the shared link, they will automatically be brought to the Select a video in a chat room will be shown on the right side of the screen. This chat allows you to set your name, use one of the few available avatars and chat with other while you are watching the show or moving. The group creator can then start the show and pause it as needed, and a show will start and pause on the other party members computers. In bleeping computers test the process works very well but there will be a slight delay between the person controlling the video and others who are part of the party. And our test is only caused about one to two second delay. It should be also noted that this extension does track your activity and what Netflix shows you watch but we’ll talk This data to your anonymous Netflix party ID, if this does, if this does not bother you, the Netflix party may be great way to watch a show or movie with some friends to ease the social isolation. So there’s an attempt to kind of deal with the social isolation of social distancing or calling it whatever you want to call it, there’s a there’s an attempt to deal with that. So that’s good news. I would also recommend using something like Facebook Messenger or zoom to maybe have group meetings, we’re doing it for for our business networking groups as well. But this way, you’re not completely cut off in the world. And you have some social interaction with the outside world during this time. So that’s another thought. I’ve shared some of the tips of things you could do. I mean, it’s a great time to do spring cleaning and yard work and whatever because if you’re not going anywhere else, you may as well get it done right, because eventually this will stop and then you’ll wish you had done it. All right, our HIPAA education for the week, we’re going to talk about it’s timely. So, OCR will ease restrictions on telehealth tech during cobit 19. The Privacy watchdog won’t impose penalties on providers who use non HIPAA compliant remote communications technology during the public health emergency. And I did it an Instagram TV about this a few days ago. So if you follow the watch tech on Instagram and wha tech, you’ll see that it’s Apple’s latest, the most recent post on there as well. So watch Instagram TV for us. And you’ll see you can see what I talked about but I’ll talk about it here to the HHS Office for Civil Rights announced on Tuesday that during the coronavirus pandemic it will use discretion when enforcing HIPAA compliance for telehealth communications tools. So telehealth just means you’re providing the healthcare service. as you would normally provide in person, you’re providing an over a platform like zoom or, in this case you can use Facebook Messenger or FaceTime. But zoom and Skype for Business are usually the two most common platforms to do that with. Even though some of these technologies may not fully comply with HIPAA requirements, OCR says it will not impose penalties for non compliance with the regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the Cova 19 nationwide public health emergency. So that is an actual statement. It is important to understand that it is only during the nationwide public health emergency. So once that subsides then you will be required to go back to doing things the way you’re supposed to do it under HIPAA covered entities seeking to use audio or video communication tech to eat to reach patients where they live can use any non public facing remote communication product that is available to communicate with patients. So the agency of this success exercise of discretion applies to telehealth provide for any reason regardless of whether the telehealth services related to the diagnosis and treatment of health conditions related to Cova 19. So, the health treatment doesn’t need to be related to cobit 19. It could be anything. You know, if you’re a therapist and you want to apply, you want to you want to be able to practice remotely, you can use telehealth. To help broaden the use of remote consults. During the outbreak. OCR says providers will temporarily be allowed to use applications such as Apple FaceTime, Facebook Messenger, video chat, Google Hangouts, video, or Skype. OCR does Note however, that healthcare providers should notify patients that such third party apps may pose privacy risks or they’re not as secure as as the ones that have been approved. In addition, providers should enable all available encryption and privacy modes when using such applications. The agency also specifies that Facebook Live twitch Tick Tock and other people public facing video communications should not be used in provision of healthcare. So in other words, you can’t go on Facebook Live because people are going to see it that’s broadcast out to the public and the same for Twitch and tik tok and so forth. And I forget what I forget what Twitter’s version is, but Twitter and Instagram Live. Those things are public facing people are going to see wherever possible providers should use telehealth tools from vendors that are HIPAA compliant and will enter into a business associate agreements at the OCR and so they have a list here but I will tell you zoom is probably the best one and then Skype for Business being the next so while specifying what is not, has not reviewed to be as offered by those vendors, and this list does not constitute an endorsement, certification or recommendation to agency list companies that claim a HIPAA compliance and willingness to sign vas including Skype for Business up Doc’s vs. e. Soon for healthcare. Doxey me and Google G Suite hangouts meet telehealth is in the state. Life as the coronavirus crisis unfolds offering an essential link between patients and physicians while removing the need to travel to overburdened hospitals. On Tuesday, Centers for Medicare and Medicaid Services expanded its Medicare telehealth coverage during the cobit 19 pandemic to allow to enable more patients to get virtual care services of their from their providers. physicians, nurse practitioners, clinical psychologists and licensed clinical social workers can now offer healthcare to Medicare beneficiaries in any healthcare facility including a physician’s office hospital, nursing home rule Health Care Clinic, or the actual home. According to CMS. We are empowering medical providers to serve patients wherever they are during this national public health emergency said OCR director Roger Severino, his statement. We are especially concerned about reaching those most at risk including older persons and persons with disabilities. You’re going to see an increase in mental health issues with isolation, I can promise you that. So you’re going to want to if you’re in therapy, psychiatry, psychology, whatever, you’re going to want to be able to offer telehealth services so that you can reach those that need the the guidance set at that time as well. That being said, it concerns me a little bit that we’re doing this because I did set up some some of my clients to be able to do this through the proper channels. So they’re all set up on zoom for healthcare zoom is called telehealth on the zoom site. And yes, it cost a few dollars, but they’re doing it the right way. Because what’s going to happen is when they when they when the pandemic ends, they’re going to have to go back to normal routine. And when that happens, you’re going to have patients that have gotten used to you facetiming them or Facebook messaging them. And that’s going to going to be a problem for you and your practice because then only takes one complaint It only takes one complaint, and then you’re going to be looking at a problem. Most likely the OCR would come in and say, give me some technical advice, tell you what to do. But then if you continue, then you’re looking at trouble. The other concern I have is that I’ve heard people say that, you know, there’s no HIPAA now, the HIPAA has gone out the window. No, that is not true. All of the rest of HIPAA is still in place. We cannot divulge pH I, for any reason. If you get hit with a phishing attack or ransomware, attack, whatever, you’re still obligated to report it. The other HIPAA rules have not been relaxed. It’s only the rules around telehealth. Right, it’s time for our HIPAA breach report. And as I’m recording this, I’m going to check one last time but there have been no HIPAA breach reported. HIPAA breaches reported in probably close to two weeks now primarily because the HHS is busy with the corona virus outbreak so and as I say that there is a post here of roundup of recent healthcare data breaches so let’s go through it. Texas network of walking clinics attacks with maze ransomware afford to care, Urgent Care Clinic and network of walking clinics in Texas has been attacked by the maze ransomware gang. According to a recent report on data breaches net. The hackers stole 40 gigs of data prior to encrypting files. Some of the stolen data was published online when afford to care refuse to pay the ransom. published data included patient contact details, medical medical histories, diagnosis billing information, health insurance information and employee payroll data. It is currently unclear how many patients have been affected as the breach has not yet appeared on HHS OCR breach portal. So doesn’t it Doesn’t list the date as to when it happened. tandem diabetes care Inc and San Diego California has been targeted by cyber criminals who gain access to the email accounts of a limited number of of its employees between January 17 2020 January 23 of 2020. The attack was discovered in January 17 and cyber security firm was engaged to assist with investigation and analysis of the compromised accounts revealed it contain patients names, contact information, clinical information related to diabetes care, and information about customers use of tandems products and services in limited number of social security numbers may also have been compromised. Of course, to enemas, enhancing email security controls, but a little too little too late. When multiple accounts are compromised. That just means there is no phishing mitigation in place, and there is no multi factor authentication in place. The Cambridge Massachusetts based provider for genomic profiling services foundational medicine has discovered the email account of employee has been compromised as a result as a result of response to phishing email The incident was discovered on January 14, a third party forensics firm was engaged to conduct an investigation and determined the email account was accessible between December 17 and January 14, so almost a month. During that time an authorized individual unauthorized individual potentially access patient information in the email account, which included patient names dates of birth, ages test names, ordering physicians names, FM, FM AI ID numbers. foundational medicine has notified all affected patients and additional security awareness training has been provided in the workforce. So no indication of how many people there either random and I center in North Carolina has experienced a ransomware attack that affected a server containing patients protected health information. The attack was detected on January 13 2020, and a third party computer forensics firm was retained to assist with the investigation. The investigation is ongoing but the investigators have determined patient information was acquired. cryptid in the attack and could potentially have been accessed by the attackers, the server contains names dates of birth genders and digital retinal images. Towards Memorial Medical Center in California has discovered a server used by third party, radiology, vendor and security protections removed. That allowed certain patient information to be accessed by unauthorized individuals so Oh, okay, so I read that wrong so let me read it again towards medical health center in California has discovered a server used by a third party radiology vendor had security protections move that allowed certain patient information to be accessed by unauthorized individuals. tsmc was notified about the potential data breach by its radiology vendor on January 6. The investigation revealed protections were accidentally removed on June 20. So six months worth and server could be accessed by unauthorized individuals up to December 13 2020. The risk to each patient is believed to be low as radiology images are only stored on a server For a short period of time, every 24 hours images on the server are automatically deleted. However, over the course of six months, the server temporarily stored the medical images of 3448 patients. Those radiology images including names, dates of birth, gender, a session, number of medical record number and referring physician names. And then on January 16 2020, genuine dead took care in Saratoga, California discovered thieves had broken into its offices in installing a server that contained the protected health information of 2190. Day 90 patients data on the server required multiple passwords to be entered in order for patient information to be accessed over it is possible that these access to patient data well, so this means it wasn’t encrypted. If they’re reporting it, it means it wasn’t encrypted. And if it’s not encrypted, it doesn’t matter if you have passwords or not. patient information stored on the server including names, addresses, telephone numbers, social security numbers, driver’s license numbers, health insurance information, dental records, and some financial information including credit card numbers. Genuine dental care Also reports that medical images of certain patients that received dental treatment between June 2018 and January 2020 have been permanently lost. The incident was reported to the San Jose police department which is conducting an investigation. Genuine dental care has taken steps to improve physical security. And additional technical controls have been implemented to further protect patient data. I feel like we’ve talked about this before, because first of all, it’s a dentist. And so, again, just just reiterate that what I’ve been saying for months now that dentists are supposed to be covered under HIPAA. But more importantly, you didn’t encrypt your server. And you can say you have passwords all you want. It’s not hard to grab information off of a server, even if you don’t have the password. If the data is not encrypted, it’s very easy to do. So you’re left your patients data exposed on a server, probably thinking nobody’s gonna walk out here with a server but somebody did. Alright, that is going to do it for the HIPAA breach report. Surprised breach report because they hadn’t reported anything since the ninth so it’s been 11 days. So but that is going to do it for the HIPAA breach report and that is going to do it for the productivity podcast. So until next week, stay safe, stay secure and stay healthy.
Transcribed by https://otter.ai