News & Press: HIPAA Compliance

Ransomware 'WannaCry' attack - health orgs hugely affected - leaves HIPAA breaches in its wake

Wednesday, May 24, 2017   (0 Comments)
Posted by: Sheri Ryan
IN THIS ALERT:

What you need to know:

*Ransomware is especially nasty: it locks you out of your data, blackmails you for REAL dollars, and opens you up to HIPAA fines for not protecting your data against such an incident and thus causing breaches of individuals' private information. There are also reports of attacks on medical devices that store information. The government has issued some new guidelines, found below, and the Contingency Plan requirement takes center stage (an often overlooked segment of a HIPAA program);

**Many of you who have heard me talk live know that I always tell the story of Homeland Security threatening to take over HIPAA -- these massive incidents bring that closer and closer to reality. Homeland Security is now recommending that, for further information, you search for government information relative to HIPAA! This alert came to me on Monday, May 15, 2017 - details in body copy:

***If you haven’t done anything about implementing or updating your HIPAA and OIG program, what is it going to take before you realize the significance of Cybersecurity in today’s world and get yourself protected?

We have products and services to help-details at the bottom of the alert.

 
Government advice relative to Ransomware:

HHS Office of Civil Rights Guidance on HIPAA specific to WannaCry

  • OCR presumes a breach in the case of a ransomware attack. The entity must then determine whether the breach is a reportable breach.
  • Establishing a strong HIPAA program in accordance with the HIPAA Security Rule helps entities prepare for ransomware attacks, including with regard to contingency planning.
  • Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR. All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule. Important Note: If the data was not encrypted by the entity, then OCR presumes a breach occurred due to the ransomware attack. As such, the entity would need to prove, through forensic or other evidence, that the ePHI was encrypted when the attack occurred.
 
Where can I find the most up-to-date information from the U.S. government?
www.us-cert.gov

How can I help protect myself from email-based ransomware attacks?

Ransomware can be delivered via email by attachments or links within the email. Attachments in emails can include documents, zip files, and executable applications. Malicious links in emails can link directly to a malicious website the attacker uses to place malware on a system. To help protect yourself, be aware of the following:
 
  • Only open emails from people you know and that you are expecting. The attacker can impersonate the sender, or the computer belonging to someone you know may be infected without his or her knowledge.

  • Don’t click on links in emails if you weren’t expecting them – the attacker could camouflage a malicious link to make it look like it is for your bank, for example.

  • Keep your computer and antivirus up to date - this adds another layer of defense that could stop the malware.
Note from Dr. Ty the HIPAA guy: keeping patches current is very important. Don’t use outdated software that is no longer supported, such as Windows XP; don’t use pirated software that cannot receive the updates that are constantly released to protect your software and data; and when you’re notified of updates, make sure they load automatically or that you allow them to load so you are always current. This international attack mainly hit people with one or more of these issues!

How can I help protect myself from open RDP ransomware attacks?
Recently, attackers have been scanning the Internet for Remote Desktop Protocol (RDP) servers open to the Internet. Once connected, an attacker can try to guess passwords for users on the system, or look for backdoors giving them access. Once in, it is just like they are logged onto the system from a monitor and keyboard. To help protect yourself, be aware of the following:
  • If you do not need RDP, disable the service on the computer. There are several ways of doing this based on which version of Microsoft Windows you are using.

  • If RDP is needed, only allow network access where needed. Block other network connections using Access Control Lists or firewalls, and especially from any address on the Internet.

  • To find which version of Windows you are using: https://support.microsoft.com/en-us/help/13443/windows-which-operating-system
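The two RDP recommendations above (turn the service off if it is not needed; otherwise allow it only from where it is needed) can be applied and verified from an elevated PowerShell prompt on Windows 8 / Server 2012 or later. The script below is an added example written for this alert; it is not part of the original US-CERT guidance. The management subnet 10.10.0.0/24 is an assumed value to be replaced with the addresses your administrators actually connect from, and the script relies on the Windows firewall's default inbound-block policy, so anything not matched by the narrowed "Remote Desktop" rules (including every Internet address) is dropped.

```powershell
# Added example (not from the original alert or the US-CERT guidance it reproduces).
# Audits Remote Desktop exposure and then either disables RDP or limits it to a
# management subnet. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

param(
    # $true = RDP is not needed on this machine: turn it off (first recommendation).
    [bool]$DisableRdp = $false,
    # Otherwise the only addresses allowed to reach 3389. ASSUMED VALUE - replace it.
    [string[]]$ManagementSubnets = @('10.10.0.0/24')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Report the current state: is RDP enabled, and is anything listening on 3389?
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host "RDP enabled in registry : $($denyTs -eq 0)"
Write-Host "Listener on TCP 3389    : $([bool]$listen)"

if ($DisableRdp) {
    # 2a. RDP not needed: deny connections and switch off the built-in allow rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and its firewall rules turned off.'
}
else {
    # 2b. RDP needed: require Network Level Authentication, so the password guessing
    #     described above is refused before a desktop session is ever created ...
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    # ... and narrow the built-in "Remote Desktop" allow rules to the management
    # subnet. All other sources fall through to the firewall's default inbound block.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnets -Enabled True
    Write-Host "RDP limited to: $($ManagementSubnets -join ', ') (NLA required)."
}

# 3. Print the resulting rules so the change can be verified and kept with the
#    practice's HIPAA risk-analysis / contingency-plan documentation.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} Enabled={1,-5} Remote={2}' -f $_.DisplayName, $_.Enabled, ($addr -join ',')
    }
```

Run it once with `-DisableRdp $true` on machines that never need remote administration, and with the real `-ManagementSubnets` value on the ones that do; the final listing is what an auditor will ask to see. Narrowing the existing "Remote Desktop" rule group, rather than adding a new allow rule, avoids leaving the original any-source rule in place beside the new one.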

If you are the victim of ransomware
If your organization is the victim of a ransomware attack, please contact law enforcement immediately. We recommend organizations contact their FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance.

“We would like to flag for the community that an individual called a hospital claiming to be from Microsoft and offering support if given access to their servers. It is likely that malicious actors will try and take advantage of the current situation in similar ways.
Additionally, we received anecdotal notices of medical device ransomware infections.”
 
Where can I find the latest Microsoft Security Information?
Visit the Microsoft Update Catalog for the latest security updates.

Warning from homeland security:
The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).
-- and the part that made the hair on the back of my neck stand up ‘for further information search government/HIPAA’
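The DHS warning above names the two things to check on each Windows machine: whether the MS17-010 update is installed, and whether SMBv1 is still enabled. The PowerShell below, an added example for this alert and not part of the DHS or US-CERT text, checks both on a Windows 8 / Server 2012 or later host, then disables SMBv1 and limits inbound SMB (TCP 445) to the local subnet so the service is never reachable from the Internet. The KB-number table is the subset of the MS17-010 bulletin the author of this example is certain of; the bulletin lists one update per Windows build, so extend the table from it for your systems.

```powershell
# Added example (not from the original alert or the DHS/US-CERT warning it reproduces).
# Checks MS17-010 patch state and SMBv1 exposure, then mitigates. Run elevated.
#Requires -RunAsAdministrator

# MS17-010 updates by platform. Subset of the bulletin's list - verify against it
# for your exact build and add the entry for each build you run.
$Ms17010Kbs = @{
    'KB4012598' = 'Windows XP / Server 2003 / Vista / Server 2008 (out-of-band)'
    'KB4012212' = 'Windows 7 / Server 2008 R2 (security-only)'
    'KB4012215' = 'Windows 7 / Server 2008 R2 (monthly rollup)'
    'KB4012213' = 'Windows 8.1 / Server 2012 R2 (security-only)'
    'KB4012216' = 'Windows 8.1 / Server 2012 R2 (monthly rollup)'
    'KB4012214' = 'Server 2012 (security-only)'
    'KB4012217' = 'Server 2012 (monthly rollup)'
}

# 1. Is the SMBv1 server protocol still enabled?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server enabled : $smb1Enabled"

# 2. Which MS17-010 updates, if any, are installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs.ContainsKey($_.HotFixID) }
if ($installed) {
    $installed | ForEach-Object {
        Write-Host "MS17-010 present     : $($_.HotFixID) ($($Ms17010Kbs[$_.HotFixID]))"
    }
}
else {
    # Get-HotFix only lists updates installed under their own KB number. On Windows 10
    # a later cumulative update carries the fix under a different KB, so treat this as
    # "verify against the bulletin", not as proof the host is unpatched.
    Write-Warning 'No MS17-010 KB found by Get-HotFix; confirm patch level against the bulletin.'
}

# 3. Mitigate regardless of patch state: remove SMBv1, the protocol the exploit targets.
if ($smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled.'
}
# On Windows 8.1 / 10 SMBv1 is also an optional feature; remove it so the driver is gone.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1Protocol optional feature removed (restart required).'
}

# 4. Keep TCP 445 off the Internet: narrow the built-in SMB allow rules to the local
#    subnet ('LocalSubnet' is a firewall keyword). With the default inbound-block policy
#    every other source, including any Internet address, is then dropped.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -RemoteAddress LocalSubnet
Write-Host 'Inbound SMB limited to the local subnet.'
```

Disabling SMBv1 is the mitigation that holds even on a machine the patch has not reached yet, which is why step 3 runs whether or not step 2 found the update; the firewall change in step 4 is the "block other network connections" advice from the RDP section applied to SMB. Reboot after the optional-feature removal, then rerun the first two steps and keep the output with your risk-analysis records.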
 
As a reminder, our levels of HIPAA service are:
 
Our HIPAA and OIG compliance Products: upgrade to a HIPAA Silver program - so many doctors are needing to get their OIG compliance program in place that they are upgrading their HIPAA program to Silver so that we can help do their HIPAA while they take care of their OIG - and our OIG compliance program is free with the upgrade to Silver or a new purchase of any HIPAA product - details below, order form by clicking at the bottom...

 

Remember our new OIG Compliance Program is absolutely FREE with any new purchase of any level HIPAA program. (retail $399.00)

See order form at very bottom of Alert!
 
 
 
Our team provides consulting as needed, arrives on-site to install your program, inspects your facility, trains your staff, and is available in person to educate your appointed compliance officer, plus both the Silver and Bronze services are included as well - this is the best option for the busy, elite practice that wants to minimize its time commitment to administrative work, thus focusing team members on practice growth / profitability.

This program is typically $5000 plus expenses for a single location with chiropractors only under a single business name.

Our special pricing, for orders placed in the next seven days, is a total cost of $4800 with expenses included in that $4800!

Please contact us for an exact quote if there is more than one business entity at a location and/or you have more than one location and/or more than one type of licensed professional in the business.

 
 

Record numbers of people continue to upgrade to our most popular Silver program (Click this LINK for order form!)

With this program we ask you questions via email and/or phone and then author all of those documents for you and present you final copies in electronic and hard copy. This is often a 500 to 700 page completed HIPAA compliance manual! You also receive a complimentary copy of the HIPAA Survival Kit as an ongoing resource.** If you've purchased a Survival Kit in the past, we will credit that amount toward the upgrade to a Silver program!

 
 

 

 

BRONZE

The do-it-yourself option: this program utilizes the HIPAA Survival KIT - the most cost-effective approach.

Contact us to help get your program current or with any questions!
 

 

Dr. Ty Talcott, CHPSE

President,

HIPAA Compliance Services

469-371-8804



Alaska Chiropractic Society, PO Box 111507, Anchorage, AK  99511-1507 
    
Phone: (907) 903-1350   Fax:  (907) 770-3790   Email:  info@akchiro.org