HIPAA Say What!?!
Q: If a covered entity selects a video conference / telehealth provider (like Zoom for Healthcare, WebEx, Babylon, etc.) where patients need to log in and the episode might be recorded or transmitted – are these providers considered a BAA under HIPAA?
What has been your experience with vendors regarding their willingness to enter into a BAA?
In Canada, my experience is that it is almost impossible to get a vendor to enter into an agreement (we call them IMA).
We feel your pain. It is a frequent problem. First, the tools used for these types of sessions are required to be BAs under normal HIPAA rules. There is a temporary “enforcement discretion” period during COVID, but other than that temporary reprieve they must be a BA and sign a BAA.
Here comes trouble
When I was working out topics for this episode I had a bunch of tabs open with articles about breaches and attacks. Then this popped up in my email from the OCR listserv: Cyber Alert: Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks
OCR Alert about an FBI Alert
Let’s start with why OCR was alerting us. This FBI Notice: Windows 7 End of Life PIN 20200803 002 BC
OCR is sharing the following update with our listserv from the Federal Bureau of Investigation (FBI), warning individuals that the FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.
Just as we have been telling folks since before the Windows 7 EOL in January, and since before the Windows XP EOL years ago, these devices become targets once attackers know the security updates are no longer coming. The FBI alert specifically calls out healthcare entities first. Shocking, I know. Can you believe the Win 7 EOL date was just January 2020? Seems like a lifetime ago!
As of May 2019, an open source report indicated 71 percent of Windows devices used in healthcare organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year.
Then they call out RDP use. What have we been concerned about during the shutdown? RDP use increased dramatically, and we feel certain the security requirements for RDP were not addressed in most of those cases.
Cyber criminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered the RDP vulnerability called BlueKeep in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cyber criminals often use misconfigured or improperly secured RDP access controls to conduct cyber attacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.
Then they point out how unpatched Windows 7 was the reason WannaCry spread like wildfire. Can you believe WannaCry was back in May 2017? Wow, we have known about these things for a while, and some systems may still be unpatched. The end of that review in the alert was really the whole point:
cyber criminals will continue to view Windows 7 as a soft target
These issues are not new, but the fact that they are specifically seeing traffic scanning for those devices shows that the criminals are indeed running business as usual: they are exploiting every known gap in our technical and human security. If you have this problem, you should be handling it with some method other than business as usual. Mitigate it with network segmentation and zero trust. That only underlines why you need professional IT support, not just someone who is good with computers and once worked at X. In the words of the FBI:
Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization.
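The alert pairs two conditions: an end-of-life operating system and reachable RDP. The script below, an added example that is not from the episode or from the FBI alert, triages a constructed asset inventory for exactly those conditions and maps each host to the mitigation discussed above (segment it, restrict RDP, plan the migration). The hostnames, zone labels and the `rdp_nla` field are assumptions; the lifecycle table only lists the Windows 7 / Server 2008 R2 extended-support end date of 2020-01-14, and anything added to it should be checked against Microsoft's lifecycle pages.

```python
"""Triage an asset inventory for EOL Windows hosts and exposed RDP (TCP 3389).

Added example with constructed data; it is not the podcast's or the FBI's tooling.
"""
from dataclasses import dataclass
from datetime import date

# Assumed lifecycle table. Windows 7 and Windows Server 2008 R2 left extended
# support on 2020-01-14. Extend only with dates verified against the vendor.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Assumed zone label for a network segment that only carries explicitly allowed flows.
ISOLATED_ZONE = "isolated-legacy"

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    listening_ports: frozenset
    zone: str       # constructed segment label, e.g. "clinical-lan"
    rdp_nla: bool   # Network Level Authentication enforced on the RDP listener


def is_eol(os_name: str, today: date) -> bool:
    """True when the OS is in the table and its support end date has passed."""
    eol = EOL_DATES.get(os_name)
    return eol is not None and today >= eol


def triage(host: Host, today: date) -> dict:
    """Rate one host and name the mitigation that matches its exposure."""
    eol = is_eol(host.os, today)
    rdp_open = 3389 in host.listening_ports
    isolated = host.zone == ISOLATED_ZONE

    if eol and rdp_open and not isolated:
        # Unsupported OS with RDP reachable from a general-purpose segment.
        severity = "critical"
        action = "block 3389 at the segment boundary, move host to the isolated zone, plan migration"
    elif eol:
        severity = "high"
        action = "keep in isolated zone, allow only required flows, plan migration"
    elif rdp_open and not host.rdp_nla:
        severity = "medium"
        action = "enable NLA and require VPN plus MFA before RDP"
    elif rdp_open:
        severity = "low"
        action = "confirm RDP is reachable only from admin jump hosts"
    else:
        severity = "info"
        action = "none"

    return {
        "host": host.name, "os": host.os, "eol": eol,
        "rdp_open": rdp_open, "severity": severity, "action": action,
    }


def prioritized_findings(hosts, today: date) -> list:
    """Triage every host and order the findings worst-first."""
    findings = [triage(h, today) for h in hosts]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))


# Constructed sample inventory (hostnames and zones are made up).
SAMPLE_INVENTORY = [
    Host("imaging-ws01", "Windows 7", frozenset({445, 3389}), "clinical-lan", False),
    Host("lab-legacy02", "Windows 7", frozenset({445}), ISOLATED_ZONE, True),
    Host("reg-ws03", "Windows 10", frozenset({3389}), "clinical-lan", False),
    Host("admin-jump01", "Windows Server 2019", frozenset({3389}), "mgmt", True),
    Host("ehr-app01", "Windows Server 2019", frozenset({443}), "dmz", True),
]

if __name__ == "__main__":
    for f in prioritized_findings(SAMPLE_INVENTORY, date(2020, 8, 15)):
        print(f"{f['severity']:8} {f['host']:14} {f['os']:24} -> {f['action']}")
```

The date is passed in rather than read from the clock so that the same inventory can be evaluated against a future support cut-off; a Windows 7 host assessed before 2020-01-14 is rated only on its RDP configuration, the same host assessed afterwards becomes critical if 3389 is still reachable outside the isolated segment.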
Microsoft shares how easy it is to get hacked on Windows
[34:18] I loved the articles about this, with titles like: Microsoft Reveals New Innocent Ways Windows Users Can Get Hacked
Patch Tuesday for August 2020 was full of corrections, many of them serious. This month's batch included 120 fixes; 17 were rated critical and the rest important. The article pointed out that these fixes show just how vulnerable the average user is while these problems exist on their devices.
In a nutshell, your Windows computer can be hacked if you:
- Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs
- Listen to audio — thanks to bugs affecting Windows Media Audio Codec
- Browse a website — thanks to ‘all time buggy’ Internet Explorer
- Edit an HTML page — thanks to an MSHTML Engine flaw
- Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader
- Receive an email message — thanks to yet another bug in Microsoft Outlook
So there’s that. Patching is essentially the only way to have a fighting chance.
If it can happen to them
Speaking of having a fighting chance: when I saw these articles I felt a bit defeated.
If SANS gets hit like this then we should all be prepared for it to happen to us. End of discussion, period, nothing else to argue here. Move along.
The breach announcements are flowing
As expected, we are starting to see the damage from the overload that has been happening all over the world.