If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Listener email from Jack:
1st – Love your podcast and have listened to every one of them.
2nd – I work for a company that requires our health information (Minimal – see below for the information needed) to be entered into a portal. It is an external portal and not part of our company. We are also self-insured, so we are considered a CE if I understand correctly. We are a copier supplier with the following areas that would fall into the role of a BA.
– Copier Service company
– MSP portion of the business
– Shredding Company
Each has clients in a HIPAA Compliance vertical.
The company I work for does not feel that they are a CE even after providing documentation of that status.
The company does not have a signed BAA with the vendor. When I questioned them on that, they stated that HIPAA has provided some allowances for this to put something into place. The question they could not answer was what the vendor will do with the data collected during and after the service is used. We also have not completed any due diligence in their services or portal. I also mentioned that we should have officiated the names with the employee number or something that they could not connect with a name. The answer I received was that the Employee Number can be considered part of PHI. I commented that this could be correct, but the vendor would not have access to the database that holds the Employee Number and the Employee Name to make the connection.
Are my concerns valid or is this the norm in this time of the pandemic? Any insight would be greatly appreciated.
Merchant bank account change form story from Donna. It is going to be interesting how this turns out.
No one is watching the hen house
No matter what you are focused on in your normal day-to-day survival, it probably hasn’t been all the announcements about new malware, vulnerabilities, and attack methods being actively used while we are all distracted. Yes, it is certainly understandable that we are distracted by any one, much less all, of these issues.
Dumpster disposal of records by a records management company, and a tornado hitting a building holding medical records, caused two different data breaches involving paper records. It is unfortunate that we will see continued issues as companies go out of business or are acquired during this economic downturn created by COVID-19. What will happen to the
We certainly can’t forget the nation state attackers in this. An alert tells us that the North Koreans are going to be attacking more and bigger, using all of this as a great cover for their actions. No one will be safe; if you are connected, you will be a potential target for these hackers. Covid-19 Relief: North Korea Hackers Lazarus Planning Massive Attack on US, UK, Japan, Singapore, India, South Korea?
The claim that you must use Microsoft O365 to be HIPAA compliant is not true. David just went through this today with a client who was told exactly that. Vet those vendors you are looking at to save money. You don’t want to spend your money addressing things just because your vendors may be cheaper but very much misinformed as to what you should be doing. Spend the time to make sure that cheaper deal really is going to save you money and not open you up to bigger issues.
We have all these folks working from home, and very little has been done to secure those machines or those home networks. News came out this week about multiple issues that directly impact home networks and systems. If no one is making sure those issues are dealt with, they can become the way into your network, your systems, or both.
We have a couple of cases that came in to us from clients as well as business partners. The financial attacks are really growing. They are also getting much more sophisticated. You must stay on top of any request to release any information relating to your EIN, SSN, bank account, credit cards, etc. No request should be fulfilled without double checking and sometimes triple checking.
InfoSec Handlers Diary Blog – Broken phishing finds zero day accidentally. Sometimes these guys send things that don’t even work, but their failure turns up something new that can be used against you.
BJC reports one of the largest breaches this year – due to email phishing.
Yet another breach involving a BA was reported to HHS on May 5 by BJC Health System in Missouri, which provides services to hospitals as a parent corporation. That incident, reported as involving email and impacting nearly 288,000 individuals, is the third largest breach posted on the HHS website so far this year.
We have seen reports that some phishing campaigns are fake notifications of data breaches by other companies. Google Alerts catches fake data breach notes pushing malware
IoT Ripple20
This week a new vulnerability was found dealing with how IoT devices such as medical devices work. This one is way deep in the networking software, and literally millions upon millions of devices have the problem. The worst part is that even when this is fixed, it will take years to roll out the changes to all those devices. We already have issues updating medical devices.
A nifty attack going around includes a tool that claims to be a ransomware decryptor that will get your data back without paying. But what it really does is perform ANOTHER round of encryption on your data, so that you are now being held for ransom TWICE.