Breach exposed sensitive information about 143 million consumers

It has been called the worst data breach in U.S. history. Attackers took personal data, including Social Security numbers, belonging to roughly 143 million U.S. consumers, close to half the population. Equifax discovered the intrusion in July 2017 but did not notify the public until September. The fallout has been severe: class action lawsuits have been filed and consumers are demanding free credit monitoring.

“Equifax has been hit with dozens of lawsuits from shareholders, consumers and now one filed by a small Wisconsin credit union that represents what could be the first by a financial institution attempting to preemptively recoup losses caused by alleged fraud the hack could cause,” as reported by the Washington Post.

Equifax set up a website where consumers could check whether they were affected. However, on multiple occasions the company’s official Twitter account directed people to a look-alike phishing site instead. (The look-alike site, shown in the screenshot accompanying the original post, was created by developer Nick Sweeting to demonstrate how easily the breach-response domain could be impersonated.) The lesson for anyone running a breach response is to host it under a domain consumers already associate with the company, so a freshly registered impostor cannot pass as the real thing.

The company’s stock price has fallen 25 percent since it announced the hack on Sept. 7, according to ABC News. In the meantime, Equifax has met with investors in New York in an effort to contain the fallout.

For information on how to prevent this type of breach, visit VirtualAuditor.com

Virtual Auditor’s Virtual Security Officer Server (VSOS) is a unique, fully-managed, information security auditing assessment solution that helps you establish a formal information security program within your organization. VSOS is packed with powerful vulnerability, auditing and testing tools that can help identify security vulnerabilities within your environment, as well as gaps in your existing security program.

Quick tips on how consumers can protect themselves

  • Monitor your credit reports closely
  • Assume the stolen data can be used at any time; be suspicious of calls, emails or texts that cite your personal details to gain your trust
  • Freeze your credit file to stop thieves from opening new credit cards or loans in your name

Equifax Cybersecurity Incident:

“To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring”, please go directly to their site:

https://www.equifax.com/personal/

National Health IT Week

September 26-30, 2016

A Message from President Obama Commemorating National Health IT Week

“During National Health IT Week, we recommit ourselves to improving the health of our citizenry using the breakthrough technologies of our time and reaching for the next frontier of innovation…Because of our collective efforts, 97 percent of our Nation’s hospitals and three-quarters of doctors are using electronic records to care for their patients…These efforts help advance our Administration’s goal of fostering the seamless and secure flow of electronic health information when and where it is needed most. Though there is more to be done to realize a healthcare system that fits each of our needs, I am confident that if we continue working together, we can build a future of greater health and prosperity for coming generations.”

President Barack Obama, commemorating National Health IT Week

For the full message see: RISCconsulting.com

Here are some of the events. View daily for updates

  • New resources: Health IT Playbook, EHR Contract Guide
  • Blockchain white papers posted
  • Newest survey on hospitals using certified EHRs
  • Dr. Vindell Washington will be available on Tuesday, September 27 at 11:00 am ET using #AskVindell for Twitter Chat
  • Twitter Chat on Model Privacy Notice on Thursday, September 29th at 2:00 pm ET using #MPNchat
Introduction to the Health IT Playbook

The Office of the National Coordinator for Health Information Technology (ONC), within the U.S. Department of Health and Human Services (HHS), developed this first edition of the Health IT Playbook (Release 1.0) to address many of the questions providers ask while implementing and using health IT. Compiled from existing research and from both previously developed and newly created tools, the playbook addresses these questions and more:

  • How do I choose, implement, or upgrade an electronic health record (EHR) system?
  • How do I redesign workflows to improve and optimize practice efficiency and effectiveness?
  • How can I connect and share information with other providers and public health officials?
  • How can I activate and engage patients and their families?
  • How do I learn more about improving patient outcomes and prepare for new quality payment programs?
  • How do I protect the confidentiality, integrity, and availability of personal health information in my EHR system?

The playbook covers Electronic Health Records, Certified Health IT, Health Information Exchange, Patient Engagement, Value-Based Care, Privacy and Security, Quality & Patient Safety, Care Settings, Population and Public Health, and Specialists.

For the complete playbook visit: The Office of the National Coordinator for Health Information Technology HEALTH IT PLAYBOOK: https://www.healthit.gov/playbook/introduction/

$1.55 million settlement underscores the importance of executing HIPAA business associate agreements

March 16, 2016

From the HHS Press Office
media@hhs.gov

 North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Risk Management

Risk Management is the practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce or curb the risk.

What Is A Risk Analysis? A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information that your organization may collect, store, process, transmit, or share with others.

After an organization has identified all of the risks to the confidential information that it collects, stores, processes, or transmits, a determination of “What to do with those risk elements?” must be made.

  • Risk Analysis is the First Step
  • Document and Analyze
  • An organization has only four choices to address all risks that are identified

Choices to address all risk elements

Accepting Risk

An organization has the choice to accept identified risk. However, that decision must be made with thorough and comprehensive knowledge of the potential damage or liability that acceptance implies. The acceptance of risk must be made by executive management, and be based upon all of the available information. Executive Management must make this determination clear, and security policies should be updated to reflect the determination.

Transferring Risk

An organization has the choice to transfer the risky activity or the risk liability to another party. An example of transferring liability is obtaining data breach insurance to reduce the financial exposure if a risk is exploited. Another option is to transfer the risky activity itself. An example of this is outsourcing all credit card transactions to a third party that accepts the payments for a percentage of the charged amount. Note that transferring an activity does not transfer regulatory accountability: under HIPAA the covered entity remains responsible for the protected health information it hands to a contractor and must have a business associate agreement in place, which is exactly what the North Memorial settlement described above enforced.

Eliminating Risk

Another option is the complete elimination of a risky activity. If a risk cannot be reduced enough to be acceptable to executive management, and it is not reasonable to transfer that risk to a third party, an organization may decide to eliminate the risk entirely by stopping the activity. In these cases the organization makes an executive decision that the revenue opportunity is not sufficient to justify the residual risk that would remain after mitigation strategies are applied.

Reducing Risk

By far the most common option is risk reduction. In practice an organization combines several of the strategies above with the implementation of controls that lower either the likelihood or the impact of a risk being realized.

Organizations might deploy techniques and controls to reduce risk. Controls typically fall into categories such as:

  • Administrative
  • Physical
  • Technical

Controls typically include policies, procedures, practices, processes, technology, logs, checklists, and the like. RISC Management employs experts with extensive experience in these techniques.

RISC Management and Consulting, LLC can assist your organization in identifying, documenting, addressing, and eliminating risk to all your sensitive information. Contact us today to find out how!