Posts

Healthcare Vendor Breach: Credit Card System Hacked

On September 29, 2018, Baylor Scott & White Medical Center – Frisco, a joint venture managed by United Surgical Partners International (USPI), discovered that more than 47,000 patient records may have been compromised when the hospital uncovered an issue with the credit card processing system of a third-party vendor. The Texas hospital was required to notify federal regulators under the HIPAA Breach Notification Rule.

Data that may have been accessed by hackers includes name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number and status of transaction.

The hospital assures it patients that medical record information and social security numbers were not accessed; however, name, address, date of birth and medical record number may have been accessed by hackers. Under HIPAA, name, address, date of birth and medical record number are all considered protected health information (PHI).

Corrective Action

In addition to terminating the relationship with the vendor, Baylor Scott & White Medical Center – Frisco is also offering affected patients or guarantors one year of free credit monitoring services through TransUnion Interactive. However, the damage may have already been done. According to an article by Health IT Security, health information is more valuable than just credit card information or financial data alone, and hackers could sell the information on the dark web for more money than a social security number.

Breaches on the Rise

The U.S. Department of Health and Human Services Office for Civil Rights maintains a breach portal, commonly called the “wall of shame,” of all breaches of unsecured PHI affecting 500 or more individuals. Currently, the list contains more than 400 breaches in just the last 24 months. Each breach is currently under investigation by the Office for Civil Rights.

Breaches can be inevitable, but healthcare organizations must do everything in their power to protect PHI and avoid a breach. To accomplish this, a good vendor risk management program should be implemented. Third-party vendors must be inventoried, classified and assessed to determine their level of inherent risk on the healthcare organization. Once assessed, you can determine if their level of risk is acceptable, if you need them to go through a remediation process, or if you need to discontinue your relationship with this vendor. By doing so, healthcare organizations can show due care and create a defensible position in the event of a breach.

s2core

Estimate your score or book free demo today

/by

HIPAA: It’s Not Just for Hospitals

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is considered a covered entity if it transmits an electronic claim, payment, etc. to a dental plan or on behalf of a dental practice. It’s very likely that your dental practice is a covered entity and should be considering HIPAA requirements.

Missing Business Associate Agreements (BAAs)

Outside people or entities often have access to patient records and information. If your dental practice works with third parties of this nature, it’s important that you’re keeping tabs on them. Third parties are often root causes of breaches and data exposure. Continuously review your third parties and be sure you have BAAs for them.

Security Policies and Procedures

Well thought out, written plans are needed to ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of your office and each staff member in protecting your patients’ private health information. The policy should clearly outline how your office handles and remediates various kinds of security breaches.

Training

Training employees is a critical component to HIPAA compliance, even for dental practices. Once you have your policies and procedures in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change in your HIPAA policies or procedures, provide training on the change within a reasonable time after the change becomes effective. Training employees will limit the risk of breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening. While HIPAA doesn’t prohibit using email or text to communicate patient information, it is important it’s done the proper way.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review to either appreciate what has been said, or try to take corrective action. Dental practices must be a bit more careful. It’s easy to respond in a way that violates HIPAA rules. Ensure you and your employees understand privacy rules before responding to your practice’s reviews.

Other Media

As photos or videos are being taken of a patient there is the possibility that other patients may be included inadvertently. These photos and videos are quite often shared through social media and this can compromise those patients’ privacy. In addition, staff members of the practice might be included in the photo or video and this violates their privacy. Be cognizant of what is going on in the background of your images and videos so you do not compromise patient information.

Reporting Breaches

Breaches happen. It can and will happen to anyone at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report all breaches of unsecured protected health information to the Office of Civil Rights, as well as to individuals and, in some cases, to the media. The bottom line is, have a plan for what to do in case an incident does occur, because it certainly can.

 

How can you get a better understanding of these challenges, so you know how to avoid and face them? A cyber security assessment is a great tool to do that. Security assessments helps you identify where your gaps in security are. Once they’ve been identified, you can also use the assessment to develop action plans for improvement, meeting HIPAA regulations and proving to examiners that you have a strong data protection program. While there are many challenges as a dental provider to being HIPAA compliant and safeguarding patient information, getting a security assessment puts you on the fast track to understanding and preventing your patients’ data being compromised.

 

s2core

Estimate your score or book free demo today

/by

Douglas County Hospital Revamps Information Security Program with SecurityStudio

Douglas County Hospital is a system of healthcare providers that includes Heartland Orthopedic Specialists, Alexandria Clinic and Osakis Clinic. This 127-bed, non-profit regional hospital and clinics located in Alexandria, MN includes 875 staff and 72 physicians and advanced practice professionals providing integrated health care services to the patients, families and communities they serve.

The hospital is heavily focused on customer care, and because of this, saw a need to keep the organization’s patient data as safe as possible. Its leadership understood that compliance is only a small part of risk management and that it needed to expand its thinking beyond the ordinary security measures. Heating and cooling systems, outside foliage and camera placements were just a few potential vulnerabilities the hospital was looking to measure vulnerabilities on.

asset-management

So, Douglas County Hospital looked to SecurityStudio®.

SecurityStudio® was vital in helping the hospital mature its information security program. It provided an intensive independent review of the hospital’s security practices. To do so, it used the S2SCORE assessment, a security rating system that measures internal, external, administrative and physical security controls. This assessment was the crucial first step in improving the hospital’s security program, as it indicated strengths, weaknesses and threats that could help determine where the focuses for improvement should lie.

“Our information security program and policies should be based on an independent and unbiased standard. This assessment is helpful as it gives us a foundation on which to mature our program, develop new policies and rework current practices,” Director of Information Security, Joyce Beck said.

“We wanted to understand our security position and its effectiveness. After the assessment we learned that strengthening logical segmentation protocols via restrictive VLAN would protect our overall network from unauthorized access in a more effective way. Systems such as heating, cooling and camera control were given limited access and could only communicate on their assigned VLAN networks,” IT Lead Ryan Engelbrecht added.

The implementation of the additional protocols through the assessment added an additional layer of security to the hospital’s overall security. On top of this, it shifted their focus from reactionary thinking to a proactive mindset with a systematic handling of their known vulnerabilities, and it guided the hospital on recommended lifecycles for its hardware and software.

“Asset management was one of the tools we utilized but not to its fullest potential. Improved documentation was implemented and additional methods for auditing and ensuring the necessary follow through were added. The assessment gave us an approach that was modest and a directive to keep it simple, by starting at square one and building this plan from the ground up. This made the process of managing our hardware less overwhelming and cumbersome,” Engelbrecht said.

The S2SCORE security assessment not only pinpointed vulnerabilities for immediate improvement but also provided a roadmap for enhancing the overall security posture of Douglas County Hospital. Overall, this open, collaborative and mentoring approach is what made the difference to improving the hospital’s security position now and into the future.

 

s2core

Estimate your score or book free demo today

/by