Maria Perez
Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria's expertise and dedication to delivering accurate stories make Maria a trusted source on our site.
by Maria Perez | Jun 9, 2020 | Compliance News
St Joseph Health System in North Central Indiana is notifying patients that some of their protected health information (PHI) was compromised through unauthorized access. The breach did not occur at St Joseph Health but at a business associate.
Central Files Inc, a secure document storage facility in South Bend, IN, was hired to store patient files securely in compliance with government and state laws and to dispose of some records in accordance with HIPAA regulations. Central Files Inc. has now closed completely but must continue to keep patient information until an alternative secure records facility can be arranged.
From April 1 to April 9, 2020, various healthcare groups affiliated with St Joseph Health System were informed that sensitive records containing patient information had been dumped at a location in the South Bend area some time prior to April 1, 2020.
The records found at the location were in very poor condition. According to the substitute breach notification published on the St Joseph Health System website, the files showed evidence of mold, moisture damage, and rodent infestation, as well as damage from being mixed with trash and other debris. Efforts were made to identify the patients whose records were compromised; however, trained security personnel determined that inspecting almost all the records would be hazardous to health and recommended that the best solution was to dispose of the files securely.
The documents that could be safely recovered were retrieved, and St Joseph Health System hired a vendor to collect the remaining files from the site. That process was completed on May 20, 2020, and arrangements were made to dispose of those documents safely and completely.
In many cases, the records were outdated and contained old data. Some of the paperwork consisted of paper copies of healthcare information and billing statements containing details such as names, contact information, Social Security numbers, clinical and diagnostic details, and service dates. Patients have been notified of the breach. There is no evidence that any data has been misused, although the possibility of unauthorized access cannot be ruled out.
The documents were related to these entities:
- Allied Physicians of Michiana (From 1995 to 2007)
- Saint Joseph Health System (From 1999 to 2013)
- South Bend Medical Foundation (From 2009 to 2015)
- New Avenues (From June 2004 to December 2015)
- Michiana Hematology Oncology (From 2002 to 2004)
- Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)
- Elkhart Emergency Physicians, Inc. / Goshen Emergency Physicians, LLC (From 2002 to 2010)
The breach has not yet been posted on the HHS' Office for Civil Rights breach website, so it is currently unclear how many patients were affected.
by Maria Perez | Jun 4, 2020 | Compliance News
Cybercriminals are changing their tactics, techniques, and procedures during the COVID-19 pandemic and are targeting people working from home with COVID-19-themed lures in their phishing campaigns. The number of phishing attacks aimed at users of mobile devices such as phones and tablets has increased dramatically, according to a newly released report from mobile security firm Lookout.
Worldwide, mobile phishing attacks on enterprise users rose 37% from the 4th quarter of 2019 to the end of the 1st quarter of 2020. In North America, mobile phishing attacks grew by 66.3%. Cybercriminals are targeting people working from home in particular industries, such as healthcare and financial companies.
Although the dramatic rise in mobile phishing attacks is linked to the change in work practices caused by the COVID-19 crisis, mobile phishing attacks have been increasing steadily over the last few quarters. The success rate of phishing attacks on mobile device users appears to be higher: users are more likely to click links than when using a laptop or desktop computer, because phishing links are harder to identify as malicious on smaller screens.
While the full URL is usually visible on a laptop or desktop computer, a mobile device will display only the last segment of the link, which can make the link appear legitimate. When working from home, people are more likely to use their smartphone to get tasks done, especially those who do not have large screens or several monitors at home.
Mobile devices generally do not have the same level of security as laptops and office computers, so phishing emails are less likely to be blocked. There are also more ways for phishing links to be delivered to mobile devices than to laptops and desktop computers. On a desktop computer, phishing links mainly arrive by email; on mobile devices they can just as easily arrive through email, messaging applications, SMS, and social networking and dating applications. Mobile users also tend to react quickly without stopping to consider whether a request is genuine, even though they might be more careful on a desktop or laptop computer.
The surge in phishing attacks targeting mobile device users is a security problem that company management should address through security awareness education and training, particularly for remote employees. Phishing awareness training needs to cover the risk of mobile phishing attacks and explain how links can be previewed on mobile devices, along with other steps that should be taken to confirm that requests are legitimate.
When a message appears to come from a person you know but makes an unusual request or takes you to an odd website, contact that individual directly and verify the message. When working remotely, it is even more important to verify any unusual communication.
Education by itself might not be enough. Security software should also be deployed on mobile devices to better protect users from phishing and ransomware attacks.
by Maria Perez | May 26, 2020 | Compliance News
The IRS, DHS' Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury published a joint notification to raise awareness of the risk of phishing attacks and other cyberattacks connected to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
The CARES Act makes $2 trillion available to assist businesses and individuals adversely affected by the COVID-19 crisis, helping to ease the financial burden through economic impact payments to eligible U.S. citizens. Hackers are using CARES Act payments as a lure in phishing attacks to obtain personal and financial details and to try to redirect CARES Act payments. All Americans are urged to be on the lookout for criminal fraud linked to the CARES Act and COVID-19.
The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive details, including bank account details. Financial companies were asked to remind their customers to follow good cybersecurity practices and to watch for suspicious account use and creation.
Criminals are using CARES Act-themed email messages and web pages to obtain sensitive details, spread malware, and gain access to computer systems. The lures use themes such as loan and grant programs, economic stimulus, personal checks, or other subject matter linked to the CARES Act. These CARES Act-related cybercriminal efforts could support a wide range of follow-on activities that may jeopardize the rollout of the CARES Act.
Threat actors may also attempt to disrupt the operations of the institutions responsible for implementing the CARES Act, including by using ransomware to interrupt the flow of CARES Act funds and to extort money from beneficiaries. Government, state, local and tribal groups are being advised to review their loan processing, banking and payment systems and to strengthen security to prevent attacks.
International threat actors have been identified submitting fraudulent claims for COVID-19 relief funds, including one Nigerian business email compromise (BEC) gang believed to have filed more than 200 fraudulent claims for unemployment benefits and CARES Act payments. The group, named Scattered Canary, has been filing claims through state unemployment web pages to obtain payments using data stolen in W-2 phishing attacks. The gang has filed no fewer than 174 fraudulent claims with the state of Washington and about 12 claims with the state of Massachusetts. About 8 states have been targeted so far.
The U.S. Government has been sharing threat intelligence and cybersecurity best practices to help disrupt and stop criminal activity. The U.S. Secret Service is now focused on investigative operations to track down people taking advantage of the pandemic, to ensure they are brought to justice and that money lost to these crimes is recovered.
The IRS has told taxpayers that it will not contact them by email, text, or social media to ask for personal and financial data such as bank account numbers, PINs and credit card details. The IRS has also warned Americans that copycat web pages may be set up to collect sensitive details, and advised them to check any domain name carefully for transposed letters or mismatched SSL certificates. The IRS uses only www.irs.gov and the IRS-run website https://www.freefilefillableforms.com/.
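The domain check the IRS advises can be automated, for example in a mail or web filter. The sketch below is an added example and not part of the original article or any IRS tooling: the two official domains come from the article, while the function names, distance thresholds and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The two official domains named in the article. Everything else in this
# example (function names, thresholds, sample URLs) is constructed.
OFFICIAL_DOMAINS = ("irs.gov", "freefilefillableforms.com")


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent-letter swap as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposed letters
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for name in OFFICIAL_DOMAINS:
        # Assumption: subdomains of an official domain belong to its owner.
        if host == name or host.endswith("." + name):
            return "official"
    for name in OFFICIAL_DOMAINS:
        # Official name placed in front of someone else's domain.
        if host.startswith(name + "."):
            return "lookalike"
        # Short names get a tighter limit so that other genuine .gov
        # sites are not flagged.
        limit = 1 if len(name) < 12 else 2
        if osa_distance(host, name) <= limit:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for sample in (
        "https://www.irs.gov/coronavirus",
        "https://www.isr.gov/payment",
        "http://irs.gov.refund-status.example/login",
        "https://freefilefilableforms.com/",
    ):
        print(f"{classify_link(sample):10} {sample}")
```

A check like this covers only the domain name; the certificate mismatch the IRS mentions has to be verified separately.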
All U.S. citizens have been cautioned to stay vigilant, to monitor their financial accounts for signs of fraudulent activity, and to report phishing attacks and other fraud to the appropriate authorities. They should also notify their employer if they believe they have fallen victim to a scam and disclosed sensitive details concerning their business.
The notification, Avoid Scams Related To Economic Payments, COVID-19, is available for download on this link.
by Maria Perez | May 21, 2020 | Compliance News
The Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) have published joint guidance on tactical cybersecurity response management during emergency conditions, such as a pandemic.
Threat actors will try to take advantage of emergency events to carry out attacks, as has clearly been seen during the COVID-19 pandemic. In many cases, the duration of an emergency limits the opportunity for threat actors to capitalize on the situation, but with a pandemic the period of exposure is prolonged. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to use COVID-19 to carry out attacks on the healthcare industry.
Planning is essential to managing the higher level of cybersecurity risk during emergency conditions. Without planning, healthcare providers will be continually fighting fires and struggling to improve security at a time when resources are stretched.
The latest guidance was produced for the COVID-19 crisis by HSCC's Cybersecurity Working Group (CWG), H-ISAC, and healthcare sector and government cybersecurity professionals. It is designed to help healthcare providers develop a tactical response for dealing with cybersecurity threats that arise during emergencies and to help them improve their level of readiness.
During the COVID-19 pandemic, cyber threat actors have carried out a range of attacks on healthcare institutions, including domain attacks, phishing attacks, and malware and ransomware attacks. The attacks occurred at a time when healthcare providers were striving to deliver care to highly infectious patients, use remote diagnostic and medication services, and transition to teleworking to prevent the spread of the coronavirus. The change in working practices considerably expanded the attack surface and introduced new attack vectors and vulnerabilities.
The exposure to malicious cyber actors increases with every gain afforded by automation, interoperability, and information analytics. To counter these attacks before they occur, it is vital for healthcare institutions to establish, implement, and maintain current and effective cybersecurity practices.
Healthcare institutions of all sizes can use the guidance document to strengthen their cybersecurity programs and prepare for emergencies. Smaller healthcare companies can use the guidance to select suitable measures to improve their security posture, whereas larger institutions that have already organized their tactical crisis response can use the guide as a checklist to make sure nothing has been missed.
The guidance document groups strategies, practices, and activities into four main categories:
- Education and Outreach
- Enhance Prevention Techniques
- Enhance Detection and Response
- Take Care of the Team
The cybersecurity response to a crisis is mainly centered on technical controls; however, HSCC/H-ISAC points out that education and outreach play a crucial part in the success of the response strategy. In emergency scenarios, even the best-laid plans can come unstuck without the right education and outreach. Organizations that communicate their plans properly will reduce confusion, improve response times, and increase the effectiveness of their cybersecurity plan. The guide explains how to create a communication plan and carry out policy and procedure reviews correctly.
Preventing cyberattacks is very important. Many healthcare institutions will have implemented a range of measures to prevent cyberattacks before the public health emergency; nonetheless, HSCC/H-ISAC recommends that three practices be reviewed: limiting the potential attack surface, strengthening remote access, and using threat intelligence feeds.
Limiting the attack surface requires reliable vulnerability management, fast patching, securing medical devices and endpoints, and controlling third-party network access. The guidance document recommends a number of tactics for securing remote access and explains how to use threat intelligence feeds to prevent attacks and speed up the response.
Many attacks are hard to prevent, so it is essential to design and implement processes for detecting successful attacks and responding promptly. The guidance document recommends a number of steps to improve detection of and response to attacks.
It is likewise crucial to take care of the team. In a crisis, health, well-being, job security, and financial stability are all major concerns for healthcare personnel. Organizations need to communicate appropriately with their staff, address these concerns, and explain how the organization will support employees during the crisis.
The guidance document can be downloaded on this link. HSCC published another guidance document earlier this month that highlights steps healthcare institutions can take to protect trade secrets and research work. The guidance document can be viewed here.
by Maria Perez | May 13, 2020 | Compliance News
Rave Mobile Safety has published the results of its annual survey of workplace safety and preparedness, conducted early in 2020. The report looks at emergency preparedness levels in healthcare and other industries across the United States. It should be borne in mind that the survey was conducted before the announcement of the COVID-19 public health crisis, which most likely caused a shift in priorities at many companies.
Workplace Security in 2020
The coronavirus pandemic has highlighted the need for effective communication during emergencies; however, the survey shows other important reasons for improving safety and communication in the workplace. When the study was last conducted in 2019, 26 participants reported cases of violence in the workplace. This year, the number of employees who encountered violence in their workplace has doubled.
The survey revealed that workers are now more safety-conscious. 58% of survey respondents said they would report a safety problem at work regardless of whether they could do so anonymously; however, 41% of Gen Z and millennials will only report safety problems if they can do so anonymously. This suggests that 18-29-year-olds are afraid that raising safety concerns will have adverse consequences.
Though most employers have created emergency plans, most are not conducting drills. For example, 76% of firms have emergency plans for extreme weather events, but only 40% carried out drills to rehearse their response to such an event, even though 48% of survey participants said they had experienced an extreme weather event last year. Many organizations have developed emergency plans for cyberattacks, yet 51% of survey participants said drills were not conducted to test those plans. About 30% of employees were unsure or unaware of their employer's emergency plans. The least aware were the 18-29-year-old employees.
Emergency Communications
The range of methods used to communicate with employees during emergencies has grown in 2020. Email is still the most commonly used method, with 63% of companies using it to communicate critical information, but communication options such as mass texting have grown in popularity. Mass SMS is now used by 42% of the businesses represented in the annual survey, though many continue to rely on outdated communication methods such as in-person announcements, which do not reach remote employees.
The survey revealed that employers typically stick to outdated communication methods, even though employees would prefer to receive safety and security notifications through a faster and more readily accessible channel, such as mass texting.
Emergency Communication in the Medical Industry
The survey showed that a considerable proportion of healthcare employees were unaware of emergency plans for incidents such as system outages (22%) and active shooters (16%). During emergencies, email was the most common means of communication, used by 65% of healthcare companies. Intercom systems were also often used (50%), along with in-person announcements (44%). Although these may be useful onsite, they are not effective for communicating with remote employees, who would prefer to receive notifications by text message; however, just 41% of healthcare providers use mass text notifications in a crisis. The survey also revealed gaps in security practices, with 80% of healthcare staff not required to perform a security check-in when working off-site.
The complete findings of the Annual Workplace Safety and Preparedness Study can be viewed on this page.