Eagle Consulting Blog

Common Wireless Feature, WPS, Readily Hacked

An industry-standard feature on wireless routers marketed to consumers and small businesses, Wi-Fi Protected Setup (WPS), is vulnerable to a simple brute-force attack. Free tools that carry out the attack are already available. Making matters worse, some router models cannot actually disable WPS (the setting is ignored), which makes it impossible to secure those routers at this time. Many healthcare providers use this low-cost, consumer-grade equipment, with WPS enabled, in their facilities.

WPS was created by the wireless industry to simplify the setup process for people without technical expertise. Its intent is to let people easily turn on encryption for greater security and protection. In an ironic twist, a feature meant to improve security has become a vulnerability.
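Why the brute force is "simple" is worth seeing in code. The following is an added example, not part of the original post and not taken from any of the free attack tools it mentions. It relies on two properties of the WPS PIN method that are public and were the basis of the weakness disclosed in late 2011: the eighth digit of the PIN is a checksum of the first seven, and the access point confirms the first four digits separately from the last four during the registration exchange. The `SimulatedRegistrar` class below is a constructed stand-in for that access-point behaviour, not a real protocol implementation.

```python
# Added example (not from the Eagle Consulting post): why the WPS PIN
# brute force is "simple".  Two public facts about WPS PINs are used:
#   1. digit 8 is a checksum of digits 1-7, so only 10**7 PINs are valid;
#   2. the AP reveals whether digits 1-4 are right (NACK after M4)
#      before digits 5-8 are ever checked (after M6).
# Together they cut the search from 10**7 to at most 11,000 attempts.


def wps_pin_checksum(first7: int) -> int:
    """Return the check digit for a 7-digit WPS PIN prefix.

    Weighted digit sum (3x on every other digit from the right),
    completed to the next multiple of 10.  Leading zeros do not
    change the result, so passing the prefix as an int is safe.
    """
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


class SimulatedRegistrar:
    """Constructed stand-in for an access point's WPS registrar.

    It answers the same two questions the real protocol leaks:
    "is the first half right?" and, only after that, "is the second
    half right?".  It also counts how many answers it had to give.
    """

    def __init__(self, pin: str):
        if not wps_pin_valid(pin):
            raise ValueError("not a valid WPS PIN")
        self.first_half = pin[:4]
        self.second_half = pin[4:]
        self.attempts = 0

    def first_half_ok(self, candidate: str) -> bool:
        self.attempts += 1
        return candidate == self.first_half

    def second_half_ok(self, candidate: str) -> bool:
        self.attempts += 1
        return candidate == self.second_half


def brute_force_wps(registrar: SimulatedRegistrar) -> str:
    """Recover the PIN using the split-verification oracle.

    Stage 1 tries at most 10,000 first halves.  Stage 2 tries at most
    1,000 second halves, because the fourth digit of the second half
    is the checksum and is computed rather than guessed.
    """
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if registrar.first_half_ok(cand):
            first = cand
            break
    if first is None:
        raise RuntimeError("registrar never accepted a first half")

    for j in range(1_000):
        cand = f"{j:03d}"
        cand += str(wps_pin_checksum(int(first + cand)))
        if registrar.second_half_ok(cand):
            return first + cand
    raise RuntimeError("registrar never accepted a second half")


def worst_case_attempts() -> int:
    """Upper bound on attempts against a split-verifying registrar."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")  # well-known default test PIN
    pin = brute_force_wps(ap)
    print(f"recovered {pin} after {ap.attempts} attempts "
          f"(worst case {worst_case_attempts()})")
```

The practical check for a practitioner is the one the post implies: turn WPS off in the router's administration page and then confirm from a client that the access point no longer advertises WPS in its beacons. If it still does, the firmware is one of those that ignores the setting and the router cannot be secured by configuration.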

Posted in County board, Developmental Disability, HIPAA, HIPAA Security, Unassigned

New HIPAA Obligations for EHR vendors and VARs are Coming

EHR authors and Value Added Resellers (VARs) will soon have HIPAA obligations of their own. At present they are bound only contractually, by the terms of any HIPAA Business Associate Agreements (BAAs) they have signed. Soon they, and all other types of Business Associates, will be directly regulated by HIPAA, which means they will be subject to Civil Monetary Penalties of up to $50,000 per violation and up to $1.5 million per year for identical violations.

Posted in Electronic Health Records, HIPAA, HIPAA Penalties, HIPAA Security

HIPAA and Facebook

Facebook and other social media, including Twitter, Google+ and LinkedIn, are a reality of mainstream society. Employers in general, including HIPAA covered entities, are grappling with this new reality.

On the one hand, social media have proven to be a powerful vehicle for advancing the aims of an organization. They are used to increase the organization's visibility, promote products and services, enhance fundraising, build public support and recruit employees.

On the other hand, the same media give equal visibility to disgruntled customers, patients and employees, and can mar the reputation of even powerful organizations.

Posted in County board, Developmental Disability, HIPAA, HIPAA Privacy, HIPAA Security

JCAHO Weighs in: “No texting of physician orders”

The Joint Commission (JCAHO) weighed in recently on physicians using text messages to transmit orders. It did not explicitly tie its position to the HIPAA regulations, but we infer that HIPAA was part of the thought process.

The statement, which appears in the Frequently Asked Questions section on the Joint Commission's standards, reads: “It is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”

Posted in HIPAA, HIPAA Privacy, HIPAA Security

OIG To Review Portable Device Security, OCR HIPAA Enforcement

The Department of Health and Human Services Office of the Inspector General (OIG), the agency’s watchdog, has released its annual work plan. Its 117 pages specify hundreds of work items reviewing every nook and cranny of the health system.

Medicare and Medicaid contractors and hospitals will be scrutinized for the security controls they use to prevent the loss of HIPAA Protected Health Information stored on portable media, including laptops, jump drives, backup tapes and disposed-of equipment. The plan cites NIST Special Publication 800-53 and NIST Special Publication 800-53A as the accepted control frameworks for the Medicare and Medicaid contractors.

Posted in HIPAA, HIPAA Enforcement, HIPAA Privacy, HIPAA Security

Random HIPAA Compliance Audits Begin

The random HIPAA compliance audits mandated under the HITECH Act will begin this month. Yesterday the HHS Office for Civil Rights (OCR) announced that every covered entity and business associate is eligible for an audit. To guide future audit efforts, a wide range of types and sizes of covered entities will be selected, and OCR will refine its audit methodology based on the results. Eligible entities include individual and organizational health providers, health plans of all sizes and functions, and health care clearinghouses.

Posted in County board, Developmental Disability

New Texas Medical Privacy Regulations More Stringent than HIPAA

Texas Governor Perry recently signed House Bill 300, which further strengthens Texas medical privacy laws that were already more stringent than HIPAA. To begin with, HIPAA currently covers only providers, insurers and clearinghouses, while Texas law covers virtually any business that holds patient health information, including traditional HIPAA Business Associates, billing companies, computer support companies, or anyone who has a website. The new law becomes effective September 1, 2012.

Penalties for violations were significantly increased. The new civil monetary penalties are $5,000 per violation in cases of negligence, $25,000 per violation if committed knowingly, $250,000 per violation if done for financial gain, and up to $1.5 million per year when repeat violations constitute a pattern of practice. In egregious cases licenses may be revoked. For entities that delay a breach notification, penalties can be as high as $100 per person for each day of delay, which even for a solo physician office could quickly reach the maximum of $250,000 for a single breach.

The state was given new powers to request audits by federal officials, to conduct its own audits, and to request certain remedies.

Businesses are required to strengthen employee training. New employees must be trained within 60 days of hiring, and all employees must receive refresher training at least every two years. Training must explain the state and federal privacy laws as they relate to the employer’s business and specifically to the employee’s job.

A number of other miscellaneous provisions are included; any Texas business that uses patient medical information is advised to update its compliance program early.

Posted in HIPAA, HIPAA Enforcement, HIPAA Penalties

OCR Details HIPAA Audit plans for 2011-2012

On August 11, 2011, the HHS Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA regulations, delivered its first annual report on HIPAA compliance and enforcement to Congress. The report sheds a little light on the random compliance audits mandated by the HITECH Act. OCR has completed a study that identified various audit models, has selected one of them, and has “begun to develop a pilot audit program and a process for evaluating” its effectiveness. It has contracted for the development of a database to enable the “meaningful and objective selection of covered entities to be audited by OCR based on a variety of potential factors, including the types, sizes, and geographic locations of covered entities.” It has also contracted for a compendium of compliance audit protocols for distinct types of covered entities and will use the protocols to audit up to 145 entities. The protocols will be a “comprehensive methodology, serving as a single source of audit criteria, assessment methods, and procedures for conducting HIPAA Privacy and Security Rule and HITECH Breach Notification Rule compliance audits.” OCR anticipates that these 145 audits will be complete by December 31, 2012.

If OCR’s database catalogs, say, 500,000 covered entities, the chance of any one of them being audited in 2012 would be about 0.03% (145 of 500,000). The report also reveals that in 2010 there were 243 complaints filed regarding HIPAA Security Rule violations and 8,524 complaints regarding Privacy Rule violations, and that 210 breaches involving 500 or more individuals were reported. On these figures, a covered entity’s most likely encounter with OCR is a Privacy Rule complaint. In 2010, the top issues in investigated cases that resulted in corrective action were:

  • Impermissible Uses & Disclosures
  • Inadequate Safeguards
  • Not Providing Patients Access to their Records
  • Violations of the Minimum Necessary Provision
  • Issues with the Notice of Privacy Practices

The full report can be viewed at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancerept.pdf.

Posted in HIPAA, HIPAA Enforcement, HIPAA Privacy, HIPAA Security

OIG Criticizes CMS for Poor HIPAA Security Enforcement

In May 2011 the HHS Office of the Inspector General (OIG) published its findings on CMS’s oversight and enforcement of the HIPAA Security Rule. The findings state that the oversight and enforcement actions “were not sufficient” to ensure that covered entities “effectively implemented the Security Rule.” As a result, ePHI was “vulnerable to attack and compromise.”

OIG audited 7 hospitals and identified 151 vulnerabilities, of which 124 were categorized as “high impact.” “Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”

The most frequent vulnerabilities at hospitals were:

  • Wireless Access. 15 vulnerabilities were identified at 5 hospitals, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, broadcast SSIDs, no authentication required to join the wireless network, inability to detect rogue devices, and no procedures for continuously monitoring the wireless networks.
  • Access Control. 38 vulnerabilities were identified at 7 hospitals involving domain controllers, servers, workstations, and mass storage media. Vulnerabilities included inadequate password settings, computers that did not log users off after inactivity, unencrypted laptops containing PHI, and excessive access to root folders.
  • Audit Control. 9 vulnerabilities were identified at 5 hospitals involving servers, routers, firewalls, databases, and wireless access points. The five hospitals had audit logging disabled for one or all of the above. In addition, their network administrators did not routinely review operating system and application audit logs.
  • Integrity Control. 21 vulnerabilities were identified at 7 hospitals on PCs and servers. These included uninstalled critical security patches, outdated antivirus signatures, operating systems no longer supported by the manufacturer, and unrestricted internet access.

Other high impact vulnerabilities identified included Transmission Security, Authentication, Facility Access Control, Device and Media Control, and lack of Contingency Plans.

On July 27, 2009, Secretary Kathleen Sebelius transferred authority for enforcing the HIPAA Security Rule from CMS to the HHS Office for Civil Rights.

Posted in HIPAA, HIPAA Enforcement, HIPAA Security

At its Beijing facility, Microsoft Hurries Fix to Windows

[Photo: Microsoft's new Beijing facility, home to Microsoft Research Asia]

Reporting from Beijing, China. Microsoft is hurrying to fix a significant problem with windows at its Beijing facility. Microsoft recently constructed a new, dual-tower facility in the Haidian district of Beijing to consolidate its 3,000 software engineers here in China’s capital city. The facility houses multiple Microsoft R&D units under the umbrella of the Microsoft Asia-Pacific Research and Development Group, which contributes to Vista, Windows 7, the Windows Server products, and multiple other Microsoft offerings. During a visit to the facility this week I learned about a serious windows vulnerability affecting security, safety and other critical matters.

[Photo: Security perimeter around rear of building]

Nonetheless, Eagle Consulting’s Beijing contacts have helped piece together the components of the remediation effort. Immediately after the incident, the front entrance was closed and a security perimeter was established for pedestrian safety. A protective canopy was constructed along the rear, and employees and visitors were directed to use the rear entrance. Inspection and correction of any problems on the front was then carried out. Now that that phase is complete, attention has turned to the rear of the building.

[Photo: Replacement windows on site at the Microsoft facility]

A security perimeter is currently established around the building as a safety precaution.  Replacement windows are on-site at the location.  Any visitors to the Beijing facility are advised to obey posted safety precautions to avoid a personal blue screen of death.   Stay tuned for progress updates on this critical fix to Microsoft’s windows.

Posted in HIPAA Security