Business Consulting Blog

Veritas Consulting LLC is a full-service consulting firm that helps your business or medical office prevent security threats.

Latest Virus Aggressively Targeting Healthcare Industry in 2017


Amateur hackers are going after hospitals and general practices at record levels using a virus named Philadelphia. 

Philadelphia is part of a ransomware spear phishing campaign geared to be a huge threat to your medical facility regardless of size or location.


What is spear phishing? 

Spear phishing is the fraudulent practice of sending emails that appear to come from a known and trusted sender, encouraging recipients to unknowingly reveal confidential information.


What is Philadelphia? 

Philadelphia was designed so that even the least experienced cybercriminal can use it. The program is so slick that the attack is unrecognizable until it is too late. Simply double-clicking an icon activates JavaScript that downloads the ransomware onto your network. Scary!

Usually, when you hear of a cyberattack at a large hospital corporation, most people assume the virus was highly advanced and stealthy. Philadelphia is quite the opposite. For all its lack of sophistication, hackers find that keeping it simple is an advantage.


How does Philadelphia get on my computer? 

Philadelphia, like many other ransomware viruses, becomes a threat when a seemingly trusted email is received and its attachments are opened. In a general practice office, receiving patient records is nothing out of the norm.

The ransomware attachment uses an icon that looks like patient information. You could also receive an email from someone appearing to be another physician’s office with an attached file, a medical record, for example. You or your staff open it, and the ransomware installs.

While those with the least IT experience, like your receptionist, are usually the easiest to target, this particular virus targets those with the highest security privileges.


How do they know who has the highest security privileges? 

This type of information is easily gathered. A great many people have their job and title listed on their Facebook account and other online social platforms. When people are proud of where they work, they proudly display it on social media. Doctors go to school for many years, so that MD or PhD is proudly worn. Why not show it off?

While removing your profile information is probably the smartest thing to do, you can simply change the audience settings on your profile to friends only. You’ll want to watch who you add as a friend. 

How do I know if Philadelphia is on my computer?

Once Philadelphia is downloaded onto your computer, you will know. A screen will open while it encrypts all of your patient files and any other records in your database. It will demand a “ransom” before it provides you with the decryption key. The ransom is usually requested in the form of Bitcoin. If this happens to you, DO NOT PAY!! There is a way around this. Contact us and we will help you remove this virus.

If you are familiar with viruses or ransomware, you may have heard of Stampado. Philadelphia is an updated version of that virus. Through some investigation of this virus, we located a YouTube video on how to use Philadelphia. The ease of use is quite frightening.

How can I prevent this from happening?

Make sure you have preventative measures in place, including education of your staff. Veritas Consulting, LLC, will evaluate your current system, show you any threats you may be vulnerable to, and show you how to prevent them. We will educate you and your staff and keep you up-to-date with current threats.
Contact us TODAY to learn more!


Second Largest HIPAA Fine to date is $5.5 Million!


According to a recent article on tripwire.com, on February 16, 2017, the Office for Civil Rights issued a hefty fine for failure to comply with audit procedures. Memorial Healthcare System, which was fined an astounding $5.5 million, failed to meet the terms by disregarding the review, modification, and even the termination of users’ access.


By ignoring these terms, in what could have been avoidable HIPAA violations, more than 100,000 patients had their records impermissibly disclosed!

MHS settled with a substantial corrective action plan and landed the second largest fine ever levied on any entity. The largest fine came just a few months earlier, in August 2016, at a whopping $5.55 million!

What you should know about MHS

  • 4th largest public healthcare system in the United States of America
  • Participant in OHCA (Organized Health Care Arrangement) with a network of physicians’ offices

What is OHCA? 

The Organized Health Care Arrangement allows covered entities from affiliated offices to access EHR records. This arrangement allows cross-serving of patients, where employees of one physician’s office can access a patient’s record from another office in the network. This type of arrangement was designed to improve patient care through access.

As a participant in an OHCA, entities are required to conform to its HIPAA-based requirements.

What happened at MHS that you need to know?

MHS submitted a breach report in 2012 regarding two employees who wrongfully accessed patient records. Three months after the initial breach report, MHS reported an additional 12 users also accessed the patient ePHI (electronic Protected Health Information).

Ultimately, MHS failed to follow its own policies to deactivate the login credentials of former employees at the affiliated physicians’ offices. The same credentials were used for a year, gaining access to the data over and over again.

This inexcusable and inappropriate access resulted in federal criminal charges, covering both the sale of the patient information and fraudulent tax returns.

The Settlement

This particular case is the first forceful enforcement action against a company for failing to terminate user access controls. It showed a pattern of complete disregard for monitoring and auditing user access: risk analyses had reported this very issue over the course of five years.
This large settlement certainly sets a tone for others who must comply with HIPAA’s compliance program. MHS could have easily avoided these risks by implementing and auditing its already established policies and procedures, terminating user access on a routine basis and verifying that former users no longer have access, and conforming to its own risk analysis.
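One way to implement the routine access review the settlement calls for, as an added example (not code from Veritas Consulting or from MHS): reconcile an HR termination feed against the account directory and the authentication log, so that a former employee's credentials that are still enabled, or still being used, surface immediately rather than a year later. The user names, dates and log format below are constructed for illustration.

```python
"""Added example: reconcile HR terminations against accounts and auth logs.
All data here is constructed; the log format is a hypothetical syslog-style line."""
from datetime import date, datetime

# Constructed HR feed: username -> termination date.
TERMINATIONS = {
    "jdoe": date(2012, 1, 15),
    "mlee": date(2012, 3, 1),
}

# Constructed directory export: username -> whether the account is still enabled.
ACCOUNTS = {"jdoe": True, "mlee": False, "asmith": True}

# Constructed authentication log: timestamp, result, user, source workstation.
AUTH_LOG = """\
2012-02-03T08:12:44 LOGIN_OK user=jdoe src=clinic-west-pc07
2012-02-03T08:15:02 LOGIN_OK user=asmith src=clinic-east-pc02
2012-04-10T17:40:19 LOGIN_FAIL user=mlee src=clinic-west-pc03
2012-11-21T09:05:33 LOGIN_OK user=jdoe src=clinic-north-pc11
"""

def parse_auth_log(text):
    """Yield (timestamp, result, user, src) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, result, user_kv, src_kv = line.split()
        yield (datetime.fromisoformat(ts), result,
               user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def post_termination_logins(log_text, terminations):
    """Successful logins by a user on or after that user's HR termination date.
    Each hit records how many days the credentials outlived the employee."""
    hits = []
    for ts, result, user, src in parse_auth_log(log_text):
        term = terminations.get(user)
        if term is not None and result == "LOGIN_OK" and ts.date() >= term:
            hits.append({"user": user, "when": ts.isoformat(), "src": src,
                         "days_after_termination": (ts.date() - term).days})
    return hits

def still_enabled_after_termination(accounts, terminations):
    """Terminated users whose directory account was never disabled."""
    return sorted(u for u, enabled in accounts.items() if enabled and u in terminations)

if __name__ == "__main__":
    for hit in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print("POST-TERMINATION LOGIN:", hit)
    print("STILL ENABLED:", still_enabled_after_termination(ACCOUNTS, TERMINATIONS))
```

Run on a real HR feed and directory export, the two functions give the evidence an auditor asks for: which accounts should have been disabled, and whether anyone used them.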

Contact Veritas to consult and identify what measures you may be missing. 


