The State of Security, Privacy  & Compliance
In This Issue
Premera Breach
Anthem Breach on "Wall of Shame" 
Is it Time to Revisit the HIPAA Security Rule? 
Security In Our Personal Lives
Phishing Infographic
CMS Announced MU Stage 3 Rule
Encrypt or Not to Encrypt?
HIMSS 2015
Compliance Q&A 
Quick Links
Privacy & Security Services
Technical Testing Services
Managed Services
Where You'll Find Us


 
















 

March 2015
 

Mega healthcare breaches continue to make headlines, and as an industry we should learn from these incidents. Read this month's newsletter to learn how you can protect yourself from similar attacks and why it might be time to revisit the HIPAA Security Rule. Also learn about the proposed Meaningful Use Stage 3 Rule and download our latest infographic on phishing. 

a
The Next Mega Breach: 11M Records Exploited
Many experts have said that this year will be the year of the big breaches in healthcare. Unfortunately, it looks like they may be right after Premera Blue Cross announced 11 million customers' information was exposed. Modern Healthcare reports that the company learned of the attack late in January of this year but that the initial attack dates back to May of 2014. One thing that isn't certain is if any data was removed, and there is not evidence yet that any records were inappropriately used.
b Anthem Breach is Now Largest Listed on the "Wall of Shame"
The Anthem breach of 78.8 million individuals is now listed on The Department of Health and Human Services' "wall of shame". This is the largest breach on the list and now brings the tally to 120 million individuals affected by a major healthcare breach since September of 2009.

The list includes 97 breaches that were the result of a hacking incident and affected 82.6 million individuals. Experts believe that these types of incidents will continue to trend as hackers target the healthcare industry. 
cIs it Time to Revisit the HIPAA Security Rule?
CynergisTek's CEO asks if it is time to revisit the HIPAA Security Rule. Mac McMillan says, " I've not spoken to a single security professional, meaning someone who carries the experience, training and certifications to be called a CISO, who believes that they can adequately protect the healthcare organization they serve by simply being compliant with HIPAA. It's time we let the air out of that balloon. The last couple of years, and in particular last year, showed everyone that data security in healthcare was no longer for the faint of heart. Securing healthcare today is the business of serious organizations and serious men and women with real skills. HIPAA is neither a suitable standard nor a framework for protecting a modern, diverse, hyper-connected enterprise. We live in an information ecosystem that is evolving at a rate that is straining our ability to keep up."
 
dSecurity In Our Personal Lives
Did you know that hotels have experienced most of the payment breaches? SurfWatch Labs reports that the hotel industry experienced an increased number of attacks in February. Just like the healthcare industry, hotels need to take a proactive approach to security and make more of an effort to secure their systems. SurfWatch Labs also reminds us that it is a best practice to monitor credit cards for people that frequently travel.
 
ePhishing Infographic
Did you know that a phising email occurs every minute and cost organizations $4.5B in losses in 2014? We recently released an infographic that highlights both industry statistics and findings from CynergisTek's phishing assessments. Some highlights include:
  • There were 123,741 unique phishing attacks worldwide in the first half of 2014
  • CynergisTek's phishing assessments found that 74% of users that opened a phish email clicked on a link in the email, and 46% of those who clicked on a link submitted personal or company credentials
fCMS Proposes Meaningful Use Stage 3 Rule
CMS announced  its proposed Meaningful Use Stage 3 Rule. Concurrently, the Office for National Coordinator for Health Care IT (ONC) has proposed a 2015 edition for the certification requirements of electronic health record technology. These proposed rules are scheduled to be published in the Federal Register on March 30, 2015. The publication in the Federal Register will start the customary 60-day public comment period for the proposed rule through May 29, 2015.
gExperts Debate: Encrypt or Not to Encrypt?

There has been a lot of talk about encrypting sensitive data after Anthem reported that its data was not encrypted. iHealthBeat asks, "Does it make sense to encrypt everything, and would that protect clinical data more than current procedures do?" Mac McMillan points out that encryption gives organizations a fighting chance against cyber attacks but that it doesn't solve all problems. Other experts suggest that inadequate policies and procedures are the root cause and that there are safe ways to handle unencrypted data. 

   

hAttending HIMSS15 in April?

CynergisTek is again exhibiting at HIMSS. Be sure to stop by booth 6524 to meet the team and to enter for a chance to win a Jawbone UP3™.  We also have an interactive phishing game that tests your ability to identify a well-crafted phish email.

 
Our CEO Mac McMillan will also be at HIMSS and was selected to present, "Selecting the Right CISO and Building the Security Office." This presentation will identify some of 
the  necessary skills and experience of effective CISOs and provide insight for recruiting the right candidates. 

   

iCompliance Q&A
This month's compliance Q&A is about the breach notification rule. With all of the recent large breaches it has been a question we hear often. David Holtzman addresses reporting requirements.

A health plan that provides benefits to our employees just suffered a mega breach. What are our responsibilities under the HIPAA Breach Notification Rule?  

The recent breaches involving Anthem and Premera have affected a number of employer sponsored group health plans. If your group health plan has contracted with a health plan to administer its benefits, then it may have primary responsibility if the third-party administrator has a breach. Covered entities under HIPAA are healthcare clearinghouses, certain healthcare providers, and health plans. A "group health plan" is one type of health plan and is a covered entity (except for self administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. The Privacy Rule and the Breach Notification Rule recognizes that most fully insured group health plans may not need to satisfy all of the requirements of the Rules since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members.  However, self-funded or self-insured employer sponsored health plans are covered entities. Often, these benefit plans contract with a health insurer to act as the third party administrator for the plan. In this case the health insurer is the business associate to the group health plan. Under the Breach Notification Rule, a covered entity is responsible for notification to individuals when a business associate suffers a breach. Some organizations have delegated this responsibility through its business associate agreements. Group health plans should take action now to review policies for breach notification assessment and response to make sure they are prepared to respond to an incident involving their health insurer.
Thank you for reading this month's newsletter. Email us if you have a compliance question.

Sincerely,

The CynergisTek Team

Want a printable version of the March newsletter? Click below to download a PDF version of this email.