The CynergisTek Blog

In the United States, we got lucky, very lucky, that a malware researcher known only as @MalwareTechBlog on Twitter found the “kill switch” domain in the code of the WannaCry ransomware. Had he not found and purchased this domain, effectively neutering the ransomware, I believe that the incident could have been much worse. It was already quite bad around the world with estimates of over 200,000 systems infected including many healthcare providers in the United Kingdom.

Recently, incidents involving the internet of things (IoT) have had no shortage of media coverage. In fact, I would suggest that the IoT has become one of the top buzzwords in IT right now. Large, more mature organizations have started to realize the growing attack surface that IoT is creating for the enterprise they manage, but whether large or small organizations are feeling the pressure to allow IoT on their networks even though in many cases they are not equipped to deal with it effectively. In healthcare, this is particularly troubling as IoT attacks generally cause some form of disruption which can affect both operations and patient safety.

CynergisTek is committed to creating awareness and providing education to the industry to help the industry move forward. As such, we are proud to support CHIME and help advance the role of the CIO and other senior executives in health IT. Recently, CHIME discussed the value of its Cooperative Member Services Program and how it benefited Brian Sterud, CIO at Faith Regional Health Services.

If one lesson is clear from the constant stream of recent settlements announced by the Office for Civil Rights, it is that covered entities are not implementing risk management plans to reduce risks to protected health information (PHI) to an acceptable and appropriate level. The frequency of seeing the same finding is a strong indicator of a more systemic issue – that organizations could use more detailed guidance on how to manage risks.

The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate that is affected by the “WannaCry” ransomware attack or other malware should respond to the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule.

In your midst is a shadowy network of illicit devices poisoning the carefully controlled ecosystem you and your networking operations team have painstakingly built. Years of toiling with management to fund new initiatives, educating users to act securely, managing policies and procedures with careful and diligent precision are at risk of being rendered useless.

Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.

Compliance officers everywhere want to believe the compliance program they oversee is effective. Some believe it is effective, some hope it will be found effective and some know the program is not effective because of significant gaps in one or more of the seven elements of an effective compliance program. If you are a believer, ask yourself, “What methods have I established to demonstrate effectiveness?” If you are filled with hope – well hope is not a strategy. If you know your program has gaps, what are you doing to address those gaps? An additional resource now exists to help evaluate effectiveness. The OIG/HCCA Measuring Compliance Program Effectiveness: A Resource Guide released March 27, 2017, provides recommendations on what to measure and how to measure it under each of the seven elements.

Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.

CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program in either 2017 or 2018. The changes to the EHR Incentive Program, which would primarily apply to hospitals, are contained in a proposed rule, Medicare Program: Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2018 Rates, which is due to be published in the Federal Register on April 28th. The publication of the 2015 MU proposed rule in the Federal Register will start the customary 60-day public comment period which would be scheduled to end June 27, 2017.