Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors
Jan15

Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act Rules, according to a recent survey by the integrated HR and benefits consulting, technology, and administration services firm, Buck. The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit. The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors. The survey uncovered several areas where important provisions of HIPAA Rules are not fully understood or are not being followed such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications. Risk analyses are not being conducted as frequently as they should, so threats to the confidentiality, integrity and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last conducted or that said it was last conducted...

Read More
DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability
Jan14

DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Pulse Secure customers urging them to patch the 2019 Pulse Secure VPN vulnerability, CVE-2019-11510. Pulse Secure VPN servers that have not been patched are continuing to be attacked by cybercriminals. The threat actors behind Sodinokibi (REvil) ransomware are targeting unpatched Pulse Secure VPN servers and are exploiting CVE-2019-11510 to install ransomware. Several attacks have been reported in January 2020. In addition to encrypting data, the attackers are stealing and threatening to publish victims’ sensitive information. Last week data belonging to Artech Information Systems was published when the ransom was not paid. CISA continues to see widespread exploitation of the flaw by multiple threat actors, including nation-state sponsored advanced persistent threat actors, who are exploiting the flaw to steal passwords, data, and deploy malware. Exploitation of the vulnerability can allow a remote, unauthenticated attacker to gain access to all active VPN users and obtain their plain-text...

Read More
Support for Windows 7 Finally Comes to an End
Jan14

Support for Windows 7 Finally Comes to an End

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end. The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware. Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019. Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule. The natural solution is to update Windows 7 to Windows 10, although that...

Read More
Georgia Man Charged Over False Allegations of HIPAA Violations
Jan13

Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred. Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period. The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time....

Read More
DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild
Jan13

DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently discovered vulnerability in the Citrix Application Delivery Controller and Citrix Gateway web server appliances. Exploitation of the vulnerability – tracked as CVE-2019-19781 – is possible over the internet and can allow remote execution of arbitrary code on vulnerable appliances. Exploitation of the flaw would allow a threat actor to gain access to the appliances and attack other resources connected to the internal network. Some security researchers have described the bug as one of the most dangerous to be discovered in recent years. The alert, issued on January 8, 2020, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to limit the potential for an attack, and to apply the firmware updates as soon as they are released later this month. Two proof of concept exploits have already been published on GitHub which makes exploitation of the flaws trivial. Scans for...

Read More