Texas Dentists for Medicaid Reform


Equifax and the Small Health Care Provider

October 25, 2017 By TDMR 1 Comment

By TDMR President Gregory Ewing

On September 7, 2017, Equifax, one of the nation’s three credit-reporting companies, reported that it had discovered a cybersecurity breach that compromised the personal information of as many as 143 million Americans, roughly half of the population of the United States.  Equifax also disclosed that the credit card information of roughly 209,000 of its customers was exposed, along with the personally identifiable information of customers who had filed credit disputes with the company.  Potential data elements exposed included social security numbers, addresses and driver’s licenses.

The breach occurred between mid-May and July because Equifax did not apply, in a timely manner, a software patch released earlier in March to repair a widely reported critical flaw in its modern Java web applications.  This unpatched flaw left Equifax with a vulnerability, which National Institute of Standards (NIST) Special Publication (SP) 800-66 rev. 1 defined as a “weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat”.

Security Incidents, Data Breaches and Software Defects

The U.S. Department of Homeland Security (DHS) stated that 90 percent of all security incidents are the result of cyber criminals exploiting software defects.  Coincidentally, in its latest Global Threat Landscape Report, Fortinet, a global leader in high-performance cybersecurity solutions, noted that, in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old.  It would seem that for a number of reasons, such as inadequate information security resources, outdated and/or unsupported software, or general inattention, many organizations continue to struggle to maintain adequate vulnerability management practices and stay current with their software patching activities.  Small health care practices face this problem as well.

While the Equifax breach impacts the American public in general, it should serve as a wakeup call to small health care providers. After all, if a multibillion-dollar company that handles the information of over 800 million individual consumers lacked the resources, or exhibited a level of inattention that limited its ability to fight off cyber criminals, then how could a small health care provider fare better?

Small Practices and Information Security

In June 2017, the Health Care Industry Cybersecurity Task Force (Task Force), in its Report on Improving Health Care Industry Cybersecurity, noted that smaller practices and rural hospitals “continue to use unsupported legacy systems, and lack access to proper security training [and] have not crossed the cybersecurity digital divide”.  While larger organizations can afford to spend millions on their IT, according to the report, “small organizations cannot afford to retain in-house information security personnel, or designate an IT staff member with cybersecurity expertise”.

HIPAA requires health practices to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Top Ten Cybersecurity Tips

In 2015, healthIT.gov published “Top 10 Tips for Cybersecurity in Health Care” which consisted of the following:

  • Establish a Security Culture
  • Protect Mobile Devices
  • Maintain Good Computer Habits
  • Use a Firewall
  • Install and Maintain Anti-Virus Software
  • Plan for the Unexpected
  • Control Access to Protected Health Information
  • Use Strong Passwords and Change Them Regularly
  • Limit Network Access
  • Control Physical Access

Several of these tips are applicable to ensuring your practice has a robust vulnerability management program.  Under the tip that directs organizations to maintain good computer habits, the article advised health care organizations to keep software up-to-date and address identified vulnerabilities.  The article recommends that small practices automate patch updates on a weekly basis and monitor vendor messages for critical and urgent patches and updates that require immediate application.  These tips could serve as a quick checklist for practices to evaluate the adequacy of their information security controls.

Another tip advises practices to plan for the unexpected.  HIPAA requires health care practices to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information”.  Having a contingency plan includes establishing a process for conducting incident response exercises on a regular basis to identify potential risks and develop and practice responding to those risks.

Guidance for Patch Management

NIST SP 800-40 rev. 3, Guide to Enterprise Patch Management Technologies, provides detailed guidance to organizations on how to develop a framework for patch management and ensure timely and appropriate patching.  The guidance advises organizations to follow three broad principles.  Specifically, organizations should:

  • Deploy enterprise patch management tools using a phased approach.
  • Reduce risks associated with enterprise patch management tools by applying standard security techniques. Specifically, ensure that patches aren’t being altered, credentials aren’t being misused, vulnerabilities in the tools aren’t being exploited, and health care practices monitor patch management tool communications to identify vulnerabilities.
  • Balance security needs with the needs for usability and availability. In other words, test patches before applying them to ensure that they do not “break” software or inhibit business operations.

Information Security Recommendations and Small Healthcare Practices

The Task Force recommended that organizations engage managed security service providers (MSSPs), companies that provide information system security services to organizations that outsource these activities.  MSSPs could provide information security services in a cost-effective manner and address the needs of small and medium-sized organizations, allowing health care organizations to focus on providing services to needy patients.

In its report, the Task Force noted that smaller practices and rural hospitals provide most of the health care in the country but lack the information security resources to implement and rapidly deploy protections against ongoing, ever-changing tactics, threats and attack vectors.  In short, small health care practices should not let the recent Equifax data breach deter them from developing and maintaining appropriate security controls to protect their data.  HIPAA requires these protections, patients expect them, and implementing the appropriate safeguards is well within reach.

Filed Under: Compliance Articles, Medicaid Reform News Tagged With: cyber security, equifax, healthcare compliance, medicaid compliance

Comments

  1. Darrell Pruitt says

    October 26, 2017 at 1:49 pm

    Here are the top ten security tips for paper dental records:

    1. Make sure you lock the door at night on the way out.
