HIPAA Journal – Exposure of PHI During Online Presentations
Highlights From The HIPAA Journal
From the August 24th Newsletter
Radiology Groups may have allowed exposure of PHI during online presentations
- The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.
- The radiology organizations warn against using the formatting tools in presentation software (PowerPoint, Keynote, Google Slides, etc.) to crop images so that patient identifiers are not displayed, as this practice will not permanently remove PHI from the images.
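An added example, not from the newsletter or the radiology organizations: in a .pptx file, the picture crop tool records crop offsets (an `a:srcRect` element) next to the unchanged embedded image, so a pre-publication check can list every cropped picture. The function names and the sample deck are constructed for illustration; Keynote and Google Slides native formats are not covered.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
P = "{http://schemas.openxmlformats.org/presentationml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
RELS = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_cropped_pictures(pptx_bytes):
    """List pictures shown cropped while the full image file stays embedded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as pkg:
        names = set(pkg.namelist())
        for slide in sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            rels_part = "ppt/slides/_rels/" + posixpath.basename(slide) + ".rels"
            targets = {}  # relationship id -> package path of the embedded image
            if rels_part in names:
                for rel in ET.fromstring(pkg.read(rels_part)):
                    path = posixpath.join("ppt/slides", rel.get("Target"))
                    targets[rel.get("Id")] = posixpath.normpath(path)
            for pic in ET.fromstring(pkg.read(slide)).iter(P + "pic"):
                blip, rect = pic.find(f".//{A}blip"), pic.find(f".//{A}srcRect")
                if blip is None or rect is None:
                    continue
                # l/t/r/b: thousandths of a percent hidden at each edge
                crop = {edge: int(rect.get(edge, "0")) / 1000 for edge in "ltrb"}
                if any(v > 0 for v in crop.values()):
                    findings.append({"slide": slide, "hidden_percent": crop,
                                     "image": targets.get(blip.get(R + "embed"))})
    return findings

def build_sample_pptx():
    """Constructed sample holding only the package parts the scanner reads."""
    slide = ('<p:sld xmlns:a="%s" xmlns:p="%s" xmlns:r="%s"><p:cSld><p:spTree>'
             '<p:pic><p:blipFill><a:blip r:embed="rId2"/><a:srcRect %s/>'
             '</p:blipFill></p:pic></p:spTree></p:cSld></p:sld>')
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" '
            'Target="../media/image%d.png"/></Relationships>')
    ns = (A[1:-1], P[1:-1], R[1:-1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for n, crop in ((1, 't="18000" r="2500"'), (2, "")):
            pkg.writestr(f"ppt/slides/slide{n}.xml", slide % (ns + (crop,)))
            pkg.writestr(f"ppt/slides/_rels/slide{n}.xml.rels", rels % (RELS, n))
    return buf.getvalue()
```

Each finding is an image whose hidden region is still present in the file; replace it with a copy cropped or redacted in an image editor before the deck is shared.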
OCR identifies the importance of maintaining a comprehensive IT asset inventory
- Many cases of noncompliance are due to the failure to perform a comprehensive risk analysis across the entire organization.
- One of the common reasons for a risk analysis compliance failure is not knowing where all ePHI is located in the organization.
- The inventory should include all physical IT-related devices plus the applications associated with the organization’s hardware.
Vishing, the new way hackers are trying to hack into a healthcare organization’s database, is announced as a threat by the FBI and CISA
- The threat actors impersonate a trusted entity and use social engineering techniques to get targets to disclose their corporate Virtual Private Network (VPN) credentials.
- Because many employees are working from home over a VPN, cybercriminals are targeting organizations in the hope of obtaining those credentials.
Recent cyber/ransomware attacks related to the Healthcare industry
- Dynasplint Systems, a manufacturer of stretching devices to improve joint motion, experienced an attack in which PHI may have been stolen. Over 102,000 individuals were likely affected by this attack.
- Pinnacle Clinic Research of Texas announced it had a phishing attack. One email account was compromised and was immediately secured when the breach was discovered. It is unclear how many individuals were potentially affected by this attack.
- The Institute for Integrative Nutrition (NY) had a phishing attack in March of 2020; the breach was not discovered until June 22. Significant measures have been taken.
- Mental Health Center of Boulder County (CO) incurred a phishing attack in March of this year and complimentary credit monitoring services were given to clients that were potentially affected by this attack.