HIPAA Critical: Episode 15 | Ransomware Attacks on the Rise, COVID-19 Threat Resources, Interview with Terra Durbin
by Rick Kuwahara COO of Paubox
This week on the HIPAA Critical Podcast we learn more about the latest in ransomware attacks and its impact on healthcare, OCR shares privacy and security threat resources to prevent HIPAA violations, how UrgiKids is using Paubox Marketing to keep patients informed, BJC Healthcare suffers another data security issue and we chat with Terra Durbin of Quality Care to share some insights into the effects of COVID-19.
Here’s the full transcript of this episode.
Olena Heu: Welcome to another edition of The HIPAA Critical Podcast by Paubox. I’m Olena Heu your host. And joining me, chief operations officer, Rick Kuwahara!
Rick Kuwahara: Hey Olena. Great to be back again.
Olena: Thank you so much. And of course, you’re a wealth of knowledge and information. And on every episode, we talk about what’s happening in the news, who’s winning and failing each week, and also feature a very insightful interview. So let’s dive right in and talk about what’s happening in the news right now. And Ransomware, continues to stick its head right into everything that’s happening. And having a major impact.
Rick: Yeah. So, you’re right, it’s been in the news lately, all the time. And recently there’s been some research from Coveware, which helps people who are affected by Ransomware.
They did some research, and it looks like there’s been a big jump in the average demand paid by organizations to these hackers, when they are compromised with Ransomware. So it went up 33% to nearly $112,000. Compared to last year at the same time.
And from their research on their side, they know that healthcare is definitely impacted by it, with one of the biggest things being at risk is, if there’s any electronic health records that are down after a ransomware attack. Because that puts patients at risk if the provider can’t access the health record when they’re trying to treat them.
Olena: My sentiments exactly. Obviously, that’s going to impact care.
Rick: Right. And it looks like the hackers are definitely tailoring their attacks based on who the target is. So they’re not gonna ask the same amount for every organization, so they can see that large ones might see, for example, a million dollar ransom demand while smaller per service providers might just get hit with $5 to $10,000.
So the key insight on that is these hackers aren’t just spraying and praying, they kind of are targeting who they wanna go after. Which can mean more tailored attacks, which means that people have to be really aware, especially if phishing is the method that people are trying to get in for the threat vector.
Olena: And they’re trying to take advantage of what’s happening right now in the world.
Rick: Right. Especially since people are moving more remote, they did see that outside of just email, another common attack factor is Remote Desktop Protocol. So as people move online and remotely, to access the servers remotely, they do what’s called a remote desktop.
So you basically virtualize your work desktop on your home computer. But that is seeing a dramatic rise in attacks as people trying to break in because that can be definitely a weakness. Especially if organizations don’t already have something in place, and they’re trying to spin it up new, anything new is definitely a vulnerability for any organization.
Olena: It makes me think about one of my friends who works for a bank. And he was saying that he was able to do that from home, utilizing his cellphone. And [chuckle] you know it’s just kind of like, “Oh my gosh, I just think of all the threat out there.”
Rick: Yeah. Something that people have to be aware of. Not just healthcare, but of course any organization, regardless, as we talked about previously, you definitely need to make sure things are in place as you let your employees work remotely.
Olena: And apparently they can sell information on the dark web that they’re obtaining. Is that right?
Rick: Yeah. So researchers have found that there are a lot of exposed credentials that are for sale on the dark web for cheap. And people are using that as a way to kind of, find a way in as they’re trying to break into these remote desktop protocols.
Olena: Good warning. And is there anything that you would recommend that they do? To prevent this?
Rick: I mean a lot of it is just making sure that people are using unique passwords to get set up, and that it is being changed from set up time to when they are actually rolling it out. You know multi-factor authentication is always good. So that even if a credential is compromised, there’s a second way that someone has to log in to get access.
And just making sure that when people are setting up these remote work environments, that they’re doing it as secure as possible. Letting their employees know what to do at home to make sure their network is secure there.
And then as well on their side using all that multi-factor authentication, secure connections to make sure that it’s as protected as possible.
Olena: Good to know. And also making news headlines, we’re gonna transition back over to some COVID-19 topics. The Office of Civil Rights has actually done something to help prevent HIPAA violations.
Rick: Yeah, the OCR put together some good resources for organizations to take a look at as they try to protect themselves from the rise in attacks, and coming at them from the hackers, whether it is the remote worker workforce that we just talked about, or if it’s the good old fashioned phishing attacks that’s happening.
They want organizations to have the resources in place to protect themselves. Especially for the smaller organizations who may not have the budget to allocate to a cyber security expert.
The OCR put together some great resources that a lot of people can use, especially the smaller organizations, making it easy to find and it’s on their website. People can go to hhs.gov/ocr, and they have it front and center to have all these resources around coronavirus, and also what they can do to protect themselves, as hackers are targeting healthcare organizations, more and more.
So some of the resources they recommend that people and guidance that they recommend people go through, is one; to go back and look at the guidance they put out when the WannaCry Ransomware attacks were happening back in 2017. And it provides some insights on instructions of what to do when they’re responding to a successful ransomware attack, as well as things you can do to protect yourself from getting compromised in the first place.
And a lot of healthcare organizations right now, like we just talked about, are under attack from ransomware. That is starting to become more and more prevalent.
And some other things that they have resources on is the FBI phishing insights that came out a month ago, about there. And we talked about it on the podcast a few episodes ago, as well, where the FBI released information warning the healthcare providers about cyber criminals targeting them in particular. And it really helps with reinforcing to your staff and employees, education on what to be aware of.
And making sure that you’re taking the right steps, to make sure that all your software is patched up, you have the necessary security updates on your systems, that sort of thing.
They also put forth resource that was put out by the National Security Agency, about tele-working and securing that, which we just talked about was a big deal right now. Especially with video conferencing as well. You know Zoom is has gotten a lot of press, both good and bad, about what they’ve been doing. But they’re putting out some security updates, and we talked about that as well, previously.
But making sure that as you’re doing more telehealth and those type of things, that your platform is secure.
Olena: Alright. Well that’s the very latest in news headlines, so far for this week. Now we’re gonna transition over to who’s winning and who’s failing. And so let’s start with the good news first.
Rick: Yeah. We always like to highlight our customers when we can. And there’s a great story that we found coming from UrgiKids, which is a pediatric Urgent Care Provider based out of Illinois. They treat kids from cuts and broken bones, to fevers and stomachaches that pop up after the primary care physician’s office is closed.
So a really needed thing, especially for parents and these days with the Coronavirus, a lot of parents don’t know what to do if something were to happen. Especially as they’re told to stay at home. And when should I go to the doctor? How do I know what symptoms I’m seeing in my child? Is it serious enough that I should go in? What should I do?
So they have a lot of questions, and UrgiKids, like most businesses, I don’t wanna say shut down, but they’ve tried to do best practices with social distancing, and keeping patients away unless they really have to come in for a visit.
And they needed a way to communicate to their patients and the families, the parents of like the children who come in.
So in the past, they could always send out information, just general information with social media, using like Facebook and Instagram.
But it wasn’t a way that they could reach out to patients directly. Especially, you know, with Coronavirus going on, how can they get information out right away to the people who need it?
So they did a lot of research, and they found Paubox Marketing, which is our email marketing tool that can send secure emails, in a HIPAA compliant way.
And they found that this tool would be the best for them to kind of get information out about critical information that families need to know, about services they can offer, best practices, things like that. Including new services that they have, like COVID-19 testing. Which you can imagine is something that, of course, you want to let people know you have available, so that they can get tested if needed.
So they sent their first email out with Paubox Marketing, and they instantly saw a big boost in the number of calls received, and the number of appointments that they got made for telemedicine. So really a great way that they could inform their patient’s families, and just help the community to make sure that everybody’s staying safe, and that if they need services that they can be helped out by UrgiKids.
Olena: That’s wonderful. And you probably don’t even know how many families you’ve helped by offering this service as well. So that’s a really, really great tool that they’ve been able to harness through Paubox Marketing.
Olena: Alright. Well now we’re gonna transition over to those that are failing. And of course, when someone is winning, we also have to highlight whose failing. And it’s related to something that we just touched on a little bit ago with our news headlines.
Rick: Right. So, unfortunately, BJC Healthcare began notifying patients that their data was potentially compromised due to a phishing attack. So they found out that in March, three of their employees fell victim to a phishing attack.
Good thing is that they detected it right away, but the impacted email accounts did give the hacker access to patient information, emails, attachments, things like that. And they’re still investigating but they’re not able to really tell what exactly has been compromised. So when that happens, you gotta just assume everything was. Just to be on the safe side.
So this information could be things like patient data, like medical records, account numbers, treatments, medications, Social Security Numbers, health insurance information, so really a treasure trove of data that hackers can take advantage of.
And it doesn’t seem like it’s the first time for BJC either, which sometimes can be the case for a lot of these larger organizations. I think BJC has something like 19 affiliated hospitals. So they found that this is about the third data breach that BJC had to report in the last two years alone.
So March 2018, they had an issue with their server configuration that exposed Health Information. 2017 through 2018 was when that was discovered. And also later in ‘2018 that they found their patient portal was hacked as well, which exposed data for even more patients.
Olena: Unfortunate. It sounds as if they need more security and better training for their employees, but because they’re so big, maybe they’re just having a hard time keeping up.
Rick: They definitely are probably just being targeted a lot ’cause they are bigger. The breaches themselves were all different threat vectors that came in. It’s not like they are failing the same way every time. But definitely it’s something that they have to keep their eye on as they are getting targeted a lot.
Olena: Definitely. Alright well, now we’re gonna also highlight one of your encrypted interviews, Rick. Now you had a chance to chat with Terra Durbin, owner of Quality Care, a social work agency based in Kentucky. Its mission is to provide high quality care, by promoting respect, personal growth, and empowerment. In this interview, they talk about how quality care serves their community and the impact of the Corona virus on how the non-profit delivers their much needed services. Take a listen.
Rick: So tell us a little bit about Quality Care, and your mission.
Terra Durbin: Quality Care, we serve individuals with intellectual and developmental disabilities through the Supports for Community Living Waiver, and the Home and Community based Waivers in Kentucky.
Our mission is to provide the highest level of care, with the highest level of quality. We feel like they go hand in hand. And it is my mission, my personal mission that all of our individuals that we will treat them as if we would want someone to treat our own family.
So we deliver services to each of our individuals as if they were a member of our family. We provide different types of services, but all of our services are community based and range from physical therapy, occupational therapy, to case management and behavior modification, cognitive behavior support. So, we have kind of a strong array of services.
Rick: That’s awesome. And in the news lately, of course, everything’s around the coronavirus, this pandemic that we’re all going through. So how has delivering services changed with that pandemic? How have you adjusted?
Terra: It’s actually completely changed for us. I mean, all of our services have always been hands-on, face-to-face, direct social services. We’re not able to do that anymore, they’re limiting that completely for us, unless it’s a health safety or welfare need.
So, we have completely switched to doing telehealth services. Which has been a challenge for us, because our individuals are used to seeing us face-to-face.
They’re used to being able to look at us, and read our body language, and we’re able to read their body language, and be able to put skills and interventions in place based on reading those body language cues. We’re not able to do that anymore. So we are currently doing everything from home, from our computers, with Zoom, and email, and internet functions.
So we have went from a hands-on service model, to a complete telehealth model. [chuckle] Overnight, pretty much.
Rick: Wow. So how has that been, kinda rolling that out, ’cause you’re right, it’s not just your team that has to deal with it, is these individuals and families that you’re working with.
Terra: It depends on the person. Some individuals, some patents have been, it’s kind of been seamless for them, and they’re used to using computers and technology, so they’ve adjusted well.
However, even some staff and some patients have never used a video chat. Or hardly ever check their email, or have no idea, this is all very foreign to them. So it’s a complete paradigm shift in the way that they function because they’re having to learn all new technology and all new resources that they’re not used to.
We live in a very rural area. Some people don’t have internet, they don’t have those resources. So it’s been important for our staff and for me to give support to my staff and our patients, to be able to navigate through this complete unknown for them.
Rick: Right. And when we’ve talked to other people in other industries or areas in healthcare, as they’ve been forced to this telehealth move, they kinda see it as maybe being beneficial for them down the road. But like you mentioned, you’re so hands-on in your services. I guess, how do you see telehealth going and helping you beyond the pandemic? Like, knock on wood, if everything gets back to normal later this year, do you see that this adjustment period that you’ve had to go through to implement telehealth and more virtual services could potentially benefit yourself and your industry?
Terra: I think that it definitely could benefit several of our individuals, in the fact that we support a lot of kids with behavior support services, and sometimes they respond better, we’re finding, that sometimes a child responds with a longer attention span, and more tolerance to something on their iPad, a virtual interaction, than they do if you’re sitting in front of them.
So we are finding that the technology component is a benefit when we’re working with younger individuals, because they respond more to that than they do the face-to-face interaction. I do think that that will be something that will be positive that we can continue moving forward.
I also think that it allows us to reach people that we may not otherwise be able to reach, if we have snow or hazardous weather conditions, or that kind of thing, we can still provide services through telehealth. Whereas previously, we might have just canceled the session for that day. So definitely I think that it’s something that we will be able to utilize in the future, more than we have in the past.
And it also frees up a lot of our time, because we’re driving in between sessions, whereas with telehealth, we can hop off one Zoom call and on to the next. So it allows us to have more time to actually spend directly providing services without that time in between for transportation and such.
So, I do think that it will be something that we’ll be able to use moving forward. It’s just been an adjustment period for people to get used to it.
Rick: That’s great. Speaking of kinda technology and where things are going, overall how do you kinda see your industry evolving in the next 10 to 15 years?
Terra: I think that a lot of the technology that we have put in place to be able to continue services, will continue to stick around after the Coronavirus and the pandemic is over. I do think that there will be more or telehealth services, and more Zoom calls, and things like that, to communicate.
I do think that that will continue and I think it is beneficial because it gives people immediate access to us. Even if it’s by way of Skype, or Zoom, or however, that you’re still able to access us immediately, and they don’t have to wait for us to fit it in our schedule to come sit down with them face-to-face.
I think those aspects will continue and I think that’s positive, that we’ll be able to continue to increase our services and provide even higher quality services because we’ll have additional avenues to provide those services that we didn’t before. Or we just didn’t utilize before.
Olena: And for more, you can log on to our website paubox.com, P-A-U-B-O-X.com. Rick, what was it like chatting with Terra this week?
Rick: It was great. She’s so friendly, very passionate about what she does. And it’s always great to talk to customers like Terra. And later on we’ll have a full transcripted interview out on our website, so stay tuned for that. It was really inspiring to talk with her about her experience as a female business owner, and getting Quality Care off the ground to where it is right now, where it really is delivering such great services to the community.
Olena: Excellent. Alright, well that’s gonna wrap it up for this edition of HIPAA Critical. If you like what you hear, be sure to subscribe and also follow us on social media. And Rick, until next time. We’ll see you then.