Is your cyber security really covered?

By John Southrey, CIC, CRM

Health care organizations are increasingly the target of cyber attacks, and cyber criminals are using a spectrum of techniques* — ransomware, phishing attacks and other malware infections — to gain access to electronic protected health information (ePHI).

TMLT policyholders reported 112 cyber-related incidents in 2016. One-third of these incidents involved ransomware attacks. To combat these cyber threats and data breaches, TMLT developed fee-based risk management resources to help medical practices assess and mitigate their cyber risks.

TMLT’s cyber risk management services are focused on protecting medical privacy and security and include:

  • HIPAA risk assessments (done on-site or remotely) to evaluate a practice’s physical, administrative, and technical safeguards;
  • customized workforce training (on-site or online) to maintain compliance with privacy laws;
  • IT support such as system penetration testing, phishing vulnerability testing, hosting, backup management, and disaster recovery;
  • managed detection and response from eSentire; and
  • policy and procedures review.

Though data breaches are a systemic business risk that can be devastating to a medical practice and its patients, many health care organizations continue to take a “wait and see” approach to improving their data security. They may not even recognize when they have been breached, because it can take up to several weeks to detect and respond to incidents. (1)

Indeed, TMLT regularly encounters the following objections when addressing this issue with practice administrators and physicians.

“Our cyber security is covered.”

  • But are you monitoring your system logs and network traffic 24 hours a day?
  • How often are you updating your operating systems and software?
  • How would you know if malware bypassed your security, for example by exploiting a “zero-day” flaw that the software vendor has not yet patched?

“We’re too small to be a target”

  • How many medical records do you have in your EHR and/or PM systems?
  • Do you give your Business Associates and their sub-contractors access to your EHR?
  • Are you aware that small-to-medium practices are targeted by cyber criminals because they are considered “low-hanging fruit” due to inadequate data security?

“We outsource our IT”

  • How much does your IT vendor know about the HIPAA Security Rule? (Breaches can originate within Business Associates or their subcontractors.)
  • Do you have an Incident Response Plan and have you educated your workforce on the HIPAA Breach Notification Rule?

“We’ve moved our data to the cloud.”

  • Will your cloud provider sign a Business Associate Agreement?
  • Does your cloud provider’s security cover the end-user accounts and devices that connect to its service, or only the provider’s own infrastructure?
  • Are you and your employees aware of phishing, social engineering, and targeted attacks and how to appropriately handle them?

There are inherent risks in using technology in health care, and moving to the cloud does not eliminate data security risks. Some ransomware variants can reach cloud-based backups: when systems are continually backed up in real time, the encrypted files are synced over the clean copies, and cloud storage that is mapped as a drive on an infected computer can be encrypted directly. (2)
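The point above is easiest to see by running it. The following is an added simulation, not code from the article or from the DOJ guidance it cites: a workstation writes files to two mapped cloud stores in real time, one a plain mirror and one that retains every version; a stand-in “ransomware” routine then encrypts every local file in place. All stores, file contents and the XOR “cipher” are constructed for the demonstration, and no real cloud API is involved.

```python
"""Added simulation of the failure mode above: ransomware on a workstation whose
cloud folders are mapped and synced in real time. Everything here (stores, file
contents, the stand-in "cipher") is constructed; no real cloud API is used."""
from typing import Dict, List, Optional, Tuple

RANSOM_KEY = b"\x5a\xa5\x3c\xc3"  # constructed; real ransomware uses a strong cipher


def fake_encrypt(data: bytes) -> bytes:
    """XOR with a repeating non-zero key, so every byte is altered."""
    return bytes(b ^ RANSOM_KEY[i % len(RANSOM_KEY)] for i, b in enumerate(data))


class MirrorStore:
    """Continuous sync with no retention: each write replaces the cloud copy."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def sync(self, seq: int, path: str, data: bytes) -> None:
        self.files[path] = data

    def restore_before(self, path: str, seq: int) -> Optional[bytes]:
        # No history: the best a mirror can do is hand back the current copy.
        return self.files.get(path)


class VersionedStore:
    """Cloud storage with version retention: every sync is kept as (seq, data)."""

    def __init__(self) -> None:
        self.versions: Dict[str, List[Tuple[int, bytes]]] = {}

    def sync(self, seq: int, path: str, data: bytes) -> None:
        self.versions.setdefault(path, []).append((seq, data))

    def restore_before(self, path: str, seq: int) -> Optional[bytes]:
        # Point-in-time recovery: newest version written before the recovery point.
        older = [d for s, d in self.versions.get(path, []) if s < seq]
        return older[-1] if older else None


class Workstation:
    """Local files plus mapped cloud drives; every local write syncs at once."""

    def __init__(self, stores) -> None:
        self.stores = stores
        self.files: Dict[str, bytes] = {}
        self.seq = 0  # write counter; stands in for the sync timestamp

    def write(self, path: str, data: bytes) -> int:
        self.seq += 1
        self.files[path] = data
        for store in self.stores:
            store.sync(self.seq, path, data)
        return self.seq


def ransomware_run(ws: Workstation) -> int:
    """Encrypt every local file in place; each write propagates through the
    mapped drives immediately. Returns the counter at which the attack began,
    i.e. the recovery point a responder would reconstruct from sync logs."""
    attack_start = ws.seq + 1
    for path, data in list(ws.files.items()):
        ws.write(path, fake_encrypt(data))
    return attack_start


def run_scenario() -> Dict[str, bool]:
    """Per store: can every file be restored to its pre-attack content?"""
    mirror, versioned = MirrorStore(), VersionedStore()
    ws = Workstation([mirror, versioned])
    expected = {  # constructed sample files, no real patient data
        "charts/patient-0001.txt": b"constructed chart record A",
        "charts/patient-0002.txt": b"constructed chart record B",
    }
    for path, data in expected.items():
        ws.write(path, data)
    # A legitimate edit before the incident: the newest clean version must win.
    expected["charts/patient-0001.txt"] = b"constructed chart record A, amended"
    ws.write("charts/patient-0001.txt", expected["charts/patient-0001.txt"])

    recovery_point = ransomware_run(ws)
    return {
        name: all(store.restore_before(p, recovery_point) == d
                  for p, d in expected.items())
        for name, store in (("mirror", mirror), ("versioned", versioned))
    }


if __name__ == "__main__":
    print(run_scenario())  # {'mirror': False, 'versioned': True}
```

The mirror ends up holding only encrypted copies, because real-time sync faithfully replicated the attack; the versioned store recovers every file, including the one that had a legitimate edit after its first backup. Two caveats matter in practice: the retention window must be longer than the time it takes to notice the incident (the article notes detection can take weeks), and the account the ransomware runs under must not be able to purge the version history, which is the reason to keep backup deletion behind a separate credential.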

It is widely reported that the health care industry is failing to keep pace with evolving cyber threats and has under-invested in protecting its data. (3) The Office for Civil Rights (OCR), the HIPAA enforcement arm of the U.S. Department of Health and Human Services, has advised health care organizations that “Healthcare organizations and contractors and vendors that handle protected health information must step up their game.”

The OCR has also warned that “Cybersecurity-related attacks have continued to rise and become more destructive and disruptive. Although effective incident response planning can be a complex task, it should be one of covered entities’ and business associates’ priorities.” (4)

Effective cyber security requires a multi-layered approach using threat detection, prevention, and incident response planning. The legal ramifications and reputational harm can be significant to a medical practice suffering a data breach. And as practices pursue the “triple aim” of value-based health care, data breaches will not improve the patient experience.

1. In a survey of 223 US-based health care executives conducted by KPMG, only 13 percent reported tracking known cyber security attacks daily. Additionally, 25 percent stated they do not have or do not know their capabilities, in real-time, if their organization’s systems are being compromised. KPMG. Health Care and Cyber Security — Increasing Threats Require Increased Capabilities. 2015.

2. How to Protect Your Network from Ransomware. U.S. Department of Justice.

3. Playing catch-up. Health Care Risk Management Review. January 14, 2016.

4. HIPAA enforcer’s latest actions: an analysis. Health Care Info Security. July 18, 2016.
* These techniques are also known as “attack vectors”: a path or means by which an attacker can gain access to a computer or network server to deliver a payload or cause a malicious outcome. Attack vectors let attackers exploit system vulnerabilities, including the human element. More information is available at:

Social media and cyber risk management

Using social media can lead to risk and liability for an organization. Privacy and data security issues can arise from employees using social media in a way that discloses confidential or sensitive information, such as personal information of customers, patients, or employees, and confidential information about the organization.

These disclosures are usually innocent, but can harm an organization.

In addition, social media can provide an avenue for hackers or thieves to attack an organization. Information found through social media is often used in spear-phishing attacks and makes them effective because it increases the legitimacy of the request. Hackers can also use social media to exploit vulnerable networks, steal intellectual property, or harm an organization’s reputation.

You can help protect the organization from these risks by following these best practices.

1. Develop a social media policy and educate your workforce on it. Every organization, regardless of size, should have a policy on the use of social media. Staff should know their responsibilities when referring to the organization on social media and the consequences of misuse or abuse of it.

2. Never disclose your organization’s trade secrets, intellectual property, or other confidential information through social media platforms.

3. Never disclose private or personal information related to (a) clients, customers, vendors, or patients, or (b) employees, managers, supervisors, senior management, officers, board members, or owners. This includes financial information, social security numbers, etc.

4. Do not disclose client, customer, or patient names or the work the organization performs for them unless the information is already available in the public domain.

5. If you say something online in support of your organization, including its products or services — even with a personal account — be sure to clearly disclose your relationship with the organization.

6. Do not accept “friend requests” from anyone that you do not know personally, including friends of friends. When a social media friend request is accepted — unless privacy settings are specifically adjusted to restrict access — that person can view all of your personal information, familiarizing themselves with your nearest friends and associates.

Source: ePlace Solutions.



New Mexico Supreme Court rules in favor of physicians

The Supreme Court of New Mexico has ruled in favor of physicians in the Montano v Frezza case, in a 4 to 1 decision. 

At issue in the case was whether a New Mexico resident who was treated in Texas by a Texas physician could file suit against that physician in New Mexico and the physician would be held to New Mexico law. The New Mexico Supreme Court ruling allows the Texas Tort Claims Act to govern the case.

In arriving at their opinion, the justices only considered the issue of comity – that is, respecting the sovereignty of sister states.

Amicus briefs to the Court made a difference

In the court’s ruling, the Justices referred to “numerous amici” that described the “shortage of doctors, particularly specialists, in certain rural areas of New Mexico and the important role that state-operated health care facilities in Texas play in filling those gaps for many residents of the southern and eastern portions of our state.”

They further commented that while there is no proof that this case would jeopardize the availability of care, they “do not consider it overly speculative to conclude that extending comity to Texas in this case will positively serve New Mexico’s public policy interests by encouraging the continuing cooperation of Texas and New Mexico in maintaining cross-border care networks.”

A total of 31 parties — including the New Mexico Medical Society, the New Mexico Hospital Association, the University of New Mexico Health Sciences Center, the Texas Medical Association (TMA) and the American Medical Association — joined a brief submitted by the Texas Alliance for Patient Access (TAPA).

TMLT and the University of Texas System filed complementary briefs.

Patient consent forms still needed

Because this ruling only dealt with tort claims act cases involving governmental employees, physicians who treat patients from New Mexico should continue to have those patients sign choice of law and forum agreements before treatment.

Summary of the case

In 2004, New Mexico resident Kimberly Montano traveled to Lubbock, Texas to undergo bariatric surgery.

Eldo Frezza, MD — an employee of the Texas Tech University Health Sciences Center — performed the surgery. Over the next six years, Dr. Frezza and others provided follow-up care for complications related to Mrs. Montano’s surgery. All of the care given by Dr. Frezza occurred in Texas. Dr. Frezza was listed on the Lovelace New Mexico health plan, allegedly creating a direct connection with the state that would allow him to be sued there. Reportedly he was the only bariatric surgeon listed on their plan.

Eventually, Mrs. Montano sought evaluation from another physician. She also retained legal counsel. Counsel for Mrs. Montano reports that tests revealed she had gastrointestinal bleeding caused by an “eroding permanent suture.” The second physician performed corrective surgery.

In 2011, Mrs. Montano sued Dr. Frezza and Lovelace in a New Mexico court. Mrs. Montano argued that her case should be tried under New Mexico law because her injuries “manifested” themselves in New Mexico.

This was contested in a New Mexico appellate court, which agreed with Mrs. Montano. The court concluded that the “place of the wrong” is the place where Mrs. Montano allegedly first discovered the alleged injury and not where the alleged injury occurred.

Also, the court determined that the “choice of law” favored New Mexico since applying Texas’ more restrictive tort claims act violated New Mexico public policy that provides the greatest remedy for the plaintiff.

Though Dr. Frezza was not an employee of the State of New Mexico, the court elected to treat him as if he were. The court’s ruling could have been interpreted broadly to affect not only state employees, but also Texas physicians in private practice, eliminating their access to protections from our tort reform.

New Mexico physicians and hospitals have long relied on their ability to refer or transfer sick and injured patients to Texas for specialized care. The willingness of Texas providers to receive those patients could have been shaken if the Montano ruling had been allowed to stand. Access to health care is already challenging for some New Mexico residents.

Commitment to physician advocacy

A physician in Lubbock first brought this case to the attention of the medical community. TAPA, TMA, TMLT, and others immediately saw the need to get involved and advocate on behalf of physicians. The ruling is an important victory for physicians from Amarillo to El Paso and along the Texas-New Mexico border. It is also important for hospitals and medical centers throughout Texas, as these facilities also treat patients from New Mexico.

Together, we continue our commitment to stand up for health care professionals and the patients they serve.

For more information, please contact Jill McLain with TMLT at 512-425-5827 or jill-mclain@tmlt or John Opelt with TAPA at 512-703-2156 or


Keep your practice safe within the Internet of Things

The Internet of Things (IOT) is an umbrella term referring to any smart device that connects to the Internet. The IOT network has rapidly grown over the past few years, with light bulbs, refrigerators, copy machines, cameras, and cars all becoming Internet-connected devices. All of these connected devices are generating and storing data for their various functions, posing serious security and privacy concerns.

Many IOT vendors are new startups and may have little experience in information security. In order to get their devices on the market quickly, IOT vendors may not pay close attention to the security of their products. In addition, many IOT devices are opened, taken out of the box, and left unsecured and vulnerable to attack.

IOT devices can also increase the attack surface on a company’s network. As more devices connect to the Internet, attackers gain another gateway to access a company’s internal networks and systems. It is important to keep these devices secure so attackers cannot use them to attack or gain access to your network and data.

Best practices

  • Do your research on the device. It is important to know the level of security available with the device and similar devices from other manufacturers.
  • Keep patches and versions up-to-date. Does the device automatically update? If not, determine how often you should check for updates. Ideally, you want an IOT device that automatically updates when security fixes are released. Otherwise, monitor for any alerts released by the manufacturer.
  • Change the default password when setting up the device. Factory default passwords are commonly known (often printed in the manual) and are the first thing an attacker tries. Setting a strong, unique password when first configuring your IOT device is one of the simplest and most effective security practices.
  • Limit devices connected to the network. Connect devices only when necessary or buy non-connected versions. Turn connected devices off when not needed.
  • Report suspicious activity on company IOT devices to IT. Prompt reporting is important to stop malicious activity before it spreads to other company devices and networks.

Source: ePlace Solutions.



New call coverage rules from the Texas Medical Board

In October 2016, the TMB adopted new call coverage rules.

Most physicians participate in a “reciprocal call coverage model” — sharing call with physicians of the same or similar specialties.

However, some physicians participate in a “non-reciprocal call coverage model.” The rules for this model include requirements for a written call agreement, access to patient medical records, a written report, and other elements.

For more information regarding both call coverage models, please see TMB rules Section 177.20 and the article “New Texas Medical Board call coverage rules causing concern,” published by the Texas Ophthalmological Association.