HIPAA Journal – Exposure of PHI During Online Presentations

Highlights From The HIPAA Journal
From the August 24th Newsletter

Radiology Groups may have allowed exposure of PHI during online presentations

  • The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.
  • The radiology organizations warn against using the formatting tools in presentation software (PowerPoint, Keynote, Google Slides, etc.) to crop images so that patient identifiers are not displayed, as this practice does not permanently remove PHI from the images.
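
One way to check a deck for this before it is shared, as an added example that is not from the newsletter or the radiology organizations: in the .pptx format a crop is stored as an `a:srcRect` element in the slide XML, while the full image file stays inside the package. The function names and the sample package below are constructed for illustration, and the check covers .pptx files only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A = "http://schemas.openxmlformats.org/drawingml/2006/main"
P = "http://schemas.openxmlformats.org/presentationml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_cropped_pictures(pptx):
    """Return (slide part, media target, crop) for each picture shown cropped."""
    findings = []
    with zipfile.ZipFile(pptx) as z:
        names = set(z.namelist())
        slides = sorted(n for n in names
                        if n.startswith("ppt/slides/slide") and n.endswith(".xml"))
        for part in slides:
            # Map relationship ids to the media files this slide embeds.
            rels = part.replace("slides/", "slides/_rels/", 1) + ".rels"
            targets = {}
            if rels in names:
                for rel in ET.fromstring(z.read(rels)).iter("{%s}Relationship" % REL):
                    targets[rel.get("Id")] = rel.get("Target")
            for fill in ET.fromstring(z.read(part)).iter("{%s}blipFill" % P):
                rect = fill.find("{%s}srcRect" % A)
                blip = fill.find("{%s}blip" % A)
                if rect is None or blip is None:
                    continue
                # Non-zero l/t/r/b offsets only hide pixels at display time.
                crop = {k: v for k, v in rect.attrib.items()
                        if k in ("l", "t", "r", "b") and v.rstrip("%") != "0"}
                if crop:
                    rid = blip.get("{%s}embed" % R)
                    findings.append((part, targets.get(rid, rid), crop))
    return findings

def build_sample():
    """Constructed sample: slide1 is cropped, slide2 is not (not a full PPTX)."""
    slide = ('<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s"><p:pic><p:blipFill>'
             '<a:blip r:embed="rId2"/>%%s</p:blipFill></p:pic></p:sld>' % (P, A, R))
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" '
            'Target="../media/image1.png"/></Relationships>' % REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide % '<a:srcRect t="18000" b="5000"/>')
        z.writestr("ppt/slides/slide2.xml", slide % "<a:srcRect/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels % ())
    buf.seek(0)
    return buf
```

`find_cropped_pictures` also accepts a file path; each image it reports should be replaced with one whose identifiers were removed in an image editor before insertion.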

OCR identifies the importance of maintaining a comprehensive IT asset inventory

  • Many cases of noncompliance are due to the failure to perform a comprehensive risk analysis across the entire organization.
  • One of the common reasons for a risk analysis compliance failure is not knowing where all ePHI is located in the organization.
  • The inventory should include all physical IT-related devices plus the applications associated with the organization’s hardware.

Vishing, the new way hackers are trying to hack into a Healthcare Organization’s database, is announced as a threat by the FBI and CISA

  • The threat actors impersonate a trusted entity and use social engineering techniques to get targets to disclose their corporate Virtual Private Network (VPN) credentials.
  • Because many employees are working from home and connecting over a VPN, cybercriminals are targeting organizations in the hope of obtaining those credentials.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Dynasplit Systems, a manufacturer of stretching devices to improve joint motion, experienced an attack in which PHI may have been stolen. Over 102,000 individuals were likely affected by this attack.
  • Pinnacle Clinic Research of Texas announced it had a phishing attack. One email account was compromised and was immediately secured when the breach was discovered. It is unclear how many individuals were potentially affected by this attack.
  • The Institute for Integrative Nutrition (NY) experienced a phishing attack in March of 2020; the breach was not discovered until June 22. Significant measures have been taken.
  • Mental Health Center of Boulder County (CO) experienced a phishing attack in March of this year, and complimentary credit monitoring services were given to clients who were potentially affected by this attack.
