Websites and social media accounts have been under attack this week. Here is the short list:
 – NBC.com: the site was hacked on 2/21 and visitors were served the Citadel Trojan, a piece of malware that cyber criminals use for banking fraud and cyber-espionage. If you visited NBC.com yesterday morning you may have picked up this malware. Please run a full scan of your PC with up-to-date antivirus software. If you are unsure how to do this, please give us a call.
 – Jeep's Twitter account was hacked on 2/19 and bogus posts were published. The hack was severe enough that Chrysler had to take the account down.
 – Burger King's Twitter account was hacked on 2/18 and bogus posts were published.

At this time preliminary reports indicate that in all of the above cases the attackers got in through compromised email accounts hosted by third-party mail providers outside the victims' control. If you rely on a third party to maintain any of your social media accounts or critical systems, you need to make sure that they employ security at least as strong as your own, if not stronger. That vendor could be the weakest link in your company's security. You have the right to ask a third party for its internal security policies. If it has no policies, or the policies are not adequate, it may be time to look for another provider.

Which vendors should I be concerned about?

  • Vendors that have access to any system owned or used by you or your company.
  • Vendors that take your data or equipment offsite. 

Don't let a vendor's size or importance to your business stop you from asking these questions. In 2011 in Houston, TX, the laptops of two credit union examiners were stolen from the trunk of their car. These laptops contained detailed spreadsheets with account information for the credit unions that had just recently been examined. The hard drives of these laptops were not encrypted. This was a clear violation of the policies of the credit unions being examined, and those credit unions had to treat the data loss just like any other breach.

If you have any questions or concerns about your security or your vendors' security, please give us a call. We can help you prioritize your data, identify your risks, and formulate the questions you need to ask of your critical vendors. We can be reached at 512-832-6209.


The Department of Health and Human Services recently published the Final Omnibus Rule, which officially implements the HITECH Act under HIPAA. The Final Omnibus Rule replaces the Interim Rule on March 26, 2013 and significantly raises the bar on patient privacy. By September 23, 2013, all covered entities and business associates will be legally required to be in compliance with HITECH.

Who are these "Covered Entities"?
Any medical office regardless of size, large hospitals, drugstore chains, and large health insurance companies are all covered entities. Practices of every size must comply with the current regulations. On April 17, 2012, the United States Department of Health and Human Services ("HHS") announced that its Office for Civil Rights ("OCR") had reached a settlement with Phoenix Cardiac Surgery, P.C. requiring the practice to pay $100,000. Phoenix Cardiac Surgery is a five-physician practice in Phoenix, Arizona. The practice had been posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The biggest changes to the final rule are:
1. Business Associates
Business Associates are now directly liable for compliance with the requirements of HIPAA. Under the Security Rule provisions, they must evaluate their security programs and implement risk management strategies to protect electronic PHI, just as covered entities must.

2. Breach Notification
The "risk of harm" standard used to determine when notification of a security or privacy breach is required has been replaced with a "risk assessment" standard. Under the new standard, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Because the assessment is more structured and the burden now falls on the entity to show that notification is not required, more breach notifications are expected to be reported.

This is just a small part of the changes in the final rule. If you don't know where to start, give us a call at 512-832-6209 and we can help.