Allscripts EHR Ransomware Attack is Huge–How Will it Impact Healthcare Practices?

OCR LogoSee recommendations below

On January 19, 2018, cybercriminals were successful in a ransomware attack on Allscripts, an electronic healthcare record (EHR) provider for healthcare providers across the United States. The attack encrypted some of Allscripts systems and prevented those healthcare providers who use those systems for their EHRs from being able to access their patient records. Not only is there the obvious impact this has had on those healthcare providers’ ability to treat their patients, but also, under HIPAA, the Office of Civil Rights presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless certain criteria are satisfied. (See checklist in this post and this post for further explanation).

TMLT LogoThe Texas Medical Liability Trust (TMLT)’s blog post, Allscripts EHRS Falls Victim to Ransomware Attacks, goes into much greater detail in describing the facts of this event and what has taken place since the initial attack. The blog also provides an excellent analysis of the Business Associates considerations in a situation such as this and the post features several important recommendations for what practices need to do now from my friend and excellent cybersecurity and data privacy attorney Adrian Senyszyn (LinkedIn) and myself. So, what are you waiting for, go read the TMLT post … and hope and pray that you planned ahead and have cyber insurance!

See Also:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

The Most Positive Cybersecurity Trend I Have Seen in Nearly 20 Years!

business-1989131_1920In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.

As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.

My practice has been divided into three distinct areas over the last several years:

  1. Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
  2. Reactively, by leading companies through the cyber incident response and data breach response process (e.g.,  as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
  3. Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.

For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.

This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.

But in the last quarter of 2017, this has changed.

The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.

What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.

I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Complimentary Webinar: Countdown to #GDPR – Compliance for Non-EU Companies

Countdown to GDPR Compliance is a complimentary webinar that I will be moderating on Thursday, December 7, 2017, at 12:00 PM Central.  This is the second webinar in a three-part series sponsored by Mackrell International and will focus on Compliance for Non-EU Companies. You don’t want to miss it!

Moderator: Shawn Tuma
Presenter: Marta Stephanian, Ten Holter/Noordam
Presenter: Henrik Nilsson, Wesslau Söderqvist Advokatbyrå

 

COUNTDOWN TO GDPR COMPLIANCE: Compliance for Non-EU Companies
Sponsored by Mackrell International
Thursday, December 7, 2017 @ 12:00 PM CT
LINK for more information
Register via email: GDPR@hogefenton.com

GDPR Invite 2 11_21

I hope you are able to attend the webinars and find the information helpful in your business. As always, please let me know if you have any questions or if I can help you.

Shawn E. Tuma | Scheef & Stone, L.L.P.
Cybersecurity & Data Privacy Attorney
2600 Network Blvd., Suite 400, Frisco, TX 75034
214.472.2135 (direct) | 214.726.2808 (mobile)
Email: shawn.tuma@solidcounsel.com
Firm: www.solidcounsel.com
Blog: www.businesscyberrisk.com

Tips for Staying #CyberSecure While Shopping Online for #CyberMonday

Cybercriminals need shopping money for the Holidays and one of their favorite times to get yours is when you are shopping on #CyberMonday.

Use these tips to help stay #cybersecure while shopping online for #CyberMonday and at any other time:

  1. Credit or debit? Use credit cards, not debit cards, for your online shopping. Debit cards are tied directly to your bank account so if there is a problem, your money is gone. With credit cards, it is borrowed money, plus, if you have a problem with the merchant or order, the credit card company can act as your intermediary in the dispute. If possible, have one credit card that is used solely for online shopping in case you need to cancel it.
  2. Secure Internet connection. When shopping online, it is best to avoid free WiFi or other forms of open WiFi in public locations. When you are out, it is best to use your own data plan or, if you must use public WiFi, use a VPN to help minimize the risk of having your information stolen.
  3. Credible merchants. Only shop at online merchants that are credible and well-established. Anyone can put up a website in a short amount of time, make sure you know you’re dealing with a trusted merchant with a history of doing business.
  4. Scams – too good to be true (merchants). Be wary of deals that seem too good to be true and do not get too greedy because if a “deal” seems that good, it almost certainly is and the person behind the scam is either outright stealing your money or they are trying to steal your information.
  5. Saving information with merchant. While it is more convenient to save your personal information and payment information with the merchant, doing so also means that information is now stored in their database and can be compromised. It is best to not save your information with merchants.
  6. Scams – too good to be true (click here). Be wary of emails or social media posts that advertise deals that seem too good to be true and then tell you to “click here” on a link to see more information. Those are usually phishing emails that are designed for the sole purpose of getting you to click the link so they can either steal your information or deposit malware on your device. Cybercriminals can perfectly clone emails from legitimate merchants such as FedEx, PayPal, Amazon, and others so just because the email looks legit doesn’t mean it is — don’t click on the links!
  7. Scams — the sad story. While not limited to online shopping, a close relative to the “too good to be true” scam are the scams that play on your sympathy and generosity during the Holidays. An example of these is chain emails that tell of a tragedy that has befallen people and asks for donations. Criminals know how to play on our sympathies and use our emotions to manipulate us into doing things we would never do otherwise, such as sending money because someone asked for it in an email or social media post. Unless you know the people first hand, do not let your emotions overtake your judgment and stick with reputable charitable organizations with an established history.
  8. Good Cyber Hygiene. Whether for shopping on #CyberMonday or otherwise, it is best to always use good #CyberHygiene to protect yourself online. Here is a free Checklist for Good Cyber Hygiene.

For more discussion of these tips for staying safe while shopping online see 5 tips for Avoiding the Cyber Grinch this Cyber Monday! and Cyber Monday: Online safety tips from a cybersecurity expert.

SEE ALSO

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs

The FTC and Uber have settled the enforcement action the FTC brought against the company. This action stems from Uber’s data breach of more than 100,000 individuals’ PII despite its promises that their data was “securely stored within our databases.” The FTC found this promise was misleading when compared with the actions the company was really taking. In settling the dispute, Uber entered into a Consent Decree that Continue reading “Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs”