KENTUCKY REGIONAL EXTENSION CENTER

Reminder: Join us for our 2017 Healthcare Transformation Survival Seminars

Join us as we travel across the Commonwealth to provide an in-depth look at the Medicare Access and CHIP Reauthorization Act (MACRA) legislation and the Quality Payment Program!

There are significant changes to physician payments that are now tied to quality and value. This event will prepare healthcare providers for the changes under MACRA and Value-Based Payment. We will explore: QPP Eligibility, QPP Reporting Metrics, Improvement Activities, ACI and Meaningful Use, HIPAA Requirements, and Quality Improvement.

Lunch will be provided!
This activity has been approved for AMA PRA Category 1 Credit™

Register Now

Dates/Locations

August 18, 2017 – London, KY
London Community Center
Room AB
529 S Main St
London, KY 40741
9:30AM – 3PM EST

September 14, 2017 – Georgetown, KY
Georgetown College
Banquet Hall
100 Crawford Drive
Georgetown, KY 40324
9:30AM – 3PM EST

September 28, 2017 – Paducah, KY
Baptist Health Paducah
Heart Center Auditorium
2501 Kentucky Avenue
Paducah, KY 42003
9:30AM – 3PM CST

October 5, 2017 – Ashland, KY
Ashland Community College
The Rocky Adkins Pavilion
902 Technology Drive
Grayson, KY 41143
9:30AM – 3PM EST

Registration Fee

Clinicians/Practice Representatives/Non-profit organizations: $25
Vendors and Non-Practice Representatives: $75

Register Now

This material will be prepared by the QPP Resource Center, the Quality Payment Program for the Midwest, under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy.

Agenda Announced for 2017 Healthcare Transformation Survival Seminars

This year’s 2017 Healthcare Transformation Survival Seminars will provide a heavy focus on Medicare Access and CHIP Reauthorization Act (MACRA) legislation and the Quality Payment Program.

The topics will include:

  • MACRA Quality Payment Program 2.0 Sessions: Preparing for QPP
    • Getting Ready for QPP – Who is Eligible?
    • How & What Should I Report for QPP?
    • Which Measures Should I Report for QPP?
    • Which Improvement Activities Are Right for Me?
    • How do I Meet the ACI Requirements?
  • Health IT Sessions:
    • How do I Handle Medicaid Meaningful Use?
    • What About Hospital Meaningful Use?
    • What Role Does HIE Play in MU & ACI?
  • How Do I Protect my IT Systems from Bad Guys?
  • How Do I Improve my Performance & QPP Score?

Lunch will be provided!
This activity has been approved for AMA PRA Category 1 Credit™

Register Now

Dates/Locations

August 18, 2017 – London, KY
London Community Center
Room AB
529 S Main St
London, KY 40741
9:30AM – 3PM EST

September 14, 2017 – Georgetown, KY
Georgetown College
Banquet Hall
100 Crawford Drive
Georgetown, KY 40324
9:30AM – 3PM EST

September 28, 2017 – Paducah, KY
Baptist Health Paducah
Heart Center Auditorium
2501 Kentucky Avenue
Paducah, KY 42003
9:30AM – 3PM CST

October 5, 2017 – Ashland, KY
Ashland Community College
The Rocky Adkins Pavilion
902 Technology Drive
Grayson, KY 41143
9:30AM – 3PM EST

Registration Fee

Clinicians/Practice Representatives/Non-profit organizations: $25
Vendors and Non-Practice Representatives: $75

Register Now

This material will be prepared by the QPP Resource Center, the Quality Payment Program for the Midwest, under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy.

Warning: Current International Ransomware Campaign

The U.S. government is aware of an international ransomware campaign that may be affecting Healthcare and Public Health Sector assets in addition to other Sectors. Please review the information below and share it with colleagues.
You may send additional questions to cip@hhs.gov.

HHS/ASPR Critical Infrastructure Protection Program:

If you are the victim of a ransomware attack
If your organization is the victim of a ransomware attack, HHS recommends the following steps:
1. Contact your FBI Field Office Cyber Task Force or US Secret Service Electronic Crimes Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
2. Report cyber incidents to US-CERT and the FBI’s Internet Crime Complaint Center.
3. **NEW** If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated at the system/facility level.
4. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC@hhs.gov.

Mitigating against this threat

• Educate users on the common phishing tactics used to entice them to open malicious attachments or to click links to malicious sites.
• Patch vulnerable systems with the latest Microsoft security patches.
• Verify that perimeter tools are blocking Tor .onion sites.
• Use a reputable anti-virus (AV) product with up-to-date definitions to scan all devices in your environment and determine whether any of them carry malware that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
• Monitor US-CERT for the latest updates from the U.S. government. See below for current reporting.
• Utilize HPH Sector ISAC and ISAO resources. See below for further information.

US-CERT Resources
Multiple Petya Ransomware Infections Reported
06/27/2017 12:56 PM EDT
Original release date: June 27, 2017
US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.
Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how to best protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

Sector ISAO and ISAC resources
National Health Information-Sharing and Analysis Center has shared the following TLP-White Message and will continue to share information at nhisac.org.
HITRUST has shared the following Threat Bulletin for distribution.

ONC and OCR resources
• ONC provides many helpful resources about Health IT Security, including cybersecurity guidance materials and training.
• OCR provides cybersecurity guidance materials, including a cybersecurity checklist, ransomware guidance and cyber awareness newsletters.

Ransomware: Are You Protected?

On May 12, 2017, the Department of Homeland Security released the following report:

US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of the required security measures include:

• implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
• implementing procedures to guard against and detect malicious software;
• training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
• implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

Call the Kentucky REC today at 859-323-3090 to see how we can help with your HIPAA compliance.

Sources:
https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported

https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

No Business Associates Agreement? $31K Mistake

From the HHS Office of Civil Rights on April 20, 2017: No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH

For more information on Business Associate Agreements, please visit https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit http://www.hhs.gov/hipaa/index.html

Don’t let this happen to you! Contact the Kentucky REC with your questions at 859-323-3090. Our security advisors are here to help you.