Listener message potpourri means we will be hitting several different topics in this episode. We get a lot of emails and messages from listeners these days. While we do our best to respond, we can’t say we are consistent, which is why we do these episodes periodically. If we’ve missed yours, don’t hesitate to point it out to us in another message.

HIPAA For MSPs by David Sims Listener Message Potpourri

Listener Message Potpourri

Start with a scary story that is way beyond Halloween.  This one reminds us to use a different password for every login.  It also reminds us that adding cool new technology to our homes without securing it can be dangerous in more ways than most people realize.  A family installed internet-connected cameras in the kids’ rooms so the parents could talk with them remotely while at work.  Cool idea.  It worked great, right up until someone ELSE was talking to their kid through the camera!

1 – Our first listener message is from our listener survey:  What are the risks with virtual terminals and shared files?

There are risks with virtual terminals that get overlooked because of overconfidence in them.  Yes, if the virtual machine gets whacked you just wipe it and spin up a new one.  However, ransomware running in that session encrypts everything the session can write to, and that includes the shared folders on the server it has mapped.  The disposable machine is the easy part; those shared files you don’t just whack and restore so easily.
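As an added example (not from the podcast or any product it mentions) of what that means for detection: the script below scans file-server audit events for a single session that is renaming many files to a new extension within a short window, the pattern ransomware leaves on a share, and reports which shares that session touched. The audit lines, the host names (vdi-07, vdi-02, fs1) and the user names are constructed for this example; a real deployment would feed it SMB or file-server audit logs in whatever format the server produces.

```python
"""Flag a session that looks like ransomware on a file share.

Added example, not the podcast's own code.  The audit lines below are
constructed: "<timestamp> <session host> <user> <op> <path> [<new path>]".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit: one session mass-renaming to ".locked",
# one session doing an ordinary single rename and write.
SAMPLE_AUDIT = r"""
2018-11-01T09:00:01 vdi-07 jsmith RENAME \\fs1\finance\budget.xlsx \\fs1\finance\budget.xlsx.locked
2018-11-01T09:00:02 vdi-07 jsmith RENAME \\fs1\finance\q3.docx \\fs1\finance\q3.docx.locked
2018-11-01T09:00:02 vdi-07 jsmith RENAME \\fs1\hr\payroll.csv \\fs1\hr\payroll.csv.locked
2018-11-01T09:00:03 vdi-07 jsmith RENAME \\fs1\hr\handbook.pdf \\fs1\hr\handbook.pdf.locked
2018-11-01T09:00:03 vdi-07 jsmith RENAME \\fs1\finance\notes.txt \\fs1\finance\notes.txt.locked
2018-11-01T09:00:04 vdi-07 jsmith RENAME \\fs1\finance\ar.xlsx \\fs1\finance\ar.xlsx.locked
2018-11-01T09:05:00 vdi-02 mjones RENAME \\fs1\finance\draft.docx \\fs1\finance\final.docx
2018-11-01T09:06:00 vdi-02 mjones WRITE \\fs1\finance\final.docx
"""


def parse_line(line):
    """Split one audit line into a record; returns None for short/odd lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
        "session": (parts[1], parts[2]),          # (host, user) identifies the session
        "op": parts[3],
        "path": parts[4],
        "new_path": parts[5] if len(parts) > 5 else None,
    }


def share_of(unc_path):
    r"""\\server\share\dir\file -> \\server\share"""
    parts = unc_path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])


def extension_changed(old, new):
    """True when a rename gives the file a different extension (e.g. .xlsx -> .locked)."""
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


def detect_ransomware_sessions(audit_text, window=timedelta(seconds=60), threshold=5):
    """Return {session: [shares]} for sessions with >= threshold
    extension-changing renames inside any sliding `window`.

    The share list is the blast radius: what that session could reach,
    and therefore what has to be restored.
    """
    recent = defaultdict(deque)   # session -> deque of (timestamp, share)
    flagged = {}
    for line in audit_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "RENAME" or rec["new_path"] is None:
            continue
        if not extension_changed(rec["path"], rec["new_path"]):
            continue                              # ordinary rename, not interesting
        q = recent[rec["session"]]
        q.append((rec["ts"], share_of(rec["path"])))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()                           # drop events outside the window
        if len(q) >= threshold:
            flagged.setdefault(rec["session"], set()).update(s for _, s in q)
    return {s: sorted(shares) for s, shares in flagged.items()}


if __name__ == "__main__":
    for (host, user), shares in detect_ransomware_sessions(SAMPLE_AUDIT).items():
        print(f"ALERT: {user}@{host} mass-renaming files on {', '.join(shares)}")
```

The threshold and window are tuning knobs; the useful output is the share list, which tells you what to cut the session off from and what to restore from a versioned backup. Mapping shares read-only wherever the virtual terminal does not need to write shrinks that list before an incident ever happens.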

2 – Our next listener message is asking a question about geoblocking features available in firewalls.

What is Geoblocking? The question came up today about geoblocking China. What if a resident of a community has family in China and their internet is provided by a Continuing Care Retirement Community? I’m thinking that their family email would be blocked. Is there a way to open up specific emails or IP addresses and not open up the whole country?

Geoblocking comes in handy when you know there shouldn’t be any traffic to or from your website or router from certain parts of the world: you simply don’t allow it.  There are times when that causes problems, though, like the family email in this question.  Most firewalls that geoblock let you add exceptions, such as specific IP addresses or ranges that stay allowed even though the rest of the country is blocked, and email from a relative overseas is usually delivered through the relative’s mail provider, so what the firewall sees is that provider’s servers rather than the relative’s home connection.  Either way, you must have a plan for dealing with the issues: know how a blocked resident reports it, and keep the firewall’s logs of what the geoblock denied so you can find legitimate traffic it caught.
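As an added example (not from the podcast or any firewall vendor) of how an exception sits next to a country block: the code below models a first-match-wins rule list, which is how most firewalls evaluate policy, and shows that an exception only works when it is ordered before the geoblock rule. The IP-to-country table is constructed from documentation address ranges and is not real GeoIP data; the country code and the CIDRs are assumptions for the example.

```python
"""Geoblock with an allow-list exception, first-match-wins.

Added example, not the podcast's own code.  GEO_TABLE is constructed from
documentation ranges (203.0.113.0/24, 198.51.100.0/24) and maps them to
made-up countries; a real firewall uses its own GeoIP feed.
"""
import ipaddress

GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),   # constructed mapping
    (ipaddress.ip_network("198.51.100.0/24"), "US"),  # constructed mapping
]


def country_of(ip):
    """Look the address up in the (constructed) country table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def build_policy(blocked_countries, exceptions, exceptions_first=True):
    """Build an ordered rule list: (action, rule name, match function).

    exceptions: CIDRs that must stay reachable even though their country
    is blocked (a relative's mail server, a partner's VPN endpoint, ...).
    exceptions_first=False reproduces the common mistake of adding the
    exception underneath the country block, where it never matches.
    """
    exception_rules = [
        ("allow", f"exception {cidr}",
         lambda ip, cc, net=ipaddress.ip_network(cidr): ipaddress.ip_address(ip) in net)
        for cidr in exceptions
    ]
    geo_rules = [
        ("deny", f"geoblock {country}", lambda ip, cc, country=country: cc == country)
        for country in blocked_countries
    ]
    rules = exception_rules + geo_rules if exceptions_first else geo_rules + exception_rules
    rules.append(("allow", "default", lambda ip, cc: True))
    return rules


def evaluate(rules, ip):
    """Return (action, rule name) of the first rule that matches, like a firewall."""
    cc = country_of(ip)
    for action, name, match in rules:
        if match(ip, cc):
            return action, name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    good = build_policy(["CN"], ["203.0.113.42/32"])
    bad = build_policy(["CN"], ["203.0.113.42/32"], exceptions_first=False)
    for ip in ("203.0.113.42", "203.0.113.7", "198.51.100.9"):
        print(ip, "correct order ->", evaluate(good, ip), "| wrong order ->", evaluate(bad, ip))
```

The rule name returned by evaluate is what you would write to the log: a deny tagged "geoblock CN" is exactly the record you search when a resident says a message never arrived, and it tells you which address to add as an exception.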

3 – A couple of messages from our friend George in Oregon. The first is about email account compromise:

In reference to Ep 167, BEC-EAC: the latest threat to your business, George wanted to point out another risk we had not discussed.

Howdy. Another risk is that your domain could be blacklisted by other organizations if emails are considered fraudulent and unresolved:

https://www.infosecurity-magazine.com/news/oregon-state-employee-falls-for/

Oregon.gov is managed by the Oregon state government, specifically the Oregon Department of Administrative Services (DAS). Oregon county and municipal government agencies receive a lot of encrypted emails from various state agencies, which use the oregon.gov domain. “Some” of the state government employees’ accounts were compromised and used to send spam and BEC emails to their respective contacts in their email address books (including global…). Let’s just say a lot of BECs and spam. So the above article basically stated that the receiving organizations started blacklisting oregon.gov.

Here’s the funny part: the County where I work did not fall for these BECs from oregon.gov, even though the From addresses were legitimate. I obtained senior management permission to do a massive phishing test in early November 2017, and I have been conducting ongoing phishing and social engineering security awareness throughout the County. We also have a good IPS checking the incoming emails. So when the BECs from oregon.gov started in early 2018, we basically did not fall for them. Kudos to the County employees! (BTW, can’t tell you the phishing test results, but the shock value was effective enough…)

Enjoyed your podcasts! Hope to attend your boot camp one day 🙂

Take care. –George

3.2 – The next listener message is another question from George about the HHS HIPAA Remote Use Guidance:

The Covered Entity is basically responsible for determining the risk of remote/mobile workforce accessing ePHI. The Guidance also has some Possible Risk Management Strategies based on a risk scenario (real threat scenario). A Business Associate that is a cloud service provider processing EHR basically decided to interpret this Guidance as saying it is not their responsibility to provide the mitigation strategies as part of their core product/feature offerings. Instead, they provided a list of options and they will custom develop them for the Covered Entity (Washington County, in this case). I was very offended by this SaaS cloud service provider, because they are (in my opinion) strictly interpreting the HHS Guidance, stating that they are “in compliance with the HIPAA Security and Privacy Rules” by just having a userID and password (with some account settings, like lockout after 5 retries) to access the EHR. This to me means “As a BA, they are in compliance” because the Guidance does not state that the BA has to offer these mitigation strategies (this viewpoint was alluded to in the risk analysis report). If you are a cloud service provider, shouldn’t 2FA or MFA be part of your core feature set since EVERYONE is remote?  https://twofactorauth.org/#health

Just wanted to know your viewpoints on this. Thanks. –George

We understand the frustration, but technically the Guidance puts it on the covered entity: you are supposed to evaluate your own risk and decide how important a control like MFA is to your organization, and then push for it with the vendor if your risk analysis says you need it.

4 – Another regular listener, David Fessenden, sent us a great story about helium locking down iPhones at a facility.

This is a very interesting story.  We can’t wait to see how someone figures out how to use this vulnerability with Apple devices.

Some messages from our listener survey also get included in listener message episodes:

How large is the podcast community? (i.e. how many listeners tune in a month? is there a way we can connect with each other, say over a LinkedIn group, Slack channel, Forum, or another way?)

If we had time to manage something like that it would be great!  We just don’t have any more capacity right now.

Another listener message was a funny suggestion from our survey:

Add an area to ask questions and get a response immediately 😉

I say LMAO.  Actually, that is called being a Kardon client.  🙂

We also have this interesting iPhone case to watch from our friend in Jacksonville, Chris Dix.  It is too complicated to cover right now but it will show up soon.

So that is the end of the listener message reviews we can fit in today.  We hit on several topics today but that is how things happen if you want to protect the privacy and security of data.  Many days you bounce all over the realm of both topics.  Keep sending in the requests and we will do our best to keep up with them.