
Information Security News

Our thought leaders are frequently requested to offer their perspective, insights, and observations on "top of mind" security topics and trends impacting healthcare. tw-Security consultants are quoted in the following articles. 

  • 2018-02-08

    Hospital Hit With Cryptocurrency Mining Malware

    Are More Healthcare Sector Entities at Risk?
    Do healthcare entities face a growing risk of being hit with cryptocurrency mining attacks, which have become more common in other sectors? A Tennessee hospital may be the first victim in the sector, and some security experts predict many more such incidents.

    Cryptocurrency mining refers to solving computationally intensive mathematical tasks, which are used to verify the blockchain, or public ledger, of transactions.

    "Cryptocurrency miners aren't specifically seeking systems in healthcare; they compromise any system they can find."
    —Keith Fricke, partner and principal consultant, tw-Security

    Keith Fricke, partner and principal consultant at tw-Security, says cryptocurrency mining schemers "scan the Internet for systems with vulnerabilities that can be exploited, granting them unauthorized access for purposes of installing cryptocurrency mining software. This becomes a cheaper alternative to purchasing their own hardware and paying for electricity to run it. Cryptocurrency miners aren't specifically seeking systems in healthcare; they compromise any system they can find."

    Despite the growing cryptocurrency mining threat, Fricke contends that ransomware is still likely a bigger threat to healthcare entities because of the potential disruptions to care delivery as well as possible privacy breaches ransomware poses. Healthcare entities can take steps to better detect these incidents as well as reduce their risk of becoming victims of cryptocurrency mining malware attacks.

    "Cryptocurrency mining software can tax the processing capabilities of a system, leading to a degradation in system performance," Fricke notes. "Additionally, look for suspicious software services running in the system's memory. There may be some unexpected outbound traffic from the compromised server communicating computation results to an external party."

    Read More

  • 2018-02-05

    Managing 'Shadow IT' Risks in Healthcare Settings

    VA OIG Report Spotlights Some of the Challenges
    A new report from a Veterans Affairs watchdog agency on a guest Wi-Fi network that was up at a VA medical center in Florida without being fully coordinated with the VA's office for information and technology to ensure security spotlights the risks and challenges that many healthcare organizations face with so-called "shadow IT."

    Influence of the Cloud

    Tom Walsh, managing partner and founder of consulting firm tw-Security, notes that "shadow IT has always been a problem in healthcare, and with cloud-based applications/systems and software as a service, the number of shadow IT systems is growing and in most cases, unbeknownst to the CIO or director of IT." The problem is often rooted in the distributed nature of healthcare delivery, Walsh notes.

    "Traditionally, there have been certain departments that have system administrator control over their systems, even when the servers reside in the IT data center," he says. These include, for example, pharmacy departments with their medication dispensing carts; radiology departments and their radiology information systems and PACs; laboratories with their laboratory information systems; and even human resources, he points out.

    "The individuals responsible for the administration of these systems may not be a true 'IT' person by training and may not be aware of security requirements or regulations," the consultant adds. "Often, the IT department only becomes aware of shadow IT systems when a call comes in, 'I need an IP address,' or when there is a problem, 'I need your help with accessing this system'."

    Organizations need to do a better job of communicating the importance of coordination and inclusion of IT in any decision to purchase, lease or use internally developed, purchased or leased applications or systems, Walsh says. "Turf wars can sometimes interfere with what is in the best interests of the organization," he notes.

    Medical devices and IoT devices are also often among the shadow IT that falls outside the radar of health IT and security departments. Mark Dill, former information security officer at the Cleveland Clinic and a partner and principal consultant at tw-Security, says technologies such as network access controls can also aid efforts to protect networks from shadow IT and other unauthorized devices.

    "NAC tools are designed to only allow authorized assets to connect to the private network once they meet the minimum-security requirements for such things as the operating system level, patch level, correct configurations and antivirus software brand/version/update level," he says.

    In addition, engaging an organization's supply chain to flag "out of IT's view" purchases can help, Dill says. "All new systems and acquisitions - and their vendors - should be vetted pre-purchase to help ensure that the hospital's IT standards are being met or exceeded."

    Read More

  • 2018-01-31

    OCR: Take Action to Avoid Becoming a Cyber Extortion Victim - HealthInfoSec

    Agency Offers List of Steps to Take to Mitigate the Risk
    Federal regulators are warning healthcare entities and business associates to take action to prevent becoming the next victim of cyber extortion, such as a ransomware attack. "Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations," says the Department of Health and Human Services' Office for Civil Rights in a Tuesday cyber alert to HIPAA covered entities and business associates.
    Among the steps that OCR says organizations should consider taking to reduce the chances of being a victim of cyber extortion are: Implementing a robust risk analysis and risk management program; ………

    Keith Fricke, partner and principal consultant at tw-Security, says organizations can reduce the chances of being a cyberattack target by keeping up on security patches, maintaining layered security defenses and vigilantly educating users about phishing and social engineering. But the threats continue to evolve.
    "Organizations that are targets of intent still benefit from doing all these same things; unfortunately, criminals are relentless in gaining unauthorized access to organizations they are intent on breaching," he says.
    Fricke also suggests that organizations get familiar with law enforcement agencies prior to an attack. "For extortion involving the threat by criminals to post stolen data to public forums unless money is paid, organizations should have a good working relationship with local law enforcement, including the FBI," he says. "One way to do that is by participating in their local InfraGard chapter, which is a federally based organization bringing together the FBI with members of public and private section that are part of the national infrastructure." He also suggests that healthcare organizations should review their cyber insurance policies, checking the extent to which they cover extortion. Fricke warns that all healthcare entities need to realize they are potential targets for cyberattack. "Many smaller to mid-size organizations likely feel that they will not be the victim of an extortion attack in cases where information is stolen and demands made to pay money to prevent release of that information," he notes.
    "The mindset is likely one of 'we are too small' and criminals go after the larger organizations," he says. "But criminals may pursue smaller organizations, assuming they are less secure than larger ones. Some pay the ransom ... because they are not prepared to recover from data backups."

    Read More

  • 2018-01-22

    Allscripts Ransomware Attack a Reminder of Cloud Risks

    Points to Need for Clients to Have Business Continuity Plan
    A ransomware attack on electronic health records vendor Allscripts late last week is a reminder of the potential disruption to patient care delivery healthcare entities can face if a cloud-services provider suffers a cyberattack. It also points to the need for business continuity planning. 

    Healthcare organizations relying on cloud-based services need to be ready for potential ransomware and other cyber-related outages that impact patient care and other business operations, says Tom Walsh, managing partner and founder of consulting firm tw-Security. "Healthcare entities need to take a closer look at their disaster recovery and business continuity plans to make sure the plans address what to do if the cloud services are unavailable," he says. "The lack of well-written disaster recovery and business continuity plans have been and still are a common finding in healthcare. These plans are supposed to be designed around the worst-case scenario, but seldom are."

    Some cloud-based services providers also have worst-case scenario planning in mind for customers that could be impacted by ransomware attacks on the vendors, Walsh notes.
    "Some EHR vendors offer a downtime or disaster recovery service offering in the form of a copy of the database of current inpatient population to a local workstation or server," he says. "While a full-functioning EHR may not be available, there is at least enough information available at a local level to provide patient care. But plans are only effective if they are periodically tested using a different scenario each time they are tested and revised as a result of the test."

    The Risks
    Healthcare providers that rely on cloud-based services providers are often at the mercy of these vendors because their "eggs are all in one basket," Walsh adds. "Don't forget the basic concepts of business continuity and disaster recovery," he stresses. "Plan for the worst case. Develop strategies. Test plans. Revise plans and recovery strategies as needed. Disaster recovery and business continuity plans need to be reviewed frequently and not something that is written in order to check a compliance box."

    Read More

  • 2018-01-12

    Lawsuit: HHS' Patient Record Access Regulations 'Unlawful'

    Case Spotlights Confusion, Hurdles In Providing PHI to Patients
    A federal lawsuit alleges that Department of Health and Human Services regulations "unlawfully ... and capriciously" restrict the fees healthcare providers and their medical record vendors can charge for gathering and disseminating a variety of health information upon patients' requests. In court documents, CIOX Health alleges that changes implemented by HIPAA Omnibus regulations in 2013 and modified in 2016 "threaten to bankrupt the dedicated medical-records providers who service the healthcare industry……

    Obstacles and Confusion
    Complying promptly with patient record requests is complicated by the diverse array of systems that store pieces of the patient's information, including records that are often maintained in a combination of paper-based and electronic systems, says Joe Gillespie, senior privacy and security consultant at consultancy tw-Security. "Typically, it is the staff within the health information management or HIM department that responds to requests from patients for their PHI," Gillespie says.

    "The problem I've always had with the [HIPAA] term of 'designated record set' is that it may include PHI in systems that HIM staff may not have access to where some limited PHI may exist, such as cost-accounting systems, lab information systems and analyzers, radiology systems ... and pharmacy systems, etc.," he says. "And if the facility outsources this disclosure function, that company will likely have even less access. So, if a facility is asked to provide the entire 'designated record set,' the HIM staff would have to coordinate that with many other departments and that takes much more time," Gillespie says. "If electronic, depending upon the electronic medical record vendor used, these requests can be much easier to fulfill than with paper records or hybrid paper/electronic records," he notes.
    The evolution of web-based patient portals is helping to make it more convenient for patients to securely access their digital health information in a timely manner, Gillespie notes.

    However, there are limitations with portals as well. "Portals have most certainly been successful in allowing access and engaging patients with their own care," he says. However, portals - while usually offering secure means to communicate directly with clinicians - typically only provide a subset of a patient's 'designated record set,' such as immunizations, lab results, medical problem list, and medications, Gillespie notes. 

    Also, "the security of any portal has to be balanced with the ease of use," he says. "If the security is too tight - such as frequent password changes, really strong/complex password rules, etc. - patients will stop using the portal. If the rules are too weak, the portal is more vulnerable to hacking. It's a difficult balancing act."

    Read More

  • 2017-12-21

    2017 Health Data Breach Tally: An Analysis

    Experts Analyze Whether the Stats Signify Real Progress
    Compared to the mega-breaches that hit the healthcare sector in 2015 and 2016, the top 10 breaches reported for 2017 were far smaller. The 10 largest incidents of 2017 reported so far affected a combined total of just 2.6 million individuals. And as of Dec. 21, a total of 335 health data breaches impacting more than 4.9 million individuals had been added to the federal breach tally in 2017. As of Dec. 21, some 2,158 breaches affecting nearly 176.5 million individuals had been posted to that federal tally since it was initiated in September 2009. So what has led to the big drop in mega-breaches in the past year?

    "I have a few theories on this," says Keith Fricke, partner and principal consultant at tw-Security. "Perhaps after the large breaches in 2015, more organizations housing large amounts of protected health information raised the bar on their security posture, thereby reducing opportunities for criminals to exploit vulnerabilities. But it is possible that some yet-to-be-discovered large breaches are out there. Some metrics show that the average time between a hacker's first unauthorized access and when they are discovered is around 200 days, which is about 6.5 months."

    …….. Entities need to reinforce with their workforces the critical practices to reduce the risk of unintentional insider breaches, Fricke says. "As always, recurring workforce training helps keep security and privacy top of mind, which can reduce the risk of accidental incidents," he says. "Breaches caused by insiders with intent can be reduced or avoided with improved monitoring and alerting. These days, it is more practical to outsource that monitoring to a third party with resources to watch activity around the clock."

    Read More

  • 2017-12-06

    GAO: CMS Must Improve Medicare, Medicaid Anti-Fraud Efforts

    Watchdog Agency Makes Recommendations for Fighting Billing Fraud
    The Department of Health and Human Services has taken important steps to fight Medicare and Medicaid fraud, but it can further strengthen its efforts in several ways, according to a new government watchdog agency report. The Government Accountability Office estimates that in fiscal 2016, improper Medicare and Medicaid payments totaled about $95 billion.
    Fighting healthcare fraud clearly is a complex issue that requires a multifaceted approach.

    "Medicaid reimbursements are notoriously low. Crooks use this as motivation to 'game' the system," says Kerry McConnell, partner and principal consultant at tw-Security, who has previously worked in Medicaid claims processing. "Crooks get greedy and then they get flagged, caught. More training to identify fraud can't hurt, but technical tools are more effective."

    Read More

  • 2017-11-30

    DMARC in Healthcare: Lots of Work to Be Done

    Study: Little Adoption of Standard So Far to Fight Phishing Threat
    Adoption of the Domain-based Message Authentication, Reporting & Conformance - or DMARC - standard is very low in the healthcare sector, and broader use could greatly reduce phishing risks, according to a new study.

    "By design, DMARC validates an email sender and based on how DMARC records are configured in DNS, email messages not aligning with DMARC could be quarantined for further inspection or outright rejected," says Keith Fricke, partner and principal consultant at tw-Security. "Therefore, phishing attacks would likely become less successful. A reduction in phishing attacks would correlate to a decrease in ransomware, malware-infected attachments and links to malicious web sites."

  • 2017-11-28

    Lawsuit: Hospitals Lied About Providing Quick Records Access

    Complaint Alleges Dozens of Hospitals Falsely Attested to Meeting HITECH Act Requirements
    Two Indiana attorneys, frustrated by delays in obtaining patient records on behalf of clients, have filed a lawsuit against 60 hospitals in the state seeking more than $1 billion in damages. The suit alleges the hospitals that received HITECH Act electronic health record incentive payments failed to live up to the program's initial requirements for providing prompt access to records. 

    … HITECH Act requirements for hospitals in Stage 1 of the incentive program, which lasted three years, were measured by more than 50 percent of all patients receiving a copy of their information within three business days. Later, HHS replaced this objective with one requiring that patients could view, download and transmit health information online within 36 hours of hospital discharge, …

    "This is how patient portals are used to great effect for accomplishing this," says Joe Gillespie, senior privacy and security consultant at consultancy tw-Security.
    "A healthcare entity may deny a patient's request for records because the patient has not paid for healthcare services rendered. This is not allowed under the law," Gillespie says. In addition, "the healthcare entity may charge unreasonably high fees for fulfilling requests. HIPAA allows only "reasonable, cost-based fees" and provides some clarity on how those are to be determined. Many states have now enacted fee schedules that lock down what the entities may charge," Gillespie notes.

    Read More

  • 2017-11-08

    No. 1 Patient Safety Threat? Ransomware, Cyberattacks

    ECRI Institute Releases List of Top 10 Health Technology Hazards
    While dirty hospital mattresses and the failure to properly disinfect medical gear are among top safety risks posed to patients, ransomware and other cyberattacks will pose even bigger threats to patients in 2018, according to the ECRI Institute. The non-profit patient safety research organization named ransomware and cybersecurity threats as the No. 1 health technology hazard for 2018.

    Nevertheless, some organizations fail to realize that ransomware poses a threat to patient safety, says Keith Fricke, partner and principal consultant at tw-Security. For example, he notes, "those entities that have experienced ransomware events may have been inconvenienced by files getting encrypted that did not directly impact patient care." So they may not see ransomware as a patient safety issue.

    Fricke says many organizations' data backup plans are insufficient, putting them at additional risk. "In addition, those with mature backup strategies have to be wary of ransomware-encrypted files getting replicated to their offsite backups," he points out.

    Read More

  • 2017-10-25

    Ransomware in Healthcare: Time for Vigilance

    As organizations combat BadRabbit, the latest global ransomware campaign, healthcare entities in the U.S. should monitor the situation and take preventive measures to avoid becoming the next potential victim of any emerging malware, experts advise.
    Keith Fricke, partner and principal consultant at tw-Security, says the BadRabbit attacks are also a reminder for healthcare sector entities to patch systems with known software vulnerabilities and educate the workforce on phishing attacks. "In this case, BadRabbit is prompting the download and update of Flash Player that is really the ransomware," he notes. BadRabbit reportedly "can spread from computer to computer in an organization's network. Healthcare IT folks may want to consider advising users to turn their computer off at the first sign of ransomware infection messages," he says.

    Read More

  • 2017-10-18

    Hack-proofing ID and access management

    Managing user privileges is among the most basic practices in any security strategy. Establishing a process also paves the way for other tactics, like provisioning and bridging the gap between IT and HR, that can keep internal and external threats at bay. Experts divulge insights and best practices. 
    Four steps to getting started. The process of identity and access management consists of four steps, according to Tom Walsh, founder and managing partner of tw-Security. "We advocate the minimum-necessary-privacy principle," Walsh said. "The principle of least privilege, in the security world, the idea is the same: Only give access to information as it's appropriate in order for someone to do their job function."

    Read More

  • 2017-10-17

    Clinic Pays Ransom After Backups Encrypted in Attack

    A small Missouri clinic admits paying a ransom to unlock data after a ransomware attack in August encrypted patient data on a file server, as well as backups. … some healthcare entities can't afford long disruptions to patient care, so they choose to pay the ransom in hopes of a quick recovery of data. "How long it takes to recover a backup depends on two key things: how much data has to be restored and the source of the restore," says Keith Fricke, partner and principal consultant at tw-Security. "Ransomware that encrypts thousands or tens of thousands of files on network file shares can take 12 to 16 hours or more to recover. If the restore is from tape backup, that takes longer than restoring from a replicated disk-to-disk backup." Still, it may take just as long to recover encrypted data by purchasing the decryption key because the ransom has to be paid by digital currency such as bitcoin, Fricke notes. "If the organization is not set up for bitcoin transactions that can take several days to get in place," he says. In some cases,....

    Read More

  • 2017-10-04

    GAO: 24 Agencies Still Struggle With IT Security Weaknesses

    Two dozen federal agencies continue to experience security weaknesses in five critical areas, which puts government systems and data at risk, according to a new watchdog agency report. The Government Accountability Office says in its new report, Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices….

    There are a number of common reasons why organizations inside and outside of government fail to mature and improve the effectiveness of their security programs, says Mark Dill, a partner and principal consultant at consultancy tw-Security. Those reasons include "a lack of personnel or specific talent levels; complacency - 'it will never happen to us'; a lack of focus on the leading threats; too many vulnerabilities to address; a large volume of devices to protect - some are legacy and difficult to secure; missing tools; budget constraints; immature processes; and……..

    Read More

  • 2017-07-28

    Ransomware Attack Affects 300,000 Patients of Women's Clinic

    A hacker attack on a women's healthcare clinic that impacted hundreds of thousands of patients ranks as the second largest ransomware related health data breach reported to date to federal regulators.

    Keith Fricke, partner and principal consultant at tw-Security, notes recent metrics that suggest that on average, criminals have gained unauthorized access to an organization's internal network for just over 200 days before being detected.
    "For unauthorized access to a network, the delays in detection are usually because intruders try to fly under the radar," he says. In addition, many organizations do not have adequate and/or timely intruder detection methods.
    However, "in contrast, ransomware makes itself known in much shorter periods of time because criminals want to collect their ransom fee," Fricke says.

    Read More

  • 2017-07-20

    Patient Matching: The Latest Congressional Proposal Pending Legislation Calls for a Study Focusing on Medicare Patients

    The effort to improve the matching of patients to all the right records from multiple sources may get a new boost from Congress. 
    "The challenge with any database system is to maintain data integrity and eliminate duplicate records," says Tom Walsh, president of the consultancy tw-Security.
    "For example, if I have made several visits to a healthcare organization, they may have my name listed differently in their MPI database ... [including] 'Thomas Walsh,' 'Thomas R. Walsh,' or 'Tom Walsh,'" he notes. "The multiple entries occur during patient access - admissions or registration. The clerk at the healthcare organization doing the data entry during admissions or registration may be in a hurry and doesn't have the time to verify if I already exist in the database. Thus, duplications commonly occur. This causes problems not only for the patient, but also for payer organizations such as Medicare."

    Read More

  • 2017-07-14

    Feds Charge 412 in $1.3 Billion Healthcare Fraud Bust Authorities Call Takedown a Record Enforcement Action

    Keith Fricke, partner and principal consultant at tw-Security, says despite the pattern of escalating healthcare fraud enforcement actions annually, "I don't think the feds are trying to break any records; rather, they are trying to enforce laws and seeing that criminals serve time for crimes committed. In addition, reducing further fraud stems the financial burden on the government and the country's taxpayers. In this case, it also serves to reduce loss of life due to opioid abuse and overdoses while criminals profit from it."
    Nonetheless, the trend of bigger takedowns indicates at least two issues, he says. "First, it…… 

    Read More

  • 2017-06-13

    Some EHR Incentive Payment Recipients Lacked Risk Assessments Audit Finds Millions Paid Inappropriately Due to Lack of Evidence

    Although OIG found 6 percent of eligible professionals in its review sample were unable to support their attestations of conducting a security risk assessment, Keith Fricke, partner and principal consultant at tw-Security, says the actual figure among healthcare providers who have weak security risk assessment practices is likely higher.
    "It is probably a safe bet to say that more than 6 percent do a poor job of conducting or documenting security risk assessments, but I don't know how much higher the metric is," he says. "Some organizations don't fully understand what a risk assessment involves. Others may conduct a risk assessment and document the findings but take no action on addressing findings. I often see documentation that states it is a risk assessment, when in fact, it is really a HIPAA gap analysis. Those are two very different things."……

    Read More

  • 2017-06-05

    Analysis: Are HHS Cybersecurity Recommendations Achievable? Experts Sort Through New Task Force Report

    A new Department of Health and Human Services report to Congress containing more than 100 recommendations for how healthcare can better address cybersecurity threats is stirring debate over whether smaller organizations will be able to take the recommended actions.

    "Even though the task force did not have much representation from small and rural providers, I was impressed with the numerous references to small and rural providers and the suggestions for helping them," says Tom Walsh, president of the consulting firm tw-Security. "The task force gets it. Folks that reside inside the Washington D.C. beltway often forget that the majority of healthcare in our country is delivered in small or rural settings."
    For instance, the report notes: "We recommend that industry create more low-cost, managed security service provider models to support smaller and under-funded entities in order to ensure that they have the same level of robust, state-of-the-art security monitoring, defensive, and reporting capabilities as larger healthcare organizations."

    This would allow healthcare organizations to leverage resources and expertise, "such as a shared security official, and will create economies of scale. MSSPs would be better resourced to engage in information sharing activities, such as Information Sharing and Analysis Organizations," the report adds.

    The report recommends that the federal government "should evaluate incentive options, such as grants and tax incentives, to encourage more MSSPs to achieve economies of scale to support small and medium-size health care providers."

    Read More

  • 2017-05-10

    HIPAA breach fines: It's time to rethink this mess

    There has to be a more sustainable way to get hospitals to put information security controls in place than taking millions out of operating budgets.
    When the Department of Health and Human Services Office for Civil Rights slaps hospitals with a hefty fine for a data breach, from where does that money ultimately come?
    Tom Walsh, founder and managing partner of tw-Security, contends that since IT is widely viewed as a cost center, and information security, in turn, is overhead to IT, it’s among the first things executives cut from the budget.
    “Fining an organization is like me tying one of your hands behind your back and saying ‘now get out there and fight the good fight,’” Walsh said. “Don’t tie their hands behind their back.” ……

    Read More

  • 2017-05-01

    Doctors Regain EHR Access After Ransomware Targets Vendor

    A recent ransomware attack on electronic health records and practice management software vendor Greenway Health, which affected several hundred physician group practices using its cloud-based applications, is a reminder to all healthcare providers of the risks that vendors can pose.

    Keith Fricke, a partner and principal consultant at tw-Security, notes that most ransomware attacks in healthcare that make headlines tend to be "about the malware infections at hospitals" and not so much about cloud providers. …… "It is possible for ransomware to encrypt files of a cloud-based system if a system administrator has a drive mapping to the backend file system for support purposes." ….

    Read More

  • 2017-04-19

    HHS Watchdog Agency Issues Phone Scam Warning

    HHS-OIG, which is ironically the federal watchdog agency whose stated mission is "to fight waste, fraud, and abuse in Medicare, Medicaid and more than 100 other HHS programs" has become an unwilling party involved with the scam.

    ….If that caller has a way of using the credentials for data access, a breach may result, says Keith Fricke, a partner at tw-Security. "Imagine if a caller pretended to be an IT person and told the person answering the call there was a system problem the day before and IT is checking to make sure the issue is fixed. 'Could I have your username and password to check the system?,'" Fricke says. "Note that an organization's help desk needs to be on their toes too. A fraudulent caller could pretend to be an employee having trouble remembering their password and ask for it to be reset. The help desk staff should have procedures to validate a caller's identity." To help avoid falling victim to these schemes, "be wary of .....

    Read More

  • 2017-04-01

    tw-Security is pleased to welcome our newest 'Rock Star'!
    Richard Free, CISSP, CISM, Security Consultant

    Richard has over 20 years of experience in IT, information security, and management specializing in clinic operations (FQHC) and physician practices.

  • 2017-03-28

    FBI Warns Healthcare Entities of Threats to FTP Servers

    The FBI is warning the healthcare sector to step up security of its file transfer protocol servers as cybercriminals step up attacks targeting FTP servers running in anonymous mode.
    Keith Fricke, principal consultant of tw-Security, says the anonymous FTP mode puts data at risk because it means that a named account is not required to log into the FTP service. "A default anonymous account may have a known default password," he says. "This makes unauthorized access easy once an intruder discovers the FTP service exists." …..

    Read More

  • 2017-03-13

    Breach Tally: Hacking Incidents Still on the Rise

    So far in 2017, hacking incidents continue to affect the largest number of individuals impacted by major health data breaches. As of March 9, 50 major breaches impacting 424,286 individuals have been added to the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of major breaches affecting 500 or more individuals.

    Security expert Tom Walsh says it's important to learn from the mistakes of others. His firm regularly reviews the corrective action plans that are part of HIPAA violation and breach investigation settlements posted on the OCR's website "to look for the reasons cited by the OCR for fines." Walsh notes that the most common reasons given by the OCR for financial settlements and fines are failure to:…..

    Read More

  • 2017-03-10

    Study: 68 percent of healthcare organizations have compromised email credentials

    Hackers gain access through phishing and key-logging attacks. The Evolve IP report found that more than 76 percent of these stolen passwords can be found on the dark web.
    More than two-thirds of healthcare organizations have employees with compromised email credentials, according to a new study from Evolve IP, a cloud services provider.

    Dual-authentication or two-factor authentication is the one method that can prevent a cyber breach from happening, according to Tom Walsh, founder and managing partner of tw-Security. And users must also be held accountable for their actions.
    "We're trying to advocate a principle of privacy: It's called the minimal necessary privacy," Walsh said. "The principle of least privilege, in the security world, the idea is the same: Only give access to information as it's appropriate in order for someone to do their job function."

    Read More

  • 2017-03-06

    $60 Million Fraud Case Involves Hospice Patients' EHRs

    Federal prosecutors have filed criminal charges against 16 individuals who were allegedly part of a $60 million Medicare and Medicaid fraud case involving falsifying electronic health records of hospice patients to bill for care they did not need. Keith Fricke, partner and principal consultant of tw-Security, notes that in the case against Harris and his co-conspirators, the alleged fraud involved the sharing of logon accounts and passwords.....

    Read More

  • 2017-03-02

    OIG: HHS Making Info Security Progress, But Still Has Gaps

    Many of the ongoing HHS security weaknesses identified in the HHS Office of Inspector General's fiscal 2016 review of HHS compliance with the Federal Information Security Modernization Act of 2014 - including those related to continuous monitoring, configuration management and identity and access management - are also common at many healthcare organizations, some security experts say.

    "Real-time monitoring is a necessity," says Keith Fricke, partner and principal consultant at tw-Security. "Hundreds or thousands of digital events take place in an organization's computing environment every minute. Identifying events of concern amidst that volume is not possible for IT staff to do manually. You can't respond, contain and remediate these bad events if you can't detect them in the first place.".......

    Read More

  • 2017-01-07

    A New In-Depth Analysis of Anthem Breach - Insurance Commissioners Conclude Nation-State Involved, Reach Settlement with Insurer

    Seven state insurance commissioners, in a new report on their investigation into the massive cyberattack against health insurer Anthem Inc. in February 2015, offer a detailed account of what happened in the incident, which began with a phishing campaign...

    Lessons Learned:
    Keith Fricke, principal consultant at tw-Security, adds: "There are no guarantees that social engineering awareness training will 100 percent prevent successful social engineering attacks, but it will help reduce the risk. Using and maintaining advanced malware protection and patching security vulnerabilities remain important as risk management measures."

    Read More

  • 2016-12-30

    tw-Security is pleased to introduce John Cathey, MBA, CBCP, PMP, tw-Security Principal Consultant! 

    John has over 15 years of experience in tactical disaster recovery, business impact analysis, and high availability strategy design and implementation. He is a Certified Business Continuity Professional (CBCP) and Project Management Professional (PMP).

    View PDF

  • 2016-12-28

    Mark Dill - Top Healthcare IT Expert

    Mark Dill, tw-Security Partner and Principal Consultant

    Recognized by Health Data Management magazine as one of the '50 Top Healthcare IT Experts' in December 2016.

  • 2016-12-22

    Major Breach: Insurer Blames System Integrator

    Community Health Plan of Washington, a not-for-profit insurance company, says a security vulnerability on the computer network of a business associate that provides it with technical services resulted in a breach affecting nearly 400,000 individuals.

    Keith Fricke, partner and principal consultant at tw-Security, notes that "news of this [CHPW] breach aligns with metrics HHS publishes each quarter identifying that roughly 30 percent of reported healthcare breaches are due to business associates."…..
    Fricke advises healthcare organizations to "start with risk analyses on business associates that have direct remote access into your network or are vendors to whom you have entrusted the storage or processing of large amounts of PHI. Also, make sure cyber …..

    Read More

  • 2016-12-22

    2016 Top 50 Healthcare Experts

    Health Data Management released their 2016 list of the top 50 healthcare experts in the field on December 22, including tw-Security's own Mark Dill, CISM, CRISC. View the full list on

    Read More

  • 2016-12-19

    L.A. County: Major Breach Stemmed from Phishing Attack

    The County of Los Angeles is notifying 756,000 individuals of a breach that occurred five months ago stemming from a phishing scheme that tricked more than 100 county employees. Bank account and payment card information, Social Security numbers and health-related ...... 

    A Growing Problem
    Keith Fricke, partner and principal consultant at tw-Security, says a key to educating users about phishing includes conducting "periodic internal phishing campaigns to track click metrics and provide awareness training to those falling victim to the tests."…..

    Read More

  • 2016-12-08

    HHS Offers Tips on Mitigating DDoS Risks

    The latest cyber alert spells out critical steps to take to prevent falling victim to distributed denial-of-service attacks. To illustrate the risk DDoS attacks pose, the alert makes reference to an arrest tied to the 2014 DDoS attack on Children's Hospital of Boston and also the October internet of things-related botnet attack on internet service provider Dyn, which reportedly affected some electronic health record vendors' websites.

    DDoS attacks could also become more sinister, says Keith Fricke, partner and principal consultant at tw-Security. "DDoS attacks resemble ransomware in the sense that both prevent access to information," he says. "Criminals could sustain a DDoS and demand a ransom to stop" in order to…..
    Fricke adds another tip to the OCR Action List. "Get in the habit of downloading security patches and keep them on file even if you aren't able to….

    Read More

  • 2016-12-07

    HIMSS Privacy & Security Forum, Boston, MA

    What a great conference! A big thank you to HIMSS for inviting Tom Walsh and Mark Dill to present at The HIMSS and Healthcare IT News Privacy & Security Forum in Boston, Dec. 5-7.
    The photo is of Mark describing a playbook flowchart during his “Cybersecurity Incident Response: How to Survive an Attack” session. Tom presented on “Best Practices in Identity and Access Management”. 

  • 2016-11-21

    OIG: HHS Needs to Push Secure Health Data Exchange

    In its report, the HHS Office of Inspector General identifies 10 top management and performance challenges facing HHS as it strives to fulfill its mission "to enhance the health and well-being of Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health and social services."

    Read More

  • 2016-11-17

    What Happens to Data, Systems If Obamacare Is Repealed?

    If President-elect Donald Trump fulfills a campaign promise of repealing Obamacare - which could result in the dismantling of and state health insurance exchanges - great caution will be needed to protect the data of millions of consumers contained in those systems.

    Read More

  • 2016-10-18

    Hack-proofing ID and Access Management

    Managing user privileges is among the most basic practices in any security strategy. Establishing a process also paves the way for other tactics, like provisioning and bridging the gap between IT and HR, that can keep internal and external threats at bay.

    Read More

  • 2016-09-20

    Healthcare Insider Crime Cases Spotlight Challenges

    Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats.

    Read More

  • 2016-09-12

    Report on VA Contractor Security Weaknesses Offers Lessons

    A watchdog agency report highlighting data security violations by a Department of Veterans Affairs medical contractor offers a reminder to all healthcare organizations about similar risks their business associates can pose - especially if BAs are inadequately monitored.

    Read More

  • 2016-08-22

    Feds Plan to Investigate More Healthcare Breaches

    The HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.
    In September 2015, the HHS Office of Inspector General recommended that OCR begin posting smaller data breaches on its public web site, and OCR now is doing that. The site previously only listed breaches affecting 500 or more individuals.

    Read More

  • 2016-07-27

    Athens Orthopedic Clinic Confirms Dark Overlord Attack, Data Was Offered for Sale on the Dark Web

    A Georgia-based orthopedic clinic has confirmed it's one of the victims of cyberattacks by a hacker calling himself "The Dark Overlord". The hacker recently posted for sale on the dark web copies of databases he claims contain 10 million records stolen from four U.S. healthcare sector organizations.

    Read More

  • 2016-07-21

    Preventing Breaches Involving Personal Email

    A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email.

    Read More

  • 2016-07-08

    Security 'No. 1 Priority' in VA IT Transformation, Mid-Year Report Spotlights Initiatives to Protect Vets' Data

    Read More

  • 2016-06-22

    Largest Joint HHS, DOJ Takedown

    Charge 301 Individuals in $900 Million Healthcare Fraud 'Sweep', Doctors, Nurses Among Those Arrested in Largest Joint HHS, DOJ 'Takedown' to Date

    Read More

  • 2016-06-14

    Will HITRUST and the AIS Federal Program Enable Easy Sharing of Security Info?

    HITRUST, an industry consortium that enables healthcare stakeholders to collect and share cyber threat information, has real value, but this year a free threat-sharing service, called Automated Indicator Sharing, or AIS, was created by the Department of Homeland Security's Cyber Information Sharing and Collaboration Program. Some fear that having two separate security analysis initiatives may not result in reductions in cyber threats.

    Read More

  • 2016-06-09

    Monitoring of Medical Device Security to Be Scrutinized; OIG Also Criticizes Washington State Health Insurance Exchange's Security Measures

    A federal watchdog agency has updated its priorities for security-related reviews of Department of Health and Human Services' agencies and programs this year. For example, it now plans to investigate whether monitoring of medical device security controls is adequate. It also separately issued a review of the Washington state health insurance exchange, citing several security weaknesses, including vulnerability scanning, that could potentially put sensitive data at risk.

    Read More

  • 2016-06-08

    OCR: Step Up Patching of Third-Party Apps; Cyber Awareness Notice Focuses on Risks, Mitigation Steps

    Read More

  • 2016-06-02

    NFL Players' Medical Information Stolen, But Laptop Theft Incident Likely Not Covered Under HIPAA

    Read More

  • 2016-05-31

    Analysis: HHS Precision Medicine Security Framework, Is It Enough to Safeguard Sensitive Patient Data?

    Read More

  • 2016-05-31

    Ransomware: Healthcare Fights Back, Regulator, Lawmakers Mull New Steps to Protect Targeted Entities

    Read More

  • 2016-05-23

    Risky data practices jeopardize providers' security

    Read More

  • 2016-05-16

    Hacker Attacks in Healthcare

    What's Changed in 2016 So Far? Hacks Are Still Common, But Fewer Patients Affected

    Read More

  • 2016-05-11

    Transcribed Medical Records Exposed on the Web

    Transcribed Medical Records Exposed on the Web; Experts Offer Insights on How to Avoid Similar Security Blunders

    Read More

  • 2016-04-28

    Medicare's New Physician Payment Plan

    Medicare's New Physician Payment Plan: Impact on Security, Analyzing Proposal to End Part of HITECH Act's EHR Incentive Program

    Read More

  • 2016-04-19

    Healthcare Portals, Patient Photos Pose Possible Data Security Gaps, Information Management

    Read More

  • 2016-02-26

    Anthem Breach: Lessons One Year Later What Others Can Learn About Breach Prevention, Detection and Response

    Read More

  • 2016-02-22

    10 Steps to Reduce Your Ransomware Risks, Health Data Management

    Read More

  • 2016-02-18

    Hollywood Hospital Pays Ransom to Unlock Data, 9 Steps to Take to Avoid Being the Next Extortion Victim

    Read More

  • 2016-01-27

    Health providers extend their embrace of the cloud

    Read More

  • 2016-01-26

    Hard Drives Lost, Affecting Nearly 1 Million

    Read More

  • 2016-01-13

    If EHR Incentive Program Ending, What's Next?

    Read More

  • 2015-11-19

    Email Breaches Lead to 'Wall of Shame'

    Read More

  • 2015-11-11

    Clinic Breach Involved Authorized User

    Read More

  • 2015-10-28

    When Should IT Security Be Outsourced?

    Read More

  • 2015-10-27

    Texas Mental Health Center Hacked

    Read More

  • 2015-10-08

    Analyzing ONC's Interoperability Roadmap

    Read More

  • 2015-10-08

    Risk Analysis, Encryption Stressed in HITECH Act Final Rules

    Read More

  • 2015-10-02

    Obstacles to HDEP

    Privacy, Security Obstacles to Health Data Exchange Persist (GAO report on interoperability), October 2, 2015

    Read More

  • 2015-09-24

    OIG: Obamacare Data Repository Had Security Flaws

    OIG: Obamacare Data Repository Had Security Flaws (OIG report on HHS database security flaws)

    Read More

  • 2015-09-22

    Analysis: HHS' Revised Strategic Health IT Plan (Feedback on the Federal strategic health plan)

    Read More

  • 2015-09-21

    3 Ways to Reduce Danger of Getting Hacked

    Read More

  • 2015-09-17

    The Best Defense: How to Prevent a Hacking

    Read More

  • 2015-08-13

    How Should DoD Secure Health Records?

    Read More

  • 2015-08-11

    Is Your Entity More Secure than HHS?

    Read More

  • 2015-08-03

    EHR Cyberattack Affected 3.9 Million

    Read More

  • 2015-07-28

    Keeping Old Patient Data from Causing HIPAA Headache

    What happened to the old servers, retired medical equipment, personal digital devices, pagers, copiers, fax machines, printers, floppies and disks, tape reels and other technologies that held protected health information and are no longer used? Do you have documentation in-house or from the contractor showing a chain of custody and proof that the PHI on these devices no longer exists? Is there proof that destruction followed best practice guidelines from the National Institute of Standards and Technology?

    Read More

  • 2015-07-07

    Preventing Insider Breaches at BAs

    Preventing Insider Breaches at BAs (breaches involving business associates)

    Read More

  • 2015-06-26

    Shoring Up Security

    Read More

  • 2015-06-11

    Survey Shows Compliance Overconfidence

    Survey Shows Compliance Overconfidence, June 11, 2015

    Read More

  • 2015-05-18

    What The Departure Of ONC's DeSalvo Would Mean For Health IT

    What The Departure Of ONC's DeSalvo Would Mean For Health IT, May 18, 2015

    Read More

  • 2015-04-17

    What "HIPAA-compliant" really means

    Read More

  • 2015-04-15

    Top 10 Things to See and Do at HIMSS2015 (Attend "What Does 'HIPAA Compliant' Mean?")

    Read More

  • 2015-04-13

    Why Data Breach Prevention Will Steer HIMSS15

    Read More

  • 2015-03-27

    Hacker Attacks: InfoSec Strategy Impact

    Read More

  • 2015-03-24

    Analysis: HITECH Stage 3 Security Rules

    Read More

  • 2015-02-17

    HIPAA preparation: An expedition without end

    Read More

  • 2015-02-12

    HIPAA preparedness: A journey without end

    "A good compliance officer's job is to make sure that through this journey, you're staying on the right tracks."
    When Tom Walsh became the first information security manager for a large, multi-hospital system in Kansas City in 1992, people outside the organization had little idea of what the job entailed.
    "Since then, my goal has been to have one boring day — but it has never happened," says Walsh, founder and CEO of tw-Security, a firm focused on protecting clients' information resources.
    Walsh will moderate "Navigating the Practical and Legal Aspects of HIPAA," an all-day workshop, on April 12 at HIMSS15 in Chicago.
    He describes the pursuit of HIPAA compliance as a "perpetual journey" shaped at times by new technology and data-sharing requirements that didn't even exist when the rules were finalized.
    For example, according to the National Institute of Standards and Technology, a security risk assessment should be conducted…… 

    Read More

  • 2015-01-26

    Reporting HIPAA Breaches

    Reporting HIPAA Breaches: A New Approach, January 26, 2015

    Read More


Latest News