Blog

October 31st, 2012

FrankenStorm Sandy

Day 4 of SANDY Recovery continues.

If you need emergency IT support, new computers, temporary email or anything else, please contact me.

———

TIPS OF THE DAY:

Tip #1: Check your INSURANCE POLICY for UTILITIES INTERRUPTION RIDER.

Tip #2: Several clients are getting new computers that will be paid for by the insurance company.

———

JOKE OF THE DAY:

NYC has a NEW COCKTAIL!

A guy walks into the bar and says “Barkeep, Give me a SANDY!”
Bartender: What’s a Sandy?
Customer: You know, a WATERED DOWN Manhattan :-P

——

Day 3 Update

Brainlink Crisis Contact Info
support@brainlink.com
Raj – 917-685-7731

Day 3 of SANDY Recovery continues. Most of our clients are back online (the rest will be, whenever ConEd restores power).

If you (or people you love) need assistance of any type – food, transport, IT support, etc. – please contact me.

RECOMMENDED RESOURCES #3

1) FLEXIBLE OFFICE SPACE in Manhattan

We’re getting a lot of requests for OFFICE SPACE IN MANHATTAN outside the blackout zones.
I recommend OFFICELINKS – www.officelink.com or email contact@officelinks.com

2) TRANSPORT

The MTA has published the schedule and a map of the active Subway & LIRR lines:
Schedule: http://www.mta.info/sites/default/files/pdf/StormNov1SubServiceA103112.pdf
Map: http://www.mta.info/sites/default/files/pdf/HurricaneRecoveryMapOct312012.pdf

3) FOOD

Wazi, CEO of LetsOrderNow.com is providing food to anyone/everyone who requests it.
Contact Wazi at 1.212.OrderNow (673.3766)
wazi@letsordernow.com

Funny Picture of the Day


Day 2 BRAINLINK UPDATE:
All our clients who are not in the ConEd/LIPA power outage areas are back online!

So, if you or your office needs help, give me a call. We can assist.

We’re also working with vendors to get special deals and offers for UPSes, new Servers, etc.

-Raj Goel

917-685-7731

raj@brainlink.com

RECOMMENDED RESOURCES:
Here are some resources for business owners who need help:

1. Low-Interest Loans for Disaster Recovery: Both the SBA and the USDA provide low-interest loans to business owners to help them repair and replace property and equipment that have been destroyed by the hurricane. Disaster assistance is available through the U.S. Small Business Administration (SBA): http://www.sba.gov/content/disaster-assistance

2. Economic Injury Disaster Loans: These loans are available for businesses that suffer “substantial economic injury.” http://www.sba.gov/content/economic-injury-disaster-loans

3. Free Legal Services: There are free legal services available for your business through FEMA for areas the President declares a disaster to help provide you legal assistance with filing insurance claims, landlord issues, etc. Additional information on this can be found at: http://www.fema.gov/additional-assistance and http://www.disasterlegalaid.org/

4. Tax Relief: For areas that the government federally declares a disaster, business owners can apply for tax relief, which allows for expedited refunds or delayed tax filings. Additional information on these programs can be found at: http://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/Disaster-Assistance-and-Emergency-Relief-for-Individuals-and-Businesses-1

5. Online Questionnaire and Application for Assistance: Business owners can fill out an online questionnaire to see which types of assistance they qualify for, and fill in an online application, by going to: http://www.disasterassistance.gov/

6. Instructions on Cleaning Up after a Hurricane: The Centers for Disease Control and Prevention (CDC) has provided instructions on cleaning up your office after a hurricane, such as how to remove drywall, clean surfaces, etc. This can be found at: http://www.bt.cdc.gov/disasters/floods/cleanupwater.asp

NEW YORK HAS A NEW T-SHIRT

http://media.caglecartoons.com/media/cartoons/127/2012/10/30/121390_600.jpg

———

BEST JOKE HEARD YESTERDAY:

They should have called the storm A-Rod.
Why?
That way, it wouldn’t have hit anything :-)

October 28th, 2012

As you prepare for the storm, you should ensure you have the following:

1) Primary & alternative contact information for all your employees and your family members (cell phones, home phones, alternate phones)

2) Primary & backup email info – in case your primary email service goes down, do you have an alternate?

3) Skype, LinkedIn, Facebook or other social media connections. As we learned from 9/11, Katrina, etc., the CELL & VOICE telephone networks can get overwhelmed. Make sure you have alternate means of communicating with people. Phones get overloaded – the Internet usually does not.

4) Do you have a photocopy of BOTH the FRONT & BACK of all the CRITICAL documents in your wallet, stored in a safe location – photocopies of your driver’s license, SSN card, health card, dental card, credit cards, etc.? In case your wallet is lost, stolen or damaged, you can use the paper copies to request replacements.

5) Do you have good, tested, onsite and offsite backups?
While preservation of human life is most important, preserving your personal & commercial information is also important. We’ve found that MOST BACKUP SOLUTIONS simply do not work…because people do NOT test them.

Make sure you have good, tested backups.

6) If we have severe flooding, subway/bus shutdowns, do you & your staff know to STAY HOME / WORK FROM HOME Mon & Tuesday?

My staff has been instructed to
A) take care of themselves & their families
B) work from home (ONLY if they are safe, there are no health & safety issues)
C) Assist others.  If you’re safe, and your neighbors aren’t – lend them a hand.

Have you communicated that to your staff? A day of downtime is cheaper than endangering staff.
Telecommuting dramatically decreases downtime and increases productivity.

If you need help in getting any of this done, feel free to contact me.

Also see What’s the Difference between Disaster Recovery and Business Continuity?

Here’s a 3d Model of Sandy’s RAIN TOWERS –

August 7th, 2012

1) Oct 11 – NYCLA CLE – Ethical Issues in E-Discovery and the Cloud: How to Balance E-Discovery Requirements and Cloud Computing Challenges with Ethical Compliance
2) Oct 12 – AAPI-QLI Meeting – What should Medical Practices know about HIPAA/HITECH Compliance
3) Oct 23 – Cyberhood Watch Radio interview – www.chwradio.com
4) Nov 1 – Long Island Association of Certified Fraud Examiners – Social Media & Cloud Computing Threats to Privacy, Security and Liberty

August 3rd, 2012

In March 2012, BCBS of Tennessee agreed to pay $1.5M for HIPAA data breaches. BCBS of Tennessee had failed to encrypt hard drives containing voicemail files.

Is YOUR medical practice encrypting the hard drives and flash drives embedded within:

  • Laptops
  • Desktops
  • Servers
  • Copiers
  • Voice mail systems
  • And other smart systems?

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.



August 3rd, 2012

New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy

Still think HIPAA compliance is strictly for the big guys?

Still think your small medical practice or medical billing business is safe from hackers, criminals and litigators?

From the Wall Street Journal:
The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

- http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm%E2%80%99s-collapse/


$100,000 Fine Levied on Physician Group

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

- http://www.jdsupra.com/post/documentViewer.aspx?fid=28efff74-2781-485c-b366-d75563ca0e8f



August 3rd, 2012

By Catherine G. Patsos, Esq.

Earlier this year, the Department of Health and Human Services (HHS) cited EHRs as one of the agency’s top priorities in its regulatory agenda for 2012. Yet according to a recent study released by Computer Services Corporation (CSC), many providers are not ready to meet the recently proposed requirements of Stage 2 Meaningful Use (MU).

In its regulatory agenda, HHS states that it “continues to encourage health care providers to become meaningful users of health information technology by accelerating health IT adoption and promoting electronic health records to help improve the quality of health care, reduce cost, and ultimately, improve health outcomes.”

According to the CSC study, however, eligible providers (EPs) either deferred or were exempted from several Stage 1 MU requirements. Many of these requirements related to improving care coordination and patient involvement, which are measures that will likely be required for Stage 2 MU. Specifically, medication reconciliation, providing patients with access to electronic health information and providing summary records at transitions in care were among the requirements most often deferred by EPs.

Some of the biggest challenges for EPs in Stage 2 will be allowing patients to review and download their electronic health information and transmitting summary-of-care records at transitions of care. According to the CSC study, only 12% and 24%, respectively, were prepared to fulfill these requirements. There has also been much criticism of the proposed Stage 2 requirement that at least 10% of patients view their own electronic health information, because fulfilling this requirement is not within providers’ control.

The CSC study recommends that providers not wait until the Stage 2 final rule is issued to begin to operationalize Stage 2 MU requirements, particularly with regard to engaging patients and coordinating care. Specifically, the CSC study cites three areas in which providers should begin building capabilities:

  1. Providing patients access to electronic health information;
  2. Establishing means to communicate with patients electronically; and
  3. Exchanging patient information at transitions of care.

The CSC study can be accessed at http://assets1.csc.com/health_services/downloads/CSC_Moving_Ahead_with_Stage_2_of_Meaningful_Use.pdf.

Catherine Patsos is a health care attorney with extensive experience in representing health care providers. She concentrates her practice in health care reimbursement, regulatory and compliance matters, and fraud and abuse issues. For more information, visit www.healthcarelawllc.com



August 3rd, 2012

For many medical practices, the default answer is “more of the same”.

That’s also the wrong answer.

In November 2011:

  • NIST (National Institute of Standards and Technology) released the HIPAA Security Rule toolkit
  • The Joint Commission (JCAHO) issued guidance stating health care professionals should not use text messaging for orders
  • US Dept of Health and Human Services (HHS) released updated HIPAA enforcement highlights

In the past few weeks:

  • HHS fined a 2-physician cardiology group $100,000 for HIPAA violations
  • A national medical records company declared bankruptcy due to HIPAA penalties.
  • The HHS wall of shame grew significantly larger.

If you haven’t had a HIPAA Security Rule-mandated Information Security Compliance Audit within the past 24 months, let’s talk. If you have questions about what your employees, contractors and Business Associates can and cannot do with patient data, let’s talk.

In the past 12 months, we:

  • Conducted an in-depth HIPAA compliance audit for a major RHIO (Regional Health Interchange Organization) in NYC
  • Assisted several IT firms in conducting IT Security and Compliance audits for their clients
  • Educated several thousand CISSPs in Privacy and Security challenges with Cloud Computing across the USA
  • Provided Ethics CLE and CPE training to several hundred attorneys and accountants

If you have questions about Data Privacy, Computer Security, HIPAA/HITECH, PCI-DSS, RED FLAG or other compliance issues, call me at 917-685-7731 or email raj@brainlink.com

If you want to really grow your practice in this economy, let’s meet.



August 3rd, 2012

On March 1st, Google implemented a new, unified privacy policy that affects the browsing history and information Google has on you, both past and present. Prior to this change, your Google history of the searches you made and sites you visited was not shared with Google’s other services, particularly advertisers. Naturally, Google is one of the biggest media and marketing companies in the world, and your preferences and search information are pure gold from a marketing standpoint. Marketers armed with that information would know exactly what products and services to display to you as you use the search engine.

However, your search history can reveal a lot about you including details on your location, interests, age, sexual orientation, religion, health concerns and more. If you want to keep Google from combining your web history with the data they have gathered about you in their other products, such as YouTube or Google Plus, you may want to remove all items from your web history and stop your web history from being recorded in the future. To do this, sign into your Google Account and go to the “History” section, then select “Remove All History.”

Of course, clearing the web history in your Google account will not prevent Google from gathering and storing your preferences, searches and information and using it for internal purposes. It also does not change the fact that any information gathered and stored by Google could be obtained and used against you by law enforcement.

With web history enabled, Google will keep these records indefinitely; with it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented. This brings up a whole other topic of what kind of information should you post about yourself (or store) online.

If you would like to learn more about how to protect yourself, your kids and employees from Social Media, then watch the video at http://www.brainlink.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/



August 3rd, 2012

According to surveys of U.S. and U.K. matrimonial attorneys, more and more of them are asking (or requiring) their clients to disclose Facebook, Twitter, LinkedIn, and other social media credentials to the attorney at the start of the case. The retained counsel has no wish to be surprised in court by finding out that his or her client said or posted things online that are detrimental to the case.
As a Cyberforensics consultant, I ask the following questions when working with lawyers, in order for my clients to get the best results possible when fighting matrimonial cases:

  1. Does your client (the wife, husband or partner) have a legal right to the computer or smartphone? If the device is jointly owned, then we can image and analyze it. If the device is owned by the other person’s employer, or is somehow construed as private property, then we do not have the legal right to analyze it without a court order.
  2. Has a PRESERVATION LETTER been issued to the opposing side?
  3. Has either side retained an expert to acquire multiple copies of legally compliant forensic images? If both sides agree that the image is forensically sound, then both sides can invest resources in evidence analysis, not re-acquisition.
  4. How many devices are owned by the couple? Computers, laptops, smartphones, etc.
  5. Do they have any shared passwords to email, online banking, Facebook, LinkedIn, etc.? If yes, then we ask the attorney retaining us to determine (and advise us in writing) whether their client still has a legal right to those passwords, now that the divorce process has started.
  6. What are we looking for? Financial records? Evidence of online romances? Deleted files and documents? The best way to minimize forensics costs is to limit what we need to look for. Every client has something to hide. Guide your forensics investigator – frame the request as narrowly as possible. For example, “find me financial records” or “we suspect he’s hiding funds offshore” or “she’s got a shopping addiction” or “we suspect he’s having an affair.”
  7. Has anyone used non-forensic software to try to undelete files, or used a non-forensic computer technician to gather evidence? If so, then there’s a possibility that the evidence is spoiled and cannot be used in court. Based on my experience, even when the evidence cannot be presented in court, it often results in negotiated settlements.
  8. Is there any suspicion of child pornography (CP) on the device(s)? Under current Federal laws, if we encounter more than three items of CP, we are legally obligated to stop work and report it to the FBI, Secret Service and ICE. Unlike any other form of evidence, mere possession of CP by an attorney (or their consultants) is illegal under federal law, and attorneys have been prosecuted for possessing CP while they were conducting research on behalf of their clients. See the case of Attorney Leo Thomas Flynn at http://www.brunolaw.com/prosecution-serves-as-warning.html
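Question 3 above turns on both sides being able to show that their copies of an image are bit-for-bit identical. As an added illustration (not the author’s tooling), the following Python records an image’s digests at acquisition, verifies each working copy against that manifest, and reports where a damaged copy first diverges; the file names and sample image data are constructed.

```python
"""Forensic image integrity check: hash an acquired image once, keep the
digests as a manifest, and confirm every working copy matches exactly.
Added illustration only; file names and image contents are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images fit in memory


def hash_image(path):
    """Return sha256, md5 and size for an image file, hashed in chunks."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
            size += len(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest(), "size": size}


def verify_copy(copy_path, manifest):
    """Compare a copy against the manifest recorded at acquisition.
    Size is checked alongside both digests so a truncated copy is reported
    differently from a corrupted one of the same length."""
    actual = hash_image(copy_path)
    problems = [k for k in ("size", "sha256", "md5") if actual[k] != manifest[k]]
    return {"ok": not problems, "mismatched": problems, "actual": actual}


def first_divergent_offset(path_a, path_b):
    """Byte offset at which two images first differ, or -1 if identical.
    Useful when a copy fails verification and you need to show where."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                common = min(len(a), len(b))
                for i in range(common):
                    if a[i] != b[i]:
                        return offset + i
                return offset + common  # one file ended early
            if not a:
                return -1
            offset += len(a)


def demo():
    """Constructed sample: an 'acquired' image, a faithful copy, and a copy
    with one byte flipped. Returns the verification results for each."""
    image = bytes(range(256)) * 8192  # 2 MiB of deterministic, constructed data
    flip_at = 1_500_000
    with tempfile.TemporaryDirectory() as d:
        orig, good, bad = (os.path.join(d, n) for n in ("acq.dd", "copy1.dd", "copy2.dd"))
        with open(orig, "wb") as f:
            f.write(image)
        with open(good, "wb") as f:
            f.write(image)
        damaged = bytearray(image)
        damaged[flip_at] ^= 0xFF
        with open(bad, "wb") as f:
            f.write(damaged)
        manifest = hash_image(orig)  # recorded once, at acquisition time
        return {
            "good_ok": verify_copy(good, manifest)["ok"],
            "bad_ok": verify_copy(bad, manifest)["ok"],
            "bad_mismatch": verify_copy(bad, manifest)["mismatched"],
            "good_offset": first_divergent_offset(orig, good),
            "bad_offset": first_divergent_offset(orig, bad),
        }
```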

Below are several case studies that illustrate the above points:

  1. In one case, the family kept using the shared computer(s) for months after the divorce was filed. Analysis of the data revealed that the husband had lied to the wife, and to his attorney, about what he did with the couple’s sex tapes. While this evidence could not be used in court, it assisted the wife’s attorney in negotiating a favorable settlement. Polluted data may not be used in court (but it can provide leverage when negotiating!).
  2. In another case, the husband fled from his native country to the USA 18 months ago. The wife followed suit six months later. She brought the family laptop with her and presented it to her US attorney as evidence. Having established the dates of his departure and her departure from their native country, we started the analysis. We located some financial records. We also found large stashes of adult imagery from dating sites – both male and female dating profiles. The initial conclusion we drew was that the husband was having a homosexual affair, or was bisexual, due to the prevalence of both male and female dating profiles. Upon review, the wife rejected the analysis. The discrepancies in the dates of the profiles led us to re-interview the wife, with counsel present. During this re-interview, we discovered that after the husband had fled, the wife’s sister had used the laptop to engage in online dating for the intervening six months. Because the client allowed her sister to use the laptop for six months, and did not communicate this to the attorney, all digital evidence had to be thrown out, because it was spoiled.

Defending Against Cyber Evidence
When defending against cyber-evidence, determine the legality of the evidence. In most cases, the evidence was spoiled or may have been collected illegally. Then determine the correctness of the evidence – the data may have been collected legally, but was it collected and analyzed correctly? In one case, the client was charged with 107 counts based on the fact that he clicked on one link, and the popup downloaded 50 images to the hard drive. Analysis by the author was able to prove that these were the result of popups downloading multiple images per click, and should therefore be counted as one violation per popup or webpage. In the end, the client was charged with five counts – a far cry from the initial 107.

Social Media & Cloud Evidence
While we cannot gather forensic evidence directly from cloud providers (Facebook, Gmail, Twitter, World of Warcraft (WOW), Farmville, etc.), in many cases, once references to these services have been located on the clients’ hard drives, you can subpoena log files from these providers. Facebook, WOW, and EZpass are great places to acquire digital evidence.

This article was originally published in the April 2012 issue of NYCLA’s New York County Newspaper.

Upcoming CLE events:
April 24, 2012 — NYCLA—What should attorneys know about CyberForensics?
May 15, 2012 — NYCLA—Cybersecurity: Risks, Best Practices and Security Challenges
