December 7, 2020

Just over a month after federal agencies sounded the alarm about a wave of damaging ransomware attacks targeting health care systems across the country, Texas Children’s own network environment has remained secure from cyber threats thanks to a coordinated effort mounted and led by the Information Services (IS) team.

Even before this most recent ransomware threat emerged, Texas Children’s had taken a holistic approach to keeping our network safe – relying on the vigilance of our workforce, enhanced digital security capabilities, continuous proactive monitoring by the IS Security Operations Center, and unwavering executive support, according to Assistant Vice President Teresa Tonthat.

But as hospitals and medical facilities nationwide scrambled to protect their networks from disruption in the past few weeks, our IS team partnered with Operational Resilience to quickly initiate their well-established Incident Response Command structure. This kept our leaders informed about potential impacts to operations if a ransomware attack did occur.

IS also collaborated with colleagues throughout the Texas Medical Center to stay abreast of the rapidly evolving tactics that threat actors were using and measures to prevent them, and leveraged high-fidelity intelligence data about the ransomware threat from trusted partners.

“At the end of the day, our team is not only in the business of cybersecurity – we’re in the business of enabling patient care for children and women,” Tonthat said, acknowledging that Texas Children’s may fall victim to a cyberattack at any time and must always be prepared to maintain operations, with or without digital connectivity.

“When an attack does occur, we need to remain resilient and continue to provide safe, quality care.”

Taking action to secure our systems

Ransomware locks a computer system to prevent the owner or organization from accessing data until they pay a ransom. Federal authorities announced in late October that malicious groups in Eastern Europe were targeting the U.S. health care sector with attacks to produce data theft and disruption of health care services.

To secure Texas Children’s network amid this serious threat, IS worked diligently to enhance our security capabilities by confirming that all access to web-based e-mail and file storage sites is blocked, implementing multi-factor authentication and password rotation for privileged accounts, hardening our data backup and restoration capabilities, creating access to Microsoft 365 in case of a disaster, and taking new steps to protect Epic – one of the organization’s most critical applications.

Two strategies were particularly effective and will continue to improve and enhance network security in the days and weeks ahead. The first involved upgrading our remote VPN technology to allow IS to validate security health of all devices connected to our network remotely.

The second strategy was the deployment of a button within Microsoft Outlook that allows any Texas Children’s team member to easily report suspicious or potentially dangerous email messages with a simple click of the mouse. IS provided instructions for the Phish Alert Button and details about which emails to report in a recent newsletter.

Making cybersecurity a priority

Promoting cybersecurity awareness among Texas Children’s workforce was a priority for IS well before the large-scale ransomware attacks began. Since 2017, the team has run a quarterly and occasionally monthly phishing campaign to remind our employees how important it is to stay vigilant about potential threats.

In the campaign, IS sends a phishing simulation email that contains a link. The email is designed to look suspicious and raise red flags that should alert our workforce to the possibility of phishing and stop them from clicking the link the email instructs them to click.

In the most recent phishing campaign deployed in October, only 0.4% of more than 19,000 recipients clicked the link in the email – the lowest rate since the campaign began three years ago, when 18% of recipients clicked the link in the first phishing simulation email.

“We ask our workforce to embed security into their day-to-day practices, as we do with quality. Make it part of our DNA,” Tonthat said. “We need to remain vigilant and adopt smart cybersecurity practices in our personal lives, as well.”

November 3, 2020

Following a global communication last week about the need to stay vigilant in the face of rising large-scale and coordinated ransomware attacks targeting health care systems across the country, Texas Children’s continues to closely monitor this significant threat. To keep our team members further informed, below is a brief Q&A on what is taking place, how it could potentially impact Texas Children’s and what you can do to help.

What is ransomware?
Ransomware locks a computer system to prevent the owner or organization from accessing data until they pay a ransom. If a ransomware attack were to impact Texas Children’s, it could potentially have significant impacts across our digital systems, including PeopleSoft, Epic, Microsoft Office (i.e., email, Teams, OneDrive, etc.), and more.

What do we know about this latest ransomware attack?
The U.S. Department of Homeland Security (DHS) has issued a warning about a significant, “imminent and credible” ransomware threat to hospitals and health care providers being perpetrated by cybercriminals based in Eastern Europe, including one called UNC 1878. The threat appears to involve a combination of phishing, Trickbot malware and Ryuk ransomware, which were recently deployed against dozens of health care organizations, including Universal Health Services.

What is being done nationwide at this time?
The Federal Bureau of Investigation (FBI) and DHS issued bulletins about this threat on October 29. The FBI and the DHS Cybersecurity and Infrastructure Security Agency (CISA) have also issued a Joint Cybersecurity Advisory report.

What is being done at Texas Children’s?
The federal government has recommended that hospitals and health care providers implement the necessary security measures as soon as possible, and Texas Children’s is working diligently to do just that. Additionally, given that our response may escalate quickly in the event of an attack, we have asked our senior leaders to review their business continuity plans with their teams to ensure we are prepared for any potential network disruptions. Although our Information Services (IS) team has worked diligently to keep Texas Children’s secure during these types of malicious attacks, every employee shares a responsibility to protect our digital environment.

What can you do to help?
Help protect Texas Children’s by heightening your awareness of external emails from unknown senders, and by carefully considering before clicking on website links and opening email attachments. In particular, pay close attention to any unusual email that engages you to click over to a file sharing site, such as Google Drive. Putting this vigilance into practice in the workplace could also help you avoid potential phishing scams and ransomware attacks sent to your own personal email.

What do I do if I receive a suspicious email?
While there are several ways ransomware can be transmitted across an organization, the most common is email, where an employee may be deceived into clicking a link or opening an attachment from a fraudulent account. If you receive a suspicious message, refrain from opening the email or any attachments, and do not click any links. Simply delete the message from your inbox and notify IS Security by emailing isservicedesk@texaschildrens.org.

If you have any questions about information security or phishing, please call the IS Service Desk at 832-824-3512.

How do I sign up for emergency alerts through Everbridge?

In the event that Texas Children’s is impacted by a ransomware attack, our IS team may be required to shut down all or parts of our network, including email. Should this happen, Everbridge emergency text messaging would serve as a primary means of communicating with our workforce.

If you are not currently receiving emergency text communications from Everbridge, please sign up for alerts by following the instructions below:

  • For TCH employees: Add your mobile phone number to your profile in MOLI to begin receiving these messages. Upon logging in to MOLI, simply click on “Personal Information” and then “Phone Numbers.” From there, you will see an area to add your mobile phone.
  • For BCM employees: To opt-in for emergency text messages, please click here and then log in with your username and password. From there, you will be prompted to submit a mobile phone number.

October 27, 2020

Social media is used by billions of people all across the globe. Many of us use social media to communicate with friends and family, post photos and videos, market products, promote brands, connect to customers and foster new business relationships. When social media use involves patients in health care, the potential risks include exposure of patient information, data breaches, and violations of patient privacy.

Are you balancing patient privacy through Social Media?

Protecting the privacy of patients’ protected health information (PHI) is one of the most significant concerns related to social media use. Because the boundaries between appropriate and inappropriate, and between personal and professional, use of social media can easily be blurred, managing privacy risks can be challenging. For example, numerous instances have occurred in which healthcare workers have posted pictures of, or confidential information about, patients on professional or personal social media pages without the patients’ consent. Whether intentional or not, this increases the likelihood of exposure and of violating patient privacy rights.

What are the risks?

Sharing too much information on social media platforms can have devastating effects on both healthcare organizations and employees if patient-specific information is shared. Healthcare employees should avoid potentially hazardous mistakes while using social media and medical blogs so that Health Insurance Portability and Accountability Act (HIPAA) violations are avoided altogether.

Common examples of social media HIPAA violations include:

  • Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed.
  • Sharing of photographs, or any form of PHI without written consent from a patient.
  • A mistaken belief that posts are private or have been deleted when they are still visible to the public.
  • Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.

What can you do to reduce risks?

It has become common practice for people to discuss the events of their day via social media, but for a healthcare provider, doing so may be illegal. To reduce risk to your organization, you can start by following company policy on social media and patient privacy. Take responsibility and use your best judgment to avoid making costly mistakes. If you think twice before you post patient information, you align with HIPAA compliance involving patient data. Patient privacy is vital and should be protected at all times.

Prohibit or set limitations on the photographic use of cellphones and other portable electronic devices as part of organizational policy.

When posting content containing patient identifiable information to the organization’s social media sites, ensure patient consent is obtained. The consent should explicitly state how the information will be used. Have someone who is familiar with HIPAA and state privacy regulations review social media content to ensure information does not violate patient confidentiality.

Be aware that responding to a patient post or review on a social media site might violate HIPAA or state privacy laws.

Understand the technical limitations and terms and conditions of any social media sites that you plan to use. For example, information sent via messaging functions likely is not encrypted, and the site might maintain the right to access any personal information.

October 19, 2020

In an unprecedented year, Texas Children’s is celebrating National Health IT (HIT) Week to honor our Information Services (IS) staff. The organization salutes IS especially for their performance in meeting the multiple unanticipated challenges of COVID-19 while keeping the organization’s day-to-day operations safe and secure.

It’s also an opportunity for Texas Children’s to recognize and celebrate the amazing accomplishments resulting from partnerships between IS staff and our clinical and operational collaborators. For example:

Click here to learn how Jackie Ward, Vice President of Nursing and Dr. Eric Williams, System Chief Quality Officer, use technologies like Teams to support Texas Children’s clinical operations during the COVID-19 pandemic.

Click here to learn how Mark Mullarkey, Executive Vice President and President of Texas Children’s Health Plan; and Weldon Gage, Executive Vice President and Chief Financial Officer, use technologies like Teams to support Texas Children’s business operations during the pandemic.

Since 2006, the Healthcare Information Management Systems Society (HIMSS) has observed National HIT Week to demonstrate the power of information and technology to transform health.

Why is managing your online privacy a concern?

Everyone can agree that privacy matters. In today’s digital world, keeping prying eyes away from your private data has become a daunting task. Every time you browse, talk online, and type, your activity is being tracked, monitored and analyzed. Your personal information is being collected, siphoned off, and sold from business to business, with a plethora of aggregated data resting on servers all around the world.

What can you do to protect online privacy?

A few simple steps can make a real difference. There are several smart ways to help protect your privacy online. You can start by not oversharing your information on social media. Providing too much information on Facebook, Twitter, and Instagram could make it easier for attackers to obtain personal information, which could allow them to steal your identity or to access your financial information. For example, could an identity thief determine your favorite color or the street you grew up on by digging through your Facebook account? If so, you may want to reconsider your answers. This information is sometimes used as security questions to change passwords on financial accounts.

When you interact online, you can begin to take back control of your digital privacy and protect your private data. You do not need technical know-how; anyone can do it. You will just need a little bit of time and effort to know what to look for.

Tips for online privacy
  • Protect Your Accounts with a Password Manager
  • Stay Safe on Public Wi-Fi Networks with a VPN
  • Browse the Web Anonymously with a Private Browser
  • Browse the Web Securely with HTTPS Everywhere
  • Block Ads and Trackers with an Ad Blocker
  • Search the Web Anonymously with a Private Search Engine
  • Protect Your Messages and Emails with Encrypted Messaging
  • Protect Your Home Wi-Fi Network
  • Update the Privacy Settings on Your Social Media Accounts
  • Be Wary of Smart Devices
  • Check Your Phone’s Location Sharing Settings

October 12, 2020

Everyone has their own style when it comes to managing a work desk. Some people are neat and tidy while others prefer a scattered environment. Studies have shown that a clean and organized work environment helps to boost productivity and morale. There are also major security reasons to keep your desk clean: protecting the confidentiality and integrity of company data.

Do you have a clean desk?

With countless employees processing client files, contracts, names and addresses, social security numbers, and financial information, sensitive data is left on desks at the end of each work day. Therefore whether intentional or not, the likelihood of exposure is increased.

What are the risks?

Having important papers exposed on your desk with private details, deals, and employees’ information can make the company more susceptible to fraud, a security breach or information theft. Locking your computer screen, removing sensitive post-its, printouts and even USB drives at the end of the day will significantly reduce risk.

What can you do to reduce risks?

You can start by creating a basic list of items that are allowed in your work area to help maintain a clean space. Knowing what items are allowed on your desk helps you better understand company policy and be more efficient with end-of-day clean-ups.

Here are some things to consider for your clean desk to reduce risk:

  • Always lock your computer if not in use
  • Avoid leaving your computer or laptop unattended for long periods of time
  • Make sure your computer requires a password to log in
  • Contact the help desk if your computer doesn’t display a screen saver
  • Shred all scrap paper containing confidential company information rather than throwing it into waste baskets
  • Ensure that no important documents are left on copy machines at any time of day
  • Lock up and safely store all client folders, contracts and company data in a secured file cabinet or safe
  • Do not hide passwords under your keyboard or display them on a monitor
  • Remove all sticky notes containing client, personal, or company information from monitors or anywhere visible to others

October 5, 2020

What is Vishing?

Vishing is an electronic fraud tactic that uses voice or voice over IP (VoIP) phishing to trick individuals into revealing critical financial or personal information to unauthorized entities. Vishing is the phone’s version of email phishing and often uses automated voice messages to steal confidential information. Vishing attacks use a spoofed caller ID or a toll-free number, which can make the attacker appear to be calling from a known number and entices the individual to pick up the phone.

Common vishing scams

Compromised bank or credit card account
Whether it’s a person or a prerecorded message on the other end, you’ll be told there’s an issue with your account or a payment you made. You may be asked for your login credentials to fix the problem or asked to make a new payment. Instead of giving out your information, hang up and call your financial institution on their publicly available number.

Medicare or Social Security scam
Phone calls are the No. 1 method scammers use to reach older adults, according to the Federal Trade Commission. Thieves pose as Medicare representatives, often during Medicare open enrollment season, and try to extract financial information from the victim, such as their Medicare number or bank account details. Then the scammer will either fraudulently use the victim’s Medicare benefits or steal their money. Scammers may also claim to be from the Social Security Administration and threaten to suspend or cancel the victim’s Social Security number.

What can you do to protect yourself against Vishing?

Attackers use vishing because their targets do not have time to think a situation through before providing information. A victim can easily be confused by alarming claims and disclose valuable information. Vishing attacks can be focused on all employees, or on employees who mainly deal with people outside the organization. Departments like Marketing, Sales, the help desk and HR are good to include in vishing security tests.

Block Robocalls
A robocall is an automated phone call that usually delivers a recorded message. Scammers also use auto-dialers to make a large number of calls in a matter of minutes, so they have a better chance of reaching a real person. There are several applications you can install from the Google Play Store and the Apple App Store to help stop unwanted calls. Some of the mobile apps you can install are Robocall Blocker, RoboKiller: Spam Call Blocker, Hiya, Nomorobo, Truecaller and many others.

Don’t answer unfamiliar numbers
Sometimes even blocking phone numbers won’t stop vishing attempts, because scammers use software to disguise their real phone number. For example, scammers often mimic the area code and the first three digits of your phone number to trick you into thinking it’s a local call. If you block one number, scammers will simply call you from another.

If you answer the phone and then hang up immediately, the scammer will know that your line is active. However, if you do not pick up the phone, scammers will eventually consider your number to be dead. Resist the urge to answer the call, and you should see the frequency with which you receive robocalls begin to fall.