HIPAA, Hackers, and the Houston Astros

Full disclosure: I'm a Dodger fan. I used to wear my Little League jersey to Dodger Stadium when I was 8. In case you're not a baseball fan, the Houston Astros admitted to stealing opposing teams' signs during the 2017 season. They set up video monitors in the dugout that captured the catcher's signals to the pitcher and relayed what type of pitch was coming.

They used a trash can lid to message the Astros' batters in real time. A "bang" meant a change-up (slower pitch); no "bang" meant a fastball (faster pitch). In football, this would be like the defense knowing whether the offense was running or passing on every down. In 2017, the Dodgers played the Astros in the World Series. It was the first time since 1988 that the Dodgers had played in the World Series.

Recently, I've been thinking a lot about what the Astros did, and specifically how their actions relate to HIPAA and hackers. I know it's a stretch. But this will be a limber blog.

OK, so what can we learn?

At the highest level, the Astros stole the 2017 World Series from the Dodgers. Hackers steal or encrypt your data. The #1 risk to your practice is a ransomware attack or a data breach. Hackers deploy malware to infiltrate your network and ultimately encrypt your data. You can't get at your own files unless you pay a ransom in exchange for a decryption key, and even paying is no guarantee you get everything back. The Astros stole the Dodgers' championship trophy and their entire 2017 legacy.

The Astros decoded the opposing catchers' signals to the pitcher. Hackers guess or crack your passwords. Many practices we speak with don't take password management seriously, or at all. Common passwords like "password123" and keyboard walks like "asdfghjkl;" sit at the top of every attacker's guessing list. Require long, unique passwords for every account (a password manager makes this practical), turn on multi-factor authentication wherever it is offered, and change a password immediately if it turns up in a breach. In addition, be very careful with your Wi-Fi. Manufacturers ship routers and access points with "easy" default passwords so that installation is simple. However, many businesses never change the out-of-the-box passwords, and the defaults for every model are published online. Guess who knows this?
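The habits called out above (common passwords, keyboard walks, a word plus a year, and devices still on their factory login) can all be screened for mechanically. The following is an added example, not code from the original post or from PCIHIPAA: the word lists are constructed samples, and a real deployment would load a breached-password list and the vendor's published default-credential list in their place.

```python
"""Added example: screen a proposed password for the weak habits described above.
The word lists are constructed samples, not real breach or vendor data."""
import re

COMMON_PASSWORDS = {  # constructed sample; real lists run to hundreds of millions
    "password", "password123", "123456", "qwerty", "letmein", "welcome1", "admin",
}
DEFAULT_DEVICE_LOGINS = {  # constructed sample of factory Wi-Fi / router logins
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root"),
}
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run adjacent keys from one keyboard row,
    typed left-to-right or right-to-left (e.g. 'asdf', 'poiu')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in low:
                    return True
    return False


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the reasons a password would be rejected; an empty list means it passed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    # a dictionary word followed by a year or a few digits, e.g. Dental2020
    if re.fullmatch(r"[a-z]+\d{1,4}", pw.lower()):
        problems.append("dictionary word followed by digits")
    return problems


def is_default_login(username: str, password: str) -> bool:
    """True if a device login is still one of the factory defaults."""
    return (username.lower(), password) in DEFAULT_DEVICE_LOGINS


if __name__ == "__main__":
    for candidate in ("password123", "asdfghjkl;", "Dental2020", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print("router still on factory login:", is_default_login("admin", "admin"))
```

The keyboard-walk check is the part a simple "must contain a digit and a symbol" rule misses: "asdfghjkl;" satisfies most complexity rules and is still one of the first guesses an attacker makes.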

The Astros used technology to steal and relay signs. So do criminals. Video monitors were installed in the clubhouse, and an algorithm was used to decode the catcher's signs and relay them. Apparently, baseball is not all hot dogs and beer. Hackers are also getting more sophisticated. In 2019, a Wisconsin-based company that runs a remote data backup service for hundreds of dental offices across the country fell victim to a ransomware attack. Instead of a 1:1 attack, the hacker went 1:400: compromising the one vendor that connected into all of its customers' systems multiplied both the damage and the payoff, and roughly 400 dental offices were shut down at once. This one-to-many attack through IT vendors and service providers is now a trend. A similar attack hit 100 Colorado dental offices. It's not only dental, either. The same strategy can reach any healthcare provider through the vendors that hold access to its systems, so ask every vendor with remote access to your network how that access is secured, and be prepared.

Astros management knew players were cheating and did nothing to stop it. As the doctor or office manager, you own the responsibility for protecting the privacy and security of your patient information. The HIPAA Security Rule requires you to implement administrative, technical, and physical safeguards to keep patient data private and secure. A critical administrative safeguard is training your employees; they are your first line of defense. If they develop bad habits, like the Astros players, it happens under your watch. Ultimately, your players are your responsibility. They need to be trained and monitored.

The Astros hid their cheating, but some teams suspected it and adjusted. As the details continue to come out, some players have discussed what they observed. The whistle wasn't blown until recently; however, the Nationals, who played the Astros in the 2019 World Series, were warned. Here's your warning. Hackers may already be in your network. They may be the Astros of 2017. We have clients where hackers got into their e-mail system and started e-mailing employees as the doctor or office manager. Think of e-mails like, "Wire $100,000 to my wife's bank account." Or, "Buy $1,000 worth of Apple gift cards immediately and scratch off the codes so I can send them to my patients." Make your own adjustments now. Assume hackers will get into your system, and tell your employees to NEVER wire funds or buy gift cards on the strength of an e-mail alone. Verify every payment request out of band: call the doctor at a number you already have, never one taken from the e-mail. A shared "code" word works only as long as it stays out of the mailbox the attacker is reading, so agree on it in person and never send it by e-mail.
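The two e-mails quoted above can be caught by a mail-filter rule, with one important catch. What follows is an added example, not code from the original post or from PCIHIPAA: the practice's domain and staff directory are assumptions, and the three messages are constructed samples. It flags a lookalike sender, a redirected Reply-To, and any request to move money, and it shows why the last check matters more than the first two.

```python
"""Added example: hold e-mails that look like the doctor or office manager
asking for a wire or gift cards. Domain, staff list and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

PRACTICE_DOMAIN = "examplepractice.com"          # assumed
SENIOR_STAFF = {                                 # assumed: display name -> real mailbox
    "jane smith": "jsmith@examplepractice.com",
    "pat jones": "pjones@examplepractice.com",
}
MONEY_WORDS = ("wire", "gift card", "bank account", "routing number", "scratch off")


def flag_email(raw: str) -> list[str]:
    """Return the reasons a message should be held for out-of-band verification."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons = []
    # 1. A senior staff member's name on an address that isn't theirs
    real = SENIOR_STAFF.get(display.strip().lower())
    if real and addr != real:
        reasons.append("display-name impersonation")
    # 2. Sender outside the practice's own domain
    if addr.rsplit("@", 1)[-1] != PRACTICE_DOMAIN:
        reasons.append("external sender")
    # 3. Replies silently redirected to another mailbox
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("reply-to mismatch")
    # 4. A request to move money. Checked regardless of the headers: when the
    #    doctor's real mailbox has been taken over, checks 1-3 all pass.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(word in text for word in MONEY_WORDS):
        reasons.append("money request: confirm by phone on a known number")
    return reasons


# Constructed samples. SPOOFED is a lookalike from a free webmail account,
# TAKEOVER comes from the doctor's real (compromised) mailbox, ROUTINE is benign.
SPOOFED = """From: Jane Smith <drjanesmith.office@gmail.com>
Reply-To: payments.jsmith@outlook.com
To: billing@examplepractice.com
Subject: Urgent

Wire $100,000 to my wife's bank account today. In meetings, cannot take calls.
"""

TAKEOVER = """From: Jane Smith <jsmith@examplepractice.com>
To: frontdesk@examplepractice.com
Subject: quick favor

Buy $1,000 of Apple gift cards and scratch off the codes so I can send them to my patients.
"""

ROUTINE = """From: Jane Smith <jsmith@examplepractice.com>
To: frontdesk@examplepractice.com
Subject: Friday schedule

Can we move the 2pm cleaning to 3pm?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("takeover", TAKEOVER), ("routine", ROUTINE)):
        print(f"{name}: {flag_email(raw) or 'no flags'}")
```

The header checks catch the lookalike. Only the content check catches the takeover, where the mail genuinely comes from the doctor's account, which is why the procedural rule (no wire or gift-card purchase without a phone call to a known number) is the control that actually holds.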

It took Major League Baseball 3 years to identify and publicize the Astros' scandal. MLB took far too long to investigate and discipline the Astros, and even after 3 years it has been handled poorly. Players are angry. Fans are angry (can you tell?). The penalties don't fit the crime, and baseball's reputation is damaged. The HIPAA Breach Notification Rule requires you to notify affected patients (and HHS) without unreasonable delay, and no later than 60 days after you discover that their data has been compromised. A data breach is bad enough. However, mishandling the response adds reputational damage and separate penalties for the mismanagement itself. MLB is the perfect example of how not to handle a crisis.

I'm starting to feel like the Astros are more and more like hackers than when I started writing this. Here are some tips so you don't get Astro'd:

  1. Back up your data offsite, encrypted with 256-bit encryption. Keep a second, independent backup copy that a compromised network (or a compromised backup vendor) cannot reach.
  2. Test your backup restoration procedures with your IT provider, and time how long a full restore takes.
  3. Train your employees. Openly discuss ransomware and current hacking trends.
  4. Install firewalls and anti-virus software. Keep all operating systems and applications patched.
  5. Monitor your employees and your network.
  6. Develop a password management process and stick to it.
  7. Scan your public IP address for exposed services and vulnerabilities.
  8. Obtain cyber-insurance that includes an incident response plan.
  9. Prepare for a data breach and know how to respond.
  10. Take a risk assessment.

I was at Game 7 (not in full uniform) with my 80-year-old parents, who had never attended a World Series game. The Dodgers lost. The Astros celebrated. The Astros cheated. We can all learn from cheaters. The Astros' Opening Day of the 2020 season is next month. However, your Opening Day is every day. Don't get Astro'd.

Jeff Broudy is CEO of PCIHIPAA, a leading cybersecurity and compliance company serving thousands of medical and dental offices nationwide. Their award-winning OfficeSafe platform makes compliance easy and protects practices from losses due to data breaches, fines, audits, and cyberattacks.