Equifax note

September 12th, 2017

I share a tweaked version from the SANS Institute. In my opinion, steps 3, 4, and 5 are the most useful. #3 costs $5-10 per bureau and requires you to unfreeze each as needed - so be advised. I add that annualcreditreport.com is the only legitimate (by that I mean truly direct to the bureaus AND free of charge) way to check your credit once per year at the three main bureaus. Due to the volume of activity at the bureaus now, calling the phone numbers below may be the most effective way to act.

In addition to the options below for this incident, remember to stay wary, skeptical, and safe; do not click stuff that you do not trust.

Jim

Equifax is one of four credit rating services, called Credit Bureaus; the other three are ExperianTrans Union and Innovis. These companies harvest and sell your financial data and credit ratings, plus that of effectively every United States citizen. Equifax announced that they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised, including names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. This is not your fault. Companies collect a huge amount of data about people, data that you have no control over nor is there much you can do to protect it. This situation is Equifax's fault. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Here are some steps that you might consider.

  1. Equifax Website: Equifax has created a website where you can learn more about the incident. One of the options they offer is you can check to see if your data is believed to be compromised. While this is a nice feature, operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened.
  2. Credit Monitoring: You can sign up for free for Equifax's TrustedID credit monitoring service (Note: you may be asked to come back later to set it up, it appears that Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, you may limit certain legal recourse which you might have otherwise had.). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent write-up by Brian Krebs on the limitations of Credit Monitoring.
  3. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze locks your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you!) a loan or credit card. The challenge is that you have to manually setup and pay for a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. But then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four credit bureaus.
  4. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or they can send you daily reports of your activity. We highly recommend that you enable at least one of these.
  5. Social Engineering Attacks: Be warned, in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. This is why we have an active security awareness program, to help you understand and defend against attacks like these.

If you do get hit with Identity Fraud, the FTC has created a site to help you recover. The Equifax situation will be fluid, so expect frequent new updates and findings. However, the behaviors above apply regardless of how the situation changes, so we recommend that you focus on those.

FREEZING UPDATE, from a commenter named Mike on Krebs' blog

SPECIFIC PHONE MENU OPTIONS TO SELECT:

Equifax: 866-349-5191 choose option 3 for a "Security Freeze"

Experian: 888-397-3742
- Press 2 "To learn about fraud or ADD A SECURITY FREEZE"
- Press 2 "for security freeze options"
- Press 1 "to place a security freeze"
- Press 2 "…for all others"
- Enter your info when prompted

Transunion: 888-909-8872
- Choose option 3, you'll be prompted to enter your zip code, SSN, and so on

Innovis: 800-540-2505
- Press 1 for English
- Press 3 "to place or manage an active duty alert or a SECURITY FREEZE"
- Press 2 "to place or manage a SECURITY FREEZE"
- Enter your info when prompted

Each automated system will try to push you to the company's website, ignore that! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze.

 

Posted by Jim Sherrill | Topic: News  | Category: Security

MIPS Overview

December 1st, 2016

It's time for more changes in how providers navigate Medicare payments, welcome to MACRA and MIPS. MIPS consolidates and changes the MU, PQRS, and VBM programs. Here are the more tedious program names from these acronyms: Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) -- Notice the clever nested acronym: Children's Health Insurance Program (CHIP) --, Merit-based Incentive Payment System (MIPS), Meaningful Use (MU), Physician Quality Reporting System (PQRS), and Value-Based Payment Modifier (VBM). The stated intent of these revised government programs is to achieve the "Triple Aim" of higher quality, lower spending, and better patient outcomes.

We will continue to add content as these programs develop and our products evolve to meet the new requirements. MACRA is 2,171 pages, so some of this information may change. Let's take a sip from the MIPS firehose now:

  • Each provider will receive a MIPS Score from 0 to 100
  • MIPS scores will be public and recalculated each year
  • Scores determine providers' yearly Bonus or Penalty

Four MIPS Performance Categories, for 2017 (percentages shift in 2018 and beyond)
Quality - 60%
Advancing Care Information - 25%
Clinical Practice Improvement Activities - 15%
Resource Use - 0%, but will be weighted and used for 2018 and beyond

Four MIPS Participation Options, for 2017
    No participation: Organizations not exempt from MIPS that do not send in any 2017 data will receive a negative 4% payment adjustment.
    Report one measure for a minimum 90-day period: One Quality, ACI, or CPIA measure will earn enough MIPS points (3 points, yes three, is the no-penalty threshold) to avoid a penalty and possibly earn a small incentive.
    Report more than one measure for a minimum 90-day period: More than one measure in any or all of the Quality, ACI, or CPIA categories avoids a penalty, maximizes the MIPS score, and potentially earns the highest possible incentive.
    Participate in an Advanced Alternative Payment Models (APM): Organizations that sufficiently participate through an Advanced APM earn a 5% Part B bonus and are exempt from MIPS.

Who is Eligible for MIPS
Physician
Physician assistant
Nurse practitioner
Clinical nurse specialist
Certified registered nurse anesthetist

In 2019 and beyond, these providers are added for MIPS:

Physical and Occupational Therapists
Speech-language Pathologists
Audiologists
Nurse Midwives
Clinical Social Workers
Clinical Psychologists
Dietitians/Nutritional Professionals

Who is Exempt from MIPS
First-year Medicare providers
Providers with a low volume of Medicare patients (less than $30,000 Medicare Part B or less than 100 Medicare patients)
Qualifying participants in eligible APM.Possibly exempt: Rural health clinics or Federally Qualified Health Clinics (FQHCs)

How do I know if I'm ready to participate in MIPS?

  1. Check that your electronic health record is certified by the Office of the National Coordinator for Health Information Technology. If it is, it should be ready to capture information for the MIPS Advancing Care Information category and certain measures for the Quality category.
  2. Consider using a qualified clinical data registry or a registry to extract and submit your quality data.
  3. Use the websites below to explore the MIPS data your practice can choose to send in. Check to see which measures and activities best fit your practice.

Where to learn more

https://qpp.cms.gov/

https://qpp.cms.gov/learn/qpp

https://qpp.cms.gov/measures/performance

https://qpp.cms.gov/learn/getprepared

https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html

https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-Quality-Payment-Program-webinar-slides-10-26-16.pdf

 

Posted by Jim Sherrill | Topic: News

Subject Line - IT'S A TRAP!

October 20th, 2016

"Business E-mail Compromise," or BEC, is the name for malicious attempts to use a fake Reply-to field or a fake Display Name to compromise humans' money or information. For example, an attacker sends an e-mail with the Display Name set as that of the CEO. Employees without alert skepticism may respond to the implied trusted request, not noticing that the money or data is actually going to the attacker.

Here are the top ten recent BEC Subject Lines, in descending frequency:

  • Request
  • Payment
  • Urgent
  • hello
  • hi
  • Follow up
  • NO DATA
  • Quick One
  • Urgent Request
  • [blank]


The first five make up over 20% of the imposter e-mails.

In contrast, please review a list from one month of one address at MSA - one of our defensive layers blocks these messages from ever arriving in an Inbox. These messages have malicious content that encrypts files and forces you to pay a ransom or restore from a safe backup. Notice the variety in Subject Lines as well as the improbable From names & e-mail addresses. 

email block list


If you are not blocking these messages, please use caution and common sense before opening or previewing anything like these samples!



Posted by Jim Sherrill | Topic: News  | Category: Security

Maintain composure, do not click

September 20th, 2016

There are many versions now of the encrypting "ransomware" programs. Some not only encrypt your business documents but also delete critical files from your server and stop your operations entirely! The only sound way out after infection is to restore from backup - paying the ransom is almost never recommended.

How to reduce risk

  • As always, never open ANY suspicious attachments (e.g. zipped .js, .wsf or .vbs files)
  • Keep recent backup copies of important data in a secure place either online or offline
  • Ensure that your system and applications are fully updated and patched

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

MicroMD PM: Editing Day Sheets

February 9th, 2016

Once the day sheet has been erased, you can no longer edit location, procedure codes, fees, or rendering provider. However, you can still edit service facility, diagnosis codes, place of service, modifiers, date of service, diagnosis pointers, and billing provider; highlighted in red boxes below:

If you must change one of the items on the sequence that cannot be edited after the day sheet has been erased, you will have to void that sequence and then re-post it.

 

Tip credit belongs to J. Kishel at Henry Schein MicroMD!

 

Posted by Jim Sherrill | Topic: Tips

Medical Software Associates. 1021 McCallie Avenue. Chattanooga, TN 37403