IT Administrative Rights and Requirements

This case illustrates why a HIPAA Security Officer must have administrative rights to their organization’s IT infrastructure. Even if the compliance officer does not know what to do with this access day to day, it is required so that the organization keeps control of its own network. Should the need arise to replace your IT administrator or IT vendor, you will not be held hostage. The case also demonstrates the need to check references and, BEFORE you terminate someone, to be sure their access has been removed.

In the incident below, a fired IT administrator used his elevated access to disable firewalls, delete company data, remove email security filters, and block the business from its own systems—crippling operations. If only a single IT employee holds full administrative control, the organization becomes vulnerable to sabotage, insider threats, and operational paralysis if that person is unavailable, leaves unexpectedly, or acts maliciously.

For HIPAA-regulated entities, losing access to security systems or audit logs can also prevent breach detection and reporting, creating compliance violations and potential fines. A HIPAA Security Officer with administrative rights ensures independent oversight, immediate access to critical systems, and the ability to secure PHI systems without relying solely on IT staff—safeguarding both security and compliance.
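The two controls the paragraphs above describe, verifying that a departing person's access is gone everywhere and confirming that no system depends on a single administrator, can be checked mechanically. The script below is an added example written for this page, not code from Aris Medical Solutions or from any product; the account export records, field names (`system`, `user`, `role`, `enabled`) and the HR termination list are constructed assumptions, since every admin console exports something different.

```python
"""Offboarding and administrative-coverage check (added example; constructed data).

Two checks a Security Officer can run on account exports:
  1. After a termination, every account the person held on every
     system (firewall, email, EHR, domain) must be disabled.
  2. No system should be left with fewer than two enabled administrators,
     or the organization is one departure away from losing control of it.
The records below are constructed sample data; the field names are assumptions.
"""
from collections import defaultdict

# Constructed: one record per account per system, as exported from each
# admin console. Identifiers differ per system (username vs. email address).
ACCOUNTS = [
    {"system": "firewall", "user": "jsmith", "role": "admin", "enabled": True},
    {"system": "firewall", "user": "secofficer", "role": "admin", "enabled": True},
    {"system": "firewall", "user": "itvendor", "role": "admin", "enabled": True},
    {"system": "email", "user": "jsmith@example.com", "role": "admin", "enabled": True},
    {"system": "email", "user": "secofficer@example.com", "role": "admin", "enabled": True},
    {"system": "email", "user": "itvendor@example.com", "role": "admin", "enabled": True},
    {"system": "email", "user": "mjones@example.com", "role": "user", "enabled": True},
    {"system": "ehr", "user": "jsmith", "role": "admin", "enabled": False},
    {"system": "ehr", "user": "mjones", "role": "user", "enabled": True},
    {"system": "domain", "user": "jsmith", "role": "admin", "enabled": True},
    {"system": "domain", "user": "secofficer", "role": "admin", "enabled": True},
]

# Constructed: HR's termination notice, listing every identifier the person used.
TERMINATED = {"jsmith": ["jsmith", "jsmith@example.com"]}


def lingering_access(accounts, terminated):
    """Return (system, account) pairs that are still enabled for terminated staff.

    An empty list is the pass condition on the offboarding checklist.
    """
    ids = {ident.lower() for aliases in terminated.values() for ident in aliases}
    return sorted(
        (a["system"], a["user"])
        for a in accounts
        if a["enabled"] and a["user"].lower() in ids
    )


def sole_admin_systems(accounts, exclude=(), minimum=2):
    """Return systems with fewer than `minimum` enabled admins.

    `exclude` lists identifiers of people who are leaving, so the count
    reflects who will still be able to administer the system afterwards.
    Only enabled admins count: a disabled admin account is no backup.
    """
    excluded = {ident.lower() for ident in exclude}
    admins = defaultdict(set)
    systems = set()
    for a in accounts:
        systems.add(a["system"])
        if a["role"] == "admin" and a["enabled"] and a["user"].lower() not in excluded:
            admins[a["system"]].add(a["user"])
    return sorted(s for s in systems if len(admins[s]) < minimum)


def offboarding_report(accounts, terminated):
    """Combine both checks into one dict the Security Officer can file."""
    leaving = [ident for aliases in terminated.values() for ident in aliases]
    return {
        "still_enabled": lingering_access(accounts, terminated),
        "single_admin_systems": sole_admin_systems(accounts, exclude=leaving),
    }


if __name__ == "__main__":
    report = offboarding_report(ACCOUNTS, TERMINATED)
    for system, user in report["still_enabled"]:
        print(f"ACTION: disable {user!r} on {system}")
    for system in report["single_admin_systems"]:
        print(f"RISK: {system} will have fewer than two enabled administrators")
```

Run against the sample data, the report shows the departing administrator still enabled on the firewall, email and domain, and shows that once that person is gone the EHR and the domain each have fewer than two administrators, which is exactly the single-point-of-failure condition described above. Exporting real account lists before the termination call, rather than after, is what makes this check useful.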

If you need assistance with IT services, we work with some of the best in the industry. Use the Contact Us page and we will send our recommendations.

5 Felony Charges for Palm Coast IT Administrator Accused of Launching Cyber Attack on His Company After He’s Fired

Taken from Flagler Live

A 41-year-old resident of Palm Coast was arrested on five felony charges following a Florida Department of Law Enforcement investigation that found him to have allegedly carried out a cyber-attack on his company’s computer infrastructure in retaliation for the company firing him. The attack crippled some of the company’s functions. 

“Dude I think I got my company in a choke hold,” the father of two young children, is alleged to have written in a message to someone after the cyber-attack. 

The Spice and Tea Exchange, an online and in-store retailer originally founded in St. Augustine and based in Palm Harbor, hired an IT System Administrator in mid-October 2024. (The FDLE refers to it as The Spice and Tea Company.) He was fired last Jan. 14. “Within minutes, the company’s firewall, E-mail, and physical security was infiltrated,” FDLE’s warrant states, resulting “in completed deletion of company data.”

A human resources executive at the company told the FDLE investigator that while his position was being eliminated, he had “displayed very concerning behaviors while employed,” such as having a short fuse. The day of the firing he was working from home. The HR executive called him at noon to let him know he was fired. The conversation lasted just under 10 minutes. 

According to the warrant, he “made several threatening statements prior to terminating the call. For one, [he] had stated ‘your company is not prepared for what is coming your way.’”

Almost as soon as he was fired the company would have disconnected him from its firewall and restricted access. That was to be done while the HR executive was still on the phone with him. But in what appeared to have been a movie-like race between IT employees, he was a step ahead of his ex-IT colleague at the Spice and Tea Exchange. He’d logged into the system at the same time that his colleague was racing to restrict access. He “overtook” him and the entirety of the business’ email access. The company “immediately lost access to the company firewall and emails,” the warrant states. He removed the firewall and obstructed business “continuity.” 

He’d left one of his company laptops at the office. His colleague opened it–there was no expectation of privacy with a company laptop–and noticed that his logon to his Chrome and Gmail accounts was automatic, and that it was syncing his other devices with his work computer, a violation of company policy. Within an hour or so of his firing, his history showed he had searched for “Florida Unemployment” and “Palm Coast Lawyers.” 

The colleague also discovered that an email filtering service blocking spam and malware had been removed, requiring 3,800 emails to be manually approved. The company was no longer able to log into its own firewall and eventually learned from the Cisco Meraki Company, which provided the firewall data for the Exchange, that the company was deleted from Meraki’s database. So, there were no logs of the attack he allegedly orchestrated. 

FDLE confirmed that the last user to make changes to the account had a username of his first initial and last name. FDLE also subpoenaed information from Google and was informed by Charter Communications of further data that led to his house in Palm Coast. Circuit Judge Chris France signed a search warrant, which was served on April 25. 

He acknowledged his role when he was IT administrator but denied accessing the firewall. 

France signed the FDLE warrant for his arrest on July 7. On Wednesday, he was driving his vehicle on State Road 11 in Flagler County when he was pulled over by a Flagler County Sheriff’s deputy, arrested, and taken to jail, where he was booked and soon released on $25,000 bond. 

He faces three charges of computer fraud, a charge of tampering with computer intellectual property and a charge of unlawful use of a two-way communication device. Four of the charges are third-degree felonies, each with a maximum penalty of five years in prison. One of the charges is a second-degree felony, with a 15-year maximum if convicted.

What does “Recognized Security Practices” mean?

We have talked in the past about the Office for Civil Rights conducting a minimum 12-month look-back at data security / HIPAA compliance efforts. If an organization suffers a breach, fines may be waived when it can produce proper documentation. This is known as “Recognized Security Practices”. Every organization will have different documentation based on its network configuration and how data flows in and out of its information systems. This isn’t really anything new, since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and new revisions require covered entities and business associates to document their efforts now more than ever. (See NIST SP 800-66 Rev. 2.)

This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task much easier by enabling the HIPAA compliance officer to download and share certain policies for employees to review. Plus, the confidentiality and acceptable use agreement that is signed via DocuSign demonstrates you have advised your employees that they must follow your policies and procedures.

Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:

  1. Managed devices. You can use this as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
  2. The managed-device report above may contain operating systems, patches/updates that have been applied, IP addresses, user IDs, and device names. All of this is useful information, and if the report does not contain it, you need to look for another report.
  3. Software lists are very important since you can see if any employee has downloaded unauthorized software or if a computer has been compromised.
  4. Device health reports typically include information on anti-virus status and last login; some also record failed logins, or that may be in a separate report. These are must-have reports.
  5. Access logs may be located within the software the IT vendor utilizes to manage your network, within your domain controller, and within your EHR/PM software. These reports must be reviewed to ensure employees are only accessing ePHI based on their job function and to look for outside intrusions.
  6. Backup reports should show when backups are performed and whether they were successful.
  7. Summary reports are useful, but you must make sure you review them, and they can be lengthy.
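Item 5 above says access logs must be reviewed for access outside an employee's job function and for outside intrusion. The script below is an added example for this page, not code from Aris Medical Solutions or from any EHR or IT-management product: it runs those two reviews, plus an after-hours check, over constructed audit lines. The comma-separated log format, the department-to-event map and the thresholds are assumptions; a real EHR/PM audit export will have different fields, so only `parse_line()` and the maps need to change.

```python
"""Access-log review (added example; constructed log lines).

Findings a reviewer would want from EHR/PM-style audit lines:
  * ePHI events outside the user's job function (department-to-event map)
  * chart access across departments, for follow-up rather than as a verdict
  * ePHI access well outside business hours
  * repeated failed logins from one source, a sign of outside intrusion
The log format and maps below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: time,user,user_dept,event,patient_dept,source_ip
SAMPLE_LOG = """\
2025-03-03T02:05:00,admin2,it,LOGIN_FAIL,-,203.0.113.9
2025-03-03T02:05:07,admin2,it,LOGIN_FAIL,-,203.0.113.9
2025-03-03T02:05:15,admin2,it,LOGIN_FAIL,-,203.0.113.9
2025-03-03T02:05:22,admin2,it,LOGIN_FAIL,-,203.0.113.9
2025-03-03T02:05:29,admin2,it,LOGIN_FAIL,-,203.0.113.9
2025-03-03T09:12:04,nurse1,cardiology,VIEW_CHART,cardiology,10.0.0.21
2025-03-03T09:15:30,frontdesk1,registration,VIEW_CHART,cardiology,10.0.0.22
2025-03-03T10:00:00,billing1,billing,VIEW_BILLING,cardiology,10.0.0.30
2025-03-03T11:20:00,nurse1,cardiology,VIEW_CHART,oncology,10.0.0.21
2025-03-03T23:41:10,nurse1,cardiology,VIEW_CHART,cardiology,10.0.0.21
"""

# Constructed job-function map: which events each department is expected
# to perform. In practice this comes from your Risk Analysis and job roles.
ALLOWED_EVENTS = {
    "cardiology": {"VIEW_CHART", "EDIT_CHART"},
    "registration": {"VIEW_DEMOGRAPHICS"},
    "billing": {"VIEW_BILLING"},
    "it": set(),  # IT staff maintain systems; they do not open charts
}
CHART_EVENTS = {"VIEW_CHART", "EDIT_CHART"}
BUSINESS_HOURS = (7, 19)            # 07:00 inclusive to 19:00 exclusive
FAIL_THRESHOLD = 5                  # failed logins ...
FAIL_WINDOW = timedelta(minutes=2)  # ... within this window = burst


def parse_line(line):
    """Split one constructed audit line into a dict (adapt to your export)."""
    ts, user, dept, event, patient_dept, ip = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "event": event, "patient_dept": patient_dept, "ip": ip}


def review(log_text):
    """Return a list of (finding, who, detail) tuples for the reviewer."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    fails = defaultdict(list)  # source ip -> timestamps of failed logins
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["ip"]].append(e["time"])
            continue
        allowed = ALLOWED_EVENTS.get(e["dept"], set())
        if e["event"] not in allowed:
            findings.append(("outside_job_function", e["user"], e["event"]))
        elif e["event"] in CHART_EVENTS and e["patient_dept"] != e["dept"]:
            findings.append(("cross_department_access", e["user"], e["patient_dept"]))
        if not BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_access", e["user"], e["time"].isoformat()))
    for ip, times in fails.items():
        times.sort()
        # Sliding window: any FAIL_THRESHOLD failures inside FAIL_WINDOW
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                findings.append(("failed_login_burst", ip,
                                 f"{FAIL_THRESHOLD} in {FAIL_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for finding, who, detail in review(SAMPLE_LOG):
        print(f"{finding:24} {who:14} {detail}")
```

On the sample lines this produces four findings: the front-desk user opening a chart, a cardiology nurse opening an oncology chart, the same nurse in a chart at 23:41, and five failed logins from one outside address in under a minute. Each is a review item for the Security Officer to resolve with the employee or the IT vendor, not an automatic conclusion; the value of the report is that it turns a long log into a short list of questions to ask.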

There are times when certain devices cannot be updated or upgraded due to the nature of the equipment and the cost of doing so. This is not necessarily a violation if you can demonstrate other means of protecting your system: for example, removing the outdated equipment from internet access, or placing it on a separate network so it cannot reach other systems that contain ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.

Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together: the IT vendor handles the day-to-day operations, and the network security company hardens the systems.

Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have “qualified documentation”, your claim could be denied. Of course, the term “qualified documentation” is open to interpretation. They do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

How to protect your organization from phishing attacks

It is a known fact that hackers target the healthcare sector because the data is so valuable. The average cost of a healthcare data breach increased from $7.13M in 2020 to $9.23M in 2021. The average breach cost rose $1.07M for organizations that had remote access. Organizations in the U.S. have lost $2.4B to business email scams, and cybercrime is estimated to have topped $6T worldwide.

So, how do hackers get in and what can you do to protect yourself?

Remember, there isn’t ONE magic setting to protect you from all threats, it takes layers of security!

Organizations must have solid network security in place. Firewalls are a necessity in today’s world. You can set specific parameters to ensure employees can go where they need to, and block where they do not. You can also set security policies that block other countries.

Utilizing real-time anti-virus and anti-malware software also helps. This won’t help if an employee clicks on a link or picks up malware on the internet unless the system alerts the user BEFORE they click! For example, if an employee is surfing the web (and no they should not surf on a work computer), and they visit a website that has been infected, your anti-virus / anti-malware software should alert you with a warning.

Although there are brute-force attacks, most hackers come in through a phishing attempt. Often, an employee makes a simple mistake like clicking on a link or an attachment in an email. Even though I talk about this ALL the time and say NEVER do this…people still do.
Email scammers use several ways to trick employees into giving up access or information, including getting employees to send wire transfers, send a list of employees’ social security numbers, or make purchases they are not aware of. Alan Suderman at Fortune cited a case where thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
You may think this can’t happen to you, but I know of a practice where someone hacked an email account and changed the bank information for payments from an insurance carrier; they lost about $100K.

I know of a company whose CEO’s email was hacked and monitored; once the scammers knew who the CEO talked to on the phone and who they did not, the call came in to make a $65K wire transfer. POOF! Just like that, $65K was gone.
YES, THIS HAPPENS! Keep in mind: if the caller or the email is asking for private information or money, verify BEFORE releasing it.

• Unless you are expecting an email from someone, DO NOT CLICK!
• If you get an email from someone you know and were not expecting it, pick up the phone and call them!
• If there is a link, do not click it; open a web browser and log into your account from there.
• If it is URGENT and requires you to act immediately, it is more than likely a hacker/spammer.
• If it says your credit card has been charged for something and you didn’t charge it, call your card company or your bank, do not call the number in the email or call the number in the voice mail.
• If they have all your information except the code on the back and ask you to verify the card by giving them the number, DO NOT.
• Government, state, and local authorities will not call you and demand payment immediately. Ignore these completely.
• Again, if money or personal information is involved, VERIFY!

Scammers share their success stories with other scammers, while ransomware hackers will hit you again if you pay. There is no honor among thieves.

Organizations of all sizes need to be on high alert, from large hospitals to small single-provider practices. I have used this analogy before: the World Wide Web is the modern version of the Wild Wild West. The biggest difference is you can’t see the bad guys coming into town to prepare. You must prepare for the unknown and the unseen.
There are companies that offer phishing training and then try to get your employees to take the bait. This has been a success at most companies. Educating your staff is JOB ONE! They can be your best ally or your weakest link. You can build a fortress around your data, and one click can bring it down.

Continuous security awareness training is vital in your fight against these bad actors. Organizations must teach employees to watch for phishing attacks and to stop them by simply not engaging with suspicious emails and websites.


Healthcare Cyber Attacks went up almost 90% in 2017

By Aris Medical Solutions

There were 132 reported breaches under investigation by Health and Human Services’ (HHS) Office for Civil Rights (OCR) in 2017 that were categorized as Hacking/IT Incident. As you review the report you can see how many were related to email and desktop computers.

Click here to see a list of current data breaches: OCR breach portal

So how does this happen? More than likely it has been caused by an unsuspecting employee. Healthcare is typically targeted with ransomware through social engineering. Practices need to be vigilant in educating their staff to be extremely careful when it comes to clicking on emails or surfing the web with their work computers. That is why we always recommend work computers be used exclusively for work. Plus, personal email addresses should never be utilized to communicate with patients or vendors for a number of reasons, this being just one!

There were many server attacks as well. This can happen in the same manner, especially when someone is logged in with administrative rights when they should be logged in as a user instead.

When it comes to cloud storage or cloud based EHRs, these too can be hacked although it is not as common. Most of the time this is caused by a misconfiguration in the network.

What can you do to prevent this from happening to you?

First of all, conduct a full HIPAA Security Risk Analysis; you need to know where your data is in order to create a Risk Management Plan to protect your organization.
Secondly, provide continual education on new threats so your employees know how to be diligent.
Most of all, make sure your IT professional is a network security specialist. Doing your own network security is no longer an option; you must use a professional to ensure your network is secure. This includes your websites and cloud services.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Automation, Education, and Support”

File sharing and cloud computing, is it permitted under HIPAA?


By Aris Medical Solutions


With all of the new technology that we have access to, many vendors are targeting healthcare with promises of ease of use and the ability to communicate with other healthcare providers. Before you agree to “share” or open your “portal” you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.

File sharing and cloud computing are here to stay. As we move forward with sharing patient data amongst our peers, you will need to be vigilant with your security.

Here are a few things to review:

  1. Network misconfigurations are very common, review your data flow, including how data is transmitted and stored.
  2. Backup your data!
  3. When access is given to an employee, contractor, or vendor, once the need for access is no longer required, terminate their access credentials immediately.
  4. Although most providers do not think hackers are a problem for them, they are! Your network security is vital and you must use a trained professional to set up your network and your file sharing configuration. If your IT professional does not specialize in network security, then hire a network security auditor to conduct a vulnerability scan after you have implemented your systems. A good vendor will mitigate your risks as they scan your network.
  5. Make sure you have a HIPAA compliant business associate agreement in place.
  6. Review the service agreement. Make sure it includes specific business expectations.
  7. Invest in cyber liability insurance.

File sharing and cloud computing are wonderful tools that can be used in healthcare if set up properly and securely.


For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.