The Risks of a HIPAA Security Risk Analysis

Posted by Dan Berger
Believe it or not, there are even risks inherent in conducting a HIPAA security risk assessment. The first risk is in defaulting to a "do-it-yourself" process. Clearly many organizations are capable of doing this work themselves. But many others are not. So before making the decision to stay in-house or to find a competent outside vendor, ask yourself these questions: 1. Do we have sufficient expertise, particularly in IT security, to identify threats, external and internal vulnerabilities, and other risks …

BYOD Security – The Next Problem? Data Sprawl

Posted by David Carlino
Mobile devices are designed to store less data than traditional laptops and desktop workstations. Cloud-based storage continues to enable a steady migration away from local device storage. Due to local storage limits, mobile users are increasingly turning to a wide array of cloud storage options to maintain and access their data. This is very helpful when a device is lost or stolen but there are unintended consequences in complexity, security, and risk... Enabling increased “mobile” storage …

Largest HIPAA Compliance Settlement – A Prescription for IT Security Health

Posted by Dan Berger
The key to Redspin’s rapid rise as the leader in HIPAA compliance for healthcare providers has been our unyielding focus on IT security. Last week’s news that OCR had reached a $4.8 million settlement agreement with New York-Presbyterian hospital and Columbia University Medical Center relating to HIPAA compliance violations further affirms our position. What started as an investigation of a 6,800 record ePHI breach became a multi-million dollar black eye for those providers. At the source of the breach was an …

OpenSSL Vulnerability Discovered

Posted by Dan Berger
A two-year-old vulnerability in OpenSSL, the default cryptographic library used in many software applications (including web servers, operating systems, email, and instant-messaging clients), has been discovered. This vulnerability could make it possible for external parties to mine server memory for data including private encryption keys, passwords, and other credentials. If you are hosting a web server using a vulnerable version of OpenSSL (including most variants of Linux), it is recommended that you: * Patch the OpenSSL vulnerability * Revoke and …

Expect a HIPAA Security Audit – But Guess Who Will Conduct It?

Posted by Dan Berger
The 2009 HITECH Act deputized the Office of Civil Rights (OCR) to conduct HIPAA security audits under the auspices of the Department of Health and Human Services (HHS). But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact several were initially trained by OCR to do so. In the second half of 2013, the Center for Medicare Services (CMS) began conducting audits of eligible …

Mobile Device Management: Protection But Not Panacea

Posted by Dan Berger
A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent risks. Without attention to each link in the chain, vulnerabilities to …

Why Risk an Incomplete HIPAA Risk Assessment?

Posted by Dan Berger
Covered entities and their business associates must conduct periodic HIPAA risk assessments (aka: HIPAA risk analysis) under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program. Both HHS' Office of Civil Rights (OCR) and Center for Medicare Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead …

The Biggest Oversight in HIPAA Security Risk Assessments – Security!

Posted by Dan Berger
There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work. What is surprising …

How Ethical Hacking Can Bolster Enterprise Security

Posted by Dan Berger
Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might …

Healthcare IT Security Makes Strange Bedfellows

Posted by Dan Berger
UPDATE January 12, 2013: House of Representatives Passes Bill Requiring Additional Security Requirements on the Administration of HealthCare.gov. Last week, it was reported that House Majority Leader Eric Cantor (Rep – VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the HealthCare.gov website. With more than 2 million Americans now enrolled in health plans through HealthCare.gov, Cantor believes that a stricter set of data security requirements should …