The Redspin Report

The latest updates on penetration testing, breaches, and healthcare security.

Redspin Events in September

Posted by mmak in Main
Redspin will be participating in several great healthcare and security conferences this September. Make sure you tune in to get useful information about IT security, policy compliance, and penetration testing!
* Stanford Medicine X (Palo Alto, CA): "Practical Information and Security Risk Management for ePatients" by Redspin VP Chris Campbell, September 6 @ 9:20am
* HIMSS Privacy and Security Forum (Boston, MA): Look for Redspin's co-exhibition with EMC, September 8-9
* The Summit of the Southeast (Nashville, TN): September 15
* Cyber Security Summit (New...

OIG Finds NASA Web Application Security Lacking. Is it Time to Assess Yours?

Posted by Dan Berger in Main
On July 10, 2014 the Office of Inspector General (OIG) released an evaluation of the effectiveness of NASA's efforts to secure its publicly accessible web applications. While OIG noted some improvement over the past few years, it found "deficiencies... that leave the Agency's publicly available web applications at risk of compromise." Of specific concern was that the identified vulnerabilities were not prioritized by seriousness of impact (i.e., risk rating), nor was the underlying cause of the vulnerabilities determined. The...

Why I Disagree With Google’s Founders About the Healthcare Market

Posted by Dan Berger in Main
Google's founders, Sergey Brin and Larry Page, were recently asked at a conference if they could imagine Google becoming a healthcare company. They both said "no" and explained their reasoning as follows. Brin felt the regulatory obstacles would "dissuade a lot of entrepreneurs" from entering the market and added "it's just a painful business to be in." Page gave an example of what he thought could be a useful medical research tool and said "that's almost impossible to do because...

The Risks of a HIPAA Security Risk Analysis

Posted by Dan Berger in Main
Believe it or not, there are even risks inherent in conducting a HIPAA security risk assessment. The first risk is in defaulting to a "do-it-yourself" process. Clearly many organizations are capable of doing this work themselves. But many others are not. So before making the decision to stay in-house or to find a competent outside vendor, ask yourself these questions:
1. Do we have sufficient expertise, particularly in IT security, to identify threats, external and internal vulnerabilities, and other risks...

BYOD Security – The Next Problem? Data Sprawl

Posted by David Carlino in Main
Submitted by David Carlino. Mobile devices are designed to store less data than traditional laptops and desktop workstations. Cloud-based storage continues to enable a steady migration away from local device storage. Due to local storage limits, mobile users are increasingly turning to a wide array of cloud storage options to maintain and access their data. This is very helpful when a device is lost or stolen, but there are unintended consequences in complexity, security, and risk... Enabling increased "mobile" storage...

Largest HIPAA Compliance Settlement – A Prescription for IT Security Health

Posted by Dan Berger in Main
The key to Redspin's rapid rise as the leader in HIPAA compliance for healthcare providers has been our unyielding focus on IT security. Last week's news that OCR had reached a $4.8 million settlement agreement with New York-Presbyterian Hospital and Columbia University Medical Center relating to HIPAA compliance violations further affirms our position. What started as an investigation of a 6,800-record ePHI breach became a multi-million dollar black eye for those providers. At the source of the breach was an...

OpenSSL Vulnerability Discovered

Posted by Dan Berger in Main
A two-year-old vulnerability in OpenSSL, the default cryptographic library used in many software applications (including web servers, operating systems, email, and instant-messaging clients), has been discovered. This vulnerability could make it possible for external parties to mine server memory for data including private encryption keys, passwords, and other credentials. If you are hosting a web server using a vulnerable version of OpenSSL (including most variants of Linux), it is recommended that you:
* Patch the OpenSSL vulnerability
* Revoke and...

Expect a HIPAA Security Audit – But Guess Who Will Conduct It?

Posted by Dan Berger in Main
The 2009 HITECH Act deputized the Office of Civil Rights (OCR) to conduct HIPAA security audits under the auspices of the Department of Health and Human Services (HHS). But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact, several were initially trained by OCR to do so. In the second half of 2013, the Center for Medicare Services (CMS) began conducting audits of eligible...

Mobile Device Management: Protection But Not Panacea

Posted by Dan Berger in Main
A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent risks. Without attention to each link in the chain, vulnerabilities to...

Why Risk an Incomplete HIPAA Risk Assessment?

Posted by Dan Berger in Main
Covered entities and their business associates must conduct periodic HIPAA risk assessments (a.k.a. HIPAA risk analysis) under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program. Both HHS' Office of Civil Rights (OCR) and the Center for Medicare Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead...