Monthly Archives: January 2011

Managing Business Associate Risk under HIPAA and HITECH

Posted by John Abraham in Main

The bar has been raised on how covered entities manage Business Associates (BAs); the HITECH Act breach notification requirements, penalties for electronic protected health information (ePHI) disclosure, and the expectation that Business Associates be compliant with the HIPAA Security Rule mean that covered entities need to ensure proper due-diligence when managing BAs. In a perfect world, you could do your own security evaluation of each BA or even hire a company like Redspin to perform a HIPAA Risk Analysis to …

Healthcare Web Applications – The Security Achilles Heel (Part 2)

Posted by Dan Berger in Main

Last June, one of my colleagues at Redspin blogged about his concern that security flaws in software applications that house ePHI (electronic protected health information) represent a big threat. We had just completed a security assessment for a client and had found it relatively easy to access their customer portal using a common SQL injection technique. ePHI records represent tempting targets for cyber crime as they typically include a wealth of personal info (name and address, SSNs, credit card numbers, …

Design and Security

Posted by David Bailey in Main

Why is Apple successful? Design. I don’t mean they make great looking hardware. I also don’t mean they make great looking software. Design is much more than looks. Donald Norman’s The Design of Everyday Things goes into detail about how good design is more about usability than looks. In good design, everything just works. Why is most software awful? Let me give you an example: I’m trying to write a document in my editor. I want to make a hyperlink. …

A Light in the Dark for EMR?

Posted by David Bailey in Main

The top complaint I hear about healthcare IT systems when talking with clients is lack of interoperability. Once you pick one vendor for one system, you pretty much have to stick with them for everything. If you want information from one department or system to work with another department or system, everything has to come from the same vendor. The Wall Street Journal recently had a great interview with Eric Schmidt, former Chairman/CEO of Google. In it he touches on …

The Weakest Links

Posted by James Makil in Main

I remember back in the day when I was reading ‘The Art of Deception’ by Kevin Mitnick, in which he said “…the social engineer is able to take advantage of people to obtain information with or without the use of technology”. We all know the reason why someone would want to social engineer their way into a company: because it’s easier than breaking into a firewall or VPN to gain access to the company’s internal network. Many of …

Unreal Repeal: Healthcare Reform and HITECH

Posted by Dan Berger in Main

Last Wednesday, Republicans in the House of Representatives (+3 Democrats) voted to repeal the health-care reforms signed into law by President Obama less than 1 year ago. Although the 245-189 vote made good on a GOP mid-term election promise, it was largely symbolic. The Senate is not likely to consider (much less pass) the bill, nor would it ever get past an Obama veto. Yet, reform of reform is in the air. Spending cuts as the path to deficit reduction …

Getting Started With Corporate iPad and iPhone Mobile Security

Posted by mmarshall in Main

Mobile devices like the iPhone and iPad are a top security concern for 2011. The first step to addressing this risk is to put a security policy in place that addresses mobile devices. We recently released a free Mobile Security Policy template to help folks get started. If you don’t have a mobile security policy yet, use our template to get started. If you already have one in place you can review ours and see if there are any additional …

Twitter Stems Growth of Fast-Spreading Worm

Posted by David Shaw in Main

Twitter feeds have been abuzz with talk of the latest Twitter worm that lures victims into a “scareware” page telling them they have a virus, only to subsequently infect them with real malware. Twitter engineers have done a stellar job reducing the spread of the malware from thousands of results this morning to none this afternoon. The caveat here is that the worm seems to be adjusting from direct links to goo.gl (Google’s URL shortener) links. These may be harder …

How do you really know if your Business Associate is adequately protecting your ePHI?

Posted by perlbot in Main

The HIPAA Security Rule now applies to Business Associates. We anxiously await the final modifications due to be released in March. However, the problem is that your Business Associates have access to your ePHI right now. There really is no time to wait for the auditing requirements in the HITECH Act to be further defined. You’ve identified all your business associates and have contracts in place that require them to protect your data. But what else can you do now …

Business Associates: The HITECH Act requires BAs to be compliant with the HIPAA Security Rule – that’s a good thing.

Posted by John Abraham in Main

Managing vendors and business partners is hard in any industry, but when the data is sensitive ePHI, you are trying to achieve EHR meaningful use and there are penalties like the HITECH Act’s breach notification requirements, it can be even more daunting. Fortunately, one aspect of the HITECH Act can minimize security risk and facilitate managing Business Associates (BAs). Under the HITECH Act Business Associates need to be compliant with the HIPAA Security Rule. According to the HITECH Act Section 13401(a): …