The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services) recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and enforcement regarding hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly characterizes the current regulatory compliance efforts by the CMS as lax. While the report is full of interesting statistics about the extent that the hospitals it audited as part of the analysis were … →
HIPAA Security Risk Analysis: Compliance vs Security
Security vs Compliance
As an independent provider of security assessments, we are keenly aware of the 2 primary drivers of an objective security assessment – security or compliance. Roughly, these two views of risk management can be thought of as follows: Security: For organizations in this camp, ensuring that ePHI is protected is mission critical to the business. Any impact to data security would be viewed as negatively impacting business value, whether it be monetary, brand value or customer loyalty, … →
Bank Account Takeover Fraud – Draft FFIEC Guidance
Account takeover fraud remains a major problem for the financial institutions and small businesses that are impacted by it. The FBI recently warned about increased wire transfer fraud to Chinese companies. Typically the hackers compromise the workstation of an employee who has the ability to initiate wire transfers. Once the user logs on to their online banking, the hackers steal the credentials and/or take over the user’s session. Now that the hackers control the workstation and the account credentials, they initiate a wire transfer from the … →
Inspector General Takes ONC to Task Over Lack of General Security Controls
We wouldn’t be so bold as to say “I told you so,” but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the “meaningful use” EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact, just two weeks ago, we offered the following public comments on the Strategic Plan: “Next, the ‘security risk analysis’ identified as Core Measure 15 should be defined as … →
Building Assurance through HIPAA Security, Washington D.C., May 10th-11th
Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference ballroom. The room was packed … →
Public Comments on The Federal Health IT Strategic Plan, 2011-2015
One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology. The Federal Health IT Strategic Plan, 2011-2015, first released in draft form in March 2011, paints a rapidly evolving health IT landscape. It sets 5 overriding goals for “unlocking the vast promise of electronic health information to improve … →
Sony PSN Breach – How Bad Was Their Security? A Look Into Error Messages…
There is lots of buzz based on the congressional testimony on how lax the security was on the Sony PlayStation Network. Since there were no sources cited in the testimony, we wondered if there is publicly available information to corroborate that viewpoint. A bit of digging in some of the public forums turned up some interesting information. It turns out users have periodically reported getting errors when trying to access the PlayStation Network. While the fact that they were unable to access … →
How to Apply for Meaningful Use
If you are an eligible hospital or eligible professional, then meaningful use incentives and qualifying for them are likely top of mind. If you are a vendor of EHR technology, you have been working to get your software certified for meaningful use so your customers can qualify for the incentives. Many organizations are in the midst of a tremendous amount of work to meet meaningful use and qualify for the incentives. Based on our conversations, most organizations have not yet … →
PlayStation Network Hack – What You Don’t Know Can Hurt You
In a press conference late last week, Sony PlayStation Network executives confirmed that the recent hacking incident that exposed personally identifiable information and credit card numbers of all or part of the user database was an exploit of a known vulnerability – just not one known to Sony. The “external intrusion” has left 77 million PlayStation Network and Qriocity users without access to the services or their personal data stored there for the past 10 days. In the press conference, … →