The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302–318). But with so much recent interest in IT security driven by the “meaningful use” incentive program, we want to share some of our observations and perspectives from recent Redspin client engagements in the healthcare industry. All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. …
Increased Penalties for Healthcare Privacy and Security Violations? Batten Down the Hatches!
The 2009 HITECH Act authorized the Health and Human Resources Office for Civil Rights (HHS OCR) to add teeth to existing security and privacy regulations, and they’ve obviously taken the responsibility seriously. On the same day that HHS OCR imposed a whopping $4.3 million fine on Maryland-based Cignet Health for violating a provision of the HIPAA Privacy Rule, we also learned that HHS OCR intends to tighten healthcare data breach regulations further and to increase financial penalties across the …
8 “Simple” Rules for Protecting PHI
In the popular TV series “8 Simple Rules for Dating My Teenage Daughter,” the rules may have been a bit exaggerated, but they sure made their point. (Rule #1: Use your hands on my daughter and you’ll lose them after.) Likewise, my “8 Simple Rules for Protecting PHI” strike a similar chord – no threats of bodily harm, but certain transgressions may be bad enough to result in personnel sanctions or even loss of employment. This is serious stuff. And …
Healthcare Web Applications – The Security Achilles Heel (Part 2)
Last June, one of my colleagues at Redspin blogged about his concern that security flaws in software applications that house ePHI (electronic protected health information) represent a big threat. We had just completed a security assessment for a client and had found it relatively easy to access their customer portal using a common SQL injection technique. ePHI records represent tempting targets for cybercrime as they typically include a wealth of personal info (name and address, SSNs, credit card numbers, …
Unreal Repeal: Healthcare Reform and HITECH
Last Wednesday, Republicans in the House of Representatives (plus 3 Democrats) voted to repeal the health-care reforms signed into law by President Obama less than 1 year ago. Although the 245-189 vote made good on a GOP mid-term election promise, it was largely symbolic. The Senate is not likely to consider (much less pass) the bill, nor would it ever get past an Obama veto. Yet, reform of reform is in the air. Spending cuts as the path to deficit reduction …
Redspin Chimes In on Meaningful Use
A few days ago, members of the College of Healthcare Information Management Executives (CHIME) testified before a federal panel in Washington, D.C. The hearing was entitled “Real World Experience Working with Meaningful Use.” The panel consisted of members of the Implementation Workgroup of the HIT Standards Committee, who in turn report to David Blumenthal, M.D., HIT’s national coordinator. CHIME representatives shared their direct experiences mainly to convey the challenges hospitals are facing in meeting the HITECH requirements for achieving “meaningful …
The Top 10 Coast-to-Coast
On January 4th, Kroll, a worldwide risk consultancy firm headquartered in New York, released their “top 10 data security issues for 2011.” Two days later, we published Redspin’s “top 10 security issues for 2011.” (I promise, we didn’t read their version first!) So aside from the coincidence, it’s the differences between the two lists that really caught my eye. Maybe it’s an East Coast-West Coast thing. Or maybe they wear their Bruno Maglis a little tight, while we’re sporting Vibram …
“It’s time to get connected,” says David Blumenthal. But make sure your IT security is healthy!
HHS delivered an early Christmas present today with its announcement that registration for the Medicare and Medicaid electronic health record (EHR) system incentive programs opens on January 3rd. Blumenthal, head of the HHS Office of the National Coordinator for Health Information Technology, is urging inter-connectivity for the benefit of patients, providers, payers, employees, the national interest and all mankind. While visions of sugar plums and super information health highways are dancing in his head, let’s take a moment to reflect …