
Does a HIPAA Security Risk Analysis cover Certification of EHR Technology?

Posted by mmarshall in Main

To qualify for Meaningful Use an organization must use an approved EHR application. The standards that EHR technology must meet to be approved for Meaningful Use are defined in 45 CFR 170.302. We are often asked if our HIPAA Risk Analysis covers certification of their EHR technology to 45 CFR 170.302 (General certification criteria for Complete EHRs or EHR Modules). The short answer is no. That scope of work has already been completed. Here is how the EHR technology certification …

Bank Account Takeover Fraud – Draft FFIEC Guidance

Posted by mmarshall in Main

Account takeover fraud remains a major problem for financial institutions and for the small businesses that are impacted. The FBI recently warned about increased wire transfer fraud to Chinese companies. Typically the hackers compromise the workstation of an employee who has the ability to initiate wire transfers. Once the user logs on to online banking, the hackers steal the credentials and/or take over the user's session. Now that the hackers control the workstation and the account credentials, they initiate a wire transfer from the …

Sony PSN Breach – How Bad Was Their Security? A Look Into Error Messages…

Posted by mmarshall in Main

There is a lot of buzz, based on the congressional testimony, about how lax the security was on the Sony PlayStation Network. Since no sources were cited in the testimony, we wondered if there is publicly available information to corroborate that viewpoint. A bit of digging in some of the public forums turned up some interesting information. It turns out users have periodically reported getting errors when trying to access the PlayStation Network. While the fact that they were unable to access …

How to Apply for Meaningful Use

Posted by mmarshall in Main

If you are an eligible hospital or eligible professional, then meaningful use incentives and qualifying for them are likely top of mind. If you are a vendor of EHR technology, you have been working to get your software certified for meaningful use so your customers can qualify for the incentives. Many organizations are in the midst of a tremendous amount of work to meet meaningful use and qualify for the incentives. Based on our conversations, most organizations have not yet …

PCI DSS Merchant Levels – Tell me again…Who needs a QSA?

Posted by mmarshall in Main

We are regularly asked to explain the PCI merchant levels to customers. The merchant levels are a pretty straightforward grouping of merchants by credit card transaction volume. Each of the card brands (Visa, MasterCard, American Express, Discover and JCB) lists the transaction volumes for the different merchant levels on its website. While all companies that store, process or transmit cardholder data are required to comply with the entire Data Security Standard, how the merchant is required to validate that compliance …

Cloud Computing Security

Posted by mmarshall in Main

Cloud computing seems to be at the forefront of everyone's mind. The promise of increased performance and reduced costs is a compelling story. A major challenge is determining if, or how, cloud computing can be done securely. To that end, NIST recently released two useful documents: one on cloud security best practices and one defining cloud computing. It seems everyone has a different meaning in mind when discussing cloud computing, so it's nice to see NIST taking a stab at defining it. …

Practical Business Associate Risk Management

Posted by mmarshall in Main

As any reasonably sized covered entity will attest, it is not unusual to have hundreds of Business Associates (partners who have access to ePHI). While your own security may be adequate to protect your ePHI, a breach by a Business Associate will have a substantial impact, and the data breach is required to be disclosed. The process of ensuring they are protecting your ePHI is a bit easier now that the HITECH Act mandates that Business Associates must be HIPAA compliant. …

Nasdaq Systems Breached

Posted by mmarshall in Main

Nasdaq has acknowledged that suspicious files were found on some of its systems. The files were apparently a result of hackers gaining access to at least one of their servers.

Getting Started With Corporate iPad and iPhone Mobile Security

Posted by mmarshall in Main

Mobile devices like the iPhone and iPad are a top security concern for 2011. The first step to addressing this risk is to put a security policy in place that addresses mobile devices. We recently released a free Mobile Security Policy template to help folks get started. If you don't have a mobile security policy yet, use our template to get started. If you already have one in place, you can review ours and see if there are any additional …

Penetration Testing IPV6 Networks

Posted by mmarshall in Main

The rumors of IPV4's demise and the impending move to IPV6 have been going around for the last fifteen years. IPV4 defines an address in numerical format, such as 209.85.143.104. With the growth in the number of systems, the folks allocating addresses (ARIN) realized that we were going to run out of address space. Thus we got a new standard called IPV6. An IPV6 address is longer and uses alphanumeric (hexadecimal) characters to provide a nearly inexhaustible supply of addresses. Waiting …