Category Archives: Main

Largest HIPAA Compliance Settlement – A Prescription for IT Security Health

Posted by Dan Berger in Main
The key to Redspin’s rapid rise as the leader in HIPAA compliance for healthcare providers has been our unyielding focus on IT security. Last week’s news that OCR had reached a $4.8 million settlement agreement with New York-Presbyterian Hospital and Columbia University Medical Center relating to HIPAA compliance violations further affirms our position. What started as an investigation of a 6,800-record ePHI breach became a multi-million dollar black eye for those providers. At the source of the breach was an [ Read More ]

OpenSSL Vulnerability Discovered

Posted by Dan Berger in Main
A two-year-old vulnerability in OpenSSL, the default cryptographic library used in many software applications (including web servers, operating systems, email, and instant-messaging clients), has been discovered. This vulnerability could make it possible for external parties to mine server memory for data including private encryption keys, passwords, and other credentials. If you are hosting a web server built against a vulnerable version of OpenSSL (OpenSSL ships with most Linux distributions), it is recommended that you:

* Patch the OpenSSL vulnerability
* Revoke and [ Read More ]

Expect a HIPAA Security Audit – But Guess Who Will Conduct It?

Posted by Dan Berger in Main
The 2009 HITECH Act deputized the Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), to conduct HIPAA security audits. But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact, several were initially trained by OCR to do so. In the second half of 2013, the Centers for Medicare & Medicaid Services (CMS) began conducting audits of eligible [ Read More ]

Mobile Device Management: Protection But Not Panacea

Posted by Dan Berger in Main
A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent risks. Without attention to each link in the chain, vulnerabilities to [ Read More ]

Why Risk an Incomplete HIPAA Risk Assessment?

Posted by Dan Berger in Main
Covered entities and their business associates must conduct periodic HIPAA risk assessments (also called HIPAA risk analyses) under the HIPAA Security Rule and the Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program. Both HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead [ Read More ]

The Biggest Oversight in HIPAA Security Risk Assessments – Security!

Posted by Dan Berger in Main
There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the corresponding Meaningful Use requirements prescribe the exact form or format of a HIPAA security risk analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work. What is surprising [ Read More ]

How Ethical Hacking Can Bolster Enterprise Security

Posted by Dan Berger in Main
Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might [ Read More ]

Healthcare IT Security Makes Strange Bedfellows

Posted by Dan Berger in Main
UPDATE January 12, 2014: The House of Representatives has passed a bill requiring additional security requirements on the administration of the website.

Last week, it was reported that House Majority Leader Eric Cantor (R-VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements imposed on the Obama Administration in regard to the website. With more than 2 million Americans now enrolled in health plans through the website, Cantor believes that a stricter set of data security requirements should [ Read More ]

HIPAA Security: Stage 2 Meaningful Use, Encryption, and Patient Portals

Posted by Dan Berger in Main
A recent interview with Dan Berger, President and CEO, Redspin Inc.

Q. You mention that there is “more focus on the EHR in stage 2”. What kinds of things do you think CMS is really looking for?

A. What I think has happened, in comparison to stage 1, where the onus was really basically on a provider using a certified EHR system in order to be even eligible for an incentive program, I think the onus has moved on to [ Read More ]

60 Days After Discovery: HIPAA Incident Response… and Breach Notification

Posted by David Carlino in Main
All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, then a determination as to whether there was a security breach and a subsequent privacy breach, and finally breach notification. Most simply: first the security investigation, next the privacy investigation, and lastly breach notification. In a perfect world... There are many ways that a security or privacy incident can be discovered. [ Read More ]