Category Archives: Main

The Biggest Oversight in HIPAA Security Risk Assessments – Security!

Posted by Dan Berger in Main
There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work. What is surprising

How Ethical Hacking Can Bolster Enterprise Security

Posted by Dan Berger in Main
Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might

Healthcare IT Security Makes Strange Bedfellows

Posted by Dan Berger in Main
UPDATE January 12, 2013: House of Representatives Passes Bill Requiring Additional Security Requirements on the administration of Last week, it was reported that House Majority Leader Eric Cantor (Rep – VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the website. With more than 2 million Americans now enrolled in health plans through, Cantor believes that a stricter set of data security requirements should

HIPAA Security: Stage 2 Meaningful Use, Encryption, and Patient Portals

Posted by Dan Berger in Main
A recent interview with Dan Berger, President and CEO, Redspin Inc. Q. You mention that there is “more focus on the EHR in stage 2”. What kinds of things do you think CMS is really looking for? A. What I think has happened, in comparison to stage 1 where the onus was really basically on a provider using a certified EHR system in order to be even eligible for an incentive program, I think the onus has moved on to

60 Days After Discovery: HIPAA Incident Response… and Breach Notification

Posted by David Carlino in Main
All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, followed by a determination as to whether there was a security breach and a subsequent privacy breach, followed by breach notification. Most simply: first the security investigation, next the privacy investigation and lastly breach notification. In a perfect world... There are many ways that a security or privacy incident can be discovered.

Web Application Security Assessments – 2013 OWASP Top Ten

Posted by Jimmy Mesta in Main
The Open Web Application Security Project (OWASP) Top Ten project is an ongoing resource for application developers, IT professionals, and security experts outlining and identifying some of the most critical risks facing organizations today. The 2013 release marks the tenth year of the OWASP Top Ten project. Here at Redspin, we utilize the OWASP Top Ten in our Application Security assessments and members of our team have founded an OWASP chapter right here in Santa Barbara! We have introduced the

Healthcare IT Security – The "Not So Big Easy"

Posted by Dan Berger in Main
HIMSS, the healthcare industry’s standard bearer for the promotion of information technology (IT), held its 13th annual conference in New Orleans last month. Nearly 35,000 people attended the event including former president Bill Clinton, fellow politicos James Carville and Karl Rove, and bow-tied Dr. Farzad Mostashari, HHS’s National Coordinator for Health Information Technology. Interoperability and exchange were the hot topics of the week, further jazzed by the recently announced CommonWell Health Alliance – a 6-party partnership between Cerner, McKesson, Allscripts,

The Executive Order on Cybersecurity – What Does It Mean for Healthcare?

Posted by Christopher Campbell in Main
The much anticipated executive order titled “Improving Critical Infrastructure Cybersecurity” was recently unveiled by the White House. As much praise as the President’s order garnered, there are still many unknowns about how the order impacts not just healthcare but all major industries in the United States. In the era of HIPAA, HITECH, SOX and another dozen regulatory security compliance acronyms, how should the order be regarded? Potential, nothing more. To understand what the executive order means and doesn’t mean we

Did You Miss the HIPAA Omnibus?

Posted by Dan Berger in Main
On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press. According to HHS Secretary Kathleen Sebelius; “the new rule will help protect patient privacy and safeguard patient’s health information in an ever-expanding digital age.” Leon Rodriguez, Director of HHS’ Office of Civil Rights (OCR), described the Omnibus rule-making as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were

Small PHI Breaches, Big Problems

Posted by Dan Berger in Main
Over the past year, Redspin (along with many others), has reported that breaches of protected health information (PHI) are at epidemic levels. We've all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report "large" PHI breaches (defined as those affecting >500 records) to HHS which then publishes those details on its website, the so-called "Wall of Shame." Numerous presentations, news articles, blog posts, and tweets have reported on the most egregious offenses and the