Category Archives: Main

OpenSSL Vulnerability Discovered

Posted by Dan Berger in Main
A two-year-old vulnerability in OpenSSL--the default cryptographic library used in many software applications (including web servers, operating systems, email, and instant-messaging clients)--has been discovered. This vulnerability could make it possible for external parties to mine server memory for data including private encryption keys, passwords, and other credentials. If you are hosting a web server using a vulnerable version of OpenSSL (including most variants of Linux), it is recommended that you:
* Patch the OpenSSL vulnerability
* Revoke and …

Expect a HIPAA Security Audit – But Guess Who Will Conduct It?

Posted by Dan Berger in Main
The 2009 HITECH Act deputized the Office of Civil Rights (OCR) to conduct HIPAA security audits under the auspices of the Department of Health and Human Services (HHS). But as it turns out, OCR is not the only HIPAA enforcer in town. State attorneys general can claim a similar right to audit; in fact, several were initially trained by OCR to do so. In the second half of 2013, the Center for Medicare Services (CMS) began conducting audits of eligible …

Mobile Device Management: Protection But Not Panacea

Posted by Dan Berger in Main
A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent risks. Without attention to each link in the chain, vulnerabilities to …

Why Risk an Incomplete HIPAA Risk Assessment?

Posted by Dan Berger in Main
Covered entities and their business associates must conduct periodic HIPAA risk assessments (aka HIPAA risk analysis) under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program. Both HHS' Office of Civil Rights (OCR) and Center for Medicare Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead …

The Biggest Oversight in HIPAA Security Risk Assessments – Security!

Posted by Dan Berger in Main
There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work. What is surprising …

How Ethical Hacking Can Bolster Enterprise Security

Posted by Dan Berger in Main
Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might …

Healthcare IT Security Makes Strange Bedfellows

Posted by Dan Berger in Main
UPDATE January 12, 2013: House of Representatives Passes Bill Requiring Additional Security Requirements on the administration of HealthCare.gov

Last week, it was reported that House Majority Leader Eric Cantor (Rep – VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the HealthCare.gov website. With more than 2 million Americans now enrolled in health plans through HealthCare.gov, Cantor believes that a stricter set of data security requirements should …

HIPAA Security: Stage 2 Meaningful Use, Encryption, and Patient Portals

Posted by Dan Berger in Main
A recent interview with Dan Berger, President and CEO, Redspin Inc.

Q. You mention that there is “more focus on the EHR in stage 2”. What kinds of things do you think CMS is really looking for?

A. What I think has happened, in comparison to stage 1 where the onus was really basically on a provider using a certified EHR system in order to be even eligible for an incentive program, I think the onus has moved on to …

60 Days After Discovery: HIPAA Incident Response… and Breach Notification

Posted by David Carlino in Main
All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, followed by a determination as to whether there was a security breach and a subsequent privacy breach, followed by breach notification. Most simply: first the security investigation, next the privacy investigation, and lastly breach notification. In a perfect world... There are many ways that a security or privacy incident can be discovered. …

Web Application Security Assessments – 2013 OWASP Top Ten

Posted by Jimmy Mesta in Main
The Open Web Application Security Project (OWASP) Top Ten project is an ongoing resource for application developers, IT professionals, and security experts outlining and identifying some of the most critical risks facing organizations today. The 2013 release marks the tenth year of the OWASP Top Ten project. Here at Redspin, we utilize the OWASP Top Ten in our Application Security assessments, and members of our team have founded an OWASP chapter right here in Santa Barbara! We have introduced the …