The much-anticipated executive order titled “Improving Critical Infrastructure Cybersecurity” was recently unveiled by the White House. As much praise as the President’s order garnered, there are still many unknowns about how the order impacts not just healthcare but all major industries in the United States. In the era of HIPAA, HITECH, SOX and another dozen regulatory security compliance acronyms, how should the order be regarded? Potential, nothing more.
To understand what the executive
On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press. According to HHS Secretary Kathleen Sebelius: “the new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.” Leon Rodriguez, Director of HHS’ Office of Civil Rights (OCR), described the Omnibus rule-making as “the most sweeping changes to the HIPAA Privacy and Security Rules
Over the past year, Redspin (along with many others) has reported that breaches of protected health information (PHI) are at epidemic levels. We’ve all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report “large” PHI breaches (defined as those affecting more than 500 records) to HHS, which then publishes those details on its website, the so-called “Wall of Shame.” Numerous presentations, news articles, blog posts, and tweets have reported
I recently presented the case for covered entities to be more proactive in regard to their business associates’ IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of PHI breach among their business associates was “an unknown,” “very hard to measure,” or even “likely to be very high.”
After my talk, one CISO said to me, “My organization has dozens of business associates. What is the ROI of conducting a risk analysis on our exposure