Blogs » The Redspin Report

The latest updates on penetration testing, breaches, and healthcare security.

Web Application Security Assessments – 2013 OWASP Top Ten

Posted on by Jimmy Mesta Posted in Main | Leave a comment
The Open Web Application Security Project (OWASP) Top Ten project is an ongoing resource for application developers, IT professionals, and security experts outlining and identifying some of the most critical risks facing organizations today.  The 2013 release marks the tenth year of the OWASP Top Ten project. Here at Redspin, we utilize the OWASP Top Ten in our Application Security assessments and members of our team have founded an OWASP chapter right here in Santa Barbara!  We have introduced the [ Read More ]

Healthcare IT Security – The "Not So Big Easy"

Posted on by Dan Berger Posted in Main | Leave a comment
HIMSS, the healthcare industry’s standard bearer for the promotion of information technology (IT), held its 13th annual conference in New Orleans last month. Nearly 35,000 people attended the event including former president Bill Clinton, fellow politicos James Carville and Karl Rove, and bow-tied Dr. Farzad Mostashari, HHS’s National Coordinator for Health Information Technology. Interoperability and exchange were the hot topics of the week, further jazzed by the recently announced CommonWell Health Alliance – a 6-party partnership between Cerner, McKesson, Allscripts, [ Read More ]

The Executive Order on Cybersecurity – What Does It Mean for Healthcare?

Posted on by Christopher Campbell Posted in Main | Leave a comment
The much anticipated executive order titled “Improving Critical Infrastructure Cybersecurity” was recently unveiled by the White House. As much praise as the President’s order garnered, there are still many unknowns about how the order impacts not just healthcare but all major industries in the United States. In the era of HIPAA, HITECH, SOX and another dozen regulatory security compliance acronyms how should the order be regarded? Potential, nothing more. To understand what the executive order means and doesn’t mean we [ Read More ]

Did You Miss the HIPAA Omnibus?

Posted on by Dan Berger Posted in Main | 1 Comment
On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press.  According to HHS Secretary Kathleen Sebelius; “the new rule will help protect patient privacy and safeguard patient’s health information in an ever-expanding digital age.” Leon Rodriguez, Director of HHS’ Office of Civil Rights (OCR), described the Omnibus rule-making as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were [ Read More ]

Small PHI Breaches, Big Problems

Posted on by Dan Berger Posted in Main | Leave a comment
Over the past year, Redspin (along with many others), has reported that breaches of protected health information (PHI) are at epidemic levels. We've all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report "large" PHI breaches (defined as those affecting >500 records) to HHS which then publishes those details on its website, the so-called "Wall of Shame." Numerous presentations, news articles, blog posts, and tweets have reported on the most egregious offenses and the [ Read More ]

The ROI of Business Associate Security Risk Management

Posted on by Dan Berger Posted in Main | Leave a comment
I recently presented the case for covered entities to be more proactive in regard to their business associate’s IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of PHI breach among their business associates was “an unknown,” or “very hard to measure” or even “likely to be very high.” After my talk, one CISO said to me “My organization has dozens of business associates. What is the ROI of conducting a risk [ Read More ]

Why PHI Data Security is a Form of Asset Management

Posted on by Dan Berger Posted in Main | Leave a comment
Asset management is broadly defined as any system that monitors and maintains things of value to an entity or group. In regard to safeguarding the security of electronic health records, we often think of it as a custodial responsibility. Healthcare providers safeguard PHI primarily so that the patient confidentiality is not breached. But in fact, that information is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear: [ Read More ]

Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security

Posted on by Jenn Miller Posted in Main | Leave a comment
Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of (HITECH and HIPAA), comply with such requirements.” [ Read More ]

Official HIPAA Compliance Audit Protocol Published

Posted on by Dan Berger Posted in Main | Leave a comment
The Department of Health and Human Services’ Offices for Civil Rights (OCR) have finally published the official protocol and detailed procedures guiding their HIPAA Audit program. The protocol, developed by subcontractor KMPG together with OCR, includes 77 evaluation areas for security and another 88 areas for privacy/breach notification. Here’s a link to the publication which is conveniently keyword searchable. http://ocrnotifications.hhs.gov/hipaa.html Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar Howard Schmidt [ Read More ]

HIPAA Enforcement Heats Up in the Coldest State

Posted on by Dan Berger Posted in Main | Leave a comment
The Health and Human Services (HHS) Office of Civil Rights (OCR) has increased enforcement actions over the past several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year. None of this is particularly surprising. For almost a year now, OCR has signaled that they intend to take their HIPAA enforcement responsibilities seriously and there certainly have been [ Read More ]