The Redspin Report

The latest updates on penetration testing, breaches, and healthcare security.

The ROI of Business Associate Security Risk Management

Posted by Dan Berger in Main
I recently presented the case for covered entities to be more proactive in regard to their business associates’ IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of PHI breach among their business associates was “an unknown,” or “very hard to measure” or even “likely to be very high.” After my talk, one CISO said to me “My organization has dozens of business associates. What is the ROI of conducting a risk …

Why PHI Data Security is a Form of Asset Management

Posted by Dan Berger in Main
Asset management is broadly defined as any system that monitors and maintains things of value to an entity or group. In regard to safeguarding the security of electronic health records, we often think of it as a custodial responsibility. Healthcare providers safeguard PHI primarily so that patient confidentiality is not breached. But in fact, that information is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear: …

Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security

Posted by Jenn Miller in Main
Many healthcare organizations breathed a collective sigh of relief when the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made its HIPAA audit protocol publicly available this past June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of (HITECH and HIPAA), comply with such requirements.” …

Official HIPAA Compliance Audit Protocol Published

Posted by Dan Berger in Main
The Department of Health and Human Services’ Office for Civil Rights (OCR) has finally published the official protocol and detailed procedures guiding its HIPAA Audit program. The protocol, developed by subcontractor KPMG together with OCR, includes 77 evaluation areas for security and another 88 areas for privacy/breach notification. Here’s a link to the publication, which is conveniently keyword searchable: http://ocrnotifications.hhs.gov/hipaa.html Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar Howard Schmidt …

HIPAA Enforcement Heats Up in the Coldest State

Posted by Dan Berger in Main
The Health and Human Services (HHS) Office for Civil Rights (OCR) has increased enforcement actions over the past several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year. None of this is particularly surprising. For almost a year now, OCR has signaled that it intends to take its HIPAA enforcement responsibilities seriously, and there certainly have been …

The First Step In Cyber Insurance: Know Your Risk And What You’re Insuring Against.

Posted by John Abraham in Main
Cyber insurance provides an opportunity to address residual risk in your information security program and to offset the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any security control, it's important to understand your security risk profile before an appropriate security insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: You'll have …

Redspin Provides Public Comments on Proposed Stage 2 Meaningful Use (NPRM)

Posted by Dan Berger in Main
Redspin has provided security risk analysis (SRA) services to dozens of hospitals, helping them meet Core Measure 14 of the Stage 1 Meaningful Use EHR Incentive Program. As one of the leading experts in IT security, we take a comprehensive approach to these engagements. As such, our primary focus is to help our clients truly safeguard PHI from data breach by expanding beyond a strict interpretation of the Stage 1 Rule. It is from that vantage point that we are …

Stage 2 Meaningful Use: The Next Step in HIPAA Security Risk Assessments

Posted by Dan Berger in Main
At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), …

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

Posted by Dan Berger in Main
The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Czar Howard Schmidt kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience. The …

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

Posted by Dan Berger in Main
On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The Honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects …