Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)

Posted by Dan Berger in Main
I wasn't the most popular person around the office printer late yesterday afternoon. It was right after HHS and CMS finally released the proposed rule for Stage 2 of the EHR Meaningful Use Incentive Program. Earlier in the week, rumors regarding the release of the 445-page document swirled around the HIMSS12 Conference. Perhaps because it was in Las Vegas, Stage 2 seemed to take on its own celebrity status. HIMSS participants arrived early for the 8:30AM "Achieving Meaningful Use Symposium" [ Read More ]

HIPAA Security Risk Analysis – Are You One Of The 3,300?

Posted by Dan Berger in Main
Get 'er Done! I'm referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare & Medicaid Services shows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you're having fun [ Read More ]

How Internal Penetration Testing Can Help Your Organization

Posted by John Abraham in Main
Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let's define internal penetration testing. An internal pen test is a [ Read More ]

“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner

Posted by Dan Berger in Main
Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology [ Read More ]

Healthcare IT Security – Who is Responsible, Really?

Posted by Chris Brown in Main
In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time providing a process for internal dispute resolution. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to [ Read More ]

The “Yelp for Security Tools” – SecTools.Org 2011 Update

Posted by Mark Marshall in Main
Gordon Lyon, better known by his online alias Fyodor and as the creator of the very popular (and awesome) tool Nmap, has released the results of the Nmap 2010 User Survey, which he performs every couple of years. The survey is filled out by members of the Nmap-Hackers mailing list, one of several mailing lists that Fyodor maintains, which is made up of many smart minds in the security world. The 2010 survey had more than 3000 participants throw [ Read More ]

Wireless security controls are often too lax for the data they need to protect

Posted by John Abraham in Main
At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days [ Read More ]

Healthcare Data Breaches – Insider Job, Cybercrime, or Both?

Posted by Dan Berger in Main
As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past 2 years, over 11.8 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable database. Thus many organizations (including Redspin) have published "PHI breach reports" which summarize the data and offer conclusions based on the results of the past [ Read More ]

Happy Birthday Healthcare Breach Notification Rule

Posted by Dan Berger in Main
I wasn’t the only one celebrating a birthday last week. It's been exactly two years since the breach notification rule, mandated by the HITECH Act, took effect. Since then, 330 major health information breaches affecting 11.8 million individuals have been reported to the Department of Health and Human Services' Office for Civil Rights (OCR). And while major breaches are those that impact the largest number of Americans (500 or more per incident), it is worth noting that another 30,500 smaller [ Read More ]

Importing and Working with Nmap Scans in Metasploit Framework 4

Posted by Mark Marshall in Main
Importing Nmap scans directly into Metasploit is one of the best time-saving tricks you can accomplish while using the Metasploit Framework. Once the full Nmap data is happily in your PostgreSQL database and accessible to Metasploit, you can do all kinds of cool things with it that will save you lots of time and frustration on a large penetration test. For this example I'm assuming you've got a fully functional PostgreSQL database already configured and accessible to Metasploit. This is [ Read More ]