The Redspin Report

The latest updates on penetration testing, breaches, and healthcare security.

Redspin Provides Public Comments on Proposed Stage 2 Meaningful Use (NPRM)

Posted by Dan Berger in Main
Redspin has provided security risk analysis (SRA) services to dozens of hospitals, helping them meet Core Measure 14 of the Stage 1 Meaningful Use EHR Incentive Program. As one of the leading experts in IT security, we take a comprehensive approach to these engagements. As such, our primary focus is to help our clients truly safeguard PHI from data breach by expanding beyond a strict interpretation of the Stage 1 Rule. It is from that vantage point that we are […]

Stage 2 Meaningful Use: The Next Step in HIPAA Security Risk Assessments

Posted by Dan Berger in Main
At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), […]

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

Posted by Dan Berger in Main
The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Czar Howard Schmidt kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience. The […]

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

Posted by Dan Berger in Main
On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The Honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects […]

Stage 2 Meaningful Use – Addressing Encryption/Security

Posted by Dan Berger in Main
Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of hospitals using electronic health records (EHR) has more than doubled in the last two years, from 16 to 35 percent. She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in the Centers for Medicare and Medicaid Services’ (CMS) EHR incentive program. Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment. The […]

Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)

Posted by Dan Berger in Main
I wasn't the most popular person around the office printer late yesterday afternoon. It was right after HHS and CMS finally released the proposed rule for Stage 2 of the EHR Meaningful Use Incentive Program. Earlier in the week, rumors regarding the release of the 445-page document swirled around the HIMSS12 Conference. Perhaps because it was in Las Vegas, Stage 2 seemed to take on its own celebrity status. HIMSS participants arrived early for the 8:30AM "Achieving Meaningful Use Symposium" […]

HIPAA Security Risk Analysis – Are You One Of The 3,300?

Posted by Dan Berger in Main
Get 'er Done! I’m referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85% and 90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare & Medicaid Services shows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you’re having fun […]

How Internal Penetration Testing Can Help Your Organization

Posted by John Abraham in Main
Every IT department faces the challenge of having to apply limited resources (headcount, technology, third-party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? Since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a […]

“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner

Posted by Dan Berger in Main
Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the 2009 HITECH Act. In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology […]

Healthcare IT Security – Who is Responsible, Really?

Posted by Chris Brown in Main
In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time providing a process for resolving internal disputes. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and of reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to […]