Blogs » The Redspin Report

The latest updates on penetration testing, breaches, and healthcare security.

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

Posted on by Dan Berger Posted in Main | 1 Comment
The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication“The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Czar Howard Schultz kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience. The [ Read More ]

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

Posted on by Dan Berger Posted in Main | 1 Comment
On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects [ Read More ]

Stage 2 Meaningful Use – Addressing Encryption/Security

Posted on by Dan Berger Posted in Main | Leave a comment
Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of  hospitals using electronic health records (EHR) has more than doubled in the last two years from 16 to 35 percent.  She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in The Centers for Medicare and Medicaid Services’ (CMS) EHR incentive program. Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment.  The [ Read More ]

Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)

Posted on by Dan Berger Posted in Main | Leave a comment
I wasn't the most popular person around the office printer late yesterday afternoon.  It was right after HHS and CMS finally released the proposed rule for Stage 2 of the EHR Meaningful Use Incentive Program. Earlier in the week, rumors regarding the release of the 445-page document swirled around the HIMSS12 Conference. Perhaps because it was in Las Vegas, Stage 2 seemed to take on its own celebrity status. HIMSS participants arrived early for the 8:30AM "Achieving Meaningful Use Symposium" [ Read More ]

HIPAA Security Risk Analysis. – Are You One Of The 3,300?

Posted on by Dan Berger Posted in Main | Leave a comment
Get 'er Done! I’m referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare & Medicaid Servicesshows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you’re having fun [ Read More ]

How Internal Penetration Testing Can Help Your Organization

Posted on by John Abraham Posted in Main | Leave a comment
Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a [ Read More ]

“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner

Posted on by Dan Berger Posted in Main | Leave a comment
Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the 2009 HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology [ Read More ]

Healthcare IT Security – Who is Responsible, Really?

Posted on by Chris Brown Posted in Main | Leave a comment
In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time prove a process of internal dispute resolutions. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to [ Read More ]

The “Yelp for Security Tools” – SecTools.Org 2011 Update

Posted on by Mark Marshall Posted in Main | Leave a comment
Gordon Lyon, better known by his online alias of Fyodor and as the creator of the very popular (and awesome) tool Nmap has released the results of the Nmap 2010 User Survey which he performs every couple of years. The survey is filled out by members of the Nmap-Hackers mailing list, one of several mailing lists that Fyodor maintains which is made up of many smart minds in the security world. The 2010 survey had more than 3000 participants throw [ Read More ]

Wireless security controls are often too lax for the data they need to protect

Posted on by John Abraham Posted in Main | Leave a comment
At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days [ Read More ]