2012

The ROI of Business Associate Security Risk Management

November 28, 2012
Redspin
Healthcare Security, HIPAA, Main, Security Risk Management
0 Comments

Redspin now offers a Business Associate Risk Analysis service that helps hospitals and other covered entities understand where their highest BA risk lies so that they can take preventive measures and/or implement contingency plans to mitigate that risk.

Why PHI Data Security is a Form of Asset Management

ePHI is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear

Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security

What the HIPAA Security Rule and the OCR audit protocols fail to dictate is the comprehensive security testing that is also required to truly be compliant.

Official HIPAA Compliance Audit Protocol Published

With the HIPAA Compliance Audit Protocol Published, many of Redspin's methodology in place since 2005 has been confirmed as in line with HIPAA Audits.

HIPAA Enforcement Heats Up in the Coldest State

June 27, 2012
Redspin
Healthcare Security, HIPAA, Main, Security Risk Management
0 Comments

This is a painful illustration of the both the seriousness of protecting patient health data and the challenges that healthcare organizations face in comprehensively addressing IT security risk.

The First Step In Cyber Insurance: Know Your Risk And What You’re Insuring Against.

June 5, 2012
Redspin
Breaches, Healthcare Security, HIPAA, Main, Security Risk Management
0 Comments

Cyber insurance provides an opportunity to address residual risk in your information security program to offset the costs due to a data breach of ePHI. However, individuals polices, coverage and exclusions are highly variable, so just like any security control it's important to understand your security risk profile before an appropriate security insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis should be the first step in any insurance policy strategy. Here's why: A) You'll have to do it anyway, B) The safest approach is to avoid a breach in the first place, C) Your risk profile will enable a better tailored policy.

Redspin Provides Public Comments on Proposed Stage 2 Meaningful Use (NPRM)

May 7, 2012
Redspin
Healthcare Security, HIPAA, Main, Security Risk Management
0 Comments

Redspin's thoughts and insights on State 2 after providing security risk analysis (SRA) services to dozens of hospitals for Stage 1 of Meaningful Use.

Stage 2 Meaningful Use: The Next Step in HIPAA Security Risk Assessments

May 2, 2012
Redspin
Healthcare Security, HIPAA, Main, Security Risk Management
0 Comments

Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv) which reads; "Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

March 17, 2012
Redspin
Breaches, Healthcare Security, HIPAA, Main
1 Comment

Did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefitted from HHS/OCR not being in position to immediately enforce the Breach Rule given that the HITECH Act itself has only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of its PHI data-at-rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

March 8, 2012
Redspin
Breaches, Healthcare Security, HIPAA, Main, Security Risk Management
1 Comment

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end-goal is to enable an organization to calculate how much they should invest to reduce the risk of data breach.

IT Security Blog