Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of hospitals using electronic health records (EHR) has more than doubled in the last two years from 16 to 35 percent. She also said that 85 percent…
Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv) which reads; "Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.
Did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefitted from HHS/OCR not being in position to immediately enforce the Breach Rule given that the HITECH Act itself has only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of its PHI data-at-rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.
At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end-goal is to enable an organization to calculate how much they should invest to reduce the risk of data breach.
This week's trip to Vegas saw the Stage 2 release being treated like a celebrity viewing party.
The HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan is here to stay! Make sure you are compliant! Redspin's top of the line assessments will set you on the right path.
Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?
Audits are coming.
IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way that provides the businesses with the right information to make decisions is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.
Fyodor is at it again, improving upon one of the go to websites for security experts world wide.