On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press. According to HHS Secretary Kathleen Sebelius: "the new rule will help protect patient…
Over the past year, Redspin (along with many others) has reported that breaches of protected health information (PHI) are at epidemic levels. We've all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report "large"…
Redspin now offers a Business Associate Risk Analysis service that helps hospitals and other covered entities understand where their highest BA risk lies so that they can take preventive measures and/or implement contingency plans to mitigate that risk.
ePHI is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear.
What the HIPAA Security Rule and the OCR audit protocols fail to dictate is the comprehensive security testing that is also required to be truly compliant.
With the HIPAA Compliance Audit Protocol published, much of the methodology Redspin has had in place since 2005 has been confirmed as being in line with HIPAA audits.
This is a painful illustration of both the seriousness of protecting patient health data and the challenges that healthcare organizations face in comprehensively addressing IT security risk.
Cyber insurance provides an opportunity to address residual risk in your information security program and to offset the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any security control, it is important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) you'll have to do it anyway; B) the safest approach is to avoid a breach in the first place; C) your risk profile will enable a better-tailored policy.
Redspin's thoughts and insights on Stage 2 after providing security risk analysis (SRA) services to dozens of hospitals for Stage 1 of Meaningful Use.
Covered entities and eligible providers must now address the issue of encryption of "data at rest" as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: "Implement a mechanism to encrypt and decrypt electronic protected health information." However, since it is categorized as an "addressable" implementation specification, it is not specifically mandated.