Tag Archives: compliance

[ISN] What are Top HIPAA Compliance Concerns, Obstacles?

healthitsecurity.com/news/what-are-top-hipaa-compliance-concerns-obstacles
By Elizabeth Snell
Health IT Security
January 25, 2016

Maintaining HIPAA compliance should always be a key area for leaders in the healthcare industry, but as technology continues to evolve, there are numerous factors coming into play that could affect how organizations keep patient data secure. But what type of obstacles are standing in providers’ way? Are there certain difficulties when it comes to HIPAA compliance? We’ve previously discussed the legal perspective on HIPAA regulations, and various experts in the field have claimed that “it’s not a matter of if, but a matter of when” a data breach will take place. Recent OCR HIPAA settlements not only show that size is not a factor when it comes to enforcement, but that organizations need to be mindful of everything from physical safeguards to conducting regular risk assessments. Technical advancements have also proven to be potentially beneficial to covered entities. Whether an organization is looking to implement secure messaging options or potentially invest in cloud storage, privacy and security issues cannot be overlooked. […]


[ISN] Oncology group slapped with $750K HIPAA fine

http://www.healthcareitnews.com/news/oncology-group-slapped-750k-hipaa-fine
By Erin McCann
Managing Editor
Healthcare IT News
September 2, 2015

Healthcare security folks, listen up: Failing to encrypt portable devices and laptops containing patient data could result in a serious HIPAA fine, as one Indiana-based health group can now attest to. Cancer Care Group, a large radiation oncology practice in Indianapolis, is reevaluating its privacy and security practices after it was slapped with a $750,000 HIPAA settlement from the Department of Health and Human Services. It agreed to pay the sum to settle alleged HIPAA violations involving a breach that occurred three years ago. Back in August 2012, Cancer Care reported a HIPAA security breach to the Office for Civil Rights, after unencrypted server backup media and a laptop were stolen from an employee’s car. Officials discovered the device contained the protected health information, Social Security numbers and insurance data for some 55,000 patients. Following an investigation launched by the Office for Civil Rights, the HHS division responsible for investigating HIPAA compliance, it was discovered that even before the breach Cancer Care was in “widespread non-compliance with the HIPAA Security Rule,” HHS said in a Sept. 2 statement. […]


[ISN] Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions

http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-sponsor-amid-new-cyberweapon-restrictions/
By Dan Goodin
Ars Technica
Sep 3, 2015

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits. Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward. “I am left being kind of grumpy now that HP is not involved,” Ruiu told Ars. He said that he plans to organize a scaled-down hacking competition to fill the void at this year’s conference, which is scheduled for November 11 and 12. Pwn2Own has become one of the more closely followed events among security professionals. The hacking competition offers hundreds of thousands of dollars for exploits that target software vulnerabilities found in Windows, OS X, iOS, and Android. Besides highlighting the relative ease of exploiting bugs, the contest allows HP’s Tipping Point division to update its intrusion prevention software with definitions that detect and block such attacks. […]


[ISN] More than 80% of healthcare IT leaders say their systems have been compromised

http://www.computerworld.com/article/2975988/healthcare-it/more-than-80-of-healthcare-it-leaders-say-their-systems-have-been-compromised.html
By Lucas Mearian
Computerworld
Aug 27, 2015

Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said. The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans. Sixty-six percent of the IT executives at healthcare plans who were surveyed said they were prepared to fend off attacks. Based on revenue, larger organizations are better prepared than smaller ones, KPMG said. […]


[ISN] High-Profile Patients Prompt Internal Health Data Breaches

http://healthitsecurity.com/news/high-profile-patients-prompt-internal-health-data-breaches
By Sara Heath
HealthITSecurity.com
August 21, 2015

No matter how many safeguards against hacking and cyberattacks are put into place around hospital records, sometimes hospitals need to protect against their own employees’ nosiness as well. Such was the case for the Carilion Clinic, a not-for-profit clinic located in Roanoke, VA. According to a Roanoke Times report, Carilion has disciplined or fired 14 employees for looking at a high-profile patient file that they had not been given access to. Although Chris Turnbull, a clinic spokesperson, did not identify the employees or the patient whose information was breached, he did explain that patient files tend to be handled by many people in the clinic and that the clinic has compliance officers who monitor the file activity. Whenever an employee accesses the file, the filing system documents the activity and tracks whether the employee had viable cause to access the file. Compliance officers are in charge of tracking privacy concerns by accepting complaints or monitoring high-profile patients. Carilion Clinic is a HIPAA-covered entity and adhered to appropriate disciplinary standards in properly punishing employees or terminating their employment. The Roanoke Times report did not disclose which, or how many, employees were fired. Under HIPAA, these employees may also face criminal prosecution, a $50,000 fine, or a one-year prison sentence. […]


[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html
By Dave Foreman, ECS, Practice Director
Bob’s Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]


[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards
By Elizabeth Snell
Health IT Security
June 26, 2015

HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance. As previously mentioned, HIPAA technical safeguards are an important part of keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential.

What are HIPAA technical safeguards?

The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics. […]


[ISN] Coast Guard Needs Better PHI Security, Says OIG Report

http://healthitsecurity.com/news/coast-guard-needs-better-phi-security-says-oig-report
By Elizabeth Snell
Health IT Security
May 21, 2015

The US Coast Guard (USCG) must do a better job in its PHI security measures, according to a recent report from the Office of the Inspector General (OIG). Specifically, USCG lacks a strong organizational approach to resolving privacy issues, the report stated, which leads to the agency having challenges when it comes to effectively protecting PHI. “We evaluated the safeguards for sensitive personally identifiable information and protected health information (privacy data) maintained by USCG,” OIG explained in its report. “Our objectives were to determine whether the USCG’s plans and activities instill a culture of privacy and whether the USCG ensures compliance with the Privacy Act of 1974, as amended, [HIPAA], and other privacy and security laws and regulations.” OIG outlined five areas that USCG needs to resolve in order to improve its PHI security: […]
