Lack of Awareness – Still a Barrier to Cybersecurity Effectiveness

A recent study conducted by HIMSS Analytics and reported in the HIPAA Journal indicated that more than 78% of the IT executives, managers, and staff surveyed identified employees’ lack of security awareness as a primary concern – despite 85% of the same survey respondents claiming to have an educational program in place designed to create awareness! Clearly a one-time – or even annual – training program isn’t enough. So how can healthcare executives improve information security awareness withou ...

Cyber Security: Have you hardened your systems?

We perform HIPAA Risk Assessments (Security Risk Analysis) for very small practices to large healthcare organizations, plus business associates that include software, big data, and marketing companies.  We know the focus of the assessment needs to be security; therefore, we run an industry standard (NIST based) scan checking computers for HIPAA compliance.  (NIST stands for National Institute of Standards and Technology) Our findings show that the average covered entity is about 15% compliant and the ...

The greatest threat comes from within

Sometimes it is easy to forget that the greatest threat is from within. In today’s focus on cyber-security world, we tend to focus on keeping people out of our network as a primary method to keep our sensitive data, such as ePHI, safe. While that is incredibly important, we should make sure not to overlook the threat posed by those we do grant access. How much of a threat is it? Well, roughly half of all attacks originate from inside the company - and not all are with malicious intent. Part of the prob ...

Why your Meaningful Use SRA is not enough

Many covered entities had a high level Security Risk Analysis (SRA) performed to "check the box" for meeting the Meaningful Use requirement.  The HHS OCR has now performed enough audits, however, to know that a risk assessment isn't enough - Covered Entities need to take corrective action. With MACRA and HIPAA both requiring an SRA and HIPAA requiring a prioritized list of risks, corrective action plans, and a risk management process, it's time to have a proper risk assessment performed and take cor ...

Missing the HIPAA Target – Part 2

In my previous blog, I stressed compliance is not about being an expert on HIPAA regulations, but being risk management proficient ― the ability to identify vulnerabilities and threats facing your organization, and to take steps to eliminate, minimize or manage them.  I usually refer to the next step as "ownership", but I’m not really a fan of the term.  A common synonym is "possession".  You can own something, but it doesn’t mean you are committed to taking care of it or ensuring a positive ou ...

5 Tips for Creating an Information Security Culture

Engaging clinical staff in information security can be an uphill challenge. For people doing the tangible, social, and physical work of healthcare, a Security Officer’s cautions regarding the invisible threat of cyber-theft can seem like science fiction paranoia. Further, among the healthcare practitioners who do recognize information security as a relevant concern, a substantial number still see it as an “IT issue.”  And finally, as if those barriers weren’t enough, the mere mention of “HIPA ...

One small step for man, one giant leap for privacy!

“To err is human”… a pretty obvious statement. So if we all know we are going to make mistakes, why not add an extra level of security to mitigate the effects of the mistake? I am sure we have all been in the predicament of sending John C. an email, but when we clicked on our contacts list we accidentally sent it to John B. I have conversations constantly with clients and friends about encrypting their email to protect themselves and often get the same set of questions… “Isn’t that e ...

Focus on Security: Special Cyber Security Briefing Event

PLEASE JOIN US ON FRIDAY, MARCH 24TH, 7:30 am -8:30 am Kerby Lane Round Rock, 2120 N Mays St, Round Rock, Tx for a BUSINESS OWNER AND LEADERSHIP BRIEFING on CYBER SECURITY ISSUES THAT ARE IMPACTING SMALL AND MID-SIZED BUSINESSES IN CENTRAL TEXAS Here’s why we think it’s important you attend: We’re seeing story after story of large corporations falling victim to cyber-attacks, but not enough attention is being placed on how small and mid-sized businesses are impacted at even greater freque ...

HIMSS17 – Are medical devices the weak link in cyber security?

According to a post on HIPAA Journal, 60% of healthcare organizations have already introduced networked medical devices into their technical infrastructure. Networked medical devices are the healthcare version of the “internet of things” (IoT) – smart devices that communicate with applications, such as the EHR, and with one another without human intervention. The problem – many medical devices aren’t cyber-secure!  89% of the organizations reporting the use of networked medical devices also repor ...

Missing the Target of HIPAA

Universally when working with new clients, they tell me, “I can’t learn all these HIPAA regulations and requirements.  I don’t have the time or the desire to be an expert on HIPAA!”  My response is, “That is absolutely correct!  You shouldn’t be an expert on HIPAA; that is my job.  What you and all your staff should be is risk management proficient.” Most times that draws the deer-in-the-headlights stare.  Not much comfort is taken from my response. Usually the conversation proceed ...

1 2 3 4 5 6 14