The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25^th, about two weeks from now.  In the news it is often being called “overreaching” and “impractical,” but its objective is to place control of personal data back in the hands of the EU citizens.  Maybe I’m “old school” (aka dinosaur), but I believe in privacy and the ability to protect my data.  Why? Look at these recent events.

Let’s start with the Facebook breach of 85 million users.  Most people joined Facebook to maintain relationships with family and friends.  It’s free and convenient.  But that old saying, “There is no such thing as a free lunch” is really true. Facebook is “free” because they are collecting and selling your data: your likes, dislikes, preferences, habits, and on and on.  No one who joined FB ever thought their data would be illegally used to alter a presidential election.  Or that foreign nations would use the platform to influence our election process using fake news.

A few weeks ago, the news reported that the major DNA testing services such as AncestryDNA and 23AndMe are all collecting their customer’s DNA information and creating massive databases.  People haven’t paid attention to – or chose to ignore – the privacy agreement included in the kit.  And yes, they do state that they can keep and use your data.  What are their plans for the data and these databases? Time will tell.  But if they choose to use your data improperly, the chances of you finding out about it are slim.

Probably the highest profile news item this past month is the possible capture of the Golden State Killer, the most prolific unsolved crime spree in U.S. history.  Why is this included in this blog?  GEDmatch, a very small genetics matching service was key to cracking this case.  People can upload their DNA analysis results into GEDmatch to locate possible relatives.  The police uploaded the DNA information of the Golden State Killer into GEDmatch and searched for possible relatives.  The police traced family trees back to people who lived in the 1800s and reviewed genetic data of several thousand people to arrive at the suspect.  Think about that!  If the police can do that, anyone can, including cyber criminals.  The value and impact of your genetic “fingerprint” has yet to be determined, but I’m confident it will increase over time.

Ten years ago, I could not have imagined how hard I work now to protect my personal information.  I have no doubt in the future I will have to work even harder to protect personal data including my genetic information.  Many companies are building extensive databases on all of us through our day to day activities, such as Facebook and Equifax.  Should I have the right to understand the data being collected about me and how it will be used?  Should I have the right to have my data deleted by a company I choose not to support?  I say yes!  And that is what the European Union General Data Protection Regulations (GDPR) strives to deliver.  By today’s technology standards, GDPR seems far reaching and overbearing because some requirements may not be practical to implement.  Over time however, technology will evolve to solve these limitations.  Facebook has publicly stated it will be GDPR compliant.  As a result of the breach, I requested my Facebook account be deleted and discovered it could take two weeks to delete my account!  That means the deletion is not automatic – people are involved, and it’s possible that all data won’t be deleted.  Yes, I think we need a personal data “undo” button!

If your organization is concerned about GDPR and how it can affect your business, don’t hesitate to contact us at: compliance@thirdrock.com.  We’ve recently added GDPR readiness assessments to our CyberCompass™ software.  Third Rock’s CyberCompass™ software automates and simplifies cyber risk management for companies of all types and sizes.

Protect your Clients. Protect your Organization. Protect Yourself.™

We’re often told, “I’ve done a security risk assessment,” or “We had one of those done by a company.”  When we ask if they have 1) an SRA report, 2) a risk management plan with prioritized corrective actions, 3) a disaster recovery plan, 4) an emergency response plan, 5) a breach notification plan, 6) current training and in use, 7) current policies and procedures; we get blank stares.  We’ve also performed SRAs after some of the large, “known” compliance consulting firms have performed an SRA.  What we find is that they have done a very poor job of actually creating for you, the client, a clear, easy to use, gap analysis of what you must do to protect your data.

First of all, forget about being compliant, that is NOT the goal.  The goal is to protect your clients’ personal data which in turn will protect your business from suffering a costly breach.  How do you protect your clients’ data, you might ask?  Start with a valid security risk assessment that actually checks that you are doing the correct things to protect the valuable data (PHI, PCI, PII, UCI, personal data, etc.)

1. Answer every question honestly.
   1. Make sure you meet the current requirements of HIPAA, HITECH, and the omnibus rule.
      1. Policies and Procedures have to be written or updated after 2013.
      2. Business Associate agreement has to be written or updated after 2013.
      3. An SRA must be performed annually and after each breach occurs.
2. Ask for verification from IT or your MSP about the following:
   1. Actually perform a computer operating system assessment.  This will help you know whether your computers have been hardened and what to correct on each type of operating system.
   2. Proof that the backups can be restored.
   3. An inventory listing of every piece of equipment on the network.
   4. A data flow diagram of every place sensitive data exists; not just where it is known to exist, search and discovery everywhere it exists.
   5. Also note, penetration testing, network inventory, data inventory, network vulnerability testing should all be Standard Operating Procedures, not just part of your assessment.
3. Take the results of the assessment and create an action item list in prioritized order of risk.

Key signs the company is NOT offering you a current, useful or valid Security Risk Assessment

1. It’s performed on paper.  Seriously, it’s 2018.  We’ve had personal computers for over 35 years; we’ve had the web application over 20 years.
2. It’s in a spreadsheet.  A little better, but do they merge all of the questions and provide a prioritized list of corrective actions?  (A risk management plan.)
3. Do they offer any assistance in remediation or do they leave you with a document that you don’t know how to use to improve your data security?

Think before you spend your valuable money on an assessment that won’t help you protect your data.

If your organization needs a security risk assessment, compliance management plan, or cyber security plan; or you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  info@thirdrock.com

Protect your Clients. Protect your Organization. Protect Yourself.™

In our conversations with healthcare practice managers and CIOs – whether at small-to-medium practices, dental offices, outpatient facilities, or hospitals – we’ve found that few leaders feel confident in their organization’s ability to protect against and respond to cyber threats. Managers of smaller organizations have told us “It’s like a monster out there just waiting to get us, and there’s nothing we can do about it.”

Even CIOs at larger organizations who feel confident about having the right technologies and procedures in place admit that they have little interaction with the Compliance Office that manages staff education and little control over mobile devices. The result – they feel exposed, just waiting to see/hear where a breach has occurred.

As a general rule, frightening already frightened people does not promote the kind of thoughtful, proactive behavior required for a sustainable approach to cybersecurity. To get that kind of behavior, organizational leaders and their staff need to feel cyber confident – not just that the IT department is doing its job, but that they themselves feel knowledgeable about the threats they are facing and how to defend against them. So what can leaders do to increase their own cyber confidence and promote a culture of cyber confidence within their organizations?

1. Complete a Security Risk Assessment – Trying to secure your organization without a thorough assessment of its particular vulnerabilities is like trying to diagnose a patient’s illness based on the survey results of “the most common illnesses for men age 35-50.” Organizations face many of the same threats, but the vulnerabilities vary significantly from one organization to the next. The formal Security Risk Assessment is typically a coordinated assessment of all departments in an organization at the same time. 
2. Locate – and document the location – of all your business data. Your business data – customer records, employee records, financial transaction data – should be inventoried as carefully as any other business assets. To ensure that it is protected, you must first know where it is! Again, this is NOT just a job for IT. Mobile devices, printers and fax machines (yes fax machines are still alive and well), medication dispensing machines, and the computer workstations scattered around every department in your organization are all likely repositories of business data. Note the location, serial number, and data types on each device.
3. Train your workforce – Cybersecurity is now part of everyone’s job. Be sure every member of your workforce – including student interns, volunteers, clerical staff, and managers – receives cybersecurity training and can demonstrate the correct procedures for safeguarding customer data. See Ed Jones’ post on How to Grow Cyber Security Awareness Heroes for more detail on this topic. 
4. Implement up-to-date Information Security Policies & Procedures – If you purchase templates, be sure to customize them to accurately reflect the data management practices and technologies at your organization. And purchasing them is not enough – each Policy and Procedure must be implemented. That means making sure every member of the workforce is aware of and understands the policies and procedures that apply to their respective role and that managers or members of the compliance team follow up, observe, and retrain as necessary to ensure they are being followed.
5. Implement a Risk Management Process – A Risk Management Plan is exactly what it sounds like – a plan for addressing each of the risks identified in the Security Risk Assessment. It should cover all departments and be reviewed regularly to assess progress on any corrective actions. We recommend reviewing the plan at least monthly. Integrating the review into monthly staff meetings, if you have them, is a good way to build cybersecurity and risk management into your standard operating procedures. 

It’s true that IT plays a significant role in assessing and securing your organization’s data stores, but everyone plays a role in keeping your organization’s business data secure. Taking these steps to secure the data and address the risks under your own control will have the added benefit of increasing your own cyber confidence and building a culture of cyber confidence.

If your organization needs a security risk assessment, compliance management plan, or cyber security plan; or you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  info@thirdrock.com

Protect your Clients. Protect your Organization. Protect Yourself.™

I attended the national HIMSS 2018 conference in Las Vegas a few weeks ago.  43,000+ roaming loose in Vegas, primarily in a few hotels and the Sands Expo Center.  It was mayhem.  I attended the Cyber Security Symposium all day Monday.  Six sessions focused on cyber security and best practices.  I then attended the keynote speech by Eric Schmidt, the CEO of Alphabet, the parent company of Google. Tuesday was primarily more sessions and a few minutes out in the expo “acres” wandering around trying to get my bearings and locate a few people and vendors.  Wednesday and Thursday were spent seeking partners that we thought might offer beneficial products and services to our customers.  I’ll try to summarize each “section” of the event I experienced, hopefully offering some insight and benefit to you and your organization.

Cyber Security Symposium

First, all of the speakers and presentations were excellent.  HIMSS does a great job finding top notch speakers on relevant topics.

The cyber symposium confirmed our approach here at Third Rock is on track with NIST, GDPR, OCR, and large healthcare CIO/CISOs approach.

High Points / Lessons Learned made throughout the various presentations.

1. It’s about Cyber Risk – Managing it and Correcting Issues
2. Cybersecurity requires a Holistic Approach – People, Process, Technology (BINGO, I think I’ve heard someone/company preaching this.)
3. Perform a Third Party Assessment that includes a cyber security assessment
4. Backups that will restore and not be corrupted/infected/hijacked.
5. Data Inventory – Data Flow – DO IT, NOW!!!
6. Shadow data is a problem – keep on top of it.  (Data the IT dept doesn’t really know about.)
7. Equipment inventory – there are more computers on your network than you think – HONEST
8. Policies & Procedures are necessary and they need to be USED and operational, law firms don’t do this well.
9. Security Play Books – Scripted Scenarios for responding to issues – know what to do before it happens
   1. Like Disaster Recovery Runbooks, but for Breach Response.
10. The NIST CSF is the standard – USE it as the basis, reference.  HITRUST CSF complicates it, why bother.
    1. CSFs are high level guides, you need step-by-step policies and procedures that become standard operating procedures.
11. COMMUNICATE with Executives, Management, ALL departments.  Do NOT ASSUME they know.  They DON’T.
12. Provide daily status, simple color charts
13. Enable, don’t inhibit.
    1. Reduce friction.  Implement Policies and Procedures as beneficial Standard Operating Procedures.
14. Use compliance as a gap analysis (assessment) tool and score card.
15. AUDIT YOUR Business Associates – NOW.
16. Every organization needs a privacy and security leader.
17. If you declare an issue in your risk register (Issues) the OCR will not FINE you.
    1. Almost ALL OCR settlements cited Risk Assessment as a critical lapse of compliance!
    2. Trying to hide you’re mismanagement and lack of cyber security, which is non-compliance, will COST you in fines.
18. Risk Management is how to achieve improved cyber security.
    1. Use Compliance standard (HIPAA, GDPR, NIST 800-171) as the gap analysis and benchmark / scorecard.

Eric Schmidt included a few interesting points in his typical chairman of the board or CEO inspiring talk about what’s to come.

1. MOVE to the CLOUD now!  (Whether it’s google’s, AWS, or a vendor, do it.)  It will save you time, money and improve performance, security and compliance.
2. Embrace new technology, it will allow you to catch-up with the other industries and transform healthcare.  Stop using the fax machine, it’s DEAD.  Harness the power of IT for the benefit of the patient.
3. It was implied that based on history, innovation will come from outside the Healthcare technology giants. It will take consumer focused technology companies to bring real change to healthcare.

What the OCR had to say about HIPAA Compliance Issues and Continued Fines

1. Lack of Security Risk Analysis
2. Lack of Business Associates agreement and auditing of BAs.
3. Lack of Risk Management Plan to Manage Identified Risks, e.g. Encryption
   1. If you don’t have a risk register in prioritized order, your assessment isn’t worth much.
4. Lack of Transmission Security
5. Lack of Appropriate Auditing
6. Lack of Patching of Software
7. Insider Threats
8. Improper Disposal of equipment and media
9. Insufficient Data Backup (inability to restore)
10. Lack of Contingency Planning (and emergency response planning)
11. CMS will start auditing for Disaster Recovering and Emergency Response Plans in May 2018.
    1. Make sure you prioritize the systems based on CIA importance in your DR plan.

Hope some of this info was helpful.

Sign up for our newsletter to see all of the new services and Trusted Alliance Partners Third Rock will be announcing over the next few months.

Protect your Clients. Protect your Organization. Protect Yourself.™

In many organizations, cyber security is perceived as one of those “important-but-not-urgent” issues that keep getting put off in deference to the pressing issues of the day – insurance denials, staffing, readmissions, patient no-shows, supply shortages…the list goes on.  It’s not that organizational leaders are doing nothing. In most organizations, the basic pieces, such as a HIPAA-compliant EHR, firewall, anti-virus software, and staff training, are all in place. It is these very safeguards, though, that can give leaders a false sense of security, making them complacent about day-to-day risk management. For instance, how vigilant are you about each of the following:

1. Reviewing the audit log from your EHR system for suspicious activity – and following up?
2. Reviewing the network activity log and addressing any suspicious patterns?
3. Ensuring that system and facility access for all departing employees is completed at the time of departure?
4. Ensuring that all software patches are implemented asap after release?
5. Regularly reviewing and addressing the issues identified in your Security Risk Assessment (we recommend at least monthly)?
6. Conducting ongoing security training for all members of the workforce (not just once per year)?
7. Applying sanctions to members of the workforce – including physicians – who put information security at risk with unsafe practices?
8. Ensuring the security of new medical devices before deploying them on the network?
9. Documenting and periodically reviewing all “security incidents”?
10. Completing a new Security Risk Assessment after a major organizational, facility or IT change?

Don’t get me wrong – I know it’s hard to do all of this! It requires time, money, and knowledgeable staff.

Here’s my take on overcoming these three very common roadblocks to risk management.

Time – “I don’t have time…My staff doesn’t have time.”

Ask yourself, “When I am breached, where will I find the time to deal with the fallout?” Spending 1-2 hours per week (e.g., first thing every Fri morning) delegating and following up on the issues above could greatly minimize your risk of a breach, the extent of a breach if one happened, and the OCR fine should a breach or random audit occur.

Money – “It costs too much…Those costs shouldn’t come out of my budget – that’s IT’s responsibility.”

Whose budget will pay the breach remediation costs? One medium-sized medical practice (20⁺ providers) spent more than $1 million on patient notifications alone after experiencing a breach. Cyber insurance will cover some of the costs, but most organizations are under-insured and find themselves paying legal fees, increased operational costs, and fines while experiencing decreased revenues due to the negative reputational impact. Don’t be penny wise and pound foolish. Find the money to invest in information security before a breach occurs. And if the accounting system is a barrier, lobby your peers and CFO to make “information security” a line item in everyone’s budget.

Knowledge/Skill – “I don’t know how…My people don’t know how.”

The OCR adheres to the general legal guideline that “ignorance is no excuse.” Numerous free resources are available on the OCR’s website, and multiple vendors offer relatively low-cost HIPAA training courses for clinical staff and compliance officers. There are also service providers that can provide monthly or quarterly cyber security support services if your own IT staff lack that expertise. Teach yourself, go to training, or find someone knowledgeable to help you. Don’t let ignorance keep you from protecting some of your organization’s most valuable assets – your patients’ information and your professional reputation.

Contact us today – 512.310.0020 or info@thirdrock.com for more information on completing a security risk assessment, developing a risk management program, or becoming a Partner to make these or related services available to your clients.

Protect your Patients. Protect your Organization. Protect Yourself!

I recently wrote about insurance companies raising the bar on business to protect their valuable data to acquire cyber liability insurance.  But, it’s not just insurance companies that are raising the bar. Governments around the globe are now requiring all types of companies to be compliant with some type of standard to better protect the data they possess.  What many people don’t realize is these standards are all based on the protection of personal/private/confidential/sensitive/valuable information or data.  Whether it’s HIPAA, NIST 171, GDPR, FISMA, ISO-27001 or another cyber security standard, the goal is to protect the customer or client’s data as a requirement of doing business.  The governments want businesses to make it more difficult for cyber criminals to steal valuable data.  If you look at the core of these various compliance standards you’ll find they all begin by requiring a risk assessment and then move towards a more holistic approach to cyber risk management.

What does holistic approach mean?

When you talk about cybersecurity most people think of software or hardware solutions to protect the systems or data by preventing bad actors from damaging or accessing data.  For example, everyone needs to be running the latest anti-virus with automatic updates turned on.  But the truth is, human error is the cause of over 65% of breaches.  Which means we need to include cybersecurity training as part of our solution.  Since all employees are not the CIO’s responsibility, we now have all department heads involved.  Therefore, we need to start with leadership.  The company leadership needs to make cybersecurity a priority.

What’s the value of your data?

One of the first steps in a cybersecurity program or plan is to identify all valuable data and where it is stored and transmitted.  Many overlook the first part of this, identifying the valuable data.  For example, if you ask most healthcare providers “Which is more valuable on the darkweb, a credit card or a patient record?”, they will respond that the credit card is more valuable.  The fact is the patient record (PHI) is worth 50 times the credit card.  This means healthcare providers with PHI are 50 times more valuable to cyber criminals.  The next part of this is to identify where the PHI resides.  Again, many healthcare providers think that because they use a HIPAA approved EMR (patient management system) they are protected.  But, most have billing personnel that export 100% of the data to a local workstation, then save it in the download folder on the desktop, or on a shared network drive unencrypted.  The PHI is usually saved unencrypted in the browser cache too.  It’s just waiting to be stolen or locked by the criminals.

Why start with an assessment?

Most business owners or managers of smaller companies don’t understand the value of a full Security Risk Analysis or Risk Assessment which is required by most of these compliance standards.  A risk assessment provides you with a list of issues that need to be addressed.  By prioritizing this list you create a risk management plan to address the issues and improve the protection of your valuable data.  As you work through and correct issues you change the culture of your work environment to be more aware of protecting the data and creating a culture of resilience.  Over time the policies and procedures become Standard Operating Procedures for your business.  You simply operate more securely, greatly reducing your likelihood of a breach.

What’s the goal?

So, what’s the goal of all these different compliance standards?  Why does the government care?  Why are the governments sticking their noses in company business?  It’s actually to protect the business!  Protecting the individual’s personal information helps to protect a company’s reputation and maintain the trust of its customers, ultimately keeping the company in business and profitable.

Are you ready to begin protecting your valuable data and creating your own culture of resilience?

Contact us for a third-party Security Risk Assessment: 512.310.0020 or info@thirdrock.com.

Protect your Clients. Protect your Organization. Protect Yourself.™

For decades, healthcare medical devices functioned as freestanding tools. Glucometers, lasers, infusion pumps, pressure monitors, neonatal incubators, heart monitors – each serving its unique function independently of the others. With the widespread implementation of electronic health records (EHRs), however, and the push for increased digitization of health information, these devices have increasingly been networked into the patient information ecosystem.  They now transmit PHI between a myriad of systems including the EHR system, bed management, supply chain management, and billing systems.

The variety and use of these devices have proliferated. The HIMSS Medical Device Security Workgroup reports that hospitals and similar healthcare delivery organizations typically have “300% to 400% more medical equipment than IT devices.” In a study of US hospitals cited in Wired Magazine (3/02/17), ZingBox reported an average of 10-15 connected devices per bed. That translates into approximately 4500 connected medical devices for the average 300-bed community hospital – and up to 75,000 devices for a large metro medical center with 5,000 beds!

Are devices vulnerable to hacking?

To date, the number of medical device breaches and the number of patient records exposed by those breaches has been seemingly negligible when compared to the large-scale data losses due to hacks of healthcare organizations’ primary IT systems or losses of unencrypted mobile devices. But there have been hacks, and there are several reasons to expect medical devices to be increasingly exploited:

• As more medical device developers rely on off-the-shelf operating systems to speed development and/or facilitate integration with other systems, the vulnerabilities of the parent code are transferred to the devices, increasing their vulnerability.
• The increased networking of devices makes them a more attractive target for hackers because they provide additional points of entry to other systems.
• A Trend Micro study found a large number of devices to be discoverable on Shodan, a search engine routine for connected devices.

In fact, a study by Ponemon Institute found that 67% of medical device makers expect an attack on their devices in the next 12 months!

Didn’t the FDA pass regulations to fix this?

Yes – and no, depending on who you ask. The FDA is quoted in many news articles saying that medical device manufacturers are responsible for complying with “quality system regulations” (QSRs), which include requirements for addressing cybersecurity risks, but both law firms and industry executives say the compliance environment remains murky:

• Some devices have been downgraded from “Class III” – high risk and mandatory compliance – to “Class I” – low risk and “unregulated,” though they still could pose a cybersecurity risk.
• Once a device is in use, it’s not clear whether the device manufacturer or the healthcare delivery organization is responsible for continued patching as cyber threats evolve.
• The FDA doesn’t actually test medical devices for their compliance with the QSRs.
• Reporting of device malfunctions, including cybersecurity breaches, to the FDA is voluntary.

Know-how and budget are also factors.

Because cybersecurity of devices is still a relatively new concern in the medical device and healthcare delivery industries, lack of knowledge regarding both the threat and the appropriate risk management responses remains a problem. The ZingBox study also found that 70% of healthcare IT decision-makers believe that the same security solutions used for laptops and servers are sufficient for all their connected medical devices, a misconception that the report goes on to explain.

Despite two-thirds of medical device manufacturers anticipating an attack on their devices, only 15% of study respondents anticipate taking measures to mitigate the risk! Senior executives in the field say it usually comes down to budget and production deadlines. Because cybersecurity protections don’t improve device performance in terms of clinical care, it is often looked upon as a cost. Similarly, when cybersecurity flaws are discovered too far into the development process, decision makers often determine that the rework required to build in the cybersecurity protections is too costly. So devices go to market with known cybersecurity flaws.

So what to do?

As a healthcare delivery organization, you are the gatekeeper between the medical device vendors and patients. Regardless of who is technically at fault for a medical device breach, if a breach were to occur, it would be your patients’ information lost and your reputation damaged!  Thus it is up to you and your organization to set the standard for medical devices coming into your organization and to include medical devices in your annual security risk assessment.

Start by requesting information from your device vendors about each of the device types on your network using the Manufacturer Disclosure Statement for Medical Device Security ((MDS)²) which was collaboratively developed by the National Electrical Manufacturers Association (NEMA) and the Health Information and Management Systems Society (HIMSS).

Finally, if you have questions about assessing the risk of an Internet-connected device or need help completing a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com or 512.310.0020.

With each New Year, we always look back and review the significant events of the previous year.  By all accounts, 2017 was a wild and woolly year!  World and national politics, the stock market, terrorism and acts of mass violence, devastating hurricanes, and forest fires! The digital world saw big changes as well with the repeal of net-neutrality and some major cyber breaches.   The Equifax breach effectively impacted half the population of the United States. Uber affected another 57 million people.  Yahoo announced that 3 billion accounts had been impacted by breaches of their systems.

So, what will 2018 bring?  I’ll wager a few dollars that we’ll see some spectacular breaches this year.  However, I’m willing to guarantee that we’ll see more government regulations to address cybercrime.  Not as a result of Equifax, Uber or any 2017 breach, but by regulations that have already been made into laws and will take effect in 2018.  In fact, it has already happened.  If you are a Department of Defense contractor, and your company has access to Confidential Unclassified Information (CUI), which covers about everything they do, you are subject to new Defense Federal Acquisition Regulations Supplement (DFARS) per NIST SP 800-171 effective January 1^st.  What all that means is if your company does business with the military, you are subject to a set of rules very similar to HIPAA that are designed to protect data important to our Nation’s defense.

Not far behind is GDPR.  Although not well known in the US, it will have major impact on our businesses.  GDPR is the European Union’s General Data Protection Regulation which goes into effect May 25^th this year.  Most companies doing business in Europe are subject to this law and it has far reaching implications.  The focus of the law is the EU citizen’s rights to protection of their personal data.  A person in the EU can make significant demands on a US based business with respect to their data.  Any company selling products and services in the EU is affected.

Lastly, the finance and insurance industry are implementing a new Data Security law which is based on NIST standards and is also very similar to HIPAA.  It is designed to protect our personal data as well.  New York state has adopted the law and other states are following suit.  It is expected to be adopted nationwide this year.

This trend of increased regulations to protect our personal data will continue as companies race to collect more data on each of us.  Google, Amazon, Microsoft, Facebook all collect data about us to generate more revenue.  All have suffered significant breaches in 2017.  I never authorized Equifax to collect my most valuable data and yet I am affected by their incompetence and lack of regard for the welfare of the people whose data they collect.  In 2018, I think we need all the help we can get to protect our data!

If your company collects, processes or stores people’s sensitive data you’ll probably be affected by new regulations that require you to protect that data from loss or theft.  The first step to protecting data is to perform the appropriate security assessment in accordance with the compliance standard for that data.

Do you need help implementing and understanding these new regulations?

Email us at info@thirdrock.com or give us a call at 512.310.0020.  We’d be more than happy to help!

Protect your Clients. Protect your Organization. Protect Yourself.™

MACRA Deadline Approaching – Schedule your SRA today!

In an effort to help medical practices maximize their Medicare reimbursements by meeting MACRA requirements, Third Rock is offering a 20% discount for our Security Risk Assessment package if you schedule your SRA with Third Rock by December 8th.

Our tool, CompassDB, makes doing an SRA fast and easy.

Our package offer includes:

✓ Security Risk Assessment and detailed report
✓ A Security Risk Management consultant available onsite or online
✓ Custom Policies and Procedures
✓ Prioritized Corrective Action Plan
✓ On-demand training for Staff and Compliance Officers
✓ One year access to our online compliance management tool
✓ Remote customer service for one year

Contact Julie Rennecker at 512-310-0020  x113 today to schedule your SRA.

Questions?  Email Julie.Rennecker@thirdrock.com