Celebrating Nurses – Cornerstones of the “Human Firewall”

In their roles as both care giver and care coordinator, nurses generate, transmit, transcribe, and interact with enormous amounts of information using a dizzying array of devices. Not surprisingly, nurses play a critical role in keeping patients’ protected health information (PHI) safe. Nurses, you are amazing!!  In the course of a single hospital shift, a hospital nurse may interact with a single patient’s record 10-20 times – or more – depending on the intensity of the care and length o ...

Missing the Target of HIPAA – Part 3

If you haven't read my previous two blogs on this topic I encourage you to do so.  The first blog stresses the importance of being risk management proficient over being a HIPAA “expert”. The second blog deals with being accountable in your work actions, which means not only are you responsible for your actions, but your actions can be independently verified.  These two “factors” can go a long way to protecting your organization from the risks of a breach and from substantial penalties and fine ...

Cybersecurity: Have you hardened your systems?

We perform HIPAA Risk Assessments (Security Risk Analysis) for very small practices to large healthcare organizations, plus business associates that include software, big data, and marketing companies.  We know the focus of the assessment needs to be security; therefore, we run an industry standard (NIST based) scan checking computers for HIPAA compliance.  (NIST stands for National Institute of Standards and Technology) Our findings show that the average covered entity is about 15% compliant and the ...

Why your Meaningful Use SRA is not enough

Many covered entities had a high level Security Risk Analysis (SRA) performed to "check the box" for meeting the Meaningful Use requirement.  The HHS OCR has now performed enough audits, however, to know that a risk assessment isn't enough - Covered Entities need to take corrective action. With MACRA and HIPAA both requiring an SRA and HIPAA requiring a prioritized list of risks, corrective action plans, and a risk management process, it's time to have a proper risk assessment performed and take cor ...

Missing the HIPAA Target – Part 2

In my previous blog, I stressed compliance is not about being an expert on HIPAA regulations, but being risk management proficient ― the ability to identify vulnerabilities and threats facing your organization, and to take steps to eliminate, minimize or manage them.  I usually refer to the next step as "ownership", but I’m not really a fan of the term.  A common synonym is "possession".  You can own something, but it doesn’t mean you are committed to taking care of it or ensuring a positive ou ...

5 Tips for Creating an Information Security Culture

Engaging clinical staff in information security can be an uphill challenge. For people doing the tangible, social, and physical work of healthcare, a Security Officer’s cautions regarding the invisible threat of cyber-theft can seem like science fiction paranoia. Further, among the healthcare practitioners who do recognize information security as a relevant concern, a substantial number still see it as an “IT issue.”  And finally, as if those barriers weren’t enough, the mere mention of “HIPA ...

One small step for man, one giant leap for privacy!

“To err is human”… a pretty obvious statement. So if we all know we are going to make mistakes, why not add an extra level of security to mitigate the effects of the mistake? I am sure we have all been in the predicament of sending John C. an email, but when we clicked on our contacts list we accidentally sent it to John B. I have conversations constantly with clients and friends about encrypting their email to protect themselves and often get the same set of questions… “Isn’t that e ...

HIMSS17 – Are medical devices the weak link in cyber security?

According to a post on HIPAA Journal, 60% of healthcare organizations have already introduced networked medical devices into their technical infrastructure. Networked medical devices are the healthcare version of the “internet of things” (IoT) – smart devices that communicate with applications, such as the EHR, and with one another without human intervention. The problem – many medical devices aren’t cyber-secure!  89% of the organizations reporting the use of networked medical devices also repor ...

Missing the Target of HIPAA

Universally when working with new clients, they tell me, “I can’t learn all these HIPAA regulations and requirements.  I don’t have the time or the desire to be an expert on HIPAA!”  My response is, “That is absolutely correct!  You shouldn’t be an expert on HIPAA; that is my job.  What you and all your staff should be is risk management proficient.” Most times that draws the deer-in-the-headlights stare.  Not much comfort is taken from my response. Usually the conversation proceed ...

HIMSS17 – OCR’s Expectations for HIPAA Compliance

Lessons Learned at HIMSS17 The Office for Civil Rights (OCR) made it clear at HIMSS17 - it’s time for the healthcare industry to take action NOW.  Here are the top messages we heard across multiple presentations by HHS (OCR, CMS), FDA, FTC, law firms, and cyber security firms. The following were made very clear to attendees.  Please note, these are not all from HHS, some were heard multiple times from various sources.  The point is, learn and take action. Ignorance of the HIPAA law is no e ...

1 2 3 4 5 6 7 12