What to do if you are a Ransomware victim – latest guidance from HHS

In an earlier post, Clint Eschberger explained that the Best Defense Against Ransomware is a Good Backup. So hopefully your backups are in order - multiple, off-site, and tested. In addition to your internal processes for getting your organization back online, the HHS just issued the following guidance for reporting ransomware incidents and obtaining guidance. If your organization is the victim of a ransomware attack, HHS recommends the following steps: Please contact your FBI Field Office ...

After the Risk Assessment, Then What? How Often Do I Need to Check?

As we noted previously, there are numerous requirements for HIPAA compliance. A follow-up question often heard is “How often do I have to do these things?” Risk assessments officially need to be performed on an annual basis, but regularly reviewing your risk remediation plan throughout the year is a business “best practice” for any organization. Policies and Procedures need to be reviewed and changed depending upon federal law changes and changes in your organization. New processes, new tec ...

After the Risk Assessment, Then What? Planning for Emergency Events

As we noted previously, there are numerous requirements for HIPAA compliance. Being prepared for future emergency events is often identified in the Risk Assessment as a HIPAA compliance requirement that needs to be addressed. Preparing for future events is often overlooked by many healthcare entities. Just dealing with the issues of the day can take up the majority of your time. However, being prepared for future events, besides being a HIPAA requirement, also makes good business sense. What HIP ...

HIPAA/HITECH Security Risk Analysis Myths and Facts

As we continue to work with more health care providers, covered entities, and business associates we see confusion about HIPAA/HITECH compliance requirements. Some providers are even in denial. They believe they are being compliant by just having staff take short on-line "HIPAA" training courses. But that falls well short of what is required to be compliant, and many of these on-line training courses are not up to date with current HIPAA regulations, nor do they cover cyber-security, which is now a must h ...

Road Blocks to Creating Your Contingency Plan

Why Everyone Needs Help Creating a BC/DR (Contingency) Plan

Creating a contingency plan is a huge undertaking. It’s a major project for any company, small or large; an integration effort which requires a large amount of time from experts across the company and often outside the company, including executives, managers, staff, vendors and consultants. While creating a contingency plan for a large health care provider I realized part of the pro ...

BCDR is the operations plan

I have been involved with assessing Business Continuity and Disaster Recovery (BCDR) plans and their development for over 25 years. It always seems that DR planning is an afterthought and starts with system backups. Typically, companies build out their IT infrastructure based on the business requirements. When it's finished someone asks, "How do we recover this if something bad happens?" That's not 100% true, but most companies don't really plan well for a major disaster. The proliferation of netw ...