Is Your Security Risk Assessment (SRA) Valid?

We're often told, "I've done a security risk assessment," or "We had one of those done by a company." When we ask if they have 1) an SRA report, 2) a risk management plan with prioritized corrective actions, 3) a disaster recovery plan, 4) an emergency response plan, 5) a breach notification plan, 6) current training in use, and 7) current policies and procedures, we get blank stares. We've also performed SRAs after some of the large, "known" compliance consulting firms have performed an SRA. What ...

HIMSS 2018 – Takeaways

I attended the national HIMSS 2018 conference in Las Vegas a few weeks ago. 43,000+ attendees roaming loose in Vegas, primarily in a few hotels and the Sands Expo Center. It was mayhem. I attended the Cyber Security Symposium all day Monday: six sessions focused on cyber security and best practices. I then attended the keynote speech by Eric Schmidt, the CEO of Alphabet, the parent company of Google. Tuesday was primarily more sessions and a few minutes out in the expo "acres" wandering around trying to ...

After the Risk Assessment, Then What? How Often Do I Need to Check?

As we noted previously, there are numerous requirements for HIPAA compliance. A follow-up question often heard is "How often do I have to do these things?" Risk assessments officially need to be performed on an annual basis, but regularly reviewing your risk remediation plan throughout the year is a business "best practice" for any organization. Policies and procedures need to be reviewed and changed depending upon federal law changes and changes in your organization. New processes, new tec ...

After the Risk Assessment, Then What? Planning for Emergency Events

As we noted previously, there are numerous requirements for HIPAA compliance. Being prepared for future emergency events is often identified in the risk assessment as a HIPAA compliance requirement that needs to be addressed, yet preparing for future events is overlooked by many healthcare entities. Just dealing with the issues of the day can take up the majority of your time. However, being prepared for future events, besides being a HIPAA requirement, also makes good business sense. What HIP ...