Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health it leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cyber security threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500 which, according to HIMSS is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer.  In its press release covering the survey, it noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns was cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?

Despite Privacy Worries, Consumers Trust Apple With Their Health Data

Posted on August 14, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

These days, everyone seems to want access to consumer health data. We’re talking not just about healthcare companies, but also financial firms, insurance companies and technology giants like Apple, Google and Amazon.

Consumers have every reason to be concerned how their data is used, as companies outside of the healthcare realm, in particular, might use it in ways that make them uncomfortable. After all, these health-related companies may not have to follow HIPAA rules. Not only that, laws that govern data collection of any kind are still evolving on the state and federal level. It’s just not clear where privacy rules for health data are going.

Troubling ambiguities like these may be why 37% of the 1,000-plus people responding to a new Twitter poll said they wouldn’t share their data with anyone. Perhaps they’ve begun to realize that companies like Google could do a lot of harm if they act recklessly with the health data they’re accumulating.

Nonetheless, there’s at least one company they trust more than others with their PHI, according to the poll, which was conducted by a CNBC writer. That company is Apple, says columnist Christina Farr. When asked which companies they trust with the health data, 41% picked Apple. Meanwhile, Google and Amazon came in at 14% and 8% respectively. That’s a pretty big gap.

Why do consumers trust Apple more than other technology companies?  It’s far from clear. But Andrew Boyd, a professor of biomedical and health information sciences at the University of Illinois, suggests that it’s because Apple has taken steps to foster trust. “Apple has done a big push around health and privacy to breed familiarity and comfort,” Boyd told CNBC.

He noted that Apple has announced plans to make aggregated health information available on smartphones. Next, it plans to integrate other medical data, such as lab results, which usually aren’t part of an integrated health record, Farr points out. Apple has also promised users that it won’t sell health data to advertisers or third-party developers.

Ideally, other companies should be following in Apple’s footsteps, suggests health data privacy expert Lucia Savage, who responded to the Twitter poll.

Savage, who is currently serving as chief privacy and regulatory officer at Omada Health, believes that any company that collects health data should at least provide consumers with a summary of the data they collect on their users and promise not to sell it. (She didn’t say so directly, but we know most non-healthcare firms can’t be bothered with such niceties.)

I think we all look forward to the day when every company takes health data privacy seriously. But giants like Google, with effectively infinite resources, are still pushing the envelope, and we can only expect its competitors to do the same thing. Unless consumers mount a massive protest, or there’s a radical change in federal law, I suspect most non-healthcare firms will keep using health data however they please.

Healthcare Security Cartoon – Fun Friday

Posted on August 11, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and school is beginning in a lot of places around the country. I know we’re ready for school to start in our house. They moved it up a couple weeks in Las Vegas and so we had a short summer, but we’re excited for the rhythm that school brings.

The last Friday in summer seems the perfect time for a Fun Friday blog post. This cartoon was shared by Fogo Data centers that highlights the always challenging balance between security and convenience.

Do your security policies seem a bit like this picture? Or do you edge on the other side of too convenient and not secure enough?

Healthcare Cybersecurity Cartoon – Fun Friday

Posted on July 21, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This week’s Fun Friday comes from the #IoMTchat (Internet of Medical Things) and was shared by Rasu Shrestha. This cartoon has so many good elements including the great password sticky note. As in most humor, this isn’t too far from the truth.

Rasu is spot on in his tweet too. Key to cybersecurity in healthcare is understanding employee behaviors and motivators. You’ll never change the culture and improve cybersecurity if you don’t understand your employees’ needs.

One Hospital Faces Rebuild After Brutal Cyberattack

Posted on July 20, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Countless businesses were hit hard by the recent Petya ransomware attack, but few as hard as Princeton, West Virginia-based Princeton Community Hospital. After struggling with the aftermath of the Petya attack, the hospital had to rebuild its entire network and reinstall its core systems.

The Petya assault, which hit in late June, pounded large firms across the globe, including Nuance, Merck, advertiser WPP, Danish shipping and transport firm Maersk and legal firm DLA Piper.  The list of Petya victims also includes PCH, a 267-bed facility based in the southern part of the state.

After the attack, IT staffers first concluded that the hospital had emerged from the attack relatively unscathed. Hospital leaders noted that they are continuing to provide all inpatient care and services, as well as all other patient care services such as surgeries, therapeutics, diagnostics, lab and radiology, but was experiencing some delays in processing radiology information for non-emergent patients. Also, for a while the hospital diverted all non-emergency ambulance visits away from its emergency department.

However, within a few days executives found that its IT troubles weren’t over. “Our data appears secure, intact, and not hacked into; yet we are unable to access the data from the old devices in the network,” said the hospital in a post on Facebook.

To recover from the Petya attack, PCH decided that it had to install 53 new computers throughout the hospital offering clean access to its Meditech EMR system, as well as installing new hard drives on all devices throughout the system and building out an entirely new network.

When you consider how much time its IT staff must’ve logged bringing basic systems online, rebuilding computers and network infrastructure, it seems clear that the hospital took a major financial blow when Petya hit.

Not only that, I have little doubt that PCH faces doubts in the community about its security.  Few patients understand much, if anything, about cyberattacks, but they do want to feel that their hospital has things under control. Having to admit that your network has been compromised isn’t good for business, even if much bigger companies in and outside the healthcare business were brought to the knees by the same attack. It may not be fair, but that’s the way it is.

That being said, PCH seems to have done a good job keeping the community it serves aware what was going on after the Petya dust settled. It also made the almost certainly painful decision to rebuild key IT assets relatively quickly, which might not have been feasible for a bigger organization.

All told, it seems that PCH survived Petya successfully as any other business might have, and better than some. Let’s hope the pace of global cyberattacks doesn’t speed up further. While PCH might have rebounded successfully after Petya, there’s only so much any hospital can take.

A Programmatic Approach to Print Security

Posted on July 17, 2017 I Written By

The following is a guest blog post by Sean Hughes, EVP Managed Document Services at CynergisTek.

Print devices are a necessary tool to support our workflows but at the same time represent an increasing threat to the security of our environment.

Most organizations today have a variety of devices; printers, copiers, scanners, thermal printers and even fax machines that make up their “print fleet”. This complex fleet often represents a wide variety of manufacturers, makes and models of devices critical to supporting the business of healthcare.

Healthcare organizations continue to print a tremendous amount of paper as evidenced by an estimated 11% increase in print despite the introduction of the EHR and other new systems (ERPs, CRMs, etc.). More paper generally means more devices, and more devices means more risk, resulting in increased security and privacy concerns.

Look inside most healthcare organizations today and even those with a Managed Print Services program (MPS) probably have a very disjointed management responsibility of their inventory. Printers are most often the responsibility of IT, copiers run through supply chain with the manufacturer providing support, and fax machines may even be part of Telecommunications. Those organizations that have an MPS provider probably don’t have all devices managed under that program – what about devices in research or off-site locations, or what if you have an academic medical facility or are part of a university?

These devices do have a couple of things in common that are of concern – they are somehow connected to your network and they hold or process PHI.

This fact and the associated risk requires an organization to look at how these devices are being managed and whether the responsibility for security and privacy are being met. Are they part of your overall security program, does your third party manage that for you, do you even know where they all are and what risks are in your fleet today?  If multiple organizations manage, do they follow consistent security practices?

Not being able to answer these questions is a source of concern and probably means that the risk is real. So how do we resolve this?

We need to take a programmatic approach to print and print security to ensure we are addressing the whole. Let’s lay out some steps to accomplish this.

  • Know your environment – the first thing we must do is identify ALL print devices in our organization. This includes printers, scanners, copiers, thermals, and fax machines, whether they are facility owned, third-party managed, networked or local, or sitting in a storage room.
  • Assess your risk – perform a comprehensive security risk assessment of the entire fleet and develop a remediation plan. This is not a one-time event but rather needs to be part of your overall security plan.
  • Assign singular ownership of assets – either through an internal program or a third-party program, the healthcare organization should fold all print-related devices into a single program for accountability and management.
  • Workflow optimization – you probably have millions of dollars of software in your organization that is the source of the output of these devices. Even more was spent securing the environment these applications are housed in, and accessed from, to make sure the data is secure and privacy is maintained. The data in those systems is at its lowest price point, most optimal from a workflow efficiency standpoint, and most secure — yet every time we hit print we multiply the cost, decrease the operational efficiency and increase the risk to that data.
  • Decrease risk – while it is great that we identify all the devices, assess and document risk and develop a mitigation/remediation plan, the goal should be to put controls in place to stem the proliferation of devices and ultimately to begin the process of decreasing the unnecessary devices thereby eliminating the risk associated to those devices.

The concept of trying to reduce the number of printers from a cost perspective is not new to healthcare. However, many have achieved mixed results, even those that have used an MPS partner. The reason that happens is generally because they are focused on the wrong things.

The best way to accomplish a cost-effective print program is to understand what is driving the need or want for printers, and that is volume. You don’t need a print device if you don’t need to print. I know it sounds like I am talking about the nirvana that is the paperless environment but I am not. This is simply understanding what and where is unnecessary to print and eliminating it, thereby eliminating the underlying need for the associated device, and with it the inherent security risk as well as the privacy concern of the printed page. Refocusing on volume helps us to solve many problems simultaneously.

Putting a program in place that provides this visibility, and using that data to make the decisions on device reduction can significantly reduce your current risk. Couple this with security and privacy as part of your acquisition determination, and you can make intelligent decisions that ensure you only add those devices you need, and when you do add a device it meets your security and privacy requirements. More often than not the first line of defense in IT is better management of the environment.

The Fight For Patient Health Data Access Is Just Beginning

Posted on July 11, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

When some of us fight to give patients more access to their health records, we pitch everyone on the benefits it can offer — and act as though everyone feels the same way.  But as most of us know, in their heart of hearts, many healthcare industry groups aren’t exactly thrilled about sharing their clinical data.

I’ve seen this first hand, far too many times. As I noted in a previous column, some providers all but refuse to provide me with my health data, and others act like they’re doing me a big favor by deigning to share it. Yet others have put daunting processes in place for collecting your records or make you wait weeks or months for your data. Unfortunately, the truth, however inconvenient it may be, is that they have reasons to act this way.

Sure, in public, hospital execs argue for sharing data with both patients and other institutions. They all know that this can increase patient engagement and boost population health. But in private, they worry that sharing such data will encourage patients to go to other hospitals at will, and possibly arm their competitors in their battle for market share.

Medical groups have their own concerns. Physicians understand that putting data in patient’s hands can lead to better patient self-management, which can tangibly improve outcomes. That’s pretty important in an era when government and commercial payers are demanding measurably improved outcomes.

Still, though they might not admit it, doctors don’t want to deluge patients with a flood of data which could cause them to worry about inconsequential issues, or feel that data-equipped patients will challenge their judgment. And can we please admit that some simply don’t like ceding power over their domain?

Given all of this, I wasn’t surprised to read that several groups are working to improve patients’ access to their health data. Nor was it news to me that such groups are struggling (though it was interesting to hear what they’re doing to help).

MedCity News spoke to the cofounder of one such group, Share for Cures, which works to encourage patients to share their health data for medical research. The group also hopes to foster other forms of patient health data sharing.

Cofounder Jennifer King told MCN that patients face a technology barrier to accessing such records. For example, she notes, existing digital health tools may offer limited interoperability with other data sets, and patients may not be sure how to use portals. Her group is working to remove these obstacles, but “it’s still not easy,” King told a reporter.

Meanwhile, she notes, almost every hospital has implemented a customized medical record, which can often block data sharing even if the hospitals buy EMRs from the same vendor. Meanwhile, if patients have multiple doctors, at least a few will have EMRs that don’t play well with others, so sharing records between them may not be possible, King said.

To address such data sharing issues, King’s nonprofit has created a platform called SHARE, an acronym for System for Health and Research Data Exchange. SHARE lets users collect and aggregate health and wellness data from multiple sources, including physician EMRs, drug stores, mobile health apps and almost half the hospitals in the U.S.

Not only does SHARE make it easy for patients to access their own data, it’s also simple to share that data with medical research teams. This approach offers researchers an important set of benefits, notably the ability to be sure patients have consented to having their data used, King notes. “One of the ways around [HIPAA] is that patient are the true owners,” she said. “With direct patient authorization…it’s not a HIPAA issue because it’s not the doctor sharing it with someone else. It’s the patient sharing it.”

Unfortunately (and this is me talking again) the platform faces the same challenges as any other data sharing initiative.

In this case, the problem is that like other interoperability solutions, SHARE can only amass data that providers are actually able to share, and that leaves a lot of them out of the picture. In other words, it can’t do much to solve the underlying problem. Another major issue is that if patients are reluctant to use even something as simplified as a portal, they’re not to likely to use SHARE either.

I’m all in favor of pushing for greater patient data access, for personal as well as professional reasons. And I’m glad to hear that there are groups springing up to address the problem, which is obviously pretty substantial. I suspect, though, that this is just the beginning of the fight for patient data access.

Until someone comes up with a solution that makes it easy and comfortable for providers to share data, while diffusing their competitive concerns, it’s just going to be more of the same old, same old. I’m not going to hold my breath waiting for that to happen.

The Petya Global Malware Incident Hitting Nuance, Merck, and Many Others

Posted on July 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The Petya Malware (or NotPetya or ExPetya) has really hit healthcare in a big way. The biggest impact on the healthcare IT world was the damage it caused to Nuance, but it also hit Merck and some other healthcare systems. After a shaky start to their communication strategy, Nuance seems to finally at least be updating their customers who saw a lot of downtime from when it first started on June 28 until now. This rogue Nuance employee account has been pretty interesting to watch as well. There’s a lesson there about corporate social media policies during a crisis.

Petya was originally classified as ransomware, but experts are now suggesting that it’s not ransomware since it has no way to recover from the damage it’s doing. It’s amazing to think how pernicious a piece of malware is that just destroys whatever it can access. That’s pretty scary as a CIO and it’s no surprise that Petya, WannaCry, and other malware/ransomware is making CIOs “cry.”

It’s been eye opening to see how many healthcare organizations have depended on Nuance’s services and quite frankly the vast number of services they offer healthcare. It’s been extremely damaging for many healthcare organizations and has them rethinking their cloud strategy and even leaving Nuance for competitors like MModal. I’m surprised MModal’s social team hasn’t at least tweeted something about their services still being available online and not affected by Petya.

I’ll be interested to see how this impacts Nuance’s business. Nuance is giving away free versions of their Dragon Medical voice recognition software to customers who can’t use Nuance’s transcription business. Long term I wonder if this will actually help Nuance convert more customers from transcription to voice recognition. In the past 5 days, Nuance’s stock price has droppped $1.54 per share. Considering the lack of effective alternatives and the near monopoly they have in many areas, I’ll be surprised if their business is severely damaged.

As I do with most ransomware and malware incidents, I try not to be too harsh on those experiencing these incidents. The reality is that it can and will happen to all of us. It’s just a question of when and how hard we’ll be hit. It’s the new reality of this hyper connected world. Adding to the intrigue of Petya is that it seems to have been targeted mostly at the Ukraine and companies like Nuance and Merck were just collateral damage. Yet, what damage it’s done.

Earlier today David Chou offered some suggestions on how to prevent ransomware attacks that are worth considering at every organization. The one that stands out most to me with these most recent attacks is proper backups. Here is my simple 3 keys to effective backups:

Layers – Given all the various forms of ransomware, malware, natural disasters, etc, it’s important that you incorporate layers of backups. A real time backup of your systems is great until it replicates the malware in real time to your backup server. Then you’re up a creek without a paddle. An off site backup is great until your off site location has an issue. You need to have layers of backup that take into account all of the ways your data could go bad, be compromised, etc.

Simple – This may seem like a contradiction to the first point, but it’s not. You can have layers of backups and still keep the approach simple and straightforward. Far too often I see organizations with complex backup schemes which are impossible to monitor and therefore stop working effectively. The KISS principle is a good one with backups. If you make it too complex then you’ll never realize that it’s actually failing on you. There’s nothing worse than a failed backup when you think it’s running fine.

Test – If you’ve never tested your backups by actually restoring them, then you’re playing russian roulette with your data. It’s well known that many backups complete without actually backing up the data properly. The only way to know if your backup really worked is to do a test restore of the data. Make sure you have regularly scheduled tests that actually restore your data to a backup server. Otherwise, don’t be surprised if and when your backup doesn’t restore properly when it’s really needed. Malware events are stressful enough. Knowing you have a good backup that can be restored can soften the blow.

Backups won’t solve all of your problems related to malware, but it’s one extremely important step in the process and a great place to start. Now I’m going to go and run some backups on my own systems and test the restore.

Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There should be no reason organization’s delay in their efforts to notify patients of a breach. Doing so can be a very expensive prospect. Plus, it’s the right thing to do for the patients.

Compromise Assessments & Penetration Testing in Healthcare

Posted on June 21, 2017 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident involving patient portals is any indication, then the answer is a resounding “yes.”

True Health Diagnostics, a Frisco, TX-based healthcare services company recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patient’s records by accident.  Upon investigating the issue it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and therefore view the medical information of other patients (also known as Forceful Browsing).

This recent event should serve as both a reminder and a warning to healthcare organizations using patient portals that in order to prevent a similar disclosure, implementing (and testing!) safeguards is necessary. There are two different actions an organization can take to either understand the scope of a breach and/or assess their level of security to prevent a disclosure.

Compromise Assessment: Due-Diligence Task

A compromise assessment is a due-diligence task used to verify that an organization hasn’t experienced a security breach. Essentially, it answers the question: “Have we been breached?”

Completed by a group of whitehat hackers or IS professionals, the goal is to access an organization’s various systems and verify if/when they were comprised and estimate the damage/exposure that has/could be done on their customer’s data. By gaining an understanding of the extent of the breach, the organization can in turn create a plan to remedy the issue and notify the appropriate parties of the disclosure.

Penetration Testing: Proactive Approach

In simple terms, conducting a penetration test is a proactive approach to finding any security deficiencies before a breach occurs or hackers find a way in. A penetration test answers to the question “How secure are we?”

By performing an authorized simulated attack, organizations can gain a much greater understanding of their security infrastructure. Although penetration testing alone will not ensure a network is compliant or secure, it will identify gaps between the existence threats and controls that an organization has in place.

Penetration testing has many other benefits, including:

  • Revealing where procedures may be failing – Especially if insecure services are being used for administration or if critical security patches are missing due to inadequate configuration and change management processes/procedures.
  • Exposing poor password policy – Including the use of default or weak passwords, password reuse and use of incremental passwords.
  • Justification to management – For approval of additional security technologies. For example: Showing upper management that penetration testers were able to hack into the system and email the entire customer database.
  • Acts as a “second set of eyes” – Critical if using an independent provider when hosting ePHI/PII.

Interested in more details on penetration testing? Check out HIPAA One’s penetration testing blog post.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.