Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

The State of HIPAA Privacy and Security with Mac McMillan

Posted on May 12, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Late last year HIPAA Omnibus went into effect and changed the world of HIPAA as we know it. The consequences of a HIPAA violation for both covered entities and now business associates has gotten more severe and HIPAA audits are becoming a real reality for many healthcare organizations.

I had a chance to sit down with Mac McMillan, co-founder of Cynergistek, to talk about the state of HIPAA privacy and security. We cover a broad range of HIPAA related topics including what an organization should do to make sure they’re HIPAA compliant and ready for any future HIPAA audits. Every organization in healthcare can benefit from watching this interview with Mac McMillan.

About Mac McMillan
For nearly 30 years Mac McMllan has served in senior level positions in both government and industry responsible for security and risk management. In 2003 he co-founded CynergisTek, whose mission is to make quality IT security consulting available and accessible to organizations across industries and regardless of size or complexity.

Why HIPAA isn’t Enough to Keep Patient Data Secure

Posted on March 21, 2014 I Written By

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Takeshi Suganuma
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge to effectively monitor and prioritize security alerts is exacerbated by the changing security threat landscape. Unlike the visible incursions of the past, new attacks employ slow and low strategies. Attackers are often able to sys­tematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate the other critical IT assets.

Hackers are using multiple attack vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination.

Insider threats comprise a significant risk for healthcare organizations. Examples of insider threats include employees who inappropriately access the medical records, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity as insiders have more privileges than an external attacker. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is monitored saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high priority alert.

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours and nor should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operation Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.