Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards. As a result, it may surprise you to know that your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals.

How Bad Is It?

A recent study by the Ponemon Institute revealed that 94% of medical institutions have[…]

At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts and made suggestions about what improved solutions might look like. During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is that we are relying on the wrong people to solve this challenge.

Are People The Problem?

Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN’s and the AP’s Twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are[…]

While the headlines are dominated by tales about recent breaches at Target, Neiman Marcus, and others, those businesses will survive. What about smaller companies? It turns out that just last year, two separate title and escrow companies had to shut their doors after suffering cyber attacks. Leaked emails from a small regional bank resulted in a successful theft of money from a client. And thieves are using the access that small accounting and financial management firms have to individual and corporate bank accounts to steal hundreds of thousands of dollars. What do these incidents all have in common? They are all financial industry firms. And they are all relatively small. Most of them neglected to provide even the minimum viable security[…]

Should Reasonably Have Known

The HIPAA Breach Notification Rule has an interesting turn of phrase: “should reasonably have known”. A company is liable if it reasonably should have known about a breach. So what is reasonable? The latest 2013 rulemaking gives some guidance on that: §164.404(a)(2) expands the standard to “reasonably should have known by exercising reasonable diligence”, and then goes on to define it as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”. It further adds that as soon as a workforce member or other agent has knowledge, or should have had knowledge, of the breach, the clock on notification starts. So, you’ve got some relatively vague definitions of what’s reasonable, and as soon as someone[…]

I was recently directed to an article called First-Hand Experience with a Patient Data Security Breach. It is a really good breakdown of what happens during a breach and the events that follow. It starts with the theft of a laptop from an employee’s car. After the theft was reported, they looked at a recent backup of the machine and learned that the laptop contained data files about healthcare patients. Well, not directly: it contained logs of problems with health information systems, and within those logs were the healthcare records. Oops. While the laptop did not belong to a healthcare provider directly, it still managed to hold files that were important and that potentially could constitute a breach according to[…]

Section §164.308 of the Health Insurance Portability and Accountability Act (HIPAA) covers security management and assigning overall responsibility for security policies to an individual in the organization. This article focuses on the required HIPAA administrative safeguards covered in subsections §164.308(a)(1) and (a)(2), which describe policies and responsibilities. Section (a)(2) is a simple requirement: the organization must identify an individual as the Security Official who is responsible for the policies and procedures that bring the organization into compliance with the law. The Security Official is responsible for communicating these policies effectively to all workforce members. These policies must also cover the workforce and training requirements discussed in section §164.308, which will be covered in a later article. In order to be HIPAA compliant,[…]