The CynergisTek Blog

Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.

Privacy Issues Unique to Research and Research Institutions

Covered entities deal with many complex privacy and information security issues, but institutions that conduct research have an additional level of complexity. Key to understanding the implications of privacy obligations in research is understanding the multiple regulations that could apply to human subject research.

By |February 27th, 2017|

Death, Taxes … and Breach Reporting

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add a third: reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year, the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017.

By |February 14th, 2017|

HIMSS17 Preview: Hacker Demos

CynergisTek's Senior Penetration Tester John Nye provides a preview of his HIMSS17 hacker demos, "Wireless Worries", "Mobile Devices and Portable Hacks", and "The Problem with Wetware."

By |February 8th, 2017|

Time for Enlightened Leadership on IT Security in 2017

2017 is here, and, like any new year, promises both opportunities and challenges. The question is, what will we do with it? Will it be a year of great progress, one of marking time, or worse yet one of falling further behind? Meeting the cybersecurity challenges of the future is a job for leaders. There should be no doubt that healthcare institutions are under attack on a regular basis now from external threats, while continuing to face the insidious abuse of insiders. As the old saying goes, “they have it coming and going.”

By |January 27th, 2017|

New Year, Same Challenges

If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year with regard to the state of security in healthcare, and cyber attacks were no exception. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through attacks on IT security.

By |January 19th, 2017|

OCR Issues Guidance Emphasizing Importance of Audit Controls

OCR recently published its January Cyber Awareness Newsletter, which provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.

By |January 16th, 2017|

Top Blog Posts and Infographics of 2016

There is no denying that 2016 was the year of determining how to respond to healthcare privacy and security threats. Top headlines included everything from ransomware disrupting hospitals’ ability to care for patients, to negligent insiders’ actions compromising patient information, to business associates failing to secure their customers’ sensitive data. Throughout the year, CynergisTek’s subject matter experts wrote several blog posts to address the latest headlines, incidents, threats and regulatory actions in healthcare. Below are some of our top blog posts and the most popular infographic we published.

By |January 3rd, 2017|

2016 HIPAA Privacy & Security Workshop Recap

2016 was a very busy year for healthcare IT professionals. Cyberattacks targeted at provider organizations proved that they have the capability to disrupt operations for prolonged periods of time. These attacks not only cost money to the institutions affected, but also disrupted their ability to treat and serve patients. OCR issued nearly $30M in fines during 2016 and kicked off the next round of HIPAA compliance audits for both covered entities and business associates. To help address these challenges, CynergisTek hosted 27 HIPAA Privacy and Security Workshops in various cities throughout the country.

By |December 19th, 2016|

Designating Hybrid Entity Status Under HIPAA in a University Setting

My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?

By |December 6th, 2016|