There is no denying that 2016 was the year of determining how to respond to healthcare privacy and security threats. Top headlines included everything from ransomware disrupting hospitals’ ability to care for patients, to negligent insiders’ actions compromising patient information, to business associates failing to secure their customers’ sensitive data. Throughout the year CynergisTek’s subject matter experts wrote several blog posts to address the latest headlines, incidents, threats and regulatory actions in healthcare. Below are some of our top blog posts and the most popular infographic we published.
2016 was a very busy year for healthcare IT professionals. Cyberattacks targeted at provider organizations proved capable of disrupting operations for prolonged periods of time. These attacks not only cost the affected institutions money, but also disrupted their ability to treat and serve patients. OCR issued nearly $30M in fines during 2016 and kicked off the next round of HIPAA compliance audits for both covered entities and business associates. To help address these challenges, CynergisTek hosted 27 HIPAA Privacy and Security Workshops in various cities throughout the country.
My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?
Verify Your HIPAA Compliance and Test Your OCR Audit Readiness
CynergisTek offers an OCR Mock Audit service designed to verify healthcare organizations’ compliance with HIPAA Privacy, Security and Breach Notification Rules, and test
The Office for Civil Rights (OCR) sent a notice that warns of a phishing email scam. The email is for an audit notification and appears to be legitimate at first glance, as it is on an HHS letterhead and includes Director Samuels' signature. Please read OCR's notice below to learn what to watch for if you receive this type of email.
The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.
There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.
Our company has many ties to the military and veterans. CynergisTek’s co-founder and CEO Mac McMillan, himself a 21 year veteran of the Marine Corps and former Director of Defense for two Defense Agencies, recently
Based on recent news and the headline of this article, you are likely expecting this will be a discussion of the irresponsible actions of the MedSec and Muddy Waters organizations that outed St. Jude Medical
Background
Around 8:00 p.m. on September 20th, hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then