The CynergisTek Blog

Read the latest blog posts by CynergisTek’s team of experts related to healthcare security, privacy and compliance. Have a topic that you would like us to cover? Email us to tell us what you are interested in.

Top Blog Posts and Infographics of 2016

There is no denying that 2016 was the year of determining how to respond to healthcare privacy and security threats. Top headlines included everything from ransomware disrupting hospitals’ ability to care for patients, to negligent insiders’ actions compromising patient information, to business associates not securing its customers’ sensitive data. Throughout the year CynergisTek’s subject matter experts wrote several blog posts to address the latest headlines, incidents, threats and regulatory actions in healthcare. Below are some of our top blog posts and the most popular infographic we published.

By |January 3rd, 2017|

2016 HIPAA Privacy & Security Workshop Recap

2016 was a very busy year for healthcare IT professionals. Cyberattacks targeted at provider organizations proved that they have the capability to disrupt operations for prolonged periods of time. These attacks not only cost money to the institutions affected, but also disrupted their ability to treat and serve patients. OCR issued nearly $30M in fines during 2016 and kicked off the next round of HIPAA compliance audits for both covered entities and business associates. To help address these challenges, CynergisTek hosted 27 HIPAA Privacy and Security Workshops in various cities throughout the country.

By |December 19th, 2016|

Designating Hybrid Entity Status Under HIPAA in a University Setting

My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?

By |December 6th, 2016|

CynergisTek’s OCR Mock Audit Service

Verify Your HIPAA Compliance and Test Your OCR Audit Readiness CynergisTek offers an OCR Mock Audit service designed to verify healthcare organizations’ compliance with HIPAA Privacy, Security and Breach Notification Rules, and test

By |December 5th, 2016|

UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.

By |November 23rd, 2016|

Penetration Testing Methodologies: In the Clear

There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.

By |November 23rd, 2016|