Mac McMillan

About Mac McMillan

Considered a subject matter expert in health information security and regulatory compliance, Mac McMillan is a regular contributor to industry publications and speaker at industry conferences. He was recently recognized by Becker’s Hospital Review as one of the influential leaders in healthcare IT and brings nearly 40 years of experience from both Government and private sector positions.

Time for Enlightened Leadership on IT Security in 2017

2017 is here and, like any new year, promises both opportunities and challenges. The question is, what will we do with it? Will it be a year of great progress, one of marking time, or, worse yet, one of falling further behind? Meeting the cybersecurity challenges of the future is a job for leaders. There should be no doubt that healthcare institutions are now under regular attack from external threats, while continuing to face the insidious abuse of insiders. As the old saying goes, “they have it coming and going.”

When Business Masquerades As Social Conscience

Based on recent news and the headline of this article, you are likely expecting this will be a discussion of the irresponsible actions of the MedSec and Muddy Waters organizations that outed St. Jude Medical by disclosing vulnerabilities in the medical devices they make. Certainly this is not something I condone or support as the right path to an acceptable end, as it raised fears in the people using those devices, gave the criminal element harmful information and quite possibly

When Sam Wasn’t Sam

Let’s look seriously and objectively at the dangers inherent in maintaining current systems of user privileging. Sam was just another network engineer assigned to the server team at the hospital. Each engineer had two sets of credentials, one with and one without elevated privileges, and they had all been told not to use the one with privileges when just accessing the network or routine services such as email. But Sam always liked to do things his own way, and saw

Protecting Information Assets with Data Loss Prevention

The modern healthcare ecosystem is all about data and what we can do with it, which is why Data Loss Prevention (DLP) tools should be on everyone’s list of priority solutions to implement. I used to say that DLP solutions paid for themselves based on their ability to control exfiltration, and therefore reduce the risk of breaches, but these solutions are becoming far more important than that. DLP tools have the ability to help users take control of information and

Same Old, Same Old: Why Are Providers So Far Behind on IT Security?

Last week, the Brookings Institute published a very well-written report that accurately illustrated the current threat environment and identified the specific issues that seem to continue to plague healthcare in its efforts to fight cyber incidents. The shame of it was there was no ‘new’ news. In fact, this week seemed like deja vu as Larry Ponemon published his sixth annual report on healthcare cybersecurity, which unfortunately reflected a lot of the same issues as last year’s, or even the last

Cybersecurity Insurance Coverage

Even before the days of high-profile, massive PHI breaches from Anthem and other health organizations, it was up to cyber insurance companies to pay for damages from data leaks. Since breaches typically cost millions in settlements, mitigation and crisis management, it made sense that health care systems lean on cyber insurance companies to foot the bill.

Improving Health Data Security with a ‘Sandbox’ Approach

When I was a kid just about everyone had a sandbox, and if you didn’t, you wanted a friend who did. Sandboxes were great terrain to fight your toy soldiers on and for building off-road tracks for your Matchbox cars. That of course is not the sandbox I’m talking about today, but the analogy with respect to having one – or wanting one – could very well be one and the same.

Is It Time To Revisit The HIPAA Security Rule?

I’ve not spoken to a single security professional, meaning someone who carries the experience, training and certifications to be called a CISO, who believes that they can adequately protect the healthcare organization they serve by simply being compliant with HIPAA. It’s time we let the air out of that balloon. The last couple of years, and in particular last year, showed everyone that data security in healthcare was no longer for the faint of heart. Securing healthcare today is the

eBay Security Breach: 6 Lessons to Learn

The eBay security breach was announced on May 21, 2014, affecting 145 million users. The hacker(s) were able to gain access to eBay’s network through an employee’s login credentials and reach information such as usernames, passwords, physical addresses, phone numbers, and dates of birth. Passwords were also available to the hacker(s); however, the likelihood of them being compromised is low because the passwords were in an encrypted form.