Security as Part of the M & A Due Diligence Process

Technical and financial due diligence have long been a part of the review performed by an acquiring company prior to a merger or acquisition (M & A). Cyber security has finally become an important business concern, and this requires information security to also be addressed with as much importance. Without appropriate security due diligence, the acquiring company runs the risk of introducing significant business and technology risk into their organization. One doesn’t have to look too hard to see an example where this did not occur; the Verizon acquisition [...]

Healthcare Startups Likely on Compliance Hook for GDPR

By Christopher Gerg, Datica CTO & CSO (Guest Blog Post)

You’ve developed a healthcare application and started that business in the U.S. Check. You work with healthcare data of U.S. citizens. Check. You are in the early stages of funding and building your business. Check. So, what’s the big hoopla over the new European Regulation that goes into effect this month (May 2018) and what does that have to do with your business? GDPR, which is an acronym for the General Data Protection Regulation, developed out of an effort to protect the data privacy of European citizens. Well, Europeans are [...]

Cybersecurity Opportunities in CMS Interagency Group Plans

The Centers for Medicare & Medicaid Services (CMS) recently announced plans to form an interagency group to figure out how to minimize the regulatory barriers of federal anti-kickback laws. While the primary motivation for the formation of this group is to address barriers that have slowed providers’ move to value-based care, this is the perfect opportunity to discuss potential modifications or exemptions to support collaborative healthcare industry cybersecurity efforts. Cybersecurity exemptions and modifications that should be addressed were identified by the HHS Healthcare Cybersecurity Task Force in their 2017 Report on Improving Healthcare Cybersecurity in the Healthcare Industry. Specifically, we [...]

Health Data Security and Risk: An Overview of What Lies Ahead

According to a recent Accenture report on the Cost of Cybercrime, healthcare is fifth on the list for the highest cost of cybercrime with an annualized cost of $12.47 million, with the financial services industry having the highest annualized cost of $18.28 million. The report also notes that while large organizations experience a higher proportion of costs related to malicious code, insiders and Denial of Service attacks, smaller organizations experience a higher proportion of costs related to phishing, social engineering, malware and stolen devices. The report also notes that organizations can recognize significant cost savings by deploying Identity and Access [...]

HHS Healthcare Industry Cybersecurity Task Force Delivers Report to Congress

On June 2, 2017, the HHS Healthcare Industry Cybersecurity Task Force released our final Report on Improving Cybersecurity in the Health Care Industry to Congress. The Task Force report demonstrates the urgency and complexity of the cybersecurity risks facing the health care industry and calls for collaboration between public and private industry to protect our systems and patients from cyber threats. Our Task Force recognized that security issues are patient safety issues. There are six (6) imperatives developed by the Task Force that form the basis for the report. Each imperative includes a set of recommendations and associated action items [...]

Best Practices for Securely Deploying Connected Medical Devices

Medical device security, and the risks associated with those devices, are getting increased attention. A recent article in The Hill highlighted the concern the FDA and private industry have regarding these devices. The FDA has issued both pre- and post-market guidance, with goals to improve the security of connected medical devices in the development and manufacture processes. In March 2017, OWASP, the Open Web Application Security Project, released a set of best practices for securely deploying connected medical devices. The OWASP best practices contain seven high-level categories encompassing thirty-two recommendations:

- Purchasing Controls
- Perimeter Defenses
- Network Security Controls
- Interface and Central Station [...]

How Tech is Changing the Healthcare Customer Experience

A recent Telus International article explored the way big data and tech trends are changing the healthcare customer experience. Specifically, it explored how telemedicine, data-driven medical care, the use of wearables and using this technology for clinical benefit, patient-centered care, and patient privacy issues and concerns about data security will transform the experience for both provider and patient. Prior to the implementation of the HIPAA Privacy and Security Rules, very little attention, if any, was paid to healthcare data privacy by patients. HIPAA, as well as frequent data security breaches, has elevated the concepts of patient data privacy and [...]

Player Data and Wearable Tech Security and Privacy

In a recent New York Times piece, Marc Tracy discussed the implications of the University of Michigan football team’s recent decision to enter into a contract with Nike worth $170 million. A clause in the contract could allow Nike to collect personal data from University of Michigan athletes through wearable technology such as GPS trackers, heart rate monitors and other devices that track and log other biological and personal information. While Tracy reviews the issues associated with athletes’ rights in college sports, I am primarily concerned with the issues of privacy, security and wearable technology. A recent analysis of [...]

HHS Issues Ransomware Guidance

HHS recently issued ransomware guidance clarifying that a ransomware attack involving ePHI (electronic Protected Health Information) is a HIPAA breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised. Ransomware is a type of malicious software that denies access to data, generally by encrypting the data with a private encryption key that is only provided once the ransom is paid. Sometimes the ransomware will steal, destroy or export data from information systems. According to the guidance, since early 2016 there have been, on average, 4,000 ransomware attacks [...]

OCR Crosswalk Between NIST Cybersecurity Framework and the HIPAA Security Rule

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity was issued by President Obama in 2013, and called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to promote risk and cybersecurity management communications. Healthcare and health technology companies must comply with numerous state and federal requirements, including HIPAA. In an effort to help companies improve their cybersecurity strategy, the US Department of Health and [...]

Vulnerability Assessment vs. Penetration Testing—Which One is Right for You?

Many organizations conduct vulnerability assessments, while fewer conduct regular third-party penetration tests. Both are critical components of a Vulnerability and Threat Management program. Vulnerability assessments identify security vulnerabilities in an environment, such as applications, networks, etc. Testing should produce a prioritized list of vulnerabilities, and how to remediate them. The goal is to identify the issues and to help the company direct their resources to the vulnerabilities that introduce the greatest risk to the enterprise. While there are many different definitions of a penetration test, I tend to lean towards a test that aims to breach the information security of [...]

The NIST Cybersecurity Framework

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013, and called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework is voluntary, and is based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure including the CCS CSC, COBIT, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to promote risk and cybersecurity [...]

HITRUST – What it is, Benefits and Determining if it is for Your Company

Among other mandates, Title II of HIPAA defined policies and procedures and provided guidelines for maintaining the privacy and security of individually identifiable health information. Its Administrative Simplification (AS) rules directed the Department of Health and Human Services (HHS) to draft rules aimed at streamlining the health care industry in the use and dissemination of health care information. HHS drafted five (5) baseline rules that make up HIPAA: The Privacy Rule, Transaction and Code Set Rule, the Security Rule, the Unique Identifier Rule, and the Enforcement Rule. In 2009, HIPAA was supplemented by the Health Information Technology for Economic and [...]

Business Associate – What Are Your Obligations?

If your company creates, receives, maintains or transmits Personal Health Information (PHI) on behalf of a Covered Entity and is not a member of the Workforce of the Covered Entity, or is a company that provides accounting, legal, processing or administration, data analysis or aggregation, financial services or something similar that needs PHI to perform the services, then you are a Business Associate. This includes vendors of Personal Health Records (PHRs) that provide the PHR on behalf of a Covered Entity. Cloud services companies such as Amazon Web Services (AWS) are also Business Associates as they receive, maintain and transmit [...]
