Completing a HIPAA Security Risk Analysis well requires executive-team engagement and support and a cross-functional business team. Here’s today’s big tip: don’t throw the project over the transom to the CIO or CISO. It is a much bigger business risk management program, not an “IT project”. Assemble the right cross-functional team and set business risk management goals at the outset. Here’s how…
Archive | December, 2011
Over the past couple of months, it has become very apparent that HIPAA enforcement is in effect and on the upswing, and that the consequences are serious. A recent hire by the Office for Civil Rights (OCR), however, means enforcement may soon ramp up even more.
Did you know that Covered Entities and Business Associates (and, soon, their subcontractors) must consider “security reminders” as part of their security awareness and training programs under the final HIPAA Security Rule (see 45 CFR 164.308(a)(5))? The final rule provides that a “security reminder” includes “periodic security updates” but gives no further guidance on how to meet this requirement.
Healthcare today cannot afford the inefficient practices of the past in managing its many security responsibilities. It is not unusual to find healthcare organizations with multiple service providers for similar monitoring services, or with disparate services that could be managed by one provider. The overhead and inefficiencies can be better managed: for instance, multiple alarm companies for different facilities within one system, as opposed to one provider servicing, maintaining and monitoring all alarm systems. Even where organizations have grown through acquisition and the alarm systems are not all alike, this is still possible. Integrating all physical security controls alone would produce cost savings for many organizations. However, the real savings and benefits are gained when we integrate the physical and the logical security programs.
The HIPAA Security Final Rule, reinforced by the HITECH Act, requires every Covered Entity (CE) and Business Associate (BA), in accordance with the security standards general rules (§164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” Here’s today’s big tip: know the letter and the intent of the regulations; specifically, in this case, know what is required for Risk Analysis and Risk Management. Here’s how…
We are very pleased to announce the launch of the HIPAA-HITECH Blue Ribbon Panel™, a series of monthly live web events featuring healthcare industry experts offering relevant updates and discussing ramifications of the evolving HIPAA-HITECH regulations. Our first live web event is Thursday, July 14 at 5pm ET / 4pm CT / 2pm PT.
How did we possibly live without the Internet? How can one survive in business without a constant connection? We all connect wherever we can, and that’s fine as long as we understand the risks and take precautions when using public WiFi services.
Are you prepared to meet new HIPAA Security Rule compliance requirements mandating a well-defined set of over 50 policies and procedures to manage Administrative, Physical and Technical safeguards for PHI?
Recently, between citizens and security experts, there has been a lot of talk about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn’t […]
As an Information Security professional, I think it is increasingly important to understand the difference between IT Risk and Information Risk. You should also understand the advantages of enabling business strategies by ensuring that you brand each of these risks accordingly. Here are my high-level definitions: IT Risks – The probability that a […]