Help Me With Hipaa

We often get questions from both the tech staff and security officers about what should be documented regularly and why it should be done.  There are 3 reports you need to get from your tech team on a regular basis IMHO. Today, we will discuss those three reports, why you need them and what to do with them. More at HelpMeWithHIPAA.com/166

One of the discussions you must always be prepared to have is that size does not matter when it comes to privacy and security issues.  Does size matter? Not as much as most people think and not in the ways that most people think either. More at https://HelpMeWithHIPAA.com/165

Want to know how to save money in a data breach?  You have to have a plan before you have the data breach to keep you from making costly mistakes.  Everyone knows a data breach can be expensive but there are studies that show us what makes them more expensive and what helps you save money.  The annual Ponemon cost of a data breach study has been published. IBM sponsors the study each year and it is one of the best tools for us to prepare for the cost of a data breach.  If you have any valuable data at all you should review the report to get an estimate of what the cost of a data breach would be for your organization. Let’s dig into some numbers and add a bit of perspective, shall we?   Go to HelpMeWithHIPAA.com/164 for more details.  

Our most downloaded episode Is from way back in May of 2016.  HIPAA Access Logs Audits was our 54th episode. It is hard to believe it was that long ago!  Today we are doing a deeper dive into how many layers exist when it comes to access logs to see if you have thought of all of them. Which of the logs really matter and what do you do with them? For more go to HelpMeWithHIPAA.com/163

We all live in a world that revolves around communication tools today. Messaging failures are often the reason privacy breaches occur. In fact, we have 3 to share with you today. Messaging failures can occur in ways you never dreamed of until it happens to someone you know - not you, of course.  Today’s episode covers 4 different stories about messaging failures. For more go to HelpMeWithHIPAA.com/162

OCR continues setting examples with the recent announcement of the $4,348,000 civil money penalty (CMP) that they imposed on MD Anderson.  A review of the details shows us once again that the enforcement of HIPAA obligations is not something they decide to do in a willy-nilly way.  It is specific and designed to set examples of what is expected. Most headlines are about that $4.3 million in penalties but to us, that is not what is the most interesting and important thing to note in this case.  More at HelpMeWithHIPAA.com/161

Medical device inventory is a challenge for most organizations.  Just as with computers and mobile devices, though, you can’t understand your risks and security requirements if you don’t know what you have out there.  A medical device treasure hunt is what it turns out to be when you make a dedicated effort to find them all in your organization. How do you find them all and how do you worry about protecting them all? More information at HelpMeWithHIPAA.com/160

It happens out of the blue.  You get a letter that tells you that there has been a complaint filed and an investigation has been opened by OCR.  That may not be the best day of your life. Just the thought of opening one of those letters can make some people feel queasy.  If you have ever experienced that moment you don’t have it high on your lists of things to do again. Let’s review the kinds of things you may be asked to answer when under and investigation. For more go to HelpMeWithHIPAA.com/159

In the past few weeks, the nerd news has been full of network security alerts and discussions about issues potentially lurking on every network, especially smaller ones.  These are not the things we normally worry about either. You usually think Windows, Office, Adobe, etc patches are the main alerts to worry about on your network. These are new alerts that could be in every network you use including home, public wifi, and work. Per usual, we are here to explain them as best we can - in English.  Tech folks you should listen up to what we expect you to be doing for our listeners who rely on you, too. For more information go to HelpMeWithHIPAA.com/158    

Secureworld Atlanta just finished up.  Turns out cyber experts do agree about many of the same issues we discuss here.  Two days of discussions amongst CISOs, ISOs, security techies, etc. about what to worry about and what to do for cyber protections.  Yes, there was a lot of really nerdy discussions but the good news is the central themes do not require geek speak to share with you. Learn more at HelpMeWithHIPAA.com/157

Have you considered that there are other valuable information assets to protect than just PHI?  Most healthcare privacy and security programs only focus on PHI and HIPAA requirements. If you are already doing the work why not include all of your valuable information assets.  It is time to ask yourself what data should we protect?   For more go to HelpMeWithHIPAA.com/156

This time of year many of us think about cleaning out closets and switching seasons.  By clearing out your digital clutter you can double check the security of your devices and reduce your attack surface at the same time.  Plus, it is way easier than cleaning out the old hall closet that may have monsters lurking in the back of it.  Make the time to clean your digital clutter at least once or twice a year and you will feel better for it.  Why not do digital spring cleaning, too? For more go to HelpMeWithHIPAA.com/155

There is a frequent issue with people understanding what a Security Risk Analysis includes. In fact, there is so much confusion we often see documents presented as a risk analysis that is actually a gap analysis. It happens so often that OCR is trying to address it in their April newsletter. We are going to take a stab at explaining what gap analysis reports look like vs what a security risk analysis report really includes when done properly. For more information: HelpMeWithHIPAA.com/154

Back in January, I read an article in Forbes titled: The Five Laws Of Cybersecurity.  When reading it I realized that it was a great message to our listeners but it needed a HIPAA flavor added it to it.  This episode we add our thoughts to his article and turn it into 5 Laws of HIPAA Cybersecurity. For more details HelpMeWithHIPAA.com/153

More news on the insider front makes it necessary to point out, again, how susceptible healthcare is to insider failures. HelpMeWithHIPAA.com/152

The American Medical Association (AMA) did a survey of physicians and their thoughts about privacy and security practices. It was interesting to hear their responses. Also, when a group of Security Officers gets together for a chat some people glaze over.  For nerds like us, it is an exciting discussion. Today we are going to discuss the Security Officer panel topics and the AMA report presentation from the National HIPAA Summit. HelpMeWithHIPAA.com/151

Are you ready for extreme vendor vetting? Many vendors have been pushing back against any covered entity or business associate that asked them to answer questions about their privacy and security programs. They believe signing a business associate agreement (BAA) meets the legal requirements and that is all they must do. Well, the times they are a changing - again.  There are many different factors making it necessary to ask these type questions and not just accept a BAA as reasonable assurances. What are those factors and how things are changing are the topics we discuss in this episode.   For more go to HelpMeWithHIPAA.com/150

The National HIPAA Summit always features some interesting news from OCR concerning guidance, enforcement, and audits.  This year was no different. In this episode, we discuss the highlights as we interpreted them anyway. More at HelpMeWithHIPAA.com/149

Cybersecurity trends sound scary when you hear us talk about some of this stuff.  Cyberscary is actually what we decided to call it.  The good news is we do talk about other things sometimes. There are two reports that came out in recent weeks have gotten my attention and just have to be discussed with you guys. More info at HelpMeWithHIPAA.com/148

Cybersecurity legal requirements keep changing at the state, federal, and international level.  Most of the changes are just trying to keep up with the constantly changing landscape of threats in cyberspace. Today we call in an expert, Mitzi Hill, to talk to us about those cybersecurity legal requirements.  How those changes may impact your business and your privacy and security program is certainly something we don’t want to lose track of in the mix. More information at HelpMeWithHIPAA.com/147