Healthcare Information Security Podcast

In discussing Colorado's foray into cloud computing, Colorado Chief Information Security Officer Seth Kulakow discusses the demands the cloud presents governments and offers advice for IT security professionals on building their careers.

Federal HIPAA privacy and security rule compliance audits of healthcare organizations and their business associates likely will start later this year, says Susan McAndrew, deputy director for privacy in the HHS Office for Civil Rights.

HealthcareInfoSecurity Week in Review: May 8, 2010

Reacting to physician demand, one of the nation's largest malpractice insurers now offers coverage of expenses associated with healthcare information breaches. In an exclusive interview, Bill Fleming, assistant vice president at The Doctors Company, describes the new Cyberguard program, which provides coverage of the costs involved in: Defending cases involving unauthorized access to information; Regulatory enforcement action by federal or state agencies; Notifying patients of breaches as required under the HITECH Act; Offering patients free credit monitoring services; and

'I Wanted to Prosecute Hackers' Kim Peretti, former senior counsel with the Department of Justice, led the successful prosecution to put TJX/Heartland conspirator Albert Gonzalez and his co-conspirators behind bars. In an exclusive interview she discusses: How she started her career; Keys to her success; Advice to young professionals just starting out "I hadn't thought of criminal law, but I was very interested in seeing what I could do in prosecuting hackers."

A review of this week's top news items, including: Red Flags: Preventing ID Theft Breach List to Name Solo Practices HIPAA Violation Leads to Prison Term After listening to this overview, be sure to check out all of the week's news and views at HealthcareInfoSecurity.com

HIPAA enforcement was the top news story in April. Listen to this audio for an overview of the month's top news items, including: HIPAA Audits Inching Closer to Reality CIO John Glaser: Encryption a Priority When Will PHR Rules be Ready?

Before healthcare organizations can prepare to comply with the HITECH breach notification rule, they must understand its complex details. In an exclusive interview, attorney Deven McGraw sorts through the major provisions in laymen's terms.

Social networking provides physicians with an effective way to communicate with patients without raising security concerns, says Jeff Livingston, M.D.

Interview with Allan Bachman of the Association of Certified Fraud Examiners The magnitude of fraud schemes has grown - the scale and the losses. But the basics of fraud investigation remain sound. And if there's one thing people should know up front, says Allan Bachman of the Association of Certified Fraud Examiners (ACFE), it's this: "In their initial stages, fraud and stupidity look an awful lot alike." In other words, an investigator who stumbles upon what appears to be just a stupid mistake might want to dig further. Stupidity often ends up being cleverly disguised fraud, Bachman says. In an interview with Editorial Director Tom Field, Bachman discusses: Current fraud trends; When a breach becomes an actual investigation; What it takes to be a fraud examiner today. Bachman, CFE, MBA, is responsible for seminar development and the educational content of all ACFE conferences and online learning. Most recently he worked in Higher Education as director of an audit unit and was project manager on severa

All healthcare organizations should create a detailed plan for meeting the requirements of the HITECH breach notification rule, says attorney Gerry Hinkley.

For physician group practices, security should not be an afterthought to operational issues when implementing electronic health records, says security expert Jack Daniel of Concordant.

A review of this week's top news items, including: Breach Alert: Copiers Are a Risk HITECH Act Compliance for Business Associates Privacy Concerns a Roadblock to PHRs After listening to this overview, be sure to check out all of the week's news and views at HealthcareInfoSecurity.com

Healthcare organizations must revamp their business associate contracts to help ensure compliance with the HITECH Act's breach notification rule, says security expert Tom Walsh. In an interview, Walsh points out that under the rule, business associates, such as banks, billing firms and software companies, that have access to protected health information must report breaches to their healthcare partners, such as hospitals and physician groups, as well as affected patients. He advises healthcare organizations revamping contracts to: Spell out what breach-related information the business associate must collect to meet HITECH requirements. Specify who the business associate should contact by phone at a healthcare organization in the event of a breach, and prohibit the use of e-mail for notification. Require the business associate to have insurance to cover the cost of breach-related expenses. Spell out that the business associate must comply with all aspects of the HIPAA security rule. Require the business

Interview with Robert Richardson, Director of CSI How vulnerable are organizations to cyber attack? It depends on your definition of "vulnerable," says Robert Richardson, Director of the Computer Security Institute (CSI). "There's vulnerable," he says, "and then there's likely to be attacked." In an interview about current threats, Richardson discusses: Ramifications of the Google attacks; Security implications of Web 2.0 technologies; What organizations can do now to minimize their risks. Richardson has served on the CSI staff since 2003, having worked IT in various capacities for twenty years. He's given keynote presentations on three continents, often speaking about the CSI Computer Crime and Security Survey, an undertaking he directs each year. Prior to CSI, he was Senior Editor of CMP's Communications Convergence magazine for two years, where his beats included telecom security, wireless, Internet messaging, and next-generation phone systems. Before that, Robert was a frequent contributor to magazine

Insights from the outgoing CIO at Partners Healthcare System in Boston.

Interview with Prof. Sree Sreenivasan of the Columbia Graduate School of Journalism Social media aren't just coming - they're here. And senior leaders need to understand how to maximize Facebook, LinkedIn, Twitter and other popular sites, as well as how to protect their organizations from very real security risks. In an exclusive interview, Prof. Sree Sreenivasan, Dean of Student Affairs at the Columbia Graduate School of Journalism, discusses: What's most misunderstood about social media; How organizations can benefit most; Ways senior leaders can improve their own professional lives. Sreenivasan is a technology expert and dean of student affairs at the Journalism School, where he teaches in the digital journalism program. He specializes in explaining technology to consumers/readers/viewers/users. For more than eight years, he served as technology reporter for WABC-TV and WNBC-TV in NYC and now occasionally appears on various TV shows to talk tech. For more than six years, he wrote a Web Tips column fo

Shifting from desktop PCs to thin clients can provide a more secure way for clinicians to access electronic health records, says Dee Cantrell, R.N., chief information officer at Emory Healthcare in Atlanta. In an interview, the CIO of the integrated delivery system, which is affiliated with Emory University and includes four hospitals and a 1,500-physician clinic, outlines her risk management strategy. For example, she describes why Emory is: Growing its information security team as a result of implementing EHRs and computerized physician order entry; Taking a different approach to encryption than many other provider organizations; Experimenting with several different approaches to two-factor authentication; and Offering annual security education to all clinicians.

Interview with Gartner's Roberta Witty Organizations have made strides in business continuity/disaster recovery (BC/DR) planning. But BC/DR professionals need to sharpen their business skills to truly protect their organizations. This is the stance taken by Roberta Witty, research VP at Gartner. In an exclusive interview, Witty offers candid insight on: Today's top BC/DR challenges; Where organizations are most vulnerable; What BC/DR professionals need to do to be more effective. Witty is part of the Compliance, Risk and Leadership group within Gartner. Her primary area of focus is business continuity management and disaster recovery. She is the role specialty lead for the Gartner for IT Leaders (GITL) business continuity manager role. She is also a GITL Premier coach for Security and Risk. Prior to joining Gartner, Witty managed the global technology risk management function for the corporate trust business of The Chase Manhattan Bank. In this role, she was responsible for awareness, advisory and compli

Interview with H. Peet Rapp of ISACA's Cloud Work Group Everyone is talking about cloud computing these days - but are they having the right conversations? H. Peet Rapp is an information security auditor who sits on ISACA's Cloud Computing Work Group, and he's co-author of the white paper Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. In an exclusive interview, Rapp discusses: Cloud computing trends; What's most misunderstood about the cloud; How organizations should proceed with their own cloud deployments. Rapp entered the IT audit/compliance profession in 2003, after publishing the widely read paper "An IT Executive's Overview of the Sarbanes-Oxley Act of 2002." With his firm, Rapp Consulting, he has audited, provided risk assessments and developed IT control frameworks for more than 70 organizations and developed a reduced IT control set for non-accelerated filers.