They say you never know until it hits you. Whoever “they” are, they’ve got a point – especially if the “it” is failing to secure someone’s personal, protected health information (PHI). Once this sensitive data is divulged, the genie is out of the bottle – and the impact can be staggering.  

Just ask Advocate Health System, past bearers of a $5.5 million fine from the Office of Civil Rights (OCR) for allowing 4 million records to be breached (on 3 separate occasions) back in 2013. Among the security lapses was an unencrypted laptop containing patient records, stolen from an employee’s car.

Beyond the costly regulatory fines that may come with HIPAA violations ($100 to $50,000 per incident, depending on your degree of negligence, such as failing to do risk assessments or to encrypt devices), the real issue is your customer’s welfare. If their personal, protected health information is made public, it damages them personally. Not only will you have lost the trust of someone you’ve sworn to “do no harm to,” but they may even decide to take legal action against you for damages.


In the world of compliance requirements, two types of business practices are generally distinguished. The first, known as the “private sector,” is covered by regulations that apply to for-profit, commercial industry. These may include HIPAA (for protected health information), SOX (for financial reporting), GLB (pertaining to information sharing), and others.

The “public sector,” on the other hand, is the business of the US Federal Government, and may be subject to these governing security controls as well as the requirements of FISMA.

FISMA, or the Federal Information Security Management Act (enacted in 2002 and modernized in 2014), requires all agencies to protect sensitive data according to the relevant information security guidelines of the FIPS 199 and FIPS 200 publications, and the technical controls found in the NIST (National Institute of Standards and Technology) 800 series, especially SP 800-53.

Protecting your Patient’s Privacy – the Right Encryption

It’s a necessity for sensitive data like protected health information (PHI).

And yet, HIPAA regulations can seem a bit vague about exactly how this should be done. Actually, that’s intentional; HIPAA wasn’t intended to endorse specific technical solutions.


Your patients value your counsel, and are willing to share with you their deepest, personal struggles. As a therapist, you handle that information as a sacred trust. Unfortunately, that trust may be broken – however unintended – through an unwise use of technology.  

No doubt, technology allows for flexibility in the way you share and store protected health information; you harness the tools that best fit the needs of your practice. 

Have you thought about a HIPAA Compliant Email Solution for therapists like you?


When it comes to deploying applications and services at scale, the ability to use efficient, containerized pieces of software has clearly changed the game. 

Containers are highly valued for their portability and ability to run on various environments – including local desktops, virtual and physical servers, test and production environments, and in private or public clouds. As widespread adoption of containers continues, Gartner’s prediction that more than “70% of global organizations will run containerized applications by 2022” certainly seems accurate. 

But what about security, particularly for healthcare applications? The good news is that container systems like Kubernetes can be HIPAA compliant, with the right security measures applied. (If you paused at the last sentence and thought “Kuber-what?”, here’s a quick overview.)


In part 1 of our interview with Ricoh Danielson, we discussed how a comprehensive, “real world” penetration test (also known as ethical hacking) can help you fix the gaps in your company’s security.

Why do you need it? 

Let’s take a moment to recap why you need it: for those in healthcare especially, cybercrime represents an enormous risk to both patients and health organizations. The beauty of an objective pen test report from someone “outside” your organization is that the IT team as well as executives can see their security blind spots, and leverage this “early detection” to make changes. Your sensitive patient data can be better protected, while saving you a bundle in potential breach costs, downtime, and remediation. 

That said, let’s continue our conversation with Ricoh:


Part 1 of an interview with Ricoh Danielson, Information Security Expert

Ricoh Danielson is an impressive guy. From his time serving as a US Army combat soldier in Iraq, to becoming a legal advocate for veterans in their battle to receive PTSD treatment, and later developing his security expertise in digital forensics for law enforcement and the military, Ricoh has dedicated himself to a singular passion: protecting others.

Now a leader in Information Security, Ricoh has turned his sights on healthcare – an industry frequently targeted for cyber attack. It was a privilege to speak with him recently about how healthcare organizations can improve their critical security posture, and specifically, the need for penetration testing – a practice that fits in well with a comprehensive, HIPAA compliance program:


You like saving everything to your hard drive – it’s what you do. Then your laptop or tablet gets lifted, right out of your car.  

Sure, you thought it was safer to have sensitive information under your own watchful eye – except when it was on your car seat, while you went to the 7-11 to get gum. (Expensive gum!)  

Then again, computer hard drives have been stolen right out of offices, and cell phones with private health data have fallen into the wrong hands, leading to serious breaches. Which brings up a question:

Is sensitive data – such as Protected Health Information (PHI) that passes through your Office 365 apps and remains on your hard drive – really safer than in the cloud?


“Have you seen the video?” It’s a query for a connected world, bringing the world up close. From cell phones to visual doorbells – even police body cams – video helps tell a story – and maybe solve a crime. 

Now imagine this crime is an attempt to steal your company data, or disable your website. It might even be your employee (61% of IT leaders do believe their employees maliciously put their sensitive data at risk, according to a 2019 survey), or one of your contractors.

Chances are, there won’t be a video; however, if a digital record of system events exists, then you’re in business. With these logs, crucial questions can be answered: Who accessed the system? How was a breach attempted? What was the extent of the damage, if any? Armed with this data, audit logs help you stay proactive, able to track and possibly prevent future malicious activity.


One of the clear lessons of our recent pandemic has been that an invisible virus can do great harm to a body, if only given a “portal” through which to enter. The “attack vectors” are varied, if not deceptive: airborne, on surfaces, and even by those who show no symptoms.

Fortunately, we’ve learned firsthand how the vigilant use of protections – while not a guarantee – does help limit transmission, keeping us and our communities safer.
