Will your company be impacted by GDPR?

17 Jan 2019
By HIPAA Vault

Four years after its adoption by the European Parliament, the General Data Protection Regulation (GDPR) – a set of compliance requirements designed to give individuals greater control over their personal data in an increasingly digital economy – finally went into effect on May 25, 2018.

GDPR’s overall scope is broad, impacting all personal data (i.e., any data that can be used to directly or indirectly identify a living person, including genetic, psychological, cultural, religious and/or socioeconomic).

GDPR’s Global Reach
Among its many reforms, GDPR also seeks to protect sensitive patient data (protected health information, PHI) by ensuring it is collected…


What’s all the Hype about Kubernetes?

17 Jan 2019
By HIPAA Vault

The claim: Kubernetes takes traditional infrastructure deployments to the next level…

Kubernetes, or “K8s” as it’s popularly known, comes from a Greek word meaning “pilot,” or “helmsman.” Based on the original, internal Google code used to run their search, ads, and apps (and geekily named after the Star Trek: Voyager Borg drone known as ‘Seven of Nine’), it purports to warp infrastructure automation into new frontiers of efficiency and scalability. We asked Gil Vidals, David Breise, and Rick Montezuma of HIPAA Vault to explain – on a practical level – what the hype is all about.

What is Kubernetes, or K8s?

David:


Public vs Private HIPAA Cloud Hosting

17 Jan 2019
By HIPAA Vault

The numbers are in …

More and more, companies are migrating to the public cloud. In fact, a recent survey of over 200 IT managers revealed that 84% have opted for using public cloud infrastructure over corporate data centers. Of those, 49% are utilizing the Google Cloud Platform (GCP). (Interestingly, the hybrid cloud is also becoming part of the conversation for the tech giant, but that’s another article).

The primary drivers to the public cloud, and GCP in particular, include: security, cost-efficiency, instant scalability, greater speeds, and higher availability. Let’s look at what…


HIPAA Encryption for your PHI Data

17 Jan 2019
By HIPAA Vault

Protecting your Patient’s Privacy with HIPAA Encryption…

HIPAA encryption is a necessity for sensitive data like protected health information (PHI). HIPAA regulations require it. Today, most providers realize that encryption is the technique of choice; however, this seems to be the extent of most people’s knowledge.

If you are a manager, or involved in projects involving patient information in electronic health records (EHR), then it behooves you to know at least the basics of HIPAA encryption, as well as where and when it should be applied.

There…


Phishing in the Wrong Pond

15 Nov 2018
By HIPAA Vault

Have you heard the one about the company that decided to plan a “Phishing trip” for their employees?

Back in 2016, Atlantic Health System circulated a juicy email, promising employees a raise if they would simply respond with some key verification information. The information included employee ID, date of birth, and home zip code. Roughly a quarter of the health system’s 5,000 employees took the bait and opened the email; 2/3 of that group actually provided the requested information.

The company’s test proved insightful, and highlighted an all-too-common threat: an adversary with malicious intent can easily target “inter-office” email, capitalizing on…


Is Gmail HIPAA Compliant?

08 Nov 2018
By HIPAA Vault

Still one of the most popular online searches in regard to HIPAA, the answer is clear: as a standalone service, Gmail by itself is not HIPAA compliant, but it can be. Even though Google employs some of the best security measures available, sending electronic protected health information (ePHI) using a regular Gmail account is explicitly prohibited by Google’s terms of service.

Google does, however, offer an enterprise solution for HIPAA compliance with their Google Apps platform. If you enter into a Business Associate Agreement (BAA) with Google, you will be able to use their Google…


Hurricanes and HIPAA

09 Oct 2018
By HIPAA Vault

How the HIPAA Emergency Plan Applies in Times of Disaster

In September of 2018, the powerful tropical storm known as Florence slammed into the eastern seaboard, causing catastrophic flooding and leaving 53 deaths in its wake. With a peak wind intensity of 140 mph, the long-lasting storm became the wettest tropical cyclone recorded in the Carolinas, dumping as much as 36 inches of rain on Elizabethtown, North Carolina. A public health emergency was subsequently declared for North Carolina, South Carolina, and Virginia.

Along with the general public, healthcare providers also faced significant challenges created by the massive storm. Effective communications – always…


Physical Safeguards for HIPAA, Part 2: Workstation Use

25 Sep 2018
By HIPAA Vault

In part 1 of this series, we learned that a laptop containing sensitive, protected health information (PHI) was stolen from the car of a West Virginia Health System employee. To make matters worse, the hard drive containing PHI was unencrypted, leaving the data open to access by unauthorized users.

While unfortunate, the occurrence does serve to highlight key issues concerning HIPAA security. As we saw in Part 1, regulations pertaining to data encryption and facility access security must be reviewed thoroughly, and robust security policies (including locks on doors, cameras, restricted area signs, etc.) applied. Closely related to this…


Physical Safeguards for HIPAA, Part 1: Facility Access

24 Sep 2018
By HIPAA Vault

A recent, potential breach of protected health information (PHI) – including social security numbers, financial information, and medical data – was reported by a major health system in West Virginia. The cause? A stolen laptop, taken from an employee’s car.

Despite equipping the laptop with security tools (including password protection), the health system failed to encrypt the laptop’s hard drive, allowing unauthorized users potential access to the sensitive, PHI data of over 40,000 patients.

Far from being overly restrictive, the HIPAA Security Rule was intended for just such situations; namely, to help organizations protect patients from having their personal information divulged…


OpenVAS – Open Vulnerability Assessment System

30 Jul 2018
By HIPAA Vault

If you’re looking for an open source software framework for vulnerability scans and vulnerability management, the Open Vulnerability Assessment System (OpenVAS) is a first-rate tool. First developed by Greenbone Networks, OpenVAS is a framework of services and tools supported by an open-source community that promotes vulnerability analysis and management. OpenVAS can be downloaded as binary packages, source packages, or a virtual appliance, or by using the terminal and executing the command “apt-get install openvas.”

The OpenVAS tool can provide a comprehensive security test of an IP address, and, when performed from an externally hosted server, will provide…
