October 14, 2016
Have you tested your breach incident response process?
By Gerry Blass
Adding a cybersecurity tactical simulation test to an overall information security risk assessment is a must in today’s world. It is a sure bet that attacks and breaches will continue to occur and so the need for functional assessments, mitigation, awareness and response are key to protecting your organizations confidential information.
August 25, 2016
How to avoid HIPAA penalties based on some of the largest!
By Gerry Blass
Reviewing some of the largest fines can help healthcare organizations learn how to avoid them should an incident occur. Many experts say that it isn’t IF an incident will occur, it’s WHEN. Here is a sample list of how to be ready for an OCR audit due to either an incident or routine phase two audit protocols:
- Be a functional organization by properly funding your information security program
- Empower your Chief Information Security Officer (CISO)
- Conduct periodic risk assessments (HIPAA rules, OCR Phase 2 protocols, NIST (including Cybersecurity framework), PCI, Intrusion vulnerabilty scanning, external penetration testing, phishing exercises, etc)
- Implement and maintain operational policies, procedures and plans (e.g facility security plans, etc)
- Educate the workforce on a periodic general basis and focused as needed
- Implement a process to assess third party business associates for information security risk and contracts
- Mitigate known risk in the order of highest to lowest
- Protect vulnerable PHI in transit and at rest
- Be prepared for an OCR audit, now based on phase 2 protocols
- Be prepared to respond to an incident
August 5, 2016
Third party (BA) contract and privacy and security risk management
By Gerry Blass
The HITECH-OMNIBUS final rule stepped up the requirements and for both CEs and BAs and both must now include the new requirements in their information privacy and security risk analysis and management program.