Network Security Alerts For Everyone – Ep 158

In the past few weeks, the nerd news has been full of network security alerts and discussions about issues potentially lurking on every network, especially smaller ones.  These are not the things we normally worry about either.  You usually think Windows, Office,...

Cyber Experts Agree We Are Not Alone

Secureworld Atlanta just finished up.  Turns out cyber experts do agree about many of the same issues we discuss here.  Two days of discussions amongst CISOs, ISOs, security techies, etc. about what to worry about and what to do for cyber protections.  Yes, there was...

What Data Do You Protect?

Have you considered that there are other valuable information assets to protect than just your PHI? Most healthcare privacy and security programs only focus on PHI and HIPAA requirements.  If you are already doing the work why not include all of your valuable...

Digital Spring Cleaning

This time of year many of us think about cleaning out closets and switching seasons.  Spring cleaning is a ritual for some while others just think it is a good idea if they had time.  While I certainly land in the latter category for household chores when it comes to...

Risk OR Gap Analysis THAT Is The Question

There is a frequent issue with people understanding what a Security Risk Analysis includes. In fact, there is so much confusion that we often see documents presented as a risk analysis that are actually a gap analysis. It happens so often that OCR is trying to address it in...

5 Laws of HIPAA Cybersecurity

Back in January, I read an article in Forbes titled: The Five Laws Of Cybersecurity.  When reading it, I realized that it was a great message to our listeners but it needed a HIPAA flavor added to it.  In this episode, we add our thoughts to this article and turn it...

Insiders – Don’t Accept Candy From Strangers

More news on the insider front makes it necessary to point out, again, how susceptible healthcare is to insider failures. In a second we will cover the topic for today.  There...

Physicians and Security Officers

Physicians and Security Officers aren’t usually in the same episode but today we have done it. The American Medical Association (AMA) did a survey of physicians and their thoughts about privacy and security practices. It was interesting to hear their responses....

Ready for extreme vendor vetting?

Are you ready for extreme vendor vetting? Many vendors have been pushing back against any covered entity or business associate that asked them to answer questions about their privacy and security programs. They believe signing a business associate agreement (BAA)...

National HIPAA Summit News

The National HIPAA Summit always features some interesting news from OCR concerning guidance, enforcement, and audits.  This year was no different.  In this episode, we discuss the highlights as we interpreted them anyway...

Cyberscary Trends

Cybersecurity trends sound scary when you hear us talk about some of this stuff.  Cyberscary is actually what we decided to call it.  The good news is we do talk about other things sometimes. Two reports that came out in recent weeks have gotten my attention...

Cybersecurity and the Law

Cybersecurity legal requirements keep changing at the state, federal, and international level.  Most of the changes are just trying to keep up with the constantly changing landscape of threats in cyberspace.  Today we call in an expert, Mitzi Hill, to talk to us about...

6 Listener Questions

We get questions from listeners on a pretty regular basis.  When they come in by email we do our best to reply with an answer.  Sometimes they get backed up before we can get them on the show, however.  Today we are covering some of those; in fact, we are covering 6...

Uber Health HIPAA

News abounds about Uber and other ride-sharing services taking people to their doctor appointments.  They say they will be HIPAA compliant. Today we look at what they say that means as we discuss Uber Health HIPAA...

Does Healthcare Suck At Cybersecurity?

If cybercrime truly is the number one problem with mankind and healthcare is the number one cyber-attacked industry, is it because healthcare sucks at cybersecurity?  We could certainly make an argument for many answers to that question. However, a recent report...

Cyber Issues Around Every Corner

If it seems like cyber issues are around every corner these days, you aren’t imagining things.  In episode 128 way back in November 2017, we discussed the fact that we thought there were signs of a coming cyber storm.  Today we look at what is going on and see if we...

5 Breaches Equals 1 Big Settlement

As expected, OCR has continued to announce enforcement actions in 2018.  This one is a bit different than any previous resolution in that there are 5 breaches in one settlement across multiple locations in a single organization. It is also important to note that all...

HIPAA Made Easy???

HIPAA made easy is a topic we have discussed many times before but today we are going to cover it specifically.  So often we get requests for the “easiest way” to do HIPAA. This isn’t something to check off a list and have it done. It is something that you do every...

6 Cybersecurity Lessons In The News

Cybersecurity is in the news a lot lately, and there has been particularly a lot of news just since the beginning of the year. As usual, we review all the news looking for important things to share with our clients and listeners.  There are just so many different stories to choose from...

Cybersecurity Outside The Office

In December, the OCR newsletter was titled Cybersecurity While on Holiday.  First, how very British of them!  Second, is it just when on holiday?  The same rules apply anytime you are on the road with technology and access to the internet.  We see this as something...

OCR Ends 2017 With A Bang

At the beginning of 2017, OCR announced several settlements.  Then, the settlement announcements stopped in May as there were leadership changes that continue to happen.  In fact, the only reason this announcement seemed to come out was that it was included in a...

Meltdown – Patch Baby Patch

Unless you never listen to nerd-speak you have to have heard the discussion about Meltdown and Spectre over the last few weeks. It is a perfect time to talk about what patch management really means in your cybersecurity protections.  We try our best to discuss it with...

7 Educated Guesses About 2018

Here we go starting another year!  It is amazing that this is the third new year we have covered on HMWH.  There are so many things that have happened over that time and as we head into 2018, so many things to look into our crystal ball and make 7 educated guesses...

Pay Now Or Pay Even More Later

Is HIPAA compliance expensive?  Or, is it short-sighted to only worry about what HIPAA compliance costs?  A new report from Ponemon Institute, The True Cost of Compliance with Data Protection Regulations, looks at compliance costs across several industries and...

Cybersecurity Naughty List 2017

As 2017 comes to a close, we are making our lists and checking them twice.  Time to find out who we thought was more naughty than nice this year.  This cybersecurity naughty list discussion includes everything from big news data breaches such as Equifax and Uber down...

Five Phishing Findings From Google

A new report on phishing was recently released titled: Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials. The report of findings from a study that was done by Google, University of California, Berkeley, and the International Computer...

SOC2 certification is not HIPAA compliance

Recently, we have dealt with our clients struggling with vendors in the vetting process.  Particularly, tech vendors of any sort.  There is a belief that SOC2 covers them for HIPAA.  Many vendors have written off the HIPAA compliance requirements by simply saying “We...

5 Things To Do Before Year’s End

It is hard to believe another year is coming to an end. It is time to review 2017 and plan for 2018.  That means it is time to make your list of 5 Things To Do Before Year’s End. Just in case you need some help with that list, we made one for you!...

Text Messaging Is Not Secure

Text messaging is often the preferred method of communication for many people today.  It does have great advantages with its simplicity, instant delivery, and convenience.  However, I did not mention security on that list.  Text messaging is not secure by default....

Is There A Cyber Storm Brewing On The Horizon?

Lately, there have been a lot of articles in the nerd news services about various problems and vulnerabilities looming on the horizon or happening right now.  Usually, there are one or two in a normal week or so that really get our attention.  The last few weeks...

HIPAA Horror Stories 2017

Happy Halloween from the Help Me With HIPAA team!  Each year we have done a special scary episode for Halloween.  Last year we took you on a tour of a haunted house.  This year for HIPAA Horror Stories V3 we get to hear a campfire horror story.  So gather around and...

Social Media, Marketing, and HIPAA

When it comes to social media, marketing, and HIPAA things can get a little dicey. There are certainly many cases where using social media has gone awry in health care cases.  However, when handled correctly, you can actually use social media, marketing, and HIPAA in...

Onboarding and Termination Checklists

Onboarding and termination checklists are often treated as a paperwork hassle.  However, we have seen many times where taking the time to attend to those hassles could have saved time and money and closed open security holes that are very dangerous.  HIPAA requires us to...

Talking To The Boss About HIPAA

How do you talk to the boss about HIPAA? That is a regular question we get around here.  The staff responsible for compliance gets trained and understands what needs to be done but they don’t get leadership support.  Over the years we have had to have those...

OCR Audit Updates Phase 2

During the NIST OCR HIPAA Security Conference we covered in the last two episodes, there was also a session on OCR Audit Updates. OCR gave an update on the information gleaned so far from the compliance desk audits that were started in 2016. Their presentation...

NIST OCR Security Conference Part Deux

This is the second episode covering the things David has to share from the NIST OCR Security conference: Safeguarding Health Information. There are many great points he picked up. As we review them, we keep coming back to the reminder that HIPAA is about patient care...

NIST and OCR Security Conference

The NIST and OCR annual security conference has come around again.  This year, David attended the conference via webcast and shares his notes on the first day of the conference. Before the conference discussion, however, we have to touch on the announcement from...

Disaster Recovery Preparations

We recorded this Disaster Recovery Preparations episode on the day that Harvey was hitting Houston and had no idea just how bad that disaster would eventually become for those on the gulf coast.  On the day we publish this episode, we are both personally involved in...

Should I Use A Local, Data Center, Or Cloud Server?

Every time we discuss HIPAA server security issues it opens a debate about where the best place to keep your servers is.  There are three options that we are going to discuss today. Should I use a local, data center, or cloud server under HIPAA?...

What Is Reasonable And Appropriate?

The HIPAA legal reference and guidance mentions reasonable and appropriate all over the place. Many times that concept creates confusion. How do you determine what is reasonable or appropriate for any environment?...

Alexa Plus HIPAA Plus Other Questions

Alexa plus HIPAA is a rabbit hole we thought about avoiding.  But sometimes you are just destined to discuss a topic you try to avoid.  When that question came in this week on top of the ones we had already planned to cover it was just too perfect.  So this episode...

Security Incident Investigations Find More Than Expected

Sometimes following the news lets you find things like security incident investigations with interesting details.  But, these cases were different than most.  Even better than that, we learned how a fish tank helped hackers!  There were just too many parts of these...

Incident Response Plans V2

Incident response plans have been a topic of our show several times. But, these days we just can’t get enough of a good thing! Actually, there is a reason we are covering it in this episode.  I was reviewing a Business Associate Due Diligence from a software...

Compliance Officer Personal Liability?

Compliance officer personal liability for the compliance of the company. Is that a thing? The recent settlement with a compliance officer says maybe so. The May 2017 settlement agreement between the Treasury Department’s Financial Crimes Enforcement Network...

OCR Cyber Newsletter: Mic Drop For Cloud Providers

The monthly OCR Cyber Newsletter for June had some interesting points.  The fact that OCR mentions multiple times and in multiple ways that they do not endorse, certify, or recommend specific technology or products should serve as their “OCR mic drop...

NotPetya, Windows, and Ransomware

This is not another episode about preventing and responding to the NotPetya ransomware. There are countless articles about those topics.  We are discussing the bigger picture today.  In this episode, NotPetya, Windows, and Ransomware, we discuss what happened in the...

Breach Reporting Costs and Decisions 2017

Breach reporting costs in 2017 are proving to be something you should understand before a crisis, not after the crisis hits.  In June, the NY State Attorney General announced a settlement with CoPilot, a healthcare services company that illegally deferred notice of...

What Is MDM And Why Do I Want It?

What is MDM and why do you want it?  Mobile devices are susceptible to malware attacks, phishing, and other security vulnerabilities just the same as laptops and desktops.  The systems most of us have in place are directed at managing the security for laptops and...

eCW Whistleblower

There are countless times we have covered the “my EHR vendor handles HIPAA for me” misconception. The recent $155 million whistleblower lawsuit settlement between eClinicalWorks (eCW) and the government really brings it home how wrong you can be about EHR...

5 Stages Of Grief During A Cyber Attack

The 5 stages of grief during a cyber attack really do follow the process of dealing with grief in those familiar 5 stages. Many don’t realize that ransomware attacks aren’t always just the result of someone clicking in an email and running a program.  As...