Listener Questions and Input

We have gotten a flurry of listener questions and comments lately.  Since it is so much easier to do an episode based on listener questions than to write up a whole plan, we are definitely doing that today.  We really do read and respond to as many as we can.  So...

CCPA and HIPAA Require Consideration

If you haven’t heard of it before there is a thing called the California Consumer Privacy Act (CCPA).  It is considered the first version of a GDPR-type legislation on this side of the pond.   It becomes effective Jan 1, 2020.  There are many folks that think the CCPA...

5 Medical Records Uses and Disclosures Rules

Today we discuss 5 medical record uses and disclosures rules that I have been covering recently in training.  Medical records are always around for those of us in healthcare.  It is so easy to forget that the rules apply to more than just data breaches and social...

Cybersecurity Tips and Trends

We need to keep up with our education just like everyone else to keep up with cybersecurity tips and trends. Donna hit some training at SecureWorld and sat in on a 6-hr online seminar offered by Dark Reading. All of that thinking and learning means we have...

Consider ransom payments BEFORE attacks

The debate continues over ransomware attacks: do you make the ransom payments or not?  Lately, we have seen many payments being announced.  This should be in your incident response plan's ransomware playbook.  These decisions should be discussed now, not when an attack...

False Claims Settlement – No Risk Analysis

False claims settlements over meaningful use money have popped into the news again.  The provider was sued by whistleblowers and the DOJ for not doing a security risk analysis but attesting to one to get the meaningful use payments anyway.  There is...

Specific BA Liabilities

This new BA liabilities guidance from OCR is important because it clearly defines all the things we hear misstated over and over.  Several points from our Top 10 Wrong HIPAA Statements episode are addressed in the simple ten-item list. Today we will discuss the announcement...

Vendor Pays $1M + 5 Yr Action Plan

The multi-state settlement with Medical Informatics Engineering makes the OCR settlement seem like a cake walk.  The vendor agrees to pay OCR $100,000 with a standard 2-year corrective action plan.  The states get $900,000 plus 5 years of very specific corrective...

How Do You Sanction?

Sanction policies are often vague or even overlooked in many privacy and security programs.  The whole point of a sanction policy is to list out the consequences for failure to follow our policies and procedures.  With a vague or non-existent policy consequences...

Maturity Assessments

Maturity is something we expect from respected folks or grown folks, but what about your privacy and security program? Do you check its maturity?  You have all of these plans, policies, procedures, and training, but is it actually meeting your needs?  Time to talk...

No PHI exposed. Really?

The latest HIPAA PHI breach violation settlement with OCR was announced recently.  Ironically, the $3,000,000 settlement with Touchstone Medical Imaging was announced just after HHS announced the reduction of maximum penalties.  Just how bad was this...

HIPAA Penalties Dropping

Headlines everywhere are telling us all that the HIPAA penalties are being “slashed” or “capped” or “reduced”.  What is the real story and what does it mean to the rest of us?  Great time to talk about what you should consider if you think you will be facing any HIPAA...

Smile You Are On Camera

We are all being watched.  Cameras are everywhere today.  With the advent of dashcams, home security camera systems, CCTV in cities and businesses we are caught on camera somewhere every day.  What does that mean when you also have privacy concerns to address like, I...

3 Supply Chain Security Stories

Supply chain security is becoming a regular discussion due to some major issues that have occurred this year.  We have talked many times about vetting business associates.  When people talk about supply chain security it isn’t just the business associate you contract...

Alexa and HIPAA Round 2

We discussed this whole Alexa and HIPAA thing before.  This week came the big announcement from Amazon that had headlines telling us that Alexa is HIPAA compliant with some slick new medical skills. Time to talk about her again.  Let’s see what the announcement really...

We Are Shutting It Down

It is hard to believe we are recording our 200th episode.  Some might even say it is close to a miracle that David and Donna could stay focused on one thing for this long. Probably very true.  Our passion for what we do here is more than most people would think.  We...

Medical Record Release Fees

Medical record release is becoming a heated topic.  There are several parties involved in the discussion.  Of course, the patient and their rights to the medical record comes first.  Then, you have the providers trying to meet their obligations to supply the records....

HIPAA Summit 2019 News

We come bearing news from the 2019 HIPAA Summit today.  Officially, it was The 28th Annual National HIPAA Summit.  The event happened in March in Washington, DC.  Thankfully, they have offered a webcast option along with onsite attendance for years.  I sat in on...

Real Hacker Stories On DarkNet Diaries

It is helpful to understand what is really going on out there in the cyber world when you are training and planning your defenses.  Hearing how the hackers got into systems or maybe how the security team found them and shut them down is a very interesting way to do...

2 Third Party Breach Stories

It is important to think about what could happen if one of your vendors is the reason you become another business listed in data breach statistics. Third-party data breaches can impact your business even when it doesn’t involve your data.  These stories show how...

Cyber Insurance Coverage 2019 with John Miller

John Miller, CEO of Sterling Seacrest Partners, was with us back at the beginning of our podcast experiment. Over 100 episodes ago, in February 2017 on episode 89, we first talked with him about cyber insurance policies. Today we’ve brought John back to discuss how...

Ransomware Is Getting Scarier

Ransomware is getting scarier even if you don’t know it yet.  It appears that the lull we enjoyed through the last bit of 2018 may be over.  Not only are the incidents increasing but the mechanisms and ransom demands are changing.  Yes, no matter how we looked at it...

Cybersecurity Roles Are Tough

There are several recent studies and articles that discuss the world from the viewpoint of the people who have the cybersecurity roles in your IT staff.  Their days are packed just trying to keep everything working and secure.  As much as we have been after IT folks...

Email Is Dangerous

If you spend time every day worrying about the risks in using email, you might be a security professional.  Email is dangerous even if you don’t realize it.  Imagine that you are just walking along a bridge safely.  What you don’t realize is the pit that is just a few...

3 Million Reasons IT Must Be Audited

OCR got to toot its own horn in a big press release on Feb 7.  Not only did they announce another settlement that happened in December that we had not heard about but they also recapped the record-setting year they had with enforcement cases in 2018. The last OCR...

Top 10 Wrong HIPAA Statements

As with many things, HIPAA “experts” are everywhere.  There is also a lot of misinformation, confusion, and downright bad advice being handed out by people who think they understand HIPAA more than they actually do.  Wrong HIPAA statements can be found on a lot of...

5 Threats and 10 Protection Practices

The Cybersecurity Act of 2015 (CSA) called for adapting our critical infrastructure to better handle cybersecurity issues using private and public partnerships.  Section 405(d) of CSA calls for “Aligning Health Care Industry Security Approaches.”  A task force has...

Privacy Day and Other News You Need

Since January 28th is National Data Privacy Day, let’s be #PrivacyAware in today’s episode.  Privacy Day has been around for a while.  It is an “international effort to empower individuals and business to respect privacy, safeguard data and enable trust”.  We are all...

Passwords are a necessary evil

Passwords are a necessary evil in our online and digital world.  There are lots of tools out there that help us deal with them, but you have to use them every day in some way unless you are completely unsecured or off the grid.  LastPass recently released an interesting...

7 Predictions for 2019

Today we cover the things we are keeping an eye on for 2019.  Yes, it is 2019; I cannot believe how quickly we have gone through almost 2 decades of the 21st century. Our top 7 predictions for 2019 may not surprise you.  But, that shouldn’t stop us from...

Are HIPAA changes coming?

In case you have missed it, there have been several headlines about HIPAA changes in the last month.  What is that all about and what should you worry about?  Today we are discussing whether HIPAA changes will be coming this year.  Even better, we will tell you what we...

It’s Raining Settlements

OCR has continued to hand out settlements to close out 2018.  Maybe two more isn’t what you would consider raining.  At the rate these last few announcements have come out vs normal rates, though, it is definitely raining!  While these last two do pale in comparison...

Annual Blooper Show 2018

Enjoy the holidays with some outtakes from this year’s recordings. Each year our Croatian sound editor, Bojan, compiles his favorite package of our issues to share his pain with our listeners.  Listen in to hear how much he has to work to make us sound so much...

Should Have Said No Comment

The allergy practice settlement that was recently announced will be known as the “no comment” settlement in my mind.  As always, there are lessons to be learned from this announcement and the way OCR handled it.  This settlement brings up a lot of discussions about...

New Cybersecurity Agency and Office?

There have been several announcements about cybersecurity agencies and offices lately.  Some announcements are from the Department of Homeland Security (DHS) and some are from Health and Human Services (HHS).  What are they talking about and what does it mean to you?...

2018 Predictions – How Did We Do?

It is hard to believe we are coming to the end of another year.  Seems like just yesterday we recorded our 7 Educated Guesses About 2018.  Today we review our 2018 predictions, ummmm, educated guesses for 2018 and see how we did.

Listener Message Potpourri

Listener message potpourri means we will be hitting several different topics in this episode. We get emails and messages from listeners a lot these days. While we do our best to respond we can’t say we are consistent. That is why we do these episodes...

Certification Is Not What You Think

In the recent NIST OCR security conference, a panel member said the terms “HIPAA compliant” and “HIPAA certified” made her cringe.  We agree.  The Anthem settlement has a lot of people asking about certifications for cybersecurity since Anthem was technically HITRUST...

Anthem Settlement Lessons

The 2015 Anthem data breach could have been a watershed moment for HIPAA privacy and security in many ways.  It remains to be seen if the settlement with OCR turns out to be another one.  Either way, the historic breach and historic settlement have many lessons for us...

5 Horror movie quotes for HIPAA stories

Time for the annual Halloween episode!  5 horror movie quotes are this year’s theme.  We have 5 horror movie quotes that are matched up to HIPAA data breach stories.

We are #CyberAware

We are #CyberAware is the tag for the National Cybersecurity Awareness Month campaign.  Each year this campaign is run by the National Cybersecurity Alliance. In 2018, Kardon, Security First IT,  and HMWH are all signed up to be champions and publish information for...

6 Takeaways From The Filming Settlements

What should we learn from the recent OCR filming settlements?  This time it was three settlements in one that related to a fourth.  There is more here than the headline-grabbing dollar amounts.  These settlements are the best specific guidance you can get from OCR....

3 Stories Techs Should Hear

Understanding all of the technical workings of networks and computers is one thing.  Often tech folks will say that they understand HIPAA but what that really means is they understand the technical requirements of HIPAA.  The overconfidence sometimes works against...

CIS 20 and HIPAA

CIS 20 (also known as SANS 20) is the name used to reference a list of security controls that are intended to be used in the absence of any framework like NIST or HIPAA requirements.  If you are trying to get the most bang for your buck and you know you are way behind on your security...

How Much Does Trust Matter In Healthcare?

Trust for businesses, especially healthcare, could be the difference maker between success and failure. Have you seen the report about consumer online digital trust and what it means to all businesses? The report, The Global State of Online Digital Trust, A Frost...

Snooping Is A Serious Problem

I can tell you from experience snooping is a serious problem that haunts all entities with health information to protect.  Even if you don’t know it is haunting you, it is.  You will learn to fear it eventually.  The extent of improper record access (which we will...

Securing Home Networks

Securing home networks matters more now than ever before.  We are a very connected society. That creates great opportunities and new challenges every day, especially for those tasked with securing all that connectivity.  One opportunity that gets a lot of people...

Crisis Communications Plans

We live in a world of instant communications.  During a crisis, our normal standards of communications can be very limited.  How many different issues have you addressed for communications in a crisis in your plans?  We mention the business continuity and disaster...