HIPAA Security Conference 2016

Donna shares information from the NIST/OCR HIPAA Security Conference 2016. It is held each year in Washington, DC, and focuses on safeguarding healthcare information. Sitting in via the webcast, Donna enjoyed hearing the nerdy stuff, as always.

Learn what she thought was interesting enough to share with you in this episode of Help Me With HIPAA.

HIPAA Security Conference 2016 topics included:

  • Digital Identities in Health
  • Business Associate Liability and Other Issues
  • Addressing Healthcare Cybersecurity Challenges through Standards-based Solutions
  • Updates from the Office of the National Coordinator for Health Information Technology
  • Updates from the Health Care Industry Cybersecurity Task Force
  • Best Defense Tactics Against Ransomware
  • An Update from the Federal Trade Commission
  • Update on OCR’s Compliance and Enforcement Activities

Speakers from HHS / OCR included:

  • Jocelyn Samuels, Director
  • Deven McGraw, Deputy Director, Health Information Privacy
  • Iliana Peters, Senior Advisor, Compliance and Enforcement
  • Lucia Savage, Chief Privacy Officer, HHS Office of the National Coordinator for Health Information Technology
  • Steve Curren, Director, Office of Emergency Management, Division of Resilience, HHS Assistant Secretary for Preparedness and Response

NIST Speakers included:

  • Phil Lam, National Strategy for Trusted Identities in Cyberspace
  • Gavin O’Brien, National Cybersecurity Center of Excellence
  • Jeff Cichonski, Applied Cybersecurity Division

Speaker from the FTC:

  • Cora Han, FTC Division of Privacy and Identity Protection

Donna’s Session Notes

  • More breaches are being reviewed, and the Advocate settlement may not end up being the largest
  • Advocate failed on a long list of issues, including an unencrypted laptop left in an unlocked car
  • Looking for digital ID options like one tough login and then tap cards
  • No matter what you use for authentication, do risk assessments often
  • Can’t just give strong IDs to doctors; the staff needs them too
  • Docs don’t want to have their face in the computer – eye contact matters
  • NIST CSF to HIPAA crosswalk only meeting 19 of 98 elements
    • You’re batting .194
    • Your kid brings home a test score of 19
  • Weak passwords account for a large number of major breaches
  • We are looking at HIPAA 3.0 coming soon – security guidance definite for 2017
  • New guidance being worked on now:
    • Social media
    • Text messaging
    • Sharing PHI with friends / family, prompted by the Orlando issues
  • Breach totals this year will be huge: 17K to 24K breaches

Quotes of note from speakers and panel members:

  • Trust is essential in healthcare – J Samuels
  • Some breaches are like a canary in a mine – J Samuels
  • Average time in a single patient account is 45 seconds
  • HIPAA security enforcement requires a carrot and stick approach
  • Cybersecurity prophylaxis = countermeasures
  • We don’t like being ignored! – several OCR representatives

BAs are big concerns for everyone

  • New generation of BAAs coming with vetting and specific responsibilities
  • Be sure to vet your high risk BAs
    • Don’t give 100K patient records to “some guy with a computer in his basement”
  • Worry more about smaller less established BAs
  • Assessment must be done pre-engagement, and by someone with the tech skills to ask or review the questions
  • Template BAAs will fall by the wayside – much more is required based on the relationship
  • Evaluate CIA – all of it – Availability matters – no holding PHI hostage for payment
  • Often a shared responsibility
  • Auditing not required but you will sometimes need to know “what did you know & when did you know it”
  • You don’t have to turn over every rock but you also can’t say not my problem.
  • Overseas BAs should be well vetted – country laws
  • If they are willing to send you their complete RA you should worry – that is supposed to be a highly confidential doc

Lots of ransomware discussions

  • Our ransomware and HIPAA episode
  • Computer hygiene matters
  • Need for a cyber “neighborhood watch” to tell others what is happening
  • Malvertising
  • Smartphones held at the lock screen until the ransom is paid
  • If you pay, they know you are vulnerable and may ask for more or attack again
  • Ransomware can also drop off key loggers and back doors – are you sure they are out?
  • Have a plan or you will be in big trouble

Medical devices are a big issue

  • One group’s assessment of med devices:
    • 6K devices found
    • 4K attached to the network
    • 400 different models
    • from 100 different vendors
  • Many med devices have no encryption option – only around 5% do
  • Disposal and service of devices require a BAA
  • Ask how long they will be supporting the devices that you buy – some still run Windows XP or 7

That is enough for now – we haven’t covered it all. But the next topics are the status of OCR audits and enforcement activities. Those will have to be in their own episode next week, so we will have a HIPAA Security Conference 2016 part 2!