The NIST and OCR annual security conference has come around again.  This year, David attended the conference via webcast and shares his notes on the first day of the conference.

Before the conference discussion, however, we have to touch on the announcement from Equifax about their HUGE data breach.

HIPAA For MSPs by David Sims: NIST & OCR Security Conference

NIST and OCR Security Conference

The Equifax Breach

Equifax has announced a massive data breach.  The breach is the largest yet, and it comes from a company that most of us had very little choice about handing our data to.  The current published numbers indicate that the breach includes 143 million consumers' data.  That is half of the US population, counting children.  Unfortunately, in cases like these the first number announced is often not the final total.  That remains to be seen.  This is Equifax’s third breach in the last two years.

They offer a website to determine if your name may be included here:

There is also some discussion of potential insider trading by executives of the company before the announcement.  We will be watching this one for sure.

Caution should be taken if you plan to take Equifax up on their offer of identity protection.  By accepting their offer you are agreeing never to sue them, either individually or in a class action suit.

What should you do?

Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting Accounts or activity that you don’t recognize could indicate identity theft. Visit to find out what to do.

Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.

Monitor your existing credit card and bank accounts closely for charges you don’t recognize.

If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.

Use an ID theft and credit monitoring and response solution. You want a company that monitors your identity, not just your credit. You also want a company with a response team that can respond to problems and help you when something happens.  David is a fan of Zander Insurance.  Donna has just signed Kardon up for an employee benefits program from IDExperts.  Their monitoring service is the

File your taxes early — as soon as you have the tax information you need before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

NIST and OCR Conference

HHS Office for Civil Rights Director Roger Severino opened the conference.  This is the speech where he mentions that, from an enforcement standpoint, he is looking for a “big, juicy case” to use to set an example for others.  When asked what his biggest priority for HIPAA enforcement in the coming year would be, he replied: “I’m looking for the big juicy, most egregious cases out there.  I do want to underscore that I want people to come into compliance without enforcement whenever possible.”

NIST and OCR CHIME Priorities for healthcare security

The Keynote Address featured Russ Branzell, President and CEO of the College of Healthcare Information Management Executives (CHIME).  This discussion included a great review of security priorities in healthcare. That list includes many things we have mentioned in several episodes, but it is a perfect summary of those priorities.

The Year in Review: The Current Cybersecurity Threat Landscape was covered by Steve Curren, Director, Office of Emergency Management, Division of Resilience, HHS Assistant Secretary for Preparedness and Response.  There are many resources available that aren’t being used by everyone out there.

As we continue to see advancements in the resources available to address compliance, it is still hard to make sure people are able to understand what it all means.  There is a definite reason to keep an eye on things, because NIST and OCR are trying to meet the needs of organizations who need help getting their security in line.  However, it is clear that you are up against a lot of serious threats when organizations the size of Equifax are incapable of protecting the data they have on file.