HIPAA Risk Analysis, Risk Assessment, & Evaluation: Is There a Difference?

We hear the terms risk assessment, risk analysis, and evaluation used routinely in healthcare settings, often in the context of HIPAA compliance. The big question: is there a material difference between these terms from a HIPAA regulatory perspective? Answering this question correctly is critical to maintaining HIPAA compliance and staying out of hot water with regulators. Many organizations that have misunderstood and misapplied these terms have ended up facing multi-million-dollar settlements with the Office for Civil Rights (OCR) for failure to comply with the HIPAA Security Rule. Read More

New NIST Guidance on Compliance with the HIPAA Security Rule

NIST has released new guidance for covered entities to comply with the HIPAA Security Rule. The publication is titled: "Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide". This blog post provides a summary of key points in the new NIST publication alongside Meditology’s analysis and further recommendations in support of NIST’s guidance. Read More

PCI DSS v4.0 Released: Compliance Requirements for Healthcare Organizations

The PCI Security Standards Council has released the much-anticipated PCI DSS version 4.0 this week. The update is several years in the making and includes significant control requirement overhauls. Healthcare organizations must update policies, procedures, and control requirements to maintain compliance with the new PCI v4.0 standard. This blog post provides details about the new requirements for PCI v4.0 and the timing for compliance for healthcare entities. Read More

Shields Up: Russia/Ukraine Cyberwar Preparation & Response for Healthcare

Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyberattacks stemming from the ongoing conflict between Russia and Ukraine. Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches. This blog post provides guidance for US-based healthcare entities for preparing and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict. Read More

Case Study: Ransomware Locks Up 80% of 54-Hospital Health System

The U.S. Department of Health and Human Services (HHS) recently published an insightful ‘lessons learned’ document that chronicles a large-scale ransomware attack on the Health Service Executive (HSE) of Ireland. This blog provides a summary of the ransomware event, insights from HHS, and analysis and recommendations from Meditology based on our experience with helping healthcare organizations prevent and respond to ransomware attacks. Read More

Healthcare SOC 2 FAQs

Cyberattacks against healthcare organizations and their business associate vendors have begun to threaten patient safety and fundamental business operations. As a result, SOC 2 audit reports have become one of the most common and cost-effective vehicles for healthcare organizations to demonstrate adoption of controls relevant to security, availability, confidentiality, processing integrity and privacy. We have compiled these SOC 2 frequently asked questions to support healthcare organizations and vendors supporting the healthcare ecosystem that are looking to pursue SOC 2 examinations. Read More

Urgent Alert: Log4j Java/Apache Logging Vulnerability

A far-spanning zero-day vulnerability was exposed this week for the ubiquitous open-sourced logging utility called Log4j. Meditology is actively working with our clients and the third-party vendor population to understand the extent of deployment of Log4j and the impact and risk exposure it may create for healthcare organizations. This blog provides a short summary of the Log4j vulnerability as well as recommendations for remediation and risk mitigation for organizations and their third-party vendors. Read More

Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs

Are you able to answer these questions about your security risk assessment process? Is a security risk assessment the same as a HIPAA security risk analysis? Does my organization need to assess every individual asset in our environment as part of a security risk assessment? Does a security certification like SOC 2 Type II, HITRUST CSF, or ISO count as a security risk assessment? Is a penetration test required for a security risk assessment? Is a HIPAA compliance review or gap assessment the same as a HIPAA Security Risk Analysis? Check out our security risk assessment FAQ to answer these and other related questions. Read More