New HITRUST Reservation System for Scheduling Quality Assurance of Validated Assessments

On April 15th 2021, HITRUST® announced a new reservation system for scheduling quality assurance for validated assessments. All validated assessments submitted on or before June 30th 2021 will continue to be processed on a first come, first served basis. Any assessment submitted on or after July 1st 2021 will require the Assessed Entity to schedule the start of quality assurance (QA) procedures within the HITRUST MyCSF® platform.

How Hackers Hold Hospitals, and Your Health, for Ransom | WebMD

Article by Paul Frysh, WebMD | Brian Selfridge knew his time was up. From his perch in a locked conference room with the blinds half closed, he could see two members of the hospital IT team rounding the corner with what looked like a clear sense of purpose. He suppressed a smile as he watched the pair running circles around each other. One of them -- brow furrowed, eyes buried in an open laptop -- walked right past his room, saying, "He's right here! He's got to be!"

HIPAA Risk Analysis Fundamentals: Industry Tested, OCR Approved

Risk analysis is one of four required implementation specifications in the Security Management Process section of the HIPAA Security Rule. The rule requires covered entities to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” Too often, we see healthcare organizations missing the mark on aligning with the Risk Analysis requirements as defined in the HIPAA Security Rule and running afoul of OCR and regulators in the process.

Healthcare's Microsoft Exchange Critical Exposure

Over 30,000 organizations, including healthcare entities, have been infiltrated by a Chinese-affiliated espionage group via zero-day vulnerabilities in Microsoft Exchange email servers. The attack has wide-ranging impacts for healthcare organizations, a majority of which use Microsoft to provide email services. This blog article provides an overview of the Microsoft Exchange breach, its origins, and the latest recommendations for mitigation from Microsoft, CISA, and Meditology’s technical security and ethical hacking experts.

Winds of Change: SOC 2 & Securing the Supply Chain

Groundbreaking cyberattacks against third-party vendors that support the healthcare ecosystem have begun to threaten patient safety and fundamental business operations for healthcare organizations. As a result, cybersecurity certifications like SOC 2 are fast becoming a mandate for vendors that participate in the healthcare supply chain.

How to Strengthen Your Security Program

Health systems are experiencing a barrage of cybersecurity attacks. Establishing a strong security program is paramount to thwart bad actors’ plans of gaining access to critical data and systems. The majority of health systems have a security program in place, but programs will continually need to be strengthened and refined. What can health systems proactively do to continually enhance their security programs? KLAS reached out to five healthcare-focused cybersecurity firms and asked: “What can health systems do today to avoid pitfalls and gaps in their security programs?”

New HITECH Amendment Provides HIPAA Safe Harbor for HITRUST Adoption

On January 5, 2021, the President signed bill HR 7898 into law, amending the HITECH Act to require the Department of Health and Human Services and OCR to recognize and promote best practice security for meeting HIPAA requirements. Specifically, the new law incentivizes covered entities and business associates to adopt industry best practices, including HITRUST CSF certifications and NIST CSF standards.

When Clouds Collide: Mitigating Federated Identity Attacks

The NSA has issued a cybersecurity advisory for cloud attack techniques currently in use by malicious actors that abuse federated identity trust models. This new approach allows attackers to jump across cloud-hosted platforms undetected and move from less-protected environments to more sensitive cloud applications like Microsoft Office365 email.