SOC 2 Remote Audit Guidance

Significant shifts are underway for audit, risk, and compliance programs that rely on third-party SOC 2 attestations to validate compliance with industry-standard security requirements. The pandemic drove entire workforces into remote operation at precisely the time when demand for independent inspection and validation of third-party vendors' security controls reached its peak, forcing assessors and auditees alike to adapt evidence collection and control testing to fully remote engagements.

Finding a Cure for Healthcare Interoperability Risks | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule with major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also expands the technology footprint that handles sensitive patient data, including Protected Health Information (PHI), and with it the attack surface that covered entities and their business associates must protect.

Buyer Beware: Keys to Selecting a HITRUST Assessor

Not all HITRUST assessor organizations are created equal. Your choice of assessor firm can have a material impact on your ability to achieve certification within the targeted budget and timeframe. Failure to achieve certification, or delays in the process, can jeopardize key contracts and cost the business irrecoverable time and money. This article is a quick reference guide to selecting a qualified and experienced assessor who can help your organization achieve certification on time and within budget.

Healthcare Breach Trends: Analysis of the 2020 IBM & Ponemon Data Breach Report

Healthcare has once again topped the list of the highest average breach cost per industry segment according to the 2020 IBM Cost of a Data Breach Report. The annual report is in its 15th year and is once again administered by the highly regarded Ponemon Institute. Healthcare has been the costliest sector for breaches for the last 10 years running, peaking at $10m per breach in 2018 and leveling back to $7.13m this year, followed by the Energy and Financial Services industries.

Enterprise Risk Reporting: The Healthcare CISO’s Achilles Heel

Information security leaders and risk management teams at healthcare entities have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks facing the modern healthcare ecosystem. The inability to communicate meaningful security metrics that drive informed risk decisions by the business has become the Achilles heel of many healthcare CISOs.

HITRUST Certification FAQs

This article is recommended for any organization considering HITRUST certification, recertification, or alignment with HITRUST CSF security control requirements. HITRUST stands for the Health Information Trust Alliance, a non-profit organization that created and maintains the HITRUST Common Security Framework ("CSF") and the HITRUST Assurance Program. The CSF was originally developed for the healthcare industry and provides a framework for complying with various regulations and standards, with the applicable control requirements tailored to the organization's size, the types of systems deployed, and the regulatory requirements that apply to it.

OCR Presents: 2019-2020 Year in Review

I recently had the opportunity to deliver a presentation alongside leadership from the Office for Civil Rights (OCR) on the state of HIPAA Security Rule compliance and enforcement. Visibility into third-party data supply chains and their respective security and compliance postures will soon become the paramount mandate for information security programs. Effective healthcare security and compliance programs of the next decade must quickly reorient in 2020 towards the inspection and protection of downstream vendors and systems responsible for critical business functions.

HITRUST Assessment Scoping Changes

The HITRUST Alliance recently updated the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments. The change is designed to reduce the number of repeated requirement statements that are marked "Not Applicable". This article is recommended for any organization currently pursuing HITRUST certification or recertification, or considering alignment with HITRUST CSF security control requirements.