The FDA’s New Medical Device Development Tools (MDDT) Program

The US Food and Drug Administration (FDA) announced a new Medical Device Development Tools (MDDT) program on October 20, 2020. The MDDT includes information security evaluation criteria for assigning risk ratings to medical device security vulnerabilities. This blog post provides a summary of the FDA’s MDDT program and its applicability for supporting medical device security programs for healthcare delivery organizations. Read More

NIST SP 800-53 Rev 5: Sizing Up the New Security Standard in Town

The National Institute of Standards and Technology (NIST) has announced an updated version of their flagship security controls framework NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, update is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. This blog post will help provide some insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability for healthcare organizations. Read More

The Pandemic of Poor Passwords

In almost 20 years of penetration testing and compliance, there is one theme that I have seen that has consistently led to unauthorized access to sensitive information and systems: BAD PASSWORDS. Bad passwords are a disease that has affected most healthcare organizations domestically and globally. The stats from recent breach reports and regulatory bodies indicate that this outbreak is having a material financial and operational impact on our industry. Read More

Provocative PCI-DSS v4.0 | New Requirements and Timing Updates

The PCI Security Standards Council has fielded an unprecedented amount of feedback in 2019 and 2020 related to the much-anticipated release of PCI-DSS v4.0 due out early next year. There are several provisions that are proving controversial and generating a healthy debate about effective security controls to stem the torrent of payment card breaches. This blog post provides an overview of some of the more controversial changes proposed in the new PCI standard set for release in 2021. Read More

Navigating the Library of Medical Device Security Standards

Multiple government and industry entities provide regulations and standards for securing medical devices. To date, relevant regulations and standards have not carried meaningful incentives or disincentives for providers to invest time, resources, and energy to tackle this problem. Private industry consortia provide more prescriptive guidance, but there is no clear, concise framework or standard that is comprehensive and prescriptive enough to tackle the challenge. The result is a hodge-podge of guidance, frameworks, and tools that lacks cohesion. However, each standard and regulatory reference can be valuable inputs to medical device security programs if applied in the appropriate areas. Read More

SOC 2 Remote Audit Guidance

Game-changing shifts are underway for audit, risk, and compliance programs looking to leverage third-party SOC 2 attestations to validate compliance with industry-standard security requirements. The pandemic has driven entire workforces into remote operation at precisely the same time when the demand for independent inspection and validation of security controls for third-party vendors has reached peak levels. Read More

Finding a Cure for Healthcare Interoperability Risks | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information including Protected Health Information (PHI). Read More

Buyer Beware: Keys to Selecting a HITRUST Assessor

Not all HITRUST assessor organizations are created equal. Your selection of a HITRUST assessor firm can have a material impact on your ability to achieve certification within targeted budgets and timeframes. Failure to achieve certification or delays in the process can jeopardize key contracts and cost the business irrecoverable time and money. This blog is a quick reference guide for selecting a qualified and experienced assessor to help your organization achieve certification on time and within budget. Read More