The National Institute of Standards and Technology (NIST) has announced an updated version of their flagship security controls framework NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, update is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. This blog post will help provide some insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability for healthcare organizations. Read More

In almost 20 years of penetration testing and compliance, there is one theme that I have seen that has consistently led to unauthorized access to sensitive information and systems: BAD PASSWORDS. Bad passwords are a disease that has affected most healthcare organizations domestically and globally. The stats from recent breach reports and regulatory bodies indicate that this outbreak is having a material financial and operational impact on our industry. Read More

The PCI Security Standards Council has fielded an unprecedented amount of feedback in 2019 and 2020 related to the much-anticipated release of PCI DSS v4.0 due out early next year. There are several provisions that are proving controversial and generating a healthy debate about effective security controls to stem the torrent of payment card breaches. This blog post provides an overview of some of the more controversial changes proposed in the new PCI standard set for release in 2021. Read More

Multiple government and industry entities provide regulations and standards for securing medical devices. To date, relevant regulations and standards have not carried meaningful incentives or disincentives for providers to invest time, resources, and energy to tackle this problem. Private industry consortia provide more prescriptive guidance, but there is no clear, concise framework or standard that is comprehensive and prescriptive enough to tackle the challenge. The result is a hodge-podge of guidance, frameworks, and tools that lacks cohesion. However, each standard and regulatory reference can be valuable inputs to medical device security programs if applied in the appropriate areas. Read More

Game-changing shifts are underway for audit, risk, and compliance programs looking to leverage third-party SOC 2 attestations to validate compliance with industry-standard security requirements. The pandemic has driven entire workforces into remote operation at precisely the same time when the demand for independent inspection and validation of security controls for third-party vendors has reached peak levels. Read More

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information including Protected Health Information (PHI). Read More

Not all HITRUST assessor organizations are created equal. Your selection of a HITRUST assessor firm can have a material impact on your ability to achieve certification within targeted budgets and timeframes. Failure to achieve certification or delays in the process can jeopardize key contracts and cost the business irrecoverable time and money. This blog is a quick reference guide for selecting a qualified and experienced assessor to help your organization achieve certification on time and within budget. Read More

Healthcare has once again topped the list of the highest average breach cost per industry segment according to the 2020 IBM Cost of a Data Breach Report. The perennial data breach report is in its 15th year and is once again administered by the highly regarded Ponemon Institute. Healthcare has been the top cost sector for breaches for last 10 years running, peaking at $10m per breach in 2018 and leveling back to $7.13m this year. Healthcare remains atop the costliest sectors for breaches, followed closely by the Energy and Financial Services industries. Read More