Meditology’s knowledge base of research demonstrates our understanding of complex challenges faced by organizations around the country.

Thought Leadership

Offering fresh perspective from the front lines of Healthcare IT, Meditology Services thought leadership draws on trends and expert ideas to create industry standards. With more than 20 years of dedicated healthcare IT, Meditology is pleased to offer insightful tools, expert advice and valuable information for healthcare providers and IT professionals. Click below to access the latest trends, recent articles, case studies and expert commentary from one of the industry’s top thought leaders, all in one location.


November 12th, 2019
Blog Post by Meditology Services ITRM Partner Brian Selfridge | While many healthcare entities have addressed some fundamental information security capabilities, our industry is still regarded in many ways as lagging behind other industries that are popular targets of data predators. Healthcare CISOs are grappling with the next phase of security risk management: How to move from inception to growth, maturity and ultimately a robust, proactive security environment that can meaningfully address the complexity and dynamic nature of our industry.
October 23rd, 2019
Wednesday, October 23rd at 2PM EST | Like insects, healthcare organizations are complex creatures grappling for survival against a wide array of predators seeking to impair, consume or destroy them. The healthcare ecosystem and threats are evolving rapidly and healthcare organizations are struggling to adapt and mature programs to keep pace. This webinar will discuss the various stages of healthcare security program maturity and methods to adapt and make programs more secure and able to survive the next wave of evolving threats.
October 7th, 2019
Blog Post by Mary Potter, Consultant and Project Delivery Manager at Meditology Services | It’s a typical Monday. An inbox full of emails, a calendar full of appointments and a fresh cup of coffee nearby. The phone rings and it’s a patient calling to report a possible inappropriate disclosure of their information. The patient’s mother is irate that a sensitive diagnosis was revealed in child support discussions. She is certain that the information came from your hospital. After calming the caller, you start your investigation and quickly find out that the breach was likely caused by an employee of your population health vendor.
September 12th, 2019
Thursday, September 12th at 3PM EST | A lost laptop resulted in a $2.75 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights, and began a remediation odyssey that continues today at University of Mississippi Medical Center (UMMC). This webinar features Steve Waite, UMMC’s Executive Director of Compliance, sharing the epic tale of the medical center’s travails in navigating the scrutiny attached to an OCR action.
September 5th, 2019
Just as a spider spins a web to catch unsuspecting insects, cybercriminals spin clever traps to capture patient data from healthcare organizations. Healthcare security executives must work on evolving their data security programs to avoid being caught in a dangerous web that can threaten patient health, security and privacy. Discover how your organization can evolve into a more secure entity designed to protect against current and emerging threats in the healthcare ecosystem.
July 31st, 2019
Many organizations make assumptions regarding the security and integrity of their IT systems and network without ever confirming that these assumptions are valid. Oftentimes it is not until an actual security incident occurs that the security risk is exposed, and the response capabilities are tested, and by then it is too late to prevent damage to the organization. This case study provides more in-depth information regarding a hacking healthcare engagement.
July 9th, 2019
By Jaymin Patel, ITRM Associate at Meditology Services | GDPR has been a real game changer and has raised the bar when it comes to data breach notification and protecting personal data privacy. Following in the footsteps of the GDPR, the U.S. has seen several states issue significant changes concerning their data breach notification laws. This blog elaborates on new and upcoming breach notification laws.
June 27th, 2019
Thursday, June 27th at 1PM EST | Presented by Keith Henkell, Director at Meditology Services and Nancy Ripari, Senior Vice President and Partner at Huntzinger Group. Join this webinar to learn how the partnership between Meditology and Huntzinger can help you cover all the bases of due diligence for a potential merger, acquisition, or affiliation while saving both time and money.
June 20th, 2019
Meditology Services is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services exclusively for healthcare organizations. Download our Meditology Services Overview to learn more.
June 18th, 2019
In the world of nature, metamorphosis is the development process that most insects experience on their way to full maturity. Like insects, healthcare organizations are complex creatures grappling for survival against a wide array of predators seeking to impair, consume or destroy them. Insects approach security challenges by using metamorphosis and adaptation to strengthen their defenses and escape harm. Healthcare information security functions have had to make substantive adaptations leading into 2019 to protect data and healthcare entities.
June 4th, 2019
There is a dynamic duo in healthcare data security assurance: HITRUST CSF certification and SOC 2 attestation. Aligning your data security program with healthcare standards contained in HITRUST CSF and the SOC 2 attestation can bring numerous benefits. Pursuing these together in a full-scale security initiative offers an efficient approach to securing healthcare data. How can a combination approach to HITRUST certification and SOC 2 attestation benefit your organization?
May 31st, 2019
Does your security program effectively address constantly evolving threats, or does it simply check the “Meets Regulatory Requirements” box? Meditology Services provides security risk assessment services specifically tailored to the unique needs of healthcare organizations.
May 29th, 2019
Wednesday, May 29th at 1PM EST | Presented by Bethany Page, ITRM Manager & CISO and Lisa Siedzik, ITRM Manager at Meditology Services. A well-designed cybersecurity staffing strategy can help organizations to not only SURVIVE but THRIVE in harsh conditions.
May 9th, 2019
Choosing between two high-priority security initiatives like HITRUST CSF certification and SOC 2 attestation can be a difficult choice. Increasingly healthcare organizations and their business associates are considering pursuing these security initiatives in tandem. Obtaining both certifications as part of one security initiative provides a cost-effective means of demonstrating data protection through effective security and privacy practices.
April 30th, 2019
A new structure for HIPAA violation Civil Monetary Penalties (CMP) was announced by the OCR on April 26, 2019. This change greatly reduces the financial risk of HIPAA breach violations for covered entities that can demonstrate updated security risk management plans, policies and procedures for sensitive patient data.
April 23rd, 2019
At the recent HIMSS conference, the OCR provided an Enforcement Update where they outlined how they plan to approach enforcement with healthcare covered entities in 2019. As security and privacy consultants and advisors with our ears to the ground, we keep our eyes peeled for these important regulatory trends. What are the top trends that will have the biggest impact on healthcare security and privacy policy?
March 27th, 2019
Wednesday, March 27th at 1PM EST | Presented by Brian Selfridge, Meditology IT Risk Management Partner and Ankit Patel, Meditology IT Risk Management Manager.
February 20th, 2019
Unmanaged medical and IoT devices have introduced a significant hurdle for security teams protecting critical healthcare information and systems. A strategic direction for managing medical devices should be captured in a formal medical device security program and strategic plan. And while the “device” itself should be carefully evaluated for security risks, additional focus should be given to the middleware and platforms running behind the scenes.
February 11th, 2019
By CORL CEO and Meditology Partner Cliff Baker | Even as third-party data breach activity continues to grow, the importance of third-party data security in board-level risk management strategy is not growing to match the need. In November 2018, the Ponemon Institute reported that among U.S. firms surveyed, 61 percent experienced a breach caused by third parties, which is up from the previous year at 56 percent. However, only 46 percent of firms surveyed say managing relationship risk is a priority.
January 16th, 2019
Physicians and practice managers understand the importance of HIPAA compliance but often do not have dedicated IT Security and HIPAA Privacy resources. Meditology’s Physician Security and Privacy Compliance Services are tailored to the needs of primary care and specialty practices ranging in size and complexity from single physician to 200+ physicians.
January 15th, 2019
Cyber Hygiene consists of the practices and steps required to ward off potential viruses, data hijack attempts and intruders invading your information systems. Good hygiene is a major part of preventative healthcare for humans, but also for healthcare information systems. But just setting up employee training, policies and procedures is only covering the surface area of good cyber hygiene. Audits are akin to going for a health check up or dental cleaning. But what about other preventative measures before the annual “checkup”?
January 13th, 2019
The black market values patient medical records 10 to 40 times higher than credit card and Social Security Administration data, multiple reports show. Read this article featuring Meditology Services ITRM Managing Director Nadia Fahim-Koster and CORL Technologies CEO Cliff Baker to learn more.
November 30th, 2018
How confident are you that all of your Business Associates have up-to-date Business Associate Agreements (BAAs), that all of those BAAs are current with HITECH requirements, and that your BAs have security and privacy programs that will meet your organization’s or HIPAA’s requirements?
November 19th, 2018
Every pipeline has a capacity limit. Problems begin when the flow is clogged or overwhelmed. First comes a small leak, then a rupture that puts the whole pipeline in jeopardy. Only we are not talking about fluids drowning us; it is the increasing volume of Healthcare Security Audits. How can businesses meet the security demands of healthcare clients and provide meaningful and timely responses to their security audit questionnaires?
October 29th, 2018
Healthcare environments are a sought-after target for malicious hackers due to the high black-market value of Protected Health Information (PHI). Download our data sheet to learn more.
October 11th, 2018
Presented on Thursday, October 11th, 2018 by Brian Selfridge, Meditology IT Risk Management Partner and Kevin Henry, Meditology IT Risk Management Manager.
October 9th, 2018
The shortage of cybersecurity professionals is well documented across all technology industries; however, the healthcare industry ranks at the top for demand and shortages. This white paper examines the most common survival strategies to overcome challenges in cybersecurity recruiting, retention and allocation of resources for healthcare information security programs.
October 1st, 2018
Are you part of a health care organization that is having a difficult time filling needed information security positions? Perhaps many security projects are slowing down to a trickle or coming to a complete standstill as your security program initiatives get backed up. Don’t worry, you are not alone. According to ISC2, the global information security workforce shortage is expected to hit almost two million by 2022, demonstrating a staggering 20% increase from 2015.
September 25th, 2018
Presented by Nadia Fahim-Koster, Managing Director of ITRM at Meditology Services and Jana Courmier, VP of Privacy, Compliance & Accreditation at Tivity Health at the 2018 AHIMA Convention & Exhibit | Privacy, Cybersecurity and Information Governance Institute.
September 25th, 2018
Just as the U.S. Space Program has dwindled its staff in recent years and partnered with private industry for support, healthcare organizations are also feeling the pinch of not enough qualified IT and Security staff members to navigate the largely uncharted territory of cyberspace. Is your healthcare organization having a difficult time filling information security and privacy positions? Perhaps many security projects are slowing down or coming to a complete standstill as your security program initiatives get backed up.
September 18th, 2018
Each time a shuttle, rocket, person or animal is shot into space, spectators watch because we can visualize and imagine the risks. We understand a lack of oxygen, gravitational force, water and food creates extreme survival difficulties. However, the risks and dangers of operating health practices in cyberspace are less visible. There is no “blast-off” of your health record or financial information rocketing into the unknown with a huge fuel cloud to mark the occasion. Still, the information is going into the great, wide unknown, often without adequate information security and risk analysis and protections.
September 11th, 2018
At the beginning of space exploration, lost satellites and flight equipment were probably not high on the space program’s priority list. Once satellites were launched and replaced, then the topic of lost “space junk” emerged. Medical device and IoT inventory management poses a similar issue in our industry. Not knowing where devices are located is a red flag in managing data security, as a treasure trove of data may be resident on the devices themselves.
August 28th, 2018
For decades, we’ve imagined the different life forms we might encounter while traveling in space. The series Star Trek has entertained generations by imagining how things might be different in another galaxy. Likewise, in healthcare, Europe’s newly revised security and privacy directives under the General Data Protection Regulation (GDPR) have us feeling like we need to update security and privacy programs to meet the standards of another galaxy. Many CISOs and Privacy executives are asking the questions, “Does GDPR apply to us?” or “How will GDPR be enforced for US-based healthcare organizations?”
August 23rd, 2018
Security and compliance teams are your organization’s “mission control centers” for ensuring that the mission of healthcare delivery is conducted safely and effectively. Mission control has been raising alarms of late to notify leadership that information security breaches are on the rise.
August 22nd, 2018
Do you have confidence that your privacy program complies with applicable regulatory requirements? How confident are you that all your Business Associates have up-to-date BAAs, that all BAAs are current with HITECH requirements, and that your BAs have privacy programs that will meet your organization’s or HIPAA’s privacy standards?
August 21st, 2018
Many healthcare entities struggle to identify which medical devices are active or inactive on their network. Improperly secured devices pose high risks for patient harm or an information breach. Limited staff means that many security teams are stretched too thin to properly handle medical device security, increasing the risk of information mishandling or breaches.
August 3rd, 2018
The HITRUST Common Security Framework (CSF) Assurance Program is the most widely adopted framework and set of tools in the healthcare industry for evaluating an organization’s information risks and/or compliance state.
June 22nd, 2018
Are any of your information security or privacy projects in jeopardy due to resource constraints? Staffing shortages are a major bottleneck due to high demand and limited supply of experienced professionals.
June 21st, 2018
Presented on Thursday, June 21st, 2018 by Brian Selfridge, Meditology IT Risk Management Partner and Kevin Henry, IT Risk Management Senior Associate
June 19th, 2018
In our latest blog post, Meditology Services IT Risk Management Consultant Maliha Charania analyzes some common misconceptions women may have about cybersecurity jobs. She also presents strategies cybersecurity professionals can follow to encourage women to opt for cybersecurity as their career.
June 6th, 2018
Traditional audit response requires security questionnaires to be funneled through already over-burdened corporate Information Security teams. What is the MARRS Advantage?
May 31st, 2018
Presented on Thursday, May 31st, 2018 by Brian Selfridge, Meditology IT Risk Management Partner
May 10th, 2018
Presented on Thursday, May 10th, 2018 by Brian Selfridge, Meditology IT Risk Management Partner
April 11th, 2018
Healthcare organizations continue to face dangers from cyberspace. These dangers include evolving new threats to patient information and the critical systems that support delivery of health care services.
April 2nd, 2018
The 2018 HIPAA Summit provided a tremendous opportunity to learn how your security management peers address vendor security risk assessments.
February 5th, 2018
Written by Meditology's IT Risk Management leader Nadia Fahim-Koster, Managing Director
January 23rd, 2018
This January 2018 paper provides an update to our initial Microsoft Office 365 Security for Healthcare Organizations paper originally released in 2017. The latest leading practices for securely deploying Office 365 security features in healthcare settings are detailed in this document.
December 14th, 2017
Presented by Cliff Baker, Meditology Services and Adam Greene, Davis Wright Tremaine, LLP
November 14th, 2017
Presented by Nadia Fahim-Koster and Kevin Henry
November 9th, 2017
Written by Bethany Page, Manager, IT Risk Management
October 11th, 2017
Webinar presentation replay | Presenters: Tyrone Jeffress, ITRM Director and Brian Selfridge, ITRM Partner
October 10th, 2017
This whitepaper discusses key strategies for recruiting, addressing immediate shortage needs and long-term branding and cross-department efforts to keep your staff growing into the future.
October 2nd, 2017
By Maliha Charania, IT Risk Management
September 25th, 2017
By Caitlin Robertson, IT Risk Management
September 20th, 2017
Meditology IT Risk Management Partner, Brian Selfridge recently presented alongside Paul Kerr at the Healthcare Security Forum, a conference sponsored by HIMSS Boston Regional Chapter.
September 18th, 2017
By Tyrone Jeffress, ITRM Director
August 31st, 2017
This report explores the business drivers for healthcare security certifications and focuses on one of the most common and achievable certifications, the SOC 2 certification created by the American Institute of Certified Public Accountants (AICPA).
August 29th, 2017
Bethany Page, ITRM Manager and CISO presented a timely presentation on SOC 2 and other Healthcare Security Certifications
July 25th, 2017
Presented by ITRM Consultant Kevin Sacco at DEFCON2017. Ethical Hacking – let one of the good guys hack you first!
July 20th, 2017
Ryan Freeman Jones, Senior Manager and Kevin Henry, Senior Associate presented a timely webinar on Security Due Diligence for Healthcare Mergers and Acquisitions
July 17th, 2017
by Maliha Charania, ITRM Intern
June 27th, 2017
This whitepaper details ransomware trends and their impact on the healthcare industry, updates on recent ransomware attacks significantly impacting healthcare organizations, and recommendations for preventing and responding to ransomware incidents.
June 20th, 2017
Meditology's IT Risk Management Director, Tyrone Jeffress recently presented at the 2017 Annual HITRUST Conference in Grapevine, TX.
June 19th, 2017
Meditology's IT Risk Management leader Nadia Fahim-Koster, Managing Director recently presented at the 2017 Annual HITRUST Conference in Grapevine, TX along with Martin Ignatovski Chief Compliance Officer with Eye Care Leaders.
June 15th, 2017
Meditology's IT Risk Management Partner Brian Selfridge, recently presented at the 2017 Annual HITRUST Conference in Grapevine, TX along with Anahi Santiago, CISO of Christiana Care
June 6th, 2017
Webinar and presentation by IT Risk Management Partner Brian Selfridge on cybersecurity trends to look out for in 2017 and beyond
May 29th, 2017
by Nadia Fahim-Koster, Director, IT Risk Management
May 2nd, 2017
By Qasim Ijaz
April 18th, 2017
Recommended steps to follow when performing security and compliance due diligence for mergers and acquired entities in healthcare
March 1st, 2017
Timely report outlining the risks and impacts associated with medical device security, which also provides leading practices for developing medical device security programs.
February 14th, 2017
Information security and privacy have evolved into mission critical business functions for healthcare organizations heading into 2017. The healthcare industry is presented with a perfect cyber storm resulting from the proliferation of health information across platforms and third parties, an increased utility of patient information on the black market, shortages in cyber security skill sets, vulnerable medical devices, and targeted threats including ransomware.
February 7th, 2017
The evolution and advances in healthcare information technology are driving innovative technical solutions to improve organizational efficiency, population health, and patient outcomes across the continuum of care. Healthcare organizations ranging from providers, payers, and Business Associates have looked in recent years to take advantage of cloud-hosted platforms like Microsoft's Office 365 solution to drive efficiencies and boost productivity amidst growing resource and budget constraints.
December 7th, 2016
Meditology Partner, Brian Selfridge's featured article on the HITRUST Blog