HIPAA TURNED '20' IN AUGUST
In recognition of the 20-year anniversary of HIPAA, we compiled a useful list of popular HIPAA articles, from the history of the regulation to common violations and how to fix them.
What's the difference between HIPAA, HITECH and the Omnibus Rule?
HIPAA is a confusing regulation. Since its enactment on August 21, 1996, it has covered topics as diverse as insurance coverage of unemployed people, efficiency of health care administration, data security, and more recently the improvement of healthcare outcomes. HIPAA has had a complicated history of regulatory revisions, clarifications, and guidance documents from various agencies, and it is still largely misunderstood.

In commemoration of HIPAA’s 20-year anniversary, we’ve attempted to provide a novel, yet informative and practical break-down of the regulation including the changes it has undergone throughout the years.

IoT Devices Make Ideal Soldiers for Cyber Criminals
We all remember gazing in wonder at the armies of elite imperial stormtroopers as they marched in formation into battle to subdue the rebel forces in those early Star Wars movies. Many of us recall the machines spotlighted in the Terminator series that led the battle against the humans. Science fiction is good at conjuring up creative visions of the technical forces we may combat in the future, but even the most creative science fiction writer couldn’t have come up with the idea of an army of cameras attacking our Internet infrastructure. Yet that is what happened.

On October 21st, 2016, an assembled army of some 50,000 cameras was used in an effective attack aimed at Dyn, a major Internet infrastructure company headquartered in New Hampshire. The attack resulted in severed access to some of the largest and most prominent web-based organizations in the world, such as Amazon, Twitter, Netflix and Spotify.
 
Over-securing PHI is a dangerous HIPAA violation.
Over-securing protected health information (PHI) means protecting the security of PHI so much that patient care or medical research becomes compromised. It may seem strange to hear this from a security firm. After all, security is where HALOCK makes its living. But if your security controls take priority over your medical mission, then you’re doing HIPAA wrong.

How serious is over-securing PHI? As early as 2004, a study published in the Annals of Surgery demonstrated a significant drop in approvals for medical research due to concerns about the Privacy Rule. A 2013 report by the Bipartisan Policy Center stated that misinterpretations of the HIPAA Privacy Rule were interfering with health research. And during client HIPAA risk assessments, HALOCK regularly encounters situations in which IT teams feel that they must impose strict controls on clinical access to PHI so they are “better safe than sorry,” even when the patient is safer with their PHI being accessible to clinicians.
Answering the question: "Are my security devices HIPAA compliant?"
Would you be surprised to learn that there is no HIPAA requirement that tells organizations to use a firewall? How about an intrusion detection system (IDS)? Nope. And no requirements for a data loss prevention tool (DLP) either, or a proxy server, or even a security information and event management system (SIEM).

All too often, clients will request a “HIPAA review of my firewall.” We see devices being marketed with “HIPAA policies,” “GLBA configurations,” or “PCI DSS rules” built in. But to be frank, we are dubious about the validity of these requests and claims. If you read the HIPAA Security Rule, the reason for our doubts becomes clear: the regulation provides very little specificity about which safeguards to implement or how those safeguards are to work. HIPAA only requires that controls be reasonable and appropriate, and that you determine what “reasonable and appropriate” means through a risk assessment.

 
HALOCK Security Labs
1834 Walden Office Square | Suite 200 | Schaumburg, IL 60173
P: 8042124352
https://www.halock.com
© 2018 HALOCK Security Labs. All rights Reserved.