
Healthcare Data Breaches: Who Wants PHI?


January 12, 2016



In the previous blog post, we discussed the types of entities that need protected health information (PHI) to conduct their business or provide their services. Now let's discuss which entities or individuals are typically interested in obtaining this PHI.

Who is Interested in Obtaining PHI?

There is no single group of people or type of organization stealing PHI for unlawful purposes. However, by looking at the 18 PHI identifiers listed below (the identifiers HIPAA's Safe Harbor de-identification standard, 45 CFR 164.514(b), requires to be removed before data counts as de-identified), we can see that the information collected and protected under HIPAA can be used for many purposes that negatively affect those whose PHI is compromised.


Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Privacy, Privacy Rule, PHI, Data Breach, Security, HIMSS16, Information, healthcare, Illegal Use, Unlawful Use

Healthcare Data Breaches: Who Wants PHI? (Spanish-language post)


January 12, 2016




In the previous blog post, we discussed the types of entities that need protected health information (PHI) to conduct their business or provide their services. Now let's discuss which entities or individuals are typically interested in obtaining this PHI.

Who is Interested in Obtaining PHI?

There is no single group of people or type of organization stealing PHI for unlawful purposes. However, by looking at the 18 PHI identifiers listed below, we can see that the type of information collected and protected under HIPAA can be used for many purposes that negatively affect those whose PHI is compromised.


Topics: HIPAA, PHI, HIMSS16, Covered Entities, Healthcare, Business Associates, Data Breach, Healthcare Information, Protected Health Information, Privacy Rule, Unlawful Use, Illegal Use, Health Information, Security, Privacy

Healthcare Data Breaches: Who Needs PHI to Conduct Business?


January 6, 2016



As promised in my introductory blog post, I will be writing a blog series exploring several issues regarding healthcare data breaches. Specifically, I will address the importance of proactively preventing them rather than reacting to them after the damage is done.

Who Needs PHI to Conduct Business?

Individually identifiable health information held or transmitted by a Covered Entity or Business Associate is protected under the HIPAA Privacy Rule and is formally called Protected Health Information (PHI).

PHI can exist in any form or medium: electronic, paper, or oral. PHI can also include demographic information, and it relates to an individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual.

Individuals, organizations, and agencies that fall under the HIPAA definitions of a Covered Entity or a Business Associate must comply with the HIPAA/HITECH Rules in order to adequately protect the privacy and security of PHI while also giving individuals the specific access rights to their PHI that the Privacy Rule grants them.


Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Business Associate Agreement, Privacy, PHI, HITECH, HIMSS, Data Breach, Security, healthcare

Healthcare Data Breaches: Who Needs PHI to Conduct Business? (Spanish-language post)


January 6, 2016



As promised in my introductory blog post, I will be writing a series of posts exploring several issues related to data breaches in the healthcare system. Specifically, I will address the importance of acting proactively to prevent them rather than reacting after the damage is done.


Topics: HIPAA, PHI, HITECH, HIMSS, Covered Entities, Healthcare, Medical Information, Business Associate Agreement, Business Associates, Data Breach, Protected Health Information, Security, Privacy

Healthcare Data Breaches: Preventing Instead of Reacting


December 22, 2015



With the advent of technology and globalization, the movement of personal data has become a "business need" when it comes to data sharing between entities and countries. Technology has allowed business entities to transform their business models into international ones more easily than ever before. And because data sharing has become a "need" for these entities to succeed, the personal data they process becomes valuable not only to the person the data belongs to and the business that uses it, but also to the many individuals and organizations that want this data for their own, often unlawful, purposes.

As a Security and Privacy Professional with a legal background, my focus is on understanding domestic regulations like HIPAA/HITECH and comparing them to international regulations like the EU's Data Protection Directive. My experience includes reading, dissecting, and comparing complicated laws and regulations and managing compliance assessment projects. Therefore, I am excited about this opportunity to share information regarding the importance and sensitivity of protected health information (PHI), the potential consequences of a data breach, and the impact of the HIPAA/HITECH rules.

Covered Entities and Business Associates must adhere to the HIPAA/HITECH rules domestically. The controls these entities must implement are not there just to "comply" with HIPAA/HITECH, but, more importantly, to prevent a data breach and protect the PHI these entities rely on to survive as a business. This data is sensitive in nature and must be protected from the moment the entity receives it to the moment it leaves the entity's control entirely. With Business Associates under much scrutiny over the last few years (the 2013 HIPAA Omnibus Rule made them directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule), they and Covered Entities alike must do their due diligence to ensure that any other party (Business Associate) they work with in connection with this PHI is also complying with the same controls to safeguard this data.

I will be writing a series of blog posts that explore this theme by identifying key topics that are intertwined with, and connect, Covered Entities and Business Associates who share this sensitive data when conducting business together. Specifically, each post in the series will address one of the following six questions:


Topics: data security, compliance, healthcare

Healthcare Data Breaches: Preventing Instead of Reacting (Spanish-language post)


December 22, 2015



With the arrival of technology and globalization, the movement of personal data has turned into a "business need" when it comes to sharing data between businesses and countries. Technology has allowed business entities to transform their business models and cross international borders more easily than ever before. And because data sharing has become a "need" to ensure the success of these entities, the personal data that is processed becomes a valuable asset, not only to the person who owns it and the business that uses it, but also to many people and organizations that want to obtain this data for themselves, often for illegal purposes.


Topics: HIPAA, PHI, HITECH, HIMSS, Covered Entities, Healthcare, Business Associates, Data Breach, Personal Medical Information

Continuous Compliance & Assurance Addresses PCI Business as Usual Guidance


December 29, 2014



In the aftermath of the last 12 months of payment card breaches, the PCI Security Standards Council (PCI SSC) has published guidance, introduced with PCI DSS v3.0, on compliance practices it calls "Business As Usual (BAU)".
As outlined, this program stresses the following:
  • Increased education and awareness
  • Greater flexibility
  • Making security a shared responsibility
From a technical perspective, the program focuses on:
  • Monitoring the operation of security controls
  • Detecting and responding to security control failures
  • Understanding how changes in the organization affect security controls
  • Conducting periodic security control assessments, and identifying and responding to vulnerabilities
Unfortunately, there is not much information on how to implement a program to manage the "Business As Usual" approach, or how to enforce and monitor it.
CompliancePoint has been evangelizing the "Continuous Compliance and Assurance Program" as a way to address the shortcomings of Point in Time Assessments (PITA) and ensure that organizations maintain compliance and a strong security posture throughout the year.
Over the last 8 years of delivering PCI DSS assessments to customers, the same question keeps coming up: "Once I get compliant with PCI DSS, how do I stay compliant?" The challenge is that organizations are dynamic and change occurs constantly. These changes can significantly affect compliance levels or even introduce critical vulnerabilities into the organization and its infrastructure.
To address this, an organization must adopt a program/process that assigns, monitors, escalates, and reports on the mandatory compliance and security tasks/events that must be performed at various intervals throughout the year (PCI DSS itself prescribes daily, quarterly, six-monthly, and annual activities). Failing to perform these tasks not only puts the organization in a non-compliant status but can result in a breach.
The program must combine assessment and validation services with a software platform in a single solution that automates the workflow of assigning mandatory tasks, monitors that the tasks are completed on time, and provides an escalation process. In addition, the technology should provide real-time visibility into the customer's compliance and security levels.
The other aspect of "Business as Usual" is making security a shared responsibility. Without a program that promotes delegation and monitoring of responsibility for the compliance/security controls in the PCI standard and pushes the required tasks down to the asset owners, compliance officers have no visibility into whether these tasks are being completed, or whether they are being completed according to the standard. Defining ownership and assigning control responsibility is a critical step. Almost as critical is the process of defining the control methodologies, that is, how each control is implemented. This information matters both for automating tasks and as documentation for the auditor.
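Since the post notes how little guidance exists on implementing a BAU program, here is a minimal model of the assign / monitor / escalate / report loop the paragraphs above describe, with tasks delegated to named owners. It is an added example, not CompliancePoint's software and not PCI SSC guidance. The requirement numbers and recurrence intervals are recurring PCI DSS v3.x activities (quarterly vulnerability scans, annual penetration test, six-monthly firewall rule review, annual service-provider compliance check, daily log review); the owner names, dates, warning window and escalation ladder are assumptions constructed for illustration.

```python
"""Continuous-compliance task tracker: assign, monitor, escalate, report.

Added example; not CompliancePoint's product or the PCI SSC's guidance.
Requirement numbers/intervals follow PCI DSS v3.x; owners, dates and
escalation thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Escalation ladder (assumed): days overdue -> who is notified next.
ESCALATION = [(1, "owner"), (8, "owner_manager"), (31, "compliance_officer")]


@dataclass
class ControlTask:
    req: str                        # PCI DSS requirement the task evidences
    description: str
    owner: str                      # asset/control owner the task is delegated to
    interval_days: int              # how often the task must recur
    last_completed: Optional[date]  # None = never performed

    def next_due(self) -> Optional[date]:
        if self.last_completed is None:
            return None
        return self.last_completed + timedelta(days=self.interval_days)

    def days_overdue(self, today: date) -> int:
        """Positive when overdue, zero on the due date, negative before it."""
        due = self.next_due()
        if due is None:
            # Never performed: treat as a full period late so it escalates.
            return self.interval_days
        return (today - due).days


def escalation_target(days_overdue: int) -> Optional[str]:
    """Highest rung of the ladder reached for the given lateness, or None."""
    target = None
    for threshold, who in ESCALATION:
        if days_overdue >= threshold:
            target = who
    return target


def task_status(task: ControlTask, today: date, warn_days: int = 14) -> str:
    """'overdue' past the due date, 'due_soon' within warn_days of it, else 'ok'."""
    d = task.days_overdue(today)
    if d >= 1:
        return "overdue"
    if d >= -warn_days:
        return "due_soon"
    return "ok"


def compliance_report(tasks, today: date) -> dict:
    """Roll every task up into what a dashboard would show: per-task status,
    lateness, and the escalation rung each overdue task has reached."""
    rows = []
    for t in tasks:
        d = t.days_overdue(today)
        rows.append({
            "req": t.req, "owner": t.owner,
            "status": task_status(t, today),
            "days_overdue": max(d, 0),
            "escalate_to": escalation_target(d),
        })
    overdue = [r for r in rows if r["status"] == "overdue"]
    return {"as_of": today.isoformat(), "compliant": not overdue,
            "overdue_count": len(overdue), "rows": rows}


# Constructed sample: recurring PCI DSS tasks as of the post's date.
TODAY = date(2014, 12, 29)
SAMPLE_TASKS = [
    ControlTask("11.2", "Quarterly internal/external vulnerability scan", "netops", 90, date(2014, 11, 1)),
    ControlTask("11.3", "Annual penetration test", "appsec", 365, date(2013, 11, 15)),
    ControlTask("1.1.7", "Six-monthly firewall rule-set review", "netops", 182, date(2014, 6, 1)),
    ControlTask("12.8.4", "Annual service-provider compliance check", "vendor_mgmt", 365, None),
    ControlTask("10.6", "Daily log review", "soc", 1, date(2014, 12, 28)),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_TASKS, TODAY)
    print(f"as of {report['as_of']}: compliant={report['compliant']}, "
          f"overdue={report['overdue_count']}")
    for row in report["rows"]:
        print(f"  {row['req']:<7} {row['owner']:<12} {row['status']:<9} "
              f"{row['days_overdue']:>3}d  -> {row['escalate_to']}")
```

In the sample, the pen test is 44 days late and the never-performed vendor review both reach the compliance officer, the firewall review (29 days late) sits with the owner's manager, the scan is not yet due, and the daily log review is due today. Swapping the constructed dates for completion records pulled from a ticketing or GRC system is what turns this into the real-time view the post calls for.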
I am very encouraged that the PCI SSC recognizes the critical need for a process or program (such as the Continuous Compliance and Assurance program) that ensures PCI DSS controls are managed and monitored on an ongoing basis; this is the only way to maintain a secure and compliant environment. If this year has taught us anything, it is that PCI DSS compliance is a lot more than a check box.

How Can I Make My Audit Results More Predictable?


August 14, 2014



By Jon Long

The only thing more stressful than a final exam is going into that exam feeling unprepared. Did I study the right topics? Will I have enough time? Do I feel confident in my understanding of the material? A looming audit is no different— feeling unprepared can be nerve-racking.


How to Maintain Legal Compliance Management


August 8, 2014



Three ways Continuous Compliance and Assurance simplifies security
Legal compliance management is an everyday concern for risk management teams looking to protect information flows and access points. By implementing Continuous Compliance and Assurance (CCA), an ongoing process of proactive risk management that delivers predictable, transparent, and cost-effective results against information security goals, companies gain three important legal compliance management advantages:
  1. Efficiency: CCA lets companies manage their information security proactively and in real time. Rather than reacting to breaches or attacks that expose gaps in the control framework, CCA improves the efficiency of legal compliance management by using technology to stay ahead of potential threats.
  2. Cost-effectiveness: Unfavorable audit findings can force quick (and costly) fixes. By using technology like CCA to monitor legal compliance management continuously, companies spend less and eliminate expensive audit surprises.
  3. Predictability: When companies bring in outside expertise and use technology to monitor and control legal compliance management in real time, they can be more confident about their information security and about how their audits will turn out.

The Best Compliance Management Systems


August 8, 2014



How technology tools can make information security efficient and predictable
For many risk managers, compliance management systems can be a scary concept. The term suggests that something can be left to run on its own, without oversight, and still correctly protect a given function or framework. All too often, automated solutions lead to oversights, audit surprises, cost overruns, and other negative outcomes.
The best compliance management systems combine human and artificial intelligence to improve information security and real-time assurance. Instead of stove-piped software that lacks cohesive intelligence, smart compliance management systems add transparency about rules and vulnerabilities and give risk managers more control over the compliance process, not less.
The search for smart compliance management systems has led more and more risk managers to Continuous Compliance and Assurance (CCA), an ongoing process of proactive risk management that delivers predictable, transparent, and cost-effective results against information security goals. It features an automated digital dashboard that lets risk managers review performance against goals, adjust rules, and demonstrate compliance as a present and ongoing position rather than a point-in-time snapshot.
As a result, compliance management systems are anything but scary. Implemented as CCA, they are the best defense against the lengthy, costly audits risk managers fear.
