Implementing SOC 2 Requirements for Cloud Environments

SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More

Understanding the Difference Between HIPAA and HITRUST

Within the world of healthcare compliance and information security, there’s been increasing confusion around some terms and organizations. We’ve heard a bit about some of this confusion, specifically around HITRUST and HIPAA.  Both are connected to the preservation of health information, yet they fulfill separate functions and are founded on differing principles. This article clarifies… Read More

HIPAA and the Use of Online Tracking for Marketing Purposes

Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites.  While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare… Read More

HIPAA and Internal Security Controls

In June 2023, the US. The Department of Health and Human Services (HHS) reached an agreement with Yakima Valley Memorial Hospital over a significant breach of privacy and security rules. Specifically, HHS found that several security guards had inappropriately accessed the private records of up to 419 patients.  This settlement demonstrated administrative and internal security… Read More

HIPAA, Security Incidents, and Reportable Events

In the interconnected world of digital health information, safeguarding Protected Health Information is paramount. Healthcare providers must legally follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and this compliance includes understanding what it means to identify and deal with security incidents. Among these, the concepts of security… Read More

What Does the HIPAA Security Rule Say About Mobile Computing?

With modern computing increasingly moving into a mobile paradigm of remote workers, laptops, and smart devices, the threat to security in various industries is only increasing. This is no more true than in healthcare, where HIPAA breaches related to mobile devices are becoming more common.  This article will discuss the HIPAA security rule, how it… Read More

What Are the Proposed Rule Changes to HIPAA Coming in 2023?

In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information.  This article will discuss this rule change and why it… Read More

Maintaining HIPAA Compliance with IoT Devices

In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these… Read More

Protected Health Information, File Sharing and Email

Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are.  However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More

OMG USB! Physical Media and Protecting PHI

Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system.  Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results,… Read More

What is NIST 800-66?

Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs.  The Healthcare Insurance Portability and Accessibility Act (HIPAA) governs the protection… Read More

What Are Health Industry Cybersecurity Practices (HICP)?

Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure.  However, understanding that HIPAA is a requirement for operation doesn’t… Read More

The HIPAA Security Rule and Risk Management

The Healthcare Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law.  What should companies do? In this case, covered organizations are turning to risk-based assessments to help them support their security approaches.  Here, we… Read More

Survival Guidance! FedRAMP and FISMA Resource for Assessing the Security Controls in Federal Information Systems and Organizations

Survival Guidance! MichaelPeters.org and LazarusAlliance.com is making our auditor’s resource for assessing the security controls in federal information systems and organizations free. This is a resource based on the NIST 800-53A framework you may freely use to conduct your organization’s FedRAMP, HIPAA or best practice based security audits. Your results are private and the output… Read More

Survival Guidance! Resource for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

HIPAA Survival Guidance! MichaelPeters.org and LazarusAlliance.com is making our auditor’s resource for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule free. This is a resource you may freely use to conduct your organization’s HIPAA security audits. Your results are private and the output is sent to you without charge. It’s just on… Read More

Expanding Security Breach Notification Requirements in California

A new amendment to California’s security breach notification law will raise the stakes for businesses required to give notice of a data security breach affecting California residents. California Senate Bill 24 (“SB 24”), signed by Governor Brown on August 31, 2011, imposes detailed new requirements for the content of security breach notices. Significantly, SB 24… Read More