Help Me With HIPAA

Donna Grindle and David Sims | helpmewithhipaa.com
In today's environment of data breaches, identity theft, fraud, and increasing connectivity, HIPAA Privacy and Security rules are a responsibility to your patients and your clients. HIPAA isn't about compliance, it's about patient care.

Episodes

2017 Compliance Management Plans - Ep 85

Last January, we did an episode with a 2016 Compliance Management Plan. We even created a reminder poster for it you could download. The episode was about providing a compliance management plan guideline for compliance officers who are trying to find a way to fit this in with all your other job duties. That episode was very popular and the poster was downloaded by new folks even in December. This episode reviews that compliance management plan and adds a bit more to it for "extra credit". W...

Jan 06, 2017 | 43 min | Ep. 85

Healthcare Cyber Attacks - Ep 84

Every day it seems we read about more healthcare cyber attacks. As the news keeps breaking with more details on the wide variety of cases, we have plenty of work to do just to keep up. Today, there are so many cases to talk about we couldn't even decide what to call the episode. More details at https://HelpMeWithHIPAA.com/84

Dec 30, 2016 | 40 min | Ep. 84

HIPAA 21st Century Cures Act - Ep 83

For a change there was a bipartisan bill passed with some big impacts on healthcare. HIPAA 21st Century Cures Act implications are, of course, our focus. Today, we review some thoughts on the bill that was signed into law this week. More notes at https://HelpMeWithHIPAA.com/83

Dec 16, 2016 | 34 min | Ep. 83

OCR Phishing And More Announcements - Ep 82

Recorded during our first live broadcast, this episode covers several OCR announcements. We start with the OCR phishing alert. Following that, we discuss OCR's guidance that said you should consider multi-factor authentication in your risk analysis. There have also been more resolution agreements that we haven't covered on an episode, so we hit those as well. Since it was a live show we also take some questions! For more: https://HelpMeWithHIPAA.com/82

Dec 13, 2016 | 46 min | Ep. 82

Phishing Attacks In Healthcare - Ep 81

Phishing attacks in healthcare are on the rise just like every other industry. However, unlike many other targets, phishing attacks in healthcare have a much higher return on investment if the phisherman gets anyone to take the bait. We've talked multiple times how healthcare is now a major target for hackers. Then, it only makes sense that we will see a continued rise in efforts aimed at phishing attacks in healthcare. Types of phishing: Phishing - spray and pray - grab an email list and let it...

Dec 02, 2016 | 46 min | Ep. 81

Ep 81 Is Being Held For Ransom

We are holding episode 81 for ransom during the Thanksgiving holiday. For our Black Friday episode we hope you enjoy this replay of our most popular episode. Stay tuned! Episode 81 will be released next Friday. We will be discussing the different types of phishing, how they work and how you can resist the bait.

Nov 25, 2016 | 45 min

HIPAA Compliant Cloud - Ep 80

In early Oct the long-awaited guidance on HIPAA Compliant Cloud was released by HHS / OCR. There wasn't a lot of shocking information for us since it just restated, maybe more clearly, that cloud services providers (CSPs) must sign a BAA and meet certain obligations as a BA. Hopefully, this will address all the cases where some CSPs would use "sleight of hand" with phrasing to claim they didn't have to be a HIPAA compliant cloud provider. The amount of "all ya gotta do is" type of misinformation...

Nov 18, 2016 | 42 min | Ep. 80

OCR Audits and Enforcement 2016 - Ep 79

This week is basically part 2 from last week. We left off just before reviewing the OCR audits and enforcement updates announced at the NIST / OCR Security Conference 2016. Get more details at HelpMeWithHIPAA.com/79

Nov 11, 2016 | 44 min | Ep. 79

HIPAA Security Conference 2016 - Ep 78

Donna shares information from the 2016 NIST/OCR Annual Conference on Safeguarding Healthcare Information. Learn what she thought was interesting to share with you. More information at https://HelpMeWithHIPAA.com/78

Nov 04, 2016 | 43 min | Ep. 78

HIPAA Halloween Haunted House - Ep 77

We tour the HIPAA haunted house in this year's Halloween episode! Cybersecurity has become a big concern over the last 18 months. Breaches in 2015 have given way to ransomware along with more daring breaches in 2016. What is really happening on your computers, networks, and the Internet every second is terrifying in several ways. There are plenty of amazing and good things happening at the speed of light but so are the bad ones..... For more details go to HelpMeWithHIPAA.com/77...

Oct 28, 2016 | 46 min | Ep. 77

Ransomware and HIPAA - Ep 76

Ransomware and HIPAA have been a topic on the podcast multiple times. They are some of our most popular episodes, in fact. Recently, we realized we haven't discussed the OCR guidance on ransomware and HIPAA. On July 11, 2016, HHS.gov featured a new post from Jocelyn Samuels, the Director of the Office for Civil Rights (OCR). The title is catchy: Your Money or Your PHI: New Guidance on Ransomware. This episode is a review of that post and the fact sheet with OCR guidance on ransomware and HIPAA t...

Oct 21, 2016 | 38 min | Ep. 76

Disaster Recovery Planning Under HIPAA - Ep 75

Everything going on today with hurricanes and such makes it a great time to talk about this. We mention it all the time but this episode is going to be just about what DR/BC means and what you can do to be prepared in advance. So, this episode covers disaster recovery planning under HIPAA but any business can learn from our topics! What is DR/BC Planning? Who should do it? Is this another big expense? What is involved in building and maintaining DR/BC plans? General elements of a plan. Get mor...

Oct 14, 2016 | 45 min | Ep. 75

HIPAA Security Updates Recommended In New Report - Ep 74

Last year Sen. Lamar Alexander and Sen. Patty Murray asked for answers to some questions concerning cybersecurity in healthcare. They were interested in understanding what CMS and HHS were doing to protect patients from fraud. It seems as though they were wondering if HIPAA security updates were needed. We discussed the Senators' request in episode 31: https://helpmewithhipaa.com/episode-31-enforcement-efforts-ocr-increase-2016/ Their letter asked: What CMS and HHS is doing to monitor medical i...

Oct 07, 2016 | 45 min | Ep. 74

Business Associate Security Issues - EP 73

BAs are in the HIPAA spotlight now more than ever. TheDarkOverlord was clearly using some BA applications to infiltrate networks and exfiltrate PHI. OIG reviewed Alaska VA system after breaches and the report specifically points to the need to monitor BAs. OCR audits of BAs are about to start. Previously said end of September but now saying October. In this episode we discuss what all this means. More at HelpMeWithHIPAA.com/73

Sep 30, 2016 | 44 min | Ep. 73

HIPAA Penalties Increasing - Ep 72

Did you hear that maximum penalties for HIPAA violations are being adjusted for inflation? It has quietly happened. Here is how. Check out the Federal Register entry from September 6, 2016. If you aren't into reading it yourself, don't worry, you know Donna did it. Well, at least the HIPAA parts. Learn more at: HelpMeWithHIPAA.com/72

Sep 23, 2016 | 37 min | Ep. 72

OCR small breach investigations increasing - Ep 71

OCR recently released another memo concerning compliance enforcement efforts. They say effective August 2016, they have started an initiative to more widely investigate breaches involving under 500 patients. That means that OCR small breach investigations will begin happening immediately. In the past, the policy had been to investigate all breaches over 500 patients but not under. More information at HelpMeWithHIPAA.com/71

Sep 16, 2016 | 35 min | Ep. 71

Insider Threats: Do you know who your employees are? - Ep 70

OCR published a memo on Aug 1, 2016. The title is "Do you know who your employees are?". It is a great reminder about insider threats that we should all worry about regularly. Quoted directly from the memo: Although all insider threats are not malicious or intentional, the effect of these threats can be damaging to a Covered Entity and Business Associate and have a negative impact on the confidentiality, integrity, and availability of its ePHI. According to a survey ...

Sep 09, 2016 | 37 min | Ep. 70

OCR 2016 settlements keep coming - Ep 69

So far in 2016 there have been 10 resolution agreements announced. One more and this year will equal the number of agreements in all of 2015 & 2014! The latest two also include the largest one announced yet - $5.5m with Advocate Health. Before that though was The University of Mississippi Medical Center - Ole Miss to those of us in the SEC world. It wasn't something to "shake a stick at" with a $2.75m resolution amount. The total amount for those 10 announcements so far in 2016 = $20,314,800 O...

Sep 02, 2016 | 44 min | Ep. 69

OCR Desk Audit Details - Ep 68

The OCR audits have begun. On Wednesday, July 13, audit-selected CEs were invited to a webinar. OCR staff walked through the processes they can expect for the audit and expectations for their participation. The OCR published information from the webinar so we had to check it out and share what we learned with you guys. For more details visit HelpMeWithHIPAA.com/68

Aug 26, 2016 | 47 min | Ep. 68

Pokemon Go and HIPAA Breaches - Ep 67

Say it ain't so! Pokemon and a HIPAA breach really? REALLY! Creatures are showing up in offices and hospitals just like everywhere else. The concept of keeping people active and engaged with their surroundings while playing a video game seems like a great idea from a healthcare standpoint. And then you actually do a risk assessment of it - this is where the wheels fall off that good idea train. Get more details at HelpMeWithHIPAA.com/67

Aug 19, 2016 | 36 min | Ep. 67

Healthcare Hack: PHI For Sell On The DarkNet - Ep 66

We first talked about this in Ep 62. Darknet sale of healthcare records. Now, more information is coming out and it gets more unfortunate for patients every time we read more. Deep Dot Web broke the news: https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/ We picked it up on DataBreaches.net because they were trying to figure out who the entities actually were in each case: https://www.databreaches.net/damn-anyone-know-what-facilities-these-are/ Get more info at...

Aug 12, 2016 | 39 min | Ep. 66

OCR resolution agreement - OHSU - EP 65

What happened? March 23, 2013: Oregon Health & Science University notified HHS of a breach due to a stolen unencrypted laptop. May 1, 2013: OCR notifies them they are investigating the incident. July 28, 2013: Oregon Health & Science University notified HHS of another breach resulting from storing ePHI at an internet-based service provider without a business associate agreement. November 8, 2013: OCR notifies them they are investigating the new incident. July 18, 2016: settlement announced for $...

Aug 05, 2016 | 45 min | Ep. 65

Security Incident Response Plan - Ep 64

OCR recently sent out a message on their listserv asking if your CE or BA was ready for an incident. We have been discussing security incidents a lot lately so it is nice that OCR has brought it up. Because we have seen various incident response reports recently, we were working on an episode anyway. So this episode is a review of Security Incident Response Plan development. Let's first be clear, this isn't just about HIPAA. We also have been reviewing the Economist Intelligence Unit 2013 (EI...

Jul 29, 2016 | 37 min | Ep. 64

Medical Device Security - Ep 63

There has been a lot of news and industry discussions about Medical Device security. Medical Devices are just like a computer, so they also need security to protect the information on them. For more go to HelpMeWithHIPAA.com/63

Jul 22, 2016 | 42 min | Ep. 63

Business Associate Breaches In The News - Ep 62

A business associate is getting this OCR resolution, $650,000 and a two-year settlement. CHCS in Philadelphia is a BA to 6 skilled nursing clinics in the Philadelphia area. Entities like this do the business part of healthcare and the other clinics don’t have to worry about it. An unencrypted iPhone that wasn’t password protected had PHI on it. Patterson Dental Supply Inc. helps manage dental practice information for various providers. One of the clinics they help service is Massachusetts Gener...

Jul 15, 2016 | 40 min | Ep. 62

Healthcare Data Breach Study - Ep 61

Since 2010, ID Experts has sponsored this Ponemon Institute study which has been tracking data breach trends of patient data at healthcare organizations. The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches. Criminal attacks and internal threats are the leading cause of healthcare breaches. Evolving cyber attack threats such as ransomware and malware are of primary concern for 2016. At the same time, internal issues such as employee...

Jul 08, 2016 | 33 min | Ep. 61

HIPAA Rules In A Crisis - Ep 60

As always, during times of crisis and chaos things do become confused and incorrect statements are made. It is a normal occurrence in troubling situations. But, we need to address it specifically to clear up a few points. There was no "special waiver from the White House". There was no need for one at all. People, even in a crisis, should not be invoking HIPAA over caring for the patient properly. The hospitals talked about implementing their crisis plan - why wasn't HIPAA addressed in the plan....

Jul 01, 2016 | 31 min | Ep. 60

HIPAA, HHS, OCR, and PHI - Ep 59

Today’s podcast is a little different from our normal ones. We are covering a wide variety of subjects involving HIPAA, OCR, HHS, and PHI rather than one specific topic. For more go to HelpMeWithHIPAA.com/59

Jun 24, 2016 | 42 min | Ep. 59

Preventing Ransomware - Ep 58

Preventing ransomware is a major concern for every business today. If not, it should be. This episode covers understanding ransomware and methods for preventing it. Is ransomware a PHI breach? April record number of cases and not slowing down. 8 hospitals (more by the time we record) already hit. Training and vigilance is best defense. Ransomware attacks continue to evolve to be "smarter". For more see HelpMeWithHIPAA.com/58...

Jun 17, 2016 | 36 min | Ep. 58
Hosted on Libsyn