The State of Security, Privacy & Compliance
In This Issue
Cybersecurity Needs to Get Better
The Medical Device Security Threat
Infographic on HIMSS Cybersecurity Survey
OCR Issues HIPAA Penalty 
OCR & CMS Release HIPAA Factsheet 
A Primer On Healthcare Encryption
Privacy Concerns For HealthCare.Gov
McMillan Named As Influential HIT Leader
Compliance Q&A
August 2015
Top Articles
Cybersecurity: Things Are Getting Worse, But Need to Get Better
On July 20th, CynergisTek's CEO Mac McMillan addressed the need to be proactive about cybersecurity during his opening keynote at the CHIME Lead Forum in Denver. In his presentation, "What is Cybersecurity and Why Is It Crucial to Your Organization?" McMillan challenged the audience to think strategically and proactively about the growing threats facing healthcare providers.

He elaborated on what CynergisTek believes to be the top threat factors for healthcare IT leaders, which include "increased reliance, insider abuse, questionable vendors, device-facilitated threats, malware, mobility, identity theft and fraud, theft and losses, hacking and cyber crime, and the shortage of CISOs to help protect an organization from the threats."
Can Medical Devices Be Hacked Like Remote Control Cars?
Modern Healthcare asked this question after a hack into a Jeep gave researchers remote control over the car. The question is worth taking seriously after the recent MEDJACK attack exploited vulnerabilities in certain diagnostic, therapeutic and life support equipment. During the pre-approval process, the FDA recommends submitting documentation regarding cybersecurity, but the industry still lacks sufficient regulation on medical device security.
Infographic: HIMSS Cybersecurity Survey Results
HIMSS recently released the results of its 2015 Cybersecurity Survey, which polled healthcare leaders across the industry on key topics related to their awareness of and readiness for cyber attacks. The survey, the first cybersecurity-themed survey conducted by HIMSS, reiterates the need to build awareness among healthcare professionals. A few points to highlight:
  • Two-thirds of respondents reported that their organization had recently experienced a "significant" cyber event.
  • A majority of respondents lack confidence in their organization's ability to defend against zero-day attacks, with only 17% expressing confidence.
  • Nearly 70% of respondents rated phishing attacks as their top future threat of concern.
$218,000 HIPAA Enforcement Fine
The Office for Civil Rights issued a $218,000 penalty to a Boston-area hospital after investigating two security incidents. The incidents included peer-to-peer sharing of documents without first assessing risk, as well as theft of an unencrypted laptop.

Jocelyn Samuels, OCR director, points out that, "Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications." Samuels adds that, "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

This most recent enforcement action offers lessons for everyone in the industry. Some key takeaways include:
  • Cloud computing strategies should include policies, training and safeguards
  • Multiple incidents can be combined into a single investigation and fine
  • Risk assessments matter, and must be performed before new tools are adopted
OCR & CMS Issue HIPAA Overview Factsheet

The Office for Civil Rights (OCR), in cooperation with the Centers for Medicare and Medicaid Services (CMS), recently released a factsheet on HIPAA for healthcare providers and their business associates. This seven-page factsheet gives a basic overview of the HIPAA Privacy, Security and Breach Notification Rules, including how information is protected by the rules and who must comply with them. It also explains how OCR enforces the HIPAA Rules through efforts such as corrective action plans and fines for non-compliance.

A Primer On Healthcare Encryption
In July, Dr. Michael Mathews, CynergisTek COO, began a four-part blog post series for HealthITExchange. In the first post, he provides a brief primer on encryption; the remainder of the series will address integrity and nonrepudiation, as well as encryption of data at rest versus data in motion.
Privacy Fears As HealthCare.gov Gears Up For Open Enrollment This Fall
With the recent attacks on government-operated databases and large health insurers, there are many reasons that systems supporting the Affordable Care Act could be targets as open enrollment approaches. Experts, including David Holtzman of CynergisTek, told HealthcareInfoSecurity why it is imperative to ensure that sensitive information is properly safeguarded now.
Becker's Hospital Review Recognizes Mac McMillan As Influential Health IT Leader
Becker's Hospital Review recently recognized CynergisTek CEO Mac McMillan in multiple lists of influential leaders in health IT. First, the staff selected McMillan as one of the "50 Leaders in Health IT". This list included many well-known executives from government, vendors and healthcare providers. Becker's Hospital Review also named him in the reader-nominated list of "21 Health IT Leaders to Know".
Compliance Q&A: Where to Find Samples of HIPAA Policies & Procedures
This month's Q&A is a compliance-related question regarding HIPAA policies and procedures. David Holtzman addresses it with some industry resources.

Where can my organization find sample policies and procedures that would fulfill the requirements of the HIPAA Rules?

It can be a challenge to take a one-size-fits-all approach when developing effective health information privacy and security policies because every organization and its needs are different. The HIPAA Collaborative of Wisconsin offers a nearly complete selection of privacy, security and breach notification policies that are intended to help organizations with their HIPAA compliance. Another resource is the policies and procedures manual developed by the California Office for Health Information Integrity, the agency that sets state standards for government health information privacy and security. Keep in mind that the CAL-OHII policies address state-law requirements that are more prescriptive than HIPAA, but these requirements are clearly identified within each policy.

Thank you for reading this month's newsletter. Have a question about security, privacy or compliance that you'd like us to answer in next month's newsletter? Reply to this email and we'll put the appropriate subject matter expert in touch with you. If you want a printable version of the August newsletter, click the download button for a PDF version.


The CynergisTek Team