Dark Reading | Products and Releases
2/15/2013 11:11 AM
New HIPAA Omnibus Rule Changes Health IT Security Landscape

Rule means more audits and increased penalties if compliance is not achieved

(PR NewsChannel) / CHICAGO / Healthcare providers are now facing an immediate need to provide security risk assessments and testing to meet compliance requirements with HIPAA. On January 17, 2013, a new omnibus HIPAA privacy and security rule was released, bringing with it more audits and increased penalties if compliance is not achieved. This requirement is the beginning of a new, and very necessary, push towards Health IT security and data protection.

In a series of in-depth research interviews conducted with CIO executives from some of the largest hospitals in the U.S., one of the top 'worst-case' security scenarios keeping them up at night is how to prepare for a data-at-rest breach caused by the loss or theft of a mobile device. Furthermore, fines are no longer restricted to massive data breaches: in January 2013, HHS confirmed it had received a $50,000 settlement over a breach in Idaho that stemmed from a lost laptop and involved only 441 patients. While technology-based vulnerabilities are part of the problem, most executives agree that operational and people-related processes pose the biggest risk of an incident, a problem that can only be solved through better education, training and change management.

"As healthcare organizations rush to adopt new technologies, security often takes a back-burner which causes near and long-term problems in managing risk," said Parham Eftekhari, EVP Research, HealthTech Council. "With penalties in the recent Omnibus up to $1.5 million per violation, it is critical healthcare executives understand how IT deployments create risk, and what they can do to mitigate their exposure."

The other top security challenges facing healthcare executives, in addition to maintaining compliance with HIPAA and privacy laws, are: securing data-at-rest, data in the cloud, information sharing, BYOD/mobile device management, providing patients secure access to their health records, operational and process risk management, and employee risk/security awareness and training.

The national HealthTech Council executives providing this research and leading action groups are convening at the invitation-only HealthTech Meeting April 21-23 in Chicago to collaborate with some of the industry's leading solution providers to discuss these new policies and solutions for the future. Due to the recent events, HealthTech is urging security companies and other technology providers in Health IT Security to get involved because of the immediate demand for these solutions.

The HealthTech Council is reviewing industry experts to lead roundtable strategy sessions at the upcoming HealthTech Council Meeting in April, including: "The Mobile Revolution: Remote Care without Compromising Security and Quality"; "Operational Risk Management: People, Process, Technology"; "Help, My Data Has Been Breached!: Insights on Threat Prevention, Detection, Response"; "People and Culture: Healthcare Transformation's Biggest Challenge"; and "Future Legal & Compliance Considerations that Will Impact You." These sessions will allow healthcare professionals and solution providers to discuss best practices and lessons learned based on the most important topics affecting the Health IT Security ecosystem.

About HealthTech: The HealthTech Council provides executive-level collaboration, information sharing and education on the strategic and operational impact of information technology on the healthcare industry. As a research-based organization, HealthTech is focused on cutting-edge issues including Informatics, Risk Management, Interoperability, mHealth, Security/Privacy, Cloud Computing, Information Sharing, Compliance, Telemedicine and IT's role in supporting ACOs, Population Management and pay-for-performance. Through its semi-annual HealthTech Council Meeting, Action Committees, publications and workshops, HealthTech provides unique peer-to-peer forums for executive-level sharing of best practices and lessons learned, resulting in actionable strategic plans and industry-wide solutions. HealthTech views IT as a strategic business asset, not a cost center, resulting in content designed for both IT (CIO, CMIO) and non-IT (CMO, COO, CFO, Director/VP) executives from hospitals, health care providers, industry, academia and government. www.HealthTechCouncil.org

MEDIA CONTACT

Kirby Watkins

PR Contact

HealthTech Council

202.815.7406 Mobile

202.351.0569 Fax
