The following is a précis of some recent authored or co-authored Cybersecurity Healthcare & Regulatory Compliance Articles, Publications and White Papers
The Digitization of the Healthcare Industry: Using Technology to Transform Care - Sept 2016
Over the past few years, few industries have seen such dramatic changes as in healthcare. On the one hand, the healthcare sector is strong and growing, with a value of $3.2 trillion in the United States. With the dust finally settling on the Affordable Care Act, more than 10 million newly insured Americans are bringing significant revenues to an industry shifting to more retail-like business, clinical, and operating models.
On the other hand, few sectors are experiencing such disruption. The new business models are more vulnerable to competition, increasing the pressure to reduce costs and meet stringent customer demands. Many are moving to risk-sharing, pay-for-value plans. In fact, a new task force of providers, insurers, and employers has committed to shifting 75 percent of business into contracts with incentives for health outcomes, quality, and cost management by 2020. And companies must continue to secure the most valuable data on earth - electronic medical records - from a black market willing to pay top dollar for healthcare information.
Security in Healthcare: Bolstering Connectivity and Protecting Patients - April 2016
Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. Medical professionals can access patient data and real-time health status in a way that can dramatically enhance their understanding of the progression of a disease and improve their response to patient health incidents. Medical equipment can automatically identify system failures and even generate maintenance tickets. Remote treatment allows doctors and patients to communicate no matter where they are.
But this connectivity comes at a price. More devices and more communication increase the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to changes because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient healthcare if systems are disrupted but also injure well-being if their private records are stolen.
Combating Cybercrime in the Healthcare Industry - April 2015
Healthcare security breaches are making headlines with escalating frequency. Consequently, the need to safeguard personal health information (PHI) and other nonpublic data looms more urgent with each passing day. Yet, healthcare organizations are unable to respond. They’re currently starved of cash, thanks largely to declining Medicare and insurance reimbursements as well as the growing trend to pay by results rather than pay by procedures.
While recent developments shine an unsettling public spotlight on healthcare crime, to security experts in the industry, the concern goes far deeper than the mainstream news. A vast number of breaches aren’t even reported. In fact, 80 percent of medical record thefts remain unnoticed for months, and sometimes years, according to Cisco® Security healthcare expert Richard Staynings.
CIO Barometer - Healthcare and Cybersecurity: The Pressure is on - January 2014
As major security breaches continue to top the news, governments and organizations respond with new regulations, increased oversight and stiffer penalties. Public tolerance is slipping, too. Simultaneously, increased demand for mobility and expanding supply chains, along with a desire to link IT systems to industrial control systems, adds to risk. Cybersecurity has taken center stage for healthcare CIOs, evidenced by responses to CSC’s 2013 CIO Barometer survey.
The fifth annual CIO Barometer represents the views of more than 680 IT managers, directors and officers working for organizations spread across 18 countries. For those operating in the healthcare sector, cybersecurity consistently appeared as a priority and challenge, regardless of whether the subject was innovation, management or cost.
The Cyber Threat to Healthcare - June 2013
Healthcare is undergoing a fundamental transformation in the way that the industry operates and does business. This is equally true for healthcare payers, providers and life sciences organizations. Growing regulatory requirements for payers and providers to move to electronic medical records, new coding, telehealth and telemedicine, and secure electronic communications are combining with downward price pressure from government, insurance and consumers to force all aspects of healthcare to be leaner and more efficient while at the same time more secure. “Do more with less” is the message coming from all sides.
At the same time, the life sciences and pharmaceutical industry is coming under increasing pressure as lucrative US and European patents expire or are ignored by generic manufacturers overseas, often with the support or blessing of their national governments and court systems. The re-formulation or re-branding of patented drugs has essentially been killed off, and governments in all countries are forcing down drug prices any way they can, thus eating into profits and research and development funds.
There has also been a major change in the risks that the healthcare industry faces, with a dramatic rise in cyber risk over the past few years. If you didn’t realize it, this cybersecurity risk now outweighs all other risks to the healthcare industry COMBINED!
New Healthcare, New Risks. CSC World - Spring/Summer 2013
The healthcare industry is venturing into a world of tremendous opportunity — and tremendous risk. By linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms, the industry is drastically improving healthcare for all of us. But the changes are also creating a health IT landscape fraught with security challenges.
New Data Breach Rules Have Big Impact - February 2013
The Omnibus Final Rule on HIPAA and HITECH amendments was published on January 25, 2013. It makes sweeping changes in a number of areas which, while they appear to be minor, may have a major impact not only on HIPAA “covered entities” but also on business associates and their subcontractors who may have access to, or a need to use, Personal Health Information (PHI). This white paper seeks to address only one primary change – “How does the new rule impact information security incident response and data breach notification?”
How Hospitals Can Immunize Against Hackers, CSC World Magazine - Winter 2013
Cybercrime and data breaches are among the most commonly cited worries keeping healthcare CIOs awake at night. Recent surveys show that roughly three-quarters of healthcare organizations have suffered some kind of data breach or security incident in the past 12 months.
Hospitals and other healthcare organizations need to broaden their focus on compliance and pursue a robust, integrated, enterprise-type approach to securing data and other key assets. Under the U.S. Health Information Technology for Economic and Clinical Health Act, hospitals and other organizations can be fined up to $1.5 million per year for serious security incidents.
Doing it Right - Getting a Jump on Privacy and Security - July 2012
New data sources, changing regulations, and tighter enforcement of privacy and security rules are requiring healthcare leaders to be vigilant about protecting sensitive health information. More data are coming from more sources than ever before, including remote monitoring, mobile devices, and social media. Additionally, the stakes are higher as new enforcement efforts take effect and the HIPAA audit program reaches its stride.
From Cyber Compliance to Cyber Confidence - November 2012
Cyber crime and data breaches are among the most commonly cited things that keep healthcare CIOs up at night. Given the level of preparedness that many organizations have today, this is not surprising.
Recent surveys show that roughly three-quarters of healthcare organizations have suffered some kind of data breach or security incident in the past 12 months. Among small healthcare organizations (with 250 employees or fewer), the figure is an astonishing 91%. According to the Department of Health and Human Services, over 19 million people have had their health information compromised since the breach notification rule went into effect just a few years ago.
What’s New in HIPAA Compliance: Key Steps to Completing the Meaningful Use Risk Assessment - August 2011
Privacy and security have become mission-critical for hospitals. Achieving full HIPAA compliance and satisfying the Meaningful Use Risk Assessment requirement may sound daunting, but it is very much a goal within reach.
Privacy and security have become mission-critical issues for hospital executives now that the proposed changes to the HIPAA regulations are about to be finalized and the risk assessment requirement for the electronic health record (EHR) incentive program is in full force. Organizations can no longer think of privacy and security as a set of disjointed or poorly enforced HIPAA requirements. The new requirements extend to the activities of covered entities, as well as those of their business associates, and the rules are being strongly enforced. The Office for Civil Rights (OCR) has already assumed a more active role in investigating entities that have experienced breaches and privacy incidents, in some cases issuing million-dollar-plus fines.
Microsoft MITS Compliance Planning Guide - August 2006
The Management of Information Technology Security (MITS) standard is an Operational Security Standard promulgated by Treasury Board Secretariat (TBS) that identifies a minimum baseline standard of care for IT Security within the Government of Canada (GoC). All GoC departments and agencies must comply with MITS by December 2006. This Microsoft MITS Compliance Planning Guide is designed to help IT managers and other key stakeholders within the GoC understand how Microsoft products and services can help them comply with many of the mandatory requirements identified in the MITS standard.
Microsoft Regulatory Compliance Planning Guide - June 2006
The Regulatory Compliance Planning Guide helps you understand what you need to do to comply with various regulations. The guide shows how various regulations drive specific requirements for specific IT controls. The guide also shows the Microsoft software and solutions that can help address those control requirements. This guide covers a variety of regulations, including the ever-popular Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and European Union Data Protection Directive (EUDPD).