Is “Sorry” Good Enough? Insights from UHG’s Change Healthcare Testimony

On Wednesday, May 1, Andrew Witty, CEO of United Health Group (UHG), appeared before two congressional committees to discuss the recent Change Healthcare Breach. Mr. Witty expressed deep regret for the significant disruption the incident caused throughout the healthcare sector. During his testimony, he provided insight into how the attack happened, evaluated United Health Group’s […]
Congressional Scrutiny of Healthcare Cyber Risks

On April 16th, healthcare industry leaders gathered in Washington, DC to testify to the Energy and Commerce Health Subcommittee on the topic of “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.” The insights these leaders shared around the sector-wide risks facing healthcare and the potential steps forward to address them were […]
Charting a Wellness Plan for Healthcare Cybersecurity

The journey to cybersecurity resilience in healthcare is not a solo endeavor. It requires coordination among several pivotal organizations. At the heart of this collaborative effort is the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), a team designated by the U.S. government as a critical infrastructure advisory council. The HSCC CWG exemplifies a […]
How to Successfully Navigate HIPAA Cybersecurity Requirements

In a world where technology evolves faster than we can say “cybersecurity,” one might wonder if the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is still relevant. Surprisingly, it’s not just relevant; it’s an unsung guardian of our healthcare data. Compliance with HIPAA is essential for healthcare organizations to maintain data security and […]
The Evolution and Impact of NIST CSF 2.0

NIST, or the U.S. National Institute of Standards and Technology, is at the forefront of the evolving realm of cybersecurity. Their goal is to provide recommendations that can be used as guideposts for industry best practices and more efficient ways of working. However, cybersecurity is notoriously difficult to build standards around because the threat landscape […]
How the 405(d) Program and Task Group is Helping Healthcare Security

Healthcare organizations continue to be prime targets for malicious actors. OCR data in a recent Health IT Security article showed more than 127 breaches reported so far in 2022 had impacted over 6 million individuals. In addition to increased threats, the healthcare industry has the highest cost per incident at $9.23 million, up $2 million […]
How Proposed 2021 HIPAA Changes Will Affect Your Healthcare IT

On January 21, 2021, an important development in cybersecurity news was released. The United States Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) issued Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act […]
Recommendations on NIST Resource Guide

Fortified recently responded to an opportunity from NIST to comment on the utility of NIST Special Publication (SP) 800-66, Revision 1, commonly referred to as the Resource Guide. The Resource Guide and other industry standards are critical to our clients' success in safeguarding electronic protected health information (ePHI) and personally identifiable information (PII). […]
Is Electronic Protected Health Information (ePHI) Getting Outside Your Healthcare Organization?

Under HIPAA regulations, health information or data that can be used to identify an individual patient is categorized as protected health information (PHI) and must undergo a wide range of practices explicitly designed to protect patient confidentiality. Covered entities must implement processes and controls to ensure confidentiality, integrity, and availability of physical PHI and electronic […]
Benefits of Continuous HIPAA Analysis

The HIPAA Security Rule Administrative Safeguards includes requirements that covered entities “implement policies and procedures to prevent, detect, contain and correct security violations.” This standard requires both Risk Analysis and Risk Management. The Risk Analysis implementation specification requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the […]