The Latest News on Security, Privacy & Compliance
The industry has seen a lot of activity over the past few weeks as the year wraps up. This month's newsletter includes: 
  • A message to healthcare vendors about the importance of security
  • A podcast addressing recent activity across the industry, including recent OCR enforcement and an outlook for 2016
  • A new infographic that highlights the benefits of having a CISO and reviews the evolving role of the CISO
  • A special announcement about David Holtzman, VP of Compliance at CynergisTek
  • The importance of two-factor authentication
  • FBI alerts to two separate hospitals about cyberattacks that caused breaches

Please email us if you have any questions or would like us to cover different topics in the next newsletter. 
Message to Healthcare Vendors: It's Time to Think Security

Mac McMillan recently moderated a panel discussion at the HIMSS Privacy & Security Forum in Boston and asked some of the country's top hospitals how they handle issues relevant to their business associates. "It's been three years now that it was hopefully made clear to them that they have responsibility," said Mac. "They're not necessarily embracing that responsibility. How do you fight that and what are you doing around vendor management?" All of the panelists agreed it is a complicated pain point, and each explained their approach, ranging from standard contract terms and third-party assessments to being selective when choosing a vendor. They all agreed that vendors are much more marketable if they can demonstrate security, yet many cannot.

Podcast: Privacy & Security Updates and Outlook

In this podcast, Mac McMillan of CynergisTek and Marianne McGee of HealthInfoSecurity.com discuss OCR's recent HIPAA enforcement and the future of enforcement for non-compliance. They also discuss trends the industry can anticipate for 2016, and they conclude with some of the biggest challenges that keep the industry up at night, such as hacking and insider access.

David Holtzman Named as Top 50 HIT Expert

CynergisTek is proud to announce that David Holtzman, VP of Compliance, was named to Health Data Management's Top 50 Healthcare IT Experts list. The experts were selected for sharing their knowledge with the industry. David was featured among several other prominent healthcare IT leaders, including John Halamka, CIO, Beth Israel; Karen DeSalvo, National Coordinator for Health Information Technology, Office of the National Coordinator for Health Information Technology; and Mark Dill, Director of Information Security, Cleveland Clinic.

New Infographic: The Benefits of Having a CISO

One of the fastest-growing positions in healthcare security is that of Chief Information Security Officer (CISO). Appointing a CISO brings many benefits to an organization. In fact, one study showed that organizations with an appointed CISO saw the per capita cost of a data breach drop by more than $12.

Unfortunately, only 66% of healthcare organizations currently employ a CISO, and there is often a debate about where to place the CISO within the organizational chart. Some of the benefits of having a dedicated CISO include:
  • A culture of awareness
  • Thorough risk assessment
  • Proactive security, which is more cost effective than reactive security
  • Privacy best practices
  • Business associate management

View the infographic>>

Two-Factor Authentication

With the recent hacks and the steady news that healthcare is a target, the time has come to implement two-factor authentication. "If you're relying on passwords to protect information or to protect access, you've already lost the battle," said Mac McMillan. "We're fast approaching a time where the threat is such that we have to do something better than user name and password. Two-factor authentication makes it 10 times harder for the bad guys to do something."

Read this article>>

FBI Alerts Two Hospitals of Cyberattacks

Recently the FBI has twice had to alert hospitals that they were the victims of a cyberattack. First, the FBI notified Owensboro Health of "suspicious network activity involving third parties". Upon notification the hospital investigated and discovered a breach. Mac McMillan suggests anti-malware solutions and points out that "most keystroke logging software can be stopped before it's installed or quarantined and eliminated quickly". Then on December 8, MaineGeneral Health announced a breach that was also first detected by the FBI. In this incident the FBI alerted them "of the detection of certain MaineGeneral data on an external website, which is not accessible by the general public."

These two incidents demonstrate how important it is to ramp up cybersecurity and breach detection rather than rely on others to detect the breach. Mac McMillan suggested that the industry needs to recognize it is in a fight with capable adversaries and cyber criminals, and that it is time to enhance its security posture, in particular its ability to detect anomalous behaviors and known bad actors.

Upcoming Educational Events

CynergisTek executives are speaking at several conferences in early 2016, such as MUSE and HIMSS. CynergisTek is also providing several free HIPAA Privacy and Security Workshops across the nation. Click here for more details on all upcoming educational events.

Want a printable version of this month's newsletter?