Data Breach Today Podcast

Join Matthew Radcliffe & Rob Sebaugh - as we explore how to fix security gaps in privacy for healthcare organizations.

What are the key elements of a successful identity security program, and what are common pitfalls organizations experience when launching one? SailPoint healthcare experts Matthew Radcliffe and Rob Sebaugh detail myths and realities of today's cloud-based identity security deployment strategies.

How can CISOs put the cyberthreat intelligence data they receive into practice? Kunal Sehgal, former director of global cyber resilience at Standard Chartered Bank, discusses how different industries use cyberthreat intelligence and explains misconceptions about sharing information.

At-home fitness gear and other connected health devices pose growing potential security and privacy risks not only to the health data of consumers, but also to the environments in which individuals use these products, says Ondrej Krehel, CEO of cybersecurity and digital forensics firm LIFARS LLC.

Ransomware, phishing, extortion scams - they all are popular now with COVID-19 themes. But socially-engineered attacks were already on the rise before the pandemic, say Olesia Klevchuk and Nishant Taneja of Barracuda. They share insight on the evolution of cloud-based email defenses.

Enterprises globally are suddenly challenged to support and secure the largest remote workforce in history. Michael Goldgof of Barracuda shares insight on how to scale up this capacity securely, maximizing existing tools.

Cloud maturity and confidence are growing, but security leaders are still reluctant to host highly sensitive data in the cloud. These are findings of a new Barracuda Networks survey. Chris Hill and Gemma Allen of Barracuda explore the results and what they mean.

"Zero trust" is arguably the cybersecurity buzzword of 2019, but what exactly does it mean? Jack Koons of Unisys provides his perspective.

To prepare to comply with Australia's new breach notification law, which goes into effect in February, organizations should start reviewing their cybersecurity posture and incidence response mechanisms, says Leonard Kleinman, RSA's chief cybersecurity advisor-APJ.

From ransomware to targeted social engineering attacks, the threats to healthcare entities have changed enormously. Isn't it time for healthcare's cybersecurity strategy to change, too? That's the premise of Optum's Aaron Rinehart.

Why is the Asia-Pacific region lagging far behind Europe and the United States in detecting data breaches? Rob van der Ende, vice president at FireEye's Mandiant, analyzes the results of the firm's new M-Trends Report 2016 for the Asia-Pacific Region and pinpoints breach detection shortcomings.

Because hackers often find a way to stick around or repeat their network intrusions after remediation efforts are completed, organizations need to ramp up their "continuous detection" efforts, says security expert Wendi Whitmore of CrowdStrike.

Data security expert Kate Borten, a former CISO who's a featured speaker at the June 11 Healthcare Information Security Summit in Boston, warns healthcare organizations against overlooking key data protection steps.

As the next wave of medical school graduates begins clinical training at healthcare organization across the U.S., it's critical these new clinicians be prepared to protect patient privacy, says healthcare attorney and professor Julie Agris.

Massive breaches, such as the recent hacker attack on health insurer Anthem, highlight why it's important for organizations to understand their breach notification obligations under state laws as well as HIPAA, says attorney Brad Rostolsky.

The recent hack attacks targeting Sony Pictures and the U.S. Postal Service illustrate why all organizations - and not just healthcare entities - need to make safeguarding health-related information a top priority, says attorney Susan A. Miller.

Because the healthcare sector is a growing target for cybercriminals, organizations must implement security practices that look beyond HIPAA compliance and also address business associate risks, says risk management expert Kenneth Peterson.

By bundling insecure Web, network, cloud and mobile interfaces, and rushing to market, Internet of Things device makers are compounding the breach risks facing consumers, warns HP's Daniel Miessler.

The EU is expected to approve in October an updated data protection law that spells out uniform breach notification requirements, security expert Jacky Wagner explains. The measure would apply to any business that targets Europeans.

To help prevent data breaches involving business associates, healthcare organizations need to develop vendor management programs with razor-sharp requirements, says risk management expert Rocco Grillo.

Healthcare organizations are becoming a bigger target for cybercriminals because so much more clinical and financial information is now stored in potentially vulnerable information systems, says security expert Mac McMillan.

In the wake of the Target breach, the University of Pittsburgh Medical Center has ramped up Internet monitoring to detect early if the organization is a target for attacks, says John Houston, UPMC's security and privacy leader.

Healthcare organizations can take several key steps to help avoid the scrutiny of their state's attorney general and defend against possible class action lawsuits in the aftermath of data breaches, says privacy attorney David Navetta.

The ongoing epidemic of health data breaches involving unencrypted laptops demonstrates why many healthcare organizations need to conduct more meaningful risk assessments, says security expert Dan Berger.

The healthcare industry is becoming a bigger target for cybercriminals, so cyber-attack drills planned for this year are an important step toward identifying security best practices, says Ray Biondo, CISO of insurer Health Care Service Corp.

Providing patients with more transparency into who's electronically requesting their health information can not only improve data privacy, but also help patients catch record errors and ID theft, says David Staggs, a participant in a new pilot.

Despite the new instructions on breach notification in the HIPAA Omnibus Rule, there's still plenty of uncertainty about what constitutes a "compromise" of data that triggers notification, says privacy attorney Adam Greene.

Under the HIPAA Omnibus Rule, security incidents are presumed to be reportable data breaches unless healthcare organizations demonstrate through a four-factor assessment that risks are low, explains privacy expert Kate Borten.

Kathryn Marchesini, a privacy adviser at the Office of the National Coordinator for Health IT, outlines the three most important steps healthcare organizations should take to avoid breaches of information on mobile devices.

Thor Ryan, chief security officer at the Alaska Department of Health and Social Services, offers lessons learned as a result of his organization's $1.7 million settlement following a HIPAA compliance investigation triggered by a small breach incident.

The UK Information Commissioner's Office has released a new security guide for small and midsized businesses. Simon Rice of the ICO discusses the guide and how to use it to avoid being breached.

Georgia Tech Research Institute is beta testing a malware intelligence system that research scientist Chris Smoak contends will help corporate and government security officials share information about the attacks they confront.

One of the biggest mistakes companies make after a major data breach is communicating with the news media, consumers and others before all the facts are clear, says attorney Ronald Raether.

An omnibus package of regulations that includes a final version of extensive HIPAA modifications, which have been pending since 2010, as well as a final version of the HIPAA breach notification rule has moved one major step closer to completion.

Because winning the support of CEOs for any new project requires demonstrating a return on investment, information security professionals need to more precisely quantify the potential payoff of their suggested spending on technologies and training, according to a new report.

High-profile class action lawsuits filed in the wake of major health information breaches will prove to be a strong catalyst for ramped up data security, a panel of attorneys says.

One reason why encryption is not more broadly used in healthcare is that so many organizations lack an updated risk assessment that identifies the role the technology can play in preventing breaches, says attorney Amy Leopard.

The first step toward avoiding a data breach: Be aware of and learn from other organizations' mistakes. Listen to hear attorney David Szabo's top three tips for breach prevention and detection.

Notifying patients about a healthcare information breach requires a "difficult balancing act" by entities to ensure that risks are not exaggerated, says attorney Robert Belfort, an expert in HIPAA compliance, fraud and abuse.

One good way to prepare for a HIPAA compliance audit is to read a recent government report that identified vulnerabilities that could lead to breaches, says attorney Timothy McCrystal.

One good way to prepare for a HIPAA compliance audit is to read a recent government report that identified vulnerabilities discovered in seven audits, says attorney Timothy McCrystal.

The ongoing delay in the release of final versions of HIPAA modifications and the HIPAA breach notification rule makes it more difficult for healthcare organizations to set information security investment priorities, says hospital privacy officer Kari Myrold.

Ron Kloewer, CIO at 25-bed Montgomery County Memorial Hospital, explains why the critical access facility's spending on information security will grow in 2011.

Staff training, aggressive breach prevention efforts and strong sanctions for violating policies are key to creating a corporate culture that values privacy and security, says Alan Dowling, the new CEO of the American Health Information Management Association.

Healthcare organizations need to improve the methods they use to objectively assess the severity of a security incident and whether it should be reported, says David Parks, a privacy officer and attorney.

When it comes to managing relationships with business associates to help with HITECH Act compliance, healthcare organizations could learn some lessons from the banking industry.

Interview with Christopher Hourihan, manager, development and programs, Health Information Trust Alliance

Interview with Kathryn Roe of The Health Law Consultancy