Healthcare Information Security Podcast

Physician credentialing and healthcare billing are two areas that can be dramatically improved by using AI technologies, said Harman Dhawan, CEO and founder of Bikham Healthcare, a revenue cycle management services firm that is applying AI to its services offerings.

Connected health devices - ranging from health gadgets and applications used by consumers to IoT devices used in healthcare settings - raise numerous security and privacy issues that must be addressed, according to attorney Justin S. Daniels and consultant Jodi R. Daniels.

Several critical security vulnerabilities in the firmware of control panels powering current models of pneumatic tube system stations made by Swisslog Healthcare could allow attackers to gain control of targeted hospitals' tube networks, says Ben Seri of the security firm Armis, which discovered the flaws.

The framework for how cyber insurance policies are designed for healthcare sector organizations is evolving, especially as more entities experience "high impact" ransomware incidents, says former healthcare CISO Sumit Sehgal.

The U.S. government should more closely collaborate with Big Tech companies to better respond to the surge in ransomware attacks and other cybercrimes hitting healthcare and other sectors, says crisis management and investigations attorney Bill Moran.

Evolving ransomware attacks pose a growing threat to the integrity of electronic health records, says Michael Hamilton, CISO at the security firm CI Security, who calls for heightened attention to EHR security.

A recent Supreme Court ruling in a Facebook case offers important lessons to the healthcare sector, says regulatory attorney Paul Hales, who describes the case and its implications.

Attackers targeting the healthcare sector are frequently exploiting unprotected internet-facing databases and unsecured network devices, including "shadow IT," says David Sygula, a senior analyst at the security firm CybelAngel.

Third-party software component vulnerabilities in medical devices are among several cyber-related health technology hazards posing significant risks to healthcare entities and their patients, say researchers Chad Waters and Juuso Leinonen of ECRI, a not-for-profit patient safety organization.

Recently released NIST guidance aims to help healthcare providers better address the security risks posed by picture archiving and communication systems. Michael Holt, a contributor to the document, describes how to put the guidance to use.

Many organizations that are relying on network segmentation to secure connected medical devices are making mistakes that put the devices, data and networks at risk, says Daniel dos Santos, research manager at Forescout Technologies.

Two key elements of building an effective incident response plan for ransomware attacks are strong asset management and accurate data classification, says security consultant David Chaddock.

If they were offered a substantial monetary payment or they faced certain challenging circumstances, some of those planning to enter the healthcare field admit they'd be willing to unlawfully obtain and disclose patient information, says Chul Woo Yoo, co-author of a recent study by three universities.

Healthcare provider organizations, pharmaceutical companies and medical device manufacturers all must take critical security steps to avoid becoming victims of data breaches during the COVID-19 pandemic, says technology attorney and former physicist Phil Crowley.

To ensure data integrity and patient safety, healthcare organizations must tackle a number of medical device security challenges, ranging from asset management to patching, says security expert Evan Francen, who offers tips.

Implementing robust access controls in healthcare settings can be particularly challenging for several reasons. But Fisher-Titus Medical Center is making progress in strengthening authentication and other security controls, says Peter Jacob, the hospital's manager of IT operations.

The recent string of hacker attacks in the healthcare sector is a reminder of the need for organizations to re-assess whether they're following best practices to secure remote access to sensitive data, says security expert Gary Glover.

After helping a hospital to pass an audit that assessed compliance with requirements of the HITECH Act "meaningful use" electronic health record incentive program, CISO Mitch Stewart offers this audit prep advice: Beef up your risk assessment.

Many covered entities aren't taking the steps needed to reduce the risks involved when business associates access protected health information, says attorney David Holtzman, who analyzes results of the Healthcare Information Security Today survey.

Although it's been about 18 months since the HIPAA Omnibus Rule went into effect, many healthcare organizations are still struggling to comply with certain provisions, says security expert Tom Walsh.

Florence Comite, M.D., a pioneer in the evolving practice of "precision medicine," describes what's needed to protect patient privacy as more genetic and other sensitive data is collected about individuals to personalize their care.

Application security, especially for medical devices, needs to be a higher priority because vulnerable apps can create patient safety issues, expose patient information and raise the risk for ID theft and fraud, says security specialist Mike Weber.

As federal regulators plan to resume random HIPAA compliance audits in 2015, organizations should prepare by conducting their own mock audits, advise attorneys Alisa Chestler and Donna Fraiche.

It's time to consider amending the HIPAA Privacy Rule to enable the sharing of certain research data, without patients' authorization, to help improve the quality of care, contends Douglas Fridsma, M.D., a former federal health IT leader.

Despite substantial concerns about privacy and security, a large majority of U.S. consumers support the use and exchange of electronic health records by their healthcare providers, say Office of the National Coordinator for Health IT researchers.

A new alliance is promoting software specifications, including patient ID matching, that could help propel secure national exchange of health data, says David Whitlinger, who's a leader of the effort.

A Connecticut Supreme Court ruling paving the way for a case involving accusations of negligence stemming from an alleged violation of HIPAA privacy standards could potentially have an impact on data breach cases, the plaintiff's attorney says.

Offering HIPAA compliance refresher training to hospital staff members is urgent, says privacy attorney Brad Rostolsky, because of the risks that could come with treating patients infected with Ebola.

Although compliance with new FDA guidance recommending that medical device makers bake cybersecurity into the design of their products is voluntary, the guidelines likely will become de facto standards, says privacy attorney Ellen Giblin. Find out why.

While the security of the HealthCare.gov website has improved, and the next open enrollment for Obamacare will go more smoothly, there's still plenty of work to be done, says Curt Kwak, former CIO of the Washington state health insurance exchange.

HIPAA attorney Brad Rostolsky expects to see a ramping up of federal investigations concerning the inappropriate sale of protected health information for marketing purposes. Find out why.

Healthcare providers that decide to accept consumer-generated health or fitness data from wearable devices, such as the upcoming Apple Watch, need to develop a plan for protecting the privacy of that information, says privacy attorney Scot Ganow.

Healthcare data breaches, such as the recent hacking incident at Community Health Systems, point to the need to improve data governance programs, say two security experts, who offer breach prevention insights.

Healthcare organizations can't afford to procrastinate in thoroughly documenting their HIPAA compliance efforts because the restart of federal audits is looming, security expert Tom Walsh warns.

Compliance attorney Betsy Hodge discusses the last remaining HIPAA Omnibus deadline that's quickly approaching for covered entities and business associates, and the impact of the final rule nearly one year after its enforcement began.

When patient data is used for secondary purposes, such as research, it must be de-identified. But is this process consistently reliable in protecting patient privacy? Two experts describe the challenges.

A new study of hospitals shows that, in general, those that routinely use EHRs don't submit higher claims for insurance payments than institutions that have yet to adopt EHRs, says researcher Julia Adler-Milstein.

BYOD poses some of the biggest privacy and security risks facing the healthcare sector, but the efforts of the new IBM/Apple alliance could help address concerns about using personally owned mobile devices, says IBM's Dan Pelino.

Sorting through the privacy issues involved when giving patients access to their healthcare records via a Web portal is a challenging task, says federal adviser Micky Tripathi, who outlines some of the key issues involved.

Since leaving the Office of the National Coordinator for Health IT, Farzad Mostashari has launched a new entity to help independent physicians and small practices form accountable care organizations.

Taking steps to ensure patient privacy is protected as more records are exchanged among provider organizations will be a top challenge for ONC's next chief privacy officer, says the office's outgoing privacy chief, Joy Pritts.

Healthcare organizations that base their information security programs on HIPAA compliance are making a major blunder, says security consultant Brad Keller, who explains why that strategy is short-sighted.

A critical step in the successful implementation of role-based access control at healthcare organizations is first committing to do time-intensive prep work, says security expert Christopher Paidhrin of PeaceHealth.

CIO John Halamka, M.D., a well-known blogger, says information security accounts for about half of his work at Beth Israel Deaconess Medical Center. He explains why that's the case and discusses a variety of projects, including a test of Google Glass.

Healthcare organizations and their business associates should take a number of crucial steps to prepare for potential breach investigations and HIPAA compliance audits by the Department of Health and Human Services, HIPAA expert Reza Chapman says.

One of the biggest misunderstandings about the Heartbleed bug in the healthcare sector is that it only affects websites and Web servers. In fact, medical devices are also at risk for the vulnerability, says security expert Mike Ahmadi.

Business associate agreements should not be a dumping ground for healthcare entities to make demands on their vendors with provisions that go beyond specific HIPAA privacy and security regulations, says attorney Gerry Hinkley.

As 10 regional health information exchanges in New York become interconnected into a statewide network, consistency in core privacy and security policies is proving essential, says David Whitlinger, executive director of the statewide initiative.

Although access to electronic health information is expanding to more users, including patients, many healthcare organizations are still reluctant to use advanced methods of authentication, says Jeff Cobb, CISO at Capella HealthCare.

While the 2014 Healthcare Information Security Today survey indicates more healthcare entities are performing HIPAA security risk assessments, smaller providers and business associates are still struggling with this task, says security expert Kate Borten.