Podcasts about ephi

  • 25 podcasts
  • 43 episodes
  • 34m average duration
  • 1 new episode per month
  • Latest: Jan 17, 2025


Latest podcast episodes about ephi

Help Me With HIPAA
HIPAA Security Changes Are Here: We Saw This Coming - Ep 492
Jan 17, 2025, 56:43

Hold onto your compliance hats—big changes are brewing for HIPAA's Security Rule! The Notice of Proposed Rulemaking (NPRM) is officially out for public comment, and it's clear HHS and OCR are on a mission to modernize and tighten the safeguards for electronic protected health information (ePHI). From clarifying risk analysis expectations to making security requirements less, well, “vague,” these updates aim to bolster patient safety and data protection while keeping pace with today's tech-driven world. But with great updates come great responsibilities for covered entities and business associates alike, so now's the perfect time to weigh in and help shape the final rule before it's set in stone. More info at HelpMeWithHIPAA.com/492

Rosenfeld Review Podcast
Rock Climbing and Security UX
Dec 2, 2024, 34:16

Just as a rock climber meticulously checks their gear and follows strict safety protocols to navigate treacherous heights, security UX professionals must also anticipate risks and design safeguards to ensure a smooth and safe journey for users in a digital landscape. In Lou's interview with Heidi Trost, author of Human-Centered Security: How to Design Systems that are Both Safe and Usable, Heidi highlights the critical safety protocols climbers and belayers follow, which mirror the precautions needed in system design to mitigate human error and anxiety. This analogy sets the stage for a broader discussion on security user experience challenges. Heidi stresses the necessity of cross-disciplinary collaboration, especially when dealing with sensitive data like personally identifiable information (PII) and electronic protected health information (EPHI). She points out how involving legal and security teams early can streamline projects and improve outcomes. Designers, as facilitators, must bridge the gap between complex security concepts and user comprehension. Heidi's book helps them do this by using personas to understand how the dynamic between users, security UX, and threat actors shapes. Lou and Heidi's conversation explores the evolution of multi-factor authentication (MFA) and its unintended consequences. What started as a simple 6-digit code morphed into a troublesome fatigue for users. Heidi underscores the importance of iterative design to adapt to these evolving challenges, likening the chaos of security interactions to a relentless ping-pong match. As they look ahead, Louis and Heidi discuss the rapid evolution of AI in security contexts, emphasizing the balance between technological advancement and user protection. With AI assistants poised to know more about individuals than ever, designers must remain vigilant to prevent potential misuse. Their conversation is an invitation for professionals to rethink how they approach security UX and design, encouraging a proactive stance in this ever-changing landscape.

Hälsa för ohälsosamma
135. Preventive health: a paradigm shift
Nov 7, 2024, 57:30

Private health tests can prevent illness and save billions, says Werlabs CEO Henrik Forsberg in today's episode. We also find out how Henrik Jönsson is really doing and who at EPHI has the lowest blood pressure.

The Dental Marketer
MME: The FBI's Warning and Tips to Protect Your Email Inbox | Reuben Kamp
May 20, 2024

Have you ever considered how vulnerable your practice might be to a cyberattack? In this episode, Reuben and I delve into the alarming issue of cybersecurity threats targeting the dental industry. With recent warnings from the FBI about credible threats, it's clear that dental practices need to take cybersecurity seriously. We explore the potential consequences of these threats, the crucial need for comprehensive security awareness training for staff members, and essential steps to prevent email-based attacks. The conversation goes in-depth into why using Microsoft 365 for enhanced email security is a game-changer for dental offices. Reuben also discusses the importance of working with IT experts to set up robust cybersecurity measures. Whether you're a dental professional or someone concerned about the security of sensitive patient information, this episode offers loads of practical advice. Don't miss out on this vital information that could protect your practice from devastating cyber attacks.

What You'll Learn in This Episode:
  • What are the credible cybersecurity threats currently targeting dental practices?
  • Why is security awareness training crucial for dental office staff?
  • What steps you can take to prevent email-based threats
  • How Microsoft 365 can enhance your dental practice's email security
  • Why should dental practices consider consulting IT companies for cybersecurity solutions?

Take action today to secure your dental practice's email communications and protect sensitive patient information!

Sponsors: For DSO integrations, startup solutions, and all your dental IT needs, let our sponsors, Darkhorse Tech, help out so you can focus on providing the amazing care that you do. For 1 month of FREE service, visit their link today! https://thedentalmarketer.lpages.co/darkhorse-deal/

You can reach out to Reuben Kamp here:
Website: https://www.darkhorsetech.com/
Email: sales@darkhorsetech.com
Phone: 800-868-4504
Facebook: https://www.facebook.com/DarkhorseTech

Mentions and Links:
Businesses/Services: Henry Schein, Aspen Dental
Organizations: HIPAA, FBI, Change Healthcare, UnitedHealthcare
Software/Tools: Dentrix, Eaglesoft, Open Dental, ChatGPT, Outlook, Microsoft 365, G Suite
People: Bill Gates

If you want your questions answered on Monday Morning Episodes, ask me on these platforms:
My Newsletter: https://thedentalmarketer.lpages.co/newsletter/
The Dental Marketer Society Facebook Group: https://www.facebook.com/groups/2031814726927041

Episode Transcript (Auto-Generated - Please Excuse Errors)

Michael: Hey, Ruben. So talk to us. What's happening right now? For this Monday morning episode, we're going to be talking about something specific when it comes to security. What's going on?

Reuben: Emergency pod. First of all, emergency pod, Michael.

Michael: All right.

Reuben: You know, those, uh, those sirens on Instagram are overused, but in this case it does apply. FBI warns of credible cybersecurity threats to the dental industry. That's why we're talking today.

Michael: Okay. So what's happening? This happened. One of the articles we're looking at is on May 8th, so like not less than a week ago, less than a week, a couple of days ago, something's going on specifically with this cyber security threat. To all dental practices everywhere in the nation, or...

Reuben: Yeah, so it has morphed into that over the last few days. So basically, uh, the FBI was monitoring, uh, a hacking group connected to Change Healthcare, connected to UnitedHealthcare, connected to Henry Schein, connected to Aspen. You know, all these groups have obviously made the headlines in the last, uh, year or so, uh, Change Healthcare obviously being, uh, most recent. They were actually investigating a threat because they were attacking the plastic surgery market. And then they shifted their focus to oral surgery. And that's kind of, that was the, the splashy update from last week, right? May 6th, May 8th. And now the FBI, uh, FBI is basically saying general dentistry is now being targeted as well. So, see, it went from outside the dental industry to a dental, you know, specialty. And now the majority of dental practices out there are, uh, actively being targeted.

Michael: So then a couple of things. I mean, we obviously want to know what to look out for, but what's the consequences here? If let's just say we did end up accidentally doing something that we weren't supposed to do, like opening up an email or clicking a specific link, you know, stuff we don't really know.

Reuben: Yeah. Let's go all the way to the end: it's you're bankrupting the practice, right? We go back one step, that is, you know, uh, the overwhelming majority of practices that suffer a cybersecurity attack go out of business. All right. So we're starting at the end, we're working backwards. So that, that means you, or if you are a doctor or a staff member, you clicked on, a staff member clicked on it, an email, a link that downloaded a payload to your office, right? Ransomware is, is most of what we're talking about here. And that ransomware, let's say you're running Dentrix or Eaglesoft, Open Dental, one of these, uh, you know, server-based practice management softwares, that ransomware was able to embed itself into your practice management software, right? Patient health information, uh, x-rays, uh, social security numbers, medical history. You know, all the stuff that we call protected health information or EPHI, electronic protected health information, and they get that data and they exfiltrate it or take it out of the office, that is a breach, which then feeds me into most practices that go through a breach go out of business, and then you're, you're no longer an owner of a practice, you're an associate at another practice. I guess that is actually the last step. And that is why this is so important, is because it's so darn easy to protect yourself from this happening. But only 6 percent of the dental offices out there are HIPAA compliant. So hackers go, wow, we have a 94 percent chance of getting into this office. Thank God. But, and that's why, honestly, it's like dentists and the, the only really industry less compliant than dentistry, you guys can make fun of them, is chiropractors. So, hey, those are the industries that, that are gone after because of the lowest hanging fruit. If you have dogs at your house, and Michael, you know, I have, you know, 10,000 dogs that live with me, a robber does not want to come rob my house, because they're going to be attacked by a bunch of dogs. They want to attack the house that the owners are on vacation, there's no animals, it's dark, you know. They are opportunistic just like any other profession. So that is why they're going after the dental industry specifically.

Michael: Gotcha. Something you mentioned, man, where you said staff members click on it. I think the most common thing. I mean, one of the practices I worked at, the actual doctor clicked on it and ended up paying. But like with, when it comes to the staff members, do they need to receive specific training for this? Or...

Reuben: Yeah, we call it security awareness training or SAT for short. Uh, not to be confused with the test that is, it is coming back now. Turns out it's a great predictor if you're going to be okay at college, um, I digress. So basically security awareness training trains your staff, who, you know, you got to give it to them. They're busy. They're on phone calls. There's patients in front of them. They're scheduling, their billing, they're checking people out. There's a lot going on. So you kind of have to, you know, if they do have an email come through and it looks like it's from UPS, or it looks like it's, you know, from a credible source and they don't, they don't have their guard up and they click on it, it's really hard to come down on that person, right? You're expecting a lot out of them. And, and, and also, you know, be, have your, you know, your hat on, your cyber hat on and be vigilant at all times. So it's really important that you set up like, let's not do a free Gmail account, right? That has no security protection. It's really important that you have an email system. I recommend Microsoft 365 for all businesses that will stop those emails from coming in to begin with, because it never made it through the spam filter. Right. Uh, the phishing filter. So what's it worth that your staff doesn't even have to see that email? That's worth a lot, right? And then secondarily, let's say it is something that's more sophisticated, right? AI is obviously playing a huge role in these emerging threats because it's no longer, you know, Prince of Nigeria asking you for money who doesn't speak good English. It's like a perfectly crafted email that's written by, uh, Beauty. So what security awareness training does is it, uh, it's a campaign. So like, if I set this up, I'll randomly send out emails to your employees, right? If they click on a message that they shouldn't have, they are forced down the training loop of, okay, you have to go to school to realize like, what does a real email look like? You know, is this an external sender? Is it an internal sender? So it really, it's just another, uh, training element, but you know, we're in the prevention business, right? I don't, I don't want to clean stuff up. I want to play defense. I want to block stuff from happening. And of course the client wants that too.

Michael: Gotcha. Okay. So then right now, what steps can we do or what to look out for? What can we look out for? What steps can we do when it comes to preventing this threat that's happening today?

Reuben: Absolutely. And I'm going to focus on email because that is, the FBI is, the warning is specifically tied to email. It's the easy, again, we talked about ease of access. The easiest way to get into a business is to send someone email. I can send Bill Gates an email right now. Right. It doesn't matter. I have his email. It gets sent to him. And so there's hundreds, thousands of practices out there that use friendlysmiles@gmail.com. So the call to action is sign up for a Microsoft account. It's going to do two things. One, uh, it's going to give you that increased protection we talked about. Two, it's more professional, right? It's more professional to receive an email, not from friendlysmiles@gmail.com, but office@friendlysmiles.com, right? You're using your domain name tied to your website. It's professional. Maybe you have a signature. It just gives your, the people you're communicating with, patients, staff, labs, an air that, you know, you are a professional business. So, it doesn't just have to be for cybersecurity. It can be to kind of raise your professionalism as a business.

Michael: Gotcha. So get that first. Microsoft three, six, five.

Reuben: Microsoft 365. It's a, it's a suite of products, right? We use Microsoft 365 for Open Dental cloud hosting, but we also use Microsoft 365 for email, for Microsoft Teams, for OneDrive. So there's a lot to it, but we're really specifically talking about email, or some people refer to it as Outlook, which is a specific email product that Microsoft offers. Okay.

Michael: Okay. So we do that. Next steps. Would that be the only step or that's it?

Reuben: We're only going to focus on protecting yourself from the credible threat from the FBI. We can have an hour long about all the other stuff you need to do, but please, the takeaway from this is really bolster your email security.

Michael: Gotcha. Okay. So get that. So if we have it already, we don't got to worry about...

Reuben: IT company, check it. Your IT company, check it out. Ask them a question. Hey, am I doing what I need to do? If you don't have an IT company, I run one. I can help you out, but there's a lot of companies out there. So, either, you know, if you have an incumbent IT company, just reach out to them, say, hey, can you guys get me set up with this? Or hey, I'm running this. Is there anything better we can do? Cause there are some nuances there that are a little technical, but you know, you as the, uh, you as the client really shouldn't really have to worry about setting that up.

Michael: Gotcha. Awesome, man. Any other pieces of advice you wanted to mention in this episode?

Reuben: The FBI got involved, so they don't just like, uh, creep into the dental industry, uh, just cause they get bored. So this is, it's a credible threat and just, it's a great reminder to just do the, honestly, I'm just asking you guys to do the bare minimum here. It's just sign up for secure email, which is also a HIPAA compliance requirement, just. Just for the record. Yeah.

Michael: Is that the only option? Microsoft Office 365? Or we can go with another one?

Reuben: I mean, G Suite is also an option. So there is free Gmail right at gmail.com. And G Suite is Google's business version. And that, that does have a much higher level of security than the free Gmail. You do have to add, uh, an encryption element to it to make it HIPAA compliant, but I just bring up Microsoft 365 because it is the lowest expense, easiest way to do this.

Michael: Oh, lowest expense. How much is it?

Reuben: Four bucks an email.

Michael: Man. Yeah. So it's pretty easy.

Reuben: It's cheaper than G Suite. Yeah. It's, it's just, and then you don't have to worry about the whole encryption piece, uh, like you do with G Suite. So that's why I mentioned Microsoft 365, and also most IT companies have a relationship with Microsoft and they can set this up for you.

Michael: Awesome. Ruben, thank you so much for this. We appreciate it. Anybody listening, go take action right now. And if anyone has further questions, where can they reach out to you?

Reuben: Hey, sales@darkhorsetech.com. I'm all over Facebook. You can bother me on there, or 800-868-4504. Be happy to help anybody out. Thanks.

Michael: Awesome, that's going to be in the show notes below, and Ruben, thank you for being with me on this Monday morning episode.

Reuben: Thanks Michael.

Hälsa för ohälsosamma
121. Snus sales at the pharmacy
Apr 25, 2024, 46:38

Psychiatrist David Eberhard has written the report Nikotin och hjärnan for EPHI. In the podcast he explains what addiction is, how it works and when it is dangerous, and why whoever invented snus pouches deserves the Nobel Prize in Medicine.

healthsystemCIO.com
Exploring the ePHI Cyber Crisis & How to Fix It
Apr 9, 2024, 57:10

It's the dirty little secret among healthcare cyber professionals -- they don't know where all their ePHI is; not even close. And while those professionals are not to blame (healthcare workflows and, thus, data flows are messy business); they do have to get their arms around the problem. The first step? Understand it. In this unique webinar, we'll explore the results of a Ponemon study on the state of ePHI in healthcare to learn just how bad the problem is and where the data might be. Then, we'll explore ways to secure it and, in the process, hopefully give cyber professionals one less reason to be up at night. Source: Exploring the ePHI Cyber Crisis & How to Fix It on healthsystemcio.com - healthsystemCIO.com is the sole online-only publication dedicated to exclusively and comprehensively serving the information needs of healthcare CIOs.

The Regeneration Will Be Funded
Sustainability Data for Supply Chains - Ephi Banaynal dela Cruz (Context Nature)
Mar 21, 2024, 41:14

Ephi Banaynal dela Cruz is the co-founder and CEO of Context Nature. https://www.contextnature.com/

CodeCast | Medical Billing and Coding Insights
Did you know this is a HIPAA violation?
Feb 20, 2024, 13:33

In this week's episode of the CodeCast podcast, Terry discusses collecting information on medical practice websites. How you collect data on a website is equally as important as the data itself. If a patient doesn't mention a medical condition, their information may still be considered PHI. Terry covers requirements such as PHE and ePHI […] The post Did you know this is a HIPAA violation? appeared first on Terry Fletcher Consulting, Inc.

The Politics of Ending Malnutrition - Challenging Conversations with Decision Makers
Episode 6 (part 2): Niger & Ethiopia. Understanding NIPN.
Nov 29, 2023, 48:33

In this episode (No. 6, part 2), N4D interview several country actors about the National Information Platform for Nutrition (NIPN). N4D have been working closely with global and country actors over the past year as part of an evaluation of NIPN commissioned by GIZ-C4N. This innovative and highly successful programme, which is currently implemented in 9 countries, is gathering momentum with the prospect of being adapted and adopted in other country contexts.

In this podcast:

Niger: Balarabe, Mohammed and Mababou discuss how proud they are of the hard-won achievements with implementing NIPN in Niger. Key amongst these has been the systematic collation and cleaning of complex data sets, and the analysis of this data based on priority policy-focussed questions including nutrition and climate change, gender disparities and food systems considerations. They also discuss the tough decisions they have had to take and the enormous amount of collective effort to get NIPN to where it is now, as central to Niger's efforts to monitor progress with tackling malnutrition.

Ethiopia: Dr Aregash Samuel Hefebo from EPHI in Ethiopia explains why this Public Health Institute under the MoH is such a good fit for NIPN in terms of its role vis-à-vis the National Food and Nutrition Strategy and the monitoring of this strategy's implementation. She also describes the areas NIPN Ethiopia are excelling in, like the posting of metadata sets on the NIPN dashboard in a country where the data sharing culture is weak, as well as how NIPN plans to devolve to 6 regions where EPHI currently have offices.

Learn about our work and read our report about NIPN here. Visit: NIPN | GIZ | NIPN Niger | NIPN Ethiopia. Please join the debate!

Credits: Recorded, edited and published by N4D & Nutriat.co. Theme tune: Saraweto, used with kind permission of Just East of Jazz. © N4D Group 2023.

The Best Business Podcast With Daryl Urbanski
Creating a Safer Internet: How to Unleash Growth and Social Impact through Trust and Safety with Vejeps Ephi Kingsly
Nov 24, 2023, 43:29

This insightful interview features Vejeps Ephi Kingsly, an esteemed professional in the field of Trust and Safety at Genpact. With over a decade's experience and notable contributions to internet platforms around the globe, Kingsly passionately discusses building value and promoting safety in the digital realm. With a skillset honed by years of practical applications, he offers compelling insights into the intersection of technology, ethics, and social impact. Both tech enthusiasts and professionals in the field will benefit from Kingsly's thoughtful reflections and practical advice, deriving valuable lessons on navigating the digital landscape responsibly and effectively.

Here are the reasons why you should listen to the full interview:
  • Learn how to recognize the intrinsic value of understanding the fundamentals of any subject before diving into complexities, through Kingsly's eloquent analogy of a wobbly table.
  • Discover the transformative power of challenges turned into opportunities, as Kingsly compellingly articulates how to punch above your weight and maximize scarce resources.
  • Understand the importance of continuous learning and cultivating a supportive culture, as Kingsly reveals his unique philosophy on team development and individual growth.

Resources: Genpact, LinkedIn, Trustandsafetyxyz

Interview Highlights

The Significance of Understanding Fundamentals
Kingsly emphasizes the importance of establishing foundational knowledge before diving into advanced concepts like generative AI. "Fundamentals are fundamental for a reason. Without them, it's like having a wobbly table."

Maximizing Challenges into Opportunities
The conversation delved into Kingsly's approach to difficulties as stepping stones for growth and innovation. He advises individuals to leverage their capabilities and do more with limited resources. "My biggest challenges have always been opportunities."

Continuous Learning and Team Culture
Kingsly identifies continuous learning as a vital skill for personal and professional development. He also highlights the significance of a supportive team culture in shaping individual behaviors and skills. "It's more important to build an ecosystem of support."

The Impact of Market Incentives on Societal Progress
Kingsly responsively distils the complex theme of market incentives and societal progress. "In free markets, there's an incentive to be better, to be excellent."

The Yolanda and Cornelius Show
New Members Class and Teaching at Ephi
Oct 4, 2023, 32:27

This is a snippet of teaching in the New Members Class! We are growing and trying to teach those our Doctrine!

healthsystemCIO.com
Follow the ePHI – Keys to Protecting Your Most Sensitive Data
Aug 4, 2023, 54:23

Healthcare IT executives understand that the most serious risks are the ones you don't know exist. As such, it's imperative to understand where ePHI sits inside and outside the organization and, in today's complex technology environment, that can be any number of places. In this timely webinar, we'll speak to leaders who are working hard to find and follow ePHI wherever it goes so it can be guarded with the appropriate security controls. With breaches having ever more serious ramifications, this is one hour of education you can't afford to miss. Source: Follow the ePHI – Keys to Protecting Your Most Sensitive Data on healthsystemcio.com - healthsystemCIO.com is the sole online-only publication dedicated to exclusively and comprehensively serving the information needs of healthcare CIOs.

Ledarredaktionen
Is the plastic bag tax good or bad?
Mar 20, 2023, 36:59

20 March. The much-debated plastic bag tax will soon celebrate its third anniversary. Has it worked as intended? Is it a misunderstood tax? Has it had unforeseen or unwanted consequences? Andreas Ericson discusses with Åsa Stenmarck, plastics coordinator at Naturvårdsverket, Runar Brännlund, professor emeritus of economics at Umeå University, and Sofia Höglund, who has evaluated the tax for the think tank EPHI.

Group Practice Tech
Episode 308: [Risk Management] Unlocking the Mysteries and Benefits of a Risk Analysis with PCT
Feb 24, 2023, 35:45

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech. In our latest episode, we dive deep on the process of HIPAA security risk analysis in a group practice context. We discuss why risk analysis is overwhelming; reframing the way you consider risk analysis; remembering what you are doing right; the recent annual report to Congress from HHS and the Office of Civil Rights (OCR); general requirements for a risk analysis; how PCT approaches risk analysis (in 2 hours!); categories of risk; the tangible benefits of risk analysis in group practice; risk mitigation plans; and approaching risk analysis without burning out. Listen here: https://personcenteredtech.com/group/podcast/ For more, visit our website.

Resources:
  • PCT's HIPAA Risk Analysis & Risk Mitigation Service for mental health group practices -- have us perform your risk analysis and do all the heavy lifting of this foundational HIPAA requirement
  • HHS' Guidance on Risk Analysis

HHS Office of Civil Rights emphasized the need for increased compliance with the Risk Analysis requirement in the recently (2/17/2023) released Annual Report to Congress on Breaches of Unsecured Protected Health Information: "Risk Analysis. The Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate. Failures to conduct a risk analysis leave regulated entities vulnerable to breaches of unsecured ePHI as cybersecurity attacks are increasing."

Hälsa för ohälsosamma
92. A little nicotine perks you up
Feb 10, 2023, 31:28

Professor and physician Fredrik Nyström cannot help but provoke. The conclusion of his research on what happens in the body when you put a pouch of snus under your lip has been published and shows: nothing. Practically nothing happens in the body when you put a snus in your mouth. He is interviewed by EPHI's CEO Marie Söderqvist about what conclusions should be drawn from his results.

HealthcareNOW Radio - Insights and Discussion on Healthcare, Healthcare Information Technology and More
1st Talk Compliance: Employee Snooping & Insider Threats with Raymond Ribble, CEO/Founder at SPHER
Jan 24, 2023, 29:16

Host Catherine Short welcomes Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Snooping and Insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as they identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats. To stream our Station live 24/7 visit www.HealthcareNOWRadio.com or ask your Smart Device to “….Play Healthcare NOW Radio”. Find all of our network podcasts on your favorite podcast platforms and be sure to subscribe and like us. Learn more at www.healthcarenowradio.com/listen

1st Talk Compliance
Employee Snooping & Insider Threats
Jan 10, 2023, 29:16

1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats.

Ledarredaktionen
What is happening in Britain?
Oct 4, 2022 · 35:38

4 October. How is the newly appointed Prime Minister Liz Truss doing? Why did the pound plunge so suddenly? What is happening in British politics right now, and what lies ahead? Andreas Ericson discusses this with Marie Söderqvist of the think tank EPHI, together with the editorial board's Mattias Svensson and the editorial page's media columnist Janerik Larsson.

The Sunday Night Army
The Music Series: EPHI
Sep 4, 2022 · 20:19

On this episode I chat with Oakland, California indie artist EPHI about her music, her latest track SEVEN and the album “Boozy Wtrmln”.

Coffee with Coker
Episode 103: What is a Security Risk Analysis, and Why Do I Need One?
Jun 30, 2022 · 33:42

DeAnn Tucker and Roz Cordini join Mark Reiboldt to explain the need for a security risk analysis within healthcare organizations. Many organizations are missing one critical component when performing a security risk analysis. Learn what elements organizations usually miss and how to conduct a security risk analysis properly.

Podcast Information
Follow our feed in Apple Podcasts, Google Podcasts, Spotify, Audible, or your preferred podcast provider. Like what you hear? Leave a review! We welcome all feedback from our listeners. Email us questions on any of the topics we discuss or questions about issues that interest you. You can also provide recommendations on matters for future episodes. Please email us: feedback@cokergroup.com
Connect with us on LinkedIn: Coker Group Company Page
Follow us on Twitter: @cokergroup
Follow us on Instagram: @cokergroup
Follow us on Facebook: @cokerconsulting

Episode Synopsis
Did you know Health and Human Services requires an annual security risk analysis? If a breach of information occurs, OCR will request the last 2-3 years of security risk analyses to verify your organization has performed the analysis and taken steps to implement the remediation plan. Aside from the requirement, performing a security risk analysis also safeguards electronic protected health information (ePHI) by identifying potential vulnerabilities before a criminal exploits them.

Extras
Security Rule 45 CFR 164.308
Guidance on Risk Analysis Requirements under the HIPAA Security Rule
5 Mistakes Covered Entities and Business Associates Made During a Security Risk Analysis

Vigilantes Radio Podcast
The Ephi Interview.
May 20, 2022 · 22:47

1st Talk Compliance
How to Prevent Employee Snooping and Insider Threats – Audio Version of the Webinar
May 11, 2022 · 62:23

Raymond Ribble, CEO and Founder at SPHER, Inc., a market-leading compliance analytics and cybersecurity solution addressing HIPAA compliance, state privacy laws, and ePHI security threats, is our presenter for this webinar. Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. While it is an unsettling thought, not all cybersecurity incidents can be traced to employee negligence. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats.

Ledarredaktionen
Food, the state and morality
Feb 8, 2022 · 40:24

8 February. Lena Andersson has written the essay "Att äta eller inte äta – om kostråd för verkliga människor" for the think tank Environment and Public Health Institute, EPHI. She talks with Mattias Svensson about the view of humanity behind unreasonable dietary advice.

NerdFT Radio
Episode #26 Pixlverse Squad ft @Ephi & @Diakou
Feb 7, 2022 · 43:10

Pixl Pets are here and we celebrate it with a special podcast with Metaverse Designer @Ephi and Creative Game Director @Diakou of the Pixlverse team. We look into their nerdy background stories and how they became a part of one of the most anticipated Metaverse Platforms of 2022. We then dive into their play-to-earn game Pixl Pets, which will be the flagship game, and discuss the current metaverse landscape. Let us know what you think!
Questions? Comments? https://twitter.com/NerdFTRadio
Follow us on Twitter! https://twitter.com/Crypto_Crier https://twitter.com/RedsoxguyEth
Follow us on Instagram @NerdFT_Radio!
DISCLAIMER: All of the information discussed in our podcast is for entertainment purposes only. As with any financial endeavor, do your own research.

Startups: Digitalization to Realization
Taking Flight with Ephi Blanshey of Blanshey Aviation
Jan 4, 2021 · 31:48

If you’ve ever wondered what it would be like to jump off of a mountain and glide uninhibited across the sky, today’s guest is bringing you one step closer to that reality. He believes that the current transportation options available limit our movement by confining us to land. Why drive when we could be flying?

My guest today is Ephi Blanshey. He’s the younger half of the father and son duo behind Blanshey Aviation. They’re currently designing an electric propulsion system to improve the experience of lightweight flying for hang gliding machines. In today’s episode, we’ll learn about the origins of these design ideas that originated with Ephi’s father, Vladimir. We’ll also talk about the reasons they’ve moved away from a combustion engine model, and how the newer electric engines benefit the design. Ephi tells us about their CAD design and 3D printing tools, and names some of the helpful forums he’s found for anyone out there interested in using Solid Edge. Are you ready to take to the skies and enter the next generation of mobility?

Some Questions I Ask:
What’s the origin of Blanshey Aviation? (1:24)
When did the trike first appear as a recreational vehicle? (4:02)
How was design approached in the early days? (7:47)
How did you move into electric aviation? (10:31)
What do the next 3-5 years look like for your company? (16:26)
What online communities have you found to be the most useful? (20:41)
How are you assembling the products you make? (23:42)

What You’ll Learn in This Episode:
The complex logistics of hang gliding (2:24)
The problems associated with using a combustion engine to fly (6:27)
How Blanshey uses Solid Edge (13:09)
The unique challenges for this type of aviation (18:33)
The 3D printer they use and how it’s modified as needed (21:57)
How & where testing takes place (25:09)
Advice to other entrepreneurs (26:28)

Resources:
Hacker News
Facebook Groups
Solid Edge Community Forum
Siemens Blog

Connect with Ephi Blanshey: Email / Twitter / Instagram
Connect with John Fox: LinkedIn / Twitter

Pharmacy, IT, & Me: Your Informatics Pharmacist Podcast
180. What is the HIPAA Security Rule?
Mar 23, 2020 · 4:44

180. What is the HIPAA Security Rule? Intended Audience: Everyone. The HIPAA Security Rule is related to the HIPAA Privacy Rule, though the HIPAA Security Rule covers the safeguards that apply to ePHI. In today's episode, we quickly go over the requirements in the HIPAA Security Rule.
Follow us on social media! Twitter: @pharmacyitme Instagram: @pharmacyinformatics LinkedIn: https://www.linkedin.com/company/pharmacyitme/ Website: Pharmacy IT & Me Email: tony@pharmacyitme.com
Follow Tony's personal Twitter account at @tonydaopharmd
Network with other pharmacists at Pharmacists Connect! http://pharmacistsconnect.com
For more information on pharmacy informatics, check out some of the following useful links:
ASHP's Section of Pharmacy Informatics and Technology: https://www.ashp.org/Pharmacy-Informaticist/Section-of-Pharmacy-Informatics-and-Technology/
HIMSS Pharmacy Informatics Community: https://www.himss.org/library/pharmacy-informatics
Disclaimer: Views expressed are my own and do not reflect thoughts and opinions of any entity with which I have been, am now, or will be affiliated. This podcast is powered by Pinecast.

ProactiveIT Cyber Security Daily
Episode 18 - $5 Million Bonus Round Episode
Dec 6, 2019 · 14:53

An update on the CyrusOne data center ransomware attack. A new Linux vulnerability lets attackers hijack VPN sessions. New PCI security standards for contactless payments. Microsoft releases a security advisory for Microsoft Hello for Business. HackerOne pays a $20,000 bounty for a bug found on their own site, and a rogue employee in Nebraska accessed ePHI they weren't supposed to access.

HealthcareNOW Radio - Insights and Discussion on Healthcare, Healthcare Information Technology and More

Host Catherine Short talks to Cristin Gardner, Director of Consumer Products & Markets at Life Image, a healthcare network for exchanging clinical and operational information including medical images, about “Upholding HIPAA OCR Compliance & Streamlining Patient Access to Medical Data.” Digital innovation is transforming healthcare. The federal government has recently made significant pushes to make healthcare more consumer-friendly by creating easier access to health information and ePHI through technology. Healthcare providers have an obligation to conform to HIPAA regulations and guidance from the ONC around sharing data with patients, and those obligations evolve alongside changes in the healthcare and technology landscape. Want to stream our station live? Visit www.HealthcareNOWRadio.com. Find all of our show podcasts on your favorite podcast channel and of course on Apple Podcasts in your iTunes store or here: https://podcasts.apple.com/us/podcast/healthcarenow-radio/id1301407966?mt=2

Defrag This
31: How to Prepare for a HIPAA Audit
Jul 30, 2018 · 19:59

How would you like to walk into a HIPAA audit? Most will go in wondering, or worrying, whether the security measures in place reflect their company’s due diligence to protect their ePHI (electronic protected health information). Others will have the forethought to be proactive in their situation and know they have done what is necessary to protect the information for which they are responsible. We want you to be the latter.

Finding Genius Podcast
Ephi Zlotnick, CEO And Co-Founder Of Lucid Exchange–A Global, Decentralized Blockchain-Based Exchange For Securities, Currencies, And Commodities
Oct 23, 2017 · 21:31

Lucid Exchange is a global, decentralized exchange that allows its users to tokenize and trade various securities, currencies, and commodities through the use of TRD tokens. Users will need to enter the exchange with TRD tokens, which they can then exchange for currencies, securities, and commodities such as gold, crude oil, rice, or coffee, and trade with other users. Fully US regulation compliant, Lucid Exchange's goal is to introduce a new standard of transparency and efficiency for the cost and speed of exchanges. Over the next year, Lucid Exchange plans to make their platform more user-friendly, as well as create a mobile platform for its users. For more information, or to get started trading, visit www.lucidexchange.io.

Defrag This
2: Encryption in a Unified Security Posture
May 5, 2017 · 8:40

Businesses in healthcare struggle with double standards and highly complex security infrastructure that is disjointed and redundant. Lawmakers have a real hard time understanding the terminology that is needed to enact laws around technology. A perfect example is how “encryption” is labeled as something that is “addressable” vs. “required” under HIPAA. Congress saying that encryption is not a requirement does a serious disservice to those who need to make decisions for their company. Encryption is a HIPAA requirement despite what the law says, because there is no circumstance in which ePHI should not be encrypted. If your business is breached and you didn’t have the proper security controls such as encryption in place, your business is open to fines into the millions of dollars as well as nasty civil suits by those affected by the breach. But encrypting everything is easier said than done.

Security Insider - Podcast Edition
HIPAA Compliance, Business Associates, and Data Security
Feb 17, 2017 · 21:24

As Covered Entities move electronic Protected Health Information (ePHI) to the cloud, they need to understand the important role of having a Business Associate Agreement (BAA) in place and how to ensure that they are meeting HIPAA compliance when ePHI is outside of their walls. Download this podcast to learn about:
- What is considered electronic Protected Health Information (ePHI)
- The role of Business Associates (BA) as defined by the Department of Health and Human Services
- Storing ePHI in the Cloud and meeting HIPAA compliance
- Key takeaways that vendors can implement today for improved security

Help Me With HIPAA
Insider Threats: Do you know who your employees are? - Ep 70
Sep 9, 2016 · 37:03

OCR published a memo on Aug 1, 2016. The title is "Do you know who your employees are?". It is a great reminder about insider threats that we should all worry about regularly.

Quoted directly from the memo:

"Although all insider threats are not malicious or intentional, the effect of these threats can be damaging to a Covered Entity and Business Associate and have a negative impact on the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption. Further, it was reported by a Covered Entity that one of their employees had unauthorized access to 5,400 patients’ ePHI for almost 4 years."

For more visit: HelpMeWithHIPAA.com/70

Help Me With HIPAA
OCR resolution agreement - OHSU - EP 65
Aug 5, 2016 · 44:40

What happened?
- March 23, 2013: Oregon Health & Science University notified HHS of a breach due to a stolen unencrypted laptop.
- May 1, 2013: OCR notifies them they are investigating the incident.
- July 28, 2013: Oregon Health & Science University notified HHS of another breach resulting from storing ePHI at an internet-based service provider without a business associate agreement.
- November 8, 2013: OCR notifies them they are investigating the new incident.
- July 18, 2016: settlement announced for $2.7 million and a 3 year CAP.

What can we learn from this? Go to HelpMeWithHIPAA.com/65

Security Insider - Podcast Edition
HIPAA, HITRUST, Security, and their Relationships
Apr 11, 2016 · 20:32

HIPAA requires covered organizations to implement technical safeguards to protect all electronic personal healthcare information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, auditing, and monitoring of ePHI information. By knowing the relationship of HIPAA and HITRUST, covered entities and business associates can better understand their requirements for protecting ePHI. Download this podcast to learn about:
- The difference between HIPAA and HITRUST
- The difference between meeting compliance and managing security risk
- Protecting ePHI with encryption and key management
- How Townsend Security is helping covered entities protect ePHI

Help Me With HIPAA
Episode 24: To BAA or not to BAA, that is the question....
Oct 23, 2015 · 37:16

Description
Business Associates and required BAAs are discussed often but not resolved quickly. Let's talk about some ideas and issues that go with BAAs.

Links
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance

Notes
Who is a BA?
- A business partner who provides a service to a CE or BA that requires them to CReMaT PHI.
- Anyone with persistent access to ePHI. Whether they do anything with it or not is irrelevant; the fact that they CAN do things is what matters.
- Complexity is increasing. Dietitians at a hospital need info on the scripts for the diet, but the employer never stores, accesses, or has persistent access to it, even though the workforce needs to see it. The CE should train them on Privacy rules.
- BA means it is not your data, but you have it or have access to it from the owner, the CE.
- A medical director could be a BA or could be a workforce member depending on the contract they have with the employer.
- An ACO formed by a hospital as a completely separate legal entity, but staffed by hospital employees, plus the hospital provides IT services to the ACO legal entity. That would make the hospital a BA of the ACO, which is really the hospital. So the hospital is a BA to itself.

Maintaining PHI vs. maintaining facilities with PHI
- Data center where you store your servers. Are they a BA?
  - NO: they are just the landlord for your server, so they aren't a BA.
  - YES: physical, administrative, and technical safeguards are used to protect it, though. You are outsourcing part of your obligations because they are doing all of the physical safeguards for you, so you should make them a BA.
- Can be argued both ways, but 2 out of 3 lawyers said BA, plus a poll of the room says they are a BA, not just a landlord.
- BCBS of TN left drives at an old office and the landlord was securing the site. Why was there no BAA if that is the case, was the OCR response. The resolution didn't mention the BA argument, but it was an expensive fine that clearly showed the OCR lawyers didn't see the drives as protected sitting in a closet of the facility you used to lease.
- If you sell server space and store encrypted PHI you are a BA under current guidance. Many will argue this point, though. You have to be prepared to decide for yourself.
- Even if you don't treat them like a BA, you should have an agreement of some sort that protects the PHI.
- OCR is working on Cloud Computing Guidance. The Security Rule from early in this century couldn't really consider all the things that are done today; it came before cloud computing, when everyone had their own servers in their offices or owned huge data centers.
- You can't just counter this issue with making everyone sign a BAA, though. Bad for the business that signs them and either fails to comply or does work they may not need to be doing. Bad for you because you are managing contracts that don't need to be managed and opening up cans of worms we haven't even found yet.
- Make a decision about your business and be prepared to explain your logic.
- If you are doing the work of a BA you are still a BA without signing a BAA.

Included in BAA
- We are not lawyers, but we are talking about the contracts just a little bit here. Ask your attorney for advice on this stuff; don't rely on us or any other consultant for that advice. Also, get a HIPAA attorney, not a tax attorney.
- You should be reading these things, not just signing them.
- Indemnification can be included and you need to know what you are committing to.
- Insurance requirements: yours, mine, ours for cybersecurity. What does it really cover, not just whether you have it. New complexity in negotiations because you don't cover the max level that your big groups need.
- State law requirements.
- 60 days: how far down the BA tail could it go with 60 days to notify? Shorten the days, but not too short. Give them time to figure stuff out unless you want to know about incidents that turn out to be ok.
- Breach notification responsibilities: can the BA notify a huge number of people within 60 days? Do they even have the resources to make that happen?
- The de-identification of PHI clause is there to prevent selling of data. They don't have to take out the doctor's name if they take out all other PHI. That means some of your valuable info could end up in a file that gets sold because it has no PHI in it.
- Indemnification: what liability limits are you going to include? If I am acting reasonably then I shouldn't have to bear the whole burden, but if I am reckless then it is fair to put most of the burden on you.
- The Security Rule may not go far enough, but you can up the ante in your agreements. Should you require encryption be used both at rest and in transit? Agreements may start to specify exactly what security standards you must adopt, which creates new problems.

Assessing BAs
- "I have a BAA so I don't have to worry" is not a good idea.
- Does HIPAA even apply if they are offshore? US law doesn't apply in other countries. Do you know where your PHI really lives?
- A CE is not responsible for acts of a BA with a signed BAA, but if you are aware of a pattern of non-compliance then you would be liable. How much do you want to be unaware of vs. aware of in advance of a problem happening?
- What PHI you are talking about is key in assessing each situation: medical only; demographics; SSN and credit cards; is it mental health, domestic abuse, STDs, etc. with special limitations?
- Just because you have a SAS70, SSAE16, or SOC 1, 2, or 3 assessment doesn't mean it was a good assessment, nor does it mean that it covers what you need covered for HIPAA. It does provide a benchmark, but that isn't necessarily enough for HIPAA.
- A sophisticated BA questionnaire is where most CEs are moving until standards are made more specific. It provides more specifics about the compliance programs, training, and who is really in charge for you to deal with in a crisis.
- Do you audit the BA after the fact? Once you learn of problems you have to deal with them. Would you rather know or not know, that is the question.
- Easiest / quickest way to know is just let the tech geeks talk to each other and form their own opinions of what is happening. Let us handle the questions to ask. We have to deal with each other anyway. No one else really understands.
- If you are a BA then have something you can show the CE/BA clients proactively before they ask.

Help Me With HIPAA
Episode 22: So you think you're covered by cybersecurity insurance. Well...
Oct 9, 2015 · 28:46

Cybersecurity coverage being challenged in court has some important points that all businesses should consider.

Links
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Help Me With HIPAA

Notes
COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM

Data breach occurred
- Breach announcement said: Between October 8, 2013 and December 2, 2013, PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet.
- The hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online.
- Patients seen Sept. 29, 2009, to Dec. 2, 2013 were included: names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
- Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet server on or about Oct. 8, 2012. The change allowed ePHI to become available to the public via Google's internet search engine.
- The server was taken offline immediately on Dec 2 once the call came in.
- Insync doesn't mention healthcare on their website any more.
- People make mistakes, even the IT folks; theirs are just big ones.

Law Suits and Investigations
- Civil suit filed January 27, 2014 and settled December 2014 for $4.125 million along with related expenses and attorneys' fees. 50,917 patients included in the settlement.
- On-going investigation for HIPAA violations currently involves the CA Dept of Justice and likely OCR. The DOJ proceeding will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws and may potentially result in the imposition of fines, sanctions or penalties.
- Insurer Columbia Casualty filed suit saying they shouldn't have to pay the claim for the $4.1 million nor any expense they have or will incur over this case. Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney's fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit and any related proceedings and an award of damages consistent with such declaration.
- INSYNC, the IT company, does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.

Why does Columbia think they shouldn't pay?
The Columbia Policy contains the following exclusion: Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss: Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving... Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing; This Policy shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.

The Columbia Policy application contained the following questions that were answered by the hospital:
- Do you check for security patches to your systems at least weekly and implement them within 30 days? Yes
- Do you replace factory default settings to ensure your information security systems are securely configured? Yes
- Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? Yes
- Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? Yes
- Whenever you entrust sensitive information to 3rd parties do you...
  - contractually require all such 3rd parties to protect this information with safeguards at least as good as your own? Yes
  - perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors)? Yes
  - audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? Yes
  - require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality? Yes (which INSYNC did not)
- Do you have a way to detect unauthorized access or attempts to access sensitive information? Yes
- Do you control and track all changes to your network to ensure it remains secure? Yes

Failure to Follow Minimum Required Practices is clear according to the insurance company, which is why they shouldn't have to pay:
- failure to replace factory default settings
- its failure to ensure that its information security systems were securely configured
- failure to regularly check and maintain security patches on its systems
- failure to regularly re-assess its information security exposure and enhance risk controls
- failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers
- failure to control and track all changes to its network to ensure it remains secure

Final Notes
- If you don't have coverage you really should be looking at it, because this isn't going to get easier as these things continue to occur.
- If you do have coverage you should revisit that application and check that you are following the standards you said you were doing in the policy. This probably won't be the last time this kind of thing comes up.
- If you are a BA, you should check yourself and your coverage, because your clients may start asking you what you have covered in order to do business with them.

Help Me With HIPAA
Episode 18: Email isn't secure, really, it isn't
Sep 11, 2015 · 49:20

Let's review email systems and how they can be secured for ePHI and other sensitive data.

Links
Find Healthcare IT
HIPAA For MSPs
Kardon Compliance
Alston Article on Email Security

Notes
Leigh from Florida sent us an email asking us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2, which mentioned it, but she had specific questions about how email can be secured. This couldn't be covered in a quick 5 minute HIPAA answer episode, so we are doing a whole episode.

How does email work, for "real people" to understand
- Compare to the post office, since that is the way it was originally modeled to match.
- Why that isn't secure at all, really: open transmissions and many different servers.
- http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack (article on an email account that was hacked and had patient info in it)

Misconceptions
- I use a password so it is secure
- I use https so it is secure
- I use TLS so it is secure
- I use updated Outlook with Hosted Exchange so that should be secure

Secure email via
- End to end encryption tools: each party knows the key
- Messaging system: you get an email telling you to log in to get the secure email
- Hosted services that allow for specific types of messaging
- Hosted exchange
- Plug-in apps
- Secured internal only messaging systems: a very specific set up to secure the mail database on your internal server, plus controls you have in place to prevent email to other domains outside the secure system (usually software required)
- Some systems are automatic encryption / others require you to hit a button on the mail to send it secured.
- Secure messaging systems for internal discussions that don't use email: a whole new way of communications in forums / chats instead of email

Texting also matters, but that is a different episode; we can touch on it here.
A word about spear phishing: excellent example this week from a client.

Help Me With HIPAA
Episode 16: Seven Steps for Nurturing a Culture of Compliance

Help Me With HIPAA

Aug 28, 2015 36:15


Culture of compliance is the phrase OCR uses when defining what they are looking for in an audit or investigation. They also use the phrase robust compliance program in the same manner. Using these steps is a great way to make sure your organization is following their lead.

Links: ComplyAssistant Compliance Management Solution, Spher EHR Access Monitoring Solution, FindHealthcareIT, HIPAAforMSPS.com, Kardon Compliance

Notes

7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:

1. Designate a Compliance (Privacy & Security) Officer
First, the law requires you to do this. But if no one is in charge, then nothing will happen; we all know that to be the case. Or, in a vacuum of leadership, someone else will take charge and handle things the way they think they should be done, without the support of management.

2. Train and educate your staff and BA partners
Constantly restating the same information over and over in a variety of ways may be annoying to some, but that means they have heard it! Also, don't forget to work with your BA partners to confirm they actually understand what HIPAA compliance requires in their organizations.

3. Implement an ongoing Compliance maintenance solution
This is what we talk about using tools such as ComplyAssistant, Spher, and professional MSP monitoring and management applications. Either use the tools or develop manual internal controls and processes to accomplish those same documentation and audit tasks on a regular basis.

4. Conduct regular and complete audits and monitoring of all ePHI systems
If you are ignoring it, then so will everyone else in your organization.

5. Monitor and respond to Incidents in a timely manner (State & Federal regulations)
We all freak out together as soon as we know something could have happened to our PHI.

6. Adhere to a strict breach remediation protocol
Define your breach plan and use it every time. After any case in which it was used, review it to make sure you don't need to change or add things in the plan.

7. Create an open line of communication for management and staff
The law requires you to never retaliate against any person who files a complaint or reports a problem, including a breach. If you don't make it clear that you fully support that rule and that all workforce members are free to ask any question, file any complaint, and report any concern, then you will likely be missing things just because someone was afraid to tell.

Security Insider - Podcast Edition
Protect PHI & Manage Risk - HIPAA Compliance

Security Insider - Podcast Edition

Apr 19, 2012 19:28


The frequency of data breaches in healthcare has increased 32% in the past year, costing an estimated $6.5 billion annually. Fortunately, if you are protecting your Personal Health Information (PHI) with proper encryption and key management, you are exempt from breach notification. Learn how a company can achieve Safe Harbor status in the event of a breach, as well as best practices for encryption, key management, and secure system logging.