Thursday, December 29, 2022

2022 Recap and 2023 Predictions - Ep 387


This is one of our favorite episodes of the year. We will recap our 2022 privacy and security predictions and then make new predictions for 2023. Aside from the obvious predictions like “ransomware will increase”, our predictions will give you what we think you are going to be hearing about that you should worry about in 2023.

More info at HelpMeWithHIPAA.com/387


Check out the episode!

Thursday, December 22, 2022

2022 Blooper Show


As is our custom, we take one week off each year from creating new content just to give us a break. It also gives our sound engineer, Bojan Sabioncello, a chance to shine while he goes through all the outtakes he deals with all year. He gets in front of the mic to share how awfully we treat him, yet he is still around after all these years.

Thanks to Bojan for his skill in making us sound so good every week. 

Thanks to all our listeners who have been with us and share our podcast with others. We are here because of you.

As always, remember, HIPAA is not about compliance, it is about patient care.


Check out the episode!

Thursday, December 15, 2022

Check Your Power Outage Plans - Ep 386


When you think of a power outage happening to you or your business, you probably think of an outage lasting a few hours. That was not the case with the recent massive power outage experienced in Moore County, NC. So, that begs the question: do you have a response plan for a power outage lasting a week or more? You should.

More info at HelpMeWithHIPAA.com/386


Check out the episode!

Thursday, December 8, 2022

3 New Ways Attackers Trick You - Ep 385


The holidays are upon us and everyone is getting excited about buying presents for friends and loved ones. Cyber criminals are excited too because it means even more opportunities to attack us. Today, we are discussing an article from ZDNet about three new ways attackers are trying to trick you.

More info at HelpMeWithHIPAA.com/385


Check out the episode!

Thursday, December 1, 2022

OCR Recognized Security Practices Guidance - Ep 384


OCR recently released a video on their Recognized Security Practices initiative. The intent is to teach HIPAA-regulated entities what Recognized Security Practices are and what is required to prove their implementation in your organization. We will review the video today and give you some key takeaways from it.

More info at HelpMeWithHIPAA.com/384


Check out the episode!

Thursday, November 24, 2022

3 Reasons To Be Thankful - Ep 383


As we celebrate Thanksgiving, we thought it would be a good idea to cover three reasons why you should be thankful. Or better yet, three situations you should be thankful that you’re not caught up in… unless, unfortunately, you are.

More info at HelpMeWithHIPAA.com/383

 


Check out the episode!

Thursday, November 17, 2022

Cybersecurity Is Patient Safety - Ep 382


The healthcare industry is not immune to cyberattacks. In fact, it's one of the most vulnerable industries. To protect patient safety and data security, hospitals and healthcare providers need to implement better cybersecurity measures. Today, we review a paper from the office of Senator Mark Warner (VA) that discusses policy options for the healthcare sector.

More info at HelpMeWithHIPAA.com/382


Check out the episode!

Thursday, November 10, 2022

9 Incident Response Procedures - Ep 381


What is your Incident Response Plan? If you said “Oh, we’ll just call IT,” then you need to listen to this podcast. We will review the October 2022 OCR Newsletter that discusses nine procedures that entities should consider including in their incident procedures.

More info at HelpMeWithHIPAA.com/381


Check out the episode!

Thursday, November 3, 2022

One Click That's All - Ep 380


Keeping up on ways to protect your business from a cyber attack can feel intimidating, especially because of the continuously changing methods criminals use to social engineer us. The bottom line is it only takes one click at any time by anyone to open the door to the attackers. 

More info at HelpMeWithHIPAA.com/380


Check out the episode!

Thursday, October 27, 2022

Decisions Coming Back to Haunt You - Ep 379


As you know, each year we record a Halloween episode.  This year we are covering very scary decisions that have come back to haunt several organizations, including an organization’s decision not to report a cyber attack, an entity that thought they’d just stroke a check for fines assessed and everything would be OK, and a provider who posted PHI on social media. Listen in and learn what NOT to do.

More info at HelpMeWithHIPAA.com/379


Check out the episode!

Thursday, October 20, 2022

3 Vetting Tips Before You Download That App - Ep 378


Do you remember the saying “there’s an app for that”? Apps certainly are cool and convenient, but can you tell whether they are malicious or not? Today, we discuss and give you some vetting tips you can use before you download apps.  

More info at HelpMeWithHIPAA.com/378


Check out the episode!

Thursday, October 13, 2022

Are Connected Devices Secure? - Ep 377


More and more, the healthcare industry is using connected medical devices that do cool things, like creating efficiencies in the delivery of patient care and automating tasks for healthcare providers and their staff. But what about the security of these connected devices? Has anyone thought about that? Well, Ponemon and Cynerio did a study on just that topic and the results are very concerning.

More info at HelpMeWithHIPAA.com/377


Check out the episode!

Thursday, October 6, 2022

3 Dental Offices Learn About OCR - Ep 376


OCR’s right of access initiative keeps on churning with three more cases, making a total of 41 violations of patient right of access so far. Dentists are a known problem when it comes to doing anything for HIPAA privacy and security, including right of access requirements. But, they are quickly learning all about OCR enforcements of HIPAA violations.

More info at HelpMeWithHIPAA.com/376


Check out the episode!

Thursday, September 29, 2022

Cost of a Data Breach 2022 - Ep 375


Every year we review the Ponemon Institute’s Cost of a Data Breach report. It's always interesting because we learn that it's not just about the money. We learn what really makes a difference in our privacy and security program, what we can do that can make the biggest positive impact in the overall cost of a data breach and, more importantly, what things make the biggest negative impact.

More info at HelpMeWithHIPAA.com/375


Check out the episode!

Thursday, September 22, 2022

5 Signs Your Org Is At Risk - Ep 374


We follow a lot of the Ponemon studies. They help us see changes and trends and make better recommendations to our clients. We are going to cover their annual cost of an insider breach study. This global study covers insider incidents and provides five signs your organization is at risk. 

More info at HelpMeWithHIPAA.com/374


Check out the episode!

Thursday, September 15, 2022

New Goal: Cyber Resilience - Ep 373


The ongoing, rapidly changing cyber war has created a need for us to change our viewpoint on cybersecurity.  Yes, we need to worry about cyber hygiene and continue working on ways to secure our systems, networks and data. However, there is also a need to take the “plan for the worst but hope for the best” approach and start focusing on cyber resilience.

More info at HelpMeWithHIPAA.com/373


Check out the episode!

Thursday, September 8, 2022

Trashy Privacy Violations - Ep 372


David admits that as a kid he would dumpster dive for “treasures” people threw away. We’ve heard more than once of clients who have gone dumpster diving to retrieve documents containing PHI that were mistakenly thrown away in the regular trash. But, a recent OCR announcement highlights one dermatology group that had quite the trashy privacy violation.

More info at HelpMeWithHIPAA.com/372


Check out the episode!

Thursday, September 1, 2022

Should You Be Trusted? - Ep 371


Should we be questioning other people and vendors we work with about the trust we should have in them? The answer is yes. Are they protecting and securing the patient data we entrust them with?  Trust, but verify is something we talk about a lot. So, I ask you… should you be trusted? And can you prove it?

More info at HelpMeWithHIPAA.com/371


Check out the episode!

Thursday, August 25, 2022

Privacy Assessments - Ep 370


Privacy laws are being passed in more and more states every year. Even non-healthcare businesses are finding they must follow privacy laws in the states they do business in. Conducting a privacy assessment is a great way to understand what data you have that needs protecting, what things can go wrong and then, of those things that can go wrong, which ones we can try to prevent.

More info at HelpMeWithHIPAA.com/370


Check out the episode!

Thursday, August 18, 2022

Amazon, Facebook, and PHI oh my! - Ep 369


In order to protect PHI, you have to know where it is stored and how it comes in, goes out and moves around your organization. This includes marketing analytic tools used on websites and patient portals. They could be transmitting PHI to social media platforms. Very unnerving, right?

More info at HelpMeWithHIPAA.com/369


Check out the episode!

Thursday, August 11, 2022

Free Training Tools 2022 - Ep 368


It’s that time again folks! October is Cybersecurity Awareness Month. This year’s theme is “It’s easy to stay safe online” with a weekly focus on key behaviors to help protect your important data. Using these free training tools and practicing basic cybersecurity behaviors, you are much more likely to stay safe online.

More info at HelpMeWithHIPAA.com/368


Check out the episode!

Thursday, August 4, 2022

New Security Rule Guide Coming - Ep 367


A new security rule guide that we’ve all been waiting for! NIST has developed a cybersecurity resource guide on implementing the HIPAA Security Rule. It provides key activities, descriptions and sample questions to help covered entities and business associates comply with the HIPAA Security Rule.  This guide has tons of good information in it. So, listen in as we discuss some of the cool stuff we picked out.

More info at HelpMeWithHIPAA.com/367


Check out the episode!

Thursday, July 28, 2022

OCR Mic Drops With 12 Cases - Ep 366


OCR recently announced the resolution of 12 investigations. Eleven were for patient right of access violations and one was a big dollar settlement of a security incident at Oklahoma State University Center for Health Services. Lots to cover and learn in this episode. So, pay attention, folks.

More info at HelpMeWithHIPAA.com/366


Check out the episode!

Thursday, July 21, 2022

660 Providers Hit At Once - Ep 365


Today’s podcast episode is all about why we worry about supply chain issues, why we keep talking about the HiC SCRiM guidance, and why the first day of the PriSec Boot Camp is supply chain risk management. We’ll review several supply chain breaches, one where there were 660 providers hit at once. As you probably have guessed, these breaches involved ransomware attacks.

More info at HelpMeWithHIPAA.com/365


Check out the episode!

Thursday, July 14, 2022

6 Vendor Transition Tips - Ep 364


It can be a stressful time when you are adding a new vendor or switching vendors for your critical services.  This is the time to create a plan and do a risk analysis to make sure everything gets transitioned and set up properly. Things can go wrong if there’s no plan in place. Today, we review some tips to help you prepare for a vendor transition.

More info at HelpMeWithHIPAA.com/364


Check out the episode!

Thursday, July 7, 2022

Cyber Insurance Applications Are Intense - Ep 363


When you're shopping for cybersecurity insurance, the applications can be intense. You'll need to provide a lot of details about your current security protections, and you may be asked to complete a security audit. This is because insurance companies want to be sure that they're not insuring businesses that aren't doing everything they can to protect themselves from cyber attacks. This episode we discuss what questions you may encounter on your cyber insurance applications.


Check out the episode!

Thursday, June 30, 2022

4 Ransomware Stats For Planning - Ep 362


Ransomware tactics are constantly changing. Understanding that the protections we use today will not be enough down the road is key. We must constantly adjust and adapt our security protections to protect against these attacks. Today, we are going to discuss ransomware stats and key points from two recent reports that can help you create a response plan for ransomware attacks.

More info at HelpMeWithHIPAA.com/362


Check out the episode!

Thursday, June 23, 2022

No More Passwords FIDO - Ep 361


We use passwords for everything. Creating a unique, secure password for every website and application is hard to remember, right? So, why hasn’t someone figured out how to get rid of passwords? Well, today we are going to talk about the FIDO password killer solution.

More info at HelpMeWithHIPAA.com/361


Check out the episode!

Thursday, June 16, 2022

What Would You Do? - Ep 360


How many of us know what we don’t know, or at least are willing to admit we don't know what we don't know? Today, we are going to find out as we cover a few potential data breach scenarios and ask “what would you do - report it or not?”

More info at HelpMeWithHIPAA.com/360


Check out the episode!

Thursday, June 9, 2022

6 Takeaways 2022 Verizon DBIR - Ep 359


Today, we are going to give you our six takeaways from the 15th annual Verizon Data Breach Investigation Report. We like these reports because they give us an indication of what's going on in the cyber world, what we need to be looking for and looking out for.

More info at HelpMeWithHIPAA.com/359


Check out the episode!

Thursday, June 2, 2022

How Do They Get In? - Ep 358


We get this question all of the time: How do they get in? How do the bad guys get in and attack my network? Seems like a simple question, right? Well, there’s not always a clear-cut answer. The first thing you need to understand is that cybersecurity isn't a problem you solve. It's a chronic condition that you have to manage.

More info at HelpMeWithHIPAA.com/358


Check out the episode!

Thursday, May 26, 2022

MSP Customer Alert - Ep 357


Recently, a Cybersecurity Advisory was released worldwide to MSPs and their customers. We will take a look into what this guidance is, how it applies, and what needs to be done about it.  This is BIG and we all better be paying attention.

More info at HelpMeWithHIPAA.com/357


Check out the episode!

Thursday, May 19, 2022

Everybody get on board! - Ep 356


Everybody get on board because data security laws keep getting signed in states each year.

The new Maryland and Kentucky data security laws are designed to help protect insurance companies from cyber attacks by implementing cybersecurity standards and by developing, implementing, and maintaining a written information security program. Their service providers are also required to implement such programs, which include a requirement to report cybersecurity incidents within 3 days of discovery.

For more details go to HelpMeWithHIPAA.com/356


Check out the episode!

Thursday, May 12, 2022

10 Roles of Operational Continuity - Ep 355


Incident response planning is important to every business. You don’t want to figure out how to manage the business and respond to an incident on the fly.  These plans should be reviewed and updated regularly. Today we review a brand new guide from the Healthcare & Public Health Sector Coordinating Council on Operational Continuity - Cyber Incident.

More info at HelpMeWithHIPAA.com/355


Check out the episode!

Thursday, May 5, 2022

PriSec Teams Require Everyone - Ep 354


Over the last couple of years, we’ve had some high-profile cybersecurity compromises and data breaches. And this trend is not slowing down. Today, we review a recent study of the top cyber threats to healthcare organizations. The results reinforce that PriSec teams require everyone to participate.

More info at HelpMeWithHIPAA.com/354


Check out the episode!

Thursday, April 28, 2022

3 Tricky Places HIPAA Applied - Ep 353


Recently, we’ve had a couple things come up which involved tricky places that HIPAA has applied that most people might not think of. So, we thought we'd throw them out there and have a little bit of fun discussing them.

More info at HelpMeWithHIPAA.com/353


Check out the episode!

Thursday, April 21, 2022

6 Ways To Make Money Online - Ep 352


Cybercrime is a booming business. In 2021, the US experienced an unprecedented increase in cyber attacks with criminals making $6.9 billion online. In today’s podcast, we review the FBI’s Internet Crime Report for 2021.

More info at HelpMeWithHIPAA.com/352


Check out the episode!

Thursday, April 14, 2022

4 Takeaways from Okta Breach? - Ep 351


It is crucial for every business to understand the security practices of their vendors. And also to make sure that those vendors are vetting their vendors.  A cyber attack at a link in your supply chain can drastically affect your business. Evidence: the Okta breach.

More info at HelpMeWithHIPAA.com/351


Check out the episode!

Thursday, April 7, 2022

4 OCR Cases For Us - Ep 350


Have you heard the one about three dentists and a psychiatrist walk into... an OCR investigation? OCR has announced their first set of enforcement actions of 2022, and just in time for our 350th episode.  These involve patient right of access and improper disclosure violations.

More info at HelpMeWithHIPAA.com/350


Check out the episode!

Thursday, March 31, 2022

6 Points from HIPAA Summit - Ep 349


Donna made many notes from the HIPAA Summit. Today, she and David will share six of her top picks, including the difference between an incident and a breach, how a “check the box compliance program” is not a privacy and security program, the importance of understanding what your vendor’s incident response plans are, and more.

More info at HelpMeWithHIPAA.com/349


Check out the episode!

Thursday, March 24, 2022

3 HIPAA Enforcement Arms - Ep 348


If you are a regular listener of the podcast, you know how Donna loves to “HIPAA-geek out” over the National HIPAA Summit each year. This year’s National HIPAA Summit did not disappoint. Today, we discuss a few points made concerning enforcement of HIPAA-related cases by three arms of the federal government.

More info at HelpMeWithHIPAA.com/348


Check out the episode!

Thursday, March 17, 2022

One SMBs Cyber Survey - Ep 347


Cyber threats are a growing risk that is becoming increasingly difficult to avoid. Small and medium businesses are not immune to these cyber threats. They are a growing business risk. The first step in preventing cyber threats is awareness. 

More info at HelpMeWithHIPAA.com/347


Check out the episode!

Thursday, March 10, 2022

6 Impacts - 1 Event - Ep 346


Security events can have a significant impact on your business. It’s important to understand the magnitude of what’s going on and what the risks are. Having a plan in place to deal with privacy and security events can make it better, but not having one can make it worse. 

More info at HelpMeWithHIPAA.com/346


Check out the episode!

Thursday, March 3, 2022

3 Harsh Realities - Ep 345


The harsh realities of cybersecurity are not always easy to hear, but they are the one thing that we cannot compromise on as they can have a huge impact on our lives. We must remain cyber aware and be vigilant in order to combat cyber threats.

More info at HelpMeWithHIPAA.com/345


Check out the episode!

Thursday, February 24, 2022

Help Me With PriSec - Ep 344


Kardon, Help Me With HIPAA and HIPAA for MSPs are hosting the first PriSec Boot Camp in Louisville, KY on Sep 12, 13, 14 and 15. This ain’t yo Momma’s privacy and security. It is a one-of-a-kind event designed for those who need to understand and manage a privacy and security program. Listen to today’s podcast to learn all about it.

More info at HelpMeWithHIPAA.com/344


Check out the episode!

Thursday, February 17, 2022

3 Ways Encryption Fails - Ep 343


Encryption can give you a false sense of security. Just because your device or your data is encrypted doesn’t mean it is secure.  You have to understand how encryption works in order to understand how it doesn't work.

More info at HelpMeWithHIPAA.com/343


Check out the episode!

Thursday, February 10, 2022

Why Does Website Security Matter? - Ep 342


Securing your website is often overlooked in planning discussions and business risk management decisions. Building a website is pretty easy these days, but keep in mind users expect to have a safe online experience too. Just like with social media sites, a lot can go wrong with a forgotten website.

More info at HelpMeWithHIPAA.com/342


Check out the episode!

Thursday, February 3, 2022

4 Observations for SMBs and MSPs - Ep 341


More and more SMBs are turning to MSPs to help secure their networks, protect their assets from cyber attacks and meet compliance obligations.  MSPs are looking to add new services to meet the SMB market demand.  Today, we review a few of our observations for SMBs and MSPs from a recent report on the focus for small businesses in the next few years.

More info at HelpMeWithHIPAA.com/341


Check out the episode!

Thursday, January 27, 2022

Honeypots Get Quick Attention - Ep 340


Honeypots are an important tool in the cybersecurity arsenal. They can be used to observe how attackers work and what their activities, intentions and strategies are. This information can help organizations better understand and defend against cyber attacks.

More info at HelpMeWithHIPAA.com/340


Check out the episode!

Thursday, January 20, 2022

5 Steps For Securing Your Social Media - Ep 339


Social media has become a very important part of our lives. It is the easiest way to connect with friends, family and even promote your business. If not secured properly, it can also be an easy way for someone to hack into your account and become “you” or be the spokesperson for your business. 

More info at HelpMeWithHIPAA.com/339


Check out the episode!

Thursday, January 13, 2022

7 Ways To Screw Up Incident Response - Ep 338


A proper incident response plan is one that details your response to a data breach, cyber attack or other event.  Without a proper plan, things can go horribly awry.  In this episode, we discuss the steps to properly respond to a security incident and then give you seven ways you can completely screw it up.

More info at HelpMeWithHIPAA.com/338


Check out the episode!

Thursday, January 6, 2022

Why You Need Asset Inventories - Ep 337


The unknown is the most dangerous. It's a saying that should be taken into account when protecting your most valuable asset - your data.  Today we talk about why creating an asset inventory of your hardware, software and data is an important first step to being able to protect it.

More info at HelpMeWithHIPAA.com/337


Check out the episode!