April 13, 2018 •
As a security consultant, I’ve been in a lot of hospitals, clinics and practices—and I’ve seen a lot of “worry” over the cybersecurity threat landscape. I’d like to see more of this worry translate into action, because it’s just not happening.Other than worry, what can healthcare institutions and their IT/IS leaders do to protect electronic personal health information (ePHI)? I have been part of three major healthcare breaches and post-breach forensics revealed that two of them could have been limited in scope if they had been actively monitoring and alerting to changes inside their IT networks.
Active Monitoring • Compliance • MDR
January 26, 2018 •
This morning I read that Apple is letting you keep your medical records on your iPhone or Apple Watch and it got me thinking: How secure will this data be? How well will people work to protect their personal health data? I am a cybersecurity guy and I am a skeptic, so let me give you some facts and then some things to think about.
Mobile Security • Security Awareness
August 16, 2017 •
I’ve been an information security assessor (PCI, HIPAA, ISO, etc.) for a long time and it’s always interesting to find out why a company has brought me in to do an assessment.Is the goal to shore up their existing security environment, or just check a compliance box to make one of their clients or vendors happy? The answer to that question will usually determine the assessment’s success.
Compliance • Security Assessments
June 5, 2017 •
As an IT security assessment professional, my job is to look at companies’ data security zones and their network perimeter compliance. I am looking at the normal stuff: Firewalls, servers and hardening standards as required by PCI, HIPAA, ISO 27001, etc.Without properly implemented and maintained security technologies in place, it’s impossible to protect your perimeter from compromise. But are you truly clear on what that perimeter is?
Cloud Security • Network Security • Security Assessments
May 21, 2017 •
Last week was a rough one in the IT world, as organizations around the globe scrambled to avoid being caught up in the WannaCry ransomware attack. If your organization was spared this round, it doesn’t mean you should pat yourself on the back and move on, business as usual. Fact is, most organizations aren’t at a state of security maturity that affords them this level of comfort.Read on for my list of 5 things any IT professional can learn from the WannaCry ransomware attack.
Endpoint Security • Ransomware • Security Awareness
March 17, 2017 •
The U.S. Department of Health and Human Services maintains an online database that HIT cybersecurity pros refer to as the “HHS Wall of Shame.” It’s an exhaustive listing of all healthcare data breaches resulting in the loss of 500 or more PHI records. No one wants to end up there, but the fact is, 318 healthcare organizations were listed on the HHS Wall of Shame in 2016. Altogether, these breaches were responsible for the loss of more than 16 million records.Understanding the security gaps that could put your organization on the Wall of Shame starts with conducting a proper risk assessment on a regular basis. In my experience, however, most organizations don’t ever get started. Read on to learn about the four common HIT cybersecurity gaps that can put you on the Wall of Shame, and how to close them.
Security Assessments • Vulnerability Management
December 1, 2016 •
Employees are one of the most overlooked and most dangerous areas of security risk in an organization. The human element is susceptible to all types of attack and error, not to mention their ability to act with malicious intent.While human security risk can never be completely eliminated, it can be significantly reduced. Read this ControlScan blog post to learn how.
Access Control • Malware • Security Awareness
October 25, 2016 •
Countless healthcare organizations have been targeted recently by cyber attacks, and many were caught with little to no IT security safeguards in place. The most frustrating thing is that it could have been prevented if proactive security measures had been taken.