HHS OIG: HHS Information Security Program Rated ‘Not Effective’
Apr 12

The Department of Health and Human Services Office of Inspector General (HHS OIG) has published the findings of its annual evaluation of the HHS information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The evaluation determined that the HHS information security program has not yet reached the level of maturity required to be considered effective. The independent audit was conducted on behalf of HHS OIG by Ernst & Young (EY) to determine compliance with the FISMA reporting metrics and to assess whether the overall HHS security program met the required information security standards. HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functions of the Cybersecurity Framework across the FISMA domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning. The maturity levels for information security are Level 1 (Ad hoc policies);...

Adventist Health Physicians Network Fined $40,000 for Privacy Breach
Apr 12

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil monetary penalties by the Ventura County District Attorney as part of a civil settlement resolving a patient privacy case that affected 3,797 patients. The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility in Simi Valley to store physical patient records; however, when payments to the storage facility stopped, the hospital lost access to the storage unit and its contents were put up for sale at a public auction in October 2018. The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork containing the sensitive medical data of Adventist Health patients. The hospital was notified, and the files were promptly collected and secured. Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit...

HHS Information Blocking and Interoperability Regulations Now in Effect
Apr 09

The new information blocking and interoperability regulations developed by the Department of Health and Human Services under the 21st Century Cures Act took effect on Monday this week. More than a year has passed since the final rule was released, and the benefits of the information blocking and interoperability provisions can now be realized. The final rule defines information blocking and stipulates the penalties for providers that engage in practices that interfere with the access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request that it be sent to the application of their choosing. The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision applies only to the subset of EHI defined in the United States Core Data for Interoperability (USCDI v1). Core EHI includes clinical notes,...

Fresh Gravity Confirmed as HIPAA Compliant by Compliancy Group
Apr 09

The business and technology consulting firm Fresh Gravity has been confirmed by Compliancy Group as having taken all necessary steps to demonstrate compliance with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule, and with the requirements of the HITECH Act. Fresh Gravity assists enterprises with their digital transformation through the use of state-of-the-art technologies. The company serves a broad range of clients in the life sciences and healthcare industries, including pharma firms, medical device manufacturers, contract research organizations, and many payors and healthcare providers. The services provided to those organizations often involve access to protected health information, which makes Fresh Gravity a business associate under HIPAA and therefore requires it to comply with the HIPAA Rules. To ensure that it was fully compliant, Fresh Gravity partnered with Compliancy Group and adopted its proprietary HIPAA methodology. Following that...

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments
Apr 09

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany Sparrow, the open-source PowerShell-based detection tool it released in December 2020 to help network defenders identify potentially compromised accounts and applications in their Azure, Microsoft 365, and Office 365 environments. Sparrow was created in the wake of the SolarWinds supply chain attack to help network defenders determine whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that visualizes and analyzes the data Sparrow outputs so that post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts can be identified. The Aviary dashboard helps network defenders review PowerShell logs and mailbox sign-ins to determine whether the activity is legitimate; it also lets them examine PowerShell usage by employees and check whether Azure AD domains have been modified. CISA encourages network defenders to review the previously released alert AA21-008A on detecting post-compromise activity in...
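To make the kind of check Sparrow and Aviary surface concrete, the following Python is an added example (not CISA's Sparrow or Aviary code) that triages a handful of constructed Microsoft 365 unified audit log records: it flags Azure AD operations that change domain federation or domain authentication, additions of service principal credentials, and mailbox access from a PowerShell-based client, then pivots the findings per user the way a dashboard would. The sample records, the operation strings in SUSPICIOUS_OPERATIONS, and the app ID in POWERSHELL_APP_IDS are assumptions; verify them against the audit data exported from your own tenant before relying on them.

```python
"""Sparrow-style triage of Microsoft 365 unified audit log records.

Added example, not CISA code. Input is newline-delimited JSON in the shape
of the AuditData field returned by Search-UnifiedAuditLog (assumed).
"""
import json
from collections import Counter

# Constructed sample records, not real tenant data. The admin account changes
# how the tenant authenticates and adds an application credential; one mailbox
# is then read through a PowerShell-based app rather than a mail client.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime": "2021-03-30T02:14:07", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example", "Workload": "AzureActiveDirectory", "ApplicationId": "00000000-0000-0000-0000-000000000001"}
{"CreationTime": "2021-03-30T02:19:41", "Operation": "Set federation settings on domain.", "UserId": "admin@contoso.example", "Workload": "AzureActiveDirectory", "ApplicationId": "00000000-0000-0000-0000-000000000001"}
{"CreationTime": "2021-03-30T02:20:03", "Operation": "Set domain authentication.", "UserId": "admin@contoso.example", "Workload": "AzureActiveDirectory", "ApplicationId": "00000000-0000-0000-0000-000000000001"}
{"CreationTime": "2021-03-30T03:01:55", "Operation": "Add service principal credentials.", "UserId": "admin@contoso.example", "Workload": "AzureActiveDirectory", "ApplicationId": "00000000-0000-0000-0000-000000000001"}
{"CreationTime": "2021-03-30T03:12:18", "Operation": "MailItemsAccessed", "UserId": "bob@contoso.example", "Workload": "Exchange", "AppId": "11111111-1111-1111-1111-111111111111"}
{"CreationTime": "2021-03-30T08:45:00", "Operation": "MailItemsAccessed", "UserId": "bob@contoso.example", "Workload": "Exchange", "AppId": "00000000-0000-0000-0000-000000000002"}
'''

# Azure AD audit operations that alter how users authenticate or that grant
# an application its own credential. Assumed operation strings: confirm them
# against your tenant's audit log, as wording can differ between workloads.
SUSPICIOUS_OPERATIONS = {
    "Set federation settings on domain.": "domain federation settings changed",
    "Set domain authentication.": "domain authentication method changed",
    "Add service principal credentials.": "credential added to a service principal",
}

# Placeholder app ID standing in for a PowerShell-based client such as the
# Exchange Online PowerShell module. Assumption: substitute the IDs you see
# in your own sign-in data.
POWERSHELL_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_record(rec):
    """Return a reason string if the record is a post-compromise indicator, else None."""
    operation = rec.get("Operation", "").strip()
    if operation in SUSPICIOUS_OPERATIONS:
        return SUSPICIOUS_OPERATIONS[operation]
    # Exchange records carry the client app under AppId; Azure AD sign-ins
    # under ApplicationId. Check both so one parser serves both workloads.
    app_id = (rec.get("AppId") or rec.get("ApplicationId") or "").lower()
    if rec.get("Workload") == "Exchange" and app_id in POWERSHELL_APP_IDS:
        return "mailbox accessed via PowerShell-based application"
    return None


def triage(text):
    """Run every record through flag_record and keep the hits, oldest first."""
    findings = []
    for rec in parse_records(text):
        reason = flag_record(rec)
        if reason:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "operation": rec.get("Operation", "").strip(),
                "reason": reason,
            })
    return sorted(findings, key=lambda f: f["time"])


def summarize(findings):
    """Count findings per account, the pivot a dashboard would show first."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_AUDIT_LOG)
    for f in hits:
        print(f"{f['time']}  {f['user']:<24} {f['operation']:<38} {f['reason']}")
    print(dict(summarize(hits)))
```

The federation and domain-authentication operations are the ones worth treating as incidents on sight: a legitimate administrator changes them rarely, and an attacker who can set federation settings can mint tokens for any user in the domain. Mailbox access from a PowerShell app is only a lead, so correlate it with the account's normal client mix before escalating.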
