25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

How Secure are Your Medical Devices?

How secure are medical devices? According to a data security study presented at the recent DerbyCon Security Conference, not very, it would appear. Not only can hackers gain access to MRIs, drug infusion pumps, X-ray machines and other radiology and medical equipment, even a couple of patients have discovered they can access their drug pumps and increase their morphine dosage. In some cases it doesn’t actually take much technical skill at all to gain access to medical devices. A quick search on the internet can reveal the login credentials for machines from many manufacturers. Of course, anyone looking to gain access to a medical device, and potentially the network it is connected to, would need to know where to look. That is not a difficult task, according to the researchers. The search engine Shodan contains lists of thousands of networked medical devices, and even gives names of the devices, what they do, where they are located (what hospital and where exactly in that hospital) and even the doctors who are assigned to use the equipment in some cases. The latter is worrying, as...

Read More

OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016

The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed the second phase of the HIPAA compliance audits will be commencing in early 2016. No more delays are expected. HIPAA-covered entities will soon have their compliance efforts put to the test and Business Associates will also not escape. They too will be assessed on compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Samuels recently wrote to the HHS Inspector General following strong criticism received about the OCR’s enforcement activities in addition to inconsistencies enforcing HIPAA Rules. At present, the OCR relies heavily on reports of privacy violations from the general public and the self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate. The agency has yet to develop a permanent HIPAA-compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of the OCR. According to a recent OIG report, released on Tuesday, “Without fully...

Read More

OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities

Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties being issued. Out of the thousands of data breaches listed on the website, only a tiny percentage have resulted in a financial penalties being issued, with the OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on the OCR to assess how well the agency is enforcing HIPAA Rules. Poor Oversight of HIPAA Covered Entities   The first study was conducted to assess the OCR’s oversight of covered entities’ compliance with the Privacy Rule. OIG investigators took a sample of Medicare Part B providers that had reported data breaches to the OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy...

Read More

Breach of Patient Data Reported by Barrington Orthopedic Specialists

Barrington Orthopedic Specialists, an Illinois-based healthcare provider, has reported it has suffered a breach of patient data after a laptop computer and an EMG machine were stolen from a vehicle while being transported between its facilities. The equipment theft took place at some point between August 14 and August 18, 2015, and was discovered by Barrington Orthopedic Specialists (BAS) on August 18. Following the discovery of the theft, BAS informed law enforcement officers and an investigation was launched to determine the extent of the breach wand which patients had been affected. That investigation has now been concluded. The data breach is understood to have affected 1,009 individuals and resulted in their names, dates of birth, and EMG test results and reports potentially being exposed to criminals. According to the breach notice issued by BAS, no Social Security numbers, financial data, insurance information or contact details were stored on the equipment. The risk of identity theft and fraud faced by the victims is therefore believed to be particularly low. As such the...

Read More

HealthCare.gov Security Vulnerability Critical, Says OIG

A “critical” HealthCare.gov security vulnerability has been discovered which could potentially be exploited by hackers looking to gain access to highly confidential data, according to the Department of Health and Human Services’ Office of the Inspector General. The government’s team of ethical hackers were let loose on the HealthCare.gov website, and discovered a critical weakness in its otherwise robust security features. The team used standard techniques known as vulnerability scanning, which simulate an attack by malicious outsiders. The scans therefore assessed security vulnerabilities that could realistically be exploited by external hackers. The team of “white hat” hackers discovered the vulnerability, although they were not able to exploit it to gain access to data due to a range of other security defenses installed to safeguard stored data. The HealthCare.gov website is the gateway to taxpayer-subsidized health plans and is used by 36 states, with those health plans subscribed to by millions of Americans. The data potentially accessible through the site is extensive. The...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist