Health IT Privacy & Security

OCR Guidance on Ensuring Equal Access to Emergency Services During Hurricane Florence

Official guidance from the Office for Civil Rights

Nathan E Botts 0 23367 Article rating: 5.0

As Hurricane Florence makes landfall, the HHS Office for Civil Rights (OCR) and its federal partners remain in close coordination to help ensure that emergency officials effectively address the needs of at-risk populations as part of disaster response. If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

Nathan E Botts 0 21958 Article rating: No rating

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general.

Ransomware Fact Sheet

Guidance from the U.S. Department of Human Services

Nathan E Botts 0 12767 Article rating: No rating

From the HHS Ransomware Fact Sheet:

A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data.

Everything you wanted to know about SQL injection

But were afraid to ask...

Nathan E Botts 0 13864 Article rating: No rating

From the Troy Hunt article:

"The indictment also suggests that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that in most cases, the breach was made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over a decade."

Health app developers, what are your questions about HIPAA?

A resource from the US Office for Civil Rights

Nathan E Botts 0 19867 Article rating: No rating

From the OCR website: 

We are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes. Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules.

Ranked Health: Curated Health Apps & Devices

Health app rankings by clinicians, researchers, & patients

Nathan E Botts 0 15018 Article rating: No rating

From the Ranked Health website: 

RANKED Health is a project run by the Hacking Medicine Institute (HMi), a non-profit organization spun out of MIT’s Hacking Medicine program. This project is designed to review and rank healthcare focused applications, providing independent, unbiased and accurate information to accelerate patient and provider adoption of clinically proven and high-quality digital health solutions. In addition to identifying best-in-class healthcare applications for better health monitoring and disease management, RANKED Health also helps uncover unsafe and ineffective apps on the market.

Mobile Health Apps Interactive Tool

Find out which federal laws you need to follow

Nathan E Botts 0 11853 Article rating: No rating

From the Federal Trade Commission website: 

Does your mobile app collect, create, or share consumer information? Does it diagnose or treat a disease or health condition? Then this tool will help you figure out which – and it may be more than one – federal laws apply. It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.

Business Associate Contracts

Sample Business Associate Agreement Provisions provided by the Office of Civil Rights

Nathan E Botts 0 10143 Article rating: No rating

From the OCR website:

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

How your data is collected and commoditised via “free” online services

The fiscal impact of data breach

Nathan E Botts 0 33840 Article rating: No rating

I get a lot of people popping up with data breaches for Have I been pwned (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained.

Understanding Cross Site Request Forgery

Mechanics of a CSRF Attack

Nathan E Botts 0 7093 Article rating: No rating

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re passing anti-forgery tokens to any APIs you wouldn’t want fraudulently called, right?!).

Microsoft Regional Director

Nathan E Botts 0 5112 Article rating: No rating

This was not what I was expecting earlier this week:

I am delighted to welcome you to the Microsoft Regional Director program!


More specifically, the nomination I received some weeks back was not what I expected and this week’s message was what I’d dared not get my hopes up too much about.

A bit of context first – I’m not going to work for Microsoft and despite the title of “Microsoft Regional Director”, I’m no more an employee than what I was (and still am) an MVP. The MVP title remains and what the Regional Director status does is turn that up to 11. Here’s what they told me in the email:

The competition for admission to this program was intense. Your selection is a tribute to your deep technical and business knowledge, your community leadership, and your ability to connect with Microsoft customers, partners, prospects, and product group professionals.

There’s a good little piece on what the Microsoft Regional Director Program is plus a list of the folks that I join on the program which will include many familiar names if you travel in Microsoft circles. I’ll join them representing the Asia Pacific region and I expect it will give me better access to the right people in Microsoft (although in fairness, I’ve never felt this has been a challenge in the past) as well as obviously carrying kudos which helps when talking to the various organisations I work with.

As with the MVP program, independence is still key and also as with the MVP program, I suspect I’ll continue to face a barrage of “well you have to say that, because Microsoft” responses from time to time. I’ll continue to get my phone and tablet from Apple, my browser from Google and my laptops from Lenovo, but I’ll also continue to love working in Visual Studio with ASP.NET and publishing it up to Azure. That’s what independence looks like.

I’m really grateful to have this recognition, particularly because it comes as a result of just doing what I genuinely love. I’m really enjoying creating Pluralsight courses, travelling the world to speak and spend time with organisations in workshops and seeing Have I been pwned continue to grow in unexpected ways, all of which give me an opportunity to showcase many wonderful technologies, including those from Microsoft. All of that only works because I have an audience though so a big thanks to everyone who’s helped me along the way by consuming the things I create and enabling me to have these opportunities.

Meaningful Use Stage 2 & HIPAA

The Relationship between HIPAA and Meaningful Use Privacy & Security

Nathan E Botts 0 8580 Article rating: No rating

The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs) and give patients an array of rights with respect to that information. The regulations include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI); and the Breach Notification Rule, which requires CEs and BAs to provide notification following a breach of unsecured Protected Health Information (PHI). CEs must comply with the HIPAA Privacy, Security, and Breach Notification Rules. BAs must comply with the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the HIPAA Privacy Rule.
