
Ethical Hacker Roundup – Healthcare Cloud & Privacy

These Healthcare links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security articles that we’ve read and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and Google Plus, or read in our RSS subscriptions this week.


How do patients feel about their EHR privacy?

The Office of the National Coordinator for Health IT announced that it will be surveying Healthcare patients. The survey will ask patients about their concerns related to EHR privacy and security, and whether they have withheld information from their doctors because of those concerns.

It will be interesting to see the results of the survey, as the end goal of IT security risk management projects is to ensure that the patient’s information is safe.


Healthcare in The Cloud

Did you know that 58% of Healthcare providers are already planning (or are in process) to adopt the cloud into their IT infrastructure?

According to Forrester Research, the cloud industry will reach $241 billion by 2020. Given the level of provider adoption and the size of the market, it is no surprise that the venture capital firm KPCB plans on investing in the cloud.

The cloud has many benefits for the Healthcare industry, but there are also risks. The parties facing these risks range from the cloud provider to that third-party vendor’s own third-party vendors. To address these risks, we believe ISO 27001 Certification is an optimal choice for a Healthcare organization’s ISMS. We would not be surprised if KPCB requires that the companies it invests in become ISO 27001 certified as part of the transaction.

Healthcare Cloud Data Ownership

Following on from the previous article is a new document from SearchHealthIT. In the PDF, the author explains that it is not only the Healthcare provider that is responsible for customer data. The outsource vendor is also responsible for data security and must comply with HIPAA requirements through the use of a framework.

“In some ways, this requirement falls into a gray area. It applies to medical practitioners and providers.”

“…the HIPAA Security Rule states that covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements.”

Many of our Healthcare customers are using ISO 27002 controls because they map to HIPAA. Using ISO 27002 controls also puts these organizations in a position to move towards ISO 27001 certification.

Google Patient Data

Due to an improper server configuration, the confidential medical records of over 20,000 patients treated at two Orange County, California hospitals were made available on Google and Yahoo. The exposed information included:

  • Patient names
  • Blood pressures
  • Lab results
  • Medication allergies
  • Body-mass index

The information that was made publicly available was from patients seen between February and August 2011. However, it was not until recently that the records were discovered online. In response to the data breach, the hospitals’ patients were notified of the incident by mail.

What would you have done differently? Please comment with your thoughts.

Healthcare IT Security

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.


Don’t miss out on the Ethical Hacker Roundup

The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, reach out to us through email.

Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.


Is ISO 27001 Right for (Y)our Organization?


Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

  • How to deal with increasing threats
  • How to manage multiple regulatory requirements
  • How to handle client requests for attestation
  • To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Download: ISO 27001 Vendor Selection Toolkit

Our ISO 27001 Toolkit will help you to select an ISO 27001 consulting firm.
  • Review the Issues Critical to Your Environment
  • "Vet" Vendor Qualifications
  • Compare the Top 3 Vendors
  • Sample RFP Included

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

About the Author:

Marketing at Pivot Point Security
