
“New Era” for Healthcare Data Security

These Healthcare links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

New HIPAA Rules Mandate Tighter Security

As we reported recently in this blog, the new HITECH privacy and security update to HIPAA has just been released. This new baseline for handling health information mandates stronger security – along with tougher audits and stronger penalties – for healthcare providers and their third-party partners.

Healthcare organizations also must contend with meaningful use requirements, which are meant to drive improved electronic health record (EHR) data capture and information sharing. Adding the new HITECH privacy and security mandates atop the “MU” requirements might scare some healthcare entities away from addressing MU. Yet the trend is moving inexorably towards patients being able to access their own EHR.

As Adam Levin blogged in the Huffington Post, “To have current, accurate and reliable data about a patient’s medical history just a click away… will save money, time and … lives.” But attacks to steal and sell personal health data “…are also ultimately made possible by the digitization of medical records…”

Against this backdrop, it’s no wonder that, according to the most recent Healthcare Information and Management Systems Society (HIMSS) survey, more and more healthcare organizations are choosing to undertake a risk assessment.

Yet Another Report Blasts Healthcare Cybersecurity Readiness

A year-long examination of cybersecurity by The Washington Post shows that health care is among the most vulnerable industries to cybercrime – a big reason being that it has failed to address known problems with outdated systems. As one expert quipped: “I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

No wonder so many government and industry sources have expressed concern that health care presents “… an inviting target to activist hackers, cyberwarriors, criminals and terrorists.” Among the scariest breaches posted by the U.S. Department of Health & Human Services under the HITECH Act are these that, according to FierceHealthIT, will literally “freak you out”:

  • A surgical practice in Illinois had its server taken over and encrypted by hackers, who demanded a ransom in exchange for the decryption key. Over 7,000 patients had their names, social security numbers, credit card numbers and various clinical data compromised.
  • Medical students at Stanford University and elsewhere, by their own admission, were creating bogus identities on Facebook in order to post information about patients. (FierceHealthcare blogged recently on a number of high-profile patient privacy violations on social media sites.)
  • The Veterans Administration reported a staggering 173 breaches involving malware-infected medical devices between 2009 and 2011 – these did everything from disrupting patients’ glucose monitoring to cancelling patient appointments to shutting down a sleep lab.
  • Studies by major medical centers and the Government Accountability Office have noted recently that defibrillators, insulin pumps and other common medical devices are vulnerable to hacking and infested with malware. It’s disconcerting that cyberthugs could deliver a fatal shock via someone’s pacemaker from across the planet.

mHealth Security Legislation Drafted

Georgia Representative Hank Johnson has released draft legislation that proposes a way to regulate how the developers of mHealth and other mobile applications collect personal data. Called the “Application Privacy, Protection and Security (APPS) Act of 2013,” it would require developers to disclose how they collect personal data and what parties have access to it. It also proposes informing consumers about what information is collected and how long it could be stored – as well as enabling them to “opt out” from having their data collected and shared.

If enacted, the legislation charges the Federal Trade Commission (FTC) with enforcing the privacy rules.

Healthcare IT Security

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.


About the Author:

Marketing at Pivot Point Security


  1. Daniel Cheney  April 29, 2013

    Can the Health Care industry really be “regulated” into realizing the critical condition of our PHI data that they collect? It doesn’t seem to be working! This infographic by Linoma Software indicates that it is continuing to get worse. Here’s the link:

    I speak from experience that the costs of prevention are far, far less than the cost of recovery in the event of a data breach. What is missing here to get the industry to move on this critical issue?
