1-888-PIVOT-POINT | 1-888-748-6876

These Healthcare links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing.

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.


How do patients feel about their EHR privacy?

The Office of the National Coordinator for Health IT announced that they will be surveying Healthcare patients. In the survey, they will ask the patients about their concerns related to EHR privacy and security. They will also ask if they have withheld information from their doctors due to these concerns.

It will be interesting to see the results to the survey, as the end goal of IT security risk management projects is to ensure that the patient’s information is safe.


Healthcare in The Cloud

Did you know that 58% of Healthcare providers are already planning (or are in process) to adopt the cloud into their IT infrastructure?

According to Forrester Research, the cloud industry will reach $241 billion by 2020. With the knowledge of provider adoption and the size of market, it is no surprise that venture capital firm, KPCB, plans on investing in the cloud.

The cloud has many benefits to the Healthcare industry, but there are also risks. The parties facing these risks range from the cloud provider to that third-party vendor’s third-party vendors’. To address these risks, we believe ISO 27001 Certification is an optimal choice for a Healthcare organization’s ISMS. We would not be surprised if KPCB requires that companies they invest in must become ISO 27001 certified as part of the transaction.

Healthcare Cloud Data Ownership

Following the previous article is a new document from SearchHealthIT. In the PDF, the author shares how it is not only the Healthcare provider that is responsible for customer data. The outsource vendor is also responsible for the data security and must comply with HIPAA requirements by use of a framework.

“In some ways, this requirement falls into a gray area. It applies to medical practitioners and providers.”

…the HIPAA Security Rule states that covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements.”

Many of our Healthcare customers are using ISO 27002 controls because they map to HIPAA. The use of ISO 27002 controls also puts the organizations in a position to move towards ISO 27001 certification.

Google Patient Data

Due to improper server configuration, the confidential medical records of over 20,000 patients treated at two Orange County, California hospitals were made available on Google and Yahoo. Among the information were:

  • Patient names
  • Blood pressures
  • Lab results
  • Medication allergies
  • Body-mass index

The information that was made publicly available was from patients seen between February and August 2011. However, it was not until recently that the records were discovered online. In response to the data breach, the hospital’s patients were notified by mail of the incident.

What would you have done differently? Please comment with your thoughts.

Healthcare IT Security

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.


Don’t miss out on the Ethical Hacker Roundup

The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, reach out to us through email.

Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.