10 Technology Tips to Avoid HIPAA Violations – Guest Author at Newegg Business

This week I wrote a guest article for Newegg’s Business blog, Hardboiled. I walked through my 10 Technology Tips on How to Avoid HIPAA Violations.

Take a read!

/s/ HH @LegalLevity

Why Compliance Matters to You; or it Should.

Not long ago I got into an argument with an information security (“infosec”) person about that dirty word we all love to hate, compliance <shudder>. This person’s position was that compliance does not matter and does not advance the state of security “at all.” Sadly, these anti-compliance opinions are remarkably commonplace, and they often produce the opposite of what the individual really wants: buy-in from decision makers. The impact of anti-comp opinions on our organizations is pervasive, invasive, and overwhelming.

Non-techies are Technology Empaths

The organizations we work for echo our opinions on tech and infosec. So, if you espouse an anti-comp opinion, the employees around you, as well as those you support and train, will begin to hold those same beliefs. To a large majority of the workplace, the infosec team operates with borderline magical abilities, which means that those who are not technically inclined will adopt the team’s opinions. Put simply, ask yourself a question: if you ran a company and your infosec team did not believe that compliance advanced the state of security, how much would you invest in data security, training, or infosec infrastructure? The answer is as little as possible, because if compliance does not matter to my infosec team, then why should it matter to me?

Data Breaches in 2015:

How many of you received a letter from Anthem, Premera, or CareFirst regarding the theft of your PHI from an unencrypted server? These three BCBS company breaches saw the loss of ~93 million PHI records in the span of six months. In tandem with BCBS, the Office of Personnel Management (“OPM”) discovered catastrophic, ongoing breaches resulting in ~22 million stolen records, many of them from top secret security clearance applications. From OPM to BCBS, over 105 million people have had their data stolen this year. The inevitable lawsuits stemming from those breaches will revolve around two primary questions: whether the entities failed to meet industry standards and whether they violated the law; in other words, compliance.

Audits and investigations:

Investigations are coming. If you had any doubts or questions about whether the federal government was committed to enforcement actions and audits, read my article on the New Normal of HIPAA breaches, audits, and enforcement. In short, the OCR is out there and coming for you whether or not a breach or theft occurs. The OCR plans to audit 10% of covered entities and 5% of business associates, regardless of whether a breach has occurred. Add to this ramped-up investigatory presence the expanding range of penalties, both corporate and personal, and the case for compliance begins to crystallize. These efforts are not limited to the HIPAA sector either: the FTC recently released its “Start with Security: A Guide for Business,” which promises to be the foundation of the FTC’s legal efforts against companies that fail to meet the minimum thresholds of those guidelines. Simply put, no matter what sector you are in, government efforts and spending are ramping up rapidly to ensure that organizations holding data are in compliance with the law.

Compliance is your friend

Compliance is no longer a four-letter word relegated to the low rung on the budgetary spreadsheet next to birthday cakes and dry-erase markers. Compliance departments are becoming larger, more robust, and better funded every year. What many anti-compliance advocates do not realize is that compliance does advance the state of security, because it gives you a toolbox of legal authority to grab attention and justify spending on what matters to you: advancing information security within your organization. Not only is an anti-comp attitude unproductive, but it can directly affect your ability to do your job, or even to keep it. Compliance means you, as an infosec professional, can get buy-in on that project, tech upgrade, or conference you need to do your job. If you aren’t advocating for compliance in your organization, you should be, because it’s advocating for yourself.

It’s simple – advocate now, or pay later.

/s/ HH @LegalLevity

On Moving to St. Louis from San Diego

Log Day 397:

Water continues to fall unabated from the sky. When we moved here, I literally did not even own an umbrella or something called a “raincoat.” I cannot express to you how disconcerting it is to have hundreds of gallons of water spew off my home like a Roman candle while people simply go about their business as if everything is normal.

No matter how much it rains the locals do not seem concerned, but I have begun to plan construction for a wall around our home to keep out the water. *Update, as seen below, my initial “levees” (local dialect) have failed. The chickens have taken to the lifeboats in hopes of surviving the flood waters, I wish them the best of buh gawk. Because honestly people, when is this something that should ever happen?

For a while there, cars were floating down the street, accompanied by cats on pizza boxes. Add to the River St. Louis above our very own geyser below, and poop just got very real. Apparently, there are massive concrete tunnels (not created by aliens) underneath the city that carry water away to dispose of it, and even these tunnels are completely full.


Despite these water logged challenges, we shall persevere. We will continue our water envelope shipments to California in hopes of alleviating some of the problems; in exchange for avocados, limon Cheetos and fish tacos.


Bedraggled in St. Louis and missing chickens

P.S. Avocados are running dangerously low.

Newegg Business Review of My HIPAA Breach Data Analysis

The great people over at Newegg Business did a review and analysis of my recent post analyzing the data from HIPAA Breaches since 2009.

Take a look!

Most HIPAA Violations Stem from Network Server Breaches

/s/ HH @LegalLevity