HIMSS Privacy & Security Forum – West 2014 Wrap-Up

Andrew Hicks, Managing Principal, Coalfire

The first HIMSS Privacy & Security Forum in the western U.S. proved to be a success and was attended by over 300 people including attendees (CEs and BAs), speakers, exhibitors, and partners.  We reconnected with several clients and met new friends at our booth, which was located right in the middle of the action.  We also co-hosted a dinner with our partner, Voltage Security, and enjoyed catching up with old acquaintances and meeting new ones.
The agenda was full of hot topics including the opening keynote address by Jim Doggett, Senior Vice President, Chief Security Officer & Chief Technology Risk Officer at Kaiser Permanente, who spoke about the advances in technology that are dramatically changing the risk landscape for healthcare organizations.  Mr. Doggett pointed out how privacy and security initiatives must evolve constantly to address new and growing threats. One interesting slide he shared with the audience was this one (slide #4), which shows the plethora of technologies where data resides and must be protected.
Another challenge we heard about from several attendees concerned de-identification.  Organizations need to understand why the de-identification of protected health information (PHI) is important, especially since it provides Safe Harbor in the event of a breach. Covered entities and their business associates currently face the challenge of realizing value from healthcare data while protecting patient privacy, and de-identification can provide a way to satisfy both needs. There is more information on this topic in this perspective paper.
Iliana Peters from OCR drew a huge crowd when she presented the HIPAA Update, which provided an overview of the permanent audit program OCR plans to launch on October 1st.  An important item to note is that they will not allow any ‘back and forth’ during the desk and onsite audits; there will be just one chance to get it right. It is therefore important that you get your house in order, in the form of evidence libraries and the like, so you can be ready in the fall.  More information about audit preparation can be found in this perspective paper.
A well-attended panel on the latest issues in medical device security was nicely represented by both the technology side (Kevin Fu, Associate Professor at the University of Michigan) and the application side (Tom August, Director of Information Security at Sharp Healthcare).  Attendees were glued to this session as they tallied up their own estimated medical device counts, reaching 50,000, 100,000 and more.  Mr. Fu and Mr. August said that as more data from medical devices is fed into EHRs on a provider’s network, finding ways to secure the devices and protect them from viruses and other cyber threats has become a vital part of any comprehensive security program.  More about the latest and greatest in medical device security can be found in this perspective paper.
Finally, the topic of virtualization was addressed by panelists in discussions ranging from ‘how do I protect data in a BYOD world?’ to ‘how can I boost networking and security?’  They also covered the recent HIMSS Analytics Cloud Survey and these challenges around cloud security:

  • A lack of HHS guidance on how HIPAA applies to cloud computing.
  • What if a cloud vendor was unaware it was hosting PHI for a covered entity?
  • No guidance or audit protocols specific to business associates exist today.
  • How to handle patient rights and breaches when you may not know what information you have?

In a nutshell, many speakers pointed out the message in the Information Week article about how Target and the other retail giants that were breached recently were actually more secure than today’s average healthcare organization.  So the key message echoed at the conference was simply this:  Compliance does not equal security.  This is exactly what we’ve been helping our clients with – a full-fledged, comprehensive risk management program that protects your data wherever it resides so that your HIPAA compliance goes beyond just a check in the box.
