HIPAA Guidelines

Written by David Y 

August 29, 2022

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule. The HIPAA Privacy Rule creates national standards to protect individuals' medical records and other protected health information (PHI). Organizations that have to be HIPAA compliant first need to understand what PHI data they have, where that PHI data resides, who their business associates are, what legal contracts they hold, and which policies and controls are currently in place. Fines for HIPAA violations can be up to 1.5 million per year. Breach notification costs, attorney fees, lawsuits, etc. can also run to many thousands. This does not include additional laws and industry regulations such as those of individual U.S. states, the European Union, PCI, etc. A risk management framework, proper security controls, a solid technology infrastructure, and training are all needed to meet such requirements.

Email phishing targeting small businesses

Written by David Y 

August 29, 2022

Small businesses are increasingly facing targeted attacks in which staff members are impersonated in order to extract information, gather login credentials, and/or obtain financial gain. Small businesses often don't have the technology and security controls that a larger organization would have to protect against email phishing. Most small businesses use cloud email providers such as Google or Azure that provide some protection against phishing but are limited compared with what more sophisticated mail gateway and phishing identification products are able to identify. A combination of good technology to identify and proactively block email phishing attacks and awareness training for staff is needed to reduce the chance of an email phishing attack succeeding. Effective email phishing identification technology or a mail gateway with limited false positives should utilize AI and automation to identify the continually adapting techniques used by cybercriminals in email-based phishing attacks.