Healthcare Information Security

Overseeing healthcare mergers from a security perspective

When much of a healthcare organization’s growth is derived from acquisition, there are undoubtedly a lot of moving parts. As the parent organization takes on new hospitals or practices, it must ensure that its IT and business strategies are implemented within the recent acquisitions.

Ray Hawkins, Genesis Healthcare information security officer (ISO), said in Part 2 of this Q&A that Genesis has a limited but very consistent application portfolio and that it makes every effort to get new organizations onto that portfolio. For Hawkins, a synchronous environment is critical to managing IT security.

Read Part 1: Governing IT security across a multi-provider organization

How does bringing on new organizations affect your environment?

Our job post-acquisition is to work as quickly as we can to pull new employees at new sites into our IT processes and systems. We’ll swap out desktops and laptops so the new organization’s infrastructure matches the rest of our sites. It’s far easier for us to do that in the short run versus extending it out because we run into support issues if we have too many different architectures out there in our environment. Not much is virtual, as we have one single data center and we do a tremendous amount of virtualization within the data center. So the preponderance of our server systems from production tier 1 on through any sort of testing environments, more than 50 percent of what we have is virtualized.

What is Genesis’s mobile strategy?

We have a fairly robust mobile deployment. I think we’re on the front edge of putting mobile into our environment. We definitely see a strategic, business-aligned fit with moving to mobile systems and mobile applications. The future is really not seeing those carts on wheels all over a clinical setting and instead seeing the caregivers using smaller and more nimble devices. We’re two years into that type of deployment, so we feel fairly comfortable that we not only went through the process of doing that early, we also received a lot of lessons learned. We’re better positioned long-term to build on that strategy, where it won’t just be cost savings but also enable our clinical workers to not have such monolithic equipment that they have to call around just to do their work.

Are there any current projects your team is working on?

In terms of projects, the big thing on my team’s plate that we stay very focused on is constant improvement within our SIM. I think you’re going to see higher expectations from auditors to really look at how well we can monitor events that happen on a network while being able to articulate what users are doing and when they’re doing it. As the risk landscape becomes more challenging to us, we have to have really strong systems that can aggregate all of these neat tools that we’re putting out there and make sense of them for us. We’re really pushing vendors to provide strong solutions in that space.

Another area that a lot of organizations are dealing with is how to address texting issues with physicians and other caretakers. The way they personally use mobile is creeping into the workplace. How can we provide a strong solution or mitigate risk around users texting between each other during work? The solution space isn’t the strongest around that, but that’s certainly a project that we’re evaluating.

How has the HIPAA Omnibus Rule affected the way you connect with vendors?

The thing that gave vendor management a lot more urgency and color was the amount of retailer breaches last year, such as Target or Neiman Marcus. We want to do vendor management right from the engagement part through the way we structure the BAAs. We need to know who our vendors are that have access to patient or employee data, what agreements are in place and which ones are the high-risk vendors.

From a physical security standpoint, for example, we don’t centrally manage how and when an organization locks their doors. That’s their domain to handle, but we have to put out guidance for the right ways to engage vendors.

