Healthcare Information Security

Overseeing healthcare mergers from a security perspective

By Patrick Ouellette

When much of a healthcare organization’s growth is derived from acquisition, there are undoubtedly a lot of moving parts. As the parent organization takes on new hospitals or practices, it must ensure that its IT and business strategies are implemented within the recent acquisitions.

Ray Hawkins, Genesis Healthcare information security officer (ISO), told HealthITSecurity.com in Part 2 of this Q&A that Genesis has a limited but very consistent application portfolio and it makes every effort to get new organizations onto that portfolio. For Hawkins, a synchronous environment is critical to managing IT security.

Read Part 1: Governing IT security across a multi-provider organization

How does bringing on new organizations affect your environment?

  • Our job post-acquisition is to work as quickly as we can to pull new employees at new sites into our IT processes and systems. We’ll swap out desktops and laptops so the new organization’s infrastructure is matching the rest of our sites. It’s far easier for us to do that in the short run versus extending it out because we run into support issues if we have too many different architectures out there in our environment. Not much is virtual, as we have one single data center and we do a tremendous amount of virtualization within the data center. So the preponderance of our server systems from production tier 1 on through any sort of testing environments, more than 50 percent of what we have is virtualized.

What is Genesis’s mobile strategy?

We have a fairly robust mobile deployment. I think we’re on the front edge of putting mobile into our environment. We definitely see a strategic, business-aligned fit with moving to mobile systems and mobile applications. The future is really not seeing those carts on wheels all over a clinical setting and instead seeing the caregivers using smaller and more nimble devices. We’re two years into that type of deployment, so we feel fairly comfortable that we not only went through the process of doing that early, we also received a lot of lessons learned. We’re better positioned long-term to build on that strategy, where it won’t just be cost savings but also enable our clinical workers to not have such monolithic equipment that they have to call around just to do their work.

Are there any current projects your team is working on?

In terms of projects, the big thing on my team’s plate that we stay very focused on is constant improvement within our SIM. I think you’re going to see higher expectations from auditors to really look at how well we can monitor events that happen on a network while being able to articulate what users are doing and when they’re doing it. As the risk landscape becomes more challenging to us, we have to have really strong systems that can aggregate all of these neat tools that we’re putting out there and make sense of them for us. We’re really pushing vendors to provide strong solutions in that space.

Another area that a lot of organizations are dealing with is how to address texting issues with physicians and other caretakers. The way they personally use mobile is creeping into the workplace. How can we provide a strong solution or mitigate risk around users texting between each other during work? The solution space isn’t the strongest around that, but that’s certainly a project that we’re evaluating.

How has the HIPAA Omnibus Rule affected the way you connect with vendors?

The thing that gave vendor management a lot more urgency and color was the amount of retailer breaches last year, such as Target or Neiman Marcus. We want to do vendor management right from the engagement part through the way we structure the BAAs. We need to know who our vendors are that have access to patient or employee data, what agreements are in place and which ones are the high-risk vendors.

From a physical security standpoint, for example, we don’t centrally manage how and when an organization locks their doors. That’s their domain to handle, but we have to put out guidance for the right ways to engage vendors.
