{"id":2015,"date":"2012-08-16T00:00:00","date_gmt":"2012-08-16T00:00:00","guid":{"rendered":"http:\/\/otava.test\/solutions-for-the-top-5-security-vulnerabilities\/"},"modified":"2012-08-16T00:00:00","modified_gmt":"2012-08-16T00:00:00","slug":"solutions-for-the-top-5-security-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/","title":{"rendered":"Solutions for the Top 5 Security Vulnerabilities"},"content":{"rendered":"

A recent article from HealthCareITNews.com details the top five security vulnerabilities that \u201ccould mean trouble\u201d – that is, result in a data breach. While these risks are entirely valid, the article doesn\u2019t offer tactical solutions or alternatives to reduce said risks. [Note: these security vulnerabilities should be of concern in any industry, not just healthcare – i.e., financial, ecommerce, software, etc.].<\/p>\n

So I thought I would respond:<\/p>\n

Theft.<\/strong>
\nThe article acknowledges that lost or stolen media, often in the form of a backup tape or laptop, were the culprit for a data breach. The Sutter Health incident involving a break-in and theft of a desktop computer is used as an example. But the article fails to provide a way to prevent the loss of innumerable patient records by media theft.<\/p>\n

Keeping ePHI (electronic protected health information) or other sensitive information on secure networks, and not physical devices can greatly decrease the potential risk of allowing thieves access to ePHI. With remote access to networks using mobile devices, the use of two-factor authentication is greatly recommended – it verifies the identity and access level of the user trying reach the data. Read more about this here: Keep ePHI on Secure Networks, Not Mobile Devices, Recommends OCR<\/a><\/em>.<\/p>\n

In addition to keeping data in HIPAA compliant data centers<\/a> with standardized network security in place, investing in an offsite backup<\/a> solution that doesn\u2019t use tapes can help prevent a data breach.<\/p>\n

Mobile devices.<\/strong>
\nSimilar to the theft issue, mobile devices \u201cdon\u2019t have the same level of security controls as computer systems,\u201d the article claims. In addition to keeping ePHI\/sensitive data off of physical devices, a BYOD (Bring Your Own Device) and mobile policy can standardize users\u2019 behavior when it comes to transmitting, storing and accessing data.<\/p>\n

A solid set of policies and procedures, as well as a security awareness and training program can ensure your employees know what is expected when it comes to the use of mobile devices.<\/p>\n

Dissemination of data.<\/strong>
\nTarget data sharing between healthcare organizations and third-parties, the article claims the lack of security, tracking and auditing capabilities as a source of data breaches. The article states those that transmit data must \u201cinvest in technology and processes that protect the data in transit and at rest.\u201d But what kind of specific technology could do that?<\/p>\n

SSL certificates can secure the transit of information from a web server to the user by starting a secure session and encrypting shared data. Encryption for data at rest and in transit should follow the U.S. government, NIST-approved (National Institute of Standards and Technology) AES-256 (Advanced Encryption Standard). Additionally, using SFTP (Secure File Transfer Protocol) to transfer files can help secure and validate the identity of users.<\/p>\n

Outsourcing to business associates or third-party vendors.<\/strong>
\nThe article mentions the growth in outsourcing, and the need for business associates, vendors and partners to follow national regulations (HIPAA, PCI<\/a>, SOX<\/a>, etc.). The article mentions pre-contract assessments of business associates, and post-contract compliance assessments, but more due diligence should be done pre-contract to minimize as much risk as possible.<\/p>\n

Start by asking managed hosting<\/a> providers for a copy of their Report on Compliance (ROC), for any type of compliance. This means they\u2019ve invested in an independent audit of their facilities and services and were found to be operating at 100% compliance with the standards.<\/p>\n

A HIPAA hosting<\/a> provider should also be able to provide documented policies and procedures of their security practices, dates and signed documentation of employee training, and a comprehensive Business Associate Agreement<\/a> (BAA) outlining their responsibilities and incident response protocol.<\/p>\n

The cloud.<\/strong>
\nThe article gets kind of vague here, stating that cloud computing<\/a> is popular because it\u2019s cost-efficient to outsource both storage and compliance out to a provider, yet it \u201cadds another layer of potential breach exposure to a healthcare organization.\u201d However, that idea is quickly becoming outdated as cloud providers focus more on security as\u00a0organizations move their information to the cloud. The article concludes by stating the responsibility of securing information in the cloud is ultimately on the shoulders of a covered entity, which is true, but can be alleviated by doing their due diligence as described above.<\/p>\n

Another article I wrote, Outsourcing Cloud Computing Security<\/a><\/em>, outlines sample questions to ask your potential new HIPAA cloud hosting<\/a> provider. Cloud Computing and Compliance<\/a><\/em> also explains the difference between Software\/Infrastructure-as-a-Service.<\/p>\n

Healthcare Organizations: Seeking a Cloud Provider? BAAs Required<\/a><\/em> quotes David S. Holtzman of the HIPAA enforcement entity, OCR (Office of Civil Rights):<\/p>\n

\n

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.<\/p>\n<\/blockquote>\n

The article also lists important provisions in your cloud contract to minimize security vulnerabilities and ultimately protect your PHI.<\/p>\n

References
\n5 Security Vulnerabilities That Could Mean Trouble<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A recent article from HealthCareITNews.com details the top five security vulnerabilities that \u201ccould mean trouble\u201d – that is, result in a data breach. While these risks are entirely valid, the article doesn\u2019t offer tactical solutions or alternatives to reduce said risks. [Note: these security vulnerabilities should be of concern in any industry, not just healthcare – i.e., financial, ecommerce, software, etc.]. So I thought I would respond: Theft. The article acknowledges that lost or stolen media, often in the form of a backup tape or laptop, were the culprit for a data breach. The Sutter Health incident involving a break-in and theft of a desktop computer is used as an example. But the article fails to provide a way to prevent the loss of innumerable patient records by media theft. Keeping ePHI (electronic protected health information) or other sensitive information on secure networks, and not physical devices can greatly decrease the potential risk of allowing thieves access to ePHI. With remote access to networks using mobile devices, the use of two-factor authentication is greatly recommended – it verifies the identity and access level of the user trying reach the data. Read more about this here: Keep ePHI on Secure Networks,…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2015","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nSolutions for the Top 5 Security Vulnerabilities | OTAVA<\/title>\n<meta name=\"description\" content=\"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Solutions for the Top 5 Security Vulnerabilities\" \/>\n<meta property=\"og:description\" content=\"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2012-08-16T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Solutions for the Top 5 Security Vulnerabilities\",\"datePublished\":\"2012-08-16T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\"},\"wordCount\":813,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\",\"url\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\",\"name\":\"Solutions for the Top 5 Security Vulnerabilities | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2012-08-16T00:00:00+00:00\",\"description\":\"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Solutions for the Top 5 Security Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Solutions for the Top 5 Security Vulnerabilities | OTAVA","description":"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/","og_locale":"en_US","og_type":"article","og_title":"Solutions for the Top 5 Security Vulnerabilities","og_description":"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.","og_url":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/","og_site_name":"OTAVA","article_published_time":"2012-08-16T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Solutions for the Top 5 Security Vulnerabilities","datePublished":"2012-08-16T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/"},"wordCount":813,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/","url":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/","name":"Solutions for the Top 5 Security Vulnerabilities | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-08-16T00:00:00+00:00","description":"If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don\u2019t use the cloud service.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Solutions for the Top 5 Security Vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2015"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2015\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2015"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}