Memo: Train your staff on the use of password management software

Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts. A password manager can help encourage the use of long, complex, and unique passwords. A password manager can reduce the need for users to commit their passwords to memory, making […]

Memo: Stop periodic password changes

Requiring users to change passwords periodically may encourage them to create less secure passwords. It may have worked 20 years ago, but it doesn’t work anymore. Stop it. Just stop it. According to cybersecurity firm SecureState, password complexity policies combined with password aging policies consistently lead, on large systems, to a predictable percentage of passwords […]

Critical Parts of a Quality Risk Management Plan (Part 1)

A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks. Parts of a Risk Management Plan: Risk Planning, Risk Identification, Risk Analysis, Risk Response Plans, Risk Register. Risk Planning: Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has […]

Do HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?

The Question: Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and HITECH? The Answer: Yes. Classifying the entity: Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that “transmits any health information in electronic form […]

Memo: subsidiary websites

The question: We have our [redacted] website but just found that our substance abuse team has created another website that specifically addresses addiction and the services provided. The only association it has with our office is a small little logo at the bottom of the page. And the telephone number listed goes directly to […]

Memo: about two-factor authentication

Two-factor authentication (2FA), or multi-factor authentication, is a security process in which the user provides two means of identification from separate categories of credentials; one is something memorized, such as a security code or password, and the other is typically a physical token, such as a card or a previously-authenticated smartphone. A common example of […]

Memo: requirements of a Business Associate Agreement (BAA)

According to the US Department of Health and Human Services, a written contract between a covered entity and a business associate must: establish the permitted and required uses and disclosures of protected health information by the business associate; provide that the business associate will not use or further disclose the information other than as permitted […]

Memo: use of email by healthcare providers to discuss health issues and treatment with patients

From Health and Human Services: “Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as […]

Memo: SOC vs NIST

NIST SP 800-30: Guide for Conducting Risk Assessments. NIST Special Publication 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with […]