What are some of the most important aspects in managing vendor security risk when taking on third parties to handle sensitive data? Mitch Parker, CISO of Indiana University Health, explains the critical steps his organization is taking in its approach to vendor risk.
Delayed enforcement of the "strong customer authentication" requirements for online transactions under the European Union's PSD2 regulation is hampering efforts to enhance security. That's why the European Banking Authority should act quickly to develop a new timeline.
Proponents of the potential adoption of a national unique patient identifier had been hopeful that the Senate would follow the House's lead in lifting a 20-year ban on funding for federal regulators to work on development. But now they face two substantial hurdles.
Why did U.S. President Donald Trump discuss cybersecurity firm CrowdStrike with the president of Ukraine, saying "the server, they say Ukraine has it"? Experts say Trump appears to be referring to one or more conspiracy theories, none of which have a basis in reality.
The movement to lift the longstanding Congressional ban on federal regulators funding the development or adoption of a national unique patient identifier appears to have hit a roadblock. Here's an update.
A Minnesota county that originally reported last December that a hacking incident affected about 600 individuals now says about 118,000 may have had healthcare data exposed. What's behind the huge spike?
A mishap involving the mailing of breach notification letters has led a Tennessee hospice to issue a "corrective" privacy breach notification. The incident is yet another example of why healthcare organizations need to carefully scrutinize their breach response and notification processes.
HHS has slapped a Florida healthcare provider with an $85,000 settlement for failing to provide a mother with timely access to fetal monitoring records. The settlement with Bayfront Health St. Petersburg is the agency's first enforcement action in its "HIPAA right of access initiative."
The federal tally of major health data breaches has spiked over the last month, mostly because of the American Medical Collection Agency incident, which led to nearly two dozen breach reports from the firm's affected clients.
Providence Health Plan says some of its members were among the nearly 3 million individuals affected by a data breach revealed by health plan administrator Dominion National in June. What lessons are emerging from that security incident and others involving third parties?
Do criminal organizations prefer to target organizations that hold cyber insurance policies? A ProPublica report suggests that because cyber insurance policyholders are more likely to pay ransoms, they're a more frequent target. But some cybersecurity experts have expressed skepticism.
Google and the University of Chicago Medical Center have filed motions to dismiss a class action lawsuit that alleges patients' records were not properly de-identified by the hospital before they were shared with Google for research. Legal experts offer an analysis of the privacy case.
The Department of Health and Human Services has issued proposed changes to privacy rules related to the sharing of patient records created by federally assisted substance use disorder treatment programs. Do the proposals go too far, or not far enough?
Organizations need to create a "defensible" cybersecurity program that has a mandate and executive endorsement, says Gartner's Tom Scholtz. I. Here are some points to keep in mind when drafting a program.
Progressive companies seeking to improve their security are increasingly adopting bug bounty programs. The theory is that rewarding outside researchers improves security outcomes. But in practice, bug bounty programs can be messy and actually create perverse incentives, says bug-hunting expert Katie Moussouris.