On Password Security Summary (06/08/12)
by Alicia Hasty

With all the recent websites that have been compromised because of weak password security, it is important for us to take a look at our own password security. This article proposes a number of methods which you may use in order to increase password security. There are two main recommendations: have a strong password on every internet service and make sure you do not reuse a password on multiple services.

A strong password will be harder to decrypt than a weak password. If the password contains a mix of upper and lower case letters, numbers, and special characters, it will take longer for the hackers to decrypt than a weak password with only a few lower case letters. However, this does not mean the password will not be decrypted. Also, you do not know if a website even encrypts the password in the first place. A few websites will just keep the password in plain text, although that is less common nowadays. If the password is kept in plain text, then anyone who hacks the website automatically has your password. This leads to the importance of suggestion two.

A unique password should be used on each website. If this is the case, then even if your password is stolen you only have to change your password on the one website. Also, it does not allow the hacker to have access to all of your other accounts which use the same password (especially websites containing your financial information). The article recommends you use a password manager program if you are unable to remember multiple passwords for all of your different accounts. That way, you only need to remember the password to the password manager account. It will keep track of which password you used on which website.

HIPAA Audit Results Released Summary (06/16/12)
by Alicia Hasty

The Office for Civil Rights (OCR) is performing a series of audits of healthcare providers in order to check the security and privacy of patient information as it relates to HIPAA privacy rules. The initial sample of 20 audits was completed in March. These results show a lack of compliance with many of the HIPAA privacy rules. The article discusses some of the findings.

Smaller entities had a higher rate of non-compliance than larger entities based on this sample study. The cut-off for a small entity was considered $50 million in revenue. According to this study, although small covered entities made up only 30% (6 out of the 20) of the total sample size, they accounted for 77% of privacy deficiencies and 61% of security deficiencies. Security seems to be the largest problem faced by these covered entities. Of the deficiencies found, 65% were related to the Security Rule, 26% were related to the Privacy Rule, and 9% were related to the Breach Notification Rule. The largest security issues involved user activity monitoring, contingency planning, authentication/integrity, media reuse and destruction, risk assessment, and granting and modifying user access.

The article then recommends that other covered entities use this data from the sample audit to prepare themselves for the next few rounds of audits relating to the HIPAA security and privacy compliance efforts.