Healthcare Data Privacy

Internet of Medical Things Resilience Partnership Act Approved

Posted by HIPAA Journal

The passage of the Internet of Medical Things Resilience Partnership Act has been approved by the U.S. House of Representatives.

The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks.

The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors.

If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the devices to cause patients harm. What is certain is that if nothing is done, the devices will be attacked and healthcare organizations and patients are likely to be harmed.

The Internet of Medical Things Resilience Partnership Act was introduced by Representatives Dave Trott (D-MI) and Susan Brooks (R-IN) last week. Rep Brooks said, “It is essential to provide a framework for companies and consumers to follow so we can ensure that the medical devices countless Americans rely on and systems that keep track of our health data are protected.”

“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” explained Rep. Trott.

The bill suggests the working group should be led by the U.S. Food and Drug Administration (FDA), and should include representatives from the National Institute of Standards and Technology (NIST), the HHS’ Office of the National Coordinator for Health Information Technology (ONC), the Cybersecurity and Communications Reliability Division of the Federal Communications Commission (FCC), and the National Cyber Security Alliance (NCSA).

At least three representatives of each of the following groups should also join the working group: health care providers, health insurance providers, medical device manufacturers, cloud computing, wireless network providers, health information technology, web-based mobile application developers, and hardware and software developers.

The group will be tasked with developing a cybersecurity framework for medical devices based on existing cybersecurity frameworks, guidance, and best practices. The working group should also identify high priority gaps for which new or revised standards are needed, and develop an action plan to ensure those gaps are addressed.

The working group will be required to submit its report no later than 18 months from the passing of the  Internet of Medical Things Resilience Partnership Act.

The post Internet of Medical Things Resilience Partnership Act Approved appeared first on HIPAA Journal.

53% of Businesses Have Misconfigured Secure Cloud Storage Services

Posted by HIPAA Journal

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI).

However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers.

Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly.

As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Configure your account correctly and your data will be secure. Make a mistake and data will be exposed and you could easily violate HIPAA Rules.

Misconfigured Secure Cloud Storage Services

When it comes to secure cloud storage, many organizations believe their cloud environments have been secured, but that is often not the case. How many businesses are leaving data exposed? According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud.

The report reveals many organizations are not following established security best practices, such as using multi-factor authentication for all privileged account users. To make matters worse, many businesses are failing to monitor their cloud environments which means data is being exposed, but not detected.

The problem appears to be getting worse. RedLock’s last analysis for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, published in its latest Cloud Security Trends Report, shows that percentage jumped to 53% between June and September 2017.

Key Findings

  • 53% of organizations have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative user accounts
  • 81% are not managing host vulnerabilities in the cloud
  • 37% of databases accept inbound connection requests from suspicious IP addresses
  • 64% of databases are not encrypted
  • 45% of Center of Internet Security (CIS) compliance checks are failed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks fail
  • 250 organizations were found to be leaking credentials to their cloud environments on internet-facing web servers

Cloud Misconfigurations Result in Data Breaches

One need look no further than the widespread misconfigured MongoDB installations that were discovered by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands issued. More than 26,000 MongoDB databases were hijacked and held for ransom.

Is it not just small organizations that are making errors that are resulting in data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans exposed, was the result of the failure to address a known vulnerability in Apache Struts; a framework that supported its dispute portal web application. Equifax CEO Richard Smith recently told the House Energy and Commerce Committee that the missed patch was due to a mistake by a single employee.

British insurance giant Aviva found out one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to gain access to its cloud environment with ease. Its administration consoles lacked passwords.

RedLock is not the only company to report on the problem. IBM X-Force said it has tracked more than 1.3 billion records that were exposed as a result of misconfigured servers up to September 2017.

Training will only go so far. You can train your employees never to leave the firewall turned off, yet occasionally that happens. Bad errors can also occur in the cloud that will similarly lead to data breaches. Leave the door open to hackers and they will infiltrate cloud environments, steal data, and hold organizations to ransom.

What organizations must do is to make sure all doors have been closed and locked. Unless organizations proactively monitor their cloud environments, they will be unaware there is a problem until it is too late.

The post 53% of Businesses Have Misconfigured Secure Cloud Storage Services appeared first on HIPAA Journal.

Is WhatsApp HIPAA Compliant?

Posted by HIPAA Journal

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI).

However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, WhatsApp is NOT HIPAA compliant for several reasons.

Why Isn’t WhatsApp HIPAA Compliant?

First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users.

HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is implemented in its place, encryption is not required. Since WhatsApp now includes end-to-end encryption, this aspect of HIPAA is satisfied.

Access controls are also required – See 45 CFR § 164.312(a)(1). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user’s WhatsApp account, without the need to enter in any usernames and passwords. That means any ePHI included in conversations would also be accessible. Additional security controls may be installed on a smartphone to authenticate users before the device can be accessed, but even when those controls have been applied, notifications about new messages can often be seen without opening the App or unlocking the device.

HIPAA also requires audit controls – See 45 CFR § 164.312(b). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved, although they can easily be deleted. There is also no HIPAA compliant audit trail maintained in WhatsApp. All data in the account would also need to be backed up. Currently, if you switch phones, your account will be preserved, but your messages will not.

Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. That would be a logistical nightmare for any covered entity, as it could not be performed remotely, finding messages would be next to impossible, and users would likely object to their WhatsApp being deleted.

Regardless of the features of WhatsApp and how well data is protected in transit, at the time of writing, WhatsApp will not sign a business associate agreement with a HIPAA covered entity. If HIPAA covered entities want to use WhatsApp, before any ePHI is sent, a HIPAA compliant business associate agreement must be signed with WhatsApp. Even though WhatsApp does not read text messages, that does not mean that no business associate agreement would be required.

So, Is WhatsApp HIPAA compliant? In its current form no. When it comes to WhatsApp and HIPAA compliance, even if covered entities were to use additional controls to prevent accidental disclosures, until WhatsApp is willing to sign a BAA, the service cannot be used to send ePHI without violating HIPAA Rules.

The post Is WhatsApp HIPAA Compliant? appeared first on HIPAA Journal.

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

Posted by HIPAA Journal

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered?

HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity.

However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm.

Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested.

Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is identified. They should also be told to monitor their Explanation of Benefits statements for benefits that they have not received. Information should also be provided on placing a fraud alert and freeze on their credit files.

While HIPAA does not require covered entities to offer credit monitoring and identity theft protection services, state laws may differ. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached entity to provide a minimum of 12 months of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”

In California, while it is not mandatory to provide credit monitoring and identity theft protection services to breach victims, if those services are provided they must be free of charge and for a minimum of 12 months. State laws are frequently updated, so covered entities should keep up to date with new legislation introduced in the states in which their patients and members reside.

Even though it may not be mandatory for healthcare organizations to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to reducing the fallout from a data breach.

Credit monitoring services should be provided to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been stolen.

Credit monitoring services inform breach victims when credit monitoring companies receive notifications of applications for credit, loans, or when personal information is changed – changes of address or phone number for example.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as Social Security numbers, Driver’s license numbers, medical ID numbers, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the likelihood of data being used for identity theft and fraud, the risk of data being sold on, and types of data that have been exposed.

The post Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims? appeared first on HIPAA Journal.

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

Posted by HIPAA Journal

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity?

What Are HIPAA Covered Entities?

HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards.

Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information.

Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be required to comply with HIPAA Rules.

Legally, the HIPAA Privacy Rule only applies to covered entities, although since covered entities usually require the services of vendors, which may need access to PHI in order to perform certain tasks, the HIPAA Privacy Rule permits covered entities to share PHI with those companies.

Before PHI can be shared, vendors must agree to use the PHI only for the tasks that they have been contracted to perform. They must also agree not to disclose the PHI to other entities, and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Covered entities must obtain ‘satisfactory assurances,’ in writing, in the form of a contract, that HIPAA Rules will be followed.

What is a HIPAA Business Associate?

A HIPAA business associate is any entity, be that an individual or a company, that is provided with access to protected health information to perform services for a HIPAA covered entity.

Software providers, whose solutions interact with systems that contain ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for noncompliance.

Business associates of HIPAA covered entities must sign a contract with the covered entity, termed a business associate agreement or BAA, that outlines the responsibilities of the business associate and explains that the business associate is required to comply with HIPAA Rules.

It is the responsibility of a business associate to ensure that if any subcontractors are used, they too agree to comply with HIPAA Rules and sign a BAA. Information on when a business associate agreement is not required are detailed here.

While a business associate must agree to comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated.

The HHS has developed a tool that explains the differences between a HIPAA business associate and a HIPAA covered entity. You can use the tool to determine if you are a covered entity or a business associate and whether HIPAA Rules must be followed.

The post What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity appeared first on HIPAA Journal.

Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

Posted by HIPAA Journal

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise.

In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.”

GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.”

Every year, each federal agency is required to have information security program and practices reviewed by its inspector general, or an external auditor, to determine the effectiveness of the program and practices. In 2016, 24 federal agencies were inspected, but only 7 of those agencies were determined to have effective information security programs.

Critical security weaknesses were discovered during those audits that could lead to a system compromise and the exposure and theft of sensitive data. Security weaknesses were found at 24 federal agencies, including the Department of Health and Human Services, Department of Veteran Affairs, and Internal Revenue Service.

Most of the agencies were discovered to have weaknesses in five control areas, including access controls, segregation of duties, configuration management controls, contingency planning, and agency-wide security management.

The Food and Drug Administration (FDA) was found to have “A significant number of security control weaknesses that jeopardize the confidentiality, integrity, and availability of its information systems and industry and public health data.”

“The National Aeronautical and Space Administration, Nuclear Regulatory Commission, Office of Personnel Management, and the Department of Veteran Affairs had not always effectively implemented access controls over selected high-impact systems.”

“The Internal Revenue Service had weaknesses in information security controls that limited its effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”

All agencies had weaknesses in their access controls, 223 configuration management weaknesses were identified at 23 of the 24 agencies. More than half of the agencies did not segregate incompatible duties to prevent unauthorized actions or unauthorized access to assets or records. 623 security management weaknesses across the 24 agencies, and 20 of the 24 agencies had weaknesses in implementing a security training program.

No new recommendations were made in the report, as previous audits have highlighted the vulnerabilities and hundreds of recommendations have previously been made by inspectors general to address those vulnerabilities.

GAO points out that “Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies’ progress on those recommendations.”

The post Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies appeared first on HIPAA Journal.

Privacy and Security Awareness Lacking in 70% of Employees

Posted by HIPAA Journal

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training.

For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study.

Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk.

Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30% – A good sign that some employees have responded to training and are taking more care at work. Worryingly, while the percentage of novices fell from 72% last year to 51% in 2017, the number of individuals classed as a risk increased from 16% in 2016 to 19% this year.

Tom Pendergast, chief strategist for security, privacy, and compliance at MediaPro explained that in the risk category, there are two areas that have been consistently poor over the past two years: Physical security and safe remote working/mobile computing. In the latter category, one of the biggest risks was connecting to insecure Wi-Fi networks. The percentage of respondents that admitted doing this jumped from 45% last year to 62.3% this year – Overall, 19% of respondents admitted to risky practices when working remotely.

The overall scores across six of the eight categories being tested improved year over year, with notable improvements in identifying malware and phishing threats, reporting incidents, working remotely, identifying personal information, and cloud computing.

The two areas where there was decline were physical security – such as allowing individuals into a facility without checking identification – and social media security  – such as posting personal and sensitive company information on social media accounts.

Perhaps the biggest risk faced by organizations today is phishing. Phishing emails are the primary method of delivering malware and ransomware and obtaining sensitive information such as login credentials.

Respondents were tested on their phishing awareness and were presented with four emails, which they were asked to rate as legitimate or phishy. 8% of respondents were unable to identify the phishing emails correctly. Out of the phishing emails tested, the email offering a stock tip from a well-known investor fooled the highest number of respondents. 92% of respondents were able to identify a phishing email with a potentially malicious attachment, up from 75% last year.

The post Privacy and Security Awareness Lacking in 70% of Employees appeared first on HIPAA Journal.

OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

Posted by HIPAA Journal

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals.

Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issued such a waiver after a natural disaster when a public health emergency has been declared.

However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule.

In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose PHI to family, friends, and other individuals that have been identified by a patient as being involved in his or her care. PHI may also be shared to help identity or locate individuals involved in a patient’s care, or to notify them of the patient’s location, health status, or death.

In an emergency situation, covered entities should try to obtain verbal permission from the patient to share information, although when this is not possible, such as when a patient is incapacitated, it is down to the professional judgement of the covered entity to determine whether sharing information is in the patient’s best interest.

In the case of natural disasters, PHI may need to be shared with disaster relief organizations to assist with disaster relief efforts. While permission should be obtained, it is not necessary if obtaining permission would interfere with the organization’s ability to respond to an emergency situation.

The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is mentioned by name, provided the patient has not previously objected to the sharing of such information, in which case the patient’s request should be honored.

Any sharing of other information, such as test results, details of an illness, or other health information, must generally only be shared if permission has first been obtained from the patient in writing.

Whenever PHI is shared, the minimum necessary standard applies and any PHI shared must be limited to the minimum necessary information to achieve the purpose for which the information is shared.

The provisions of the HIPAA Privacy Rule are detailed in: 45 CFR 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s care; 45 CFR 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care; 45 CFR 164.508 – HIPAA authorizations; 45 CFR §§ 164.502(b) and 45 CFR §§ 164.514(d) – The minimum necessary standard.

The post OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals appeared first on HIPAA Journal.

NIST Updates its Risk Management Framework for Information Systems and Organizations

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published.

NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made.

The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that organizations often fail to communicate issues effectively with the C-suite.

One of the main aims of the update is to provide closer linkage and communication risk management processes at the system and organization level with those of the C-Suite. More C-suite involvement will help to ensure that the Risk Management Framework is more effective when it is implemented.

The update will help to institutionalize critical enterprise-wide risk management preparatory activities enabling more cost-effective execution of the Framework at the system and operational level. NIST has also unified security and privacy concepts into the Framework to help organizations develop a more integrated approach to risk management.

The discussion draft of the updated NIST Risk Management Framework is open for comments until November 3, 2017. NIST said, “This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0.” Public comments will accepted when the public draft of the guidance is issued in November 2017.

NIST hopes to release the final draft of the updated Risk Management Framework for Information Systems and Organizations in January 2018, and the final publication in March 2018.

The post NIST Updates its Risk Management Framework for Information Systems and Organizations appeared first on HIPAA Journal.