Data Breach, News Events, Risk Analysis/Risk Management

Sutter Health Breach Update

This past week, Sutter Health released a statement stating that they are notifying 2,582 patients that personal information was included in billing documents a former employee emailed to their personal account without authorization. For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included.

Despite the incident occurring on April 23, 2013, the breach was only discovered “during a thorough review of the former employee’s email activity and computer access.” The internal investigation began on August 27, 2015, more than two years after the incident. What stands out in this instance was the inability for Sutter Health to discover, mitigate, and remediate this incident within a reasonable timeframe. When it comes to HIPAA, breaches must be reported to HHS and the individuals affected without unreasonable delay and in no case later than 60 days following discovery of a breach or when it reasonably should have been known that a breach occurred.

The last point is key and clearly indicates the need for tools that allow organizations to better understand when PHI or other types of sensitive data leave their network. The best option to track and stop data from leaving your network is a Data Loss Prevention (DLP) solution. In this incident, the third large data breach involving Sutter Health, they have found “no evidence that any of the patient information was used or disclosed to others.” Since the data was sent to a personal email account, it is unlikely, truly impossible, that Sutter Health can determine with 100% certainty that the patient information was not disclosed inappropriately and this is reflected in their offering affected individuals one year of free credit monitoring.

In some other breach cases, however, data is available to forensically determine with certainty what happened after a breach occurred, and sometimes long after a breach occurred. If this is the case, then the information existed when the breach actually occurred. The takeaway in those instances is that logs or other forensic data were not reviewed proactively to catch the breach sooner.  In a digital information world with bigger and bigger data hurtling down the road faster and faster, no one seems to be watching the gauges for trouble!

With the many tools available and the ease with which an employee can move data outside of an organization, a DLP solution is a necessity. Not only would your organization be able to watch sensitive information flowing into, throughout, and out of your network without impacting performance, you can lock down many of those outlets for data leakage. In addition to performing a HIPAA Risk Analysis and publishing policies and procedures, DLP can help your organization maintain compliance with regulations such as HIPAA, Red Flags Rule, PCI, and other state and Federal privacy regulations. As the costs for remediating a breach rise, DLP becomes a more prudent decision that can offer real value as well as peace of mind.

If you are interested in learning more about DLP or other related services, contact RISC Management and Consulting, LLC at 800.648.4358 or visit



Cyber Security, Data Breach, Education, Tip of the Week

What is Cybercrime?

Cybercrime is the “use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identifies, or violating privacy” according to the Encyclopaedia Britannica (2014, November 2). This topic became one of the top priorities for the Attorney General Eric Holder of the Department of Justice. The key areas include internet stalking, computer hacking and intellectual property, and forensics.

Some examples of major achievements includes 21 individuals charged in the United States for alleged roles in International Internet Fraud Scheme as reported by Ferrer (2014, December 8). Another example came from Haag (2014, December 8) involving prosecution of Internet Hacktivist Group Anonymous. The 3rd example was reported in 2011 but it is important to mention to raise awareness on the severity cybercrime has developed into. On November 4, 2011 a Malaysian citizen was sentenced for 10 years imprisonment by the United States District Judge Dora Irizarry for his crime of hacking into the Federal Reserve Bank and other private financial institutions. In this last example, the Secret Service took an aggressive stance in the investigation of computer intrusions and other cybercrimes.


RISC and VA in HIMSS15


Cybercrime. (2014, November 2). Encyclopaedia Britannica, Inc. Retrieved from

U.S. Attorneys. (2014, December 23). Priorities areas: Cybercrime. Retrieved from

Business Continuity, Cyber Security, Data Breach, Education, News Events, Tip of the Week, Upcoming Events

Come visit with RISC at HIMSS15 in Chicago!

Come visit with RISC at HIMSS15 in Chicago!

Booth 8175 – Cybersecurity Command Center, a HIMSS Knowledge Center

RISC and Virtual Auditor will be presenting at 12:15 pm – 12:45 pm CT on Tuesday, April 14th on Information Security Compliance Monitoring & Documentation

Location 8175 – Level 3 – Hall B1

Title: Effective Information Security in Healthcare

Description: RISC Management & Consulting

Why Do Healthcare Data Breaches Keep Happening? Learn the necessary foundational elements for an effective data privacy and information security program from industry expert Chris Heuman. RISC will demonstrate the key elements lacking from many security programs, and real world solutions to fill the gaps. Learn the most often used phrase after an incident or Data Breach has occurred and what you can do about it!

Remember to add Session ID: CS13 to your personal HIMSS15 calendar!

For more information click here
For More Information Click Here

Feel free to stop at our booth and chat about compliance challenges you may be experiencing. RISC and Virtual Auditor can help you determine the most effective and efficient solution for your organization.

To Register Click Here
To Register Click Here



Hotel Reservation Click Here
Hotel Reservation Click Here
Schedule at a Glance Click Here
Schedule at a Glance Click Here



Join the GCC HIMSS Chapter at HIMSS15

Chicago welcomes the 2015 Healthcare Information and Management Systems Society (HIMSS) Annual Conference & Exhibition, April 12-16, 2015, at McCormick Place. The GCC HIMSS Chapter will be hosting the event this year.  There’s an expected attendance of over 38,000 healthcare industry professionals ready to discuss health IT issues and view innovative solutions designed to transform healthcare. There are more than 300 education programs, preconference symposiums, workshops, 1200 exhibitors, networking, and special features such as the new Cybersecurity Command Center.

Thought leaders who will be acting as keynotes at the upcoming event, includes George W. Bush, 43rd President of the United States, leads a strong roster of speakers that also includes Alex Gourlay, President, Walgreens; Bruce D. Broussard, President & CEO, Humana; and Jeremy Gutsche, Founder of and Author of “Exploiting Chaos.”

To learn more about this year’s keynote speakers, visit


HIMSS15 New Attendee Orientation | Webinar

April 1, 2015 — 2:00 PM – 3:00 PM CT
Virtual Event

Session ID: CO1

Designed for those who are attending the HIMSS15 Annual Conference & Exhibition for the first time, HIMSS staff will provide orientation in detail across the many programs and offerings available to attendees while providing tips and techniques for getting the most out of your conference experience.

Learning Objectives:

  • Provide an overview of the HIMSS15 Annual Conference & Exhibition
  • Identify ways for first time attendees to maximize their Conference experience
  • Review opportunities among the three pillars of Education, Exhibition, and Networking

Or follow this link for a short video if you are a first time conference attendee:

Business Continuity, Cyber Security, Data Breach, Disaster Recovery, Education, HIPAA / HITECH Enforcement, Tip of the Week, Vulnerability Testing & Management

Is Your Organization’s New Years Resolution to Be More Secure?

Is Your Organization’s New Years Resolution to Be More Secure? If not, it should be!

However, that is too easy to say, and very hard to accomplish. The current threat environment is expanding far faster than the controls can hope to keep up with. A CISOs / CSOs job has never been harder; a trend that will continue this year and on into the future. If you don’t believe that call up organization’s like SONY, ebay (one of the least talked-about giant data breaches of the year), Target, JPMorgan Chase, Home Depot, Community Health Systems, or the 321 other healthcare organizations reporting breaches affecting over 83 million individuals! In fact, healthcare breaches accounted for a whopping 42.3% of data breaches included in the just-published Identity Theft Resource Center 2014 Data Breach Report(1).

Threat vectors include all of the usual suspects that we have been talking about for years. But the massive proliferation of data, accelerating migration to remote and teleworkers, and huge increase in activity of nation-states, organized crime, and hacktivists all make the CISOs / CSOs job next to impossible. It’s not a matter of whether an incident will happen to a modern connected company, but when.

Data breach incident handling must be a part of your data privacy and information security program. Balancing the need for speed of response, especially prompted by state-level data breach rules, with accuracy and responsible forensic activities is a tough challenge. It becomes tougher when interested parties such as the CEO, who suddenly realized that information security is important, compliance, legal, IT Management, public relations, the cyber security insurance carrier and their forensic experts, and the press all want constant feedback and a complete understanding of what happened, who did it, and how much is this going to cost us? from the word, “Go!”

Hopefully all of these parties were interested when the CISO / CSO asked to run a data breach incident drill last year in order to test the capabilities, response time, and training of all relevant parties to respond to such an incident. From our experience performing risk assessments, they were not, and a drill has never been completed.

Don’t let a real incident be the first time you test your data privacy and information security incident response plan. Remember a successful program is built on statements of policy, supporting procedures, tools, checklists, logs, forms, and training. If a real incident is your first test, chances are you are looking at a poor result, and a poor result is more likely to lead to fines and firings.

Since an incident is a matter of When Not If, testing your incident response plan should not be seen as optional or subject to perpetual procrastination!

Lastly, remember that while Information Technology (I.T.) is the system owner and the primary source of information in the event of an incident or breach, the problem is a business issue, not an I.T. issue! Consider addressing requirements and response in your Business Continuity Plan (BCP). BCP procrastination is a topic for another article!

Happy New Year and we’ll secure you in 2015

The team at RISC Management


Cyber Security, Data Breach, Education, Tip of the Week, Vulnerability Testing & Management

“Band-Aids Before Blood”

“Band-Aids Before Blood”

 John T. Schelewitz- Director of Sales, Virtual Auditor, LLC

As a salesperson accountable for the positioning of compliance and security solutions to the Healthcare and Financial verticals, I often find myself in a unique position.  This position being, how to digest the following; “We have quite a few other projects on the table”, “We have not budgeted for that”, “We performed an audit/assessment a few years ago”, “We are content with our current status” and related.

VA appliance

Before I get ahead of myself, there is success had in simply gaining a response.  Well, that may solely be of value to me and not those interested in my quota attainment so, I digress….  My concern is this, if there is not a plan to have band-aids on hand, how do you plan to address the inevitable blood?  According to a recent analysis by a leading IT security firm, of the small portions of IT budgeting set aside for security, corporations often spend as little as 10 percent on incident response, 30 percent on detection and the rest on prevention.  That is, if there is any spending.  And all of that only if there is concern that results in the establishment of defined needs, requirements and initiatives.

More often than not, action, or should I say reaction, is brought about by the sight of blood.

“Instead of merely blocking threats at the perimeter of a network, a multilayer cyber response that protects every critical component inside the network as well as external connection points is a more effective, proactive approach” (CardVault, 2014, para. 3).  This statement reflects the sentiment of a leading cyber security attorney. With external and internal threats both on the rise and inevitable, can your organization afford to be in a reactive position?  The thought of “This won’t happen to my network” is about as realistic as a unicorn monitoring USB usage.

My advice is this; Put a fluid security plan in place to address devices, systems, applications, and users.  This plan must address the enterprise from the firewall to the desktop.  Processes, controls and accountability are critical in this planning.  This plan will include human and appliance elements.  Ultimately, you must understand that your network is exposed 24x7x365.  At any point during this time, there may be blood.  Do you have band-aids?  VA logo


CardVault. (2014). Expect a cyber-breach: It will happen. Are you Ready? Retrieved from

Tips from the RISC and VA team

Don’t let the fear of a data breach keep you awake at night: Schedule a vulnerability assessment and learn ways you can protect your systems.

  • Run a data breach response drill to practice on a scenario so there is less panic when responding to the real thing.
  • Spend a few minutes learning how to improve privacy protections and security safeguards.
  • Visit and to learn a great deal more about the various tools we offer to enable healthcare organizations, financial institutions, universities, and business of any size, to effectively monitor, enforce, and audit your confidential information.