
HIPAA Understood: Information Access Management

This series is intended to help those required to comply with HIPAA understand what is actually required of them. Regulatory standards are often difficult to interpret because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


If you have taken “the golden rule” of HIPAA to heart, you will most likely have already achieved compliance with this standard while addressing the previous ones. The standard reads:

“164.308(a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part”

Get it yet? You need to document your information access management processes in policies and procedures. I have talked about this throughout the series so far, and I will continue to do so, because it is a very important part of compliance with the HIPAA Security Rule. You don’t want to just slap something into Word and call it a policy. Make sure you document accurate, up-to-date information about how ePHI is accessed within your organization: who is authorized to access it, when and how that access is authorized, and how employees are cleared for access before it is granted. This is yet another simple rule to comply with, but a lengthy task, because this documentation must be kept current as people, roles and systems change.
