The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

DOUG KANNEY

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.

By: DOUG KANNEY
June 13th, 2019

On May 24th, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a fact sheet on the direct liability of Business Associates under HIPAA. For reference, if an organization is unsure whether it is a Business Associate, a good resource can be found here.

HIPAA | Healthcare

By: DOUG KANNEY
April 11th, 2019

“Do I really need to retain all my HIPAA audit logs for 6 years?”

By: DOUG KANNEY
December 10th, 2018

EXECUTIVE SUMMARY

Anthem has settled a data breach case for $115 million. It is one of the largest settlements ever and holds lessons for healthcare risk managers.

• The breach was traced to one employee clicking on a link.
• Investigators cited insufficient monitoring of key logs.
• The case illustrates the importance of a robust risk analysis/risk management program.

Anthem’s recent $115 million settlement — one of the largest ever in a consumer data breach — shows how costly a breach can be for a healthcare organization. Risk managers should remember that even a much smaller breach could be financially devastating. A California federal district judge approved the settlement resolving a 2015 data breach at Anthem that exposed the data of 78 million members. The settlement will be divided among 19.1 million plaintiffs in the class-action lawsuit. Each can claim up to $10,000 to cover out-of-pocket expenses related to the breach and can receive free credit monitoring services beyond what Anthem has already provided. (The settlement agreement is available online at: https://bit.ly/2jx3ehy.)

While the numbers and costs associated with this breach are staggering, the issues at the root of it are quite simple, says Dianne J. Bourque, JD, an attorney with the Mintz law firm in Boston. “Someone clicked on a phishing email, intruders gained access to Anthem’s PHI [protected health information], and the ensuing enforcement action revealed that Anthem has no enterprisewide risk analysis,” Bourque says. “We see this fact pattern almost daily. The only thing different about the Anthem case is the large number of individuals affected.”

“The Anthem breach should stand as a reminder to healthcare risk managers that this could easily happen to their organizations if they don’t pay attention to compliance fundamentals, especially a comprehensive security risk analysis, ongoing employee training — both formal and informal — and information system activity review,” she added.
The Anthem breach should strike fear in healthcare leaders, says Mark Bower, general manager and chief revenue officer with Egress Software in Boston. “This is a shot across the bow for every CEO, CIO, and CFO,” Bower says. “Not every organization can absorb settlements of this size, not to mention the ongoing management and escalation costs, punitive fines from regulations like HIPAA and GDPR [General Data Protection Regulation], and revenue losses from customer churn that are also associated with data breaches.” The class-action suit shows that consumers possess a healthy appetite for compensation following a breach of their data, Bower says. Organizations that handle PHI, especially highly sensitive patient data, should use this to gauge what is acceptable financial risk when securing data, and invest in technology and training accordingly, he says.

By: DOUG KANNEY
July 25th, 2018

The question of what is considered Protected Health Information (PHI) / Electronic Protected Health Information (ePHI) seems like it should be very simple to answer. Unfortunately, it’s not always straightforward, and different situations can leave organizations struggling to fully understand whether the information they have is or isn’t PHI/ePHI. But such knowledge is actually critical, because recognizing what constitutes PHI/ePHI and where it resides is a crucial building block for creating a HIPAA compliance program.

HIPAA | HIPAA Express

By: DOUG KANNEY
July 18th, 2018

According to the United States Department of Transportation, more than 50% of the combined total of fatal and injury crashes occur at or near intersections. It makes sense then for drivers to take special care when navigating these spots on the road.

By: DOUG KANNEY
August 18th, 2016

A recent Experian Data Breach Resolution and Ponemon Institute study discovered that 55 percent of companies have experienced a data breach due to employee error, and 60 percent of companies believe their employees do not know about the company’s security risks. Furthermore, 66 percent of survey participants admitted that employees are their biggest challenge when developing and implementing data security protocols.

HIPAA | Cybersecurity | HITRUST

By: DOUG KANNEY
June 27th, 2016

In 2015 alone, 112 million healthcare records were compromised. If there’s one thing we can count on in the years to come, it would be increasingly sophisticated cybersecurity attacks that specifically target healthcare organizations. Why healthcare? Here are a few reasons.

HIPAA

By: DOUG KANNEY
June 16th, 2016

The Office for Civil Rights (OCR) released its second round of HIPAA compliance audits at the end of March. Despite the negativity that usually surrounds audits, this should be seen as a good thing. Think of audits as powerful compliance tools that will help you identify and address risks and vulnerabilities related to protected health information (PHI). Here’s what you need to know to prepare your healthcare company for this new round of audits: