Search Articles

My Take: Risk analysis isn't a nice-to-have document you dust off for audits—it's the thing that tells you phishing is coming and encryption matters. OCR keeps hammering this same nail because most covered entities still don't get it: if you haven't done a real risk analysis, you're just hoping nothing bad happens.

My Take: Mental health records are the crown jewels for attackers—far more damaging than credit cards—yet counseling centers often run on shoestring budgets with IT security to match. If you're a small healthcare provider handling sensitive data, you can't afford to treat cybersecurity as optional anymore; HHS is running out of patience with the "we're too small to be a target" excuse.

My Take: Medical device security is where compliance theater meets actual life-or-death consequences—no amount of HIPAA documentation matters if someone can remotely drive a wheelchair off a curb. If you're auditing medical IoT, stop asking for policies and start asking: "Show me how you're segmenting this thing from the network and what happens when Bluetooth auth fails."

My Take: Props to Covenant for not paying—refusing to fund criminal operations is the right call even when it hurts. But here's the hard truth: if Qilin got in and exfiltrated 478k records, your HIPAA "compliance" program failed at the only job that actually matters.