The Office of Civil Rights (OCR) is reminding healthcare organizations that conducting a gap analysis is not enough to meet the risk analysis requirements of the HIPAA security rule. Providers must establish reasonable security measures and evaluate all potential risks to patient data. While gap analysis can enhance a risk assessment, it cannot replace it. Failure to conduct a thorough and accurate risk analysis can result in costly settlements, as seen in the case of Fresenius Medical Care North America.
An investigation into a recent cyberattack on government computer systems in Bermuda has found no evidence of unauthorized access to personal information. Premier David Burt