A computer that could break the encryption that safeguards your private information on the internet. A machine that can design powerful new drugs by precisely simulating the behavior of individual molecules. A device that optimizes complex supply chains to help companies get the parts they need and assemble them in the most efficient way possible.
These are all examples of how an emerging technology — the quantum computer — could change our world.
These computers work by harnessing quantum physics — the strange, often counterintuitive laws that govern the universe at its smallest scales and coldest temperatures. Today’s quantum computers are rudimentary and error-prone. But if more advanced and robust versions can be made, they have the potential to rapidly crunch through certain problems that would take current computers years. That’s why governments, companies and research labs around the world are working feverishly toward this goal.
Quantum computers will not replace our familiar “classical” computers. Rather, the two types of machines could work together to solve problems that stymie classical computers, potentially supercharging scientific research in fields such as materials and drug discovery, giving a boost to industry and upending cybersecurity as we know it.
Posted on September 18, 2025 by Dr. David Edward Marcinko MBA MEd CMP™
By Carol Miller RN MBA
***
New-Wave Technology
To help hospitals and health systems comply with Health Insurance Portability and Accountability Act regulations, best practices are emerging for securing all electronic communication – cloud, wireless, and texting – of protected health information. These technologies will continue to evolve as hospitals, providers and patients move to new means of communication. Below is a description of how each is affected by HIPAA.
Cloud Solutions. Cloud solutions are becoming a necessity in treating patients today, but they also present privacy and security risks. Despite the advantages of cloud computing, organizations are often hesitant to use it because of concerns about security and compliance. Specifically, they fear unauthorized access to patient data and the accompanying liability and reputational damage that result from having to report HIPAA breaches. While these concerns are understandable, a review of the HIPAA breach data published by HHS shows that they are misplaced. In fact, by using a cloud-based service with an appropriate security and compliance infrastructure, a facility can significantly reduce its compliance risk.
Because HIPAA compliance involves stringent privacy and security protections for electronic protected health information (PHI), many cloud providers are balking at signing new Business Associate agreements. Most cloud-technology providers, such as Box and Dropbox, do not include the built-in privacy protections that guarantee HIPAA compliance. Because many cloud storage companies store plaintext data on their servers, PHI held there is especially vulnerable to breaches and compliance violations.
Mobility Solutions. The recent launches of Apple Health and Google Fit have stirred a lot of interest in health application development. It is important that hospitals and providers understand the laws around PHI and HIPAA compliance for any healthcare-focused mobile application or software. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as hospitals and providers) must be HIPAA-compliant.
For years, hospitals have wanted to bring computers into exam rooms, waiting rooms, and treatment rooms to eliminate hard-to-read patient charts, make sure everyone treating the patient sees the same information, ensure that everything is recorded as it occurs, and enable doctors, nurses, and technicians to stay connected to vital information and services wherever they are in the hospital. Many hospitals have adopted Computers on Wheels (COWs) or tablets, but many of these were hard to use, had poor touchscreen interfaces and did not last long on a battery. iPads seem to be the logical replacement, as long as the iPad can comply with HIPAA rules.
HIPAA was written nearly 30 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which applications must be HIPAA-compliant and which are exempt. Considering the numerous ways security breaches can occur with a mobile device, it is no wonder that HHS is very leery about how PHI is handled on smartphones, wearables, and portable devices.
If the applications are going to send or share health data to a hospital, doctor or other covered entity, it MUST be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device. Examples include:
Phones, tablets, and wearables can be easily stolen and lost, meaning PHI could be compromised
Social media and email are easily accessible by the device, making it easy for users to post information that breaches HIPAA privacy laws.
Push notifications and other user communications can violate HIPAA laws if they contain PHI
Users may intentionally or unintentionally share personally identifiable information, even if the application’s intended use doesn’t account for it
Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device
Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.
This protected health information can include everything from medical records and images to scheduled appointment dates. Regardless of the device, it is important to take all the steps possible to comply with HIPAA guidelines.
Texting. Text (or SMS) messaging has become nearly ubiquitous on mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. Clinical care is not immune from the trend, and in fact physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.
(Source: Journal of AHIMA, “HIPAA Compliance for Clinician Texting”, by Adam Green, April 2012)
Texting can offer providers numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes. Further, texting is device neutral—it will work on personal or provider-supplied devices of all shapes and sizes. Because of these advantages, physicians may utilize texting to communicate clinical information, whether authorized to do so or not.
All forms of communication involve some level of risk. Text messaging merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.
Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.
Texts also are generally not subject to central monitoring by the IT department. Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software (although a substantial level of sophistication is needed). If text messages are used to make decisions about patient care, then they may be subject to the patient's rights of access and amendment. There is a risk of noncompliance with the Privacy Rule if the covered entity cannot provide patients with access to, or amendment of, such text messages.
According to 2012 data from CTIA–The Wireless Association, U.S. citizens alone exchange nearly 200 billion text messages every month. So it’s not surprising that an increasing number of clinicians are using text messaging to exchange clinical information, along with a wide range of other modes — smartphones, pagers, computerized physician order entry, emails, etc. Electronic communication is certainly faster, can be more efficient, enhances clinical collaboration and enables clinicians to focus on patient care. But with these benefits comes an increased risk of security breaches.
(Source: Clarifying the Confusion about HIPAA – Compliant Texting, by Megan Hardiman and Terry Edwards, May 2013)
Unfortunately, vendor hype about the Health Insurance Portability and Accountability Act is causing many hospitals and health systems to implement stop-gap measures that address part — but not all — of a problem. To identify all vulnerabilities, health care leaders need to consider not only text messaging, but all mechanisms by which protected health information in electronic form is transmitted — as well as the security of those mechanisms.
Mobile device-to-mobile device SMS text messages are generally not secure because they lack end-to-end encryption. The sender does not know with certainty that his or her message was actually received by the intended recipient. In addition, the telecommunications vendor or wireless carrier may store the text messages. Recent HHS guidance indicates that text messaging, as a means of communicating PHI, can be permissible under HIPAA depending in large part on the adequacy of the controls used. A hospital or provider may be approved for texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform allowing texting on approved mobile devices.
A study reported in Computer World in May 2013 by the Ponemon Institute, covering 577 healthcare and IT professionals in facilities ranging from fewer than 100 beds to over 500 beds, found that fifty-one percent of respondents felt HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces time available for patient care (85% of respondents), makes access to electronic patient information difficult (79% of respondents) and restricts the use of electronic mobile communications (56% of respondents). The study stated that “respondents agreed that the deficient communications tools currently in use decrease productivity and limit the time doctors have to spend with patients.” They also stated that “they recognized the value of implementing smartphones, text messaging and other modern forms of communications, but cited overly restrictive security policies as a primary reason why these technologies were not used.” Clinicians in the survey stated that only 45% of each workday is spent with patients; the remaining 55% is spent communicating and collaborating with other clinicians and using the electronic medical record and other clinical IT systems.
Several other statements made were:
Because of the need for security, hospitals and other healthcare organizations continue to use older, outdated technology such as pagers, email and facsimile machines. The use of older technology can also delay patient discharges – now taking an average of 102 minutes.
The Ponemon Institute estimated that the lengthy discharge process costs the U.S. hospital industry more than $3.189 billion a year in lost revenue, with another $5 billion lost through decreased doctor productivity and use of outdated technology. Secure text messaging could cut discharge time by 50 minutes.
(Source: Computer World, “HIPAA rules, outdate tech cost U.S. hospitals $3.38 B a year”, by Lucas Mearian, May, 2013)
Several suggestions offered for these preferred mobile devices are: 1) ensure encryption and restrict access to the individuals who need it; 2) use secure texting applications; and 3) consider alerting employees with a warning before they send an email or share files, letting them know they are liable for the information sent.
Quishing, or QR phishing, is a cybersecurity threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.
This type of phishing often bypasses conventional defenses like secure email gateways. Notably, QR codes in emails are perceived by many secure email gateways as meaningless images, making the users vulnerable to specific forms of phishing attacks. QR codes can also be presented to intended victims in a number of other ways.
QR codes, or Quick Response codes, are two-dimensional barcodes that can be scanned easily with a camera or a code reader application. The main component of a QR code is data storage. QR codes have the capability to store significant amounts of information including URLs, product details, or contact information. Scanning technology allows smartphone cameras or code readers to easily and quickly access the website to which the URL points.
In a quishing attack, the attackers create a QR code and link it to a malicious website. Typically, the attacker will embed the QR code in phishing emails, social media, printed flyers, or physical objects, and use social engineering techniques to entice the victims. For example, victims might receive an email urging them to access an encrypted voice message via a QR code for a chance to win a cash prize.
Upon using their phones to scan the QR code, victims are directed to the malicious site. The site may prompt victims to enter private information, such as login information, financial details, or personal information. In the example above, the site may request the user’s name, email, address, date of birth, or account login information.
Once this sensitive information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud, or ransomware.
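The defensive counterpart to the attack described above is to inspect what a QR code decodes to before anyone follows it. The following is an added example, not code from the original post: it takes the already-decoded payload string of a QR code (image decoding is out of scope here) and reports the indicators a security team commonly looks for in a redirect target, such as plaintext HTTP, an IP-literal host, credentials smuggled in front of an `@`, punycode labels, deep subdomain nesting, and non-web payloads (Wi-Fi or contact records) that deserve manual review. The payloads, hostnames and threshold values are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Only ordinary web links are expected from a legitimate QR code in email or print.
WEB_SCHEMES = {"http", "https"}
# More labels than this (e.g. a.b.c.d.example.net) is a constructed heuristic threshold.
MAX_LABELS = 5


def assess_qr_payload(payload: str) -> list:
    """Return a list of finding codes for one decoded QR payload (empty = nothing flagged)."""
    findings = []
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()

    if not scheme:
        # Plain text, phone numbers without a scheme, etc.: cannot be a web redirect.
        return ["no-scheme"]
    if scheme not in WEB_SCHEMES:
        # WIFI:, MECARD:, tel:, mailto:, data: ... not a web link, needs human review.
        return ["non-web-scheme"]
    if scheme == "http":
        findings.append("http-plaintext")

    host = (parts.hostname or "").lower()
    if parts.username or parts.password:
        # https://trusted.example.com@attacker-host/ renders the trusted name first
        # but the browser connects to the host after the '@'.
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised domain label: possible homoglyph look-alike.
        findings.append("punycode-host")
    if len(host.split(".")) > MAX_LABELS:
        findings.append("deep-subdomain")
    return findings


def triage(payloads: list) -> dict:
    """Map each decoded payload to its findings, for a batch pulled from quarantined mail."""
    return {p: assess_qr_payload(p) for p in payloads}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner might decode them from quarantined emails.
    samples = [
        "https://portal.example.org/login",
        "http://192.0.2.10/voice-message",
        "https://accounts.example.com@evil.example.net/login",
        "WIFI:T:WPA;S:FreeGuest;P:secret;;",
    ]
    for payload, findings in triage(samples).items():
        print(f"{payload!r}: {findings or 'no indicators'}")
```

The heuristics are deliberately conservative: a clean result does not make a link safe, it only means none of these structural tricks is present, so the usual URL reputation and sandbox checks still apply.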
In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are converging on a few key guidelines. The following recommendations come directly from the FTC report.
Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:
Conducting a privacy or security risk assessment
Minimizing the data they collect and retain
Testing their security measures before launching their products
Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
According to colleague Shahid N. Shah MS, the FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics. For safety-critical devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:
Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?
External Threats: Has the device been designed to lock down the device from external threats?
Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
Password Management: Are passwords hardcoded into the device or made configurable?
Configuration Protection: Are configuration files properly check-summed and protected against malicious changes?
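Two of the checklist items above, Password Management (no hardcoded secrets) and Configuration Protection (checksummed configuration files), translate directly into code. The following is an added example, not code from the original post or from any device vendor: a device configuration file is protected with a keyed HMAC-SHA256 tag rather than a plain checksum, because an attacker who can edit the file can also recompute an unkeyed hash, and the loader refuses to run on a file whose tag does not verify. The configuration also names an environment variable for the service credential instead of containing the credential itself. The file contents, key, environment variable name and field names are constructed for illustration; on a real device the key would live in a secure element or similar protected store.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


class ConfigTampered(Exception):
    """Raised when a configuration file fails integrity verification."""


def _sig_path(path: Path) -> Path:
    return path.parent / (path.name + ".sig")


def sign_config(path: Path, key: bytes) -> str:
    """Write a keyed HMAC-SHA256 tag next to the config; return the hex tag."""
    tag = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    _sig_path(path).write_text(tag)
    return tag


def verify_config(path: Path, key: bytes) -> bool:
    """True only if the stored tag matches the current file under the same key."""
    sig = _sig_path(path)
    if not sig.exists():
        return False
    expected = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, sig.read_text().strip())


def load_config(path: Path, key: bytes) -> dict:
    """Verify, parse, and resolve the service credential from the environment."""
    if not verify_config(path, key):
        raise ConfigTampered(f"integrity check failed for {path}")
    cfg = json.loads(path.read_text())
    if "service_password" in cfg:
        # Reject a secret embedded in the file: it would ship with every unit.
        raise ValueError("hardcoded credential found in configuration")
    env_name = cfg.get("service_password_env")
    cfg["service_password"] = os.environ.get(env_name, "") if env_name else ""
    return cfg


def demo() -> dict:
    """Sign a constructed config, load it, tamper with it, and show the tamper is caught."""
    key = b"constructed-demo-key-do-not-use-in-production"
    os.environ["DEVICE_SVC_PASSWORD"] = "constructed-demo-secret"
    with tempfile.TemporaryDirectory() as d:
        cfg_path = Path(d) / "device.json"
        cfg_path.write_text(json.dumps({
            "update_server": "https://updates.example.internal",  # constructed
            "telnet_enabled": False,
            "service_password_env": "DEVICE_SVC_PASSWORD",
        }))
        sign_config(cfg_path, key)
        intact = verify_config(cfg_path, key)
        loaded = load_config(cfg_path, key)

        # An attacker with file access flips a hardening setting without the key.
        edited = json.loads(cfg_path.read_text())
        edited["telnet_enabled"] = True
        cfg_path.write_text(json.dumps(edited))
        after_tamper = verify_config(cfg_path, key)
        try:
            load_config(cfg_path, key)
            tamper_detected = False
        except ConfigTampered:
            tamper_detected = True
    return {
        "intact": intact,
        "password_from_env": loaded["service_password"],
        "after_tamper": after_tamper,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The signing key must not sit beside the file it protects, otherwise the scheme degrades to the unkeyed checksum it replaces; verification at boot, before any network service starts, is the usual placement on a device.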
ASSESSMENT
It is vital to perform a security assessment on a healthcare practice to understand the environment, identify risks and perform risk mitigation. A one-time security assessment with risk mitigation is not sufficient in 2025. This is a continuous process that needs to be performed religiously to maintain a secure and compliant practice.
Posted on March 2, 2025 by Dr. David Edward Marcinko MBA MEd CMP™
By Staff Reporters
***
What is a Honeypot?
A honeypot is a network-attached system used as a trap for cyber-attackers, to detect and study the tricks and types of attacks used by hackers. It acts as a tempting target on the internet and alerts defenders to any unauthorized attempt to access the information system.
Honeypots are mostly used by large companies and organizations involved in cybersecurity. They help cybersecurity researchers learn about the different types of attacks used by attackers. It is suspected that even cyber criminals use honeypots to decoy researchers and spread false information. The cost of a honeypot is generally high because it requires specialized skills and resources to build a system that appears to expose an organization’s resources while still preventing attacks on the back end and access to any production system.
Advantages of Honeypot
Acts as a rich source of information and helps collect real-time data.
Identifies malicious activity even if encryption is used.
Wastes hackers’ time and resources.
Improves security.
Disadvantages of Honeypot
Being distinguishable from production systems, it can be easily identified by experienced attackers.
Having a narrow field of view, it can only identify direct attacks.
A honeypot once attacked can be used to attack other systems.
Fingerprinting (an attacker can identify the true identity of a honeypot).
What is a Honeynet?
A honeynet is made up of two or more honeypots connected via a network. Having a linked network of honeypots can be beneficial. It allows organizations to trace how an attacker interacts with a single resource or network point while also monitoring how a hacker moves between network points and interacts with numerous points at the same time.
The goal is to induce hackers to believe that they have successfully breached the network. Having more false network destinations makes the arrangement appear more realistic.
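To make the trap idea concrete, here is an added example, not code from the original post: a minimal low-interaction TCP honeypot in Python that listens on loopback, greets each connection with a decoy mail-server banner, records who connected and what they sent first, and exposes the event log for review. Because no legitimate client ever has a reason to talk to this socket, every recorded event is by definition suspicious, which is the "identifies malicious activity" advantage listed above. The banner text, ports and probe payload are constructed for illustration; the probe helper exists only so the block can exercise itself offline.

```python
import socket
import socketserver
import threading
import time
from dataclasses import dataclass


@dataclass
class ProbeEvent:
    """One recorded connection: who connected and the first bytes they sent."""
    peer: str
    port: int
    first_bytes: bytes


class _DecoyHandler(socketserver.BaseRequestHandler):
    # Constructed banner: looks like an SMTP service, but nothing is actually relayed.
    BANNER = b"220 mail.example.internal ESMTP ready\r\n"

    def handle(self):
        try:
            self.request.sendall(self.BANNER)
            self.request.settimeout(2.0)
            data = self.request.recv(256)
        except (OSError, socket.timeout):
            data = b""
        self.server.events.append(
            ProbeEvent(self.client_address[0], self.client_address[1], data)
        )


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        # port 0 lets the OS pick a free port; a deployment would use a decoy port.
        super().__init__((host, port), _DecoyHandler)
        self.events = []

    def start(self) -> int:
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()

    def wait_for_events(self, count: int, timeout: float = 5.0) -> list:
        """Block until at least `count` events are logged or the timeout passes."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count and time.monotonic() < deadline:
            time.sleep(0.05)
        return list(self.events)


def summarize(events: list) -> dict:
    """Count connection attempts per source address, the usual first triage view."""
    counts = {}
    for e in events:
        counts[e.peer] = counts.get(e.peer, 0) + 1
    return counts


def simulate_probe(port: int, payload: bytes) -> bytes:
    """Connect like a scanner would: read the banner, send one line, disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    port = hp.start()
    print("banner:", simulate_probe(port, b"EHLO scanner\r\n"))
    for event in hp.wait_for_events(1):
        print("recorded:", event)
    print("per-source counts:", summarize(hp.events))
    hp.stop()
```

A real deployment forwards the event log to the SIEM rather than keeping it in memory, and the honeypot host is isolated so that a compromise of the decoy cannot reach production (the "once attacked can be used to attack other systems" disadvantage above).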
Posted on July 23, 2024 by Dr. David Edward Marcinko MBA MEd CMP™
By Staff Reporters
Standard & Poor’s 500 Stock Index
What it is: Investment company Standard & Poor’s maintains an index of 500 stocks from the largest companies listed on the NASDAQ and New York Stock Exchange. To be eligible for consideration, companies have to meet certain criteria—including a market cap of $8.2+ billion, a U.S. headquarters, and positive earnings for at least four consecutive quarters. They can be kicked out if they slip.
How it works: Companies are weighted by their market cap, specifically their float-adjusted market cap (which only counts shares that are theoretically available for retail investors to buy). That means the S&P skews toward larger cap companies, and tech stocks now account for over a quarter of the index’s total value.
Why it matters: With 500 stocks covering a broad range of industries, the S&P is widely considered the best indicator of large-cap stocks in the U.S. While the S&P’s weighting-by-market-cap method is more common than the Dow’s weighting by share price, it does introduce some risk that overvalued stocks will inflate the overall index.
“…small businesses with fewer than 1,000 employees are four times more likely to be impacted by attackers than medium and large businesses.” That’s us, Doc. (You might not get this kind of news from the American Dental Association).
EDITOR’S NOTE: I first met Rich in B-school, when I was a student, back in the day. He was the Founder and CEO of Superior Consultant Holdings Corp. Rich graciously wrote the Foreword to one of my first textbooks on financial planning for physicians and healthcare professionals. Today, Rich is a successful entrepreneur in the technology, health and finance space.
Posted on June 27, 2024 by Dr. David Edward Marcinko MBA MEd CMP™
MEDICAL EXECUTIVE-POST – TODAY’S NEWSLETTER BRIEFING
***
Essays, Opinions and Curated News in Health Economics, Investing, Business, Management and Financial Planning for Physician Entrepreneurs and their Savvy Advisors and Consultants
“Serving Almost One Million Doctors, Financial Advisors and Medical Management Consultants Daily”
A Partner of the Institute of Medical Business Advisors, Inc.
The S&P 500® index (SPX) rose 8.6 points (0.16%) to 5,477.9; the Dow Jones Industrial Average® ($DJI) added 15.64 points (0.04%) to 39,127.8; the NASDAQ Composite® ($COMP) climbed 87.5 points (0.49%) to 17,805.16.
The 10-year Treasury note yield rose 8 points to 4.32%.
The CBOE Volatility Index® (VIX) eased to 12.5
What’s up
FedEx shipped 15.52% directly to your portfolio after beating fourth-quarter earnings expectations and guiding for higher-than-expected earnings in the coming fiscal year.
Vista Outdoor rose 9.09% after MNC Capital raised its bid to acquire the ammunition maker to $3.2 billion.
What’s down
General Mills dipped 4.58% thanks to a poor quarterly earnings report, with lower sales due to lower demand from consumers.
Paychex fell 6.11% despite beating earnings estimates this quarter. The problem is slower growth ahead due to small and mid-sized businesses struggling with high inflation.
Aptiv dropped 7.93% after news of the Rivian-Volkswagen deal prompted Piper Sandler analysts to downgrade the stock and lower their price target.
The disastrous ransomware attacks on Change Healthcare and Ascension this year ran up staggering costs and put a spotlight on the healthcare sector’s vulnerability. But healthcare orgs are hardly new to eye-popping bills after a major hack. Analyzing attacks on organizations in 16 countries, IBM/Ponemon Institute has shown healthcare to be the industry with the highest cost per data breach for over a decade, coming in at an average hit of $10.93 million in 2023.
Posted on June 18, 2024 by Dr. David Edward Marcinko MBA MEd CMP™
Microsoft. According to a same-day announcement on its site, the company will give “nonprofit pricing and discounts for its security products optimized for smaller organizations, providing up to a 75% discount,” along with free cybersecurity training, assessments, and—for at least one year, the company says—Windows 10 security updates.
Google. The White House said that Google will “provide endpoint security advice to rural hospitals and nonprofit organizations at no cost,” as well as a pilot program designed to help rural facilities “develop a packaging of security capabilities that fit these hospitals’ unique needs.”
Broadcom rose yet another 5.41% today, continuing its blistering rally higher thanks to one analyst’s declaration that the stock should replace Tesla in the Magnificent 7.
Micron Technology rose 4.58% after getting upgraded by Cantor Fitzgerald for its exposure to the AI trade.
AMC Networks plummeted 35.14% after the company announced it’s issuing $125 million in new debt.
Louisiana Pacific dropped 3.46% after Goldman Sachs analysts downgraded the stock to “sell” and reduced their price target to $81.
GameStop fell 12.13% almost as soon as the company’s annual shareholder meeting began this afternoon, and no amount of “hodling” could halt the decline.
The S&P 500 index gained 41.63 points (0.8%) to 5,473.23; the Dow Jones Industrial Average® ($DJI) added 188.94 points (0.5%) to 38,778.10; the NASDAQ Composite advanced 168.14 points (1.0%) to 17,857.02.
The 10-year Treasury note yield (TNX) rose more than 6 basis points to 4.279%.
The CBOE Volatility Index® (VIX) increased 0.10 to 12.76.
Posted on April 7, 2024 by Dr. David Edward Marcinko MBA MEd CMP™
By Staff Reporters
***
It’s not often a guy on a computer is the hero of the story. Andres Freund, a Microsoft developer, found a malicious backdoor in popular open-source software last week. Programmers scrambled to fix the problem but warned that if they hadn’t, it could have led to hundreds of millions of compromised devices and a catastrophic cybersecurity breach.
Freund told the New York Times that he first noticed an unusual error message while doing routine maintenance on the Linux operating system—vital software used by banks, governments, and corporations around the globe. At first, he wrote it off, but a few weeks later, he noticed that an application used to log into computers remotely was using far more processing power than it should.
Posted on October 1, 2023 by Dr. David Edward Marcinko MBA MEd CMP™
By Staff Reporters
***
The SEC’s new cybersecurity regulations went into effect last week. Most companies are “largely ready” to comply, Matt Gorham, senior managing director and leader of PwC’s Cyber & Privacy Innovation Institute, told CFO Brew, “but that doesn’t mean there isn’t work to do.”
As their companies’ finance leaders, CFOs are instrumental in determining whether a cybersecurity incident is material, but they have other roles to play as well. Gorham shared his advice for how CFOs can help their organizations comply with the new regs. As a reminder, the regulations consist of what Gorham refers to as three “buckets.” Companies that file with the SEC are required to:
Declare any material cybersecurity incidents to the SEC on Item 1.05 of Form 8-K within four business days of determining materiality
Disclose information about their cyber risk management and strategy on a new section of the 10-K called Item 1C
Disclose information about their boards’ and management’s role in overseeing cybersecurity risk
The first two “buckets,” Gorham said, will likely require the most work to comply with.
Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.
Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:
In the event of an emergency [like snow storm Jonas last week], a well-defined contingency plan allows the team to restore data in addition to providing physical security. A contingency plan is invoked when there is an emergency, for example an outage. During the crisis it is important that doctors still have access to EMRs/ePHI so that the quality of care is not compromised.
Major Mitigation:
Based on the size of the physician’s practice, the contingency plans in place may vary. In a small doctor’s office the whole staff may need to be involved in restoration; in a large physician practice, authorized personnel may need to be escorted into the buildings by guards.
A contingency plan should be in place that ensures the right people have access to where the PHI is physically housed. This means well-established procedures and processes so that, in an emergency, the authorized people who have access can retrieve the PHI or even make a backup copy of the PHI data.
For example, this can mean bringing up the application in another data center if the primary data center housing the application becomes inaccessible. This should be done so that physicians have uninterrupted access to their patients’ PHI even in the event of an emergency.
Periodic third party audits of contingency plans and mock emergency drills can help ensure that this risk has been taken care of and mitigated.
Conclusion
Posted on October 17, 2015 by Dr. David Edward Marcinko MBA MEd CMP™
On Ransom-Ware, Black-Hat Hackers, the Gullible, Guilty … and Personal Cyber Security
A-Special ME-P Report
***
By Dr. David E. Marcinko MBA MBBS [Hon]
[Publisher-in-Chief]
Your Ashley Madison Account
[Paul recommends to read this email] But … don’t fall for it!
I just received this email message from sharingservices@aol.com: In this time of medical information and financial advisory data cyber security breaches, here is a warning about personal security, too!
Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.
If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 1 bitcoin to the following BTC address.
You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you don’t pay) to stop any future emails like this.
You can buy bitcoin using online exchanges easily. If the bitcoin is not paid within 3 days of 23 Sep 2015 then my system will automatically message all of your friends and family members. The bitcoin address is unique to you.
Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?
An object lesson to all ME-P readers and subscribers
After review, I noted the following faults with this blast message:
* No sender last name.
* Sender blast email service
* Multiple email addresses
* Poor grammar
* I do not have – or ever had – a Facebook account
* I do not have – or ever had – an AM account
Assessment
Note any other “give-aways“? Don’t fall for this ploy. And, don’t be Gullible or Guilty. Forewarned is forearmed.
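The giveaways listed above can be turned into an automated triage check. The following Python script is an added example, not part of the original ME-P post: it scores a constructed message modelled on the one quoted above (the sender address, the Bitcoin address and the wording are made up for the test, and the address is a syntactically valid placeholder rather than a real wallet) on the same kind of signals a practitioner looks for: a cryptocurrency address, a payment deadline, threats to contact friends and family, a claimed breach, and a bare sender address on a consumer mail domain. A constructed benign appointment reminder is scored alongside it for comparison.

```python
import re
from email import message_from_string

# Constructed sample modelled on the extortion message quoted above; the Bitcoin
# address is a syntactically valid placeholder, not a real wallet.
EXTORTION_SAMPLE = """From: sharingservices@aol.com
Subject: Your Ashley Madison Account

Unfortunately your data was leaked in the recent hacking of Ashley Madison and I
know have your information. If you would like to prevent me from sharing this
with all of your friends and family members (and perhaps your employers too?)
then you need to send 1 bitcoin to the following BTC address
1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk within 3 days. The bitcoin address is
unique to you.
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """From: frontdesk@example-practice.org
Subject: Appointment reminder

Your appointment is confirmed for Tuesday at 9:00. Please bring your insurance card.
"""

# Legacy (base58, starting 1 or 3) and bech32 (bc1...) Bitcoin address formats.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

# (name, pattern, weight): textual indicators of a data-leak extortion pitch.
TEXT_SIGNALS = [
    ("payment_demand", re.compile(r"\b(?:bitcoin|btc|monero)\b", re.I), 2),
    ("deadline", re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b", re.I), 2),
    ("threat_to_contacts", re.compile(r"\b(?:friends|family|employers?|contacts)\b", re.I), 1),
    ("claimed_breach", re.compile(r"\b(?:leaked|hacked|hacking|breach)\b", re.I), 1),
    ("per_victim_address", re.compile(r"address\s+is\s+unique\s+to\s+you", re.I), 2),
]

# Consumer mail domains; a "service" writing from one of these is a weak but real signal.
FREEMAIL_DOMAINS = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

SCAM_THRESHOLD = 6


def analyze(raw_message: str) -> dict:
    """Score a raw RFC 822-style message and return the signals that fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    sender = (msg.get("From") or "").strip().lower()
    signals, score = [], 0

    addresses = BTC_ADDRESS.findall(body)
    if addresses:
        signals.append("crypto_address")
        score += 3

    for name, pattern, weight in TEXT_SIGNALS:
        if pattern.search(body):
            signals.append(name)
            score += weight

    # Bare address with no display name, on a consumer domain.
    if "<" not in sender and sender.rpartition("@")[2] in FREEMAIL_DOMAINS:
        signals.append("freemail_sender_no_name")
        score += 1

    verdict = "likely extortion scam" if score >= SCAM_THRESHOLD else "low risk"
    return {"score": score, "signals": signals, "btc_addresses": addresses, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("extortion", EXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

The weights and threshold are assumptions chosen for the example; in a mail gateway they would be tuned against real traffic, and the score would feed a quarantine or a user warning rather than an outright block, since a legitimate breach notification can trip several of the same signals.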
It struck a reasonable balance between new regulations (almost none) and guidance (in the form of non-binding recommendations).
NOW …
In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are converging on a few key guidelines.
Six Recommendations
The following six recommendations come directly from the FTC report:
Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:
Conducting a privacy or security risk assessment
Minimizing the data they collect and retain
Testing their security measures before launching their products
Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities
The FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics.
Mission Critical Medical Devices
For “mission-critical” medical safety devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:
Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
Internal Threats: Has the device been designed to resist insider threats (hospital staff, network participants, etc.), for example by limiting what an authenticated local user can read or change?
External Threats: Has the device been designed to lock down the device from external threats?
Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers, and can their provenance and integrity be verified so that implanted backdoors or state-sponsored spying can be ruled out?
Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
Password Management: Are passwords hardcoded into the device or made configurable?
Configuration Protection: Are configuration files integrity-protected against malicious changes? A plain checksum only catches accidental corruption, since anyone who can edit the file can recompute it; tamper detection needs a keyed MAC or a digital signature whose key the attacker does not hold.
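The Password Management and Configuration Protection questions above can be answered in code. The following Python module is an added example, not code from any device vendor or from the original article: it shows why an unkeyed checksum fails against a deliberate edit (the attacker simply recomputes it), how an HMAC-SHA256 tag under a device-held key catches the same edit, and a configuration loader that refuses to start with a factory-default administrator password. The configuration contents, the default-password list and the per-device key (generated at import here; on a real device it would live in a secure element or a TPM-sealed blob) are all assumptions made for the example, and the IP addresses are from documentation ranges.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for this example: the device holds a per-device key in protected
# storage (secure element, TPM-sealed blob); here it is simply generated at import.
DEVICE_KEY = secrets.token_bytes(32)

# Constructed factory-default credentials the loader must refuse; a real product ships its own list.
FACTORY_DEFAULTS = {"", "admin", "password", "12345", "changeme"}

# Constructed device configuration. 192.0.2.0/24 is a documentation range, not a real host.
GOOD_CONFIG = json.dumps(
    {"admin_password": "Xq7!v9Lm2#pR", "telnet_enabled": False,
     "syslog_server": "192.0.2.10", "firmware_channel": "stable"},
    sort_keys=True,
).encode()

# Constructed configuration that still carries a factory default.
BAD_CONFIG = json.dumps(
    {"admin_password": "admin", "telnet_enabled": False,
     "syslog_server": "192.0.2.10", "firmware_channel": "stable"},
    sort_keys=True,
).encode()


def plain_checksum(config: bytes) -> str:
    """Unkeyed digest: detects accidental corruption only."""
    return hashlib.sha256(config).hexdigest()


def verify_plain_checksum(config: bytes, digest: str) -> bool:
    return plain_checksum(config) == digest


def attacker_edit_and_recompute(config: bytes):
    """What anyone with write access to the file does against a plain checksum:
    change the settings, then recompute the digest so the check still passes."""
    cfg = json.loads(config)
    cfg["telnet_enabled"] = True            # expose a management service
    cfg["syslog_server"] = "198.51.100.7"   # redirect audit logs (documentation address)
    tampered = json.dumps(cfg, sort_keys=True).encode()
    return tampered, plain_checksum(tampered)


def keyed_tag(key: bytes, config: bytes) -> str:
    """HMAC-SHA256 over the file; cannot be recomputed without the device key."""
    return hmac.new(key, config, hashlib.sha256).hexdigest()


def verify_keyed_tag(key: bytes, config: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(keyed_tag(key, config), tag)


def load_config(key: bytes, config: bytes, tag: str) -> dict:
    """Accept a configuration only if its tag verifies and it carries no default password."""
    if not verify_keyed_tag(key, config, tag):
        raise ValueError("configuration tag mismatch: file modified or wrong key")
    cfg = json.loads(config)
    if cfg.get("admin_password", "") in FACTORY_DEFAULTS:
        raise ValueError("admin_password is empty or a factory default; refusing to start")
    return cfg


def demo() -> dict:
    """Run both schemes against the same tampering and report what each one catches."""
    tampered, forged_digest = attacker_edit_and_recompute(GOOD_CONFIG)
    good_tag = keyed_tag(DEVICE_KEY, GOOD_CONFIG)
    return {
        "plain_checksum_accepts_tampered": verify_plain_checksum(tampered, forged_digest),
        "hmac_accepts_tampered": verify_keyed_tag(DEVICE_KEY, tampered, good_tag),
        "hmac_accepts_original": verify_keyed_tag(DEVICE_KEY, GOOD_CONFIG, good_tag),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC is the right tool when the same party writes and verifies the file (the device itself); when configuration is pushed from a hospital management server, a digital signature under the server’s private key is the better fit, since the device then needs only the public key and a compromised device yields no signing capability.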
Conclusion
ABOUT
Mr. Shahid N. Shah is an internationally recognized healthcare thought-leader across the Internet. He is a consultant to various federal agencies on technology matters and winner of Federal Computer Week’s coveted “Fed 100” Award, in 2009. Over a twenty year career, he built multiple clinical solutions and helped design-deploy an electronic health record solution for the American Red Cross and two web-based eMRs used by hundreds of physicians with many large groupware and collaboration sites. As ex-CTO for a billion dollar division of CardinalHealth, he helped design advanced clinical interfaces for medical devices and hospitals. Mr. Shah is senior technology strategy advisor to NIH’s SBIR/STTR program helping small businesses commercialize healthcare applications. He runs four successful blogs: At http://shahid.shah.org he writes about architecture issues; at http://www.healthcareguy.com he provides valuable insights on applying technology in health care; at http://www.federalarchitect.com he advises senior federal technologists; and at http://www.hitsphere.com he gives a glimpse of HIT as an aggregator. Mr. Shah is a Microsoft MVP (Solutions Architect) Award Winner for 2007, and a Microsoft MVP (Solutions Architect) Award Winner for 2006. He also served as a HIMSS Enterprise IT Committee Member. Mr. Shah received a BS in computer science from the Pennsylvania State University and MS in Technology Management from the University of Maryland.
Posted on October 30, 2014 by Dr. David Edward Marcinko MBA MEd CMP™
More on Medical Cyber-Security
[By The Doctors Company]
NOTE
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.
Posted on January 24, 2011 by Dr. David Edward Marcinko MBA MEd CMP™
What it is – How it works?
By Staff Reporters
All medical practitioners and ME-P readers and subscribers are aware that there are stiff penalties for protected health information [PHI] data breaches. And, the HIPAA policies and laws are legendary.
Security Standards
Cyber security standards are standards which enable healthcare and other organizations to practice safe security techniques to minimize the number of successful cyber security attacks and HIPAA information breaches.
Assessment
These guides provide general outlines as well as specific techniques for implementing cyber security. For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.
Posted on December 6, 0202 by Dr. David Edward Marcinko MBA MEd CMP™
Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors [Best Practices from Leading Consultants and Certified Medical Planners]
“Physicians who don’t understand modern risk management, insurance, business and asset protection principles are sitting ducks waiting to be taken advantage of by unscrupulous insurance agents and financial advisors; and even their own prospective employers or partners. This comprehensive volume from Dr. David Marcinko, and his co-authors, will go a long way toward educating physicians on these critical subjects that were never taught in medical school or residency training.” —Dr. James M. Dahle, MD, FACEP, Editor of The White Coat Investor, Salt Lake City, Utah, USA
“With time at a premium, and so much vital information packed into one well organized resource, this comprehensive textbook should be on the desk of everyone serving in the healthcare ecosystem. The time you spend reading this frank and compelling book will be richly rewarded.” —Dr. J. Wesley Boyd, MD, PhD, MA, Harvard Medical School, Boston, Massachusetts, USA
“Physicians have more complex liability challenges to overcome in their lifetime, and less time to do it, than other professionals. Combined with a focus on practicing their discipline, many sadly fail to plan for their own future. They need trustworthy advice on how to effectively protect themselves, families and practice, from the many overt and covert risks that could potentially disrupt years of hard work.
Fortunately, this advice is contained within ‘Risk Management, Liability Insurance, And Asset Protection Strategies For Doctors And Advisors: Best Practices From Leading Consultants And Certified Medical Planners™’. Written by Dr. David Edward Marcinko, Nurse Hope Rachel Hetico and their team of risk managers, accountants, insurance agents, attorneys and physicians, it is uniquely positioned as an integration of applied, academic and peer-reviewed strategies and research, with case studies, from top consultants and Certified Medical Planners™. It contains the latest principles of risk management and asset protection strategies for the specific challenges of modern physicians. My belief is that any doctor who reads and applies even just a portion of this collective wisdom will be fiscally rewarded. The Institute of Medical Business Advisors has produced another outstanding reference for physicians that provides peace of mind in this unique marketplace! In my opinion, it is a mandatory read for all medical professionals.” —David K. Luke, MS-PFP, MIM, CMP™, Net Worth Advisory Group, Inc., Sandy, Utah, USA
“This book is a well-constructed, comprehensive and experiential view of risk management throughout the entire medical practice life-cycle. It is organized in an accessible, high-yield style that is familiar to doctors. Each chapter has case models, examples and insider tips and useful pearls. I was pleased to see multi-degreed physicians sharing their professional experiences in a textbook on something other than clinical medicine. I can’t decide if this book is right on – over the top – or just plain prescient. Now, after a re-read, I conclude it is all of the above; and much more.” —Dr. Peter P. Sidoriak, Pottsville, Pennsylvania, USA
“When a practicing physician thinks about their risk exposure resulting from providing patient care, medical malpractice risk immediately comes to mind. But; malpractice and liability risk is barely the tip of the iceberg, and likely not even the biggest risk in the daily practice of medicine. There are risks from having medical records to keep private, risks related to proper billing and collections, risks from patients tripping on your office steps, risks from medical board actions, risk arising from divorce, and the list goes on and on. These liabilities put a doctor’s hard earned assets and career in a very vulnerable position. This new book from Dr. David Marcinko and Prof. Hope Hetico shows doctors the multiple types of risk they face and provides examples of steps to take to minimize them. It is written clearly and to the point, and is a valuable reference for any well-managed practice. Every doctor who wants to take preventive action against the risks coming at them from all sides needs to read this book.” —Richard Berning, MD, FACC, New Haven, Connecticut, USA
“This is an excellent companion book to Dr. Marcinko’s Comprehensive Financial Planning Strategies For Doctors And Advisors: Best Practices from Leading Consultants and Certified Medical Planners™. It is all inclusive yet easy to read with current citations, references and much frightening information. I highly recommend this text. It is a fine educational and risk management tool for all doctors and medical professionals.” —Dr. David B. Lumsden, MD, MS, MA, Orthopedic Surgeon, Baltimore, Maryland, USA
“This comprehensive text book provides an in-depth presentation of the cyber security and real risk management, asset protection and insurance issues facing all medical professionals today. It is far beyond the mere medical malpractice concerns I faced when originally entering practice decades ago.” —Dr. Barbara S. Schlefman, DPM, MS, Family Foot Care, PA, Tucker, Georgia, USA
“Am I over-insured and thus wasting money? Am I under-insured and thus at risk for a liability or other disaster? I never really had the means of answering these questions; until now.” —Dr. Lloyd M. Krieger, MD, MBA, Rodeo Drive Plastic Surgery, Beverly Hills, California, USA
“I read and use this book, and several others, from Dr. David Edward Marcinko and his team of advisors.” —Dr. John Kelley, DO, Orthopedic Surgeon, Tucker, Georgia, USA
“An important step in the risk management, insurance planning and asset protection process is the assessment of needs. One can create a strong foundation for success only after all needs have been analyzed so that a plan can be constructed and then implemented. This book does an excellent job of recognizing those needs and addressing strategies to reduce them.” —Shikha Mittra, MBA, CFP®, CRPS®, CMFC®, AIF®, President – Retire Smart Consulting LLC, Princeton, New Jersey, USA
“The Certified Medical Planner™ professional designation and education program was created by the Institute of Medical Business Advisors Inc., and Dr. David Edward Marcinko and his team (who wrote this book). It is intended for financial advisors who aim specifically to serve physicians and the medical community. Content focuses not only on the insurance and professional liability issues relevant to physicians, but also provides an understanding of the risky business of medical practice so advisors can help work more successfully with their doctor-clients.” —Michael E. Kitces, MSFS, MTAX, CFP®, CLU, ChFC, RHU, REBC, CASL, http://www.Kitecs.com, Reston, Virginia, USA
“I have read this text and used consulting services from the Institute of Medical Business of Advisors, Inc. on several occasions.” —Dr. Marsha Lee, DO, Radiologist, Norcross, Georgia, USA
“The medical education system is grueling and designed to produce excellence in medical knowledge and patient care. What it doesn’t prepare us for is the slings and arrows that come our way once we actually start practicing medicine. Successfully avoiding these land mines can make all the difference in the world when it comes to having a fulfilling practice. Given the importance of risk management and mitigation, you would think these subjects would be front and center in both medical school and residency – ‘they aren’t.’ Thankfully, the brain trust over at iMBA Inc., has compiled this comprehensive guide designed to help you navigate these mine fields so that you can focus on what really matters – patient care.” —Dennis Bethel, MD, Emergency Medicine Physician