SpyCloud Pioneers the Shift to Holistic Identity Threat Protection
Austin, TX, USA, 4th February 2025, CyberNewsWire
The post SpyCloud Pioneers the Shift to Holistic Identity Threat Protection appeared first on Security Boulevard.
In an era marked by high-profile cyber breaches, ransomware attacks, and violence committed against high-profile enterprise employees, the imperative for focused cybersecurity training for executives has escalated dramatically. For CISOs and enterprise cybersecurity specialists, crafting a tailored cybersecurity training program for your organization’s executives is not just a precaution—it is a strategic imperative. Here’s how […]
The post Cybersecurity Training for Executives: What Business Leaders Need to Know appeared first on BlackCloak | Protect Your Digital Life™.
The post Cybersecurity Training for Executives: What Business Leaders Need to Know appeared first on Security Boulevard.
Malicious employees and insider threats pose one of the biggest security risks to organizations, as these users have more access and permissions than cybercriminals attacking the organization externally.
The post How to Root Out Malicious Employees appeared first on Security Boulevard.
Decentralized identity (DCI) is emerging as a solution to the significant challenges in verifying identities, managing credentials and ensuring data privacy.
The post Decentralized Identity: Revolutionizing Identity Verification in The Digital World appeared first on Security Boulevard.
What 2025 HIPAA Changes Mean to You
madhav
Tue, 02/04/2025 - 04:49
Thales’s comprehensive Data Security Platform helps you comply with the 2025 HIPAA changes.
You are going about your normal day at your healthcare organization, following the same routine business process you’ve followed for the last twelve years. You expect Personal Health Information (PHI) to be protected, thanks to HIPAA compliance.
HIPAA forces organizations to build a security system for personal health information. You certainly wouldn't print your personal health information and pass it out to anyone. HIPAA ensures that businesses treat your personal health information with extra care, encrypting it, restricting who can access it, and ensuring systems that store it are secure and continuously tested. Every time you receive medical care, HIPAA is working behind the scenes to keep your PHI safe from cybercriminals.
According to the Thales Data Threat Report, Healthcare and Life Sciences Edition, in 2023, among healthcare and life sciences respondents, human error (76%) is the leading reported cause of cloud data breaches, well ahead of a lack of MFA, the second highest, at 11%. To compound issues, identity and encryption management complexity is a serious issue. 60% of healthcare respondents have five or more key management systems in use.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that created the national standards when it was first published to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
Who does it apply to?
Covered Entities: All entities accessing protected personal health information (PHI), including health plans, health insurance organizations, hospitals, clinics, pharmacies, physicians, and dentists, among others.
Business Associates: Third-party service providers that create, receive, maintain, or transmit ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.
Key Dates
On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI), which is expected to go into effect on March 7, 2025 following a comment period. HIPAA is not a static regulation. Since its original publication, it has been periodically updated to remain relevant.
What Changed?
The changes are extensive. They focus on new written policies and procedures, technical safeguards, and updated business associate agreements, which are summarized below.
The penalties for non-compliance with HIPAA vary based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.9 million per calendar year. Additionally, violations can also result in jail time of 1–10 years for the individuals responsible.
Thales Solution for HIPAA Compliance
No single tool enables organizations to be 100% compliant, but thankfully, Thales has comprehensive data security solutions that align to HIPAA requirements. Thales is driven by a vision to protect data and all paths to it, enabling you to become more compliant and more secure. Thales helps organizations address the requirements for safeguarding PHI necessary to comply with HIPAA by analyzing risk, reducing risk from third parties, access control and authentication, encrypting PHI at rest and in transit, protecting encryption keys, and de-identifying PHI in databases.
How Thales Helps with HIPAA Compliance
It's been one year since Thales and Imperva joined as two data security leaders. Although there is no silver bullet for improving your data security posture, Thales’s comprehensive data protection and monitoring strategy is now a clear solution to assist with HIPAA compliance. It offers remarkable encryption, multi-factor authentication, and cybersecurity solutions that enable healthcare organizations to find industry-leading solutions for their data security, monitoring, and compliance needs.
With Thales’s solution depth, you can now be HIPAA compliant without investing in a confusing set of tools through multiple vendors. Thales’s Application Security, Data Security, and Identity and Access Management Solutions have the advanced security and compliance features that enable you to address new HIPAA requirements.
Summary
Thales is a major solution provider for organizations that want to achieve HIPAA compliance, remain HIPAA compliant, or adhere to new HIPAA requirements published in January 2025. HIPAA requirements are complex, and changed for the first time in 12 years, prompting organizations to look to Thales for application security, data security, and identity and access management solutions to help with HIPAA compliance.
Download our Thales Data Threat Report, Healthcare and Life Sciences Edition, to learn more about how data protection solutions can shorten your time to becoming HIPAA compliant.
Doug Bies | Product Marketing Manager
The post What 2025 HIPAA Changes Mean to You appeared first on Security Boulevard.
A 22-year-old Canadian man is indicted by the U.S. DOJ for using borrowed cryptocurrency and exploiting vulnerabilities on the KyberSwap and Indexed Finance DeFi platforms to steal $65 million in digital assets in two schemes between 2021 and 2023.
The post Canadian Man Stole $65 Million in Crypto in Two Platform Hacks, DOJ Says appeared first on Security Boulevard.
Today, my Senator — Susan Collins — failed in her oath and duty to uphold the Constitution. She voted for the appointment of a traitor to head national intelligence, and is supporting someone for director of the Office of Management and Budget (OMB) who openly wants to dismantle the foundations of American government. She has […]
The post When Checks and Balances Fail: The State’s Role in Preserving Constitutional Order appeared first on rud.is.
The post When Checks and Balances Fail: The State’s Role in Preserving Constitutional Order appeared first on Security Boulevard.
Team Code reviews are essential to the development process. They ensure that the code meets the required standards before being merged into the main branch. Tools like SonarQube are key to making the reviews productive and valuable.
The post Enhancing Team Code Reviews with AI-Generated Code appeared first on Security Boulevard.
Orca Security has extended the reach of its agentless cloud native application protection platform (CNAPP) to include multiple options that eliminate the need to aggregate data in a software-as-service (SaaS) platform. Cybersecurity teams can now take advantage of a hybrid cloud computing through which metadata is processed using the Orca Security Cloud Platform as a..
The post Orca Security Adds Additional CNAPP Deployment Options appeared first on Security Boulevard.
Leverage Infrastructure as Code, APIs, and automations to natively remediate exposures at scale for AWS Azure and GCP, while maintaining business continuity. TEL AVIV, Israel – February 4, 2025, Veriti, a leader in exposure management solutions, is proud to announce the launch of Veriti Cloud, an expansion of its Exposure Assessment and Remediation platform that […]
The post Veriti Expands Exposure Assessment Platform with Industry First Proactive Cloud Native Remediation Solution appeared first on VERITI.
The post Veriti Expands Exposure Assessment Platform with Industry First Proactive Cloud Native Remediation Solution appeared first on Security Boulevard.
Automate misconfiguration and vulnerability remediation proactively across on-prem and cloud. Executive Summary Cloud environments have become the backbone of modern organizations, the complexity and volume of misconfigurations and vulnerabilities have emerged as the leading causes of breaches. According to Gartner, cloud misconfigurations account for 65% of cloud breaches. Traditional CNAPPs (Cloud Native Application Protection Platforms) […]
The post First Proactive Cloud Native Remediation Platform appeared first on VERITI.
The post First Proactive Cloud Native Remediation Platform appeared first on Security Boulevard.
The post What SAQ A Merchants Need to Know About Updated Requirements 6.4.3 and 11.6.1 appeared first on Feroot Security.
The post What SAQ A Merchants Need to Know About Updated Requirements 6.4.3 and 11.6.1 appeared first on Security Boulevard.
One of the most complex aspects of running a WAF is managing its security rules effectively. That's where Rule Architect, our AI-powered WAF rule expert, comes in. With a distinct personality that combines deep security expertise with a dash of wit, Rule Architect takes the headache out of WAF rule management.
Think of Rule Architect as your witty security companion – it knows WAF rules inside and out, and it's not afraid to tell you when your rules might be stepping on each other's toes. While it takes security seriously, it brings a refreshing approach to what's traditionally been a dry and technical domain. It's like having a brilliant security architect on your team who also happens to make rule management almost... fun?
The Complexity of WAF Rule Management
Rule Selection Complexity
WAFs have always been challenging to configure because of the vast number of potential security rules and policies available. While modern WAFs offer extensive rule libraries, choosing the right combination of rules for your specific application remains complex due to the diverse nature of applications, varying security requirements, and the constant evolution of threat landscapes.
Too Many Rule Dependencies
Once selected, managing rule interactions becomes increasingly difficult. Poorly coordinated rules can conflict with each other, creating security gaps or causing unnecessary blocks. Legacy WAF policies often have intricate dependencies between rules, leading to brittle and convoluted configurations that are difficult to understand and even harder to modify without breaking existing protections.
Inadequate Rule Testing
WAF rule testing is often manual and incomplete. Traditional approaches to rule testing focus solely on security effectiveness, neglecting critical aspects like performance impact and resource utilization. This limited testing scope can result in rules that work from a security perspective but introduce unacceptable latency or resource overhead in production environments.
How Rule Architect Makes WAF Rule Management Simple (and Dare We Say... Enjoyable?)
Rule Architect brings intelligence, automation, and a touch of personality to WAF rule management. Here's how this AI-powered mastermind works:
Policy Recommendations with a Personal Touch
Rule Architect doesn't just make recommendations – it explains them in clear, sometimes amusing terms. Using advanced AI, it analyzes your application's API endpoints, data patterns, and security requirements to recommend the most appropriate security rules. When it spots potential issues, it might say something like "These rules are getting a bit too cozy with each other – let me help you sort that out." The AI assistant understands your application's context and automatically suggests policies that provide optimal protection while minimizing false positives. It's like having a security expert who speaks plain English and occasionally cracks a joke.
Rule Architect can show you your rules in a graph and manage dependencies for you
Rule Dependency Management (or "Rule Relationship Counseling")
Rule Architect redefines WAF rule coordination with its intelligent automation and unique way of explaining complex interactions. Dependencies are automatically mapped and visualized in a comprehensive dependency graph, and because the system understands rule interactions, it can automatically detect and resolve conflicts – all while keeping you informed with clear, often cleverly worded explanations. Rule Architect offers capabilities such as:
* Automatic rule ordering based on priority and dependencies, ensuring your security policies are applied in the optimal sequence (it's quite the organizational genius)
* Conflict detection and resolution recommendations that proactively identify and help resolve rule conflicts before they impact production (think of it as relationship counseling for your WAF rules)
* Impact analysis for rule changes that shows you exactly how modifications will affect your security posture (because surprises are great for birthdays, not security configurations)
Comprehensive Rule Testing (With Real Personality)
Rule Architect turns the typically tedious process of rule testing into an engaging experience. The system automatically generates test cases and provides feedback with its characteristic style. Security and engineering teams can collaborate through automated test suites that incorporate:
* Security effectiveness testing that goes beyond simple pass/fail to explain exactly what's happening
* Performance impact analysis that helps you understand if your rules are being a bit too "enthusiastic" about their jobs
* Resource utilization monitoring to ensure your rules aren't becoming resource hogs
* False positive/negative detection with clear, actionable feedback (no more cryptic error messages!)
---
Ready to meet your new favorite WAF rule expert? Try Impart now! Let Rule Architect show you how WAF rule management can be both effective and entertaining.
The post Meet Rule Architect: Your AI-Powered WAF Rule Expert | Impart Security appeared first on Security Boulevard.
China crisis? Stop using this healthcare equipment, say Cybersecurity & Infrastructure Security Agency and Food & Drug Administration.
The post CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs appeared first on Security Boulevard.
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘AlphaMove’ appeared first on Security Boulevard.
The Health Insurance Portability and Accountability Act (HIPAA) mandates a stringent framework for protecting sensitive patient information. These standards form the foundation of cybersecurity measures within the healthcare sector, ensuring...
The post HIPAA Cybersecurity Requirements and Best Practices appeared first on Security Boulevard.
A variety of approaches to creating synthetic data for PostgreSQL databases, from building data in Postgres itself, to mock data generators, to full-on data de-identification and synthesis.
The post How to create realistic test data for PostgreSQL appeared first on Security Boulevard.
In the field of data generation, few players are as universally known as Mockaroo. Friend to dev teams large and small, we’re longtime fans ourselves, and now we’re proud...
The post Mockaroo and Tonic: Partners in mock data generation appeared first on Security Boulevard.
Tonic's first Product Manager Kasey Alderete shares the three questions she considered when thinking about the problem Tonic is tackling, and how the answers to those questions led her to join the team.
The post Why I joined Tonic: A product manager’s perspective appeared first on Security Boulevard.
Artifactory token leaks are not the most common, but they pose significant risks, exposing sensitive assets and enabling supply chain attacks. This article explores the dangers of leaked tokens and proposes mitigation strategies, including token scoping and implementing least privilege policies.
The post The Secret to Your Artifactory: Inside The Attacker Kill-Chain appeared first on Security Boulevard.