今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#hipaa

找到 2 篇相关文章

AI 资讯

HIPAA Risk Assessment in 2026: A Healthcare Engineer's Field Guide

If you build, run, or audit systems that touch protected health information (PHI), the HIPAA risk assessment is the document that quietly decides whether the next OCR investigation ends in a closure letter or a corrective action plan with a six-figure settlement. The proposed 2026 HIPAA Security Rule update (published as an NPRM in January 2025, still pending finalization at OCR) doesn't change the underlying requirement at 45 CFR § 164.308(a)(1)(ii)(A) — and OCR has repeatedly reaffirmed that the absence of a current, written risk analysis is itself the most-frequently-cited Security Rule deficiency . This is the engineering view: what a defensible HIPAA risk assessment actually contains in 2026, how to model it, and what tooling fits the workflow. 1. The asset inventory is non-negotiable Every defensible HIPAA risk assessment starts with a complete inventory of where ePHI lives, where it flows, and who touches it. If you can't enumerate every system, every integration, and every workforce role that creates / receives / maintains / transmits ePHI, the rest of the assessment is built on sand. A minimal asset-inventory record per system: { "system_id" : "ehr-prod-01" , "system_type" : "ehr" , "ephi_states" : [ "create" , "receive" , "maintain" , "transmit" ], "data_classification" : "phi-high" , "hosting" : { "type" : "saas" , "vendor" : "epic" , "region" : "us-east-1" }, "workforce_roles_with_access" : [ "clinician" , "billing" , "admin" ], "integrations" : [ { "to" : "billing-system" , "protocol" : "hl7-fhir" , "direction" : "outbound" }, { "to" : "patient-portal" , "protocol" : "https-rest" , "direction" : "bidirectional" } ], "encryption_at_rest" : true , "encryption_in_transit" : true , "mfa_enforced" : true , "audit_log_destination" : "central-siem" , "ba_agreement_on_file" : true , "last_reviewed" : "2026-05-15" } If you don't have this, build it before you do anything else. The HHS-provided ONC SRA Tool walks through asset enumeration but it's optimized for s

2026-06-06 原文 →
AI 资讯

Cutting HIPAA deploy time 70% with GitLab parent/child pipelines and an Ansible control plane

Parent/child first. Evidence emission second. Ansible control plane third. Every release was a manual evidence collection exercise. The pipeline was the bottleneck. This is a redacted write-up of a real engagement: rebuilding a healthcare SaaS company's CI/CD pipeline across a fleet of Linux hosts on AWS. The context The engineering team had grown faster than the pipeline architecture had evolved. What started as a single-stage GitLab job for a small team had been extended, patched, and worked around as the team scaled past the patterns the original pipeline was built for. The result was familiar. Each deploy took 30 to 45 minutes of mostly-serial execution. Engineers had developed informal habits to work around the slowness, including pushing partial changes outside the pipeline when the timeline got tight. Audit windows were preceded by three-week sprints in which the team manually compiled deployment logs, screenshots of access reviews, and approval chains into PDFs describing what the pipeline was supposed to be doing. The work was technically passing HIPAA audits, but the audit was a snapshot of a system the auditor could not independently verify. The cost was paid twice: the velocity loss on every deploy, and the three-week scramble before each assessment. The team knew the architecture was wrong. They needed engineering hands to redesign it without slowing the product roadmap the audits were already eating into. The approach The redesign moved in three layers. First, decompose the monolithic pipeline into parent/child stages so work can parallelize and the audit boundary of each stage is provable. Second, build structured evidence emission into every stage as a property of how it runs, not an after-the-fact compilation task. Third, layer an Ansible control plane across the host fleet so HIPAA control state is continuously validated, not reviewed quarterly. ┌────────────────────────── Parent Pipeline (.gitlab-ci.yml) ──────────────────────────┐ │ │ │ ┌────────

2026-06-04 原文 →