UK NCSC publishes Secure systems design guidance and security paper

Nice and concise read. Their comments on their antipatterns are good.

https://www.ncsc.gov.uk/blog-post/secure-systems-design–new-guidance-now-available

Cyber security design principles

1. Establish the context before designing a system
2. Make compromise difficult
3. Make disruption difficult
4. Make compromise detection easier
5. Reduce the impact of compromise

Antipatterns

Anti-pattern 1: ‘Browse-up’ for administration
Anti-pattern 2: Management bypass
Anti-pattern 3: Back-to-back firewalls
Anti-pattern 4: Building an ‘on-prem’ solution in the cloud
Anti-pattern 5: Uncontrolled and unobserved third party access
Anti-pattern 6: The un-patchable system

HHS Clarifies HIPAA Liability Around Third-Party Health Apps

Interesting article that tries to summarize some of the latest HHS guidance. It includes the following: “If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.

https://healthitsecurity.com/news/hhs-clarifies-hipaa-liability-around-third-party-health-apps