Megan Hudson

Megan is a Manager for HORNE Cyber where she specializes in cyber risk related assurance services. She provides analytic expertise regarding policy design and implementation as well as IT and data governance. Megan also consults on information systems environment compliance and management for public and middle market clients.
Find me on:

Recent Posts

Mar 28, 2019 9:30:00 AM

How HIPAA Compliance Efforts May Impact Your Overall Security Posture

HIPAA security and privacy rule requires many resources for an organization to be compliant. Resources can be time consuming and often create operational issues and financial burden for covered entities. Organizations often believe that there is one solution out there that will make achieve compliance or, more importantly, secure the organization. This leads organizations to consider two big questions: Where do I focus my resources to meet the HIPAA security and privacy rule? -and- Is being HIPAA security and privacy rule compliant good enough to lower the risk of a breach?

Topics: HIPAA

Mar 7, 2019 9:00:00 AM

3 Data Governance Strategies for Financial Institutions

Read Time: 5 Minutes Data Governance is how we describe the processes and management of data in any given organization. This includes the processes around the protection and use of data. In our specific context today, we will be discussing data governance for a financial institution (FI).

Topics: Data Governance

Jan 17, 2019 9:30:00 AM

2018 in Review: HIPAA Violations

In 2018 there were various fines paid by healthcare organizations for failure to comply with the HIPAA security and privacy standards. Reviewing the trends of fines in 2018 can be beneficial to healthcare organizations, providing an opportunity to learn and proactively correct outstanding violations within your organization. The various trends of fines included lack of compliance in the following areas:

Topics: HIPAA

Jan 10, 2019 9:30:00 AM

HHS Finally Offers Cybersecurity Guidance to Healthcare Organizations

I’ve worked with healthcare organizations of all sizes for many years and questions are regularly asked about what the best controls framework is for building a cybersecurity program. Surprisingly, very little guidance related to cybersecurity has been provided by the government in the past years even though healthcare has been one of the prime targets of hackers. Stories of hacking, phishing, and malware/ransomware have been prevalent on almost a weekly basis. With the majority of healthcare organizations being understaffed and underfunded, efforts to develop a cybersecurity program have typically been done in a piecemeal fashion to meet the barebone requirements.

Topics: Cyber Assurance Insights, HHS Guidance, NIST

Aug 9, 2018 9:30:00 AM

Lessons Learned from SOC for Cybersecurity Readiness Assessments

During 2017, the AICPA issued a formal framework to allow independent accounting firms to attest to the cybersecurity related posture for companies. In connection with this issuance, firms are able to help companies assess their current environment prior to the actual audit. The goal of this assessment is to allow companies to prepare for the audit to ensure their control environment is sufficient to pass the rigorous SOC for Cybersecurity audit. Ultimately, this will allow for an annual SOC for Cybersecurity report to be provided to its customers, vendors, and investors showing that the company has adequate internal controls in place around cybersecurity.

Topics: Cyber SOC

Jul 5, 2018 10:30:00 AM

Topics: Cyber Assurance Insights

Jun 14, 2018 9:34:16 AM

Building the Audit of the Future: Diving Deeper into the Role of the Auditor

Last week in “Building the Audit of the Future: The Roles of Robots and Humans”, we talked about the technology pieces of the audit of the future and the need to understand several components in order for auditors to be anticipatory in the coming years. We discussed process automation, efficiency (and data analytics), accuracy expectations and cyber risk mitigation. We left off just as we began touching on my favorite part of the audit process – discussing threats, concerns, mitigating factors and the future with clients.

Topics: Cyber Assurance Insights, Audit of the Future

Jun 7, 2018 9:30:00 AM

Building the Audit of the Future: The Roles of Robots and Humans

When most people think about the audit of the future they think about robots. Now, I don’t know about you but when I think about robots and the future I think about people wearing white jumpsuits driving flying cars. In my mind, I see a mix of something like the Jetsons meets Tomorrow Land in Walt Disney World. Unfortunately, while all of this is very exciting, it’s not exactly what the audit of the future is going to look like. Instead, the audit of the future is going to look technical at first (so, there will be some robots), and then it will take a fast 180° and feel a lot more fluid than technical. Today, I want to talk about the first half of the audit of the future, the technical piece, and then next week dive into the less concrete, client relationship piece.

Topics: cybersecurity, Cyber Assurance Insights, Audit of the Future

Aug 10, 2017 10:00:00 AM

How Secure Are Your Vendors?

The spotlight on the topic of vendor management has been shining even brighter lately with a large number of data breaches resulting because of poor vendor processes. With vendors being a key reason for the success of companies in today’s economy, companies have a responsibility to ensure efficient processes are in place when contracting with and working daily with vendors. Though many companies are limited by funds and resources that can be devoted to vendor management, the process for protecting themselves can be as simple as asking the following questions:

Topics: VENDOR MANAGEMENT, vendor security, Cyber Assurance Insights

Aug 1, 2017 10:37:00 AM

CMS May Want Their Money Back

The old adage ‘Money can make you do crazy things’ can easily be applied to both our personal and business lives. Within the healthcare industry, HITECH incentive payments were offered by the US government several years ago to implement electronic health record systems at hospitals and other healthcare organizations. In order to qualify for these government incentive payments, healthcare organizations were required to carry out regular security risk assessments in order to show that they were meeting the HIPAA Security Rule requirements. As is the case with many government incentives, a large number of healthcare organizations properly followed the rules and carried out the security risk assessments while a select number received the HITECH incentive payments without doing so.

Topics: Cyber Assurance Insights, HITECH

Jun 29, 2017 10:01:00 AM

Will the FDA Strengthen Cybersecurity Requirements for Medical Devices?

Earlier this year, the FDA released guidance for Postmarket Management of Cybersecurity in Medical Devices. While many agree that the recommendations will help guide developers and manufacturers, these are still "non-binding" and are simply recommendations, not requirements. With the stakes being so high and the continued growth of cyber threats, if and when will the FDA begin mandating these recommendations?

Topics: Cyber Assurance Insights

Jun 22, 2017 10:02:00 AM

Breaking Bank: Episode 3

Over the last several weeks we have witnessed the story of a Bank who thought that compliance was enough to keep their customer’s information and the Bank’s reputation secure. However, they quickly realized that one breach can change everything and cause them to question their strategy regarding cybersecurity. We step back onto the scene as the ISO, Walter, has learns what he could have done differently to prevent the recent cyber attack.

Topics: Cyber Assurance Insights

Jun 1, 2017 10:03:00 AM

Breaking Bank: Episode 2

Last month we began the story of a very ambitious bank filled with well-intentioned individuals who love their jobs and want to see their customer’s information protected. We were introduced to the bank’s Information Security Officer, Walter White and we watched as he took important steps to protect his company with internal control implementation and cybersecurity practices (like hiring an IT company to perform a penetration test). He thought his company was secure, until the unexpected happened. Today, we find out what event changed everything…

Topics: Cyber Assurance Insights

May 11, 2017 10:00:00 AM

Breaking Bank: Episode 1

I don’t know about you, but I’ve read a lot of content-filled, factually intense cybersecurity articles over the past few months. I’ve read so many that I begin hearing similar concepts without actually understanding how it impacts my clients specifically. For this reason, today I don’t want to spout off a bunch of information (as accurate as it may be) and tell you to go make sense of it, I would instead like to tell you a story. So sit back, relax, and enjoy the movie (cue Disney Castle scene)…

Topics: cybersecurity, Cyber Assurance Insights

Apr 20, 2017 10:03:00 AM

Teamwork Makes the Dream Work

I grew up in Birmingham, Alabama and throughout my childhood I played a lot of sports. I played anything from basketball, to soccer, to pickup games of kickball and baseball with neighborhood friends. Actually, my entire family invested a lot of time in sports, between my five brothers playing baseball and me playing soccer/basketball we often discussed how our teams ‘meshed’ and whether or not members interacted well with one another. It was always interesting to see how different teams worked together and how their cohesiveness impacted their success on the field. Even today I often see how important it is that my coworkers and I work together as a team to complete projects efficiently while also adding as much value as possible for our clients.

Jan 19, 2017 10:00:00 AM

Vendor Management: Ignore at Your Own Risk

In this busy, ever changing business world, management has so many things to worry about that some key business responsibilities often get overlooked.  One key area that is front and center on a daily basis, but is often ignored by businesses of all sizes is the topic of vendor management. It’s hard to identify a business that doesn’t have some form of relationship with vendors. A vendor could be as simple as the person who brings the daily coffee to as complex as the offsite company that manages the servers on which key patient and financial data resides. Though the coffee guy may not have access to any information while on site that could harm the business, vendors that have access to key data for a business could see their names in the headlines if proper security protocols aren’t followed.

Topics: VENDOR MANAGEMENT

Nov 22, 2016 10:00:00 AM

FFIEC Cybersecurity Assessment Tool Frequently Asked Questions

This past month the FFIEC issued a statement to provide clarification on several questions the FFIEC recieved for the Cybersecurity Assessment Tool (CAT). Since the release of the CAT and with the statement issued last month, I have recieved numerous questions from clients that I wanted to share with you to provide you insight on its value and use to your management team. So, here are our FAQs:

Topics: cybersecurity, cybersecurity assessment tool

Nov 1, 2016 10:00:00 AM

GAO Audit: Can We Learn From Their Mistakes

The old saying “if it ain't broke, don’t fix it” immediately came to mind as I began to look at the audit report from the Government Accountability Office regarding Federal Agency Security. The reason this quote came to mind is that in information security, there are some serious breaks in need of very intentional fixing. It is evident from the amount of information security incidents that have occurred over the past several years that there is much in disrepair. In fact, since 2006, the number of incidents that we know about has risen from 5,503 to 67,168 according to the recent GAO Federal Information Security report. If this isn’t cause for concern I’m not sure what is.

Topics: cybersecurity

Oct 18, 2016 10:01:00 AM

Where is Your Data? Why Performing a Data Inventory is Integral for Companies in this Digital Age

There’s no denying that the days of printed documents are a distant speck in the rearview. Industries are becoming much more reliant on automated systems and processes versus the manual ledgers and manila files of yesteryear.

Topics: data security, data storage