Archive for the ‘Laws & Regulations’ Category

What You Need to Know for Retention Compliance

Wednesday, November 20th, 2013

One of the things I love about helping all my Compliance Helper (CH) clients with their information security and privacy compliance activities is that they often ask questions that most other small and mid-size organizations also have. So, I then have a great opportunity to share advice!  One of my recent conversations dealt with the challenges my mid-size client was having in trying to appropriately customize the data and records retention policy and procedure I provide through the CH service to fit his organization’s unique type of business associate service, while also meet compliance with the HIPAA retention requirements. The paraphrased questions below started our conversation after I advised that there are many types of documents that must be retained for at least 6 years to meet compliance: (more…)

You Must Practice Daily Compliance Hygiene

Tuesday, October 22nd, 2013

Compliance, like much of life, takes ongoing effort

Okay, folks. Time for a reality check for what data protection compliance involves. 

You know what’s often tedious and hard? Well, a lot of things in life. (more…)

When is PHI Not PHI?

Tuesday, August 27th, 2013

The deadline for complying with the Omnibus Rule is quickly approaching. Psst…it’s September 23 for most covered entities (CEs) and business associates (BAs).  I’ve been tardy in getting blog posts made because I’ve been happy to have the opportunity to help my hundreds of Compliance Helper and Privacy Professor clients to get into compliance with all the HIPAA and HITECH rules, many just getting there for the first time, in addition to the Omnibus Rule changes and new requirements. I’ve been getting a lot of HIPAA questions from many of the CEs and BAs. I thought it would be helpful to provide some of them on my blog. I’ll start with an interesting question about (more…)

Don’t Be Penny Wise and Privacy Foolish

Monday, June 17th, 2013

“We Can’t Afford Security and Privacy!”

Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.

Him: “I wish (more…)

Good Intentions Often Lead to Bad Privacy Results

Monday, April 29th, 2013

Allowing Wall Street privacy law exemption is crazy! Why, you ask? Why, I’m happy to explain. In March, 2012, I wrote “6 Good Reasons NOT To Ask for Facebook Passwords“.  Since that time legislation prohibiting employers from requiring access to their employees’ protected areas of their social media accounts has been introduced or is pending in at least 35 states. Three states–Arkansas, New Mexico and (more…)

How Long is the Liability Tail?

Wednesday, March 27th, 2013

Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).

Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)

Why You Should Use a Right to Audit Clause

Thursday, January 24th, 2013

A Tale of Two Viewpoints

When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990’s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk.  The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough.  And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network.  (more…)

ISMS Certification Does Not Equal Regulatory Compliance

Wednesday, October 31st, 2012

Last week I got the following question:

“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements?  Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”

This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)

Please Don’t Tell Me You’re Still Using SSNs as IDs!

Tuesday, October 2nd, 2012

Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years.  Seriously; all businesses out there doing this, please make a plan to stop doing this! Why? Here are three good reasons.  (more…)

Not Providing Education Is *THE* Dumbest Idea for Information Security and Privacy Efforts

Monday, August 6th, 2012

Every year or so, an otherwise smart information security professional publishes some really bad information security advice about how awareness and training is a waste of time and money. The latest proclamation at CSO Online has generated a small bit of a firestorm since it was published. 

As time goes on, and more and more information security incidents and privacy breaches occur, and more information is put into the hands, and care, of more and more end-users who have no background in information security or privacy, such statements are simply bad, bad, bad advice. Making such statements also makes it harder for information security and privacy pros to do their job as effectively as possible when business leaders believe such hogwash and then wind up cut funding for information security and privacy education as a result.  I’ve been in the information security and privacy compliance profession for a very long time, have built such programs and assisted many organizations in building theirs, and I could fill a book with examples of how training and awareness activities have improved their information security and privacy efforts and outcomes.  Others in this profession with hands one responsibilities for the full lifecycle of information protection could also write their own books with such examples.

I wrote a blog post about this topic in 2009, and now is a good time to write another and point out that there is greater need than ever before for organizations, of all sizes, to make the comparatively small investment in information security and privacy education for their workers.

5 flawed arguments against information security and privacy education (more…)