Today I read with interest an article in the U.K.’s Guardian Unlimited, “Surveillance ‘intrudes on our lives‘.”
I am doing some research into various surveillance methods, such as with CCTV, key loggers, and other methods of surreptitiously recording the activities of individuals, typically without their consent, and often without their knowledge.
Archive for the ‘Laws & Regulations’ Category
Privacy: Surveillance and Poor Security Practices
Saturday, April 28th, 2007HIPAA: More Changes and Initiatives by HHS
Thursday, April 26th, 2007I’ve been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives.
Two more I read about recently:
SOX Compliance: Fraudsters Posing as Officials Selling “Compliance Solutions;” *NO* vendor Product Can Make an Organization 100% Compliant With ANY Regulation
Tuesday, April 24th, 2007Something that has irritated me for a very long time are vendors who see a chance to make a quick buck off of worried organizations, afraid they are not going to be in compliance with new laws, and create junk products to sell to them using fear, uncertainty and doubt (FUD). FUD products.
I saw a lot of HIPAA FUD back when that regulation went into effect, and saw way too many people spending way too much money for so-called HIPAA security and privacy certifications offered by vendors who did not even have anyone on staff with any type of healthcare provider, payer or clearinghouse practitioner experience. Not to mention HIPAA compliance solutions.
HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations
Monday, April 23rd, 2007The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who want a say in how protected health information (PHI) is safeguarded, shared, and otherwise handled.
Information Security: Laws Require Secure Disposal of Information in All Forms; Using BS 8470:2006 for Compliance
Friday, April 20th, 2007Many information security incidents have occurred through non-technical means by simply and thoughtlessly throwing away printed documents into publicly-accessible trash bins, or even putting computers and sensitive documents out on the streets. I have blogged about this several times, such as here, here, and here.
Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security
Thursday, April 19th, 2007Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all; the implications of employees posting from the corporate network, using their corporate email address within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may have to ultimately end up paying for, and many assorted other issues.
Admitted HIPAA Noncompliance at UPMC: Penalties Must Be Applied to Make Laws Effective
Monday, April 16th, 2007On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation of the Health Insurance Portability and Accountability Act (HIPAA).
Obscure Email Security Issues: Whitehouse Provides Lessons in Email Management Practices and Using Non-Business Email Accounts to Conduct Business
Sunday, April 15th, 2007So much is in the news lately related to information assurance it is hard to pick which one to share my thoughts about. However, the misuse of email, managing email, and the maintenance of email systems, which I know I’ve already talked about recently, just keeps bubbling to the top of concerns.
Throughout last week and over the weekend while watching the news programs, listening to the political pundits, and reading various news magazines there has been much talk about how perhaps millions of Whitehouse emails have seemed to have vanished, along with discussion about the use of non-Whitehouse systems for Whitehouse business emails.
HIPAA Security Rule and Privacy Rule Enforcement Reportedly Going To Be Pursued In 2007
Monday, April 9th, 2007Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into effect. Passing a law and then not doing anything to enforce it, even after the enforcement agencies have received tens of thousands of complaints reporting noncompliance, makes the law weak and prone to disregard by covered entities (CEs) who see others getting away with noncompliance with just a, “Whoops! Sorry, we’ll try to fix that.”
Security and Legal Implications: NLRB Hears Oral Argument Regarding Employee’s Use of Employer’s Email System
Sunday, April 8th, 2007There are increasing reports of email misuse, malicious use, mistaken use, and just plain bad implementations of email systems that allow the many threats out in the wild and woolly Internet, and the desperado insiders, to exploit vulnerabilities. It is most common for information assurance pros to be fairly diligent in trying to keep malware out of the enterprise network through scanning and filtering emails, and it is good to see that it is also becoming a growing trend to try and prevent sensitive data from leaving the enterprise by using scanning and encryption. However, there are many other mishaps and business damage that can occur through the use, or misuse, of email and email monitoring that can have legal implications.
