Strong security controls are necessary for more than just preventing hack attempts

February 25th, 2014

Recently I’ve heard in various discussion venues the argument that information security controls are an impediment to technology use, and that instead we should look at demotivating the hackers. With specific regard to medical devices, one commenter stated that generally, the best “bet in defending medical devices (as well as financial systems) is making the information useless/pointless for the attackers.”  This is a dangerous attitude, and minimizes the true value of data on the devices.

Considering data on any type of computing device is considered Read the rest of this entry »

Mobile Device Security Continues to get More Complicated

February 1st, 2014

I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993.  They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.

Where is it?

Probably the number one risk back then was the tendency to lose or misplace the device.  It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today Read the rest of this entry »

Time to Focus on Privacy Every Day

January 31st, 2014

This week January 28 was recognized around the world at International Data Privacy Day. Data Privacy Day is the perfect time to think about all things privacy. For example, consider all the computing devices and gadgets you use, including smartphones and tablets.  Many folks don’t realize these devices are continually collecting personal information about Read the rest of this entry »

Yes, You Still Need Policies for Your Outsourced Activities!

December 27th, 2013

Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.

“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”

The one word reply to this statement is, Read the rest of this entry »

If it was Intentional it is *NOT* Incidental

December 11th, 2013

In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… Read the rest of this entry »

Organizations Need to Use More Than One Type of Encryption

December 3rd, 2013

Encryption has been talked about a lot lately.  I’ve gotten at least a couple dozen questions from my Compliance Helper clients in the past month.  They can pretty much be boiled down to this question:

What encryption solution should we use?

Many of the small and mid-size businesses I help, and many start-ups of any size, are under the assumption that if they get one encryption solution, it will Read the rest of this entry »

What You Need to Know for Retention Compliance

November 20th, 2013

One of the things I love about helping all my Compliance Helper (CH) clients with their information security and privacy compliance activities is that they often ask questions that most other small and mid-size organizations also have. So, I then have a great opportunity to share advice!  One of my recent conversations dealt with the challenges my mid-size client was having in trying to appropriately customize the data and records retention policy and procedure I provide through the CH service to fit his organization’s unique type of business associate service, while also meet compliance with the HIPAA retention requirements. The paraphrased questions below started our conversation after I advised that there are many types of documents that must be retained for at least 6 years to meet compliance: Read the rest of this entry »

If there’s a Shred of Evidence it’s Not Shredded

October 28th, 2013

“What’s the minimum shred size?”

Recently I got a great question from one of my Compliance Helper clients:

“This may seem like a silly question, but is there any type of HIPAA compliance requirements for shredder types?  For example, minimum shred size?”

Not a silly question at all! Of the organizations that shred their paper documents (there are still way too many that don’t), a large portion of them are not shredding their documents to a point that they are actually doing so effectively. Here are some points and tips Read the rest of this entry »

You Must Practice Daily Compliance Hygiene

October 22nd, 2013

Compliance, like much of life, takes ongoing effort

Okay, folks. Time for a reality check for what data protection compliance involves. 

You know what’s often tedious and hard? Well, a lot of things in life. Read the rest of this entry »

Ever Feel like Somebody is Watching You? They Are!

October 1st, 2013

“Sometimes I feel like…somebody’s watching me! And I have no privacy!”

(The Rockwell hit from…quite appropriately…1984.)

Each day, we are tracked by the ‘smart’ systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people, and businesses, about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail), I created this new infographic Read the rest of this entry »