Posts Tagged ‘Information Security’

Another Hospital Suspends Staff For Violating HIPAA Requirements

Wednesday, October 10th, 2007

A couple of weeks ago I blogged about the Ivinson Memorial Hospital applying sanctions to their staff for violating HIPAA requirements.
They have set a good example…another hospital has also applied sanctions…suspending 27 of their staff members for violating HIPAA requirements.

(more…)

Iowa Universities Provide Examples of Good and Bad Information Security and Privacy

Wednesday, October 10th, 2007

In the past week the two largest universities in Iowa provided examples of both great and poor security practices. Let’s see…how about the bad example first?

(more…)

New Nevada Law Explicitly Requires Organizations to Encrypt PII Sent Through Networks

Tuesday, October 9th, 2007

To date there have been several laws that direct organizations in certain industries to consider using encryption as one way to protect data based upon the organization’s considered risks, and laws that make encryption a factor in decisions regarding breach notifications, but until now no laws that I’m aware of explicitly required personally identifiable information (PII) to be encrypted. The state of Nevada has now changed that!

(more…)

Increase Business Productivity AND Reduce Carbon Dioxide Emissions

Monday, October 8th, 2007

While participating in a discussion in the Security Catalyst community I posted a message about how much more productive time I have now that I work from my home office as opposed to commuting in to an office building each day. After I finished posting I started thinking about how much more productive most businesses could be if they would establish significant portions of their workforce to work from home.

(more…)

Something You Should Know: FTC Is Aggressively Going After Companies With Poor Security

Sunday, October 7th, 2007

Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing “unfair and deceptive trade practices.”

(more…)

Who Would Want to Be a CISO or CPO for a Social Networking Site?

Friday, October 5th, 2007

This morning I spoke with a reporter from billingworld.com about social networking sites, innovation and partnering established businesses with new sites such as this and the risks involved. After the call I continued to think about this and jotted down a few notes…

(more…)

Why Would You Trust Microsoft To Store Your Sensitive Health Information?

Thursday, October 4th, 2007

Today Microsoft launched their new web portal, HealthVault to store, for free, “medical histories, immunization and other records from doctors’ offices and hospital visits, including data from devices like heart monitors. It is also tied to a health information search engine the software maker launched last month.”

(more…)

Know How To Motivate Your Personnel To Protect Information

Wednesday, October 3rd, 2007

Not everyone has the same motivation to secure the information they handle or access while they are working. This is something very important for information security and privacy practitioners to understand, but unfortunately too many do not think about motivation factors when creating and managing their information security, privacy and compliance programs.

(more…)

Lack of testing, lack of built-in security, and inadequate protection for stored data lead list of PCI noncompliance items

Tuesday, October 2nd, 2007

I figured that since the PCI DSS compliance deadline for Level 1 merchants was this past Sunday that there would probably be a ton of published news reports about it on Monday. There were…and today as well! One that caught my eye was in eWeek on Monday, “Comparison Shows Very Little Shift in PCI Failures.”

(more…)

ABN Amro PII Breached Through P2P: Lessons Learned

Monday, October 1st, 2007

Much is written about the risks P2P presents to organizations, but many organizations continue to implement P2P technologies, or more accurately allow their personnel to implement them on computers used for business, because they are willing to risk that the threat theories will not materialize within their own organizations.

(more…)