Posts Tagged ‘infosec’
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Tuesday, December 3rd, 2013
Encryption has been talked about a lot lately. I’ve gotten at least a couple dozen questions from my Compliance Helper clients in the past month. They can pretty much be boiled down to this question:
What encryption solution should we use?
Many of the small and mid-size businesses I help, and many start-ups of any size, are under the assumption that if they get one encryption solution, it will (more…)
Tags:awareness, breach, cloud, compliance, cryptography, data protection, encrypt, encryption, HTTPS, IBM, information management, Information Security, information technology, infosec, IT security, midmarket, non-compliance, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, SSL, systems security, TLS, training
Posted in Information Security | No Comments »
Wednesday, November 20th, 2013
One of the things I love about helping all my Compliance Helper (CH) clients with their information security and privacy compliance activities is that they often ask questions that most other small and mid-size organizations also have. So, I then have a great opportunity to share advice! One of my recent conversations dealt with the challenges my mid-size client was having in trying to appropriately customize the data and records retention policy and procedure I provide through the CH service to fit his organization’s unique type of business associate service, while also meet compliance with the HIPAA retention requirements. The paraphrased questions below started our conversation after I advised that there are many types of documents that must be retained for at least 6 years to meet compliance: (more…)
Tags:21 CFR Part 11, awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data management, data protection, data retention, GLBA, HIPAA, HITECH, IBM, information management, information retention, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, retain, retention, risk assessment, risk management, security, SSA, systems security, training, USA PATRIOT Act
Posted in HIPAA, Laws & Regulations | No Comments »
Monday, October 28th, 2013
“What’s the minimum shred size?”
Recently I got a great question from one of my Compliance Helper clients:
“This may seem like a silly question, but is there any type of HIPAA compliance requirements for shredder types? For example, minimum shred size?”
Not a silly question at all! Of the organizations that shred their paper documents (there are still way too many that don’t), a large portion of them are not shredding their documents to a point that they are actually doing so effectively. Here are some points and tips (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, disposal, dispose, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, reassemble, Rebecca Herold, risk assessment, risk management, security, shred, shredder, systems security, training, unshred
Posted in Information Security | No Comments »
Tuesday, October 22nd, 2013
Compliance, like much of life, takes ongoing effort
Okay, folks. Time for a reality check for what data protection compliance involves.
You know what’s often tedious and hard? Well, a lot of things in life. (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, systems security, training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
Tuesday, October 1st, 2013
“Sometimes I feel like…somebody’s watching me! And I have no privacy!”
(The Rockwell hit from…quite appropriately…1984.)
Each day, we are tracked by the ‘smart’ systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people, and businesses, about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail), I created this new infographic (more…)
Tags:awareness, big data, breach, compliance, data protection, encrypt, encryption, IBM, Information Security, information technology, infosec, Internet of Things, IT security, midmarket, monitoring, NIST, non-compliance, NSA, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, social network, surveillance, systems security, training
Posted in Miscellaneous, privacy | No Comments »
Thursday, September 26th, 2013
I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is now no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, encrypt, encryption, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, NIST, non-compliance, NSA, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, RSA, security, social network, surveillance, systems security, training
Posted in government, Information Security | No Comments »
Friday, August 30th, 2013
Over the past week a few reporters who were following up on a recent breach of 9 million patient records for stories they were writing asked me basically the same question amongst all their others, “What are the barriers that stop healthcare organizations from encrypting their devices?” One of the resulting stories, by Marianne McGee, has been posted at HealthCareInfosecurity. During my work with a wide range of small to large organizations, in a wide range of industries, I’ve found there are some common reasons why encryption is not implemented. Here are the top four I’ve run across. (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, encrypt, encryption, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, social network, surveillance, systems security, training
Posted in HIPAA, Information Security | No Comments »
Tuesday, August 27th, 2013
The deadline for complying with the Omnibus Rule is quickly approaching. Psst…it’s September 23 for most covered entities (CEs) and business associates (BAs). I’ve been tardy in getting blog posts made because I’ve been happy to have the opportunity to help my hundreds of Compliance Helper and Privacy Professor clients to get into compliance with all the HIPAA and HITECH rules, many just getting there for the first time, in addition to the Omnibus Rule changes and new requirements. I’ve been getting a lot of HIPAA questions from many of the CEs and BAs. I thought it would be helpful to provide some of them on my blog. I’ll start with an interesting question about (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, marketing, midmarket, monitoring, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, sales, security, social network, surveillance, systems security, training
Posted in BA, CE, HIPAA, Laws & Regulations | No Comments »
Wednesday, July 31st, 2013
This past week one of my marketing friends made a statement I’ve heard far too many sales and marketing folks say over the years.
“The IT Security folks don’t have decision-making authority, and they aren’t concerned with anything beyond their network. I try not to spend too much time on them.”
It reminded me of when I was responsible for information security and privacy at a multi-national financial and healthcare organization throughout the 1990’s. I had (more…)
Tags:awareness, breach, compliance, data protection, IBM, Information Security, information technology, infosec, IT security, marketing, midmarket, monitoring, non-compliance, PHI, PII, policies, privacy, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, sales, security, social network, surveillance, systems security, training
Posted in Information Security | No Comments »