Posts Tagged ‘personal information’
Saturday, January 3rd, 2015
Yesterday I read a news story about how a woman, Mrs. Anita Chanko, saw an episode of the Dr. Oz show “NY Med” that included video of her husband, who had died 16 months earlier, in the hospital receiving care after being hit by a truck while crossing the street. She did not know that such a video even existed.
The picture was blurred, but the woman knew it was her recently deceased husband because she recognized his voice when he spoke, the conversation topic, the hospital where the care was occurring, along with other visual indicators. She heard her husband ask about his wife; her. She then watched his last moments of life, and then his death on television. (more…)
Posted in HIPAA, PHI, Privacy and Compliance
Thursday, December 18th, 2014
Have you made plans for Data Privacy Day (DPD) yet? What, you’ve never heard of DPD? You can see more about it here. Or, have you heard about DPD, but you’ve not yet had time to plan for it? Well, I love doing information security and privacy awareness activities and events! I’ve been doing them for 2 ½ decades, and have written about them often, and included a listing of 250 awareness activities in my Managing an Information Security and Privacy Awareness and Training Program book.
Here are five of the ways that I’ve found to be very effective for raising privacy awareness throughout the years. (more…)
Posted in privacy
Thursday, December 18th, 2014
Once or twice a week I get a question from an organization that is considered to be a healthcare covered entity (CE) or business associate (BA) under HIPAA (a U.S. regulation) asking about the types of information that are considered to be protected health information (PHI). Last week a medical device manufacturer that is also a BA asked about this. I think it is a good time to post about this topic again.
If information can be (more…)
Posted in HIPAA, PHI
Thursday, December 11th, 2014
Today I had a great meeting with Sarah Cortes, with whom I am doing a session at the North America CACS ISACA conference in March. (I see I need to ask them to add Sarah’s name!)
I’m also going to teach a 2-day workshop (~4 hours each day), “Conducting A Privacy Impact Assessment” on March 18 & 19.
Every organization that handles personal information (PI) of any kind or form needs to know how to do a privacy impact assessment (PIA). And if you have PI from any type of individual, be it a customer, patient, employee, contractor, job applicant, etc., you need to make sure you are protecting, using and sharing the PI appropriately. A PIA will reveal where you are at risk of not meeting your privacy obligations. Attend my PIA class in March and I will be happy to help you learn how to perform PIAs, or improve upon how you already perform them!
Can’t go to the conference for some reason? I can still help you! I have a PIA Toolkit you can use.
Any questions? Let me know!
Posted in privacy impact assessment
Wednesday, December 10th, 2014
This year Admiral Mike Rogers, the current Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service, gave the luncheon keynote address at the U.S. Chamber of Commerce’s Third Annual Cybersecurity Summit, “Sharing Cyber Threat Information to Protect Business and America.” You can find it at: (more…)
Posted in privacy
Saturday, November 29th, 2014
It is that time of the year again…time for prognostications about the year ahead!
I was asked to provide a few predictions for 2015. Based upon not only what I’ve seen in 2014, but also foreshadowing from the past two to three decades, here are some realistic possibilities. (more…)
Posted in Cybersecurity, privacy
Wednesday, February 26th, 2014
Do you think the NSA is the biggest threat to your privacy? Certainly they are collecting a significant amount of personal data. And from the looks of it, with their new facility that may hold up to 12 exabytes (that’s 12,000,000,000,000,000,000 bytes) of data, they appear to be planning to continue collecting, and keeping, more data. This is an important topic, and I’ll look at it in more depth in an upcoming blog post. But for now, you need to know and understand that there are many other entities that are collecting data from you and your mobile apps in the same way as the NSA is slurping it up, along with several other ways. (more…)
Posted in Information Security, mobile computing, privacy
Saturday, February 1st, 2014
I first started working on security for truly mobile computing devices (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
Posted in Information Security, mobile computing
Friday, January 31st, 2014
This week January 28 was recognized around the world as International Data Privacy Day. Data Privacy Day is the perfect time to think about all things privacy. For example, consider all the computing devices and gadgets you use, including smartphones and tablets. Many folks don’t realize these devices are continually collecting personal information about (more…)
Posted in privacy, Training & awareness
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Posted in BA and Vendor Management, Information Security