Posts Tagged ‘personally identifiable information’
Wednesday, May 2nd, 2012
My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target! Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”
Me, “That’s pretty incredible, isn’t it? Companies are able to discover things like that about people more than ever before through analyzing what is called ‘Big Data’.”
Son, “That’s really creepy. I think you should (more…)
Tags:audit, big data, breach, breach response, change controls, compliance, data analytics, data mining, encryption, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Target, Wal-Mart
Posted in privacy | 1 Comment »
Tuesday, April 17th, 2012
Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Tags:audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »
Friday, March 30th, 2012
De-identification is a great privacy tool for all types of businesses, of all sizes. If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data. Even though it sounds complicated there are many good methods you can use to accomplish de-identification. And the great thing is, (more…)
Tags:anonymous, breach, compliance, de-identified data, de-identify, employment practice, encryption, IBM, Keywords: personal information, midmarket, non-compliance, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, re-identification, re-identify, Rebecca Herold, security, sensitive personal information, SPI
Posted in privacy | 2 Comments »
Saturday, November 28th, 2009
Sorry to be so tardy in getting a blog post out. As many of you know I’ve been working with the NIST Smart Grid Privacy Subgroup since late June. The work done for this group is through time volunteered by all involved.
As a quick recap, I led the privacy impact assessment (PIA) for the consumer-to-utility portion of the planned smart grid during the late June to late August/early September time frame. On Friday, 11/20, I provided an update on our NIST groups activities during the Gridwise Alliance phone conference; perhaps some of you were on that call?
Here are some links showing information about our NIST Smart Grid privacy group’s work:
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, NIST, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training, Smart Grid, Smart Meter, SmartGrid
Posted in Information Security, Laws & Regulations, Privacy and Compliance | 1 Comment »
Monday, November 9th, 2009
I’ve had about half a dozen folks ask me how things are going with the work I’m doing with the NIST Smart Grid privacy group, and if I could provide an update since my last couple of posts on the topic here and here.
The time is going by much too quickly, and I am getting a bit nervous as we get closer to when we need to have the next draft of the NISTIR ready, tentatively set for December 31; there is so much more to do in this VOLUNTEER group effort…
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, NIST, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training, Smart Grid, Smart Meter, SmartGrid
Posted in Privacy and Compliance | 3 Comments »
Thursday, November 5th, 2009
Over the years there have been many…too many…instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients…
(more…)
Tags:awareness and training, HIPAA, HITECH, Information Security, IT compliance, IT training, patient privacy, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, Rhode Island Hospital, security training
Posted in Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Thursday, October 29th, 2009
Tags:awareness and training, HIPAA, HITECH, Information Security, IT compliance, IT training, patient privacy, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training
Posted in Laws & Regulations, Privacy and Compliance | 2 Comments »
Wednesday, October 21st, 2009
I was recently asked several questions about my work with the NIST Smart Grid privacy group and associated issues. Here are a couple of those questions, and my answers to them…
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, NIST, NISTIR 7628, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training, Smart Grid
Posted in Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Thursday, October 8th, 2009
Since just before HIPAA went actively into effect I’ve done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I’ve done around 200 business associate (BA) information security and program reviews for just one CE, and these don’t even scratch the surface for how many BAs each CE has…
(more…)
Tags:awareness and training, HIPAA, HITECH, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, security training
Posted in Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Tuesday, October 6th, 2009
Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon’s MyTechnologyLawyer.com radio show for a segment entitled, “Is encryption enough to achieve privacy?”
I was pleasantly surprised to see a large number of great follow-up questions following the show!
I covered one of them in my post, “Don’t Throw Your Privacy Out The Window; Know How Your PII Is Used” Here are a couple more of those many questions I want to answer in this post…
(more…)
Tags:21 CFR Part 11, ADA, awareness and training, data retention, HIPAA, HITECH, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, security training, SSA
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
