The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who want a say in how protected health information (PHI) is safeguarded, shared, and otherwise handled.
Posts Tagged ‘policies and procedures’
HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations
Monday, April 23rd, 2007Information Security: Laws Require Secure Disposal of Information in All Forms; Using BS 8470:2006 for Compliance
Friday, April 20th, 2007Many information security incidents have occurred through non-technical means by simply and thoughtlessly throwing away printed documents into publicly-accessible trash bins, or even putting computers and sensitive documents out on the streets. I have blogged about this several times, such as here, here, and here.
Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security
Thursday, April 19th, 2007Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all; the implications of employees posting from the corporate network, using their corporate email address within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may have to ultimately end up paying for, and many assorted other issues.
SMBs, Identity Theft & Insider Threat: Bad SMB Security Impacts Organizations of All Sizes
Wednesday, April 18th, 2007There are many articles written about the insider threat, several have been done, and often the focus is on large organizations where those employees with malicious intent are often either in positions of trust way down in the org chart, or the perpetrator is the person at the helm of the organization.
Free Information Security Training Workshops from FISSEA
Tuesday, April 17th, 2007The information security and privacy incidents tally continues to grow every day, the threats and vulnerabilities continue to appear every day, and information security and privacy professionals have a hard time keeping up with them all, not to mention keeping their own personnel aware of the many issues they face in their every day business work. And then to get the resources and time necessary to create an effective program! I know many folks often seem overwhelmed.
Admitted HIPAA Noncompliance at UPMC: Penalties Must Be Applied to Make Laws Effective
Monday, April 16th, 2007On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation of the Health Insurance Portability and Accountability Act (HIPAA).
Obscure Email Security Issues: Whitehouse Provides Lessons in Email Management Practices and Using Non-Business Email Accounts to Conduct Business
Sunday, April 15th, 2007So much is in the news lately related to information assurance it is hard to pick which one to share my thoughts about. However, the misuse of email, managing email, and the maintenance of email systems, which I know I’ve already talked about recently, just keeps bubbling to the top of concerns.
Throughout last week and over the weekend while watching the news programs, listening to the political pundits, and reading various news magazines there has been much talk about how perhaps millions of Whitehouse emails have seemed to have vanished, along with discussion about the use of non-Whitehouse systems for Whitehouse business emails.
Data Storage Must Be Secured to Protect Privacy
Saturday, April 14th, 2007Often times privacy breaches occur because the access controls are not configured appropriately for databases, or inadequate processes weren’t even established to protect data within the network perimeter. Too many organizations still focus almost all of their efforts on securing the typically highly fuzzy and porous perimeter to the exclusion of other highly vulnerable areas. Many incidents can be prevented by putting more attention and time to securing the data storage areas.
Obscure Email Security Issue: 5 Lessons About Re-using Email Addresses
Thursday, April 12th, 2007Does your organization ever re-use email addresses whenever someone leaves the company? Do you know that some of your customers‚Äô and personnel’s email service providers re-use email addresses when their subscribers leave? Probably more than you realize.
Security Software Must be Secure: 25 Questions To Ask Security Vendors
Wednesday, April 11th, 2007A little over 10 or so years ago, when I was responsible for information security and privacy at a large financial organization, I was doing research into PKI products and solutions. The sales exec for one of the products I was considering insisted on coming onsite with his “lead scientists and engineers” to tell me and some other folks in the IT and information security area about how wonderful their PKI product was. I did some research and prepared a couple of pages of questions to ask them about the specifics of their product. The sales exec, who has since gone on to other work and is also now a friend of mine, later told me that he felt like shrinking and hiding under the table as I asked questions about the specifics, functionality and support of their product that the developers themselves could not answer, and, even worse, many that they had not even thought about.
