Posts Tagged ‘procedures’
Thursday, May 21st, 2015
Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices? (more…)
Tags:business associate, contractor, Dell, Information Security, outsourcing, policies, powermore, privacy, privacy professor, privacyprof, procedures, Rebecca Herold, risk management, risks, toprank, vendor management
Posted in BA and Vendor Management | No Comments »
Tuesday, May 12th, 2015
The expanding use of smart gadgets in the Internet of Things (IoT) is creating many more privacy risks than ever before encountered. Many businesses are also (finally!) starting to address privacy. And interest in how to establish privacy programs and how to perform privacy impact assessments (PIAs) to identify privacy risks are increasing. The privacy risks to the business that can occur include such things as: (more…)
Tags:Dell, employee, future ready, high tech, Information Security, insider threat, Internet of Things, IoT, mobile working, PIA, policies, powermore, privacy, privacy harm, privacy impact assessment, privacy professor, privacy risk, privacyprof, procedures, Rebecca Herold, risk management, toprank
Posted in PIA, privacy | No Comments »
Friday, May 8th, 2015
What does the past teach us about how to #befutureready in BYOD?
During the last half of the 1990s there was concern for the growing use of employees’ own home desktop computers to dial-in to the corporate network from home. Thousands of articles and hundreds of conference sessions discussed the associated risks, and then how to mitigate them through documented policies and the use of new tools. Soon after 2000 passed the concerns expanded to employees using their personally owned laptops, not only outside of the office, but even bringing them into the facilities to use instead of the corporate-issued computers. Thousands more articles, and hundreds more conference sessions discussed how to address the risks. (more…)
Tags:befutureready, cybersecurity, Dell, employee, future ready, high tech, Information Security, insider threat, Internet of Things, mobile working, policies, privacy, privacy professor, privacyprof, procedures, Rebecca Herold, risk management, toprank
Posted in Information Security, Miscellaneous | No Comments »
Thursday, December 18th, 2014
Have you made plans for Data Privacy Day (DPD) yet? What, you’ve never heard of DPD? You can see more about it here. Or, have you heard about DPD, but you’ve not yet had time to plan for it? Well, I love doing information security and privacy awareness activities and events! I’ve been doing them for 2 ½ decades, and have written about them often, and included a listing of 250 awareness activities in my Managing an Information Security and Privacy Awareness and Training Program book.
Here are five of the ways that I’ve found to be very effective for raising privacy awareness throughout the years. (more…)
Tags:Data Privacy Day, Dell, dpd, Information Security, information security risks, infosec, personal information, policies, privacy, privacy awareness, privacy information, privacy professor, privacy risks, privacy training, privacyprof, procedures, protecting information journal, Rebecca Herold, risks, sensitive information, sensitive personal data, training
Posted in privacy | No Comments »
Wednesday, December 10th, 2014
This year Admiral Mike Rogers, the current Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service, gave the luncheon keynote address at the U.S. Chamber of Commerce’s Third Annual Cybersecurity Summit, “Sharing Cyber Threat Information to Protect Business and America.” You can find it at: (more…)
Tags:Admiral Rogers, Dell, Information Security, information security risks, infosec, NSA, personal information, policies, privacy, privacy information, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risks, sensitive information, sensitive personal data, training
Posted in privacy | No Comments »
Saturday, November 29th, 2014
It is that time of the year again…time for prognostications about the year ahead!
I was asked to provide a few predictions for 2015. Based upon not only what I’ve seen in 2014, but also foreshadowing from the past two-three decades, here are some realistic possibilities. (more…)
Tags:2015 predictions, big data, big data analytics, breaches, Dell, FDA, FTC, HHS, HITECH, Information Security, information security risks, infosec, Internet of Things, IoT, personal health recordsHIPAA, personal information, PHR, policies, privacy, privacy breach, privacy information, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risks, sensitive information, sensitive personal data, training
Posted in Cybersecurity, privacy | No Comments »
Tuesday, November 4th, 2014
Earlier this year after a session I gave at a conference, an attendee who was new to information security, and had just been assigned this responsibility at a mid-sized organization in the healthcare industry, asked if he could visit with me for a while about risk management. Well, of course! During the course of our conversation I learned that he had gotten some very bad advice about risk management in general, and risk assessments in particular. I know from reading various comments throughout the social media discussion sites that bad advice is becoming far too common, with many (more…)
Tags:compliance, compliance documentation, documentation, HIPAA, Information Security, information security risks, infosec, midmarket, policies, privacy, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risk assessment, risk management, risks, SIMBUS, training
Posted in Information Security | No Comments »
Tuesday, October 21st, 2014
October is National Cyber Security Awareness Month. It would seem the breaches announced virtually every day of this month so far were orchestrated to highlight the need for organizations to beef up their information security efforts and improve their controls.
Sadly instead, cyber incidents seem to have become de rigueur these days. Consumers are getting fed up, and government agencies are proposing more laws. The tide is turning, and soon organizations will be held accountable for more effectively protecting their systems and information, or they will likely face much steeper fines and penalties than ever before. So, now’s the time to take action! Here are six actions you to take this month to start improving your organization’s information security program and associated efforts. (more…)
Tags:awareness, compliance, compliance documentation, documentation, HIPAA, IBM, Information Security, information security risks, infosec, midmarket, national cyber security awareness month, ncsam, policies, privacy, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, SIMBUS, training
Posted in Information Security, Training & awareness | No Comments »
Friday, December 21st, 2012
This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool. Grrr!! There are (more…)
Tags:audit, audits, awareness, BA, breach, business associate, business partner, CE, compliance, covered entity, customers, data protection, e-mail, electronic mail, email, employees, employment, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, procedures, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA, CE, HIPAA, Information Security | 1 Comment »
Tuesday, April 19th, 2011
News broke yesterday about a physician in Rhode Island, at the Westerly Hospital, who was sanctioned for posting protected health information (PHI) on her Facebook page: (more…)
Tags:awareness, facebook, HIPAA, HITECH, patient information, PHI, policies, privacy, procedures, Rebecca Herold, Rhode Island, security, social media, Than, training, Westerly Hospital
Posted in BA, CE, healthcare, HIPAA, privacy, Privacy and Compliance, Social Media | 1 Comment »