Posts Tagged ‘regulatory compliance’

How Good are the Security Practices for “America’s Most Admired Companies 2007”?

Tuesday, March 6th, 2007

Yesterday CNN reported the results of the FORTUNE 2007 survey of business people for the companies, in any industry, they admired most.
The rankings were based upon 8 key score areas:

(more…)

More About the FTC Tech-ade Public Hearing

Wednesday, November 15th, 2006

I just found a blog for the FTC Tech-ade public hearing I just posted about: the Tech-Ade Blog. Some very interesting thoughts about a wide range of topics!

FTC Public Hearing Presenters Forecast Privacy Concerns For the Next 10 Years

Wednesday, November 15th, 2006

The Federal Trade Commission (FTC) held a public hearing Nov. 6-8 at George Washington University to discuss the ways in which technological and business developments will impact consumers’ experiences in the next 10 years.

(more…)

The State of Information Security According to E&Y

Tuesday, November 14th, 2006

This year’s Ernst & Young Global Information Security Survey 2006 is out and it is always an interesting read. Arguments aside about the statistical accuracy of such surveys, it still provides useful information and also helps to track progress in the topics covered as the years march on. The history alone involved with the survey (this is the 9th year for it) is quite revealing. My, my, how concerns have changed in less than a decade!

(more…)

How the HIPAA Enforcement Rule Impacts the Compliance Efforts of Covered Entities

Wednesday, August 16th, 2006

In this episode, I speak with two highly experienced HIPAA compliance experts, Kevin Beaver and Brad Smith, to get their views and opinions about this much discussed but often debated regulation. In particular we discuss the relatively new HIPAA Administrative Simplification Enforcement Final Rule, and how it impacts providers and payers. We explore and try to determine what, if any, impact the HIPAA Enforcement Rule has on Covered Entities.

Instead of clarifying compliance enforcement issues for covered entities (CEs), the Enforcement Rule has seemed to confuse and mislead many CEs into believing that they really don’t need to do much with regard to HIPAA compliance unless the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) come knocking at their door and tell them they specifically need to do something. 

Not all CEs are lackadaisical, though; Kevin, Brad and I discuss some of the CEs that have been very diligent in their HIPAA compliance efforts. However, we also discuss some examples of blatant disregard for HIPAA, and the resulting risks to organizations from such action. We also discuss the importance of addressing compliance through partnering information security, privacy, legal and compliance areas.



MP3: Rebecca Herold – How the HIPAA Enforcement Rule Impacts the Compliance Efforts of Covered Entities

Data De-identification and Masking Methods

Monday, July 31st, 2006

There is increasing concern about the use of real/actual personally identifiable information (PII) for test and development purposes. I’m also increasingly concerned about the use of PII by sales representatives who are showing demos to potential clients. I was recently surprised to see a vendor showing me a demo of his security software using the actual production data of his clients, which included a vast amount of PII about his clients’ customers, such as names, social security numbers and credit card numbers. He had accumulated this information while doing work for the clients with the software. Needless to say, his demo turned into a long discussion about the risks involved with this practice. Such a practice is an incident and lawsuit waiting to happen. Unfortunately the sales staff at many companies use production data for demo purposes. And it’s not just software vendors. Insurance representatives often show their potential clients demos using PII, as do financial organizations, and healthcare companies, plus potentially other industries. Do you know if your sales staff is using your production data?

I just posted a new podcast, “Data De-identification and Masking Methods,” a follow-up to my last podcast, “What IT Leaders Need to Know About Using Production Data for Testing.” I discuss some of the ways in which data can be de-identified, or masked, to use for not only test purposes, but also for demo and other purposes. There are many ways to de-identify and mask data. Some are better than others. It all depends upon the type of data you’re working with, and the associated application or system. I briefly describe seven ways in which data can be masked and de-identified, in addition to an alternative in the slim chance that there is absolutely no way in which anything other than production data can be used for testing. The ultimate goal is to protect the privacy and confidentiality of PII while also making meaningful data available for purposes of testing, demos or analysis.



MP3: Rebecca Herold – Data De-identification and Masking Methods

What IT Leaders Need to Know About Using Production Data for Testing

Friday, July 14th, 2006

There are many issues involved with using live production data, particularly real personally identifiable information (PII), for test and demo purposes.  For many years it has been the norm within organizations to use copies of production data for testing during applications and systems development.  However, over the past few years this practice is becoming more and more of a bad idea with all the new privacy laws and regulations, identity theft cases, insider instigated fraud, increased customer awareness, and the growing number of companies using outsourced companies to manage applications development, testing and quality assurance. 

In my latest podcast I discuss the importance of and reasons for using data that does not include real, production PII for test and development purposes.



MP3: Rebecca Herold – What IT Leaders Need to Know About Using Production Data for Testing