Posts Tagged ‘risk management’
Thursday, April 10th, 2014
In the past couple of weeks I’ve gotten a couple dozen questions from my clients that are small to midsized covered entities (CEs) or business associates (BAs) under HIPAA, in addition to several small to midsized start-ups that provide services in other industries. And, while some of these concerns are arising out completely erroneous advice, regrettably, some of the questions resulted from my own mea culpa of writing a confusing sentence in my last blog post, for which I’ve since provided a clarification within. (Lesson: I need to spend more time double-checking/editing text prior to posting after doing edits to cut the length.) I apologize for any confusion or alarm that may have arisen as a result.
However, this does provide a good opportunity to examine in more depth the compliance issues related to Windows XP use, and the related questions I’ve received. The following are the most common questions I’ve answered in the past several days. (more…)
Tags:awareness, compliance, cybersecurity, data protection, HIPAA, IBM, Information Security, infosec, midmarket, non-compliance, PCI DSS, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, upgrade, Windows XP, XP upgrade
Posted in HIPAA | No Comments »
Tuesday, March 25th, 2014
If you haven’t heard yet, Windows XP will no longer be supported after April 8, 2014. That’s just a couple of weeks away! Why should you even care? Well, because you may have an important, or even mission-critical, computing device you use for your business, or for personal use, that is running on Windows XP. According to NetMarketShare at the end of February, 2014, 30% of all folks using Windows desktop computers were still running Windows XP. This is around ½ a BILLION computers, folks! After support ends, (more…)
Tags:awareness, compliance, cybersecurity, data protection, IBM, Information Security, infosec, midmarket, non-compliance, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, upgrade, Windows XP, XP upgrade
Posted in Information Security | 1 Comment »
Thursday, March 20th, 2014
It seems that right now phone scam season is going strong! Last week I posted about some common scams targeting businesses. Those same scams are also targeting the general public, so please be on the lookout for them. In addition to those, here are some others that seem to be targeting primarily individuals and the general public. (more…)
Tags:awareness, compliance, cybercrooks, cybersecurity, data protection, IBM, Information Security, infosec, Keywords: phone scams, midmarket, non-compliance, personal information identifier, personal information item, phishing, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, robocall, security, social engineering, surveillance, training
Posted in Uncategorized | No Comments »
Friday, March 14th, 2014
It seems that right now phone scam season is going strong! I got 2 calls last week from scammers. I got another scammer call during a meeting last night. Two of my LinkedIn contacts got calls in the past week that they asked me about. A local newspaper columnist got a call from a scammer. As folks are becoming more aware of phishing attempts via email and other types of malware, they are also becoming more lax about spotting phone scams, often stating the belief that most crooks are using online phishing scams instead of any other type of rip-off. (more…)
Tags:awareness, compliance, cybercrooks, cybersecurity, data protection, IBM, Information Security, infosec, Keywords: phone scams, midmarket, non-compliance, personal information identifier, personal information item, phishing, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, robocall, security, social engineering, surveillance, training
Posted in Uncategorized | 1 Comment »
Wednesday, February 26th, 2014
Do you think the NSA is the biggest threat to your privacy? Certainly they are collecting a significant amount of personal data. And from the looks of it, with their new facility that may hold up to 12 exabytes (that’s 12,000,000,000,000,000,000 bytes) of data, they appear to be planning to continue collecting, and keeping, more data. This is an important topic, and I’ll look at in more depth in an upcoming blog post. But for now, you need to know and understand that there are many other entities that are collecting data from you and your mobile apps in the same way as NSA is slurping it up, along with several other ways. (more…)
Tags:awareness, compliance, cybercrooks, cybersecurity, data protection, encrypt, encryption, IBM, Information Security, infosec, midmarket, Mobile apps, mobile device, non-compliance, NSA, personal information, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, wearable device, wireless
Posted in Information Security, mobile computing, privacy | No Comments »
Tuesday, February 25th, 2014
Recently I’ve heard in various discussion venues the argument that information security controls are an impediment to technology use, and that instead we should look at demotivating the hackers. With specific regard to medical devices, one commenter stated that generally, the best “bet in defending medical devices (as well as financial systems) is making the information useless/pointless for the attackers.” This is a dangerous attitude, and minimizes the true value of data on the devices.
Considering data on any type of computing device is considered (more…)
Tags:audit, awareness, compliance, data protection, due diligence, hack, hacker, hacking, IBM, Information Security, information security policy, infosec, laws, medical device, midmarket, mobile device, non-compliance, outsourcing, penalties, personal information identifier, personal information item, policies, privacy, privacy policy, privacy professor, privacyprof, punishment, Rebecca Herold, risk assessment, risk management, sanctions, security, security procedure, training, vendor
Posted in Information Security, privacy | No Comments »
Saturday, February 1st, 2014
I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, compliance, covered entity, data protection, disclosure, due diligence, Google Glass, IBM, incidental, Information Security, information security policy, infosec, iWatch, midmarket, mobile device, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, third party, training, vendor, vendor contract, vendor oversight, wearable device, wireless
Posted in Information Security, mobile computing | No Comments »
Friday, January 31st, 2014
This week January 28 was recognized around the world at International Data Privacy Day. Data Privacy Day is the perfect time to think about all things privacy. For example, consider all the computing devices and gadgets you use, including smartphones and tablets. Many folks don’t realize these devices are continually collecting personal information about (more…)
Tags:audit, awareness, compliance, Data Privacy Day, data protection, IBM, Information Security, information security policy, infosec, Iowa Data Privacy Day, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, security procedure, training, vendor
Posted in privacy, Training & awareness | No Comments »
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, due diligence, HIPAA, HITECH, IBM, incidental, Information Security, information security policy, infosec, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, training, vendor, vendor contract, vendor oversight
Posted in BA and Vendor Management, Information Security | No Comments »
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »