Posts Tagged ‘risk management’
Sunday, February 3rd, 2013
Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located. One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, contracted workers, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, outsource, oversight, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA | No Comments »
Thursday, January 24th, 2013
A Tale of Two Viewpoints
When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990’s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk. The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough. And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in Information Security, Laws & Regulations | No Comments »
Friday, December 21st, 2012
This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool. Grrr!! There are (more…)
Tags:audit, audits, awareness, BA, breach, business associate, business partner, CE, compliance, covered entity, customers, data protection, e-mail, electronic mail, email, employees, employment, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, procedures, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA, CE, HIPAA, Information Security | 1 Comment »
Monday, December 17th, 2012
There have been a lot online posts and talk lately about risk management and the “proper” or “acceptable” way to do risk assessments. It seems that the overwhelming talk, though, is only about the right and wrong way to do a risk assessment whenever considering a risk management program. Certainly, using the best risk assessment method to fit your business environment is very important; one size, and one method, does not fit all! However, there are so many more activities necessary within a risk management program than just occasionally doing a risk assessment. Regulatory agencies are (more…)
Tags:audit, awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter, walk through
Posted in Information Security | 2 Comments »
Friday, June 3rd, 2011
A couple of days ago I published my monthly Privacy Professor Tips message, “Summer Break-in.” I provide these tips free to anyone who wants to sign up for it on my web site and fills out one of the boxes that says, (more…)
Tags:awareness, breach, compliance, GLBA, herold, HIPAA, HITECH, incident, Information Security, privacy, privacy professor, privacy training, Rebecca Herold, risk, risk management, security training, training
Posted in Information Security, Laws & Regulations, privacy, Privacy and Compliance, Training & awareness | No Comments »
Tuesday, March 8th, 2011
I participate in the Focus network and tried to answer the following question from “Caty” on their discussion board:
“How can compliance automation help secure my organization’s IT infrastructure?” Please describe the benefits of compliance automation and discuss how it can be used to secure an organization’s IT infrastructure.
However, after trying to submit my response in around half a dozen ways, I was told my answer was too long. Instead of shaving off some of my content, I decided to post here to my blog, and then point to here from there. Perhaps my other blog readers will be interested in my thoughts on this topic as well.
So, here is my answer… (more…)
Tags:compliance, HIPAA, HITECH, Information Security, privacy, Rebecca Herold, risk assessment, risk management
Posted in HIPAA, HITECH, Information Security, privacy, Privacy and Compliance | 2 Comments »
Friday, February 4th, 2011
NOTE: This is a repost for those that have browsers that could not open the original. Hopefully this will fix the problem!
Over the years I’ve had a lot of organizations ask me about whether HIPAA applies to faxes, copy machines, and other types of specific technologies. It is very important that covered entities (CEs), business associates (BAs) and their subcontractors understand that HIPAA applies to protecting the information! It doesn’t matter what the conduit is for how the information is transmitted, or where it is stored or accessed from. The important point is that protected health information (PHI), in all forms, must be protected. The Security Rule applies to only electronic data, but the Privacy Rule and HITECH apply to all forms of PHI. Okay; let’s keep this in mind when considering the following question I got earlier this week from a HIPAA business associate…
(more…)
Tags:Compliance Helper, fax, Rebecca Herold, risk management
Posted in BA, CE, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | No Comments »
Friday, July 10th, 2009
I’ve had some very interesting discussions about the CMU SSN study throughout the week, and, before moving on to other topics next week, I wanted to wrap up the week and discussion with some final thoughts on the CMU SSN topic..
(more…)
Tags:awareness and training, Carnegie Mellon, CMU, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social engineering, social security number, SSN
Posted in Information Security, Privacy and Compliance | No Comments »
Wednesday, July 8th, 2009
Following the release of the CMU SNN report on Monday, I’ve had some very interesting discussions with privacy and information security folks, and I’ve been pretty amazed at some of the reactions to the study.
I also posted about this to one of the GRC mailing lists I participate in, and I got some questions asking me for my thoughts about some specific issues. I wanted to share those thoughts here as well…
(more…)
Tags:awareness and training, Carnegie Mellon, CMU, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social engineering, social security number, SSN
Posted in Information Security, Privacy and Compliance | No Comments »
Monday, July 6th, 2009
It is nice to have scientific evidence of what we’ve been telling business leaders ever since they wanted to start using SSNs as identifiers and passwords!
Today Carnegie Mellon University (CMU) released a very revealing report, “Predicting Social Security numbers from public data” I want to expand upon some of the issues covered within it, and then urge you to communicate effectively to your business leaders the related concerns of your organization…
(more…)
Tags:awareness and training, Carnegie Mellon, Information Security, IT compliance, IT training, policies and procedures, privacy, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | No Comments »
