Posts Tagged ‘security’
Wednesday, May 2nd, 2012
My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target! Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”
Me, “That’s pretty incredible, isn’t it? Companies are able to discover things like that about people more than ever before through analyzing what is called ‘Big Data’.”
Son, “That’s really creepy. I think you should (more…)
Tags:audit, big data, breach, breach response, change controls, compliance, data analytics, data mining, encryption, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Target, Wal-Mart
Posted in privacy | 1 Comment »
Tuesday, April 17th, 2012
Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Tags:audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »
Friday, March 30th, 2012
De-identification is a great privacy tool for all types of businesses, of all sizes. If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data. Even though it sounds complicated there are many good methods you can use to accomplish de-identification. And the great thing is, (more…)
Tags:anonymous, breach, compliance, de-identified data, de-identify, employment practice, encryption, IBM, Keywords: personal information, midmarket, non-compliance, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, re-identification, re-identify, Rebecca Herold, security, sensitive personal information, SPI
Posted in privacy | 2 Comments »
Friday, March 23rd, 2012
In case you’ve not paid attention to the news in the past week, there has been a barrage of stories (over 1500 turned up in a quick online search) about organizations asking job applicants and employees for their Facebook, Twitter, LinkedIn and other social networking passwords. It’s a hot topic folks! I’ve listed a bunch of them at the end of this post. Compelled password disclosure is a very bad idea for organizations to do for many reasons. Here are six that should be compelling to business management: (more…)
Tags:employee privacy, employment practice, facebook, LinkedIn, midmarket, password, policies, privacy, privacy professor, privacyprof, Rebecca Herold, security, social media, social network, twitter, YouTube
Posted in privacy, Social Media | 3 Comments »
Friday, March 2nd, 2012
I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information. And, I also want to stop seeing stories reappear about such an incident, such as the stolen NASA laptop with the clear text Space Station control codes that was stolen last year, but is making the headlines yet again today. NASA is a large enough, and tech savvy enough, organization to know better! However, there are many organizations that simply don’t understand what a valuable information security tool encryption is. I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information. Over the past year I’ve heard way too many of them make remarks such as… (more…)
Tags:BA, business associate, CE, covered entity, encrypt, encryption, HIPAA, HITECH, IBM, medium business, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, small business, SMB, W-2, W2
Posted in Information Security | 1 Comment »
Monday, February 27th, 2012
“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”
First the full question: (more…)
Tags:BA, business associate, CE, covered entity, HIPAA, HITECH, IBM, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, W-2, W2
Posted in BA, CE, HIPAA, HITECH | No Comments »
Sunday, January 8th, 2012
When looking ahead to what may happen in this new year it is necessary to first look back. Not only to 2011, but when making plans to move forward even further back to help make the best decisions moving forward. I do a lot of reading, including many mainstream publications written for the general public. You can see a lot of trends and problems by reading about how the general public is reporting (or not) about them. I also like to read the various publications specific to information security, privacy, compliance and technology to see the backstories and guts of the problems. Looking at all such reports helps to provide a more comprehensive view necessary for making good decisions. (more…)
Tags:2011, 2012, awareness, cloud computing, compliance, governance, GRC, Information Security, infosec, mobile computing, privacy, privacyprof, Rebecca Herold, security, Smart Grid, Smart Meter, training
Posted in Information Security, mobile computing, privacy | No Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Thursday, June 2nd, 2011
My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)
Tags:access report, accounting of disclosures, BA, business associates, CE, Compliance Helper, covered entities, designated record set, DRS, herold, HHS, HIPAA, HITECH, Information Security, NCHICA, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule
Posted in BA, CE, healthcare, HIPAA, HITECH, Laws & Regulations, Privacy and Compliance | 1 Comment »
Tuesday, May 31st, 2011
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule
Posted in BA, CE, HIPAA, HITECH, Laws & Regulations, privacy, Privacy and Compliance | 10 Comments »
