Posts Tagged ‘vendor oversight’

Mobile Device Security Continues to get More Complicated

Saturday, February 1st, 2014

I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993.  They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.

Where is it?

Probably the number one risk back then was the tendency to lose or misplace the device.  It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)

Yes, You Still Need Policies for Your Outsourced Activities!

Friday, December 27th, 2013

Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.

“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”

The one word reply to this statement is, (more…)

The PHI PII Egg Hunt

Saturday, March 30th, 2013

Locate it to protect it

I love speaking with folks about privacy, information security and compliance.  I am sincerely interested in hearing about their challenges, and then also identifying common challenges amongst them all.  We can then get to solutions. 

One of the consistently common challenges I’ve heard from privacy and security folks in the past several months is trying to (more…)

How Long is the Liability Tail?

Wednesday, March 27th, 2013

Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).

Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)