What nineteen audiences in twelve months taught me?

Navigating Fear in the Security and Compliance World

In advancing technology it is fear of having a project go sideways, over budget or fail to accomplish the stated objective that has many frozen. What if that technology we recommend doesn’t work as we hope? What if it is something required by law (such as encryption in healthcare) that we fear an unknown outcome so much that we won’t act? What if we miss a key component of a project or underestimate the effort required and the entire project goes over our budget?

What nineteen audiences in twelve months taught me?2014-12-17T23:02:14-08:00

How Can An IT Security Breach Cost Me My Job? The Sony Pictures Case

I don’t normally give a moments notice to stuff that goes on in Hollywood, but the story “Future of Sony's Amy Pascal questioned after hacked email revelations” caught my attention because of the cyber security aspect involved.  So often I hear executives say something similar to “I don’t worry about our security because we don’t have anything anyone would want to hack into.”

That complacent assessment is wrong as most everyone knows since today nearly all hacking/security breach incidents are the result of indiscriminate malware that scans the Internet searching for vulnerable systems.  When that malware finds a vulnerable system most of them run automated code that looks for passwords, bank account information, encrypts data for ransom, etc.

In this particular case a ton of data was stolen and released.  The implication for Sony Pictures Co-Chairman is that her personal e-mails were....

How Can An IT Security Breach Cost Me My Job? The Sony Pictures Case2020-01-06T20:27:56-08:00

Why Will My Company be Listed on the HHS Wall of Shame?

6 Reasons Organizations Fail to Encrypt ePHI

The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing electronic protected health information is stolen, so the organization is compelled to notify patients, Health and Human Services, and the media.  The Office of Civil Rights swoops in, levies a 7 figure fine, and posts the offender on the HHS “Wall of Shame”, resulting in a damaged reputation and loss of future earnings.

Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event, unreportable given the Safe Harbor provisions of HIPAA.  And inexpensive encryption technology has been readily available for years.  Yet, 538 or 46% of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.

So, if it is so obvious how to correct the deficiency that single-handedly accounts for the most frequent HIPAA Breach Notifications, why don’t more organizations properly encrypt and protect the ePHI entrusted to them?  Here are the six most common reasons we discover during our risk assessments …

Why Will My Company be Listed on the HHS Wall of Shame?2014-12-08T18:10:15-08:00

Here is an important tax reminder for Information Technology related spending

Under Section 179, your business is eligible to deduct up to $25,000 worth of equipment as long as it is purchased and operational by December 31, 2014.Phones, computers, software, office equipment and office furniture qualify for this deduction. If you [...]

Here is an important tax reminder for Information Technology related spending2014-12-02T17:33:00-08:00

What is Change Management and Why is it Important?

In the past two weeks I have witnessed a couple of contrasting situations involving configuration changes in IT.  In one environment the client has a strict adherence to the practice of using Change Management in all their IT operations.  In the other operation the client has been reluctant to embrace Change Management.  When it came time for one of those inevitable problems that occasionally hit the Information Infrastructure, the outcomes for the two firms was very different.

What is change management?

Here is the definition from Wikipedia based upon the industry standard Information Technology Infrastructure Library (ITIL).

Change management is an IT service management discipline. The objective of change management in this context is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure, in order to minimize the number and impact of any related incidents upon service. Changes in the IT infrastructure may arise reactively in response to problems or externally imposed requirements, e.g. legislative changes, or proactively from seeking improved efficiency and effectiveness or to enable or reflect business initiatives, or from programs, projects or service improvement initiatives. Change Management can ensure standardized methods, processes and procedures which are used for all changes, facilitate efficient and prompt handling of all changes, and maintain the proper balance between the need for change and the potential detrimental impact of changes.

A change is an event that is....

What is Change Management and Why is it Important?2018-01-29T23:25:38-08:00

How is the New Apple iWatch just like the IBM PC?

If the IBM PC legitimized the PC market in 1981 and launched an explosion of sales and it created a whole new market, I predict the health-enabled Apple Watch will do the same.  Prior to IBM's entry into the PC [...]

How is the New Apple iWatch just like the IBM PC?2014-09-10T21:53:19-07:00

Unclear HIPAA rules permit healthcare data offshoring … for now

...Under the Final Rule, the OCR has the power to domestically deal out civil penalties, corrective actions and long-term monitoring, while the DOJ has the power to domestically deliver a criminal prosecution. Through enforcement under HITECH, the State attorneys general [...]

Unclear HIPAA rules permit healthcare data offshoring … for now2014-07-29T02:19:34-07:00

Electronic health records ripe for theft

The only difference in healthcare is that the large breaches have not gotten the sensational, but appropriate coverage credit card breaches have gotten.

Three other interesting quotes:

1.      As health data becomes increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.

2.      “Criminal elements will go where the money is,” said Wah, who was the first 

Electronic health records ripe for theft2014-07-15T01:03:09-07:00

HIPAA consulting and the channel’s ethical responsibility

Kevin is a featured writer for TechTarget.  Here is is latest column: _________________________________________________________ A few months ago, I wrote an article about the practice of non-attorneys consulting on HIPAA business associate agreements. After talking with scores of people about the [...]

HIPAA consulting and the channel’s ethical responsibility2020-06-09T23:54:19-07:00

HIPAA business associate agreement consultations could be unlawful

Here is a controversial article written recently by Kevin McDonald for TechTarget. ------------------------------------------------------------------------------------------------------------------------------------- Under federal law, the Health Information Portability and Accountability Act (HIPAA) Privacy Rule extends to a class of business entities (i.e., health plans, health care clearinghouses and [...]

HIPAA business associate agreement consultations could be unlawful2020-04-29T22:44:01-07:00