By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Regulatory Compliance

  The HHS Office for Civil Rights plans to use powers authorized under the HITECH Act to tighten up privacy requirements, as well as exponentially increase the penalties for HIPAA privacy and security violations. Lessons Learned:  Organizations will need to ensure they are meeting all requirements and documenting actions under the HIPAA/HITECH Act and maintain a a high level of CYA – compliance year around!  All employees (and third-parties) must be aware of and accountable for their individual requirements as a single data breach or violation can cost an organization up to $50,000…which is much more expensive and costly than new compliance and risk platformsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

  The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level.  76 percent of the new funds will be for increased enforcement of health information privacy and security rules. Lessons Learned:  Increased enforcement of existing and new regulatory requirements are on the way.  Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH or are you willing to take your chances?  Based on numerous other lessons learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner than later makesRead More →

By:
On:
In: *Connecting the Dots Blog*, Financial, Health Care, Information Privacy, Information Security

  According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010 which equals an average of about 783,561 new threats per day.  The report also points to dramatic increases in both frequency and sophistication of targeted attacks and continued growth of social networking sites to distribute attacks. Lessons learned:  Your people are under attack…how is your organization keeping your people up to date on new attacks and new threats?Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

  I recently came across an interview on BankInfoSecurity entitled, “Banks Must Assume Customers Will Compromise Themselves”. In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques.  With the use of current social networking sites, such as Facebook, customers are often revealing all the information fraudsters need to figure out their log-in credentials. Many experts (and vendors) are recommending banks increase their security measures and implement expensive fraud detection technology solutions and measures.  Unfortunately this is merely reacting to a symptom rather than preventing the problem. Read More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Information Privacy, Information Security, Risk Management

  In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites. Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information. Why are mobile users more vulnerable? Availability – smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down. Size – the smaller screens of mobile devicesRead More →

By:
On:
In: Business Continuity, Information Privacy, Information Security, Risk Management

  General Information Personally Identifiable Information Intelligence Information Industry Information Regulatory Information Legal Information Risk Information Customer Information Emergency Information Competitive Information Etc…. Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc. BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness. Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or riskRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

  One of my last blogs discussed the risks of third-party contractors and their responsibilities for protecting information.  This blog will address yet another third-party risk – your janitors. A janitor was recently arrested for removing boxes of records from a Southern California health care clinic.  Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40.  This janitor was not interested in identity theft, but the next one might be… In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring thatRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance

  A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information. GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers.  Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company willRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management

  Dissemination vs. Implementation The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required. Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminatingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

  Did everyone see this ultimate lesson regarding lessons learned but not implemented? Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years. Now roll the clock ahead to July 2010 and another pharmacy chainRead More →