By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

In case you missed it, the Department of Health and Human Services (HHS) has delegated the authority for the administration and enforcement of HIPAA Security Rule to the Office for Civil Rights (OCR).  In the article Secretary Sebelius commented: “Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information. Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Regulatory Compliance

Lessons Learned Review…Keeping You Out of the Headlines and out of this blog… Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations… Research Finds PCI DSS Awareness High Among Small Retailers, Lack of Understanding Remains Huge Hurdle A recent survey revealed that although most small retailers feel somewhat familiar with PCI-DSS and also understand the importance of security, most small retailers express frustration with understanding, implementing and paying for compliance.  Has your organization met compliance requirements?  Is your data secure? Schools are Given New Flu Guidelines The federal government releasedRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Security, Legal, Regulatory Compliance, School Safety

Every manager I talk to has a long To Do List and they all say the list is getting longer. Then I ask them a question about their GOT TO DO LIST?  Their responses usually include groans, moans and terribly painful looks on their faces. As I talk to more and more managers and review more and more headlines in the news, it is obvious to me that managers’ GOT TO DO LISTS are becoming more painful by the day. Why are GOT TO DO LISTS getting more painful?  Look at these articles which include lessons learned as well as future challenges: Heartland CEO onRead More →

By:
On:
In: *Connecting the Dots Blog*, Emergency Management, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Workplace Violence

Lessons Learned Review…Keeping You Out of the Headlines and out of this blog… Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations… DDoS Attacks On Twitter, Facebook Result Of Massive Attack On One Person A pro-Georgian blogger called “Cyxymu” was apparently the intended target of the massive DDoS attack that knocked down Twitter and caused major slowdowns on Facebook and LiveJournal.  A botnet blasted waves of traffic at the blogger’s accounts on the sites simultaneously. File Sharing Banned on Government Networks  Rep. Edolphus Towns introduced a bill to ban file-sharingRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

Another data breach involving more than 500,000 records and Network Solutions is yet another organization that claims they were PCI compliant.  How can this be happening?  How does an organization know if they are PCI compliant with all 12 sections of PCI Security Standards which include hundreds of processes, roles and responsibilities that people must be following and implementing on a daily basis? Maybe what PCI really needs is a new focus and a new three letter acronym to go with all their other three letter acronyms.  If you visit the PCI Security Standards web site, you will find a whole bunch of three letterRead More →

By:
On:
In: *Connecting the Dots Blog*, Regulatory Compliance, School Safety

Great news! A pending New Jersey bill would mandate that all public and nonpublic schools conduct monthly school security drills for non-fire evacuation, lockdown and active shooter response.  Why is this great news? Currently, most schools probably have emergency security plans in place, but due to lack of implementation many schools are not comfortable with their level of preparedness.  They have a plan, but because they are not actively implementing and practicing their plans, confusion exists regarding roles and responsibilities and what do actually do if an incident were to occur.  The status quo methods outlined below are not working: You have an Emergency Plan.Read More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Regulatory Compliance, Workplace Violence

Recalcitrant.  That is the word the Acting Assistant Secretary of OSHA used in her recent testimony before the Subcommittee on Workforce Protections to describe organizations being targeted by a new OSHA program that is under development. Recalcitrant can mean obstinately defiant of authority or difficult to manage or operate.  Either way, OSHA is targeting recalcitrant organizations by revising their current Enhanced Enforcement Program (EEP) with a new program called Severe Violators Inspection Program (SVIP) to ensure recalcitrant organizations who are not implementing required safety and health programs are targeted for additional enforcement action.  The additional enforcement could include daily penalties, other fines, incarceration of anRead More →

By:
On:
In: *Connecting the Dots Blog*, Regulatory Compliance, School Safety

On June 12, 2009, New York State Attorney General Andrew Cuomo issued a letter informing every college and university in New York State, that underreporting crime statistics violates state law.  In a landmark case, AG Cuomo required Dominican College to reform their current system of reporting on-campus crimes, as well as pay $20,000 to New York State. The federal Jeanne Clery Act requires colleges and universities to disclose campus security policies, as well as three years worth of crime statistics to current and prospective students.  A complaint was filed against Dominican College following an on-campus sexual assault which led to an investigation revealing that DominicanRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

Step 8 of President Obama’s 10-point action plan is: Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. Keywords in Step 8 include: Prepare, Initiate, Dialog, Partnership, Streamlining, Aligning, Optimize. Preparing an incident response plan is a great idea and can play a critical role in the success of a cybersecurity action plan, however a lot organizations have incident response plans that are not producing much if any feedback.   Why are traditional response plans not working? Problems with traditional incident response plans lack anonymity on theRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance

The “octuplet mom” story not only created a media frenzy at Kaiser Permanente’s Bellflower hospital , the mom and her eight new born babies also created multiple lessons learned opportunities for every hospital that was paying attention. The lessons learned started in January when the eight new babies were born and making sure hospital personnel were prepared to handle the media frenzy and what they could say and not say and what actions were acceptable and unacceptable.  Does your organization have policies and procedures in place to handle a media frenzy? Then in March, Kaiser Permanente’s Bellflower hospital revealed that 15 employees lost their jobsRead More →