I have a problem with the "inhibit the users from doing their work" argument. Yes, it sounds all business savvy and whatnot, but it doesn't always address certain realities. There is a reason that we tell people not to run with scissors, even though it slows them down and inhibits their work.

When a user accidentally loses a data device containing thousands or millions of names, or sends an unencrypted email to the wrong place due to the organization not implementing the right controls -- because they did not want to inhibit productivity -- it generates far more in lost productivity, revenue loss, and reputation loss. The protections are not just there for show -- they are an essential part of not having a "business ending event", and need to be looked at that way. It's quite amazing how fast senior management is willing to put restrictive policies and technologies in place *after* a catastrophe, despite their alleged productivity killing impact.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, May 14, 2010 at 11:41 AM, Ziots, Edward <[email protected]> wrote:

> Honestly, I am not amazed that the laptops were stolen and there was PHI/PII on them unencrypted. This along with unencrypted memory sticks are two of the biggest culprits and now would follow under the breach notifications, along with HITECH ACT, and the teeth it gave to HIPAA, it will probably help but not truly solve this type of issue.
>
> Endpoint security will also help, but you are going to reach a point in which you are hampering the users trying to do their work, which brings up more questions whether it's their process that needs to change, or more security awareness training along with administrative punishment up to and including termination for violation of the policies and procedures of the company, or being grossly negligent in this regard.
>
> Z
>
> Edward Ziots
> CISSP, MCSA, MCP+I, Security+, Network+, CCA
> Network Engineer
> Lifespan Organization
> 401-639-3505
> [email protected]
>
> From: paul d [mailto:[email protected]]
> Sent: Friday, May 14, 2010 11:06 AM
> To: NT System Admin Issues
> Subject: RE: HIPAA Question
>
> All too true, John.
> And not just small offices either. CMS has a page that links breaches involving more than 500 people. I'm amazed at the number of incidents involving laptops that were stolen whose data was unencrypted.
>
> ------------------------------
>
> From: [email protected]
> To: [email protected]
> Date: Fri, 14 May 2010 09:43:22 -0400
> Subject: RE: HIPAA Question
>
> A course of action that is reasonable and doable. Most of the responses in this thread are knee jerk over thinking of the issue. The sheer fact that you can fax a piece of PHI (fax transmissions aren’t encrypted last time I checked) to a “secure location” should give you some idea of what’s reasonable.
>
> As a part time consultant to a software reseller we’ve come across a disturbing fact – most small medical related offices have no real clue as to how or even why they have to follow HIPAA standards other than it’s a Federal law and they signed some form saying they had watched the webinar and drank the koolaid. It’s really very poorly implemented in these small offices because there is no ROI, compliance is a cost center and they only spend what is absolutely necessary – then something bad happens and they make an adjustment.
>
> John W. Cook
> Systems Administrator
> Partnership For Strong Families
> 315 SE 2nd Ave
> Gainesville, Fl 32601
> Office (352) 393-2741 x320
> Cell (352) 215-6944
> Fax (352) 393-2746
> MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4
>
> From: James Kerr [mailto:[email protected]]
> Sent: Friday, May 14, 2010 9:19 AM
> To: NT System Admin Issues
> Subject: Re: HIPAA Question
>
> We have a consent form they must sign for us to send a fax or mailing so we could use that for emailing also. We can still send the data encrypted and give them the password over the phone.
>
> James
>
> ----- Original Message -----
> From: paul d <[email protected]>
> To: NT System Admin Issues <[email protected]>
> Sent: Friday, May 14, 2010 8:47 AM
> Subject: RE: HIPAA Question
>
> They're usually referred to as Privacy or Security officers. For example, a CISO. For HIPAA, there can also be a compliance officer.
> And, to the OP, you'll eventually have to come up with some way to electronically deliver the data as it's part of the meaningful use act; you have to be able to give a patient their medical record by electronic means if they so desire.
>
> ------------------------------
>
> Subject: RE: HIPAA Question
> Date: Fri, 14 May 2010 10:09:32 +0100
> From: [email protected]
> To: [email protected]
>
> Good God please don't do that! Password protected Word documents do not stand up to scrutiny.
>
> I don't work with HIPAA at all, but I have worked within UK FSA and DPA guidelines for PII type data. If the patient demands it, you can send it unencrypted (we did this with voice recordings on CD .. policy was all CDs/DVDs had to be encrypted, but if a customer demanded a recording of a call we could send an audio CD via Registered Post (they must sign)).
>
> Personally, I would advise the patient of the issues around this action and offer to post it via some recorded method. If they wanted it electronically - perhaps you have some portal they can register on and log into to retrieve results? If it has to be email, they could send you an email requesting it that you respond to (helps with audit trail). I would suggest encryption - we use S/MIME a lot as it's easy for users in comparison to PGP and the like.
>
> Whatever you do, it should be based on having a policy and something your data protection officer (do you have such people in the US!?) and legal team are happy with. Going outside the loop tends to get you fired if it goes pear shaped ...
>
> a
>
> ------------------------------
>
> From: John Cook [mailto:[email protected]]
> Sent: 13 May 2010 21:34
> To: NT System Admin Issues
> Subject: Re: HIPAA Question
>
> Put it into a passworded Word doc and verbally give them the password.
>
> ------------------------------
>
> From: James Kerr <[email protected]>
> To: NT System Admin Issues <[email protected]>
> Sent: Thu May 13 15:22:20 2010
> Subject: HIPAA Question
>
> Guys, I have a quick HIPAA question. We work with people infected with HIV. A patient that lives out of state is asking us to email him info about his viral load. Any suggestions for how to email that info or get that info to him somehow? If the email content doesn't contain identifying info, is it ok?
>
> James
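James Kerr's suggestion above (send the data encrypted, give the password over the phone) and the later advice to encrypt rather than rely on a passworded Word document, as an added shell example that is not from the thread: it assumes OpenSSL 1.1.1 or later is installed, and the report contents and passphrase are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): passphrase-encrypt a report before emailing it,
# with the passphrase shared out of band (read to the recipient by phone), never in the mail.
# Assumes OpenSSL 1.1.1+ (for -pbkdf2). Sample data and passphrase are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='correct horse battery staple'   # constructed; in practice give it by phone only

# Constructed sample of the kind of content that must not travel in cleartext.
printf 'Patient: (constructed sample)\nViral load: 1,200 copies/mL\n' > "$WORK/report.txt"

# AES-256-CBC with the key derived from the passphrase via PBKDF2 (200k iterations);
# -salt gives every file its own key, -a base64-armors the output for mailers, and
# -pass stdin keeps the passphrase out of the command line, process list and history.
encrypt_report() {   # $1 = plaintext path, $2 = passphrase; writes $1.enc
    printf '%s\n' "$2" | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -a \
        -pass stdin -in "$1" -out "$1.enc"
}

decrypt_report() {   # $1 = ciphertext path, $2 = passphrase, $3 = output path
    printf '%s\n' "$2" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a \
        -pass stdin -in "$1" -out "$3"
}

# 0 if decrypting $2 with passphrase $3 reproduces plaintext $1 byte for byte.
roundtrip_ok() {
    decrypt_report "$2" "$3" "$WORK/rt.dec" && cmp -s "$1" "$WORK/rt.dec"
}

# 0 if a wrong passphrase does not yield the plaintext $1: openssl normally reports
# "bad decrypt"; in the rare case the padding happens to validate, the output is
# still garbage, so it is compared as well.
wrong_passphrase_rejected() {
    if decrypt_report "$2" "not the passphrase" "$WORK/wrong.dec" 2>/dev/null; then
        ! cmp -s "$1" "$WORK/wrong.dec"
    else
        return 0
    fi
}

encrypt_report "$WORK/report.txt" "$PASS"
# report.txt.enc is what goes in the email; report.txt itself never leaves the system.
if roundtrip_ok "$WORK/report.txt" "$WORK/report.txt.enc" "$PASS"; then
    echo "round trip OK: recipient with the phoned passphrase recovers the report"
fi
if wrong_passphrase_rejected "$WORK/report.txt" "$WORK/report.txt.enc"; then
    echo "wrong passphrase does not recover the report"
fi
```

The recipient runs the same decrypt_report step after taking the passphrase down by phone, so the attachment and the secret that unlocks it never travel over the same channel.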
