Good point,
I also think that technical controls, without the security awareness up front and continous training of the work force, including the folks that are responsible for implementing those controls, is one of the main problems. Senior Management with Knee-Jerk reactions to adverse events, or not listening to their people making recommendations time and time again to implement both the technical and administrative controls that would have lowered the risk, is also a issue. I think as Security folks, we need to think, instead of of saying NO, its more trying to think how we get to "YES" and that is a lot harder, but it enables the business but still keeps them at a reasonable level of security. Then you can adjust your risk accordingly. Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] From: Andrew S. Baker [mailto:[email protected]] Sent: Friday, May 14, 2010 3:22 PM To: NT System Admin Issues Subject: Re: HIPAA Question I have a problem with the "inhibit the users from doing their work" argument. Yes, it sounds all business savvy and whatnot, but it doesn't always address certain realities. There is a reason that we tell people not to run with scissors, even though it slows them down and inhibits their work. When a user accidentally loses a data device containing thousands or millions of names, or sends an unencrypted email to the wrong place due to the lack of the organization not implementing the right controls -- because they did not want to inhibit productivity -- it generates far more in lost productivity, revenue loss, and reputation loss. The protections are not just there for show -- they are an essential part of not having a "business ending event", and need to be looked at that way. It's quite amazing how fast senior management is willing to put restrictive policies and technologies in place *after* a catastrophe, despite their alleged productivity killing impact. -ASB: http://XeeSM.com/AndrewBaker On Fri, May 14, 2010 at 11:41 AM, Ziots, Edward <[email protected]> wrote: Honestly, I am not amazed that the laptops was stolen and there was PHI/PII on them unencrypted. This along with unencrypted memory sticks are two of the biggest culprits and now would follow under the breach notifications, along with HITECH ACT, and the teeth it gave to HIPAA, it will probably help but not truly solve this type of issue. Endpoint security will also help, but you are going to reach a point in which you are hampering the users trying to do their work, which brings up more questions whether its their process that needs to change, or more security awareness training along with administrative punishment up to including termination for violation of the policies and procedures of the company, or being grossly negligent in this reguard. Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] From: paul d [mailto:[email protected]] Sent: Friday, May 14, 2010 11:06 AM To: NT System Admin Issues Subject: RE: HIPAA Question All too true, John. And not just small offices either. CMS has a page that links breaches involving more than 500 people. I'm amazed at the number of incidents involving laptops that were stolen whose data was unencrypted. ________________________________ From: [email protected] To: [email protected] Date: Fri, 14 May 2010 09:43:22 -0400 Subject: RE: HIPAA Question A course of action that is reasonable and doable. Most of the responses in this thread are knee jerk over thinking of the issue. The sheer fact that you can fax a piece of PHI (fax transmissions aren't encrypted last time I checked) to a "secure location" should give you some idea of what's reasonable. As a part time consultant to a software reseller we've come across a disturbing fact - most small medical related offices have no real clue as to how or even why they have to follow HIPAA standards other than it's a Federal law and they signed some form saying they had watched the webinar and drank the koolaid. It's really very poorly implemented in these small offices because there is no ROI, compliance is a cost center and they only spend what is absolutely necessary - then something bad happens and they make an adjustment. John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4 From: James Kerr [mailto:[email protected]] Sent: Friday, May 14, 2010 9:19 AM To: NT System Admin Issues Subject: Re: HIPAA Question We have a consent form they must sign for us to send a fax or mailing so we could use that for emailing also. We can still send the data encrypted and give them the password over the phone. James ----- Original Message ----- From: paul d <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Friday, May 14, 2010 8:47 AM Subject: RE: HIPAA Question They're usually referred to as Privacy or Security officers. For example, a CISO. For HIPAA, there can also be a compliance officer. And, to the OP, you'll eventually have to come up with some way to electronically deliver the data as it's part of the meaningful use act; you have to be able to give a patient their medical record by electronic means if they so desire. ________________________________ Subject: RE: HIPAA Question Date: Fri, 14 May 2010 10:09:32 +0100 From: [email protected] To: [email protected] Good God please don't do that! Password protected Word documents do not stand up to scrutiny. I don't work withy HIPAA at all, but I have worked within UK FSA and DPA guidelines for PII type data. If the patient demands it, you can send it unencrypted (we did this with voice recordings on CD .. policy was all CDs/DVDs had to be encrypted, but if a customer demanded a recording of a call we could send an audio CD via Registered Post (they must sign)). Personally, I would advise the patient of the issues around this action and offer to post it via some recorded method. If they wanted it electronically - perhaps you have some portal they can register on and log into to retrieve results? If it has to be email, they could send you an email requesting it that you respond to (helps with audit trail). I would suggest encryption - we use S/MIME a lot as it's easy for users in comparison to PGP and the like. Whatever you do, it should be based on having a policy and something your data protection officer (do you have such people in the US!?) and legal team are happy with. Going outside the loop tends to get you fired if it goes pear shaped ... a ________________________________ From: John Cook [mailto:[email protected]] Sent: 13 May 2010 21:34 To: NT System Admin Issues Subject: Re: HIPAA Question Put it into a passworded Word doc and verbally give them the password. ________________________________ From: James Kerr <[email protected]> To: NT System Admin Issues <[email protected]> Sent: Thu May 13 15:22:20 2010 Subject: HIPAA Question Guys, I have a quick HIPAA question. We work with people infected with HIV. A patient that lives out of state is asking us to email him info about his viral load. Any suggestions for how to email that info or get that info to him somehow? If the email content doesn't contain identifying info, is it ok? James ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
