Agreed. There needs to be sufficient communication of risk to make good decisions about risk acceptance and mitigation, but it can't all be scare tactics. (And the execs in question need to take the time to understand)
-ASB: http://XeeSM.com/AndrewBaker On Fri, May 14, 2010 at 4:29 PM, Ziots, Edward <[email protected]> wrote: > Good point, > > > > I also think that technical controls, without the security awareness up > front and continous training of the work force, including the folks that are > responsible for implementing those controls, is one of the main problems. > Senior Management with Knee-Jerk reactions to adverse events, or not > listening to their people making recommendations time and time again to > implement both the technical and administrative controls that would have > lowered the risk, is also a issue. > > > > I think as Security folks, we need to think, instead of of saying NO, its > more trying to think how we get to “YES” and that is a lot harder, but it > enables the business but still keeps them at a reasonable level of security. > Then you can adjust your risk accordingly. > > > > Z > > > > Edward Ziots > > CISSP,MCSA,MCP+I,Security +,Network +,CCA > > Network Engineer > > Lifespan Organization > > 401-639-3505 > > [email protected] > > > > *From:* Andrew S. Baker [mailto:[email protected]] > *Sent:* Friday, May 14, 2010 3:22 PM > > *To:* NT System Admin Issues > *Subject:* Re: HIPAA Question > > > > I have a problem with the "inhibit the users from doing their work" > argument. Yes, it sounds all business savvy and whatnot, but it doesn't > always address certain realities. There is a reason that we tell people > not to run with scissors, even though it slows them down and inhibits their > work. > > > > When a user accidentally loses a data device containing thousands or > millions of names, or sends an unencrypted email to the wrong place due to > the lack of the organization not implementing the right controls -- because > they did not want to inhibit productivity -- it generates far more in lost > productivity, revenue loss, and reputation loss. > > > > The protections are not just there for show -- they are an essential part > of not having a "business ending event", and need to be looked at that way. > > > > It's quite amazing how fast senior management is willing to put restrictive > policies and technologies in place *after* a catastrophe, despite their > alleged productivity killing impact. > > > > -ASB: http://XeeSM.com/AndrewBaker > > On Fri, May 14, 2010 at 11:41 AM, Ziots, Edward <[email protected]> > wrote: > > Honestly, I am not amazed that the laptops was stolen and there was PHI/PII > on them unencrypted. This along with unencrypted memory sticks are two of > the biggest culprits and now would follow under the breach notifications, > along with HITECH ACT, and the teeth it gave to HIPAA, it will probably help > but not truly solve this type of issue. > > > > Endpoint security will also help, but you are going to reach a point in > which you are hampering the users trying to do their work, which brings up > more questions whether its their process that needs to change, or more > security awareness training along with administrative punishment up to > including termination for violation of the policies and procedures of the > company, or being grossly negligent in this reguard. > > > > Z > > > > Edward Ziots > > CISSP,MCSA,MCP+I,Security +,Network +,CCA > > Network Engineer > > Lifespan Organization > > 401-639-3505 > > [email protected] > > > > *From:* paul d [mailto:[email protected]] > *Sent:* Friday, May 14, 2010 11:06 AM > > > *To:* NT System Admin Issues > > *Subject:* RE: HIPAA Question > > > > All too true, John. > And not just small offices either. CMS has a page that links breaches > involving more than 500 people. I'm amazed at the number of incidents > involving laptops that were stolen whose data was unencrypted. > ------------------------------ > > From: [email protected] > To: [email protected] > Date: Fri, 14 May 2010 09:43:22 -0400 > Subject: RE: HIPAA Question > > A course of action that is reasonable and doable. Most of the responses in > this thread are knee jerk over thinking of the issue. The sheer fact that > you can fax a piece of PHI (fax transmissions aren’t encrypted last time I > checked) to a “secure location” should give you some idea of what’s > reasonable. > > As a part time consultant to a software reseller we’ve come across a > disturbing fact – most small medical related offices have no real clue as to > how or even why they have to follow HIPAA standards other than it’s a > Federal law and they signed some form saying they had watched the webinar > and drank the koolaid. It’s really very poorly implemented in these small > offices because there is no ROI, compliance is a cost center and they only > spend what is absolutely necessary – then something bad happens and they > make an adjustment. > > > > *John W. Cook* > > *Systems Administrator* > > *Partnership For Strong Families* > > *315 SE 2nd Ave* > > *Gainesville, Fl 32601* > > *Office (352) 393-2741 x320* > > *Cell (352) 215-6944* > > *Fax (352) 393-2746* > > *MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4* > > > > *From:* James Kerr [mailto:[email protected]] > *Sent:* Friday, May 14, 2010 9:19 AM > *To:* NT System Admin Issues > *Subject:* Re: HIPAA Question > > > > We have a consent form they must sign for us to send a fax or mailing so we > could use that for emailing also. We can still send the data encrypted and > give them the password over the phone. > > > > James > > ----- Original Message ----- > > *From:* paul d <[email protected]> > > *To:* NT System Admin Issues <[email protected]> > > *Sent:* Friday, May 14, 2010 8:47 AM > > *Subject:* RE: HIPAA Question > > > > They're usually referred to as Privacy or Security officers. For example, > a CISO. For HIPAA, there can also be a compliance officer. > And, to the OP, you'll eventually have to come up with some way to > electronically deliver the data as it's part of the meaningful use act; you > have to be able to give a patient their medical record by electronic means > if they so desire. > ------------------------------ > > Subject: RE: HIPAA Question > Date: Fri, 14 May 2010 10:09:32 +0100 > From: [email protected] > To: [email protected] > > Good God please don't do that! Password protected Word documents do not > stand up to scrutiny. > > > > I don't work withy HIPAA at all, but I have worked within UK FSA and DPA > guidelines for PII type data. If the patient demands it, you can send it > unencrypted (we did this with voice recordings on CD .. policy was all > CDs/DVDs had to be encrypted, but if a customer demanded a recording of a > call we could send an audio CD via Registered Post (they must sign)). > > > > Personally, I would advise the patient of the issues around this action and > offer to post it via some recorded method. If they wanted it electronically > - perhaps you have some portal they can register on and log into to retrieve > results? If it has to be email, they could send you an email requesting it > that you respond to (helps with audit trail). I would suggest encryption - > we use S/MIME a lot as it's easy for users in comparison to PGP and the > like. > > > > Whatever you do, it should be based on having a policy and something your > data protection officer (do you have such people in the US!?) and legal team > are happy with. Going outside the loop tends to get you fired if it goes > pear shaped ... > > > > > > > > a > > > ------------------------------ > > *From:* John Cook [mailto:[email protected]] > *Sent:* 13 May 2010 21:34 > *To:* NT System Admin Issues > *Subject:* Re: HIPAA Question > > Put it into a passworded Word doc and verbally give them the password. > > > ------------------------------ > > *From*: James Kerr <[email protected]> > *To*: NT System Admin Issues <[email protected]> > *Sent*: Thu May 13 15:22:20 2010 > *Subject*: HIPAA Question > > Guys, I have a quick HIPAA question. We work with people infected with > HIV. A patient that lives out of state is asking us to email him info about > his viral load. Any suggestions for how to email that info or get that info > to him somehow? If the email content doesn't contain identifying info, is it > ok? > > > > James > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
