I have written an executive whitepaper titled Email Encryption in Healthcare. It is an executive overview explaining the background and regulations around securing email transactions. If you would like a copy, send an email to info@jstengel.net.
Archive for the 'HIPAA Compliance' Category
Email Encryption in Healthcare
How Secure Are Your Passwords
Do you know what your Administrator passwords are? Do the IT people? I have been working with companies for years, and they often share the Administrator passwords with one technical person or, in some cases, several of them. This is a bad model. Regular IT folks do not know the company bank account numbers, and they do not need these passwords either.
It is true they may need Administrator-level access, but they do not need the password. Keeping this at the executive level and higher is not only smart but basic risk mitigation.
On the reverse, executives need to make sure they have all the passwords for Administrator-level accounts. You also need to make sure you know every single user who has Administrator-level rights. During a recent security assessment, we found a low-level user had full access to the entire domain because of testing done years earlier.
Starting with the basics in security is the beginning of reduced risk for partners and executives.
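The following script is an added example, not part of the original post, of the check described above: listing every account that currently holds administrator-level rights in an Active Directory domain so the list can be reviewed against what the executives actually know about. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read the directory; the group list and the 90-day review threshold are assumptions you would adjust to your own procedures.

```powershell
# Added example (not the original author's code): enumerate accounts with
# administrator-level rights in an AD domain. Assumes the RSAT ActiveDirectory
# module is available and the caller can read group membership.
Import-Module ActiveDirectory

# Built-in groups that grant domain-wide or administrator-level rights.
# Assumed starting list; add any custom "admin" groups your domain uses.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Backup Operators'
)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups; nesting is how a "low level" user can
    # end up with domain-wide rights without ever appearing directly in Domain Admins.
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read group '$group': $_"
        continue
    }
    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, Description, whenCreated
        [pscustomobject]@{
            Group          = $group
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Created        = $u.whenCreated
            Description    = $u.Description
        }
    }
}

# Full list for the executive review: every name here should be recognised
# and justified by a written procedure.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Accounts that deserve immediate attention: disabled but still privileged,
# never logged on, or not used in the last 90 days (assumed threshold).
$cutoff = (Get-Date).AddDays(-90)
$stale = $report | Where-Object {
    -not $_.Enabled -or $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff
}
$stale | Export-Csv -Path .\privileged-accounts-to-review.csv -NoTypeInformation
```

Run it from an administrative workstation and keep the exported CSV with the assessment records; the point is that the list of privileged accounts is something executives own and review, not something that lives only in the IT department's heads.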
Email Security in Healthcare
We will be hosting a webinar this week to educate executives and provide an overview of the compliance and risk mitigation benefits of email security. We will discuss what options are out there, what to look for and what to avoid.
This material will be presented in a non-technical form from a consultative perspective to give executives a brief overview of how to move forward.
Topic: Email Security in Healthcare
Date: Thursday, August 19, 2010
Time: 1:00 pm, Eastern Daylight Time (New York, GMT-04:00)
Go to https://freetrial.webex.com/freetrial/j.php?ED=136876647&RG=1&UID=0&RT=MiMxMQ%3D%3D and register for the event.
Training, Training, Training
The Department of Health and Human Services fined the pharmacy chain Rite-Aid for a HIPAA violation. The fine is for $1 Million and requires that Rite Aid take corrective action to improve practices.
The violation states, among other things, that Rite Aid did not properly dispose of personally identifiable information in its 4,900 retail pharmacies. It also states that Rite Aid failed to properly train employees on how to dispose of the information.
This goes to what I have been stressing lately: products don’t make you compliant. Policy and processes do. This also shows the importance of properly training the other managers in the business on how to handle information. Very intelligent people may run the various departments in your organization, but they don’t have a background in this area and need the right procedures in place.
Be Careful Who You Hire
This is an interesting story. A hospital in Massachusetts contracted a company to destroy records. When the hospital tried to get confirmation that the data was destroyed, they didn’t receive a response. When they pressed the issue, they got the answer.
http://www.scmagazineus.com/hospital-files-with-personal-medical-data-on-800000-gone/article/174970/
Simply purchasing a “compliant” piece of technology doesn’t make you compliant. Some companies even advertise their products as PCI or HIPAA compliant. This is a dishonest statement, as it gives the purchaser a false sense of security. As with all regulations, the legislation or rules do not dictate specific technologies or practices – rather, they state the desired outcome.
It is true that we need key products in place to meet compliance obligations, but it is what we do with those products that makes us secure. For example, I could sell you two top-of-the-line WatchGuard firewalls. As part of the process I explain that they have web blocking and spam filtering built right in, which meets your needs. Great, right? Yes, if your IT department configures them correctly.
And how should they be configured? They should be configured based on your company procedures and guidelines. These procedures need to be laid out clearly and by someone with experience in the industry. Too often companies write procedures based on the IT department’s recommendations and not with the guidance of a security assessor.
Thank you to WatchGuard for reminding us all of this recently in Seattle.
Copiers
Think it is safe making copies? Take a look at this video. The first thing I thought of was those copy businesses.
Internal Threats
I just finished up a class last week with a great group. Two of the people worked in a sensitive industry. They were telling me that in their office they can’t use wireless anything, including wireless keyboards and mice.
I personally like the idea of a business taking little steps like that to protect information. I have heard stories about medical offices spelling HIPAA wrong. If they can’t get the acronym correct, do you think they have your personally identifiable information secured?
I became curious about how serious the industry was about the regulation. So, to take it a step further, I did a search for HIPPA Consulting Services. After telling Google not to correct my spelling and to use the typo as is, I got 141,000 results. Who handles your security is crucial, and the person, or company, needs to be well informed and up to date.
