Archive for the 'Massachusetts 201' Category

14 Oct 10

More Protection for Government Groups

Why is it that business is always treated like the criminal?  It seems like protection is built in for consumers and government only.  The City of Charlotte loses data and you barely hear about it.  Everyone seems to know the Countrywide data loss story.  Is one worse than the other, or are they equal in severity?  Regulation does nothing for data security and information protection, especially when we exclude municipalities that hold more information on us than the average business.

Only you can reduce your risk and protect your assets.  Security is not just products, it is your practices around those products.  Washington is not coming to help the people that make this country work.

New Regulation Proposition:

http://www.scmagazineus.com/banking-bill-would-treat-schools-towns-like-consumers/article/180818/

Supporting Stories:

http://www.bankinfosecurity.com/articles.php?art_id=2398

http://www.databreaches.net/?p=11855

11 Oct 10

The Risks of Regulation

Why is it that all regulation has to do with protecting consumers?  Where is the regulation that protects businesses from failure or losses?

When a HIPAA violation occurs, more attention is paid to the one error a business made than to tracking the thief.  You never hear about the thief in the papers.

Everyone knows the TJ Maxx story.  How much do you know about the thieves?

You need to protect your own assets and hedge against losses yourself.  No one else is going to protect your organization.  But all regulation, loss, theft, etc. raises your risk as an asset owner.

08 Oct 10

The Britney Spears Case

If you are in the medical world you should be aware that if a celebrity walks through your door you could have a potential crisis on your hands.  Not with the patient, but with your employees.  Recent reports have found increased numbers of internal hits on the confidential patient records of celebrities.  Translation: if someone famous comes in, your employees might be looking at the records.

Do you have a way to track and log access to these records?  If they wind up on the internet it won’t take long until your company is cited as the leak.
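One way to answer that question, as an added example rather than anything from the original post: run the EHR access log through a check that flags every touch of a watch-listed record by someone outside that patient's care team. The log format, the patient IDs, the staff names and the watch list are all constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample EHR access log (not real data): time,user,patient_id,action
SAMPLE_LOG = """\
2010-10-08T09:01:00,nurse_a,P1001,view
2010-10-08T09:02:30,dr_b,P2042,view
2010-10-08T09:05:10,clerk_c,P2042,view
2010-10-08T09:05:45,clerk_c,P2042,print
2010-10-08T09:06:00,nurse_a,P1002,view
2010-10-08T09:07:15,dr_d,P2042,view
"""

# Records flagged for extra scrutiny (a high-profile patient) and the staff
# who have a treatment relationship with each of them. Both are assumptions.
VIP_PATIENTS = {"P2042"}
CARE_TEAM = {"P2042": {"dr_b", "nurse_a"}}


def flag_vip_access(log_text, vip=VIP_PATIENTS, care_team=CARE_TEAM):
    """Return (user, patient_id, action, time) for every access to a flagged
    record by someone who is not on that patient's care team."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:          # skip blank or malformed lines
            continue
        ts, user, pid, action = row
        if pid in vip and user not in care_team.get(pid, set()):
            hits.append((user, pid, action, ts))
    return hits


def users_by_hit_count(hits):
    """Count flagged accesses per user so repeat offenders surface first."""
    return Counter(user for user, *_ in hits)


if __name__ == "__main__":
    for user, pid, action, ts in flag_vip_access(SAMPLE_LOG):
        print(f"{ts} {user} {action} {pid} (not on care team)")
```

The same check can be run on a schedule against the previous day's log, and the per-user counts make a clerk who printed a record stand out from a physician who viewed it once.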

05 Oct 10

Don’t Judge a Business by its Size

I am on a bit of a kick lately since I was told by a vendor that size equals security.

I can tell you that large healthcare companies are not necessarily secure.  Just because they have $1 billion or more in sales means absolutely nothing for protecting information.  I won’t embarrass them by naming names, but here are the facts.  They do not send secure email unless they are forced to by law, not because they care about you.  Even when forced to, they only bother a small percentage of the time, banking that they won’t get caught.  Employees are not trained on handling patient information.  They were recently fined $1 million for improper disposal of information.

I can also tell you first hand that a small company involved in healthcare with only 10 employees has not only purchased all the right products but also has the policies and procedures to ensure their clients are safe.  If you conduct business with these guys you will exchange information securely every time.  And it is in the employees’ culture to maintain security.  Our help desk gets email from any of the employees who have questions; we can tell they are following procedure.  They truly are rock stars when it comes to protecting PHI.  They read the regulations and act proactively to protect information.

Which example would you fall into?

01 Oct 10

Employee Monitoring

When discussing employee monitoring the conversation can go one of two very different ways.  Much like politics, most people have a side that they fall into.

I fall strongly on the pro side.  I do not distrust my employees.  What I am concerned about is protecting the company and all of its employees.  If I were to make a bad hire, and we all have, and this problem employee were violating policy or procedure, we need to be able to act on it.

Most people do not understand the risks employers carry when it comes to protecting information.  That doesn’t mean they are bad people; they are most likely very good at what they do and have simply never considered the other side.

We have an obligation to create procedures and policies to protect our clients, employees, and partners.  Not building these into your culture is more damaging than many would guess.  Taking the time to explain and train the employees on the why will educate them, and they will understand.  People just don’t like to be surprised; that leads to feeling personally violated.

Ask Rite-Aid what happens when employees don’t follow procedures.  Did the employees all chip in to cover the $1 million fine?

21 Sep 10

Policy over Product

Have you purchased all of the right products for your network?  Do you have your firewall, switch, security server, SAN, WAP, and two-factor authentication device?  Great, then aren’t you all set for security?

Truth is, you have a lot of stuff and that is it.  Without developing policies and procedures on how information should be handled and what is and is not allowed, you don’t really have much of anything.

Let’s say you have a web blocker installed to stop traffic, but you never monitor what is being done on the allowed sites.

Let’s say you have an email security and DLP device, but the rules around what should be stopped are never created or tested.

Let’s say you have a state-of-the-art SAN configured, but security was never applied to the sensitive folders on it.

The actual purchase of the products is only the beginning.  Now comes the configuration and policy development.  Make sure your IT staff has a deep understanding of what they need to do and that they are trained on, and thoroughly understand, the devices.

20 Sep 10

Tokenization

Trends in the security industry suggest that something called tokenization is the future of security.  So what is tokenization?

Well, a general explanation is this.  Let’s say you take the word DATA and you want to send that word to another computer (like when you transmit cardholder data, PHI, PII, etc.).  The word gets broken up into separate letters: D A T A.  Each letter is then replaced with a secret value that can be decoded on the remote server; for example, D becomes ;lk;k%%%.  The word is then reassembled on the remote end, processed, and sent on.

Some of us think this is the way text messages look, with all the codes and abbreviations.  Kidding aside, this technology is really cool.  If we can secure every character or symbol and then reassemble it, we can secure almost anything.  But be careful of vendors selling this buzzword.  The technology is new and only a few players are really good at it.

03 Sep 10

The Cost of Inaction

Think about these questions in the context of inaction:

What if you don’t renew your auto insurance?

What if you don’t lock your car and leave a laptop on the seat?

What if you eat at that restaurant with the failing health score?

What if you don’t train your employees on the new MRI machines you just purchased?

What if your employees never call back customers?

What if you don’t secure your email until after the audit?

What if you don’t worry about patient confidentiality until after a lawsuit is filed?

Not doing something proactively is actually more costly than doing it ahead of time.  Diligence is paramount in any organization.  Too often I see concerns over money up front cause a project to fail.  More money is then spent on the back end to fix the mistakes of the original install.

Assess, train, and happen to something.  Don’t wait for it to happen to you.

23 Aug 10

Email Encryption in Healthcare

I have written an executive whitepaper titled Email Encryption in Healthcare.  This is an executive overview explaining the background and regulations around securing email transactions.  If you would like a copy send an email to info@jstengel.net.

19 Aug 10

Massachusetts 201 CMR 17.00, to be Exact

I am not breaking any news to anyone, I think, if I tell you that there is a new law in Massachusetts that lays out security requirements for protecting private information.  What I do want to write about is why I like this law.

The first thing I like is how the law says that anyone who does business with a resident of the commonwealth, regardless of nexus, is required to follow these guidelines, not just businesses in the commonwealth.  This is good because they are setting a standard for the rest of the union.  Too many laws are written in a form that requires a lawyer to decode them.  I read and understood the law while I waited on my Cashew Chicken at PF Chang’s.

I also like that it is very specific.  It names product segments and states exactly what needs to be done.  They don’t use terms like “reasonable measures”; that just confuses people and leads to inaction.  This one is clear.

I can tell you firsthand that PII is handled poorly by most businesses.  You can set your company apart just by following this law.  If you become Mass 201 compliant the rest is easy, and this one is not hard.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
