In this episode, I speak with two highly experienced HIPAA compliance experts, Kevin Beaver and Brad Smith to get their views and opinions about this much discussed but often debated regulation.  In particular we discuss the relatively new HIPAA Administrative Simplification Enforcement Final Rule, and how it impacts providers and payers.  We explore and try to determine what, if any, impact the HIPAA Enforcement Rule has on Covered Entities. 

Instead of clarifying compliance enforcement issues for covered entities (CEs), the Enforcement Rule has seemed to confuse and mislead many CEs into believing that they really don't need to do much with regard to HIPAA compliance unless the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) come knocking at their door and tell them they specifically need to do something. 

Not all CEs are lackadaisical, though; Kevin, Brad and I discuss some of the CEs that have been very diligent in their HIPAA compliance efforts.  However, we also discuss some examples of blatent disregard for HIPAA, and the resulting risks to organizations from such action.  We also discuss the importance of addressing compliance through partnering information security, privacy, legal and compliance areas.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

There is increasing concern about the use of real/actual personally identifiable information (PII) for test and development purposes.  I'm also increasingly concerned about the use of PII by sales representatives who are showing demos to potential clients.  I was recently surprised to see a vendor showing me a demo of his security software using the actual production data of his clients, which included a vast amount of PII about his clients’ customers, such as names, social security numbers and credit card numbers.  He had accumulated this information while doing work for the clients with the software.  Needless to say, his demo turned into a long discussion about the risks involved with this practice.  Such a practice is an incident and lawsuit waiting to happen.  Unfortunately the sales staff at many companies use production data for demo purposes.  And it's not just software vendors.  Insurance representatives often show their potential clients demos using PII, as do financial organizations, and healthcare companies, plus potentially other industries.  Do you know if your sales staff is using your production data?

I just posted a new podcast, "Data De-identification and Masking Methods," a follow-up to my last podcast, “What IT Leaders Need to Know About Using Production Data for Testing.” I discuss some of the ways in which data can be de-identified, or masked, to use for not only test purposes, but also for demo and other purposes. There are many ways to de-identify and mask data.  Some are better than others.  It all depends upon the type of data you’re working with, and the associated application or system.  I briefly describe seven ways in which data can be masked and de-identified, in addition to an alternative in the slim chance that there is absolutely no way in which anything other than production data can be used for testing. The ultimate goal is to protect the privacy and confidentiality of PII while also making meaningful data available for purposes of testing, demos or analysis.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

There are many issues involved with using live production data, particularly real personally identifiable information (PII), for test and demo purposes.  For many years it has been the norm within organizations to use copies of production data for testing during applications and systems development.  However, over the past few years this practice is becoming more and more of a bad idea with all the new privacy laws and regulations, identity theft cases, insider instigated fraud, increased customer awareness, and the growing number of companies using outsourced companies to manage applications development, testing and quality assurance. 

In my latest podcast I discuss the importance of and reasons for using data that does not include real, production PII for test and development purposes.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

We are undergoing a data protection renaissance.  New laws have considerably expanded corporate obligations regarding security and privacy for information in all forms.  A significant obligation of the laws is applicable to basically all organizations; the duty to provide reasonable security for all corporate information.  Bottom line, generally all organizations have some legal obligation to establish effective information security programs.  It is important to realize that in most cases there are no hard and fast rules regarding which specific security measures a company should implement to satisfy its legal and privacy law obligations. In this podcast I discuss what you need to know to protect your business when trying to comply with the multitude of privacy laws, and I describe a unified, process oriented best practice approach organizations can use to address the requirements of such laws as HIPAA, GLBA, Canada’s PIPEDA, the EU Data Protection Directive, among many, many others.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

A few weeks ago I discussed the need for Information Security and Privacy professionals to work together to be successful.  Yesterday I posted a new podcast that expands upon this topic, and I also describe 14 business trends that information security and privacy professionals must collaborate with each other to address. If you get a chance to listen, please let me know what you think!

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

In this episode I discuss how encryption supports compliance as well as effectively protects personal information.  Encryption is an under-utilized security tool.  Considering the infinite number of today’s risks, threats and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from accessing sensitive information and thwart many types of attacks.  In today’s business environment with sensitive information being stored in multiple locations, many of them mobile, encrypting information is an effective privacy safeguard organizations can add to their arsenal of safeguard tools.  I also discuss incidents that occurred and how the laws, regulations, and regulatory bodies encourage the use of encryption.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

In this episode I briefly discuss the current privacy concerns and business activities regarding the safeguarding of personal information and the types of impact incidents have upon business; the challenges associated with protecting personal information (both consumer and employee), and ways to address these challenges to avoid ending up in the newspaper as the next privacy incident headline; and the need to address privacy issues within business processes, not only to meet regulatory requirements but also to demonstrate due diligence, support business goals and build business value.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)

In this podcast I explain the purpose and goals for making this a valuable, independent site to allow information security, privacy and compliance professionals in all sectors to share and communicate about the issues and news that impact our efforts.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Rebecca Herold | Permalink | Comments (0) | TrackBacks (0)