Health Care archives - IT Compliance Advisor


Health care

Sep 28 2009   9:23PM GMT

Information security and compliance resources from around TechTarget



Posted by: Alexander Howard
Information security, Health care, PCI DSS, Health Insurance Portability and Accountability Act, policy, Wired Equivalent Privacy, Security, Payment card industry, IT compliance, compliance, HITECH

The laws and regulations that CIOs and CISOs must understand and reflect in their operations are by nature applicable to many different areas of information technology. As a recent study on the privacy profession showed, privacy policy success lies in collaboration with IT. Finding good compliance resources to keep abreast of news and technologies is crucial.

The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.

At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.

At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security and compliance.

Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”

PCI DSS compliance

Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.

Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance on ways to maintain PCI DSS compliance when using virtualization.

For more on PCI, editorial director Kelley Damore’s feature about what PCI compliance really means, in September’s issue of Information Security magazine, has a plethora of useful links.

Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.

Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.

Mortman also provides useful advice on the PCI DSS requirement for monitoring and testing security, on ensuring data integrity for PCI DSS compliance, and on PCI DSS compliance requirements for log management.

And “across the pond,” SearchSecurity.co.uk wrote about new products that aim to streamline compliance efforts.

Healthcare compliance

SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”

Again, Mortman provides expert advice in these areas, including guidelines to create a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction, and information on writing a patient identifier policy to prevent common HIPAA violations.

We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.

We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip on when a data breach under HITECH is really ‘discovered.’

Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.


May 18 2009   12:58PM GMT

Podcast: OWASP’s Hess on security and compliance in the cloud



Posted by: Alexander Howard
Security, Cloud computing, OWASP, Chief information security officer, Application security, Health care, podcast, compliance, cloud compliance

Today’s episode features an interview with Georg Hess about Web application security and compliance in the cloud. Hess is the founder of application security provider Art of Defence and current German chapter head of the Open Web Application Security Project (OWASP).

The OWASP membership includes corporations, educational organizations and individuals from around the world. OWASP’s community works to create freely available articles, methodologies, documentation, tools and technologies.

Podcast: OWASP’s Hess on security and compliance in the cloud (23:41)

When you listen to the podcast, recorded by associate editor Alexander B. Howard, you’ll learn the answers to the following questions:

  • How are the security challenges that OWASP advises others on changing?
  • OWASP recently published an Application Security Verification Standard. What does the standard mean?
  • What does establishing such a standard mean for chief information security officers (CISOs) and compliance officers who are considering cloud computing?
  • What other security standards are being established for the cloud or need to be created?
  • What compliance issues do companies face when implementing cloud computing?
  • How can cloud providers offer secure cloud offerings?
  • How can security and compliance officers confirm that they are doing so?
  • What do banking and health care CISOs who are considering adopting cloud models need to know?
  • How are threats to Web application security evolving?
  • What do compliance and security officers need to know — and do — to respond?
  • What other regulations do compliance officers need to be aware of in 2009?


May 5 2009   12:37PM GMT

Podcast: HITECH Act adds new compliance requirements, penalties



Posted by: Alexander Howard
Health Insurance Portability and Accountability Act, HITECH Act, Security, Health Information Technology for Economic and Clinical Health, Health care, Information technology, Google, Information security, compliance, podcast

The Health Information Technology for Economic and Clinical Health (HITECH) Act, sometimes referred to as “HIPAA2,” introduces new compliance requirements, penalties and incentives for the adoption of electronic health records. In this podcast from SearchCompliance.com, privacy expert Rebecca Herold talks with associate editor Alexander B. Howard about the HITECH Act and its implications for compliance and information security professionals.

Podcast: HITECH Act adds new compliance requirements, penalties (26:01)

When you listen to the podcast, you’ll learn the following:

  • What is HITECH?
  • What is generally required by HITECH?
  • Who is affected by HITECH and its compliance requirements?
  • What is the role of information technology in HITECH?
  • What are the penalties for noncompliance in HITECH?
  • How does HITECH differ from HIPAA?
  • How will HITECH change electronic health care and the jobs of health care CIOs?

Herold is an information privacy, security and compliance consultant, and a frequent contributor to SearchCompliance.com. You can read her blog at Realtime-ITCompliance.com and follow her on Twitter at @PrivacyProf.

Herold’s recent work at SearchCompliance.com includes:



Feb 2 2009   7:41PM GMT

How will the Massachusetts Data Protection Law affect IT compliance?



Posted by: Alexander Howard
regulatory compliance, Massachusetts, data protection, business, PII, PIFI, Office of Consumer Affairs, Chief information officer, Government, Harvard Medical School, Health care

The Massachusetts Office of Consumer Affairs and Business Regulation established significant new regulations in 2008, 201 CMR 17.00: Standards for The Protection of Personal Information. The strict new data protection law was set to take effect on January 1, 2009.

After the shift in the nation’s macroeconomic climate and strong resistance by state business leaders, however, the deadline for compliance with the basic provisions of the law was extended to May 1, 2009.

I’ll be traveling to Waltham to try to livestream the state’s public hearings on the legislation. Assuming that no technical difficulties occur in our use of uStream.com, you’ll be able to watch a webcast of the proceedings and ask questions through the integrated chatroom. An archived version of the event will also be available for on-demand viewing.

We’re also preparing a podcast that will examine the new law from the perspective of a compliance software expert, a security expert and the Massachusetts Office of Consumer Affairs and Business Regulation MIS officer. You can expect the podcast to become available later this week.

Dr. John Halamka, CIO of CareGroup Health System and CIO/Dean for Technology at Harvard Medical School, provided some perspective on the relationship of the new MA data protection law to healthcare compliance on his blog.

UPDATE: Due to the expected 4-7″ of snow falling here in Massachusetts, the Greater Boston Network Users Group has cancelled today’s Q&A with David A. Murray, General Counsel and Gerry Young, CIO. Details are posted at the calendar at BNUG.org. We’ll update you when the next hearing is scheduled.
