Health Insurance Portability and Accountability Act

Sep 28 2009   9:23PM GMT

Information security and compliance resources from around TechTarget

Posted by: Alexander Howard
Information security, Health care, PCI DSS, Health Insurance Portability and Accountability Act, policy, Wired Equivalent Privacy, Security, Payment card industry, IT compliance, compliance, HITECH

The laws and regulations that CIOs and CISOs must understand and reflect in their operations are by nature applicable to many different areas of information technology. As a recent study on the privacy profession showed, privacy policy success lies in collaboration with IT. Finding good compliance resources to keep abreast of news and technologies is crucial.

The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.

At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.

At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security, compliance.

Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”

PCI DSS compliance

Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.

Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance ways to maintain PCI DSS compliance when using virtualization.

For more on PCI, editorial director’s Kelley Damore feature about what PCI compliance really means in September’s issue of Information Security magazine has a plethora of useful links.

Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.

Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.

Mortman also provides useful advice on a PCI DSS requirement for monitoring and testing security, PCI DSS compliance: ensuring data integrity and understanding PCI DSS compliance requirements for log management.

And “across the pond,” SearchSecurity.uk.co wrote about new products that aim to streamline compliance efforts.

Healthcare compliance

SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”

Again, Mortman provides expert advice on this areas, including guidelines to create a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction and information on writing a patient identifier policy to prevent common HIPAA violations.

We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.

We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip about when is a data breach under HITECH is really ‘discovered.’

Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.

Jul 22 2009   2:29PM GMT

Compliance resources: Tips and news from around TechTarget

Posted by: Alexander Howard
Health Insurance Portability and Accountability Act, Cloud computing, Information security, identity theft, Security

Did you know that TechTarget now has more than 60 different websites, each of which focuses on a different form of technology? You can find compliance resources on nearly every one of them.

As a former editor at WhatIs.com, I’m familiar with the thousands of tips, news stories and learning resources around the network. For the time-starved reader, especially a busy compliance professional, simply being aware of what compliance resources are available can be a challenge. Here’s the best of what you’ll find on our sister sites from the past months:

CIOs and compliance

On SearchCIO.com, senior news writer Linda Tucci writes that according to research consultancy Gartner, IT security jobs will morph into risk management. The work of our contributors and the IT practitioners we talk to here at SearchCompliance.com confirm this trend. The staff at SearchCIO.com also put together a briefing on enterprise risk management solutions for CIOs and a selection of information security and IT governance guides for CIOs.

  iRobot CIO Jay Leader. During the video interview, addresses the importance of a solid IT strategy – no small issue for this midsized company that must maintain a high-level of security and secrecy given its defense contracts.

Compliance in the cloud

Tucci is similarly focused on the compliance issues that are presented to the enterprise CIO considering cloud computing for data backup and storage. In addressing compliance requirements in cloud computing contracts, as Tucci makes clear, regulatory compliance requirements must be both expressly defined and then addressed – “or the data brought back down to earth.”

One of TechTarget’s newest websites, SearchCloudComputing.com, naturally has published stories on similar issues. In “Cloud computing skepticism: IT security and compliance,” research director Andi Mann explores whether security and compliance concerns in the cloud can be reconciled.

Compliance and Security

Over at SearchSecurity.com, you’ll find dozens of resources in its audit, compliance and standards topical section. You can watch instructional videos about testing PCI compliance requirement 11 or using IAM tools to improve compliance.

Recent news included coverage of MasterCard’s increase in PCI compliance requirements for some merchants (Visa says it won’t follow suit) or the increasing risks to identity theft, in “Researchers predict SSNs, crack algorithm putting identities at risk.”

Security expert David Mortman recently addressed the recent changes to HIPAA regulations that resulted from the HITECH Act in “HIPAA compliance: New regulations change the game.” Enterprise security teams charged with safeguarding PHI will find his insights useful. Mortman has also written this month about how to find virtual machines for greater virtualization compliance.

We’ve also partnered with SearchSecurity.com to produce both events and in-depth content like the recent log management e-book. Download the e-book (free registration required) to learn how automation can reduce the operational burdens of regulatory compliance.

SearchFinancialSecurity.com, given its focus on the financial industry, naturally features content to help security officers in that highly regulated vertical manage compliance. For instance, in “Tokenization and PCI compliance,” Ed Moyle explains what this relatively new technology may mean for the protection of sensitive credit card data. Our sister website also includes a video on Red Flags Rule compliance featuring John Carlson, senior vice president of regulatory affairs for BITS, a division of the Financial Services Roundtable.

Compliance and the channel

Our colleagues at SearchSecurityChannel.com are also covering the security aspects of compliance. As Neil Roiter writes in “Vulnerabilities, regulatory compliance drive data protection market,” while risk and vulnerability management are the two headings under which security spending often falls, the ultimate goal of both is data protection.

SearchSystemsChannel.com also features compliance coverage, in particular the specific U.S. laws and regulations that represent compliance and security concerns for Microsoft Office SharePoint.

Compliance and storage

Over at SearchSMBStorage.com, contributor Kevin Beaver recently wrote about making sense of regulatory compliance and data storage for SMBs.

Feedback

If you found this roundup useful, please let us know at editor@SearchCompliance.com or at @ITCompliance on Twitter. If so, I’ll do it again in August.

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?

Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
2. Should encryption be included at all in these laws?
3. If so, what, exactly, should be specified?
4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business’ interests and inadequately protective of consumers and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

• Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
• Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
• Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
• Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

What do you think? Should data security and privacy laws specify data encryption?

May 11 2009   3:35PM GMT

Understanding the risk of penalties for violating data privacy laws

Posted by: Sarah Cortes
Electronic Communications Privacy Act, Health Insurance Portability and Accountability Act, USA Patriot Act, Sarbanes-Oxley Act, privacy, United States Department of Health and Human Services, Foreign Intelligence Surveillance Act, FTC, compliance, laws, regulatory compliance, regulations, data privacy

The “Massachusetts Data Privacy Law? We call it ‘the toothless wonder,’” laughed one smug senior technology executive from a prominent high-tech firm at a MIT industry gathering April 30 in Cambridge, Mass.

But not everyone is laughing. In April 2008, Andrea Smith, age 25, of Trumann, Ark., was convicted of privacy violations under HIPAA, as was Fernando Ferrer Jr., of Naples, Fla., in January 2007. As of today, a total of eight cases have resulted in criminal convictions with jail time for data privacy violations under HIPAA.

The U.S. Department of Health and Human Services (HHS) has served notice (as of Feb. 18) that organizations can also expect substantial fines like the one extracted from CVS. That $2.5 million fine, coupled with others won by OCR or the FTC against Providence Health & Services, demonstrate that the risk of penalties is significantly more realistic going forward.

The probability of criminal convictions and risk of substantial penalties doesn’t, however, correlate to the likelihood of other serious compliance issues. “Stricter internal controls mandated by Sarbanes-Oxley have made it more difficult for improper payments to be concealed,” notes CorpWatch.

Consider the case of Richard Scrushy, founder of HealthSouth. Although theoretically acquitted of Sarbanes-Oxley (SOX) charges, he nevertheless sits in a Birmingham, Ala., prison. Although Scrushy was technically jailed for probation violations related to a vacation on a Miami yacht when he was supposed to be under house arrest in Birmingham, SOX materially contributed to Scrushy’s imprisonment. Some commentators have pointed to the few convictions under SOX when dismissing likelihood of consequences. But, as anyone involved with the legal system can attest, likelihood of conviction and fines barely begin to measure likelihood of serious problems. Let’s look at some other data:

HIPAA Enforcement Results by Year

• 2008 HIPAA investigations – 3,373
• 2008 HIPAA cases resulting in a requirement for corrective actions – 2,210
• Total HIPAA investigations 2003-2008 - over 11,000
• Total HIPAA cases resulting in a requirement for corrective actions – over 7,000

Source: U.S. Department of Health and Human Services

Simply receiving notice of an investigation requires firms and individuals to incur the costs of retaining counsel and allocating time, energy and resources to preparation. That’s a nerve-racking process with an unsure outcome. The investigation alone can be a big headache. And while only 10 cases have resulted in major fines or jail time, significantly more cases were prosecuted.

Preparing and presenting a criminal or civil defense in a legal case is, again, a costly undertaking with an unsure outcome, where even acquittal can leave an organization or an individual at a huge financial loss for attorney’s fees and energy, resources and the uncertainty that legal action causes.

How about nonconviction convictions? Plea deals can result in CWOF results, or Continued Without a Finding, and result in probation. Home-free, right? That’s what Richard Scrushy thought. The reality is that each step along the legal path increases the likelihood that subsequent or related, seemingly minor developments will result in jail time or fines. Organizations and individuals amass track records, which work against them over time.

SOX and HIPAA are only two of dozens of statutes under which privacy violations can be prosecuted. Try these for a few:

Health privacy laws
1974—The National Research Act
1996—Health Insurance Portability and Accountability Act (HIPAA)

Financial privacy laws
1970—Bank Secrecy Act
1998—Federal Trade Commission
1999—Gramm-Leach-Bliley Act (GLB)
2002—Sarbanes-Oxley Act (SOX)
2003—Fair and Accurate Credit Transactions Act

Online privacy laws
1986—Electronic Communications Privacy Act (ECPA), pen registers
1986—Stored Communications Act (SCA)

Communication privacy laws
1978—Foreign Intelligence Surveillance Act (FISA)
1984—Cable Communications Policy Act
1986—Electronic Communications Privacy Act (ECPA)
1994—Digital Telephony Act - Communications Assistance for Law Enforcement Act (CALEA), 18 USC 2510-2522

Education privacy laws
1974—Family Educational Rights and Privacy Act (FERPA)

Information privacy laws
2001—USA Patriot Act, expanded pen registers

Other
1974—Privacy Act
2005—Privacy Act, sale of online PII data for marketing

Still skeptical? California alone has over 88 data privacy laws — and it actively investigates and prosecutes violations.

Twenty-three thousand HIPAA investigations over five years x 100 laws = over 2 million investigations. Your chances are looking worse and worse. And the cost of voluntary compliance is looking cheaper and cheaper by comparison.

May 5 2009   12:37PM GMT

Podcast: HITECH Act adds new compliance requirements, penalties

Posted by: Alexander Howard
Health Insurance Portability and Accountability Act, HITECH Act, Security, Health Information Technology for Economic and Clinical Health, Health care, Information technology, Google, Information security, compliance, podcast

The Health Information Technology for Economic and Clinical Health (HITECH) Act, sometimes referred to as “HIPAA2,” introduces new compliance requirements, penalties and incentives for the adoption of electronic health records. In this podcast from SearchCompliance.com, privacy expert Rebecca Herold talks with associate editor Alexander B. Howard about the HITECH Act and its implications for compliance and information security professionals.

When you listen to the podcast, you’ll learn the following:

• What is HITECH?
• What is generally required by HITECH?
• Who is affected by HITECH and its compliance requirements?
• What is the role of information technology in HITECH?
• What are the penalties for noncompliance in HITECH?
• How does HITECH differ from HIPAA?
• How will HITECH change electronic health care and the jobs of health care CIOs?

Herold is an information privacy, security and compliance consultant, and a frequent contributor to SearchCompliance.com. You can read her blog at Realtime-ITCompliance.com and follow her on Twitter at @PrivacyProf.

Herold’s recent work at SearchCompliance.com includes:

• HIPAA enforcement getting stronger
• HIPAA criminal convictions outpace sanctions
• HIPAA enforcement, more government audits leading to more convictions