HIPAA archives - IT Compliance Advisor

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?



Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology
[Image: The Lorenz machine was used to encrypt high-le... Image via Wikipedia]

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

  1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
  2. Should encryption be included at all in these laws?
  3. If so, what, exactly, should be specified?
  4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection that strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward businesses’ interests and inadequately protective of consumers’ and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

  • Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
  • Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
  • Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
  • Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law, currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.
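As an added illustration (not part of the original post) of why the counterpoint calls the 93H wording vague: the Python sketch below uses a repeating-key XOR with a 128-bit key, which is literally a “128-bit or higher algorithmic process”, yet a single fixed 16-byte record header lets anyone recover the key and read every record. The header format and the sample record are constructed for the example.

```python
import os

KEY_BYTES = 16  # a 128-bit key, so this meets the "128-bit or higher" wording
# Constructed fixed file header that an attacker could reasonably know in advance.
HEADER = b"PII-RECORD-V1.0|"


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: an 'algorithmic process' with a 128-bit key that
    nevertheless gives no confidentiality once any plaintext is known."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be exactly 128 bits")
    return bytes(b ^ key[i % KEY_BYTES] for i, b in enumerate(plaintext))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Any 16 bytes of known plaintext (here the fixed header) yield the
    full key, because ciphertext XOR plaintext == key at every position."""
    if len(known_plaintext) < KEY_BYTES or len(ciphertext) < KEY_BYTES:
        raise ValueError("need at least 16 bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:KEY_BYTES], known_plaintext[:KEY_BYTES]))


def recover_record(ciphertext: bytes) -> bytes:
    """Decrypt a whole record knowing nothing but the public header format.
    The key length was 128 bits; the 'low probability of assigning meaning'
    the statute asks for was never achieved."""
    return xor_encrypt(ciphertext, recover_key(ciphertext, HEADER))


def demo() -> bool:
    """Encrypt a constructed personal-information record with a random
    128-bit key and show it is fully recoverable without that key."""
    record = HEADER + b"SSN=123-45-6789;NAME=JANE DOE;ZIP=02108"  # constructed
    ciphertext = xor_encrypt(record, os.urandom(KEY_BYTES))
    return recover_record(ciphertext) == record
```

A standard cipher such as AES-128 is also a 128-bit algorithmic process, but a known header does not reveal its key; the statutory wording alone does not distinguish the two.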

What do you think? Should data security and privacy laws specify data encryption?


Mar 5 2009   4:44PM GMT

Weekly Digest: Compliance headlines from Twitter for March 5, 2009



Posted by: Alexander Howard
Twitter, Google Health, web, Social network, Online Communities, Boston Massachusetts, compliance, ITIL, Information Technology Infrastructure Library, HIPAA, conference, hashtags

As those of you who have followed the launch of SearchCompliance.com know, we’ve been using our @ITCompliance account on Twitter to share news, find our audience, get the freshest compliance news and pass on information about what’s happening on our site. Like Marshall Kirkpatrick and Richard MacManus at ReadWriteWeb, I see considerable applications for journalism there. (Here’s how they use Twitter for journalism.)

I was reminded recently, however, that many CIOs and compliance professionals are not on the microblogging platform yet.

It makes sense to share compliance-related news and resources that we’ve found on Twitter with you all in the form of a weekly digest. If you haven’t followed us on Twitter, here’s what you’ve missed:

RT @jhalamka Google Health quietly launched a disruptive technology: social networking for personal health records http://bit.ly/hjDQ [#PHI]

OGC endorsed a #compliance framework to audit vendor products, documentation & processes against #ITIL best practices: http://bit.ly/19eEfQ

PRT @MarieADomingo Congrats to Scot Petersen (@scotpe), former eWeek editor; new exec editor of http://SearchCompliance.com at #TechTarget

RT @sarahebourne Thoughts by Candi Harrison, former HUD web mgr, on top-level Federal web governance http://tinyurl.com/d9l4g3 via @levyj413

#SEC Investigation into #optionsfraud of former #RIM execs illustrates need for email management: http://tinyurl.com/djt26t (via @ONSITE3)

RT @CCI_Compliance Beware of CorporateCompliance Form Hoax Circulating in #Ohio –> http://tinyurl.com/aqs4ge

RT @CAInfoGov Pete Pepiton ponders the shift in how #eDiscovery is practiced today: http://bit.ly/gTmFK | #CA | (via @complexd)

Will the latest HIPAA rule changes force healthcare IT security pros to better understand data flow? http://bit.ly/10KfWY (via @rwestervelt)

New #screencast on leveraging IT infrastructure for #compliance with Brian Babineau & Mark Schlack: http://bit.ly/Tg0Z2

The #Compliance Decisions Summit is next Thursday (3.12.2009) in #Boston, MA: http://bit.ly/dJ1GW | We’ll be there. Will you? | #CDS09

NOTE: “RT” means “retweet” and “PRT” means that the retweeted content has been modified. If you need a quick primer on Twitter, try the post I wrote for WhatIs.com last year, “What is Twitter? Is this distributed microblogging platform ready for the enterprise?”

My colleague Kristen Caretta has also been exploring the platform. She’s written about finding the business benefits of Twitter and using Twitter as a business tool.

I will post digests more frequently if the volume of microblog posts (or “tweets”) merits it. You’ll certainly be able to follow our coverage of the Compliance Decisions Summit next week here and on Twitter. I’ll have a video camera and digital voice recorder, so expect to hear and see more from CIOs, security and compliance professionals.

We’re always looking for a way to feature our audience. If you’d like to write a case study of a difficult compliance-related business decision, technology implementation or user education opportunity, please write to editor@searchcompliance.com and let us know.

UPDATE: Rebecca Herold suggested via her Twitter account (@PrivacyProf) that I explain what the pound signs (#) above are and what their significance is to those unfamiliar with Twitter. (You may remember her as the compliance expert whose work on Windows compliance was the subject of a previous post.)

Here’s how hashtags.org puts it:

Hashtags are a community-driven convention for adding additional context and metadata to your tweets. They’re like tags on Flickr, only added inline to your post. You create a hashtag simply by prefixing a word with a hash symbol: #hashtag.

You can learn more about them at the Twitter Fan Wiki page for hashtag. Here’s the history:

Hashtags were developed as a means to create ”groupings” on Twitter, without having to change the basic service. The hash symbol is a convention borrowed primarily from IRC channels, and later from Jaiku’s channels.

hashtags.org provides real-time tracking of Twitter hashtags. Opt in by following @hashtags to have your hashtags tracked. Similarly, Twemes offers real-time tracking without the necessity of following a specific Twitter account. Also, with their purchase of Summize, Twitter itself now offers some support of hashtags at their search engine: http://search.twitter.com

How does that extend to compliance? Simple. Just go to http://search.twitter.com and enter compliance. You’ll see a real-time reflection of the news, commentary and resources being exchanged on Twitter. You can subscribe to the compliance hashtag using RSS. If you prefer email alerts, you can also use TweetBeep to get an hourly update of whenever someone uses compliance in a tweet.

Jan 19 2009   8:37PM GMT

Podcast: Expert tackles e-health and compliance in healthcare IT



Posted by: Alexander Howard
e-health, compliance, IT compliance, healthcare IT, CCO, HIPAA, HHS, Enterprise 2.0, ECPA, podcast, consent management

What is the state of IT healthcare compliance in 2009? Dr. William Yasnoff has some thoughts.

His reply to “Healthcare compliance gets boost from national HHS privacy framework,” a recent tip from one of SearchCompliance.com’s sister sites, demonstrated his deep understanding of the complex relationships among regulations, medicine and IT. A quick visit to his blog at WilliamYasnoff.com will confirm that he’s thought long and hard about the role of IT infrastructure in assuring patient privacy and health. SearchCompliance.com’s Alexander B. Howard found Dr. Yasnoff at his office last week and recorded a podcast.

Download Dr. William Yasnoff on e-health and compliance in healthcare IT infrastructure.

When you listen, you’ll learn the answers to the following questions about e-health, including what changes might be expected under the new Obama administration:

  • The United States Department of Health and Human Services (HHS) has released a new privacy framework that provides guidance to organizations that handle personal health information. Does the Health Insurance Portability and Accountability Act (HIPAA) apply? What are the privacy and data protection issues created by the movement to e-health records?
  • How does this directive affect IT compliance officers or system administrators at companies that handle e-health records? How could — and how should — a compliance officer change IT infrastructure and best practices to address the so-called HIPAA “audit hole?”
  • The incoming Obama administration made the digitization of health records a focus of its presidential campaign. How may the atmosphere around healthcare compliance change? What additional regulatory requirements may be introduced that compliance officers should consider?
  • What is Dossia? What role might this new entity, funded by corporations, play in e-health? How could Dossia affect e-health compliance? What is a health records bank? How many physicians currently use e-health records?
  • What is the Electronic Communications Privacy Act (ECPA)? What must a CIO, CTO, CCO or IT administrator do to remain in compliance with the ECPA?
  • What are some best practices for setting up IT infrastructure for healthcare institutions so that the systems are compliant? How will consent management factor into compliance in 2009?
  • How might emerging enterprise 2.0 technologies be adapted and applied by the incoming U.S. CTO, particularly with regards to e-health records?

Dr. William Yasnoff

William A. Yasnoff is founder and managing partner of National Health Information Infrastructure (NHII) Advisors, a consulting firm that helps communities and organizations successfully develop health information infrastructure systems and solutions. Previously, as senior advisor, NHII, Department of Health and Human Services, he initiated and organized the activities leading to the president’s creation of the Office of the National Coordinator for Health Information Technology, establishing the NHII as a widely recognized goal for the nation.

As vice president of research for Cell Analysis Systems Inc., he developed the first PC-based commercial system for quantifying DNA content of cells on slides in 1986. He later served as medical director of AMA/Net, the American Medical Association’s first online electronic information system for physicians. He subsequently restarted the network as U.S. HealthLink in Oregon.

Dr. Yasnoff is an associate editor of the Journal of Biomedical Informatics, adjunct professor of Health Sciences Informatics at The Johns Hopkins University, a board member of the nonprofit Public Health Foundation Enterprises Inc., and the author of more than 250 publications and presentations, including co-editor of the textbook ‘Public Health Informatics and Information Systems.’ He earned his Ph.D. in computer science and M.D. from Northwestern University, and was elected a fellow of the American College of Medical Informatics in 1989.
