Archive | December, 2011

HIPAA Security Risk Analysis Tips – Make it a Team Sport

Completing a HIPAA Security Risk Analysis well requires executive team engagement and support, plus a cross-functional business team. Here’s today’s big tip – Don’t throw the project over the transom to the CIO or CISO. It’s a much bigger business risk management program, not an “IT project”. Assemble the right cross-functional team and set business risk management goals at the outset. Here’s how…

HIPAA Security Reminder – You Must Do Security Reminders!

Did you know that Covered Entities and Business Associates (and, soon, their subcontractors) must consider “security reminders” as part of their security awareness and training programs under the final HIPAA security rule (see 45 CFR 164.308(a)(5))? The final rule provides that a “security reminder” includes “periodic security updates” but offers no further guidance on how to meet this requirement.

Why Integration of IT and Physical Security Equals More

Healthcare today cannot afford the inefficient practices of the past in managing its many security responsibilities. It is not unusual to find healthcare organizations with multiple service providers for similar monitoring services, or with disparate services that could be managed by one provider. The overhead and inefficiencies can be better managed; for instance, multiple alarm companies for different facilities within a system could be replaced by one provider servicing, maintaining and monitoring all alarm systems. Even where organizations have grown through acquisition and not all alarm systems are alike, this is still possible. Integrating all physical security controls alone would produce cost savings for many organizations. However, the real savings and benefits are gained when we integrate the physical and the logical security programs.

HIPAA Security Risk Analysis Tips – Know the Regs

The HIPAA Security Final Rule, reinforced by the HITECH Act, requires every CE and BA, in accordance with the security standards general rules (§164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” Here’s today’s big tip – Know the letter and the intent of the regulations; specifically, in this case, know what is required for Risk Analysis and Risk Management. Here’s how…

Security Experts, Are We Missing the Point?

Recently there has been a lot of talk among citizens and security experts about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn’t […]

IT Risks vs. Information Risks

As an Information Security professional I think it is increasingly important to understand the difference between IT Risk and Information Risks. You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly. Here are my high-level definitions: IT Risks – The probability that a […]