Skip to main content

Home/ WPPS C-Suite News/ Group items tagged Breach Law

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
sandy ingram

Amended SB1386 - Health care data security breach explained - 0 views

www.scmagazineus.com/...120069

hipppa SB1386 health training breaches

shared by sandy ingram on 01 Nov 08 - Cached
  • Health care data security breaches in the U.S.
  • New laws and regulations regarding data security breaches and disclosure laws affect the way in which health care organizations do business
  • Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • ...11 more annotations...
  • he disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales, and other externally facing operations.
  • Individuals affected by data breaches that meet the personal information definition and notification requirements must be notified by using one of three methods: written notice, electronic notice with customer's consent, or substitute notice
  • The purpose of this rule is to secure personally identifiable information (PII) as it travels through the healthcare system. Healthcare organizations, including providers, payers, and clearinghouses, must comply with the Privacy Rule.
  • The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs.
  • A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
  • Between 2000 and 2007, nearly half of all health care security incidents that occurred in the U.S. were associated with hospitals.
  • Between 2000 and 2007, 40 percent of publicly known security incidents at health care organizations are classified as data breaches
  • Although data breaches (hackers, malicious employees, social engineering, etc.) only constitute 40 percent of incidents, they account for 57 percent of all records compromised, nearly two and a half times the next closest category.
  • This again speaks to the need for strong policies and procedures. If organizations did not allow sensitive data to leave their facility without being encrypted (for electronic data) or disposed of properly (for physical data), it could eliminate nearly a quarter of the incidents they would face.
  • sandy ingram on 01 Nov 08
     
    Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • sandy ingram on 01 Nov 08
     
    A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
sandy ingram

Are you ready for a data breach? | Healthcare IT News - 0 views

www.healthcareitnews.com/...are-you-ready-data-breach

data breach HITECH DHS Risk Assessment Compliance

shared by sandy ingram on 23 Jun 10 - Cached
  • sandy ingram on 23 Jun 10
     
    The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents. If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should: The requirement for a mandatory incident-specific risk assessment for every incident The fact that HITECH notification provisions do not pre-empt state notification laws Encryption of data does not necessarily alleviate the risk of data breach If your business associate exposes your protected health information (PHI), you are responsible
sandy ingram

Medical-data breach said to be major; involves nearly two-thirds of the insurers' subsc... - 0 views

www.philly.com/...a_breach_said_to_be_major.html

Security Privacy compliance cybersecurity breach

shared by sandy ingram on 21 Oct 10 - No Cached
  • The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers' subscribers. It became known only after The Inquirer requested information Tuesday evening. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs. "That seems grossly irresponsible," said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group.
  • The news of the breach comes at a time when there is more emphasis - and billions of dollars in federal funding - to develop protocols for electronic medical records, with information being shared among providers, insurers, and consumers.
  • Paul Stephens, director of policy for the Privacy Rights Clearinghouse, said that data breaches in the finance and retail sectors tended to involve more people, but that health data are very sensitive and may also contain payment information.
  • ...3 more annotations...
  • Until The Inquirer asked for information, the company had not disclosed the data breach to affected members, most of whom live in Philadelphia and nearby counties
  • The federal website explaining the law says that breaches must be reported "without unreasonable delay and in no case later than 60 days."
  • They would not say how they know the computer drive was lost, not stolen. They would not comment on the riskiness of taking the drive to health fairs, nor would they say whether the data on the drive was encrypted.
  • sandy ingram on 21 Oct 10
     
    A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing - one of the largest recent security breaches of personal health data in the nation. "We deeply regret this unfortunate incident," said Jay Feldstein, the president of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state's Department of Welfare, which has oversight. "We take compliance [with federal privacy laws] very seriously," department spokeswoman Elisabeth Myers said Wednesday.
sandy ingram

HITECH now specifically requires the business associate to notify their partner so that... - 0 views

www.technewsworld.com/...alth-IT-Post-HITECH-70443.html

Breach Law healthcare compliance HHS notification hitech hipaa

shared by sandy ingram on 02 Aug 10 - Cached
  • The total impact to the institution is difficult to quantify. Obviously no organization wants the negative press. It's the kind of thing that loses patients and makes the institution less appealing when trying to attract physicians.
  • Under the breach notification requirements of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act), lost or stolen unencrypted records such as these requires notification to Health and Human Services for the public posting of the institution to HHS' "wall of shame," or public list of breaches involving more than 500 individuals. If you go to the HHS website right now, you'll see this incident listed there -- along with an ever-increasing laundry list of other institutions in the same boat.
  • This very public example of HITECH in action underscores just one of the many ways that the law has altered the way that healthcare does business. While the full impact of the law won't be seen for quite some time to come, we're starting to see some radical changes in the way that hospitals approach security and compliance.
  • ...7 more annotations...
  • Security Breaches From a provider point of view, probably the biggest impact from a security and compliance standpoint stems from the relatively strict breach disclosure requirements within the law. Covered entities not only need to notify in writing the individuals whose data was lost, but they also are required to notify HHS of the data loss.
  • Vendor Impact In addition to expanded disclosure provisions for business associates, HITECH also changes the landscape for them in that they now have a higher bar to meet in terms of their own security requirements
  • Under the law, business associates now have to meet the same bar as covered entities when it comes to the security rule.
  • However, covered entities are not alone in shouldering the burden of these more stringent rules. Business associates also have a role to play under the new provisions. Business associates now need to make sure that they report possible breaches to partners/customers and that they provide enough data for the covered entities to tell who was impacted and what type of data it was -- in other words, enough data for covered entities to fulfill their disclosure obligations. Whereas in the past a breach might occur at a business associate with nobody at the covered entity the wiser
  • HITECH now specifically requires the business associate to notify their partner so that the individuals impacted can be apprised.
  • Clearly, as applications move outside of the provider (for example, due to cloud computing) and more and more vendors move in to participate, rising numbers of vendors, hosting providers, and other service providers find themselves becoming "business associates" and inheriting security requirements that they're unfamiliar with. Even vendors not specifically targeting the healthcare market may find themselves in the direct path of the regs and obligated to change how they do business in response.
  • Vendors seeking to court healthcare clients will now need to pitch not only functionality but a compliance message as well.
  • sandy ingram on 02 Aug 10
     
    Just a few weeks ago, Lincoln Medical and Mental Health Center learned a hard lesson. If you didn't see the news reports, the N.Y.-based healthcare provider notified over 130,000 individuals that their records -- including diagnostic information, Social Security numbers, dates of birth, and other information of use to identity thieves -- was potentially lost."
sandy ingram

Data breach laws, e-discovery increase compliance duties - - 0 views

www.fiercecio.com/...2010-04-17

data breach laws Compliance privacy security ediscovery identity theft

shared by sandy ingram on 20 Apr 10 - Cached
  • The Massachusetts law applies not only to businesses in the state but to any company that keeps personal data on the state's residents. George examines two parts of the law that are particularly notable because they require action to avoid breaches--not just notify victims after the fact.
  • Businesses are required to have a working information security program for protecting personally identifiable information, and they must submit a written information security program to the state. They also must encrypt data in motion and at rest, including information on portable devices such as USB drives, laptop computers and smartphones.
  • A second complicated--and evolving--area of compliance is e-discovery, which is the process of handing over electronically stored information requested during a lawsuit.
  • sandy ingram on 20 Apr 10
     
    States are getting tougher when it comes to trying to protect their residents' personal data from breaches, and a new law in Massachusetts raises the bar by setting a fine of $5000 per record lost. As Randy George at InformationWeek reports, a company could be fined $1 million for losing one laptop with personal data on just 200 residents of the Bay State
sandy ingram

California Department of Public Health Breach Fines and Legally Defensible Security : I... - 0 views

www.infolawgroup.com/...nd-legally-defensible-security

california health breach

shared by sandy ingram on 28 Jun 10 - Cached
  • sandy ingram on 28 Jun 10
     
    The California Department of Public Health ("CDPH") recently announced its imposition of $675,000 in fines to six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported on in the media . You can listen to the CDPH's press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, their potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).
sandy ingram

Nation's toughest personal info law about to take effect -- Government Computer News - 0 views

gcn.com/...-law-personal-information.aspx

Breach Law WISP pii security MA Laws

shared by sandy ingram on 30 Jan 10 - Cached
  • Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law, passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls.
  • The law was written in response to the theft of information on more than 45 million credit card accounts from TJX Companies in 2007
  • The law is designed to ensure “the security and confidentiality of customer information,” based on current industry standards, focusing on threats that can or should be anticipated. The regulations take into account the size of a business, the amount of resources available to it, the amount of personal data held and the sensitivity of the data. It covers paper and electronic records and requires physical and IT security.
  • ...1 more annotation...
  • written information security plan (WISP). “Ninety percent of the clients I deal with on this law do not have a WISP.”
  • sandy ingram on 30 Jan 10
     
    "Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law , passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls."
sandy ingram

Ponemon Study: 73% Believe Cloud Providers Do Not Protect User's Confidential Informati... - 0 views

www.infolawgroup.com/...users-confidential-information

ponemon study Privacy security cloud cybersecurity

shared by sandy ingram on 14 May 11 - No Cached
  • Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently
  • The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility - but the customer’s. 
  • In addition, the survey revealed that a “majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage.
  • ...7 more annotations...
  • Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”
  • The study further reports that the majority of cloud providers surveyed “admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.”
  • One bit of somewhat good news the survey revealed is that “about one-third of the cloud providers in our study are considering such solutions [providing additional security] as a new source of revenue sometime in the next two years.”
  • Another of the report’s conclusion is that “the focus on cost and speed and not on security or data protection [in cloud offerings] creates a security hole.” This potential “security hole” is a prime reason we advise clients, in certain circumstances, to be prepared to walk away from cloud providers under consideration if adequate and legally defensible security measures cannot be adequately negotiated and contractually provided for.
  • The report also states that “cloud providers are least confident about the following security requirements: Identify and authenticate users before granting access Secure vendor relationships before sharing information assets Prevent or curtail external attacks Encrypt sensitive or confidential information assets whenever feasible Determine the root cause of cyber attacks
  • These are serious security concerns any way you slice it
  • The fundamental takeaway from the Ponemon study is that cloud security is very much a work in progress, and that any cloud initiative or plan for corporate cloud usage needs serious due diligence by representatives from business, IT and legal working in conjunction
  • sandy ingram on 14 May 11
     
    Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently.
sandy ingram

Smaller companies challenged to comply with Massachusetts' data privacy rules - Mass Hi... - 0 views

www.masshightech.com/...usetts-data-privacy-rules.html

compliance Privacy Security Massachusetts proofpoint

shared by sandy ingram on 10 Nov 10 - No Cached
  • The regulations, which went into force in March, are intended to protect a consumer’s personal information from identity theft and other privacy breaches and to spell out steps that businesses must take to ensure data is secured. Some large companies — particularly those in the finance and health care industries that are already subject to data security laws like the Health Insurance Portability and Accountability Act (HIPAA) — had privacy measures in place, which helped get them ready for Massachusetts’ regulations. However, for many smaller and midsize companies that have not been subject to data security laws before, complying with the rules is a longer and often more painful process.
  • some businesses that are complying with privacy regulations for the first time and have limited in-house technology expertise “are running around with their hair on fire, trying to figure out what to do first,”
  • “We’ve seen a substantial uptick in activity in clients seeking guidance in how to comply,” said Carlos Perez-Albuerne, a partner at Choate Hall & Stewart LLP. “There’s a whole swath of businesses that never had to deal with anything like this before.”
  • ...4 more annotations...
  • Under the regulations, organizations — no matter where they are based — that store personal information about Massachusetts residents have to write security policies detailing how the data will be protected, encrypt the data when it is stored on laptops or other portable devices or transmitted over public networks, and monitor their systems for breaches.
  • Believed to be among the most stringent data privacy regulations in the U.S., the rules have lawmakers and businesses taking note. The regulations are now driving computer security policy agendas across the country, said Mark Schreiber, a partner at Edwards Angell Palmer & Dodge who chairs the firm’s privacy and data protection group. “The impact is much broader than we ever imagined. Who would have thought it would have catalyzed so much activity?” he said. “This will be with us for decades or longer.”
  • Since March, Cutugno Court Reporting and Sten-Tel Inc., a Springfield-based firm that provides document management and transcription systems, has spent “easily into the six-figure realm” on technology and consulting services to comply with the privacy regulations, said Blake Martin, the company’s CIO.
  • To date, state regulators have not yet taken any public enforcement actions against organizations that have failed to comply with the rules. The state attorney general’s office, which is charged with enforcing the regulations, and the Office of Consumer Affairs and Business Regulation, which developed the regulations, have been focusing on compliance efforts, reaching out to trade groups, bar associations and others to spread the word.
  • sandy ingram on 10 Nov 10
     
    "Eight months after the state's tough, new data privacy regulations went into effect, many businesses are still sorting through the rules and working to bring their firms into compliance. "
sandy ingram

Outgunned: How Security Tech Is Failing Us -- InformationWeek - 0 views

www.informationweek.com/...showArticle.jhtml

Security Privacy compliance cybersecurity Best Practice

shared by sandy ingram on 11 Oct 10 - No Cached
  • Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile. We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures.
  • -U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet.
  • sandy ingram on 11 Oct 10
     
    Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger. "Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.
sandy ingram

Information Security Clauses and Certifications - Part 1 : Info Law Group - 0 views

www.infolawgroup.com/...uses-and-certifications-part-1

Privacy Security Best Practice

shared by sandy ingram on 21 Jan 10 - Cached
  • What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?
  • With heightened liability and compliance risks associated with handling protected categories of data, it is becoming more common to see contractual requirements holding vendors accountable for information security or requiring them to conform to a specified information security standard
  • sandy ingram on 21 Jan 10
     
    Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment
sandy ingram

Small Companies Look to #Cloud for Savings in 2011 - WSJ.com - 0 views

online.wsj.com/...3513204576047972349898048.html

Privacy security compliance cloud Best Practice

shared by sandy ingram on 30 Dec 10 - No Cached
  • As of April 2010, only about 7% of small-business owners were using cloud services, but that number is expected to grow to more than 10% by mid-2011, according to a survey by technology-research firm IDC.
  • Half of small firms that use "the cloud" say it has improved their bottom line, according to a survey this fall by Microsoft Corp., which provides cloud services.
  • A number of surveys show that some business owners are hesitant to try cloud computing because they don't want to stray from familiar systems or invest in new ones. Some owners that have made the switch, however, say it has been a boon to their cash-strapped firms.
  • ...6 more annotations...
  • Garey Willbanks, owner of Boiler Management Ltd. in Houston, says he pays about $600 a month to store information in the cloud. He estimates that is less than a tenth of what he would pay if he hired technology personnel to run an in-house storage server.
  • In June, Michael Tracy, a private law practitioner in Irvine, Calif., decided to try Nextpoint, a cloud-based program for attorneys. He had previously spent $10,000 to $12,000 a year licensing software that would organize materials before a trial. The problem was he needed it just a few times a year. By contrast, Mr. Tracy pays for Nextpoint only when he uses it, and he anticipates spending just $4,000 to $6,000 a year on the service.
  • "If you already have tight control over your company, your expenses may drop 10% to 20%,"
  • Despite the savings, there are risks. Security breaches, for instance, can happen if the cloud provider isn't reliable. "If they make money directly from you, then they will want to secure [your information]," Mr. Enderle says. "If they make it through advertising," they may be more likely to sell the information to advertisers, he says.
  • Others fear that they might lose their information, or have to spend a lot of time transferring data, if they want out.
  • "So make sure it's the right provider and that you're ready to be in it for the long haul."
  • sandy ingram on 30 Dec 10
     
    "A growing number of small-business owners are expected to try cloud computing services next year, hoping to trim costs and stay up and running if disaster strikes. Cloud computing refers to any service that operates over an Internet connection, allowing immediate access from any computer or mobile device with Web access. Business owners can access software or store information-such as customer contacts, accounting data and presentations-and leave the technical maintenance to the cloud provider. "
sandy ingram

Infosecurity (USA) - White House cybersecurity proposal shifts FISMA responsibility to DHS - 0 views

www.infosecurity-us.com/...ts-fisma-responsibility-to-dhs

security Privacy compliance FISMA DHS Best Practice

shared by sandy ingram on 07 Jun 11 - No Cached
  • This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.
  • “DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”
  • The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.
  • ...5 more annotations...
  • “This brings the same rationality to offense informing defense. Instead of telling people that they have to have a good security plan, what DHS’s role will be is to demonstrate what best practices are and make sure people are measuring against those best practices”, Paller said.
  • The White House proposal would also create a national data breach notification requirement standardizing various state laws
  • “The administration's proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised, and clarifies penalties for computer crimes including mandatory minimums for critical infrastructure intrusions.
  • The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing.
  • It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation's access to cost-effective data storage solutions.”
  • sandy ingram on 07 Jun 11
     
    The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) "to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance" with FISMA, except for national security systems.
1 - 13 of 13
Showing 20 items per page