Skip to main content

Home/ WPPS C-Suite News/ Group items tagged notification

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
sandy ingram

Are you ready for a data breach? | Healthcare IT News - 0 views

www.healthcareitnews.com/...are-you-ready-data-breach

data breach HITECH DHS Risk Assessment Compliance

shared by sandy ingram on 23 Jun 10 - Cached
  • sandy ingram on 23 Jun 10
     
    The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents. If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should: The requirement for a mandatory incident-specific risk assessment for every incident The fact that HITECH notification provisions do not pre-empt state notification laws Encryption of data does not necessarily alleviate the risk of data breach If your business associate exposes your protected health information (PHI), you are responsible
sandy ingram

HITECH now specifically requires the business associate to notify their partner so that... - 0 views

www.technewsworld.com/...alth-IT-Post-HITECH-70443.html

Breach Law healthcare compliance HHS notification hitech hipaa

shared by sandy ingram on 02 Aug 10 - Cached
  • The total impact to the institution is difficult to quantify. Obviously no organization wants the negative press. It's the kind of thing that loses patients and makes the institution less appealing when trying to attract physicians.
  • Under the breach notification requirements of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act), lost or stolen unencrypted records such as these requires notification to Health and Human Services for the public posting of the institution to HHS' "wall of shame," or public list of breaches involving more than 500 individuals. If you go to the HHS website right now, you'll see this incident listed there -- along with an ever-increasing laundry list of other institutions in the same boat.
  • This very public example of HITECH in action underscores just one of the many ways that the law has altered the way that healthcare does business. While the full impact of the law won't be seen for quite some time to come, we're starting to see some radical changes in the way that hospitals approach security and compliance.
  • ...7 more annotations...
  • Security Breaches From a provider point of view, probably the biggest impact from a security and compliance standpoint stems from the relatively strict breach disclosure requirements within the law. Covered entities not only need to notify in writing the individuals whose data was lost, but they also are required to notify HHS of the data loss.
  • Vendor Impact In addition to expanded disclosure provisions for business associates, HITECH also changes the landscape for them in that they now have a higher bar to meet in terms of their own security requirements
  • Under the law, business associates now have to meet the same bar as covered entities when it comes to the security rule.
  • However, covered entities are not alone in shouldering the burden of these more stringent rules. Business associates also have a role to play under the new provisions. Business associates now need to make sure that they report possible breaches to partners/customers and that they provide enough data for the covered entities to tell who was impacted and what type of data it was -- in other words, enough data for covered entities to fulfill their disclosure obligations. Whereas in the past a breach might occur at a business associate with nobody at the covered entity the wiser
  • HITECH now specifically requires the business associate to notify their partner so that the individuals impacted can be apprised.
  • Clearly, as applications move outside of the provider (for example, due to cloud computing) and more and more vendors move in to participate, rising numbers of vendors, hosting providers, and other service providers find themselves becoming "business associates" and inheriting security requirements that they're unfamiliar with. Even vendors not specifically targeting the healthcare market may find themselves in the direct path of the regs and obligated to change how they do business in response.
  • Vendors seeking to court healthcare clients will now need to pitch not only functionality but a compliance message as well.
  • sandy ingram on 02 Aug 10
     
    Just a few weeks ago, Lincoln Medical and Mental Health Center learned a hard lesson. If you didn't see the news reports, the N.Y.-based healthcare provider notified over 130,000 individuals that their records -- including diagnostic information, Social Security numbers, dates of birth, and other information of use to identity thieves -- was potentially lost."
sandy ingram

Amended SB1386 - Health care data security breach explained - 0 views

www.scmagazineus.com/...120069

hipppa SB1386 health training breaches

shared by sandy ingram on 01 Nov 08 - Cached
  • Health care data security breaches in the U.S.
  • New laws and regulations regarding data security breaches and disclosure laws affect the way in which health care organizations do business
  • Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • ...11 more annotations...
  • he disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales, and other externally facing operations.
  • Individuals affected by data breaches that meet the personal information definition and notification requirements must be notified by using one of three methods: written notice, electronic notice with customer's consent, or substitute notice
  • A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
  • The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs.
  • The purpose of this rule is to secure personally identifiable information (PII) as it travels through the healthcare system. Healthcare organizations, including providers, payers, and clearinghouses, must comply with the Privacy Rule.
  • Between 2000 and 2007, nearly half of all health care security incidents that occurred in the U.S. were associated with hospitals.
  • Between 2000 and 2007, 40 percent of publicly known security incidents at health care organizations are classified as data breaches
  • Although data breaches (hackers, malicious employees, social engineering, etc.) only constitute 40 percent of incidents, they account for 57 percent of all records compromised, nearly two and a half times the next closest category.
  • This again speaks to the need for strong policies and procedures. If organizations did not allow sensitive data to leave their facility without being encrypted (for electronic data) or disposed of properly (for physical data), it could eliminate nearly a quarter of the incidents they would face.
  • sandy ingram on 01 Nov 08
     
    Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • sandy ingram on 01 Nov 08
     
    A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
sandy ingram

Identity Theft Resource Center ITRC 2008 Breach List - 0 views

www.idtheftcenter.org/...ITRC_2008_Breach_List.shtml

itrc breaches 2008 report

shared by sandy ingram on 10 Mar 09 - Cached
  • sandy ingram on 10 Mar 09
     
    The ITRC breach list is a compilation of breaches confirmed by various media sources, notification lists from state governmental agencies.
sandy ingram

Privacy and Security | BCP Business Center - 0 views

business.ftc.gov/privacy-and-security

Privacy Security compliance Best Practice breach cybersecurity FTC

shared by sandy ingram on 16 Nov 10 - No Cached
  • Behavioral Advertising Online behavioral advertising – the practice of tracking someone’s online activities to deliver targeted advertising – can raise potential privacy issues.  Do you disclose your practices to your customers and honor your promises? Children’s Online Privacy The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s two main requirements. Credit Reports Does your business use credit reports to evaluate customers’ credit worthiness? Do you consult credit reports when considering evaluating applications for jobs, leases, and insurance? Here is information about your responsibilities when using, reporting, and disposing of information in those credit reports. Data Security Many companies keep sensitive personal information about customers or employees in their files. Having a sound security plan in place can help you meet your legal requirements to protect that sensitive information. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Health Privacy If you offer or maintain personal health records online, you could be covered by the FTC’s Health Breach Notification Rule. Are you familiar with your legal obligations in case of a security mishap? Red Flags Rule The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs  – or red flags – of identity theft in their day-to-day operations.
  • sandy ingram on 16 Nov 10
     
    "Privacy and Security For many companies, collecting sensitive consumer and employee information is an essential part of doing business. If you collect this type of information, it's your legal responsibility to take steps to properly secure or dispose of that data."
sandy ingram

Data Security Breaches Cost Real Money - 0 views

www.mondaq.com/...article.asp

it data security breach cost privacy Information Assurance Poneman

shared by sandy ingram on 08 Apr 10 - Cached
  • PGP Corporation, an enterprise data protection company, and the Poneman Institute, a privacy and information management research firm, as part of their fifth annual U.S. Cost of a Data Breach Study, tracked a wide array of cost elements
  • These elements included outlays for detection, escalation, notification, and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs related to customer support like information hotlines and credit monitoring subscriptions
  • data breaches caused by malicious attacks and botnets were on the high end of severity and cost responses. These types of breaches doubled from 2008 to 2009.
  • ...5 more annotations...
  • data breaches involving data outsourced to third-parties, especially those offshore, remain very costly.
  • The study shows that companies are spending more on legal defense costs in the area of data security breaches
  • Furthermore, companies that have a Chief Information Security Officer (CISO) or equivalent high-level security/privacy leader in place who manages data security breach incidents experienced a 50% less per cost of compromised record than companies that do not have such leadership.
  • Somewhat surprisingly, the study indicates that companies that notify victims of data breaches too quickly may incur about 12% higher response costs. The study suggests that moving too quickly through the data breach process could cause inefficiencies that raise total costs
  • companies that engage outside expertise to assist them during a data breach incident tended to have a lower $170 cost per victim than companies that do not seek outside help at $231 per victim.
  • sandy ingram on 08 Apr 10
     
    study shows that companies are spending more on legal defense costs in the area of data security breaches. This has been attributed to fears of potential class actions, and other lawsuits resulting from consumer and employee data loss. In fact, companies that engage outside expertise to assist them during a data breach incident tended to have a lower $170 cost per victim than companies that do not seek outside help at $231 per victim.
sandy ingram

Infosecurity (USA) - White House cybersecurity proposal shifts FISMA responsibility to DHS - 0 views

www.infosecurity-us.com/...ts-fisma-responsibility-to-dhs

security Privacy compliance FISMA DHS Best Practice

shared by sandy ingram on 07 Jun 11 - No Cached
  • This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.
  • “DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”
  • The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.
  • ...5 more annotations...
  • “This brings the same rationality to offense informing defense. Instead of telling people that they have to have a good security plan, what DHS’s role will be is to demonstrate what best practices are and make sure people are measuring against those best practices”, Paller said.
  • The White House proposal would also create a national data breach notification requirement standardizing various state laws
  • “The administration's proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised, and clarifies penalties for computer crimes including mandatory minimums for critical infrastructure intrusions.
  • The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing.
  • It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation's access to cost-effective data storage solutions.”
  • sandy ingram on 07 Jun 11
     
    The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) "to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance" with FISMA, except for national security systems.
1 - 7 of 7
Showing 20 items per page