WPPS C-Suite News

The California Department of Public Health ("CDPH") recently announced its imposition of $675,000 in fines to six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported on in the media . You can listen to the CDPH's press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, their potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).

"We were told by a third-party vendor that all security measures were in place,"

One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of three years ago, you will lose. APT allows organizations to focus on the real threats that exist today. While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.  What is APT?

In today's economic climate, many organizations outsource parts of their business to take advantage of cost savings and solution-expertise. However, as vendor relationships increase, it becomes more difficult to manage them. The risks assumed by outsourcing can be significant without a vendor management program. According to the Ponemon Institute Study - 2009 Security Mega Trends, an average of 50.5% of organizations who outsourced sensitive and confidential data to third parties experienced a security incident or data breach as a result of outsourcing. In this 1-hour live webcast, Michael Rasmussen, President at Corporate Integrity, will share his insights on the importance of vendor management, as well as his recommendations of best practices for defining and executing an effective strategy. Chris Noell, EVP of Product management of TruArx, will then provide a brief overview of how GRC tools such as TruComply can automate key vendor management activities and enable these best practices. In this session, you will learn about: *The importance of vendor management and how it applies to your business *Best practices for defining and executing an effective vendor management strategy *How you can quickly and cost-effectively establish a mature vendor management program

"As the volume of electronically stored information (ESI) rises rapidly, improving the understanding among the C-suite, legal and IT functions is key to controlling costs and better managing e-discovery risks."

As we previously mentioned, Connecticut Attorney General Richard Blumenthal filed the first HIPAA-related lawsuit. That lawsuit has now been settled, also a first. The settlement agreement [PDF] between the State of Connecticut and the defendants (Health Net) is the result of the loss of a computer disk drive that had unencrypted health information for 1.5 million health plans. Health Net, under the terms of the settlement, has agreed to pay $250,000 to the state of Connecticut, offer 2 years of credit monitoring to those affected, obtain identity theft insurance and reimburse those affected for security freezes. They will also be required to greatly improve their security measures.

"The Need for Risk-Based FCPA Compliance Assessments How To Deal With Increasing FCPA Risks In a Time of Shrinking Budgets In a time of dwindling funds, growing risks, and increased government targeting of companies that cut compliance budgets, a proper anti-corruption assessment is a vital first step in creating a cost-effective compliance program When a warning comes straight from the mouth of the U.S. Government's lead prosecutor in a field directly affecting their bottom line, it is wise for businesses to pay heed. In an interview earlier this year with PBS's investigative journal, "Frontline," Mark Mendelsohn, the Deputy Chief of the U.S. Department of Justice's Fraud Section, which is charged with enforcing the Foreign Corrupt Practices Act ("FCPA"), offered advice to all American businesses dealing with the current global recession. "I think that companies need to be especially vigilant in this economic climate to not cut back [on FCPA compliance]," Mendelsohn said. "Our law enforcement efforts are not going to be scaled back, and so it would be, I think, a grave mistake for a company to take that path.""

Just a few weeks ago, Lincoln Medical and Mental Health Center learned a hard lesson. If you didn't see the news reports, the N.Y.-based healthcare provider notified over 130,000 individuals that their records -- including diagnostic information, Social Security numbers, dates of birth, and other information of use to identity thieves -- was potentially lost."

The House Cybersecurity Caucus has established a website.

"Didn't See That Coming? Why Many Employers are Vulnerable to Employee Fraud"

What the government IT manager needs when getting ready to embark on their migration to the Cloud is a good template; one that defines a proven roadmap to follow.What Cloud Computing Summit attendees learned (and now you) is that help is on the way. Cloud and SOA expert Dave Linthicum has developed a step-by-step plan to help you scale the heights. He goes through them meticulously in his new book Cloud Computing and SOA Convergence In Your Enterprise: A Step-by-Step Guide. At the Summit, Linthicum outlined the plan. Afterwards he told 1105 Custom Media you can consider Cloud Computing the extension of SOA out to Cloud-delivered resources, such as storage-as-a-service, data-as-a-service, and platform-as-a-service.

The journey leading up to where we are today has been taking place for 15 years now, starting way back with Windows Live and Hotmail. Since then, the services and offerings served up online through cloud from Microsoft have continued and expanded. Today, there are a number of cloud based solutions available, enabling individuals and businesses around the world to do so much. Here's a look at some of these, with links to more information about each and trials of these for you:

Existing cloud users are satisfied. Security is not considered to be an issue

MOUNTAIN VIEW, Calif. - August 4, 2010 - Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2010 Information Management Health Check Survey, which highlights that a majority of enterprises are not following their own advice when it comes to information management. Eighty-seven percent of respondents believe in the value of a formal information retention plan, but only 46 percent actually have one. Survey results also found that too many enterprises save information indefinitely instead of implementing policies that allow them to confidently delete unimportant data or records, and therefore suffer from rampant storage growth, unsustainable backup windows, increased litigation risk and expensive and inefficient discovery processes.

"At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the 'Red Flags' Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance….

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?

Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger. "Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.

"This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered. The list is intentionally US-centric, but includes selected laws of other nations that have an impact on US-based global companies. "

"According to a recent global survey on data wiping practices, Kroll Ontrack, the leading provider of information management, data recovery, and legal technology products and services, found less than half of businesses regularly deploy a method of erasing sensitive data from old computers and hard drives. Of the 49 percent of businesses that are systematically deploying a data eraser method, 75 percent do not delete data securely, leaving most organizations highly susceptible to data breaches, which plague businesses at least once a year according to the 2010 Kroll Ontrack Annual ESI Trends Survey and cost an organization an average of $6.75 million per breach according to the 2009 Ponemon Cost of Data Breach Study."

"SAN FRANCISCO - May 18, 2011 - The City and County of San Francisco today announced that it will upgrade and consolidate its multiple citywide email systems used by more than 23,000 employees as part of its ongoing efforts to improve the quality and efficiency of its services and reduce IT management costs. "A key part of serving a community as diverse and vibrant as ours starts with making the right investments in information technology," San Francisco Mayor Edwin M. Lee said. "It is our responsibility to make decisions that are fiscally responsible, forward-looking, and improve the services that city and county employees provide to our constituents.""