Tuesday, March 22, 2011

Audit executives stand by Sarbox, 22 March 2011

We're seeing some major efforts in Congress right now to roll back previously enacted reform efforts, like credit and debit card reform measures, the Dodd-Frank Act, the Patriot Act and the Obama Healthcare initiative. It remains to be seen if these efforts will ever prove successful.
But we can look to Sarbanes-Oxley for an example of how legislation that is reviled can sometimes emerge as something that regulated entities eventually support.
A new survey of more than 300 chief audit executives by Grant Thornton has found that the vast majority, nearly 90 percent, do not believe the Sarbanes-Oxley Act of 2002 should be repealed. There was a day when that number would have been a lot lower. Frankly, the act has never been this popular.
So, is this legislation showing the way for laws that are currently unpopular? Maybe.
Early on, people spared no insult for Sarbox, which ended up being very expensive for companies large and small. But after years of working through the issues, the big companies eventually cracked the nut and were able to impressively streamline their 404 processes. These days, they have the process down to a science.
As for small companies, Dodd-Frank gave them a permanent reprieve from 404(b). It may be that once companies take the initial hit on some reform measures, they might end up better off.
That said, this argument will likely not prove persuasive with those who oppose the current crop of new regulations.

Mac OS X 10.6.7 fixes security vulnerabilities

The Day - FBI tapes target Nawaz at fraud trial | News from southeastern Connecticut

Tuesday, March 8, 2011

Eight Breach Prevention Tips

Don't Overlook These Breach Prevention Measures
March 7, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com

To prevent healthcare information breaches, a growing number of organizations are encrypting information stored on laptops and other portable devices. As they prepare comprehensive risk management strategies, however, hospitals, clinics and others must make sure they don't overlook other important breach prevention steps, security experts advise.
Following are eight breach prevention tips gathered at the recent Healthcare Information and Management Systems Society Conference. These steps also can play an important role in complying with the privacy and security provisions of HIPAA and the HITECH Act.

1. Make Broader Use of Encryption
Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, points out that although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."
Terrell Herzig, information security officer at UAB Medicine, urges hospitals, clinics and others to expand encryption beyond mobile devices and desktops to include USB drives, CDs and DVDs as well (See: Overlooked Breach Prevention Steps).

And far too many organizations are neglecting to use secure e-mail, says Willie Williams III, managing partner at The Kiran Consortium Group. Including patient information in e-mail that lacks encryption is extremely risky and can lead to a breach, he stresses.

2. Use Business Associate Agreements
Although pending HIPAA modifications make it clear that business associates must now comply with HIPAA, business associate agreements still are essential, Greene says. The agreements offer an "important opportunity" to spell out the role of the business associate in protecting patient information and preventing breaches, he stresses.
Williams points out that hospitals, for example, should "write into their business associate agreements how their partners, including consultants, will protect any patient information they remove from the hospital on a laptop."

3. Consider Role of Cloud Computing
Consultant Patricia Dodgen of Hielix advises smaller clinics to consider using the software-as-a-service model of cloud computing when adopting EHRs because it offers a level of security that clinics cannot provide on their own servers. She also says remotely hosted EHRs offer better backup services (See: EHRs and Cloud Computing).
But Feisal Nanji, executive director at the security consulting firm Techumen, urges healthcare organizations to require that cloud computing vendors "provide detailed documentation of how they are protecting their data centers" to prevent breaches. He also says those considering using cloud computing should get a clear understanding of "how computers will be authenticated to either provide information or receive it."

A recent New York health information breach involving the theft of unencrypted backup tapes, which may have affected as many as 1.7 million individuals, may lead more organizations to consider backup storage in the cloud.

"Many organizations are phasing out physical backup media in favor of backup over the Internet," says security specialist Kate Borten, president of The Marblehead Group. "Of course, that has its risks too, unless proper security measures are followed." (See: Privacy Protections for Backup Files)

4. Use Two-Factor Authentication
Using two-factor authentication can support efforts to more effectively control access to protected health information and prevent breaches, says Herzig of UAB Medicine. The integrated delivery system in Birmingham, Ala., recently shifted from hardware tokens to software tokens that run on mobile devices.
"We received complaints about the inconvenience of hardware tokens," Herzig says. As more clinicians were using a variety of mobile devices to remotely access patient information, UAB determined that an applet that generates a one-time password on any mobile device would be more practical, he explains.

5. Develop a Social Media Policy
Lee Aase, director of the Mayo Clinic Center for Social Media, advises healthcare organizations that are making broader use of social media to educate staff members about appropriate uses of the new media by using a combination of blogs, webcasts, conferences and other options (See: Mayo Clinic's Insights on Social Media).
Mayo's social media guidelines are based on its existing, broader policies regarding maintaining patient privacy, guarding trade secrets, using the Internet during work hours and other issues, Aase points out. He also stresses the need to develop a corporate culture that emphasizes serving the best interests of patients, including maintaining their privacy.

6. Monitor Document Shredding
Shredding documents is an effective strategy to protect the privacy of personal information and prevent breaches, says UAB's Herzig. But when his organization audited the work of its new shredding vendor, "we discovered that in actuality they were leaving a lot of the material in an unsecure location to pre-stage it," he says.
"It's a case in point. You have to audit every one of your security controls to make sure they are operational and effective."

7. Destroy Unused Drives, Tapes
Herzig also says hospitals need to develop more effective, affordable methods to properly dispose of unused media, such as hard drives or backup tapes. He says degaussing magnetic storage media can prove difficult, and overwrites of data can be time-consuming.
So instead, UAB uses an onsite industrial crusher to destroy old drives. "We pulverize our hard drives into half-inch squares," he says. By destroying drives onsite, UAB can easily track the chain of custody and issue a certificate of destruction, he adds.

8. Use DLP as Educational Tool
UAB generates weekly security reports using a data loss prevention application. For example, the reports pinpoint inappropriate uses of e-mail that were prevented.
"We sanitize the data in these reports and use it in our corporate compliance education courses," Herzig says. Such educational efforts can play a critical role in preventing breaches, he adds.


Tuesday, March 1, 2011

It's Time to Invest in Your IT Team

Skills to invest in for 2011 and beyond.

By Don Jones, 03/01/2011
As we near the end of the first quarter of 2011, you're probably getting those new IT projects moving, allocating this year's budget and so forth. As you do, don't forget one of your most important IT assets: your team. But where should you focus? I suggest three areas.

Troubleshooting Skills
In my practice as a strategic consultant, I see an incredible lack of troubleshooting skills within organizations. That means when problems occur, those organizations spend an unacceptably long amount of time resolving issues and stabilizing the production environment. Unfortunately, troubleshooting skills are hard to teach.

You can, however, encourage your team to deliberately develop and refine its experience, which leads directly to more efficient troubleshooting. Have a brief meeting every month (and no, I can't believe I'm recommending more meetings rather than fewer) where you review the problems of the previous month and ask one team member to describe what went wrong, what fixed the problem and why the fix worked.

Automation Skills
It pains me every time I see someone performing some rote task, such as creating new user accounts using a GUI console. C'mon, it's 2011 -- surely we can start letting the computers do the mundane, repetitive stuff, right?

In the Microsoft world, that means investing in Windows PowerShell. A solid understanding of command-line administration also engenders a better understanding of the technology you're administering ... which leads to better troubleshooting skills, too.

I've been careful to write command-line administration and not scripting. A lot of Microsoft-focused admins have a huge fear of, distaste for or disinterest in "programming," and they correctly see scripting as a kind of lightweight programming. No problem: A major benefit of Windows PowerShell is that you can be extremely effective without learning to program. That's a main focus of the classes I teach, and it's a message that's been going over gangbusters with hundreds of administrators every year. Sure, for those admins who do have some programming experience and who enjoy scripting, Windows PowerShell steps up and lets them be extremely powerful -- but it doesn't leave you out in the cold if you're not ready to fire up Visual Studio, either.

Based on what I'm seeing some of my largest clients (banks, pharmaceuticals, telecoms and manufacturing firms) do, Windows PowerShell could well be the most important IT investment you'll make in the next five or six years. Some of my customers have documented clear returns on training investment in just a few months, simply by automating tasks and freeing up administrator time for other projects and issues.

A New Version
Finally, make sure every one of your team members becomes well-versed in the latest version of at least one product or technology that he works with, along with details on how to deploy it. Even if you're not planning to actually deploy that version of that product, get someone up to speed on it.

You never know when you may suddenly have to change your mind about that version, and having an expert on staff will make things easier. Also, the "skip a version" mindset might work well from a financial perspective, but it results in a huge skills deficit. Skip version 4, and your team will be even less prepared for versions 5 and 6, which will doubtless build on version 4. So if version 4 is what's new right now, at least have someone gain a basic familiarity with it. Today's cheap virtual machine technologies make it easy to create a test lab where someone can spend some time with the new technology. Make this project a part of each team member's formal goals for the year.

About the Author
Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, make him a sought-after consultant by companies that want to better align their technology resources to their business direction. Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.