You are viewing 'HITECH'
Jon-Louis Heimerl | October 10, 2011
We’re not talking about plain old rules, but rather mandated rules as defined in federally enacted legislation. As someone with a career in information security, my first answer is “yes, regulation is good for security.” Regulation helps make sure that people and companies are protecting the security of their systems, networks, and information, even minimally. If you are faced with regulatory compliance, you are faced with a legal issue. And, if you are not compliant, you are essentially breaking the law.
But the devil is in the details.
I know perfectly well that there are many standards and regulations in place. But which ones are the most impactful?
HIPAA/HITECH has been around now since 1996. The main purpose of HIPAA was originally to help ensure portability of insurance in the event an employee changes jobs. This grew as the bill grew with a variety of contributors, and soon included requirements to establish national...
Tags: HIPAA, HITECH
Brad Curtis | September 13, 2011
My last blog focused on how to put together a HITECH compliance plan for your organization. This post takes that thought a bit further to provide a list of topics you should, at a minimum, include in your HITECH training. Do not overcomplicate your training; keep it simple, factual, and to the point. If you create it in PowerPoint, 10-15 slides will probably be about the right length. If you are concerned employees will only skim the material and not retain it, you can require them to take a very short quiz after completing the training with no more than 8-10 questions. Again, keep it simple and ask questions directly from the training to reinforce the important topics. If it takes more than 30 minutes to complete the training and quiz, you are likely going into details most users do...
Joseph (J.B.) Blankenship | September 06, 2011
It’s a beautiful day here in Atlanta, GA today. The temperature is uncharacteristically mild for an August day in the South. There’s a nice breeze blowing. The humidity is low, and there isn’t a cloud in the sky. Looking out my office window, the bright cerulean blue of the sky reminds me of a day about 10 years ago. I was working in my office in a mid-rise office building outside of Atlanta, occasionally gazing out the window to admire the day. It was my birthday, and I was excited at the prospects the day would bring.
Since I worked alone in a very quiet office, I kept a radio tuned to my favorite news/talk station. I was listening to the morning show when the announcer broke in to say, “An airplane has struck the World Trade Center in New York.” For the rest of the day and night, like most Americans, I remained glued to the news. Needless to say, the plans for celebrating my birthday that evening were scrapped.
With the...
Tags: HITECH, malware, PCI Compliance
Brad Curtis | August 11, 2011
When people hear the phrase “we need to be compliant with HITECH”, they panic. While equally important, HITECH compliance is much easier for an organization to tackle than, say, PCI DSS. You can essentially do it yourself, whereas with other standards, you may be better off pulling in third-party resources to perform gap analysis and remediation guidance.
What do you have to do to be HITECH compliant? In summary, here’s a quick guide:
1) Identify all Protected Health Information (PHI) your organization may come in contact with and who “owns” that information
2) Identify all company assets (devices) where PHI may...
Tags: compliance, HITECH