William, The problem is for most, that they haven't really done anything
other than the paper work and training to comply with the Privacy Rule.
I've visited several hundred CE's and it's a universal problem.  Especially
at risk are those that have relied on the HIPAA In A Box products - which
promote gross over confidence, and do no real security preparedness, much
less credible assessments.  But now that I have been looking at GLBA for a
while, I suspect large segments are in deep trouble.  The irony of this all
is that with HIPAA we have great support peer groups, but weak enforcement.
With GLBA, no peer support at all, and heavy enforcement!  Another thing
that comes into play with GLBA, is that it isn't the individual that gets the
fine - it's the Senior Management/Board Members, and a violation of GLBA
also triggers the new Corporate Integrity statute.  These will be fun times
ahead.

Regards,

Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Alt Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Direct Phone: 1-727-787-9801

Certified Consulting Specialist and Forensic Regulatory Examiner in
Regulatory Privacy, Security, and Application Compliance
[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section
508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland
Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance
Certification Organization

===========================================================================

IMPORTANT LEGAL NOTICE: This communication, including any attachment,
contains information that may be confidential or privileged, and is intended
solely for the entity or individual to whom it is addressed. If you are not
the intended recipient, please notify the sender at once, and you should
delete this message and are hereby notified that any disclosure, copying, or
distribution of this message is strictly prohibited. Nothing in this email,
including any attachment, is intended to be a legally binding signature.

HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and
statutes are law, and that all interpretation of law should involve licensed
attorneys in good standing with their local Bar Association. The foregoing is
provided for educational or discussion purposes only. The author accepts no
responsibility for its accuracy, review, distribution, or use in any way.
You assume responsibility for understanding this material and its
applicability and/or use. The above may need to be interpreted by your
attorney as needed to conform with federal or state law - your use of this
information must always be reviewed and approved by your own attorney prior
to use, application, or implementation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 8:12 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: RE: FTC Security Rule


There are sufficient security requirements under the mini-security rule
for HIPAA which went into effect with the Privacy Rule last April that
should drive some action as well.  A minimum baseline position on
information security should already be in place for organizations that
believe that they are HIPAA Privacy Rule compliant, regardless of the
FDIC Guidelines impact.  I agree, the industry has a surprise in store
if anyone ever gets to the enforcement side of the equation well ahead
of April 2005.

William H. Dobson, CISSP, IAM
TrustWave Professional Services
201 Defense Highway, Ste 205
Annapolis, Maryland 21401

Cell:   410-279-7921
Off:     410-573-6910 X 2622
Fax:  410-571-8493

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 4:34 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: FTC Security Rule

This is all well and good, but I think you all have a surprise in store.

Many (exact quality unknown) Healthcare providers and plans also fall under
the Gramm-Leach-Bliley Act.  Interestingly enough, the FTC's Safeguards Rule
deadline was last May.  As such ALL HIPAA entities that also fall under GLBA
must also comply with the FTC Safeguard Rule which is very similar, though
has some interesting twists.  What is interesting about the FTC vision of
security, is that no Risk is acceptable when a customer's data is subject to
compromise.  Of course the practicality of such an approach is problematic,
but it does speak to their approach on enforcement - serious and to the
point.

I would strongly suggest that ALL HIPAA CE's examine the FTC Safeguard Rule
available from the FTC's website www.ftc.gov (under Privacy initiatives).

At least now you all have justification for your Security Budget!!

Regards,

Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Alt Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Direct Phone: 1-727-787-9801

Certified Consulting Specialist and Forensic Regulatory Examiner in
Regulatory Privacy, Security, and Application Compliance
[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section
508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland
Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance
Certification Organization

-----Original Message-----
From: Bill Pankey [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 6:56 PM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: Avoiding Risk was Re: PGP encryption


Chris, Doug

What is very interesting about the security rule is that it does not
seem to include *any* duty to 'avoid' a risk when the 'appropriate'
control cannot be 'reasonably' implemented.

Given that relatively few CE publish a (public) encryption key, it is
easy to argue that wholesale email encryption is 'not reasonable' ....
in that the cost of email encryption would then exceed its security
mitigation benefit. (the lack of marginal risk mitigation benefit
derives from the objectively low likelihood and potentially low impact
associated with the interception / redirection of any particular
message).

Clearly though email encryption is appropriate as there are few, if any,
alternate confidentiality controls.

On the other hand, there is nothing that obligates the CE to allow email
transmission of PHI, indeed many CE will claim to have had long-standing
policy precluding such use of email.  The fact that these policies were
often incompetent or not enforced is irrelevant; the HCO having such
policies, (necessarily) claim that such policies do / did not negatively
impact patient care or healthcare operations .... so the unmitigated
risk of email interception / redirection (apparently) can be avoided
with such policies.  Similarly, some marquee CE, motivated by a concern
over a lack of what they considered good security, have similarly
adopted categorical 'no wireless' policies.

At some point (perhaps instigated by the plaintiff's bar) there simply
has to be consideration of the "avoid" risk option.  It does seem
incumbent on the CE who decides that 'appropriate' security is too
expensive (and thus unreasonable) to consider why it is that the CE is
not avoiding the risk entirely, by (perhaps) disallowing certain
practices, connections, technology, protocols, etc.  Although not
explicitly required by the Rule, where addressable features were not
implemented, it seems prudent to document why the risk that would have
been mitigated by those features could not somehow be avoided.

bill pankey

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.  These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org