David, I totally agree with you!

The key point of this threat from my perspective is this: we don't have 18
months to sit around.

Regards,

Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Alt Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Direct Phone: 1-727-787-9801

Certified Consulting Specialist and Forensic Regulatory Examiner in
Regulatory Privacy, Security, and Application Compliance
[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section
508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland
Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance
Certification Organization

===========================================================================

IMPORTANT LEGAL NOTICE: This communication, including any attachment,
contains information that may be confidential or privileged, and is intended
solely for the entity or individual to whom it is addressed. If you are not
the intended recipient, please notify the sender at once, and you should
delete this message and are hereby notified that any disclosure, copying, or
distribution of this message is strictly prohibited. Nothing in this email,
including any attachment, is intended to be a legally binding signature.

HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and
statutes are law, and that all interpretation of law should involve licensed
attorneys in good standing with their local Bar Association. The foregoing is
provided for educational or discussion purposes only. The author accepts no
responsibility for its accuracy, review, distribution, or use in any way.
You assume responsibility for understanding this material and its
applicability and/or use. The above may need to be interpreted by your
attorney as needed to conform with federal or state law - your use of this
information must always be reviewed and approved by your own attorney prior
to use, application, or implementation.



-----Original Message-----
From: David Frid [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 8:56 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: RE: FTC Security Rule


While there are many "rules" that people are debating here the most accurate
thing I've heard is that all the legislation is really just enforcing good
business practices that should already be in place.  It is important to
understand your legal requirements for setting priorities on a security
program, but you still need a security program as a business.

The FTC is using its authority to validate information security claims by
companies.  So you need to exercise due care and be able to show that an
effort is being made to maintain your security program and protect systems
from common vulnerabilities.  FTC has an enforcement army and will be able
to grow it with recent settlements such as Guess.  It's only a matter of
time (and political positioning) before the FTC turns its eye towards the
parts of the health industry.

-David




-----Original Message-----
From: Nahra, Kirk [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 8:29 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: RE: FTC Security Rule

It's somewhat more complicated in terms of who must comply with the GLB
provisions.  "Insurers" need to comply generally, but they would need to
comply with state laws developed by the insurance departments, rather than
the FTC rule (meaning in part that the FTC deadline is not relevant to most
insurers).  Many states have not yet passed a state GLB security rule.
There is a model from the National Association of Insurance Commissioners
that is being used by many states.  Employer plans for the most part are not
covered by GLB.  Neither are most health care providers, unless they somehow
also qualify as a "financial institution."  So, while it is important to be
aware of the FTC and/or GLB security rules, this is not necessarily
important for many HIPAA covered entities (and probably less important than
the security provisions of the Privacy Rule that went into effect on April
14, 2003.)

Kirk J. Nahra
Wiley Rein & Fielding, LLP.
1776 K Street, N.W.
Washington, D.C. 20006
202.719.7335
202.974.1402 (fax)
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Visit www.wrf.com


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 4:34 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: FTC Security Rule


This is all well and good, but I think you all have a surprise in store.

Many (exact quality unknown) Healthcare providers and plans also fall under
the Gramm-Leach-Bliley Act.  Interestingly enough, the FTC's Safeguards Rule
deadline was last May.  As such, ALL HIPAA entities that also fall under GLBA
must also comply with the FTC Safeguard Rule, which is very similar, though
it has some interesting twists.  What is interesting about the FTC vision of
security is that no Risk is acceptable when a customer's data is subject to
compromise.  Of course the practicality of such an approach is problematic,
but it does speak to their approach on enforcement - serious and to the
point.

I would strongly suggest that ALL HIPAA CE's examine the FTC Safeguard Rule
available from the FTC's website www.ftc.gov (under Privacy initiatives).

At least now you all have justification for your Security Budget!!

Regards,

Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Alt Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Direct Phone: 1-727-787-9801




-----Original Message-----
From: Bill Pankey [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 6:56 PM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: Avoiding Risk was Re: PGP encryption


Chris, Doug

What is very interesting about the security rule is that it does not
seem to include *any* duty to 'avoid' a risk when the 'appropriate'
control cannot be 'reasonably' implemented.

Given that relatively few CE publish a (public) encryption key, it is
easy to argue that wholesale email encryption is 'not reasonable' ....
in that the cost of email encryption would then exceed its security
mitigation benefit. (the lack of marginal risk mitigation benefit
derives from the objectively low likelihood and potentially low impact
associated with the interception / redirection of any particular
message).

Clearly though email encryption is appropriate as there are few, if any,
alternate confidentiality controls.

On the other hand, there is nothing that obligates the CE to allow email
transmission of PHI; indeed many CE will claim to have had long-standing
policy precluding such use of email.  The fact that these policies were
often incompetent or not enforced is irrelevant; the HCO having such
policies (necessarily) claim that such policies do / did not negatively
impact patient care or healthcare operations .... so the unmitigated
risk of email interception / redirection (apparently) can be avoided
with such policies.  Similarly, some marquee CE, motivated by a concern
over a lack of what they considered good security, have similarly
adopted categorical 'no wireless' policies.

At some point (perhaps instigated by the plaintiff's bar) there simply
has to be consideration of the "avoid" risk option.  It does seem
incumbent on the CE who decides that 'appropriate' security is too
expensive (and thus unreasonable) to consider why it is that the CE is
not avoiding the risk entirely, by (perhaps) disallowing certain
practices, connections, technology, protocols, etc.  Although not
explicitly required by the Rule, where addressable features were not
implemented, it seems prudent to document why the risk that would have
been mitigated by those features could not somehow be avoided.

bill pankey

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org