By Robert Hudock, on September 22nd, 2009
Print This PostI am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates. Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2. In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive informatioin, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...]
Fear Mongering or Legitimate Criticism --
I am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates. Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2. In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive informatioin, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...]