Comments for Law Blog 2.0

Comment on Evaluating Secutiy Incidents — Security Incident DOs and DON’Ts by Antivirus

Antivirus — Mon, 08 Mar 2010 18:03:38 +0000

I agree with Alex on this one. This is a mega guide that deserves to be disseminated. I will pass it along to some colleagues once I have sufficiently digested it for myself.

Comment on Evaluating Secutiy Incidents — Security Incident DOs and DON’Ts by Alex

Alex — Mon, 01 Mar 2010 20:26:43 +0000

Thanks for this very comprehensive guide. I am sure I will get plenty of use out of this as a reference tool. I do think it is a shame that even with top-shelf security software, we have to be weary of the endpoint users in regards to introducing security threats. Even the best software out there cannot protect an organization from irresponsible or careless users.

Comment on Updated — Summary of 50 State Security Breach Notification Laws by Bennie

Bennie — Fri, 26 Feb 2010 10:37:19 +0000

That was awesome! Probably one of the more interesting reads in awhile.

Tax Attorney Attorney Temecula

Comment on Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. by Robert Hudock

Robert Hudock — Thu, 04 Feb 2010 20:49:19 +0000

(This is a complex issue and very factually specific — you should consult an attorney on this issue) Some off the cuff thoughts and concerns, which should not be taken as legal advise: (1) the issue partly becomes an issue of whether there exists personal jurisdiction in the United States over the entity located in China, India, Mexico, etc. (2) There also may exist treaties that would potentially address this issue. (3) Ultimately you would likely see some sort of commitment between Covered Entities and BA’s, by contract, that the information would not be sent offshore without prior consent. (4) Generally, if a company is seeking to do business with US companies they would be submitting themselves to the jurisdiction of US courts and would likely have to comply with US law (but again you should consult a lawyer on this). (5) When a company is outside the united states I would generally want to seem some sort of ISO Security certification — again I think these issues would likely be addressed in the parties due diligence process. If your a BA or CE engaging a company outside the United States I would be very interested in making sure that the company will comply with these new requirements. Your comment raises some serious questions which really have not been addressed with clarity.

Comment on Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. by Rao

Rao — Thu, 04 Feb 2010 07:43:20 +0000

Very useful and informative posting. I understand that under HITECH act some BAs are coming under CEs. However, I am still not clear what type of BAs becoming CEs.

Let us take a scenario – A payer has a claim process outsourced to a BPO vendor/Claim exchange. This BPO vendor may in turn outsource the claim operation to offshore vendor or certain activities are performed by offshore team (location irrelevant – can be china, India or Mexico). In this scenario – BPO vendor is becoming a CE. But what about this vendors offshore partner?

Comment on Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. by Mike

Mike — Tue, 29 Dec 2009 06:47:52 +0000

You had really summarized much information on HIPAA privacy and security regulations. I also would like to add few Questions and answers specifically Discussing security terminology.

1 Define the term security.
Security is generally defined as having controls, countermeasures, and procedures in place to ensure the protection of information assets and control access to valued resources. Security is how an entity decides to protect its information assets.

2 What’s the goal of security?
Generally, the goal of security is to counter identified threats and to satisfy relevant security policies and assumptions.

3 Define authentication.
Authentication is the process of proving your identity. A system needs to authenticate users to a degree appropriate for the level of risk/threat that an authenticated user represents.

4 Define access control.
Access control is assuring that only authorized users access a system, and that all unauthorized users are rejected.

5 Describe data confidentiality.
Data confidentiality is assuring the privacy of data on the system, and network data confidentiality protects your data from passive threats.

6 Describe data integrity.
Data integrity is the assurance that data hasn’t been altered or destroyed in any unauthorized manner. Data integrity provides protection against active threats.

7 What’s the objective of security mechanisms?
Both types of security mechanisms (specific and pervasive) implement security services.

8 What are some factors guiding the philosophy behind HIPAA’s Security Rule?
The security standards are designed to be:
• Comprehensive—They cover all aspects of security safeguards.
• Technology neutral—Standards can be implemented using a broad range of off-the-shelf and user-developed technologies and security solutions.
• Scalable—The goals of the regulations can be achieved by entities of all sizes from single practitioners to large multinational health care organizations.

9 Describe the major category areas covered by the final Security Rule under
HIPAA that an organization needs to address for compliance.
The final Security Rule outlines the requirements in three major categories:
• Administrative safeguards
• Physical safeguards
• Technical safeguards

10 What are the central principles of security?
Confidentiality, integrity, and availability.

Mike
HIPAA Training

Comment on Key Issues in Privacy and Security for 2010 by David Dean

David Dean — Wed, 16 Dec 2009 13:15:06 +0000

I agree with Alex, many companies that manufacturer mobile technologies are including the option for encrypted hard drives as part of the build. The only additional purchase would be the software to layer on top of the HDD. Many healthcare organizations are already looking at this and the buzz is starting to take place. I would certainly encourage facilities looking to refresh their technology make this a requirement as part of their hardware selection.

Comment on Updated — Summary of 50 State Security Breach Notification Laws by Alex Zaltsman

Alex Zaltsman — Wed, 02 Dec 2009 05:20:33 +0000

Great posting. We’ve added it to our data encryption blog!

Comment on Updated — Summary of 50 State Security Breach Notification Laws by Resource for State Breach Notification Laws | Avoid Breach Notification - Experior helps with Encryption

Wed, 02 Dec 2009 04:41:50 +0000

[...] Law Blog 2.0 – Summary of 50 State Security Breach Notification Laws (scroll down to see the map) [...]

Comment on Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. by Business Associate and Covered Entity HIPAA Compliance — Auditing … « Internet Cafe Solution

Sun, 29 Nov 2009 13:36:35 +0000

[...] Originally posted here: Business Associate and Covered Entity HIPAA Compliance — Auditing … [...]