Security Incidents can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence, each incident requires a careful response at a level commensurate with its potential impact to the security of individuals and your organization as a whole however few organizations have an appropriate security incident policy. The fundamental components of a security incident response plan include the following — [...]
|
|||||
|
By Robert Hudock, on September 8th, 2009
 Print This PostSeptember 8th, 2009 | Tags: malicious hackers, malware, NIST, policy, Privacy, security, security incident | Category: Computer Security Law -- Federal, Data Hemorrages, FTC Security Breach Notification, Forensic Tools, HIPAA Privacy, HIPAA Security, Identity Theft, Law and Technology, Media Sanitization, NIST, Peer-2-Peer File Sharing, Privacy, State Privacy and Computer Security Laws, State Security Breach Laws |
2 comments
Print This PostBy Robert Hudock, on August 21st, 2009
Print This PostRegulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when personal health information is breached were issued August 19th, 2009, by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 [...] August 21st, 2009 | Tags: Data at Rest, Data Disposed, Data in Motion, Data in Use, Destruction, Encryption, FTC, Health Breach Notification Rule - FTC, HHS, HIPAA, OCR, paper, redaction, Report, security breach | Category: American Recovery and Reinvestment Act, Computer Security Law -- Federal, Encryption, FIPS 140-2, FTC Security Breach Notification, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Media Sanitization, NIST, Office of Civil Rights, unsecured protected health information |
Leave a comment
Print This PostImprove the web with Nofollow Reciprocity. |
|||||
|
Copyright © 2010 Law Blog 2.0 - Robert Hudock, Esq., CISSP - All Rights Reserved - This Blog is a personal blog of Robert Hudock. |
|||||
Business Associate and Covered Entity HIPAA Compliance -- Auditing Questions and NIST 800-53 Security Controls.
This article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]