Section §164.308 of the HIPAA Security Rule (45 CFR Part 164, issued under the Health Insurance Portability and Accountability Act) sets out the administrative safeguards, including the security management process and the assignment of overall responsibility for security policies to a named individual in the organization. This article focuses on the required administrative safeguards in subsections §164.308(a)(1) and (a)(2), which describe policies and responsibilities. Subsection (a)(2) is a simple requirement: the organization must identify an individual as the Security Official who is responsible for the development and implementation of the policies and procedures that bring the organization into compliance with the rule. The Security Official is also responsible for communicating these policies effectively to all workforce members. These policies must cover the workforce security and training requirements found elsewhere in §164.308, which will be covered in a later article. In order to be HIPAA compliant,[…]

The new HIPAA Omnibus Rule from the Department of Health and Human Services (HHS) amends the Code of Federal Regulations to implement the HITECH Act and other changes since then. This summary discusses the changes to the Breach Notification Rule; a separate summary will cover the changes to the Privacy Rule. The major change to the Breach Notification Rule is that an impermissible use or disclosure is now presumed to be a breach requiring notification unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the protected health information (PHI) has been compromised, or the incident falls under one of the three exceptions to the definition of “breach”. Previously, covered entities only had to notify affected individuals if a risk[…]

Two weeks ago, I finally got a chance to try out a Windows 8 system. First, I have to give huge kudos to Dell, who makes the XPS 12 system I’m playing with. This system seems to be the ideal platform for a Windows 8 user: a thin and light notebook with plenty of power, whose screen flips around to turn it into a touchscreen tablet. That said, during my initial setup of the system, alarm bells immediately rang in my head: “This system doesn’t comply with many password policies!” I found that as I joined my Windows 8 system to my company’s domain (which enforces a number of settings through group policy), some configurations were allowed[…]

“A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for the service provider, or by reason of the intermediate and transient storage of that material in the course of such transmitting, routing, or providing connections” – 17 USC § 512(a), from the Cornell University Law School

No business is an island. There is no company that does not, to some extent, rely on other businesses. Business models assume that vendors will be able to assure a steady flow of goods, that[…]

So, SOPA is the news of the day in terms of the Internet and security; it has been for well over a month now. In case you’re not familiar, SOPA is the Stop Online Piracy Act. It would “authorize the U.S. Department of Justice to seek court orders against websites outside U.S. jurisdiction accused of infringing on copyrights, or of enabling or facilitating copyright infringement.” I won’t bore you with the typical arguments about how it would infringe on free speech, weaken safe harbor, and so on. These arguments have been made, and they may have some validity, but let’s talk technology. SOPA is the most recent in a long line of legislation intended to regulate the Internet. Such legislation is doomed[…]

Sometimes it can be a daunting task to keep up with computer security best practices, especially when it comes to prevention. There is an almost unlimited number of things to take into account, not to mention significant decisions about which risks you need to address and which aren’t worth the effort. In addition, many different people have many different ideas about what’s important when it comes to baseline mitigation. This may explain why there are so many sources on the topic, often with different core focuses in mind. For example, Cisco’s Network Security Baseline is geared towards network device configuration, while the PCI DSS standard is focused on the technology surrounding credit and debit card data. The truth is that no one set of[…]