It was recently announced that Electronic Health Records (EHR) are in use in all military hospitals. Granted the article is mostly marketing screed for one company, but it still represents a big step. Outside of the Department of Defense (DoD), this probably doesn’t seem like a very big deal. Inside the DoD, it’s HUGE. This is the culmination of years of work and millions, possibly billions, of dollars spent. It’s an important step in improving the health care for Wounded Warriors. It also sets the stage for wider adoption of EHR in the private sector. But there are reasons to be concerned about this, of course. There are few, if any, pieces of information more intrinsically private and personal than[…]

A couple weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities. Seemingly in direct response to this outburst, NIST has now released an update to their continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient. One of the[…]

Today, in advance of the 2010 RSA Conference, I had the benefit of attending the 10th CSO Council Bay Area Round Table: The Last Mile: The End of Paper. It has been an interesting exercise with a mock trial (moderated by two Judges) involving three wills signed with three different technologies: ink signature, closed system electronic signature, and digital signature. You would think this would be an easily decided scenario; the digital signature is a superior and more trustworthy technology, right?  Well, not when you change the rules a bit. Basically they made the strength of process the inverse of the strength of the technology.  Here are the key points from today’s trial, and I’d like your suggestions on which[…]

SearchCompliance.com has posted an article detailing important regulatory compliance trends that will affect IT in 2010. The trends that were listed include: Automation of compliance processes More regulation en route FISMA compliance reform More enforcement for noncompliance Federal data breach and privacy laws emerge Cloud computing complicates compliance SOX compliance for small companies Migration to risk management I was quoted in a couple parts of the article with my visions of the future related to FISMA and risk management. It’s worth a read and a comment if you think they missed anything, or if my predictions are way off!