I went to a casino recently with some friends, and watched play at the roulette table for a while. It was really interesting to see the mindsets of the different people playing. Some were consistent with their play, playing corner bets, where you place your bet on a corner between four numbers. Some others were betting small amounts on individual numbers which held importance to them. Others bet the “safer” bets of red/black, even/odd, or high/low. What interested me were the people who were wildly inconsistent with their bets. They’d increase their bets after losing a few times in a row, because they must be “due”. The bettors reasoned with themselves that since their number hadn’t come up yet, it[…]

“What can it hurt for us to perform our own security self-assessment?” is a question that many organizations ask themselves. After all, they have competent IT staff, and the staff must know something about information security to keep things running. So, why doesn’t it make sense to do your own self-assessment?

Familiarity

The first reason to seek an outsider to do a security assessment is that they lack familiarity with your organization. Just as you gloss over misspellings and mistakes in your own writing, you can gloss over assessment topics because you believe that you’re familiar with them. Sometimes an outside assessment reveals that the folks in that department are doing things differently than you expect. An unbiased third party can help[…]

The Dreaded Call

Daniel Seward awoke to his cell phone vibrating on his nightstand. Groggily he rolled over and looked at the phone. It was just after 5am and he didn’t recognize the 800 number, but angrily answered it, ready to give the telemarketer a piece of his mind.

“Do you realize what time it is?”

“Mr. Seward, this is Ross Spears with the fraud prevention unit of Haneysville National Bank. We have detected activity within your account that we suspect may be fraudulent. Did you attempt a wire transfer of $73,500 to an account at 6:15am on Tuesday?”

Immediately, Daniel sat up in bed, his heart racing. “No, I did not. Who was the wire made to?”

“We cannot[…]

One of the things that caught my eye in PwC’s most recent report, The Global State of Information Security® Survey 2014, was the bits and pieces of information shared about the importance of evaluating the security of third parties. As data proliferates and is shared among more partners, suppliers, contractors, and customers, it is increasingly critical that businesses understand the risks associated with sharing data with third parties. What’s more, organizations should ensure that third parties meet or beat their requirements for data security. This is a refrain I have been using for years, having even presented about it at the 2009 Drug Information Association Annual Meeting in San Diego, as well as the 2010 Pharma Outsourcing Congress in Munich. Unfortunately, the[…]

Should Reasonably Have Known

The HIPAA Breach Notification Rule has an interesting turn of phrase: “should reasonably have known”. A company is liable if it reasonably should have known about a breach. So what is reasonable? The latest 2013 rulemaking gives some guidance on that: §164.404(a)(2) expands that to reasonably should have known by exercising reasonable diligence. It then goes on to define reasonable diligence as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”. It further adds that as soon as a workforce member or other agent has knowledge, or should have had knowledge, of the breach, the clock on notification starts. So, you’ve got some relatively vague definitions of what’s reasonable, and as soon as someone[…]

This article describes the HIPAA contingency planning and security incident response requirements. The relevant subsections of the HIPAA law are §164.308(a)(6) and §164.308(a)(7). HIPAA contingency planning is a term used broadly to cover security incident response procedures and contingency planning for emergency situations that may compromise protected health information. HIPAA contingency planning is one of the administrative safeguards that a covered entity must employ. The audit requirements for HIPAA contingency planning are covered in a separate post.

HIPAA Security Incident Procedures

“Implement policies and procedures to address security incidents.” [§164.308(a)(6)]

A covered entity is required to be able to identify, mitigate and respond to security incidents in a timely and reasonable fashion. The procedure for responding to security incidents should be[…]