Secure Value by Organizing to Solve the Puzzle of Health Care Information Protection

Image via Wikipedia

I had the pleasure to speak on HITECH to a room full of non-profit professionals in conjunction with a  program hosted by the GroundWork Group at the United Way offices in Columbus, Ohio.  This is a summary of the presentation along with some useful links from the talk. 

With the February, 2009 passage of the American Recovery and Reinvestment Act of 2009, those businesses that provide health care services or provide products or services with those that do need to take note of the Health Information Technology for Economic and Clinical Health Act or the ‘‘HITECH Act’’.

Among other things, HITECH expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.  In expanding the reach it also puts regulatory teeth into a health care oriented compliance requirement that frankly many of my clients have chosen to ignore up until now.

1. Understand the law and your organization's responsibility to it.

Health and Human Services provides good information on Health Information Privacy for Covered Entities.  As you are reading through this site remember that HITECH in part expanded HIPAA to treat Business Associates as Covered Entities for information security and privacy.

Some of that understanding may have to come from a review of any Business Associate Agreements you have in force with partners, vendors or customers.

Other useful links within the HHS site include:

• Privacy Rules 
• Security Rules 
• Breach Notification Rules 

2.  Assign specific responsibilities to staff members.  HIPAA requires that you have a Compliance Officer, Security Officer and Contact Person to manage complaints and inquiries.  You can have one person manage all 3 roles.  The roles need to be formally assigned.

3.  Attack the HIPAA compliance problem as a business issue.  Organize a cross functional committee including the Compliance and Security Officer, a "C-level" executive, IT manager, HR manager and at least one representative of your service delivery units. We suggest that the committe should be a Information Security and Compliance Committe and focus on other compliance issues such as Ohio's Data Notification Law, PCI and the rest of the compliance alphabet soup you are responsible to meet.

4.  Inventory your information assets.  You have to know where your critical data is to be able to protect it!

5.  Conduct a risk assessment. 

6.  Formalize your policies.

7.  Train your workforce.  HIPAA requires that both incumbent and new hire staff are trained.  In the non-profit world make sure that that includes your volunteer work force.  HIPAA requires regular notifications.  You need to be able to show who had training when to an auditor, should an auditor show up.  As you plan for training that needs to be considered.  My company, Jacadis, has a web-based security awareness training platform that can meet this requirement.

There are MANY technical issues that need to be addressed for HIPAA.  Two that need immediate concerns relate to the breach notifications.  HHS has information about breach notifications.

As you are planning to meet the breach notification rules it might also be helpful to reference the work of the Ponemon Institute.  According to their site, “Ponemon Institute conducts independent research on privacy, data protection and information security policy.”  The numbers are constantly changing as they update their research.  We’ve used their findings that a breach costs a company $180 to $230 per record.

To manage the breach requirements you need to consider encryption.  Jacadis works with SOPHOS.  Regardless of which product you choose it should support one of the following encryption algorithms: DES, AES, RSA, Blowfish, Twofish.  We recommend whole disk encryption as an easier, more effective deployment choice.

To manage to the breach requirements you need to also have logging in place.  Again, Jacadis recommends Event Tracker. 

Finally, you need to be prepared for an audit.  Health and Human Services is very clear about the breadth and depth of what an audit will entail.  If you are technically focused you can't meet an audit request on your own, you need management support.  If you are management focused, you can't meet an audit request on your own, you need technical involvement.  See step two for how to organize yourselves to meet compliance and be prepared should you ever be audited.

Related articles by Zemanta

• ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect (healthcarebloglaw.blogspot.com)
• HIPAA Enforcement Meets HITECH: HIPAA Administrative Simplification: Enforcement Rule (healthcarebloglaw.blogspot.com)
• Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who's Ready? (healthblawg.typepad.com)
• Health Care Social Media Legal Issues and Strategy Webinar (healthblawg.typepad.com)
• HIPAA's broken promises (thehealthcareblog.com)
• HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear (healthblawg.typepad.com)

Secure Value by Providing Privacy for Your Customers

Use free DMA tool to build privacy policy -- and then follow it!

The Direct Marketing Association offers a free Privacy Policy Generator.  It is touted as a tool that "Webmasters and administrators can complete a questionnaire (basing their answers on their site information policies) and create a privacy policy statement to be posted on their own Web page."

I suggest you use it a little differently.

Don't simply rely on your webmaster or an administrator to fill the survey in.  Use it as a chance to discuss your online privacy practices.  Do you do what you say you will do?  Real trust can only be built by your being transparent about your practices.  If you are collecting information on customers but don't want to admit to it are you operating in a way that builds consumer trust?

If you are building a new web based business use the survey to guide a discussion with your developer.  Only collect information that you need to serve the customer best.  If you aren't going to use it, don't collect it!

If you have an existing web facility use the survey to guide a discussion of your current practices.  Are you collecting information that isn't used?  Why?  If you aren't using it but collecting it you are either exposing yourself if you aren't properly protecting it or spending money to protect something that you don't need in the first place!

Related articles by Zemanta

• AdSense Advertisers: Change Privacy Policies for GOOG's BA Push (marketingvox.com)
• Ad industry groups agree to privacy guidelines (news.cnet.com)

Secure Value by Keeping an Eye on RedFlags ... some small businesses may be exempt!

Image via Wikipedia

Trying to manage the incoming waves of regulations is bad enough ... but keeping track of what is on and what is not on anymore is a tough job when you really just want to run and grow your business!

Short one this week.  You want to keep an eye on this news.  According to an article in SCmagazine.com there is a bill working its way through Congress that may exempt some small business from the RedFlags rules.

Related articles by Zemanta

• U.S. House Says Most Dental Offices Are Exempt From Red-Flag Rules (implantblog.wordpress.com)

Do Business in Nevada? Secure Value by Complying with New Security Act

Image via Wikipedia

Does your company transmit, process or store payment card data about any individual who lives in the State of Nevada?

If so you need to be aware of the new Security of Personal Information Act passed into law in Nevada.  In a nutshell, data collectors or merchants who collect card data to do business will be required to be compliant with PCI DSS in order to legally conduct business in Nevada.

I'm not going to spend time writing something up if I find something insightful already available.  Read the write up on the Nevada Security of Personal Information Act at InfoSecCompliance.

Secure Value by Understanding Common Threats

Image by zenonline via Flickr

Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur

Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. The threat model is used to describe the characteristics of a given threat and the harm it could to do a vulnerable system. 

 If we do a project where we identify threats scenarios we’ll go into detail.  At a simple level we’ll identify the pieces of the threat scenarios including the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). 

We do not address the probability of these events occurring which in most cases is impossible to predict accurately.

Over your morning coffee run through these common scenarios and ask yourself if you how they would impact you:

 A trusted employee decides to:

 ·         Download unauthorized software from the Internet which contains a Trojan horse or other malicious software. 

·         Disable antivirus scanning prior to the download of an emailed MS Office document.

·         Transfer information from a third-party computer to their work computer bringing in a virus or other malicious software into the company. 

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

A disgruntled employee decides to retaliate against your company:

 ·         With knowledge of the backup tape courier routine the tape drop off is intercepted and the information contained on the tapes are used to attack your company’s reputation or are used for material gain.

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

 A former employee decides to retaliate against your company:

 ·         With a haphazard termination process the former employee uses his/her still active network access and credentials to damage or steal information from an outside location.

·         With a haphazard termination process the former employee gains access to a company facility and uses his/her still active network credentials to damage or steal information from an outside location.

An authorized visitor or an unauthorized visitor or intruder penetrates one of your company’s facilities and:

 ·         Unchallenged as they walk the floors of the facility they exploit targets of opportunity such as unlocked, unattended systems, backup tapes set unsecured waiting for courier pickup, etc.

 A third party caretaker of your company information has a security incident.  While that incident may not impact your company network, your company has no controls to prevent that incident from impacting your company at a business level.

Related articles by Zemanta

• Security Controls and Principles (deurainfosec.com)

Secure Value by Planning Ahead for Bad Things

Bad Things DO Happen ... Or We All Die Sometime ...

Securing your business value isn't just about keeping the hackers out.  It is also about managing other kinds of risks including the very real prospect, given that we all die sometime, that a senior resource might die.  Without thoughtful planning the business might die, too.  My business, Jacadis, recently committed to Sequent, a Professional Employers Organization (PEO), to help us manage our human resources risk.  Part of their services include succession planning.  What follows is an excellent write up by Pat Carpenter, CLU, CHFC of Sequent's Retirement & Benefits Group.

Do you expect your business to die when you do?

Do you expect your business to die when you do?  If your goal is for your business to thrive, how do you intend to harvest the investment you’ve made? If you want your business to provide a continuous income stream after you’re ready to move on, think out and plan the transfer of ownership. Whether the business is sold to a partner, a competitor, a group of employees or to family member(s), there are four elements necessary for a smooth transition. These four elements include:

• A business that has value independent of the founder
• A realistic market valuation of the business
• Willing buyers, and
• An agreement that compels the sale and the purchase at the agreed-upon amount

As your business has grown, you have developed products and services that your clients need. Vendors count on you for part of their business growth. Your management team helps determine, and employees execute, the business plan.  As the business’s life cycle matures, your role has evolved from technician to visionary.  Clients, vendors and employees have deepening relationships. You can move on now.

Setting a realistic market price for the business should be determined by a CPA certified in valuation. He or she will analyze the books, economic conditions, market segment and growth potential. There will be questions about anticipated revenue, and new niche markets. The CPA will select which valuation method is most appropriate for your business and set a purchase price and a formula for determining any future purchase fluctuations.

Evaluating a potential buyer is the next logical step in your succession plan. Often, key employees or family members will have already indicated interest in purchasing the business. Do they have all the skills, vision and drive necessary to be successful? To thrive in a competitive marketplace takes more than being a good technician. In addition to figuring out ‘How much?’ and ‘Who?, you might want to invest in training for any deficient skill areas.

The agreements that compel the sale usually take two forms.

The first option is an employment agreement that defines the conditions under which stock, or phantom stock, is transferred to the successor owners. This provides the current owner “golden handcuffs” and the key employees an incentive. Usually the transfer is contingent on reaching certain productivity goals.

The second option is the Buy-Sell document. This describes the transfer of stock upon the death, disability or retirement of the owner. It delivers assets to the owner’s family while removing them from the business. These documents should be prepared by attorneys who specialize in closely held corporations.

In addition, both agreements need to be funded in order to complete the final transfer. This is usually accomplished by purchasing life insurance and disability insurance on the owner, payable to the business or the successor owners. Insurance provides the funds to purchase the stock. In this way, non-participating family members are gracefully moved away from day-to-day operations and dividend expectations.

Good planning pays off for everyone:  your clients, your employees, your family, vendors and creditors. They all want to work with a company that will thrive, even through a key transition. With proper tax planning, the business will provide an annuity for the owner for the next five to ten years. Your investment in the succession planning process could pay dividends for years to come.

Patricia Carpenter, CLU, CHFC

Vice President, Business Development

Pat Carpenter has more than thirty years’ experience working for and with emerging businesses. A veteran of three start-ups, she has spent more than thirty years of her career working in the life and health insurance industries as a field underwriter, group representative, broker and consultant. Pat has worked closely with business owners to create custom-tailored succession plans and wealth accumulation programs. She has analyzed financial strategies, plan designs, and employee incentives. In addition, she has educated people from line workers to Board members about how to optimize their employee benefits. Pat has earned the Chartered Life Underwriter and Chartered Financial Consultant designations from the American College.

Related articles by Zemanta

• Why Entrepreneurs Sabotage the Succession Process (blogs.harvardbusiness.org)

Secure Value by using Strong Passwords

Image by Bohman via Flickr

Other more complex security and privacy protections don't work if you are not using passwords correctly ... they are your key to security!

I have read more than my fair share of "how to protect yourself in social media" type articles lately (see a good one with links to other good ones at http://www.nateriggs.com/2009/10/how-to-protect-yourself-from-the-social-web/ ) from none security professionals.  These posts discuss protecting your location, creating a family password (like the you say Thunder then I say Flash challenge response) and other very commonsensical kinds of actions to protect your online self.  Most of them forget the basic fundamental password.

So without any more preamble.  Use strong passwords.  They work.  And when you don't use them you can be attacked (See a story on Twitter's corporate accounts being hacked all becwith a loss of tremendous confidential data all because of poor password use).

Use passwords that are at least eight characters long and include a mix of at least 3 of the following character types:  uppercase letters, lowercase letters, numbers and special characters.  (WHY?: Following this practice means that guessing your password means working through more choices making guessing both practically and mathematically  more difficult.)

But doing that makes it harder to remember, too, right?  And most people don't use good strong passwords because they are hard to remember and so because of convenience (or laziness) prefer to type "1234" or "GOBUCKS!".  What to do?

Be thoughtful about how you use and mix these characters (##Pa$$W0rd!! is easier to remember than d$a#aabe and because it is longer mathematically harder to guess):

• Substitute numbers for letters and vice versa (0 instead of O, 4 instead of A, 1 instead of L, 3 instead of E, $ instead of S and so on).
• Substitute words for numbers (one for 1, two for 2, and son on).
• Use capitalization haphazardly (passWord is stronger than password or PASSWORD).
• Use special characters in front of (##password), to end (password$$) or to punctuate or separate words (password!! or pass#word).

Have some fun.  Use these combinations to create words of phrases that are easier to remember:

• ##LuckyDuck$!!
• $$Give8100dPlayRug8y

And then use your passwords like you do your house, car and office keys:

• Never communicate them over the phone, in an email or over IM (or twitter for that matter!).
• Log off (lock the door) when you are done with a site or stepping away from your computer.
• Change your password if you suspect suspicious behavior (it is good to be a little paranoid, no?).
• Do not allow your Internet browser to save your password (if you lose control of your laptop, netbook or PDA whoever gains controls has control of your entire digital world).
• Do not share your passwords with anyone.
• Don't use password hint functions (where you select a challenge like mother's maiden name and you provide an answer) or if you are forced to don't use real data (select mother's maiden name and you provide an unrelated answer like Guinness, but honestly you are liable to fake yourself out on that one so tread lightly).

If you still have trouble remembering you have 2 choices:

• Don't be shy about hitting the "forgot password" button. (It is more secure to have a password reset sent to your email address than it is to use a simple, easy to use password).
• Use a password manager like KeePass Password Safe which is a "free, open source, light-weight and easy-to-use password manager".

This sounds so simple.  Yet, it is such a serious topic.  It isn't the only line of defense, but it is an important one and because of human nature (entering passwords does feel like such a waste of our time) an underused line of defense. 

As an executive and online citizen, don't be a victim because you didn't want to invest a small amount of time to do something simple and highly effective.  As a business owner, make sure you have policies in place to expect the proper use of passwords by all of your employees across all of your systems and applications. 

Related articles by Zemanta

• Stolen Hotmail data reveals widespread use of weak passwords (infoworld.com)
• Gmail Blog - Choosing A Smart Password (lockergnome.com)
• More On the E-Mail Hijackings (pindebit.blogspot.com)
• The art of creating strong passwords (macworld.com)
• Hackers are Everywhere (myventurepad.com)

Secure Value by Planning Now for H1N1 to Hit Your Business

Image via Wikipedia

I have to confess I have had that same "it can't happen to me" attitude about the H1N1 pandemic.  I've scoffed at the sterilizers my wife Jodi put around the house, at being taught how to cough and at all of the concerns people have. 

But I've learned that if you think "It can't happen" it just might.

I've alluded to the fact that I coach football.  I run the defense for the Patriots, a team of 16 fantastic 9 and 10 year old boys, just learning the tackle game.  Tuesday night we were down to 9 kids.  About two weeks ago, one of our players was diagnosed with H1Ni and we lost his services for a game.  The abscenes steam rolled since then. Tuesday night we had 9 boys at practice with the other 6 at home sick.  Not all of them had H1N1, but the resulting impact got me to thinking.  What if 50% of our company was out sick or quaranteened because of fever?

Great question.  And this week we have begun to plan for it.  Over the next week or so our management team is going to ask soem questions:

• How bad could it get?
• Can we function in that environment?
• Can we service clients? Generate revenues? Shift risks?
• Depend on our critical service providers?
• Are there any effective prevention measures we can implement at a company level? Require of our employees?

As we go I'll through my thoughts and findings up here to help you along .. because as I have found out it can happen to anyone.

Some links of interest I've already discovered (and which I'll update as I find new ones):

• Flu.gov which has lots of information for businesses and indiviauals
• Center for Disease Control

Related articles by Zemanta

• How is the flu transmitted? (fitnesstipsforlife.com)
• Areas Hit Hard by Swine Flu in Spring See Little Now (nytimes.com)
• Swine Flu (H1N1): It's Popping up Everywhere (chilmarkresearch.com)
• A Look Inside the CDC's Battle Against the Swine Flu (abcnews.go.com)
• Your resource for tracking the swine flu (news.cnet.com)
• Small Businesses Prepare for a Hit from the H1N1 Flu (time.com)

Business working with health care records? -- Secure Value by complying with HIPAA Breach Notice

Effective September 23, 2009

Just in case you forgot to put this on your calendar OR because it slipped your attention as you were trying to run and grow your business.  By way of HIPAA Breach Notice 74 Fed. Reg. 42740: "Any privacy breaches or security issues that are exposed on or after September 23, 2009 must be recorded and individuals notified.  This rule applies to group health plans and many other HIPAA-covered entities, and will be strictly enforced by HHS"

If you work with health care records of any type or provide services to entities that do, you need to understand what this means for your business.

 

Related articles by Zemanta

• Five Steps to HITECH Preparedness (computerworld.com)
• New HealthCare Data Breach Program Begins September 23rd (ducknetweb.blogspot.com)

Secure Value with a Social Media Plan

Yesterday, I presented my first pass on Securing Social Media: Protecting Yourself, Your Company, Your Customer.  Over the next few days I'll be posting some lessons learned and other odds and ends from the presentation.

One of the points I made was that your company efforts with social media, to be successful and to be secure, need to be managed from a formal action plan.  The security part of that plan is going to include some thought on policy and the procedures and safegaurds needed to support the policy.  But the policy needs to be business driven which requies a social media action plan or a business plan for the use of social media in your company.

Four firms that I've had contact with who have taught me some valued lessons on the use of social media certainly can help you with that action plan.  I would recommend as you are thinking about how to innovate with social media to contact:

• Nate Riggs, huber+co interactive
• Billy Fischer, Oxiem Marketing Technology
• Brenda Stier-Anstine, Marketing Works
• Kate Brodock, OtherSide Group