Thursday, October 09, 2008

Blue Suit, Red Cape and Red Boots

No doubt about it, things are getting tighter. Even with the volume off, the TV carries a streaming litany of financial woe in a never-ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you: your customers are letting you know, and so is your screaming bottom line.

At the same time, your work day and productivity are being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data to be as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and the American Way stuff. But how do you catch that speeding locomotive with all these chains around your ankles?

The first step is to develop the security mindset. Like so many other things, security is not a destination; it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder who someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.

Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and never written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go-to person for all basic security questions, and well briefed on possible vulnerabilities and on how an attempted exploitation might present itself.

New and even more stringent regulations are on the way. How you keep your clients' data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and by looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.


Thom said...

Good comments about HIPAA. A lot of people aren't familiar with such regulations or don't care. But what about FACTA, have you thought about writing on it? I have found another short article talking about FACTA, HIPAA, and GLBA laws that certain businesses have to adhere to.

Deputy Sheriff said...

I have a real case and would like your opinion on it. I am a physician who recently resigned from my university hospital. I went in tonight to complete some charts and logged onto a computer terminal in the hospital. I clicked on a portal which I thought would bring me to my electronic charts but instead found myself staring at a highlighted list of five patients' names. My own was right in the center of the list. A "colleague" who takes an unhealthy interest in others had been on call in the hospital from 7 am until shortly before I chanced to arrive at the same computer terminal. We are both in the same subspecialty and share an office opposite the ward where the computers are located. He left at 6 pm and I arrived at 7:30 pm to finish my charts. It was clear that he had been examining my personal medical records and either didn't care to or didn't know how to log out.

Such conduct is clearly criminal under HIPAA and he is a "covered individual". My data is still on every computer terminal on that particular unit. Whom should I contact?

HIPAA itself only allows for mailed or electronically submitted complaints. Although by my reading of the criminal code his actions are felonies, and it is the Justice Department's responsibility to carry out all criminal, as opposed to civil, prosecutions, there is no way to contact them directly that I am aware of. The evidence will be gone eventually but is recoverable now. It should also be recoverable later because the offending physician's logon will be recorded by the system. What should my next step be?

Amarjeet Prasad said...

I admire the valuable information you offer in your articles. I will bookmark your blog and have my children check up here often. I am quite sure they will learn lots more new stuff here than anywhere else!

HIPAA Training
HIPAA Certification