
Comment: Re:Being non-profit does not justify being incompet (Score 1) 188

by sthomas (#42515075) Attached to: Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice

HIPAA *does* set in place specific specifications to comply. The beauty of HIPAA is that the Dept H&HS releases guidance to inform people how to comply on pretty much every aspect:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

When it comes to technology, they always refer to NIST standards as being tested and compliant. Read NIST special publication 800-111 and its references to the FIPS 140-2 standard at http://csrc.nist.gov/ (Publications / Special Publications on the top menu) and you'll see they have very thorough information on how to implement encryption correctly.

Comment: Re:Why Gen Z Needs To Change for Work (Score 2) 443

by sthomas (#36204664) Attached to: Why IT Needs To Change for Gen Z

You are correct that this type of request is common from executives, and that IT bends over backwards to attempt to accommodate it. As the Security Officer of my company, I have a Risk Acceptance form that needs to be signed for this type of situation. It requires a signature by an Officer of the company, and if the requester is an Officer, it requires the CEO's signature. As the Chief Executive, the CEO is authorized to sign his own requests. HOWEVER, all of these forms are provided to the Audit Committee of the Board of Directors during each quarterly meeting, so the CEO is very sure that they are "real" requests that he is willing to support and defend. As the Security Officer, I am required to send a Risk Report directly to the Board's audit committee, and if anyone tried to circumvent the risk process, that would be in this report.

I'm fortunate that I have the backing of our executive management for this, but I have worked very hard to develop my relationship with our senior management and board. It helps that our company handles data that is subject to both HIPAA and state privacy laws, and mine is very much a "I am here to keep us all out of hot water and off the front page of newspapers" type of role. And all of our managers are mature enough to know that they are responsible should an exception to the rules end up in a loss to the company, so they are very supportive and cooperative with the controls we've agreed upon as an organization.

The key is cooperation, rather than an us-versus-them mentality between IT, management, and the rest of the business units.

Comment: Re:If you are at work (Score 1) 377

by sthomas (#35292590) Attached to: WI Capitol Blocks Pro-Union Web Site

The Democrats have crudely blocked the legislative process. The protesters have crudely blocked the Capitol's facilities. Although I don't believe this was an intentional attempt by the Republicans to block access to information, if it was I wouldn't be all that upset given the actions by the opposition. I find it interesting how selective people can be when it comes to what's fair in a conflict.

Comment: IE 6 suspect? (Score 1) 398

by sthomas (#32711862) Attached to: Chase Bank May Drop Support of Chrome, Opera

"With usage of IE6 plummeting and concerns about its security well known, the inclusion of that browser seems suspect."

Well, gs.statcounter has IE6 listed 4th, and only beaten by newer versions of IE and one version of Firefox. My company (not Chase) tracks browsers by type/version, and more than 80% of clients identify themselves as IE6. It would be silly for us not to support IE6, just as I'm sure Chase is basing their decision on similar experience with client data. If alternative browser users want to tinker with their browser identity, they should make sure they're not identifying as IE6, or they're just contributing to the problem of IE6's continued support.

Comment: Re:I agree (Score 3, Insightful) 138

by sthomas (#30407140) Attached to: Judges Can't "Friend" Lawyers in Florida

I'm with you on it making sense. Also, if a lawyer feels really great about his chance of a victory and posts that he's about to win his case, the judge would see that update. Then if the judge rules in his favor it gives the appearance that the lawyer received foreknowledge of a ruling. If it doesn't go his way, the judge could be argued to have ruled the other way to avoid the appearance of impropriety.

It's easier to just separate them, because in every court case someone will be unhappy with the outcome and looking for something to blame it on.

Comment: Re:Well... (Score 1) 1006

by sthomas (#30090848) Attached to: Software Piracy At the Workplace?

Actual reasons absolutely do matter. Beyond discrimination, there are other limitations as well, which is why I said it depends on the jurisdictions. Look up "At-will employment" on Wikipedia for an overview, then check your local state's laws. 43 states plus D.C. have exceptions based on public policy, for instance. "At-will" gives flexibility, not total immunity.

Making a reasonable case that a termination had the appearance of retaliation, even if it did not, will usually send the business to the settlement table. Employment rights offices will often require that both sides attempt to address the complaint outside of court. And in this age of "evil company must be punished," no company wants the public to hear that they retaliated against a whistleblower who was trying to bring to light that the company was breaking laws. If the company is public or regulated, it's a nightmare of future auditing, possible sanctions, and opening the door to class-action lawsuits. And no company wants that kind of bad PR.

Comment: Re:Well... (Score 1) 1006

by sthomas (#30090204) Attached to: Software Piracy At the Workplace?

Even if they come up with another reason, it would look like retaliation and they would likely lose in a court case (depending on the state). Some states favor the business, some favor the individual. Also, if you're already on a performance plan or under other disciplinary action for some other causes, retaliation is harder to prove.

But if you're a "good employee" and you're holding evidence that you tried to warn them about licensing issues and they terminate you when auditors show up for licensing confirmation, retaliation is likely enough that a good employment attorney will win the case, and even more likely get the business to settle before it even goes to a case, even in an "at-will employment" state.

Comment: Re:It will apply to everyone (Score 1) 101

by sthomas (#29483687) Attached to: Using Encryption Garners Exemption For Data Breach Notification

The commercial whole-disk encryption software we use works at the BIOS-level, rather than from within the OS. You can't mount the disks on a Linux system. Your statement that commercial encryption programs are for peace of mind rather than protection is a false generalization. Well-designed, well-implemented, *and* well-managed (must be all three) systems can provide excellent real protection of data.

Comment: Re:Encryption methodology is defined (Score 4, Informative) 101

by sthomas (#29479447) Attached to: Using Encryption Garners Exemption For Data Breach Notification

There's an excellent overview by a law firm here:

http://www.faegre.com/showarticle.aspx?Show=8969

"Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed. Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information. Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required."

Comment: Encryption methodology is defined (Score 5, Informative) 101

by sthomas (#29479345) Attached to: Using Encryption Garners Exemption For Data Breach Notification

The method of encryption is defined in the law, adopts the standards set forth by the NIST, and there is a mechanism to update what is acceptable annually through published Guidances. This law is an improvement over what was previously in place. Read the HIPAA Security and Privacy rules as last updated in 2005, and then look at the major steps forward HITECH makes.

That future Guidances can update standards without having to send a law through Congress is also going to allow for future improvements in security, too. HITECH was part of the economic recovery act (ARRA), which shows how difficult it was for HIPAA to get updates - this had to be tacked onto an unrelated must-pass bill.

This article is from an encryption vendor who is stating that most encryption products are what he calls "point-to-point" encryption. I bet he considers his own product to not be, thus it is superior, and thus HIPAA should require all companies to buy his products.

For those of you who think "encryption" is left up to the governed:

The HHS Guidance identifies four situations where paper or electronic data may be vulnerable to a breach, and suggests appropriate safeguards to secure the PHI:

- "Data at Rest". This is data that resides in databases, file systems, and other structured storage methods. The HHS Guidance points to the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices as the approved methodology.
- "Data in Motion". This is data that is moving through a network, including wireless transmission. The HHS Guidance points to specific requirements in Federal Information Processing Standards (FIPS) 140-2 which include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
- "Data Disposed". This is discarded paper records or recycled electronic media. The electronic media must have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. For discarded paper records, PHI would need to be shredded or destroyed in a manner that precludes reconstruction.
- "Data in Use". This is data in the process of being created, retrieved, updated or deleted. The encryption and destruction processes described above, along with the general HIPAA safeguards, will apply to all data in use.