Data Breach Response Investigations – The Process That Works

10/19/2011

In my experience as a forensic and cyber-security practitioner, I am often engaged to advise clients on a wide range of issues when they are faced with a possible data breach: validation that a breach occurred, confirmation of the affected population, determination of whether records were accessed or acquired, and assistance with remediating the vulnerability that may have led to the breach in the first place.

Don’t Forget About Physical Security

10/05/2011

As IT security professionals we often focus on network security, workstation hardening, and other preventative measures to keep unwanted intruders at bay. We sometimes forget that the computers we are trying to protect can be compromised by simple physical access. A couple of recent cases bring this to light:

  1. A large educational organization that has many public computers recently discovered that many of its computers had been compromised. The intruder used these compromised computers to penetrate deeper into their network.
  2. An executive at a large company discovered a keylogger plugged into the back of his computer.

Make Due Diligence More than a Good Faith Exercise

5/18/2011

Performing information security due diligence with third-party vendors is a vital component of ensuring that the information your company shares is kept secure. Unfortunately, due diligence efforts at times amount to little more than a good-faith exercise, meant to limit legal liabilities in the event that data is lost.

Certainly limiting liability is an important objective, but by itself it does little to truly lower the risk of loss. Once a potential third-party vendor has cleared the initial due diligence hurdle and is awarded the bid, expectations must be clearly defined and followed with action. Here are a few more items organizations should consider during this process:

A Dialogue on Personal Health Records

11/05/2010

The Office of the National Coordinator for Health Information Technology (ONC) is seeking public comment regarding personal health records, now through December 10. Comments can be submitted through the website, on the following topics:

  • Privacy and security and emerging technologies
  • Consumer expectations about collection and use of health information
  • Privacy and security requirements for non-covered entities
  • Any other comments on personal health records (PHRs) and non-covered entities

The ONC is also hosting a day-long public roundtable discussion, Personal Health Records – Understanding the Evolving Landscape. According to the website, the purpose is to “inform ONC’s congressionally mandated report on privacy and security requirements for non-covered entities (non-CEs), with a focus on personal health records (PHRs) and related service providers.”

Meaningful Use, Privacy and Security in EHR Systems: What Does the Future Hold?

7/07/2010

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.