Every month, SecureState CEO Ken Stasiak addresses the hottest topics in information security, providing his unique spin on all the issues.
Interpreting development specs is challenging enough, but writing code without analyzing the regulatory business ramifications rarely ends well. Typically the process assumes your business leaders and partners understand the regulatory environment and its impact on application functionality, and that they can successfully articulate the requirements to the development team. But the message is often muddled because of a lack of understanding. So put on your red cape (blue tights optional) and read some compliance strategies to take your career to the next level.
As medical science advances, so too does the equipment used to deliver care. In a modern-day hospital, more and more medical devices, such as IV pumps, ventilators, MRI, CAT scan and X-ray machines, are attached to hospital networks. Putting medical devices on the network provides a large number of benefits, such as supporting telemedicine and the easy transfer of test results to electronic medical records (EMR) systems. However, putting these devices on a network also introduces a number of risks.
Credit card data is a crown jewel for cybercriminals. While organizations may have a legitimate business need to store cardholder data (CHD) as part of their business process, storing that data on your systems makes your organization a target. The PCI DSS allows for the storing of CHD, provided that a business justification is well documented and adequate security controls are in place. If you are a company or line-of-business manager who feels you need to store CHD, consider the list of bad reasons detailed below and possibly revisit your business model to limit storing CHD, or better yet, stop collecting it!
Healthcare workers and medical professionals are acutely aware of their obligation to keep protected health information (PHI) confidential, thanks to the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996. The media reports, almost daily, on stories of PHI left unprotected, resulting in fines and settlements. Because of this, many businesses are focused on protecting PHI data, which is good, but patient financial data, such as credit card information, often ends up becoming less of a priority.
HIPAA (1996) and HITECH/ARRA (2009) were further refined by the release of the HIPAA Omnibus Rule (1/25/2013). These regulations, coupled with increased regulatory scrutiny, can make compliance difficult and expensive. HHS estimated it will cost companies up to $255.4 million to comply with the Omnibus Rule (the Rule)! What will a quarter of a billion dollars buy? Let's invest a few minutes to analyze the impact on covered entities (e.g., hospitals, doctors, insurers), their service providers (i.e., business associates or BAs), and consumers of healthcare services (i.e., you and me).
As directed by the February Executive Order from President Obama, the Federal Government issued a Request for Information (RFI) to receive feedback regarding the National Institute of Standards and Technology's (NIST) plans to develop a Cybersecurity Framework for Critical Infrastructure. The purpose of the RFI was to gather input from owners and operators of critical infrastructure on which best practices and standards should be included in the future framework. But it's about time the security industry stopped looking to new standards to solve the problem and learned how to adopt and implement what it already has! The problem does not lie in the standards themselves, but in the marketing and execution behind the standards needed to get business executives involved.
Imagine this: you go to your mailbox and pull out the assorted letters and circulars. One of the letters is from your doctor’s office, informing you that the office was broken into and an unsecured laptop was stolen; it contained data on some of the patients and your data may have been on the laptop.
The reality is that those letters are appearing in mailboxes nationwide.