November 19, 2010

You think the Feds would know better…

Filed under: Uncategorized — admin @ 1:46 PM

At least they caught the guy.

http://www.nbcnewyork.com/news/local-beat/Feds-Hacker-Exploits-Federal-Reserve-Bank-In-Cleveland-108985059.html

October 26, 2010

280,000 New Victims!

Filed under: Uncategorized — admin @ 5:15 AM

“Two health insurers said a flash drive containing the personal health information of hundreds of thousands of Pennsylvania Medicaid recipients has gone missing” – whoops!  When will they start paying attention to HIPAA Laws?  I keep seeing the same things over and over again.  Does nobody learn from the mistakes of others?

Link:

http://www.scmagazineus.com/penn-medicaid-recipients-information-on-missing-flash-drive/article/181490/?DCMP=EMC-SCUS_Newswire

See you soon,

Kurt Baumgarten, VP of Information Security

September 19, 2010

Interesting article

Filed under: Uncategorized — admin @ 10:58 AM

This article is about the doctor that went to jail for HIPAA violations.

http://www.compliancehelper.com/post/95319-you-can-go-to-jail-for

August 20, 2010

The Cost of Cyber Crime

Filed under: Uncategorized — admin @ 7:00 AM

I just ran across a study that has come out – enjoy:

http://go.techtarget.com/r/12243656/6276856/1


Thanks,

Kurt Baumgarten, CISA, CGEIT

VP of Information Security

July 29, 2010

Yet another HIPAA fine

Filed under: Uncategorized — admin @ 8:55 AM

I would have thought that Rite Aid would have learned a lesson from CVS – where CVS paid $2.25 million for doing pretty much the same thing about a year ago.  Article link below:

http://www.scmagazineus.com/rite-aid-to-pay-1-million-fine-for-hipaa-violation/article/175729/?DCMP=EMC-SCUS_Newswire

July 20, 2010

Hmmmmm …. check this out

Filed under: Uncategorized — admin @ 6:54 PM

Subject: [Dataloss] MA: Data Loss Affects Thousands Of Patients

http://www.thebostonchannel.com/mostpopular/24311150/detail.html

Data Loss Affects Thousands Of Patients
South Shore Hospital Incident Under Investigation
POSTED: 2:12 pm EDT July 19, 2010
UPDATED: 3:09 pm EDT July 19, 2010

BOSTON — Back-up computer files containing personal, health and financial
information of thousands affiliated with South Shore Hospital may have
been lost by a professional data management company.

The backup computer files could contain personally identifiable
information for about 800,000 people, including patients who received
medical services at South Shore Hospital as well as employees, physicians,
volunteers, donors, vendors and other business partners associated with
the hospital between Jan. 1, 1996, and Jan. 6, 2010.

The information on the backup computer files may include individuals' full
names, addresses, phone numbers, dates of birth, Social Security numbers,
driver's license numbers, medical record numbers, patient numbers, health
plan information, dates of service, protected health information including
diagnoses and treatments relating to certain hospital and home health care
visits, and other personal information. Bank account information and
credit card numbers for a very small subset of individuals also may have
been on the backup computer files.

WHOOPS!  – what  did I just say?

Kurt Baumgarten, VP of Information Security

Back to the Future – HIPAA and HITECH

Filed under: Uncategorized — admin @ 4:53 PM

It’s been a while since the last update – we have been very, very busy. To all of you that are following this blog … I am sorry for the delay in postings.  Anyway, what is new in the InfoSec space beyond the usual high-profile breaches and “what-not”?  Well, if you have not been paying attention to the news, you might have missed a few incidents where the new iteration of HIPAA regulations (via the HITECH Act) has brought down the heavy hand of the Department of Health and Human Services on a few companies that up until February 17th 2010 (the date that HITECH went into effect).  Of course there were a few instances where some companies were fined HUGE amounts for non-compliance under HIPAA … but now, there is a whole new level of compliance required for those that are considered “associated businesses” in the health care industry.  This means that if you have ANY part in rendering care for a person – and “any” means: you’re an IT vendor, you manage benefits or you do billing, etc. – that you are now required by the HITECH Act to comply with the full effect of HIPAA.  Before HITECH, you needed to only worry about breaches if there was a financial component to the data you accessed or held.  Now, you need to worry about the laws if you have access in any way to any pertinent information that has anything to do with any treatment of any manifest disease or condition.  To make matters more difficult, if you have access to genetic testing data – you will also need to comply with the Genetic Information Non-discrimination Act (GINA).  We at Peritus have been dealing quite a bit with GINA lately.

Anyway, I felt that I should post an update, as it has been a while, to let you know what we have been up to.  HIPAA, HITECH, 201CMR17, GLBA, SAS-70, and the other usual suspects are still our bread and butter, so to speak.  However, there seems to be a new trend in developing what would be considered “new” standards that impact very specific industries.  Is this a good thing?  Getting away from standardization?  I am still up in the air about that, waiting to see how things shake out … after all, the creation of new industry compliance standards will inherently be for the benefit of those that develop them.  I guess as long as the underlying “basis” of those new standards comes from a recognized framework, I don’t have much of an issue with it.

Also, please note that we have disabled “comments” in this blog due to the incredible amount of potential SPAM comments.  After sifting through the 20 to 30 bogus comments a day about handbags, T-shirts, and other “performance enhancing” drugs, I just decided to disable comments for a while.  If you want to leave some feedback, you can leave it via the contact info on the main part of the website.

One last thing, if you have not seen the recent article on social networking and how to control company leakage, it is located here: http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1510466_mem1,00.html

Yours truly is quoted in this article, as I think it is an important part of any business’s security plan given the proliferation of social networking sites and the threats that they pose (don’t get me started).

Thanks for reading – see you soon…

Kurt Baumgarten, VP of Information Security, Peritus Security Partners.

May 10, 2010

Kurt Baumgarten Quoted in Search CIO Magazine

Filed under: Uncategorized — admin @ 5:04 AM

Kurt Baumgarten was recently quoted in CIO about the use of social media in the work place and how to control the risks associated with that use.  The article can be found at the link below:

http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1510466,00.html

April 18, 2010

HIPAA2 / HITECH Act

Filed under: Uncategorized — admin @ 6:53 AM

Peritus is working on a new product for the creation and management of programs that need to comply with the new HIPAA regulations.  One of the main concerns is again vendor management – now referred to as “associated businesses” under the HITECH Act.  What you need to think about is what your vendors are doing with Private Healthcare Information (PHI) if they have any type of access to it as provided by you through the course of doing business.  Thus, the same requirements that apply to you will now apply to your vendors – and if they cannot or will not comply and prove the level of their care over the PHI, then you had better think about getting a new vendor.  Keep an eye out for our new product to help you manage these relationships – it should be available in a few weeks.

Kurt Baumgarten, VP of Information Security

March 20, 2010

Humor

Filed under: Uncategorized — admin @ 8:39 AM

Generally I will not post links from youtube on here – however, I thought that this ad from Symantec was pretty good at pointing out the prevalence of identity theft.  Enjoy.

http://www.youtube.com/watch?v=lMnfziDd9FQ
