Peritus Security

You think the Feds would know better…

admin — Fri, 19 Nov 2010 20:46:25 +0000

At least they caught the guy.

http://www.nbcnewyork.com/news/local-beat/Feds-Hacker-Exploits-Federal-Reserve-Bank-In-Cleveland-108985059.html

280,000 New Victims!

admin — Tue, 26 Oct 2010 12:15:49 +0000

“Two health insurers said a flash drive containing the personal health information of hundreds of thousands of Pennsylvania Medicaid recipients has gone missing” – whoops! When will they start paying attention to HIPAA Laws? I keep seeing the same things over and over again. Does nobody learn from the mistakes of others?

Link:

http://www.scmagazineus.com/penn-medicaid-recipients-information-on-missing-flash-drive/article/181490/?DCMP=EMC-SCUS_Newswire

See you soon,

Kurt Baumgarten, VP of Information Security

Interesting article

admin — Sun, 19 Sep 2010 17:58:25 +0000

This article is about the doctor that went to jail for HIPAA violations.

http://www.compliancehelper.com/post/95319-you-can-go-to-jail-for

The Cost of Cyber Crime

admin — Fri, 20 Aug 2010 14:00:55 +0000

I just ran across a study that has come out – enjoy:

http://go.techtarget.com/r/12243656/6276856/1

Thanks,

Kurt Baumgarten, CISA, CGEIT

VP of Information Security

Yet another HIPAA fine

admin — Thu, 29 Jul 2010 15:55:48 +0000

I would have thought that Rite Aid would have learned a lesson from CVS – where CVS paid $2.25 million for doing pretty much the same thing about a year ago. Article link below:

http://www.scmagazineus.com/rite-aid-to-pay-1-million-fine-for-hipaa-violation/article/175729/?DCMP=EMC-SCUS_Newswire

Hmmmmm …. check this out

admin — Wed, 21 Jul 2010 01:54:12 +0000

Subject: [Dataloss] MA: Data Loss Affects Thousands Of Patients

http://www.thebostonchannel.com/mostpopular/24311150/detail.html

Data Loss Affects Thousands Of Patients
South Shore Hospital Incident Under Investigation
POSTED: 2:12 pm EDT July 19, 2010
UPDATED: 3:09 pm EDT July 19, 2010

BOSTON — Back-up computer files containing personal, health and financial
information of thousands affiliated with South Shore Hospital may have
been lost by a professional data management company.

The backup computer files could contain personally identifiable
information for about 800,000 people, including patients who received
medical services at South Shore Hospital as well as employees, physicians,
volunteers, donors, vendors and other business partners associated with
the hospital between Jan. 1, 1996, and Jan. 6, 2010.

The information on the backup computer files may include individuals. full
names, addresses, phone numbers, dates of birth, Social Security numbers,
driver.s license numbers, medical record numbers, patient numbers, health
plan information, dates of service, protected health information including
diagnoses and treatments relating to certain hospital and home health care
visits, and other personal information. Bank account information and
credit card numbers for a very small subset of individuals also may have
been on the backup computer files.

WHOOPS! – what did I just say?

Kurt Baumgarten, VP of Information Security

Back to the Future – HIPAA and HITECH

admin — Tue, 20 Jul 2010 23:53:56 +0000

It’s been a while since the last update – we have been very very busy. To all of you that are following this blog … I am sorry for the delay of postings. Anyway, what is new in the InfoSec space beyond the usual high profile breaches and “what-not”? Well, if you have not been paying attention to the news, you might have missed a few incidents where the new iteration of HIPAA regulations (via the HITECH Act) have brought down the heavy hand of the Department of Health and Human Services on a few companies that up until February 17^th 2010 (the date that HITECH went into effect). Of course there were a few instances where some companies were fined HUGE amounts for non-compliance under HIPAA … but now, there is a whole new level of compliance required for those that are considered as “associated businesses” in the health care industry. This means that if you have ANY part in the rendering care for a person – and “any” means: you’re and IT vendor, you manage benefits or you do billing, etc. – that you are now required by the HITECH Act to comply with the full effect of HIPAA. Before HITECH, you needed to only worry about breaches if there was a financial component to the data you accessed or held. Now, you need to worry about the laws if you have access in any way to any pertinent information that has anything to do with any treatment of any manifest disease or condition. To make matters more difficult, if you have access to genetic testing data – you will also need to comply with the Genetic Information Non-discrimination Act (GINA). We at Peritus have been dealing quite a bit with GINA lately.

Anyway, I felt that I should post an update as it has been a while to let you know what we have been up to. HIPAA, HITECH, 201CMR17, GLBA, SAS-70, and the other usual suspects are still our bread and butter so to speak. However, there seems to be an new trend in developing what would be considered “new” standards that impact very specific industries. Is this a good thing? Getting away from standardization? I am still up in the air about that waiting to see how things shake out … after all, the creation of new industry compliance standards will inherently be for the benefit of those that develop them. I guess as long as the underlying “basis” of those new standards comes from a recognized framework, I don’t have much an issue with it.

Also, please note that we have disabled “comments” in this blog due to the incredible amount of potential SPAM comments. After sifting through the 20 to 30 bogus comments a day about handbags, T-shirts, and other “performance enhancing” drugs, I just decided to disable comments for a while. If you want to leave some feedback, you can leave it via the contact info on the main part of the website.

One last thing, if you have not seen the recent article on social networking and how to control company leakage, it is located here: http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1510466_mem1,00.html

Yours truly is quoted in this article as I think it is an important part of any businesses security plan given the proliferation of social networking sites and the threats that they pose (don’t get me started).

Thanks for reading – see you soon…

Kurt Baumgarten, VP of Information Security, Peritus Security Partners.

Kurt Baumgarten Quoted in Search CIO Magazine

admin — Mon, 10 May 2010 12:04:31 +0000

Kurt Baumgarten was recently quoted in CIO about the use of social media in the work place and how to control the risks associated with that use. The article can be found at the link below:

http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1510466,00.html

HIPAA2 / HITECH Act

admin — Sun, 18 Apr 2010 13:53:37 +0000

Peritus is working on a new product for the creation and managment of programs that need to comply with the new HIPAA regulations. One of the main concerns is again vendor management – now referrred to as “associated businesses” under the HITECH Act. What you need to think about is what your vendors are doing with Private Healthcare Information (PHI) if they have any type of access to it as provided by you through the course of doing business. Thus, the same requirments that apply to you will now apply to your vendors – and if they cannot or will not comply and prove the level of their care over the PHI, then you had better think about getting a new vendor. Keep an eye out for our new product to help you manage these realtionships – it should be available in a few weeks.

Kurt Baumgarten, VP of Information Security

Humor

admin — Sat, 20 Mar 2010 15:39:57 +0000

Generally I will not post links from youtube on here – however, I thought that this ad from Symantec was pretty good at pointing out the prevalence of identity theft. Enjoy.

http://www.youtube.com/watch?v=lMnfziDd9FQ