
Posts tagged - GLBA

Wednesday, August 17, 2011

Breach Notification in Healthcare and Beyond: Part 1

By: Jim Tiller, Global Security Practice Head, BT Global Services

In 2002, California enacted SB-1386 (introduced that February and effective July 1, 2003), a law requiring companies to disclose security breaches affecting the privacy of their customers. Although distantly similar conditions existed in EU privacy law and in GLBA in the US as far back as the late 1990s, few predicted that SB-1386 would become the catalyst for the massive wave of breach notification laws we see today.

The most noteworthy arrived within a month of President Obama taking office, when he signed the American Recovery and Reinvestment Act (ARRA) of 2009. Tucked beneath the mountain of legalese was Title XIII, Health Information Technology, more commonly known as the Health Information Technology for Economic and Clinical Health Act (HITECH), a relatively small section that has changed everything.

In short, HITECH is a breach notification law that has now been integrated into HIPAA. Among its many provisions, it forces the healthcare industry to reissue Business Associate Agreements (BAAs) with all their business partners and providers to specifically address breaches. By doing so, any organization that comes into contact with protected health information is made responsible, and liable, for it. It ultimately gives teeth to HIPAA.

Now the healthcare industry, which had just reached a point where HIPAA was fully integrated and manageable, is faced with a new challenge. It is no longer enough to protect data; the industry must now have assurance, solid event detection capabilities, well-defined incident response, and, of course, notification processes. Moreover, healthcare vendors, partners, and providers are now faced with meeting these expectations or risk losing their healthcare customers.

Breach notification has created an interesting dynamic and represents a shift in regulatory strategy: a redirection from protective and preventative measures to response measures. Essentially, regulators are setting the penalties and fines for a breach rather than prescribing the specific controls that would avoid such catastrophes. The government is simply saying, “Your controls are not as effective as we’d hoped or intended. Therefore, we are focusing on the fallout in the hope that this will encourage better controls.”

This change in strategy is resonating throughout the healthcare industry in a fascinating way. Prior to HITECH, organizations were given security control expectations to achieve compliance. Unfortunately, compliance does not always equal security, but given how the industry was regulated, compliance was of superior importance, and understandably so.

However, now armed with clarity on the fiscal impact of a breach, organizations are more interested in meaningful security controls than in simply what is expected of a compliance audit.

In my next post, I’ll discuss the best practices that healthcare organizations are putting in place to address the unique environment that they face.

Tuesday, July 20, 2010

CISOs to the Rescue!

By Jill Knesek, Chief Security Officer, BT Global Services

There aren’t many times I check in on the trade publications and see an article that really hits on the issues faced by the C-level audience in the security sector. Frankly, we’re an unusual bunch, with very specific interests, issues, and concerns. But recently I saw an article by Ernie Hayden at searchsecurity.com that got to the heart of some of the compliance issues that I know I face and I’m sure you grapple with, too.

Approaching compliance from the standpoint of managing processes, Hayden outlines five key propositions that can help guide decision-making and apply equally to PCI and to NERC. His top picks are:

  • Your fundamental obligation to the company is to protect data and prevent loss
  • You should know the ins and outs of the regulations your organization is held to
  • View training and awareness as key components of your compliance strategy
  • Understand the root cause of any issues related to compliance
  • The organization should be kept under constant pressure to be in compliance

Hayden’s entire article, “How to manage compliance as Chief Information Security Officer (CISO),” is available at searchsecurity.com.

And if you’re a C-level or senior security officer in the Chicago area and would like to continue this conversation over dinner, I’ll be hosting a BT Security Roundtable in Chicago on July 28. To learn more about the dinner, please contact our Chicago-area managed security solutions specialist, Kurt Luporini.