https://apgarandassoc.com Privacy, information security, HIPAA, HITECH and regulatory compliance Tue, 23 Apr 2019 15:32:34 +0000 en-US hourly 1 https://wordpress.org/?v=5.1.1 https://apgarandassoc.com/wp-content/uploads/2018/01/cropped-Apgar-Associates-Icon-32x32.png https://apgarandassoc.com 32 32 Should you trust Alexa with your health information? https://apgarandassoc.com/should-you-trust-alexa-with-your-health-information/ Tue, 23 Apr 2019 15:32:34 +0000 https://apgarandassoc.com/?p=2356 By now you’ve likely heard that Amazon is moving into the HIPAA space with Alexa.  In conjunction with their partners, they’re launching what Amazon calls “HIPAA compliant” apps.  If only it were that easy to create a HIPAA covered app, or as Amazon calls it, skill.  As with Amazon Web Services (AWS) it’s ultimately up […]

The post Should you trust Alexa with your health information? appeared first on .

]]>
By now you’ve likely heard that Amazon is moving into the HIPAA space with Alexa.  In conjunction with their partners, they’re launching what Amazon calls “HIPAA compliant” apps.  If only it were that easy to create a HIPAA covered app, or as Amazon calls it, skill.  As with Amazon Web Services (AWS) it’s ultimately up to the individual developers to honor the law.  While Amazon may well be a trusted third party, if developers don’t build apps or “skills” with privacy, security and HIPAA compliance in mind, I wouldn’t trust Alexa with any of my healthcare data.

Having worked with a number of software development companies in the healthcare space, I can tell you that more often than not developers want to create cool and useful things. The problem with that is cool and useful don’t always automatically align with security and privacy needs. In fact, in the development process you won’t often find security and privacy at the top of the priority list.

Time, Trust & Alexa Users

Trust but verify, folks. If I were the covered entity or business associate planning to eventually trust the Amazon platform to adequately secure protected health information, I would want assurances and proof that the developers of any app/skill have privacy and security baked in.

Granted, Amazon has indicated that trust takes time to build. That it will be a while before patients widely trust Alexa with sensitive health information.  Ok, let’s say we’re down the road a way.  Trust has been earned.  Now we face another potential issue that has nothing to do with the platform or any of its available apps/skills.  The concern lies with the end users.  End users are not always savvy when it comes to protecting sensitive personal information. I think this is where there’s a definite need for some education on the part of partners, Amazon and healthcare providers.

Right now, when Alexa is on, it listens to all voices in the room, all the time. How awful would it be if an end user thought he or she was taking advantage of touted HIPAA compliant solutions but instead was airing sensitive information using another Alexa app?  Hopefully Alexa will also be smart enough to not broadcast protected health information like “You need to follow up with your [insert-private-condition-here] specialist” to the whole house.

Alexa (Amazon), are you listening?

The post Should you trust Alexa with your health information? appeared first on .

]]>
Who needs to comply with the CCPA? Hint: Not only California. https://apgarandassoc.com/who-needs-to-comply-with-the-ccpa-hint-not-only-california/ Wed, 27 Mar 2019 10:18:05 +0000 https://apgarandassoc.com/?p=2327 The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off to ask yourself what the chances that you’re not subject to the CCPA. US-based or global, you […]

The post Who needs to comply with the CCPA? Hint: Not only California. appeared first on .

]]>
The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off to ask yourself what the chances that you’re not subject to the CCPA. US-based or global, you have to consider the factors involved, all of which are more likely to make you subject to, rather than exempt from, the CCPA.

If you answer yes to any of these 3 questions, you’re probably subject to the CCPA – and its requirements for personal information protection.

  1. Does your business’s worldwide annual gross revenues meet or exceed $25 million?
  2. Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
  3. Does half or more of your annual revenue come from selling the personal information of California residents?

Before you gleefully answer “No” to all three, here’s the catch. You need to understand the definitions applied to the qualifiers in the questions.

Start with the definition of personal information – guaranteed to blow your mind. If we include the full definition here, you’ll throw your hands up in disgust and not read any further. Essentially, it’s “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or device.” That’s extremely broad.

Let’s move on to “touching” personal information. An Internet Protocol, or IP address, can be considered personally identifiable information – yes, you read that correctly. That means a visit to your company website where IP information is automatically collected (think about your handy dandy Google Analytics always running in the background). You’ve just touched personally identifiable information.

To get even more granular: Do you know which of your website visitors are considered California residents?

I know 50,000 annually sounds like a lot of website visitors. Especially if you don’t consider yourself to be enterprise-level. But it breaks down to only 137 visitors from California per day. Now wrap in the personal information definition. It includes households and devices. It’s pretty hard to have a website as a company of any size and not have that number of touches per year.

Then there’s “selling” the personal information. Many wouldn’t consider the everyday interactions with client and consumer data as selling. However, the definition of “selling” in the CCPA stretches all understanding. It can mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

How does a business comply with the CCPA? The very thought of what it will take overwhelms. As both a certified information privacy manager and professional who regularly attends regulatory seminars, I can tell you that every CCPA-related event is thick with corporate legal counsel – a fair number from those great big companies that we all know. We’re all impatient to understand how compliance can happen. Stay tuned as I share more insights and commentary on the CCPA in the weeks to come. Topics include: the “HIPAA Exemption”, the various interpretations of “selling” personal information, the “opt out” option, and more.

Julia Huddleston is a Certified Privacy Manager and a Certified Privacy Professional through the IAPP (International Association of Privacy Professionals). She’s deeply involved in privacy compliance activities with clients and how policies and procedures are implemented to protect data privacy. You can reach her at Apgar & Associates: 503-384-2538.

Resource(s): IAPP CCPA Comprehensive Seminar 2019

The post Who needs to comply with the CCPA? Hint: Not only California. appeared first on .

]]>
Consumers in the Regulatory Driver’s Seat: Protecting Personal Data Privacy https://apgarandassoc.com/consumers-in-the-regulatory-drivers-seat-protecting-personal-data-privacy/ Tue, 12 Mar 2019 15:24:58 +0000 https://apgarandassoc.com/?p=2308 Consumers on the warpath to protect personal data privacy are making strides in state houses. For instance, here’s an update on Oregon’s Senate Bill 703 re selling health information. If you use Big Data at all, you’ve probably been following this Bill. It’s basically saying that anyone selling personal health information, although thoroughly de-identified, would […]

The post Consumers in the Regulatory Driver’s Seat: Protecting Personal Data Privacy appeared first on .

]]>
Consumers on the warpath to protect personal data privacy are making strides in state houses. For instance, here’s an update on Oregon’s Senate Bill 703 re selling health information. If you use Big Data at all, you’ve probably been following this Bill. It’s basically saying that anyone selling personal health information, although thoroughly de-identified, would need to pay the source for the privilege, i.e., you and me. As you may imagine, research groups and analysts who may touch any Oregonian’s de-identified PHI, not to mention privacy officers at the source of de-identified data, are watching this closely.

You can likely thank Facebook backlash for this Bill. Taking personal data and sharing it without user knowledge has caused huge problems for the social media giant. Now we’re hearing that they’re going to reel it all in, but how do you get the genie back in the bottle?  The trust is gone, and SB 703 is just one instance of how outraged consumers are at how data is being used.

From a compliance perspective, the information, aka personal data, is already de-identified PHI, so that’s not the basis for the Bill. It’s a clear call for personal data privacy protection beyond the pale of what we’ve seen up to now. You can also look at the yet-to-go-live California Consumer Privacy Act as another example of privacy protection taken to the Nth degree.

This isn’t to say that personal data privacy isn’t important because it absolutely is, it’s merely to point out that the logistical reality of complying with either SB 703 or CCPA is a nightmare we’ve yet to face. You can hardly blame people for playing ostrich when confronted with such a daunting task. You can also hardly blame people for pushing back on companies being able to use personal information for free.

We’ll be writing more on CCPA and its potential effect on business operations both outside and within the healthcare environment. In the meantime, should Oregon’s SB 703 move further down the path to fruition, we’ll weigh in on that, too.

Need specialized insight on these and other data privacy and information security regulations? Contact Apgar & Associates, LLC at 503-384-2538. Our in-the-trenches knowledge and professional consulting will help you and your workforce with compliance and critical certification preparation.

The post Consumers in the Regulatory Driver’s Seat: Protecting Personal Data Privacy appeared first on .

]]>
How can your Third Party Vendor help or hurt your SOC 2 status? https://apgarandassoc.com/how-can-your-third-party-vendor-help-or-hurt-your-soc-2-status/ Tue, 19 Feb 2019 14:12:45 +0000 https://apgarandassoc.com/?p=2280 Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Service Criteria document (formerly Trust Service Principles). You’ll quickly notice the […]

The post How can your Third Party Vendor help or hurt your SOC 2 status? appeared first on .

]]>
Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Service Criteria document (formerly Trust Service Principles). You’ll quickly notice the underlying theme is organizational risk management where vendor risk management figures prominently.

The updated criteria delves into the many joys of maintaining and assuring “commitment” and “competency.” Under the evolving TSPs (yes, still called TSPs), “system and organization controls” expand to include cybersecurity risks, such as those that come with third party vendors.

In fact, nearly every mention of risk profile components includes vendors. Their reliability, the need to assess external threats, the ongoing relationship. So how do you begin to manage the risk they bring to your organization?

Vet them at the outset as part of due diligence prior to contract. Well, of course, you say. Wait for it: vet again, and again, at timely intervals.

All too often, we see the opposite. When going through a proposal process, organizations may be all over the potential vendor partner with a microscope. Once the contract is complete, crickets. As long as the service is fairly smooth, vendor privacy and security audits are rare, if they happen at all.

However, an organization that’s considering any certification (HITRUST, ISO) or a successful SOC report won’t have that option. And increasingly, to be competitive, you need to make the extra effort to demonstrate your data privacy and information security competency. So what’s the plan?

Tips for Third Party Vendor Risk Management

  1. Vet vendors early and often. Because it bears repeating, make due diligence a repetitive activity. Regular re-assessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.
  2. Make them prove that they train their workforce on issues you think are important. Isn’t your third party partner part of your operations? Don’t they affect your ability to conduct business successfully? Think about how you can identify your most important training issues and push them to include them in their training. That speaks to assuring competency, by the way. A TSP.
  3. Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they’re to do with a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it can grow from a manageable security incident to a major security breach.

For those of you who are happy SOC 2 Report achievers, keep up to par on those TSPs. Remember, the AICPA is only one organization honing in on vendor risk management. Whether you’re going for a certification or simply trying to stay on top of regulatory requirements, the risk is real.

Are you considering a certification or readying for an assessment? Chris Apgar and Julia Huddleston have helped numerous clients prep for a successful assessment to achieve certification or a SOC 2 report. Call Apgar and Associates today to learn more: 503-384-2538.

 

Informational source includes: American Institute of Certified Public Accountants, Inc. “Trust Service Criteria.” Issued by the AICPA Assurance Services Executive Committee (ASEC). Copyright © 2017. Available at https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

 

The post How can your Third Party Vendor help or hurt your SOC 2 status? appeared first on .

]]>
How to Harden Laptops, Tablets & Smartphones to Protect PHI https://apgarandassoc.com/how-to-harden-laptops-tablets-smartphones-to-protect-phi/ Wed, 06 Feb 2019 14:35:06 +0000 https://apgarandassoc.com/?p=2264 When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient information security standards exponentially increases the risk to sensitive healthcare data. It can also place you in non-compliance with the HIPAA Security Rule. On top of that the […]

The post How to Harden Laptops, Tablets & Smartphones to Protect PHI appeared first on .

]]>
When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient information security standards exponentially increases the risk to sensitive healthcare data. It can also place you in non-compliance with the HIPAA Security Rule. On top of that the courts are likely to see it as a security failing in the case of data breaches. Now you’re looking at an expensive law suit!

An abbreviated overview of the HIPAA Security Rule’s general requirements calls for covered entities and business associates to do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of this part.

Can you demonstrate device encryption?

CEs and BAs, keep in mind, too, that you can’t take advantage of the HIPAA Breach Notification Rule safe harbor if you can’t demonstrate that stolen devices were actually encrypted at the time. If the device isn’t locked down, it’s hard to prove that the device was secure and no PHI or PII accessed when the device is lost or stolen. While Apple tablets and smartphones are natively encrypted, either end users or IT staff need to enable or turn on encryption for Android tablets and smart phones, Windows laptops, tablets and smartphones and Macs. Take the below steps to protect laptops, tablets and smartphones – and to protect PHI.

7 Steps to Laptop Data Security & Intrusion Protection

  1. Remove administrator privileges for all company-owned laptops and lock down devices
  2. Install and maintain mobile device management tools that support:
    1. Remote wipe of hard and flash drives
    2. Device tracking in the event a device is lost or stolen
    3. Enforce encryption of hard drives and flash drives
  3. Install and periodically update anti-malware applications
  4. Install and periodically update firewall applications
  5. Enforce strong passcodes or passwords and require periodic password changes
  6. Enable biometric authentication if available
  7. If using Windows, properly set share and Microsoft New Technology File System (NTFS) permissions to keep network snooping to a minimum and unauthorized users out of sensitive files stored locally

6 Ways to Protect Tablet & Smart Phone Security & Prevent Intrusion

  1. Remove administrator privileges for all company owned tablets and smartphones and lock down devices
  2. Install and maintain mobile device management tools (company owned and personally owned; BYOD) that support:
    1. Remote wipe of flash drives
    2. Device tracking in the event a device is lost or stolen
    3. Enforce encryption of flash drives
    4. Preferably – segregate company data from personal data on BYOD devices
  3. Install and periodically update anti-malware applications (Exception: iPhones and iPads)
  4. Install and periodically update firewall applications (Exception: iPhones and iPads)
  5. Require strong passcodes or passwords and regular password changes
  6. Enable biometric authentication if available

Device hardening is considered a reasonable security safeguard which means it’s a “must do” when it comes to HIPAA compliance and state law compliance in some states. Take the necessary steps to protect PHI and avoid the bad headlines, regulatory penalties, law suits and lost business. If you need to beef up compliance planning, conduct your security risk analysis, or just aren’t sure where to start with any of it, give us a call: 503-384-2538.

The post How to Harden Laptops, Tablets & Smartphones to Protect PHI appeared first on .

]]>
5 Ways You Can Reduce Phishing Risk https://apgarandassoc.com/5-ways-you-can-reduce-phishing-risk/ Tue, 22 Jan 2019 15:22:42 +0000 https://apgarandassoc.com/?p=2244 Malware attacks via phishing knocked it out of the park in 2018. Phishing attacks account for an inordinate number of the data breaches and compromised networks. In fact, the Identity Theft Resource Center (ITRC) reported that “one-third of all security incidents last year began with a phishing email.” As the cyberattacks get sneakier, everyone – […]

The post 5 Ways You Can Reduce Phishing Risk appeared first on .

]]>
Malware attacks via phishing knocked it out of the park in 2018. Phishing attacks account for an inordinate number of the data breaches and compromised networks. In fact, the Identity Theft Resource Center (ITRC) reported that “one-third of all security incidents last year began with a phishing email.” As the cyberattacks get sneakier, everyone – workforce and consumers – are at ever-higher risk of breaching data privacy and security.

From fake offers of free World Cup tickets to false GDPR privacy policy notices, 2018’s worst phishing scams cut no corners on creativity. Organizations large and small have implemented penetration testing, aka pen testing, to see how well their technology and their workforce withstand malware attacks. If we’ve learned one thing, it’s that size doesn’t matter to cyberattackers.

5 Pointers to Avoid Getting Hooked

  1. Conduct penetration testing, aka pen testing. Pen testers employ the same tactics as hackers, but to your benefit. You’ll discover how effective your firewalls and patches are as well as how well your workforce “gets” anti-phishing training.
  2. Conduct phishing-specific training. Human error continues to be a big gap in privacy and security effectiveness. One click or tap on a link or attachment opens the gate to phishing malware. Scenario-specific, interactive, out-of-the-box training sessions make the biggest difference.
  3. Stay on top of the latest phishing and smishing (mobile device phishing via text) techniques so you can take measures to prevent systems infiltration as well as keep your workforce alerted.
  4. Encourage transparency internally and externally. Whether it’s an employee who opened the backdoor or a third party partner, you need to know when security has been breached. Promote admitting, “I may have messed up” and what to do the second it happens (aka per security incident response).
  5. Keep anti-virus, anti-spam and anti-spyware software current. Hackers are smart cookies but if you’re not on top of essential technology safeguards, they don’t even have to try.

If we were going to choose one tech tip and one human error prevention tip to focus on in Q1, we’d select pen testing and anti-phishing training. One pen testing researcher is so intent on lighting a fire against phishing that he published his scarily successful pen test.

And should all prevention measures fail, you’ll need backup. Which brings us to: Keep recent backup system copies readily accessible. If phishing does get through, you’ll want to be able to quickly go back to a “safe” backup so you can get operations back up and running. With response measures in place, the sooner you know, the faster you can act.

The post 5 Ways You Can Reduce Phishing Risk appeared first on .

]]>
Data Privacy & Security: 2018 Reflections & the Year Ahead https://apgarandassoc.com/data-privacy-security-2018-reflections-the-year-ahead/ Tue, 18 Dec 2018 15:25:40 +0000 https://apgarandassoc.com/?p=2209 It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019. We’re seeing the OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that will continue. Over 60 organizations […]

The post Data Privacy & Security: 2018 Reflections & the Year Ahead appeared first on .

]]>
It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019.

We’re seeing the OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that will continue. Over 60 organizations reported breaches affecting fewer than 1000 individuals, reminding everyone that not all breaches make headlines. Some of them are small organizations in your own backyard.

Buyer Beware re CCPA Cool Tools

The California Consumer Protection Act (CCPA) has reaped much hoopla. And the sales push on the trade show floors shows it. At conferences nationwide, we’ve seen “solutions” for CCPA compliance. Yet the Act isn’t yet in its final codified form.

Our recommendation on CCPA: don’t put the cart before the horse. Spend the time between now and the CCPA’s 2020 date getting your data privacy and security house in order. Go back to basics and pay attention to how the law evolves before spending money – and  implementation time – on a “cool tool” that ultimately, may not be what you need.

Not All Certifications are Created Equal

On that note of cool things, are you looking at how your vendors are certified? People will peddle that they’re certified in this or that, like saying “We’re ISO certified.” That’s great. But we can’t stress enough that not all ISO certifications mean the same thing. The ISO 27001 certification is the one that relates to information technology security standards. So if you have a potential vendor touting their certifications, do a quick online search to be sure that it’s the one(s) that matters to your business. Oh, and make sure the certifications are still active. Just because a vendor was certified once doesn’t mean they are still certified.

In fact, just because you’re in the healthcare business doesn’t mean you necessarily need to rush out and buy a regulatory-specific solution or need the certification that your competitor is getting. Examine what type of business you do, where you do it and who your customer is before making a financial and time commitment that may not be needed, or that may not be needed right now.

When it comes to you and your business, be strategic. And keep in mind that not all business strategies call for the same certification. We can help you figure out which certification makes the most sense for your organization (HITRUST, SOC 2 and ISO 27001 are the most commonly pursued).

Now that you have all the information that matters (ho, ho, ho!), kick back and let’s toast 2018 out and 2019 in! We wish you and yours a happy, healthy holiday season and a prosperous new year. Thanks for making 2018 such a great year and for trusting us to help you with your data privacy, security, compliance and certification preparations!

The post Data Privacy & Security: 2018 Reflections & the Year Ahead appeared first on .

]]>
Word of Warning: join.me Does Not Sign Business Associate Agreements https://apgarandassoc.com/word-of-warning-join-me-does-not-sign-business-associate-agreements/ Wed, 12 Dec 2018 14:51:04 +0000 https://apgarandassoc.com/?p=2199 A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the […]

The post Word of Warning: join.me Does Not Sign Business Associate Agreements appeared first on .

]]>
A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the join.me platform. Therefore – as you’ll see in the exchange below – they “do not sign BAAs.”

So, a warning to those who use join.me and store recordings that include PHI on the join.me platform – join.me is unwilling to execute a business associate agreement with covered entities and business associates. If you need a video communications platform that supports the storage of PHI and is HIPAA compliant, it’s wise to look elsewhere.

Below is a reprint from a warning I posted on LinkedIn just the other day. Please feel free to share your experiences of similar situations and vendors with me in the comments area on that post. Here’s my email exchange with join.me.

Original Question/Comment

I’m attempting to get an answer one last time. I represent a mutual customer who currently uses join.me who is required to comply with HIPAA. Given the fact that protected health information (PHI) may be stored on join.me‘s platform in the form of recordings, join.me is required to sign a business associate agreement with my client. If join.me is unable or unwilling to sign a business associate agreement, I need to recommend that my client change to another conferencing platform such as Zoom or WebEx who will sign a business associate agreement.

On Dec 2, 2018, at 6:42 PM, join.me Support wrote:

Hello Chris,

Thank you for contacting join.me.

We actually do not sign BAAs because our services are not HIPAA compliant as HIPAA compliance, per se, is applicable only to entities covered by HIPAA regulations (e.g., healthcare organizations).

That being said the technical security controls employed in the join.me service and associated host and client software can meet or exceed HIPAA technical standards. But again, we are unable to sign any BAA’s.

If we have answered your question, we will send you an email in the next few days asking for your feedback. We value your opinion and thank you in advance for taking the time to click on the survey link and letting us know how your experience was with our team.

Thanks again for using join.me.

L***  | Customer Support Representative
LogMeIn, Inc.

My reply to join.me

You (join.me) answered my question. My client will be looking for another vendor. While the functionality may be there to secure the data, my client would be violating HIPAA by continuing to use the join.me platform. As the US Department of Health and Human Services, Office for Civil Rights has stated, claiming to not be a business associate doesn’t mean you actually aren’t one. I also feel a need to remind covered entities and business associates they shouldn’t be contracting with join.me if the platform will be used to store recordings that contain PHI.

Chris Apgar, CISSP
www.apgarandassoc.com

My Recommendation

Ultimately, I had to recommend to the client that they not use join.me but check into online video and document storage with vendors who will sign BAAs, such as Zoom or Webex. The instance serves as a reminder that no matter how technically secure a vendor professes to be, if you plan to use their platform or services for anything pertaining to PHI, there needs to be a BAA in place, documenting that they follow HIPAA regulatory requirements as relates to PHI protection. And as I indicated to the customer support representative above, claiming that you’re not a business associate doesn’t magically transform you into not being one!

Chris is a frequent LinkedIn Pulse contributor. You can connect with him here, and you can follow Apgar and Associates on LinkedIn here.

The post Word of Warning: join.me Does Not Sign Business Associate Agreements appeared first on .

]]>
Policy Controls: Why The Whole World Wants You to Write Policies https://apgarandassoc.com/policy-controls-why-the-whole-world-wants-you-to-write-policies/ Tue, 13 Nov 2018 20:37:13 +0000 https://apgarandassoc.com/?p=2126 As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, […]

The post Policy Controls: Why The Whole World Wants You to Write Policies appeared first on .

]]>
As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, and rigorous, and there wasn’t an infomercial to be found!

Policy controls and their importance is the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the basis on which anyone assessing the company’s system is building. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they’re saying privacy policies (e.g., controls) and those very likely pertain to privacy and security.

Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.

Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.

One of the speakers at a session I attended focused on policy writing – European style and United States style.  The German IT attorney who spoke about European style policy writing made the following statements (and yes, I’m paraphrasing):

  • Data Protection Authorities (DPAs) are likely to read policies
  • DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.

From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.

The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are:

  • reasonable for the organization’s size,
  • the complexity of what it does, and
  • the sensitivity of the information with which it deals.

ISO 27001 is not prescriptive. ISO says that you build an Information Management Security System to ensure information privacy. Organizations develop their Information Security Management Systems based on:

  • risk assessment,
  • risk treatment plans, and
  • the Statement of Applicability.

SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.

Privacy & Policy Controls Success Tip: Walk the Talk

With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.

You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review.  There may be a call for an organizational chart that depicts that management really is management, too.

You get to design and implement the policy controls that your organization will follow.  Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!

For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.  

*More information about the 2018 Privacy & Security Forum can be found here

 

 

 

 

The post Policy Controls: Why The Whole World Wants You to Write Policies appeared first on .

]]>
Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule https://apgarandassoc.com/privacy-security-forum-update-ocr-activity-audit-protocols-ransomware-the-hipaa-security-rule/ Mon, 29 Oct 2018 17:57:04 +0000 https://apgarandassoc.com/?p=2117 Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago.  One of the sessions I attended was focused on what’s happening at OCR these days.  The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP.  I […]

The post Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule appeared first on .

]]>
Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago.  One of the sessions I attended was focused on what’s happening at OCR these days.  The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP.  I heard about new OCR activity, got an answer to my question about the future use of the OCR audit protocols, and key OCR takeaways.  I have the pleasure of passing the Forum’s highlights on to you.

OCR audit protocols use.

The big news to me was the answer to one of my questions about OCR audit protocols.  For over a year, we’ve been saying that for investigations and enforcement activity that it’s likely the OCR will use the audit protocols that were updated from the phase 2 audits.  I took the opportunity to ask the top authority at OCR about future use of the protocols.  Mr. Severino confirmed – that’s just what OCR intends to do and may already be doing so.

Other OCR activity includes:

  • Updating HIPAA/FERPA guidance (jointly with the US Department of Education)
  • Issuing a notice of proposed rule making (NPRM) request for information (RFI) HITECH Act accounting of disclosures language (the last NPRM was not well received by the industry and privacy advocates)
  • Evaluating ways OCR can distribute funds received as part of enforcement related civil monetary penalties and settlement agreements to victims of breaches of their PHI

That’s a fair amount of activity.  The only caveat is we don’t know how soon “soon” is.

FBI and FTC weighs in on ransomware attacks.

I also attended a session that featured speakers from the FBI and the FTC.  Along with Mr. Severino the FBI said the first step covered entities and business associates should take is to contact the FBI if you’re attacked by ransomware.  The FBI has agents in place to investigate ransomware and help covered entities and business associates get their data back without paying a ransom.  This is something to keep in mind when you’re updating your security incident response plans especially given local law enforcement may not have the resources to assist with an investigation.

Is the HIPAA Security Rule being updated?

There has been much talk over the past few years about the need to update the HIPAA Security Rule.  The Director indicated that he things there is nothing fundamentally broken with security rule so it’s unlikely the rule will be amended any time soon.  The Security Rule is technology neutral and is flexible.  It hasn’t become obsolete due to changes in technology and there has been a lot of change since the rule was published in 2005.

OCR phase 2 audit results and plans for enforcement.

Mr. Severino shared that OCR was finalizing phase 2 audits and results will be published soon.  As far as the audit program goes, he indicated that there would likely be no more formal audits.  Instead, the audits would become part of OCR’s enforcement activity.  He believes this promotes an enforcement mindset with a higher-level rigor, similar to enforcement activity conducted by the US Department of Justice.

An audience member asked if enforcement would continue unabated or would be curtailed under this administration.  The answer: OCR is still on track with enforcement.  Mr. Severino would like to see enforcement go down as a reflection of the expansion of a culture of compliance, which OCR has been pushing since 2011.  He did add that the industry was far from there today.

Adam Greene asked Mr. Severino to provide three takeaways for the audience.  The Director said:

  1. You need to treat PHI as if it was a bar of gold. That includes conducting periodic risk analyses, encrypting PHI and securing mobile devices.
  2. “We’re from the governments and we’re here to help” – tap into OCR resources through its website, the most popular website for the US Department of Health & Human Services.
  3. “Help us help you” – review NPRMs, RFIs, and other information OCR would like input from the industry about and provide feedback. Periodically check regulations.gov to check on opportunities to provide OCR feedback.

All in all it was a great conference and good to get information from the proverbial horse’s mouth.  Julia will be sharing information about some of the sessions she attended.  Look for more in the weeks to come!

 

The post Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule appeared first on .

]]>