Monday, November 4, 2013

This week's lesson involved more of the business and financial aspects of information security. Companies want to be protected but they also want to know exactly how much that protection will cost.  Why?

Because the cost to secure them could be greater than incurring the actual threat. Strange? Possibly, but it could be true.

Now, there are different layers to be considered when we talk about information security protections: 

  1. How much would a single incident cost the company?
  2. How many times a year would it be anticipated for this incident to occur?
  3. How much money would this incident cost the business?
  4. How much does an annual solution cost?

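The four questions above line up with the standard cost-benefit arithmetic for safeguards, and the following added example (my code, not the blog author's) works it through in Python. It reads question 1 as the single loss expectancy (SLE), question 2 as the annualized rate of occurrence (ARO), question 3 as the annualized loss expectancy (ALE = SLE x ARO) and question 4 as the annual cost of the safeguard (ACS); the cost-benefit of a control is then CBA = ALE(prior) - ALE(post) - ACS. The breach scenario and all dollar figures are constructed for illustration, and the example deliberately includes one option whose protection costs more than the threat it prevents, which is the situation the paragraph above describes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its estimated effect on one threat."""
    name: str
    annual_cost: float    # ACS: what the safeguard costs per year
    residual_sle: float   # SLE once the safeguard is in place
    residual_aro: float   # ARO once the safeguard is in place


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected yearly loss from one threat."""
    return sle * aro


def cost_benefit(sle: float, aro: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.

    A positive result means the control saves more than it costs;
    a negative result means the protection is dearer than the threat.
    """
    ale_prior = annual_loss_expectancy(sle, aro)
    ale_post = annual_loss_expectancy(control.residual_sle, control.residual_aro)
    return ale_prior - ale_post - control.annual_cost


def best_control(sle: float, aro: float,
                 controls: List[Control]) -> Optional[Control]:
    """Pick the control with the highest CBA, or None if none pays for itself."""
    scored = [(cost_benefit(sle, aro, c), c) for c in controls]
    value, control = max(scored, key=lambda pair: pair[0])
    return control if value > 0 else None


# Constructed scenario (not real figures): a lost laptop holding
# unencrypted patient records. Notification, fines and credit monitoring
# are estimated at $250,000 per incident, expected once every two years.
SLE = 250_000.0
ARO = 0.5

# Constructed safeguard options with hypothetical costs and residual risk.
CONTROLS = [
    # Encrypted disk: the laptop is still lost, but no notifiable breach.
    Control("Full-disk encryption", annual_cost=20_000.0,
            residual_sle=5_000.0, residual_aro=0.5),
    # Tracking plus remote wipe: breach still likely before the wipe lands.
    Control("Tracking and remote wipe", annual_cost=15_000.0,
            residual_sle=100_000.0, residual_aro=0.5),
    # Replacing every laptop with thin clients: near-zero loss, huge cost.
    Control("Replace laptops with thin clients", annual_cost=200_000.0,
            residual_sle=1_000.0, residual_aro=0.5),
]


def summarize(sle: float, aro: float, controls: List[Control]) -> List[dict]:
    """Tabulate ALE before, ALE after and CBA for each control."""
    rows = []
    for c in controls:
        rows.append({
            "control": c.name,
            "ale_prior": annual_loss_expectancy(sle, aro),
            "ale_post": annual_loss_expectancy(c.residual_sle, c.residual_aro),
            "acs": c.annual_cost,
            "cba": cost_benefit(sle, aro, c),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SLE, ARO, CONTROLS):
        print(f"{row['control']:<36} ALE before ${row['ale_prior']:>10,.0f}"
              f"  ALE after ${row['ale_post']:>9,.0f}  ACS ${row['acs']:>9,.0f}"
              f"  CBA ${row['cba']:>10,.0f}")
    choice = best_control(SLE, ARO, CONTROLS)
    print("Recommended:", choice.name if choice else "no control pays for itself")
```

Run as a script it prints one line per option and the recommendation. The thin-client option shows the page's point in numbers: it reduces the expected loss almost to zero, yet its CBA is negative, so the business would be paying more for the protection than the threat is worth. The figures are inputs a security team has to estimate, which is exactly why the cost conversation with business leaders matters.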
Information security professionals have to be well rounded in not only areas of security but the financial impacts that a business leader must pay.  That may be the MOST unpleasant part of the conversation but it is obviously one of the MOST important parts. 

Helpful and detailed information, like being able to articulate the cost-benefit analysis, is also an added skill we need.

This article gives some helpful insight on analyzing costs and why they are important for information security. 

http://www.notablesoftware.com/Papers/SecCost.html

Week 11 is all about Personnel and Security.

I was in management for over 4 years and have been in a management role at my current job for over 2 years.

Security issues with employees are such a sensitive topic because employees sometimes feel offended if you request company property as if you suspect them of wrongdoing. It is also sensitive because usually during either a termination or a layoff or even a resignation, there are emotions involved.

However, managers need to be sure that they handle terminations appropriately and professionally.

When medical facilities are involved, there is an additional layer added to this complex situation. Employees must be reminded that they still have an ethical responsibility to keep confidential the information that was learned during the course of their employment.

An employee could think that their confidentiality is void once they are terminated but that just is not the case.

This article helps provide some additional information security insight for terminating employees in the healthcare industry.

http://www.hcpro.com/content/42936.pdf

Sunday, October 20, 2013

Risks, Risks and More Risks...

This week's lesson centered around Risk Management. I personally was surprised at the depth this topic was covered in an information security class. My exposure to risk management until recently had only been in regards to providing healthcare or medical documentation. But after this week's reading and assignments, I've broadened my understanding of risk management, especially pertaining to information security.

First, it should not be ignored that there are risks in every genre but particularly in information security, one needs to determine how to address, mitigate and resolve these risks.

Secondly, various strategies should be used on how to approach risk management plans for information security. The needs and structure of the organization or other factors could drive this.

Thirdly, constructing a risk management plan identifying vulnerabilities and likelihoods is not a one and done process. It's ongoing.

I read an article from the Office of Civil Rights (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf), which had a really neat point.

It suggested that "A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation" (OCR, 2010).

While I figured that new technologies should encourage reevaluation of processes, I had not included a change in business operations as a driver.

I think the big picture comment for when to re-evaluate processes is "whenever it's necessary". If a new technology warrants a revamp to the entire risk management strategy, then it should happen. If a new business process impacts the risk management process, then it should change.

This guidance on when to review the process is a great nugget of information for a question that could seemingly have a static answer.

Sunday, October 13, 2013

It is broke, fix it?

This week's assignment involved reviewing recommendations for issues identified in the Verizon Data Breach Investigations report.

So, I find things like this interesting because when you have an issue that is identified in the company, how do you evaluate when/how to fix it?

For example, in this report, a lot of problems were identified. However, in order to fix most of them would require process changes and financial expenses. So, the system is broke - do we fix it?

Well, that depends... What's at stake? Are lives on the line? Possibly. Are customer accounts vulnerable? Maybe. Will we lose business? Perhaps.

Better question - Can we be a company with integrity if we do not fix known issues to avoid possible breaches? No.

I know ethics is covered later in the book but here's my take - companies will often do detailed analysis on issues and find all kinds of gaps. The problem that follows is their willingness to resolve and correct these deficits because of cost. However, in order to maintain some level of integrity, any reasonable business owner must fix issues, no matter the cost because we have an obligation to do so.

Sunday, October 6, 2013

This week was all about security training. From 2006 - 2008, I was a compliance auditor and HIPAA auditor. I provided HIPAA training to all new employees and annual training to established employees at a medical school and its partner medical practices. I thoroughly enjoyed that job because I was able to help open employee eyes to real security threats.

I remember sitting in the training as a new employee myself years before and now I was on the other side.

What did I learn?

I learned that security training is designed to make you aware and then make you apply. It does no good to train employees about security breaches if I do not share with them how they can make practical use of the information given.

A trainer is only as good as the information that he/she provides and is only as good as the information that is retained.

Employees or attendees should walk away saying "now I know what to do so X doesn't happen to me".

I wish more trainers would transfer knowledge and not just information...

Sunday, September 29, 2013

Out of all the homework I did this week, I was very intrigued by the various different types of policies. If I had to nail down a good policy type, I'd say the issue specific type. First, they describe the technology that is discussed in the policies and they mention what problems could arise that would necessitate the need for the policy.

Could these types of policies leave gaps? Possibly. I can recall a story about a hospital that had identity theft of patient information. The perps would view patient information in the course of their routine work but then would use it to open fake accounts. The institution could not have foreseen that employees would steal patient information. So, in a situation like this would an issue policy forbidding the unauthorized access of information be applicable?

Not really because they had to see the patient's social security number. A new policy would need to be created to mention that any illegal use of patient information would be prosecuted.

Unfortunately, the mentality of our society dictates the need to craft a policy for any type of foreseeable problem.

Sunday, September 22, 2013

This week's class gave me a chance to research things like disaster recovery and business continuity plans. I had never researched or read about either topic prior to this week.

So, what did I learn?

I learned that some people use these terms as synonyms for each other. In actuality, a business could have a continuity plan but not necessarily have a disaster recovery plan.

I also learned that some people did not have recovery plans until major catastrophes happened like hurricanes or terrorist attacks.

I think it definitely makes sense for any business to have both of these plans, but does this create paranoia? I don't think so, because we have evidence that the unexpected does happen.

As information security professionals, we will need to prepare individuals in a way that demonstrates a proactive approach instead of a reactive one.

If we can manage to exude confidence in being prepared, we should be able to obtain buy-in for both disaster recovery and business continuity plans.

Monday, September 9, 2013

Lower Insurance Premiums or Higher Security Violations: Employee Wellness Reduction Programs

Every September, everyone in my department is up in arms about choosing next year's medical benefits. We work for a healthcare company and are often surprised by the high cost of healthcare.

So, a few years ago, a program was started to reduce yearly premiums. Each fall, employees are asked to go to a provider and have the following information collected:

- BMI (body mass index)
- Weight
- Height
- Blood Pressure
- CBC (all basic laboratory bloodwork)

If an employee and spouse/domestic partner complete these studies, they can have reductions in their monthly premium costs. I am the only one in my department who refuses to do it. (Of course, my coworkers think I'm crazy and independently wealthy).

However, I have a valid reason for not participating in this. I do not know anything about the people who maintain this information.

As a woman, my BMI (along with weight) and basic bloodwork can reveal a LOT of personal information about me and I do not know who has this information or what happens to it after I'm given a discount.

I was reading a post on the privacyrights.org site regarding California laws on this subject. Basically, there are a few gaps in the law pertaining to the vendors maintaining the information. This did not help my paranoia about this subject, as I'm pretty sure other states may also have some of these gaps.

For me, the biggest problem I have is who's using this information after my employee determines "Well, Dorian Harris eats too much of the free donuts?"

Who's seeing and/or using my BMI? Or after open enrollment, then what? Where's it stored?

It is bad enough that healthcare providers sometimes do a lousy job of securing information that we have to give them but someone wants me to voluntarily submit my information to an unknown source?

Maybe my concern is completely unfounded, maybe I'm overreacting or maybe I'm justified.

I'm sure the day will come when I am mandated to participate in this employee reduction program... Until then I'll keep paying the higher price financially and lower the risk for security issues.

Friday, September 6, 2013

A proper introduction ...

I realized at 3:00 a.m. this morning that I did not properly introduce myself or my intention for this blog.

My name is Dorian and I have a very personal interest in privacy issues, especially as they relate to medical care. I worked as a Medical Billing Manager for years. I reported what I believed was an inappropriate billing action by a colleague. 2 months later, the Legal department where I worked offered me a position as an auditor (I had other qualifications which also made me a candidate).

While I worked as a Compliance Auditor and HIPAA Auditor, I was privy to violations in medical facilities around our city. During my tenure at a particular facility, my son suffered an injury that left him paralyzed from his chest down at age 17. The injury was featured in our local papers and news.

When I returned to work, I was greeted by a former colleague who stated "I was really concerned about your son, so I looked at his scans and x-rays. I'm sorry about what's happened". I was livid. "You violated his privacy", I quipped and stormed out.

After I cooled off, I thought about something... People do foolish things sometimes. In fact, sometimes they think they are doing good, especially when it relates to issues of medical care. Medical privacy has to be respected and honored by everyone - patients, physicians, nurses, ancillary staff, etc.

My long winded story really sums up to this - people need to be informed about what they can and cannot do as it relates to medical information. It only takes one time.

I plan on using this blog as a means to discuss medical privacy issues, violations and education as I've come to learn over the past 7 years.

Thursday, September 5, 2013

I recently went to a new physician's office. I'm probably a front desk worker's worst nightmare. For 3 1/2 years I worked for a hospital and physician group corporate compliance office as a compliance auditor and a HIPAA auditor. I routinely emptied trash cans, sat in waiting rooms or walked by nurses' stations documenting numerous HIPAA violations. Needless to say, whenever I enter a physician's office, I have an even higher level of anxiety regarding privacy because I know what can go wrong. I have to be honest - when I read about medical privacy or HIPAA or ePHI standards, I start to sweat. The reality of the situation is that despite the best efforts from our government, individuals overall do not yet fully grasp the imminent danger facing us through careless actions in a medical setting. Computer screens left unattended, openly displaying lab results, x-rays or worse, electronic progress notes. Ah! Medical privacy? Does anyone really care about our medical privacy?