But the reality is that the HIPAA Privacy Rule wasn't set out to be a destination but rather a journey. It isn't enough to "BE" compliant; the expectation is to operate in compliance. Two hugely different approaches. My client had treated it as a destination, the "BE" compliant choice, had worked hard toward meeting the Privacy Rule in 2003, but since 2003 had not attended to their obligations. They are not operating in compliance.
Are you in the same boat? Here are 3 questions that stand out as markers for how you are doing:
HIPAA requires regular training and updates on security and privacy (training requirements exist in both the Security Rule and the Privacy Rule). Have you trained your staff since 2003? Can you prove it when an auditor knocks on your door?
To operate in a compliant status you need to know the Privacy Impact of your business processes and functions. My client had understood this in 2003, but as processes had changed they had not updated their view of the privacy impact. Have your business processes using PHI (and ePHI) changed since 2003?
Documenting your privacy practices is a requirement under HIPAA. It is enormously important to be able to show an auditor your work effort. This client didn't have much to show for the period between 2003 and now, but they were able to quickly produce the original documents from 2003. Our work effort to put them into an operational compliant mode won't require nearly as much investment because we have a sound starting point. Are you documenting your privacy practices under HIPAA?
This post is a quick note for those of you who serve children online as audience members of your websites, either intentionally or unintentionally.
The FTC announced an extension of the public comment period for COPPA Rule Review until July 12, 2010. If you are familiar with COPPA you may want to take this short window to comment; if you aren't, and include minors under 13 in your online communities, you may want to take the time to familiarize yourself with COPPA.
For those that don't know COPPA, it is the Children's Online Privacy Protection Act of 1998, a US federal law.
According to the FTC web site:
Congress enacted the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6508, in 1998. COPPA contains a requirement that the Federal Trade Commission (FTC or Commission) issue and enforce a rule concerning children's online privacy, which the Commission did in 1999. The Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, became effective on April 21, 2000.
Under the act "operators covered by the Rule must:
Post a clear and comprehensive privacy policy on their website describing their information practices for children's personal information;
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
Give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties;
Provide parents access to their child's personal information to review and/or have the information deleted;
Give parents the opportunity to prevent further use or online collection of a child's personal information;
Maintain the confidentiality, security, and integrity of information they collect from children.
In addition, the Rule prohibits operators from conditioning a child's participation in an online activity on the child's providing more information than is reasonably necessary to participate in that activity."
Though we've touched on COPPA in the field when we've worked on assessments and governance formation within the higher education sector, I've not had much direct field experience with COPPA. Here are some articles online that helped me understand it, its implementation and limitations:
COPA vs. COPPA and the U.S. Supreme Court (January 29th, 2009) by Steven Leung. Leung quotes an FTC press release that says that "there is potential for age falsification on general audience websites, as well as liability under COPPA, should these sites obtain actual knowledge that they are collecting, using, or disclosing personal information from children online."
As a parent with 3 boys 13 or under this was an interesting topic.
From a risk management perspective, I recommend that you consider whether you have any exposure to children in that age group using your online properties. If you do, you'll want to plan how you can reduce your risk in regard to COPPA.
The Federal Trade Commission (FTC) announced yesterday Twitter's settlement of charges that Twitter "deceived consumers and put their privacy at risk by failing to safeguard their personal information."
In a non-technical, pedestrian manner, David Vladeck, Director of the FTC's Bureau of Consumer Protection, boils it down in this quote on the FTC site:
“When a company promises consumers that their personal information is secure, it must live up to that promise. Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."
Twitter was hacked twice, once in January 2009 and again in April of that year. During that time period Twitter's privacy policy stated that:
"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Twitter had borrowed some of the language from another firm's privacy statement (how did your privacy statement get written?).
The FTC acted under Section 5 of the FTC Act, which gives it the power to hold firms accountable for "unfair and deceptive" practices. The deception here is that Twitter publicly proclaimed it did something that in fact it did not do.
There were no monetary fines levied. According to legal friends of mine this is due to the fact that Section 5 of the FTC Act does not grant the FTC the power to levy fines or penalties.
Again, according to the FTC:
"...Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system, including reasonable steps to:
require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
restrict access to administrative controls to employees whose jobs required it; and
impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years."
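The FTC list above names concrete administrative-access controls: lockout after repeated failed logins, source-address restriction, and 90-day password expiry. The following is an added illustration of those three checks as a small access gate; it is constructed for this post, not Twitter's or the FTC's code, and the account names, network ranges and attempt threshold are assumed values.

```python
"""Constructed illustration of three administrative-access controls from the
FTC's list: lockout after repeated failed logins, an allowlist of source
networks for the admin login, and expiry of admin passwords after 90 days.
All names, addresses and thresholds below are made up for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

MAX_FAILED_ATTEMPTS = 5                 # assumed "reasonable number" of failures
PASSWORD_MAX_AGE = timedelta(days=90)   # the 90-day expiry the FTC cites


@dataclass
class AdminAccount:
    name: str
    password_set_on: date
    failed_attempts: int = 0
    disabled: bool = False


class AdminGate:
    """Evaluates an admin login attempt against the three controls in order."""

    def __init__(self, allowed_networks, today):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.today = today          # injected so the example is reproducible
        self.accounts = {}

    def add(self, account):
        self.accounts[account.name] = account

    def check(self, name, source_ip, credential_ok):
        """Return a reason string; 'ok' only when every control passes.
        credential_ok is the password verifier's result, supplied by the
        caller so this example stays independent of any password store."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "denied: source address not in admin allowlist"
        account = self.accounts.get(name)
        if account is None:
            return "denied: unknown account"
        if account.disabled:
            return "denied: account disabled after repeated failures"
        if not credential_ok:
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.disabled = True     # the FTC's "suspend or disable" step
                return "denied: lockout threshold reached, account disabled"
            return f"denied: bad credential ({account.failed_attempts} failures)"
        if self.today - account.password_set_on > PASSWORD_MAX_AGE:
            return "denied: admin password expired, rotation required"
        account.failed_attempts = 0         # successful login resets the counter
        return "ok"


if __name__ == "__main__":
    gate = AdminGate(["10.0.5.0/24"], today=date(2010, 6, 1))
    gate.add(AdminAccount("ops", password_set_on=date(2010, 4, 1)))
    print(gate.check("ops", "203.0.113.9", True))   # outside the allowlist
    print(gate.check("ops", "10.0.5.7", True))      # passes all three controls
```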
Again, according to my legal friends that means that Twitter is now in a spot that should they fail to fulfill their part of the settlement the FTC may find them in contempt of the settlement which then would permit the FTC to levy fines and penalties.
There is plenty of debate in the security blogosphere discussing whether or not the FTC "went too far" or was legislating by regulation.
For me the important element of the case is the lesson for other growing and emerging businesses.
Twitter has grown more rapidly than they could have known when they started up. As the subscriber base skyrocketed, however, the start-up culture that is more feature focused than formal process focused carried onward. One of the hacks was because a dictionary word, easily guessed, was used to protect an executive's Google Applications account. A dictionary-based password can be guessed easily, especially if you know the person who owns it. Strong passwords are the foundation of information security. If a company isn't using strong passwords we question their commitment to security. Ultimately that lack of commitment is what got them.
Here are some lessons to consider:
Start security and privacy planning with business and application planning and design from the beginning. That is particularly true if your key processes involve confidential, consumer or protected information. The cost of doing security later will be much higher because you'll have to re-engineer. Metaphorically it is similar to adding a basement after your house is built.
Likewise, include information security, privacy and trust considerations in your culture early on. Technology, difficult and expensive to re-engineer, is easy in comparison to restructuring a company's culture. You can operate securely and still create a loose, modern, team-oriented culture. Focus on the customer trust issue as a rallying point rather than the constraints you feel security places on you.
Plan for your future value from the get-go. Twitter's apparent laissez-faire attitude toward information security and privacy earned them a 20-year dance with the FTC. It also puts a mark of toxicity on their value. If I had the money lying around to purchase Twitter, would the potential of a historical lapse in security, or the potential for one in the future, either of which would spawn a contempt finding and financial penalties, give me pause or give me leverage to reduce my offering price? Understand now how a breach or poor architecture might impact your future value and work with that in mind.
Don't cut and paste privacy statements or other statements of values or customer trust from other sites and call them your own. Get an attorney or a privacy professional, or both, engaged in developing your privacy policy. That policy is a sign of trust for your customer now. But poorly executed, it could be a weapon used against you in the future. And as you work on developing that policy, remember it is a legal and technical document and not a marketing brochure.
Finally, don't say things you don't mean or that you can't back up. Be honest. That should be true in all your business dealings as a start up or emerging firm. Customers purchase trust.
Have you built security into your culture and technology from the start? Working on it now?
The 2009 ARRA HITECH Act amended HIPAA's privacy and security requirements in a number of ways. Most importantly, it expanded those required to be compliant with HIPAA to include business associates, and in expanding those requirements made BAs eligible for non-compliance penalties. Many BAs we encounter don't know they need to be compliant and are grossly non-compliant. Don't know? Use this quick test.
The HITECH Act directly obligates business associates to comply with the HIPAA Security Rule's administrative, physical and technical safeguard requirements (for full information on HIPAA and HITECH see . This includes conducting a risk assessment, developing and implementing comprehensive written security policies and procedures with respect to the protected health information (PHI) that they handle, and regularly training staff on information handling procedures and security updates.
Though a full HIPAA audit or assessment requires detailed answers to hundreds of questions, we use 3 questions to informally gauge a client's compliance with HIPAA's provisions. Use them yourself to measure whether your organization stacks up against the HIPAA and HITECH rules and regulations:
1. Compliance Officer:
Can you name your HIPAA Compliance Officer? Can everyone on your staff? Can they articulate their role as compliance officer in the organization?
A base requirement of HIPAA is that a covered entity has a named compliance officer.
A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions.
2. Security Awareness:
Do you train your staff annually on proper information handling techniques? Do you update them periodically on security issues such as phishing, fraud, safe online habits, proper computer use, etc.? If an auditor showed up, could you prove a yes to either of the above questions?
A base requirement of HIPAA is that staff are properly trained AND updated on HIPAA privacy, security and information handling (based on your written policies and procedures).
A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions.
3. Incident response:
Do you have a formal documented plan detailing how you would respond to a breach (break in) of your information systems? Is protected information encrypted?
A base requirement of HITECH was the inclusion of incident response and breach notification provisions.
A no in this category suggests a high likelihood that your organization is not compliant with HIPAA and the amended HITECH act's provisions. A no in this category, as it pertains to information not covered under HIPAA may put you at risk with Ohio's data notification laws, as well.
Nos in any of these categories point to an incomplete HIPAA program. In most cases we can gauge the maturity of the client's HIPAA program, without a formal gap assessment, just by measuring their response to these three questions.
Failure by covered entities and business associates to abide by HIPAA and HITECH requirements can result in fines being assessed on both the organization and the individuals involved.
Use this quick test to self-evaluate. If you can't say yes to all 3 questions consider yourself non-compliant and take action.
Facebook has gotten batted around in the press and blogosphere this week. Facebook made some decisions regarding its privacy stance, implementation of "privacy features" and some special personalization features that have turned out doing a better job of exposing people than keeping their information private. Some bad decisions have eroded consumer trust and, go figure, Facebook is under the gun and working hard to secure value.
If you are using Facebook to promote yourself professionally or to promote your business you need to invest some time understanding the issue.
I spent some time reviewing the deluge of Facebook privacy articles out there. Here are some of the standouts. Read through them and in no time you should have a basic understanding of the Facebook privacy issues and a quick list of things to do to protect yourself. Did I miss any good articles? Please drop a comment and let me know.
This article provides a good amount of background as well as some shocking numbers. Riddle me this: Which document has more words, the U.S. Constitution or Facebook's Privacy Policy?
Don't simply rely on your webmaster or an administrator to fill the survey in. Use it as a chance to discuss your online privacy practices. Do you do what you say you will do? Real trust can only be built by your being transparent about your practices. If you are collecting information on customers but don't want to admit to it are you operating in a way that builds consumer trust?
If you are building a new web based business use the survey to guide a discussion with your developer. Only collect information that you need to serve the customer best. If you aren't going to use it, don't collect it!
If you have an existing web facility use the survey to guide a discussion of your current practices. Are you collecting information that isn't used? Why? If you aren't using it but collecting it you are either exposing yourself if you aren't properly protecting it or spending money to protect something that you don't need in the first place!
Other more complex security and privacy protections don't work if you are not using passwords correctly ... they are your key to security!
I have read more than my fair share of "how to protect yourself in social media" type articles lately (see a good one with links to other good ones at http://www.nateriggs.com/2009/10/how-to-protect-yourself-from-the-social-web/ ) from non-security professionals. These posts discuss protecting your location, creating a family password (like the "you say Thunder, then I say Flash" challenge-response) and other very commonsensical kinds of actions to protect your online self. Most of them forget the most basic fundamental: the password.
Use passwords that are at least eight characters long and include a mix of at least 3 of the following character types: uppercase letters, lowercase letters, numbers and special characters. (WHY?: Following this practice means that guessing your password means working through more choices making guessing both practically and mathematically more difficult.)
But doing that makes it harder to remember, too, right? And most people don't use good strong passwords because they are hard to remember and so because of convenience (or laziness) prefer to type "1234" or "GOBUCKS!". What to do?
Be thoughtful about how you use and mix these characters (##Pa$$W0rd!! is easier to remember than d$a#aabe and, because it is longer, mathematically harder to guess):
Substitute numbers for letters and vice versa (0 instead of O, 4 instead of A, 1 instead of L, 3 instead of E, $ instead of S and so on).
Substitute words for numbers (one for 1, two for 2, and so on).
Use capitalization haphazardly (passWord is stronger than password or PASSWORD).
Use special characters in front of (##password), to end (password$$) or to punctuate or separate words (password!! or pass#word).
Have some fun. Use these combinations to create words or phrases that are easier to remember:
##LuckyDuck$!!
$$Give8100dPlayRug8y
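The composition rule above (at least eight characters, at least three of the four character classes) and the "mathematically harder to guess" point can be made concrete. The checker below is an added example written for this post, not code from the original; it tests the page's own sample passwords plus two constructed weak ones, and estimates the brute-force search space a guesser faces for each.

```python
"""Constructed checker for the password composition rule given in the text:
length >= 8 and characters from at least 3 of 4 classes. It also estimates
the brute-force search space (in bits) for a guesser who must enumerate every
string of the same length over the classes actually used."""
import math
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # 32 printable ASCII symbols
}
MIN_LENGTH = 8
MIN_CLASSES = 3


def classes_used(password):
    """Names of the character classes that appear at least once."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password):
    """True when the password satisfies the length and class-mix rule."""
    return len(password) >= MIN_LENGTH and len(classes_used(password)) >= MIN_CLASSES


def search_space_bits(password):
    """log2 of the count of same-length strings over the classes used.
    This is an upper bound: it assumes a guesser enumerating the whole
    alphabet. Dictionary words with common substitutions (0 for O, $ for S)
    are tried far earlier by wordlist-based guessing, so a long passphrase
    of unrelated words beats a single substituted word in practice."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def evaluate(password):
    """Summarise one password for a report line."""
    return {
        "password": password,
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "meets_policy": meets_policy(password),
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # The page's own examples plus two constructed weak passwords.
    samples = ["##Pa$$W0rd!!", "d$a#aabe", "##LuckyDuck$!!",
               "$$Give8100dPlayRug8y", "1234", "GOBUCKS!"]
    for row in map(evaluate, samples):
        print(row)
```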
And then use your passwords like you do your house, car and office keys:
Never communicate them over the phone, in an email or over IM (or Twitter, for that matter!).
Log off (lock the door) when you are done with a site or stepping away from your computer.
Change your password if you suspect suspicious behavior (it is good to be a little paranoid, no?).
Do not allow your Internet browser to save your password (if you lose control of your laptop, netbook or PDA whoever gains controls has control of your entire digital world).
Do not share your passwords with anyone.
Don't use password hint functions (where you select a challenge like mother's maiden name and provide an answer), or if you are forced to, don't use real data (select mother's maiden name and provide an unrelated answer like Guinness; but honestly, you are liable to fake yourself out on that one, so tread lightly).
If you still have trouble remembering you have 2 choices:
Don't be shy about hitting the "forgot password" button. (It is more secure to have a password reset sent to your email address than it is to use a simple, easy to use password).
Use a password manager like KeePass Password Safe which is a "free, open source, light-weight and easy-to-use password manager".
This sounds so simple. Yet, it is such a serious topic. It isn't the only line of defense, but it is an important one and because of human nature (entering passwords does feel like such a waste of our time) an underused line of defense.
As an executive and online citizen, don't be a victim because you didn't want to invest a small amount of time to do something simple and highly effective. As a business owner, make sure you have policies in place to expect the proper use of passwords by all of your employees across all of your systems and applications.
Understanding the Security Risks With Social Media for Business
We have taken the plunge as a firm and use Twitter, LinkedIn and Facebook to promote our personal brands, market our business and build community with customers and prospects.
While we've embraced the 2.0 world, we've done so with eyes wide open. As we use the technology to create benefits, we also acknowledge we create risks that must be identified, addressed and managed.
Most professionals, most firms using these new technologies, are not "professional paranoids" like us.
If you are using Social Media and have concerns about the risks ... or if you have balked at adopting the technology because of your fears of those risks ... please join me for: