First Amendment Center: A case pending before the Ohio Supreme Court pits the state's public records law, Ohio's equivalent of the federal Freedom of Information Act, against the privacy provisions of HIPAA. At issue is a request by the Cincinnati Enquirer for the Ohio Health Department to produce records of lead-paint notices sent to Ohio households. The department complied for notices sent to multiple-family dwellings, but refused to release those sent to single-family homes on the grounds that the identity of the residents could be inferred from the address alone and that release would therefore violate HIPAA's privacy provisions. Enquirer attorneys argue that the notices are not health records covered by HIPAA; the department counters that they could be considered treatment records because they order property owners to remove lead paint and other hazards. Commentators expect the court to rule that HIPAA does not apply.

silicon.com: Opinions within the information security industry differ on regulation. Bruce Schneier, CTO of Counterpane, argues that the IT security market should be regulated as tightly as airlines or pharmaceutical companies. He contends that software companies currently choose time-to-market and cost savings over security, but would find ways to build more secure products if the government required it. On the other side, Harris Miller, president of the Information Technology Association of America, worries that government regulation would stifle creativity and innovation. Michael Colao, director of information security at Dresdner Kleinwort Wasserstein, argues that innovation and regulation are not mutually exclusive, but adds that regulation adds cost when it is done badly, and that the chances of it being done well are slim.

SearchCIO.com: You would think that CEOs would be well versed in compliance by now. Not necessarily, says Ted Frank, president of compliance software vendor Axentis. He suggests that many a CEO could use a tutorial from the CIO, and proposes five questions the CIO should put to the CEO to forge a shared understanding of the key elements of compliance strategy. The first asks what the principal risks facing the organization are; the second seeks clarity on who holds which compliance and risk management roles and responsibilities; the third asks how the efficiency and effectiveness of the program will be measured; the fourth identifies the stakeholders in the performance of compliance and risk management; and the fifth identifies the systems used, or needed, to manage compliance and risk.

IT Compliance Institute: Companies that expect to reinforce compliance behavior among employees by publishing compliance manuals will be disappointed. Employees read what they need to get their jobs done, and compliance manuals rarely make the cut.
A better approach is to build compliance procedures into the operating manuals employees already use. The Open Compliance and Ethics Group's 2005 draft Red Book offers a number of suggestions on how businesses can improve compliance. Organizations should develop a compliance and ethics plan that includes, among other things, an inventory of compliance requirements, a code of ethics, and compliance controls, policies and procedures. They should also take a unified approach to compliance projects instead of handling HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley in separate silos.

Infoconomy: IT organizations have long struggled to build bridges to the business units. Some have responded by embedding IT staff within those units. Compliance projects may be driving a different trend, however. Project portfolio management (PPM) software lets IT and business units work collaboratively, and David Oates, head of international sales at PPM vendor Primavera, believes the increased focus on legislative compliance will drive adoption of PPM tools to govern compliance projects. Oates concedes that such tools work best as a supplement to cooperative working practices, but adds that PPM gives IT and business units shared visibility into the progress of compliance projects, removing the need to embed or relocate IT staff in other departments. Other experts argue that aligning business and technology is far more a people issue than a technology issue.

Enterprise Networks & Servers: Regulations such as HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and California Senate Bill 1386 share common data-storage requirements, each drafted to reflect the best storage practices at the time it was enacted. Data encryption, WORM (write-once, read-many) storage, synchronized alternate storage and indexed document retrieval are all becoming standard as a result. Besides raising storage standards, these compliance programs also increase the administrative workload of storage managers. Since the volume of information held in secured storage will keep rising, storage managers must work more closely with operations managers to limit stored data by eliminating redundant copies, and must keep up with both new technologies and new legislative and regulatory demands.

3 QUESTIONS: HIPAA and CRM
With Ross Armstrong, senior research analyst at Info-Tech Research Group. Armstrong specializes in IT security, legislative and regulatory compliance, and the health care industry. He is the author of "Securing Your IT Environment and Moving: An IT Perspective" and is working on an in-depth study of Sarbanes-Oxley compliance.

Question: Why haven't we heard much about HIPAA lately?

Armstrong: There haven't been any high-profile prosecutions yet under HIPAA. With Sarbanes-Oxley, you have people fined, going to jail, bankrupted. Sarbanes-Oxley has had a much greater impact on IT people and C-level executives. Organizations covered by HIPAA should be thinking about patient privacy anyway, and HIPAA, after all, is one big privacy policy. But until there is a headline about a hospital official going to jail over selling patient information, HIPAA won't be an effective deterrent. It all boils down to how the law is enforced. When you start throwing people in jail, it becomes a deterrent.

Question: What's the problem with HIPAA and CRM?

Armstrong: Around 25 percent of hospitals have implemented CRM. About 23 percent of clinics and private practices plan to implement CRM within the next three years. The health care industry has traditionally lagged behind the IT curve, while other industries have more ingrained processes and procedures. As long as data included in CRM systems can be characterized as patient data, it is protected under HIPAA and is not the property of the health care organization. In any other industry, customers' names and addresses would be considered regular customer data, but in the health care context, it is protected patient data even if it does not include hard-core medical information such as histories, diagnoses or medications. Regular patient contact information is protected and must be treated accordingly. Organizations must secure that information and prevent it from leaking out in some inappropriate way.

Question: What do health care organizations need to do to address this potential problem?

Armstrong: They need to rejig their processes. If they're going to be contacting patients using CRM data, their processes and procedures need to be refined to ensure that they are HIPAA compliant. They need to make sure that private patient information does not get into the hands of persons other than the patient and those providing health care services. HIPAA includes the concept of segregation of duties, so that only those who need patient information for the purposes of providing health care services may have access to it. CRM users and call center operators should be restricted from being able to view patient information or data elements that are not related to the services they are providing. They should not be able to see health care information unless it is critical to providing health care services. Any health care organization looking to implement CRM should be addressing these issues with vendors. Clearly, CRM offerings to be implemented in a health care environment must be built according to, or made to cater to, HIPAA rules.
By the Numbers
3.3 percent: Average increase in corporate IT costs attributable to Sarbanes-Oxley compliance, according to Gartner.
38 percent: Share of U.S. SMBs with an IT support function that have called on it to counter information security threats.
40 percent: Proportion of companies surveyed by IDG and PricewaterhouseCoopers that employ a chief information security officer, up from 31 percent in 2004.

Breaking Headlines
FinanceTech: Regulators have ordered the U.S. operations of Germany's largest bank to take steps to prevent money laundering, after the Federal Reserve and the New York State Banking Department found deficiencies in Deutsche Bank's controls. The Fed announced an agreement with New York-based Deutsche Bank Trust Co. Americas under which the bank promised to tighten its policies and procedures for reporting suspicious transactions and for vetting customers. No fine was imposed under the agreement.

The State: Universities are threatening to sue the U.S. government over a change in Federal Communications Commission rules that requires providers of online communications services to modify their networks so that law enforcement can more easily monitor e-mail and other electronic communications. The order extends the provisions of the 1994 wiretap law, the Communications Assistance for Law Enforcement Act (CALEA), to universities, libraries, airports and municipalities that provide Internet access. The government says the measure is intended to help catch terrorists and other criminals; the universities argue that the required changes will cost $7 billion while doing little to apprehend lawbreakers.

The Register: Nominet, the registry that runs .uk Internet domains, has backed Argentina's proposal on Internet governance. Argentina's proposal would maintain the status quo of ICANN management but create a worldwide forum in which governments, the private sector and international organizations could provide input. Nominet says it wants a pragmatic approach to Internet governance that does not overhaul the current model. Two other proposals are on the table: a hybrid solution from the European Union and Japan that would replace the hands-off U.S. government role with a hands-on international government consortium, and a third approach, promoted by Brazil, Iran and Russia, that calls for a new government-run organization to take over from ICANN.

Emerging Trends
Techworld: Visa and MasterCard have developed a set of transaction security standards that prohibit merchants from storing magnetic-stripe (track) authentication data after a transaction is authorized. The Payment Card Industry Data Security Standard (PCI DSS) imposes different obligations depending on the number of transactions a merchant handles: the smallest merchants complete a self-assessment questionnaire; mid-level merchants complete quarterly vulnerability scans as well as the questionnaire; and the largest-volume organizations must also submit to on-site audits of their practices.

IT Observer: Even well-defended enterprise networks are increasingly exposed to what are being called spear phishing attacks. Spear phishing differs from ordinary phishing in that it targets one end user or organization at a time, and its aim is to harvest login IDs and passwords. It is time-consuming for the attacker, who must study the target company and gather as much information as possible about its structure and personnel; because the lure is tailored to the recipient, the generic cues users are taught to watch for (unfamiliar sender, poor grammar, mass mailing) are often absent. A successful attack typically installs malware that extracts sensitive personal and corporate data, which is then sold to third parties or used for identity theft.

SearchSecurity.com: Interest in open source databases is growing, and security is a large part of the reason, according to a recent Evans Data survey of 400 companies. While 85 percent of respondents said their proprietary database servers were compromised at least once in the last year, only 9 percent of those using open source databases reported the same. The study also finds that use of MySQL, an open source database, increased more than 25 percent in the last six months and that 44 percent of developers now use it. Some believe the open source community can respond to vulnerabilities faster than proprietary software developers can.

IT Business Edge: Managing Compliance Standards | Issue 44, Vol. 2
This e-mail is sent by: NarrowCast Group, LLC, 124 N. First St., Louisville, KY 40202
Copyright ©2003-2005 NarrowCast Group, LLC. All Rights Reserved.

About the Editor
Peter Buxbaum has been writing about business, technology, and law for 12 years. He has published over 1,000 articles in publications such as Fortune, Forbes, Chief Executive, Computerworld, InformationWeek, and dozens of others. He earned a law degree from Temple University, studied economics at Columbia University, and taught seminars in international business at Penn State University. He can be reached at editorial@itbusinessedge.com.