April 25th, 2017

					The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.
CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.
This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
Overview:
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed:
- CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
- CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
- The Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf

Tags: business associate, HIPAA, HIPAA sanction
Posted in BA, BA and Vendor Management, HIPAA

March 23rd, 2016

Most organizations have posted privacy notices on their websites. Great, right? Well consider that a 2012 study showed that the average reader would need 25 days simply to read the privacy policies for all websites accessed in a year. Website privacy notices are often very poorly written. And that’s not the only problem, as I’ve discovered over the past couple of decades reviewing privacy notices. In the past year in the privacy impact assessments (PIAs) I’ve done, I’ve found two consistent problems with them all.

Tags: privacy impact assessment, privacy management, privacy notice, privacy policy
Posted in privacy

March 8th, 2016

There are fascinating and potentially very helpful smart gadgets being introduced into the consumer market every day, particularly to create “smart homes” that make refrigerators, lights, doors, and anything else that can be connected online (so basically anything) Wi-Fi enabled so that you can control, check on, record, and lock them, to name just a few of the possibilities, from anywhere with a handy dandy app or mobile device.

Tags: data security, Internet of Things, IoT, privacy, smart homes
Posted in Internet of Things, privacy

March 3rd, 2016

					Note: This was written in early January for part of International Data Privacy Day and Iowa Data Privacy Day activities. It is just now being published due to some unforeseen delays.
Do you have any type of wearable health device, like a fitness tracker? Or maybe an implanted or attached medical device, like an insulin pump or pacemaker? If they connect with apps or other computers through wireless connections, they are most likely collecting and sending huge amounts of data. Have you considered all that data, and how it is secured and who is getting it?

Tags: Data Privacy Day, data security, Internet of Things, IoT, medical devices, privacy
Posted in privacy, Uncategorized

January 13th, 2016

In November, some of my friends contacted me, saying they thought I did a pretty good job with my 2015 predictions, and wanted to know what I am predicting for 2016. So here are some good possibilities for the year to come, along with a rewind to see how close I hit the 2015 predictions.

Tags: data security, HIPAA, Internet of Things, IoT, privacy, privacy professor, Rebecca Herold
Posted in Cybersecurity, HIPAA, Information Security, Internet of Things, Miscellaneous

January 13th, 2016

Have you ever gotten an unsolicited call from someone claiming to be a tech support pro who wants to help you with an urgent problem with your computer? Chances are you have. It is estimated that just one type of these many scams has cost U.S. victims $1.5 billion so far in 2015. It is not known how many of these scams are currently active, but with new ones popping up almost every day, I would estimate there are at least hundreds, if not over one thousand, different groups of these crooks launching their own tech support phone scams.

Tags: cyber crime, phishing, tech support scam
Posted in Cybersecurity, Uncategorized

December 12th, 2015

					How well do you think your patient data, wherever it is located, is being secured? How well do you think your healthcare providers (doctors, nurses, hospitals, clinics, etc.) and health insurance companies are securing your patient information?
The fact is, with the increasing occurrences of patient data breaches, and more use of patient data for purposes beyond the provision of healthcare, most people are worried about patient data security.

Tags: data security, HIPAA, patient data
Posted in HIPAA, Information Security, PHI, privacy

November 20th, 2015

					How do we get more women involved in STEM careers, information security and tech?
I took on this topic when I attended the ISACA EuroCACS conference in Copenhagen, Denmark earlier this month and gave two sessions. One was, “Women in IT, Information Security & Privacy.” When researching for this session I found some interesting history, along with some of the current state of inclusion of women within various IT, information security and privacy events. Let’s dive in:

Posted in Women in Tech

October 30th, 2015

A childhood friend of mine, who does not have a technology or information security background, recently asked me whether apps that promise that messages, photos, videos, and anything else sent through them will completely disappear can be trusted. She referenced several different proclaimed “disappearing messages” apps that are currently available and asked, “So what do you think of these disappearing apps? The messages are not really gone?” She is responsible for the care of an adult relative, wanted to be able to communicate with his healthcare providers securely without any of the communications lingering, and had been using one of these apps.

Tags: apps, awareness, Dell, disappearing apps, healthcare, policies and procedures, power more, powermore, privacy, privacy awareness, privacy professor, privacyprof, Rebecca Herold, risk management, security awareness, Snapchat, technology, teen privacy, training
Posted in privacy

October 16th, 2015

Since this is National Cyber Security Awareness Month (NCSAM) it seems appropriate to give some examples and tips for how everyone can improve upon security, and better protect their privacy, this month.

Tags: Dell, Information Security, IT compliance, National Cyber Security Awareness Month, ncsam, policies and procedures, power more, powermore, privacy, privacy awareness, privacy professor, privacyprof, Rebecca Herold, risk management, security awareness
Posted in Training & awareness