Electronic Marketing to EU Residents: Determining When Consent is (and is not) Required

GDPR compliance continues to pose challenges across a wide swath of businesses and business functions that rely on the processing ...

IGA – Where Disruption and Change Couldn’t Come Fast Enough!

Welcome to the introductory post in our “Meaningful Outcomes” series on Identity Governance and Administration (IGA). If you are here ...

EU Privacy and US Trade Limitations: Opening New Opportunities for Mexican Business

By Mayra Cavazos, Senior Consultant, Tueoris, LLC. Introduction: The European Union (EU) General Data Protection Regulation (GDPR) has impacted businesses ...

Driving Effective Privacy Operations with Functional Requirements

By Shawna Doran, Senior Manager, Tueoris, LLC and Dan Goldstein, Partner, Tueoris, LLC. In the run-up to May 25, 2018, ...

Alternatives to Consent: New Approaches to Processing Patient Data for Current and Future Clinical Research

Introduction: Pharmaceutical and biotech companies sponsoring clinical research have traditionally relied on patient consent as the legal basis for processing ...

Security Logging and Monitoring for EHRs

If you are like most medium or large healthcare providers these days, your Electronic Health Record (EHR) environment is likely ...

Is your auditor or consultant anything like the OPM OIG?

The OPM breach has been deservedly in the news for over a month now. Much has been written and ...

No, Security-Privacy Is Not A Hindrance To TeleHealth Adoption

Since I follow the telehealth space rather closely from a security/privacy perspective, I was drawn yesterday to this article titled ...

This is how the #AnthemHack could have been stopped, perhaps

It has been just over a week since the #AnthemHack was made public. Over this period, the mainstream media and ...

Docs turn up the heat on ONC! – Security Commentary

HealthcareITNews reported yesterday on this letter that was written by several physician organizations to the ONC. I wanted to write ...

Wise Words To Avoid Horror Stories in Identity and Access Management

It is no secret that Identity and Access Management (IAM) continues to be a challenge for many organizations. As a ...

Patient Portals – Make or Break

Like many other Health IT initiatives today, the primary driver for patient portals is regulatory in nature. Specifically, it is ...

Hello PCI SSC… Can we rethink?

This is a detailed follow-up to the quick post I wrote the Friday before the Labor Day weekend, based on my read ...

Security is mostly basics, but talk is cheap

In most cases, better security posture is all about getting a few basics right. And this recent incident related to ...

Hello PCI SSC…

Hello PCI SSC, You had me on board until I saw this statement in your guidance1 released yesterday. “However, using ...

PCI Breaches – Can we at least detect them?

Almost all Payment Card Industry (PCI) breaches over the past year, including the most recent one at Supervalu appear to have ...

That Odd Authentication Dichotomy Needs To Change

By now, it should be clear that we need to consider strong (multi-factor) authentication for access to anything of value ...

Beware of Security Best Practices and Controls Frameworks

What could be possibly wrong with “Best Practices” or “Leading Practices” that your favorite security consultant might be talking about? Or ...

How useful is the HHS OIG report published this week?

I am sure some of you saw this news report about HHS OIG finding some security related deficiencies in the ...

From A Security Or Compliance StandPoint…

It is probably safe to say that we security professionals hear the phrase in the title of this post rather ...

A Second Look At Our Risk Assessments?

I came across this Akamai Security Blog post recently which I thought was a useful and informative read overall. As ...

I like the fact that the HIPAA Security Rule is not prescriptive, except…

I think it makes sense for the HIPAA Security Rule (even in its latest form from the Omnibus update) not ...

Top 10 Pitfalls – Security or Privacy Risk Assessments

Risk Assessment is a foundational requirement for an effective security or privacy program and it needs to be the basis ...

Pay attention to Security Risk Analysis in Meaningful Use Attestation

As is well known, Centers for Medicare & Medicaid Services (CMS) has been conducting pre- and post-payment audits of ...

Can we change the tune on Health Information Security and Privacy please?

Notice the title doesn’t say HIPAA Security and Privacy. Nor does it have any of the words – HITECH, Omnibus Rule, Meaningful ...

CHIME On MU Audits… Looking For Thoughts/Feedback

I happened to read this article from Information Week Healthcare and was especially interested by this quote reproduced below… “CHIME ...

Focus On What Really Matters – Outcomes and Results

Here is something to think about as a security/privacy consultant or consulting team, big or small … When you work ...

Compliance obligations need not stand in the way of better information security and risk management

I couldn’t help write this post when I noticed this press release based on an IDC Insights Survey of Oil ...

Do we have a wake-up call in the OIG HHS Report on HIPAA Security Rule Compliance & Enforcement?

If you didn’t notice already, the Office of Inspector General (OIG) in the Department of Health and Human Services (HHS) ...

Next time you do a Risk Assessment or Analysis, make sure you have Risk Intelligence on board

I was prompted to write this quick post this morning when I read this article. I think it is a ...

Providers – Is HIPAA Security Risk Analysis in your plan over the next few months?

Security Risk Analysis is something that we recommend all organizations conduct periodically or before a significant process or technology change ...

Let’s talk some “real” insider threat numbers – How can Access Governance and SIEM be useful as effective safeguards?

If you have been following some of our posts, you probably realize that we don’t advocate security for the sake ...

You don’t know what you don’t know – Do we have a “detection” problem with the healthcare data breach numbers?

Like some of you perhaps, I have been reading a few recent articles on Healthcare data breaches, especially the one ...

May we suggest some priority adjustments to your PCI DSS Compliance program?

It isn’t any news that achieving PCI DSS Compliance continues to be onerous for many merchants out there. PCI DSS ...

Verizon 2010 Data Breach Investigations Report – Key takeaways for Security Assessors and Auditors

The Verizon 2010 Data Breach Investigations Report (DBIR) released last week has some interesting findings, just as it did last ...

Proposed updates to HIPAA Security and Privacy Rules – What is new?

It was good to see the Office of Civil Rights (OCR) publish the long awaited proposed updates to HIPAA Security ...

Logging for Effective SIEM and PCI DSS Compliance …. UNIX, Network Devices and Databases

In one of my previous blogs, I covered the importance of logging the “right” events for an effective Log Management ...

FTC delays enforcement of Identity Theft Red Flags Rule to 12/31/10

FTC announced earlier this morning that it is delaying enforcement of the Red Flags Rule to 12/31/10 pending expected legislation ...

PCI DSS – Quick and Dirty?

I recently received a tweet titled “PCI DSS Compliance – Quick and Dirty”. I think it is safe to say ...

Identity Theft Red Flags Rule – Is the 06/01/10 deadline looking good?

Frankly, I have lost count of how many times FTC has moved the deadline already (see my related post from ...

New details released regarding Internal Security Assessor (ISA) program for PCI DSS

PCI SSC has just released new details regarding the training schedule for the ISA program. The program is obviously PCI ...

Logging for PCI DSS Compliance

PCI DSS has had specific requirements for logging and review of those logs for some time now. The logging requirements (under ...

PCI DSS update related to digital audio recordings containing cardholder data

PCI SSC released another update yesterday related to digital audio recordings. The update provides further clarification (to the update on ...

Vision, Strategy and Leadership – Effective Data Management needs these and more

What am I doing here blogging on Effective Data Management? In the interest of full disclosure, I’m an Information Risk ...

Privacy Statements, Notices, Policies …

How often do we care to read the privacy statements we receive from any number of sources these days? I ...