
Practical Solutions to CCPA Challenges for Pharmaceutical and Life Science Organizations
The California Consumer Privacy Act (“CCPA”) becomes effective in less than a year. That means that for businesses in highly ...

CCPA and Security Safeguards or Requirements
The California Consumer Privacy Act of 2018 (CCPA) is shaping up to be the most significant consumer privacy law passed ...

Operationalizing CCPA Compliance: Know Your Data and Establish Detailed and Practical Workflows
By Dan Goldstein, Co-Founder and Partner, Tueoris, LLC. Introduction If you’re a privacy professional who spent a good chunk of ...

Practical Solutions to CCPA Challenges for Financial Institutions’ Sales and Marketing Activities
The California Consumer Privacy Act (“CCPA”) becomes effective in less than a year and businesses – especially those in highly ...

How Deep Must We Dig? Fulfilling Data Subject Access Requests From Current and Former Employees
By Mayra Cavazos, Senior Consultant, Tueoris, LLC Responding in an appropriate and adequate manner to data subject access requests from ...

Go with the Flow: Personal Information Mapping for CCPA Compliance
By Tamara Lev, Consultant, Tueoris, LLC. Introduction In today’s data-driven environment, businesses around the world consume vast amounts of personal ...

Electronic Marketing to EU Residents: Determining When Consent is (and is not) Required
GDPR compliance continues to pose challenges across a wide swath of businesses and business functions that rely on the processing ...

IGA – Where Disruption and Change Couldn’t Come Fast Enough!
Welcome to the introductory post in our “Meaningful Outcomes” series on Identity Governance and Administration (IGA). If you are here ...

EU Privacy and US Trade Limitations: Opening New Opportunities for Mexican Business
By Mayra Cavazos, Senior Consultant, Tueoris, LLC Introduction The European Union (EU) General Data Protection Regulation (GDPR) has impacted businesses ...

Driving Effective Privacy Operations with Functional Requirements
By Shawna Doran, Senior Manager, Tueoris, LLC and Dan Goldstein, Partner, Tueoris, LLC In the run-up to May 25, 2018, ...

Alternatives to Consent: New Approaches to Processing Patient Data for Current and Future Clinical Research
Introduction Pharmaceutical and biotech companies sponsoring clinical research have traditionally relied on patient consent as the legal basis for processing ...

Security Logging and Monitoring for EHRs
If you are like most medium or large healthcare providers these days, your Electronic Health Record (EHR) environment is likely ...

Is your auditor or consultant anything like the OPM OIG?
The OPM breach has been deservedly in the news for over a month now. Much has been written and ...

No, Security-Privacy Is Not A Hindrance To TeleHealth Adoption
Since I follow the telehealth space rather closely from a security/privacy perspective, I was drawn yesterday to this article titled ...

This is how the #AnthemHack could have been stopped, perhaps
It has been just over a week since the #AnthemHack was made public. Over this period, the main stream media and ...

Docs turn up the heat on ONC! – Security Commentary
HealthcareITNews reported yesterday on this letter that was written by several physician organizations to the ONC. I wanted to write ...

Wise Words To Avoid Horror Stories in Identity and Access Management
It is no secret that Identity and Access Management (IAM) continues to be a challenge for many organizations. As a ...

Patient Portals – Make or Break
Like many other Health IT initiatives today, the primary driver for patient portals is regulatory in nature. Specifically, it is ...

Hello PCI SSC… Can we rethink?
This is a detailed follow-up to the quick post I wrote the Friday before the Labor Day weekend, based on my read ...

Security is mostly basics, but talk is cheap
In most cases, better security posture is all about getting a few basics right. And this recent incident related to ...

Hello PCI SSC…
Hello PCI SSC, You had me on board until I saw this statement in your guidance released yesterday. “However, using ...

PCI Breaches – Can we at least detect them?
Almost all Payment Card Industry (PCI) breaches over the past year, including the most recent one at Supervalu, appear to have ...

That Odd Authentication Dichotomy Needs To Change
By now, it should be clear that we need to consider strong (multi factor) authentication for access to anything of value ...

Beware of Security Best Practices and Controls Frameworks
What could be possibly wrong with “Best Practices” or “Leading Practices” that your favorite security consultant might be talking about? Or ...

How useful is the HHS OIG report published this week?
I am sure some of you saw this news report about HHS OIG finding some security related deficiencies in the ...

From A Security Or Compliance StandPoint…
It is probably safe to say that we security professionals hear the phrase in the title of this post rather ...

A Second Look At Our Risk Assessments?
I came across this Akamai Security Blog post recently which I thought was a useful and informative read overall. As ...

I like the fact that the HIPAA Security Rule is not prescriptive, except…
I think it makes sense for the HIPAA Security Rule (even in its latest form from the Omnibus update) not ...

Top 10 Pitfalls – Security or Privacy Risk Assessments
Risk Assessment is a foundational requirement for an effective security or privacy program and it needs to be the basis ...

Pay attention to Security Risk Analysis in Meaningful Use Attestation
As is well known, the Centers for Medicare & Medicaid Services (CMS) has been conducting pre- and post-payment audits of ...

Can we change the tune on Health Information Security and Privacy please?
Notice the title doesn’t say HIPAA Security and Privacy. Nor does it have any of the words – HITECH, Omnibus Rule, Meaningful ...

CHIME On MU Audits… Looking For Thoughts/Feedback
I happened to read this article from Information Week Healthcare and was especially interested by this quote reproduced below… “CHIME ...

Focus On What Really Matters – Outcomes and Results
Here is something to think about as a security/privacy consultant or consulting team, big or small … When you work ...

Compliance obligations need not stand in the way of better information security and risk management
I couldn’t help writing this post when I noticed this press release based on an IDC Insights Survey of Oil ...

Do we have a wake-up call in the OIG HHS Report on HIPAA Security Rule Compliance & Enforcement?
If you didn’t notice already, the Office of Inspector General (OIG) in the Department of Health and Human Services (HHS) ...

Next time you do a Risk Assessment or Analysis, make sure you have Risk Intelligence on board
I was prompted to write this quick post this morning when I read this article. I think it is a ...

Providers – Is HIPAA Security Risk Analysis in your plan over the next few months?
Security Risk Analysis is something that we recommend all organizations conduct periodically or before a significant process or technology change ...

Let’s talk some “real” insider threat numbers – How can Access Governance and SIEM be useful as effective safeguards?
If you have been following some of our posts, you probably realize that we don’t advocate security for the sake ...

You don’t know what you don’t know – Do we have a “detection” problem with the healthcare data breach numbers?
Like some of you perhaps, I have been reading a few recent articles on Healthcare data breaches, especially the one ...

May we suggest some priority adjustments to your PCI DSS Compliance program?
It isn’t any news that achieving PCI DSS Compliance continues to be onerous for many merchants out there. PCI DSS ...

Verizon 2010 Data Breach Investigations Report – Key takeaways for Security Assessors and Auditors
The Verizon 2010 Data Breach Investigations Report (DBIR) released last week has some interesting findings, just as it did last ...

Proposed updates to HIPAA Security and Privacy Rules – What is new?
It was good to see the Office of Civil Rights (OCR) publish the long awaited proposed updates to HIPAA Security ...

Logging for Effective SIEM and PCI DSS Compliance … UNIX, Network Devices and Databases
In one of my previous blogs, I covered the importance of logging the “right” events for an effective Log Management ...

FTC delays enforcement of Identity Theft Red Flags Rule to 12/31/10
FTC announced earlier this morning that it is delaying enforcement of the Red Flags Rule to 12/31/10 pending expected legislation ...

PCI DSS – Quick and Dirty?
I recently received a tweet titled “PCI DSS Compliance – Quick and Dirty”. I think it is safe to say ...

Identity Theft Red Flags Rule – Is the 06/01/10 deadline looking good?
Frankly, I have lost count of how many times FTC has moved the deadline already (see my related post from ...

New details released regarding Internal Security Assessor (ISA) program for PCI DSS
PCI SSC has just released new details regarding the training schedule for the ISA program. The program is obviously PCI ...

Logging for PCI DSS Compliance
PCI DSS has had specific requirements for logging and review of those logs for some time now. The logging requirements (under ...

PCI DSS update related to digital audio recordings containing cardholder data
PCI SSC released another update yesterday related to digital audio recordings. The update provides further clarification (to the update on ...

Vision, Strategy and Leadership – Effective Data Management needs these and more
What am I doing here blogging on Effective Data Management? In the interest of full disclosure, I’m an Information Risk ...

Privacy Statements, Notices, Policies …
How often do we care to read the privacy statements we receive from any number of sources these days? I ...