6 Reasons to Properly Dispose of Technology

September 23, 2015


We’ve said this before, and we’ll keep saying it: just because used technology gets unplugged and leaves your building, that doesn’t mean the data on it dies. While ensuring that your data doesn’t end up in the wrong hands is reason enough to make sure you dispose of technology properly, it’s far from the only reason.

Look around your office. If it’s like most, it probably looks a lot different than it did five years ago. Computers, phones, copiers and just about everything else associated with office work has changed dramatically. And, they’re going to keep changing.

Technology is advancing faster than just about anybody can manage. With everyone constantly upgrading to the latest, “next best thing,” it begs the question, “what’s happening to all of the old stuff?”

There are Several Good Reasons to Dispose of Technology

Here are six reasons to do so, and all of them can affect your company’s bottom line and reputation.

  1. Criminal Penalties

As the world around us continues to demand faster and more complete access to information (better technology), there is now a more robust policing of used technology disposal.

Depending on your industry, the laws that govern how you dispose of technology can fall under one or more of the following: HIPAA (healthcare), EPA (environmental), FDA (pharmaceuticals and medical devices), FCC (broadcast and phone providers), PCI regulations (credit card data), Sarbanes-Oxley (financial services), Gramm-Leach-Bliley (banking), PII (personally identifiable information) and FACTA (credit reports).

The repercussions of criminal penalties go without saying and can impact each of the remaining reasons we list.

  2. Executive Fines and Incarceration

With information being such a high value commodity in this technological age, punishments are now catching up to the heft of the crime. Companies are now tasked with responsibly disposing of their used technology. Cavalier behavior with information can now lead to huge fines and even jail time depending on the case.

  3. Civil Penalties

Civil penalties are fines imposed by government agencies as restitution for wrongdoing. Check any business page or television news broadcast and it won’t take you long to realize that both state and federal agencies are recognizing the growing exposure related to information security. Fines can add up quickly and damage not only your company’s bottom line, but your reputation as well.

  4. Litigation Costs

One of the misconceptions about technology disposal is that all liability for the data is transferred once the equipment leaves the building. Too often that’s not the reality, and it’s the reason many companies are blindsided by lawsuits even when they believed that things had been done correctly. Nobody wants litigation, because it gets expensive very quickly.

  5. Diminished Stock Prices

Perception is almost as powerful as reality when it comes to the value of stocks. Any of the above can lead to a negative perception of your company, whether it’s well-founded or not. If the perception of your company is diminished, your company’s stock price will be as well.

  6. Public Relations Fallout

The old adage that any publicity is good publicity doesn’t hold true here. Your company’s reputation is damaged if any of the above events occur. As technology becomes increasingly integrated into our daily business and private lives, data security is more important than it’s ever been. Understand your responsibility and ensure that old technology is disposed of properly. Your reputation depends on it.

It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015


Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.


N.J. Law Requires Insurers to Encrypt

January 13, 2015

New Requirement Goes Beyond HIPAA

By , January 12, 2015.


A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers – a stronger requirement than what’s included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

The law applies to “end user computer systems” and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual’s first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver’s license number or state identification card number; address; and identifiable health information.

Different than HIPAA

“The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption,” privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”

Greene points out that because the new state law is tougher than HIPAA, “A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law.”

– Healthcare Info Security
