compliance
New HHS HIPAA Audit/Compliance/Enforcement Procedures Posted
CMS is now the enforcement arm of the HHS for HIPAA and they've posted a sample interview/document request sheet.
You should already be prepared to answer questions like these if your security program is maintained well. It will be important to limit the scope (i.e. have a well-defined list of where EPHI - Electronic Protected Health Information - is stored) and it's probably an even better idea to map the areas outlined against your policies and whatever standards you've built them against.
Heads Up: H.R. 4791 - Federal Agency Data Protection Act
The House introduced H.R. 4791 this week (these things have a way of cascading into the private sector, so it's good to watch what they're up to). Some "highlights" include:
- expands the definition of PII
- formalizes data breach/loss reporting requirements
- mandates encryption and/or obfuscation of records containing PII data
- requires keeping an accurate & current list of systems with PII data at rest or in transit
- outlines notification requirements
- forces protection on mobile devices
- ensures remediation plans are followed when gaps are identified
- *requires a yearly PII audit*
- extends the requirements to contractors that host or process PII data for the govt
- establishes many, many rules with data brokers
If made into a law and applied to private companies, this could generate a slew of additional work for anyone who isn't already doing all they can to protect our personal information.
More Net Advice On IT Control Circumvention, Sigh
If the Net builds it, the users will do anything they can to access it, even if it means violating their corporate policies and flying in the face of their code of ethics.
Digital Inspiration provided friendly advice on how to get access to Twitter (if it's blocked) and uses the big, bad UAE as the justification.
Users need to understand that their jobs are at risk more than ever when they attempt to bypass company restrictions on computer and Internet usage. Companies want to control bandwidth costs, maintain IT security and increase productivity, and they are spending more money than ever on controls and reporting facilities to ensure that you are focused on work. While Twitter is fun and all, it's only a useful business tool for a subset of organizations (now, an *internal* Twitter-like system would be cool) and is a hard sell to management. Is it worth your job - and personal integrity - to violate an agreement that you have signed and promised to adhere to just to IM, e-mail or tweet some friends?
If you *really* need to use blocked services, put together a case and talk to your IT security folks about it - maybe even over coffee or lunch (you may even find that the IT security folks are cool, interesting people). They may be able to help push a reasonable request through or you may discover why it's a bad idea to allow, say, Skype to flow with wild abandon on the company's network.