Archive for September, 2009

SWOT – Starting point for protected health information security

Sunday, September 27th, 2009

Wondering where to start your healthcare security projects? We recommend a SWOT analysis! You can obtain more information about SWOT from this Wikipedia article. SWOT stands for Strengths, Weaknesses, Opportunities, and Threats!

SWOT is typically used in business planning processes, but it can very well be applied to your healthcare security projects. Remember the four points of data security vulnerability: data at rest, data in motion, data in use, and data disposed. Determine the SWOT of all four points of vulnerability and create a plan for remediating the W (weaknesses) and the T (threats) portions of the SWOT. There are likely to be Strengths in your overall systems. The O (opportunity) can be looked at as your ultimate goal of improving the security of your IT systems.

Encryption has always been thought of as a complex technology that is difficult to implement. With a SWOT analysis and the right partner on your side, implementing encryption is a snap! Choosing a partner that specializes in encryption and data security will help you get the protection you need quickly, without an extended learning curve.

How Media Notification Works (and how to avoid it)

Wednesday, September 9th, 2009
Media notification is required when a breach of more than 500 records has occurred. The Interim Final Rule preamble discusses how the U.S. Department of Health and Human Services (HHS) expects the media to be notified in case a breach of over 500 records occurs. Note that HHS considers media notification to be relative to where the affected residents live, not the location of the covered entity or business associate.

  • If the residents whose unsecured protected health information (PHI) was breached live in a particular city, the breach notification should be sent to the prominent media outlet serving that city. A prominent media outlet could be a television station or newspaper (no preference is given).
  • If the residents whose unsecured protected health information (PHI) was breached are spread across a state, the prominent media outlet must serve the entire state.
  • If the total number of records breached is over 500 but the residents live in multiple states and not more than 500 are in any one state, then media notification is not required. Although media notification is not required, notification to the individuals is still required.
  • If the total number of records breached is over 500 in more than one state, media notification is required to the prominent media outlet in each of those states.

The content in the media notification is identical to the content required for individual notification:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web address, or postal address.

HHS expects the notification to the media to be in the form of a press release.

It should be noted that you can avoid media notification and notification to individuals by encrypting protected health information (PHI).

Law Firms Post Opinions and Guidance on Breach Notification

Thursday, September 3rd, 2009

The following law firms have posted opinions and guidance on the new breach notification rules:

  • Proskauer Rose
  • Latham & Watkins
  • Sonnenschein
  • McDermott Will & Emery
  • Dechert
  • DLA Piper
  • Pepper Hamilton
  • Nixon Peabody
  • Winston & Strawn
  • Bass Berry & Sims
  • Duane Morris
  • Baker Donelson
  • Mintz Levin
  • Holland & Knight
  • Covington & Burling
  • Littler
  • Ballard Spahr


Breach notification goes into effect on September 23, 2009

Wednesday, September 2nd, 2009

The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification of breaches occurring before 2/18/10.

During the 180-day period between 8/2009 and 2/2010, covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.