Monthly Archives: August 2009

CMS HIPAA Security Review: Encryption & Employee Background Checks Mandatory, MT Providers Next Under The Microscope?

The first batch of government reviews of covered entities (CEs) for compliance with the security rule revealed a host of deficiencies, ranging from failure to conduct even an initial risk assessment to inconsistent employee training, according to a summary of findings and recommended corrective actions recently released by CMS.

via The XY Files in an MT World : CMS HIPAA Security Review: Encryption & Employee Background Checks Mandatory, MT Providers Next Under The Microscope?.

Solution Providers’ Input Sought for #PCI Security Standard Update – Security

Solution providers who have been frustrated by the PCI DSS now have the chance to voice their positions and request changes. The PCI Security Standards Council is currently soliciting feedback as it prepares to update the standard.

Stakeholders in the compliance process have through the end of October to offer feedback and critiques, with some of the most valuable information and feedback exchange scheduled to occur at two community meetings, one in Las Vegas from Sept. 22-24 and one in Prague from Oct. 26-28.

via Solution Providers’ Input Sought for PCI Security Standard Update – Security.

Skimming Prevention: Best Practices for Merchants #PCI

According to the “Skimming Prevention: Best Practices for Merchants” guidelines expected to be issued by the Payment Card Industry Security Standards Council Tuesday, even tiny cameras hidden in ceilings and charity boxes left on retail counters are being used to steal detailed customer payment data, including PIN numbers.

via How to minimize the risk of illicit credit card capturing – Network World.

OMB Unveils Automated FISMA Reporting System

Changes are coming to the way federal CIOs will report how their departments and agencies comply with the Federal Information Security Management Act, but the revisions have nothing to do with new ways to measure how secure government IT systems and networks are. Starting this fall, departments and agencies must use a new automated reporting system to file their annual FISMA and privacy reports.

via OMB Unveils Automated FISMA Reporting System.

HIPAA.com – HHS Issues Interim Final Rule for HITECH ‘Breach Notification’

HHS Issues Interim Final Rule for HITECH ‘Breach Notification’

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. The Interim Final Rule was signed by Secretary Sebelius on August 6, 2009, filed at the Federal Register on Wednesday, August 19, 2009, and will be published on Monday, August 24, 2009, in the Federal Register. The effective date of the Interim Final Rule will be 30 days after publication, and it will cover both covered entities and business associates of covered entities. Here is the Summary of the Interim Final Rule:

via HIPAA.com – HHS Issues Interim Final Rule for HITECH ‘Breach Notification’.

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

via HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information.

FTC: Organizations not bound by HIPAA must report breaches – Security

In a 4-0 ruling Monday, the FTC approved a rule that will require Web-based businesses that deal with personal health information, even if they are not bound by HIPAA laws, to report security breaches. The Health Breach Notification Rule was created and put in place because Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009.

via FTC: Organizations not bound by HIPAA must report breaches – Security.