The first batch of government reviews of covered entities (CEs) for compliance with the security rule revealed a host of deficiencies, ranging from failure to conduct even an initial risk assessment to inconsistent employee training, according to a summary of findings and recommended corrective actions recently released by CMS.
Solution providers who have been frustrated by the PCI DSS now have the chance to voice their positions and request changes. The PCI Security Standards Council is currently soliciting feedback as it prepares to update the standard.
Stakeholders in the compliance process have through the end of October to offer feedback and critiques, with some of the most valuable information and feedback exchange scheduled to occur at two community meetings, one in Las Vegas from Sept. 22-24 and one in Prague from Oct. 26-28.
I read with interest the recent column by Eric Ogren, "Hacker charges also an indictment on PCI," and wanted to respond to the negative suggestions it implied about the PCI Data Security Standard.
According to the "Skimming Prevention: Best Practices for Merchants" guidelines expected to be issued by the Payment Card Industry Security Standards Council on Tuesday, even tiny cameras hidden in ceilings and charity boxes left on retail counters are being used to steal detailed customer payment data, including PINs.
Changes are coming to the way federal CIOs will report how their departments and agencies comply with the Federal Information Security Management Act, but the revisions have nothing to do with new ways to measure how secure government IT systems and networks actually are. Starting this fall, departments and agencies must use a new automated reporting system to file their annual FISMA and privacy reports.
HHS Issues Interim Final Rule for HITECH ‘Breach Notification’
U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, has issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. The Interim Final Rule was signed by Secretary Sebelius on August 6, 2009, filed at the Federal Register on Wednesday, August 19, 2009, and will be published on Monday, August 24, 2009, in the Federal Register. The effective date of the Interim Final Rule will be 30 days after publication, and will cover both covered entities and business associates of covered entities. Here is the Summary of the Interim Final Rule:
Radisson Hotels revealed Wednesday that a “limited” number of guests may have had their credit or debit card data stolen, due to a breach of the computer systems at some of the chain’s hotels.
Have you ever heard of a federal agency in charge of enforcing a set of regulations that is partly funded by the penalties it imposes on violators?
The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
In a 4-0 ruling Monday, the FTC approved a rule that will require Web-based businesses that handle personal health information, even if they are not bound by HIPAA, to report security breaches. The Health Breach Notification Rule was created because Congress directed the FTC to issue it as part of the American Recovery and Reinvestment Act of 2009.