Awareity's Lessons Learned Blog


123 Failed Banks…the Killer Gap

Posted in Knowledge Management,OK, Then What? by awareity on November 16, 2009

123 banks have now been closed this year and questions continue to mount with each bank closing.

One of the questions is: What role is the Killer Gap playing in these bank closures?

Have you heard of the Killer Gap?

The Killer Gap is the result of the following trends:

  • Mounting Risks
  • Increasing Costs (Security, Compliance, Business Continuity, Management, etc.)
  • Escalating Regulations
  • Changing Economic Conditions

Combined with:

  • Decreasing Budgets
  • Limited Resources
  • Traditional Management Tools
  • Poor/Outdated Decision Making

[Figure: Killer Gap diagram]

This widening gap presents difficult challenges for every organizational leader and can lead to expensive, embarrassing and business-ending results.

Is your organization prepared to control and manage the Killer Gap?

HHS Strengthens HIPAA Enforcement

Posted in Information Security,OK, Then What? by awareity on November 3, 2009

If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009.  This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI).

The news release announces that HHS has issued an interim final rule that strengthens its enforcement of the HIPAA rules by conforming the HIPAA enforcement regulations to the changes made by the HITECH Act.

As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after February 18, 2009.

I am curious whether organizational leaders are taking notice of a trend that is catching on: strengthened enforcement of regulations.

The FDIC, OSHA, SEC, FINRA, FTC and others have also announced that they are strengthening enforcement of their regulations.

Are organizational leaders paying attention and taking steps to strengthen their management programs?

Stay tuned….

Rocky Mountain Bank vs. Google

In this Network World article, a US District Court Judge in California ordered Google to deactivate the Gmail account of a user to whom personally identifiable information had been sent by mistake.  An employee of Rocky Mountain Bank sent an e-mail to the user’s account in error containing the names, Social Security Numbers and loan information of more than 1,300 bank customers.

Once the employee realized the mistake, they quickly sent a follow-up e-mail asking the recipient to destroy the previous e-mail and contact Rocky Mountain Bank as soon as possible.  After receiving no reply from the recipient, the bank asked Google for information on the Gmail account holder, which Google refused to provide without a court order.

On September 25, the court issued a temporary restraining order requiring Google to shut the account down and to disclose whether the account was still active and whether the confidential information had been viewed.   Google complied with the order.  The bank has confirmed that the confidential message was never opened and that it has now been permanently deleted.

Not sure if I agree with the judge’s decision, but I think everyone can agree that important lessons were learned.  Lessons learned include 1) making sure employees understand the regulatory mandates that prohibit transmitting unencrypted personally identifiable information, and 2) making sure employees understand acceptable e-mail usage guidelines and verify that every e-mail address is correct before hitting SEND!  The first lesson is as much a control as a training point: a message encrypted to its intended recipient is unreadable at a wrong address, and no court order would have been needed to contain it.

Additional acceptable e-mail usage guidelines and questions to consider before sending any e-mail or other electronic message may include:

  • Who is receiving the e-mail?
  • Does the content disclose proprietary information about my organization?
  • Does the content disclose sensitive personal information?
  • Does the content disclose confidential data about clients, contracts, etc.?
  • Are there statements or accusations in the content that cannot be substantiated?
  • Does the content contain offensive, racist or slanderous information?
  • What would happen if the e-mail was shared, stolen or forwarded to someone else within or outside of my organization?
  • If the e-mail went public, would it have a negative effect on me or my organization?
  • Does the e-mail comply with organizational requirements?

Remember….everyone knows how to use e-mail…but not everyone understands the risks and consequences of using e-mail, so taking time to ensure awareness and accountability can make a huge difference in your bottom line results.
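The two lessons above (no unencrypted PII in transit, and recipients checked before SEND) are usually enforced at the outbound mail gateway as well as in training. The following Python is an added example and is not code from the original post, from Rocky Mountain Bank or from Google: it scans an outgoing message, including text attachments such as a CSV export, for Social Security Number patterns and blocks the message when any recipient is outside the organization's own domain or its approved partners. The domain names, the addresses, the SSN values and the sample messages are all constructed for the demonstration.

```python
"""Outbound mail check: stop PII from leaving to an unexpected address.

Added example, not code from the original post, the bank or Google.
Assumptions (hypothetical): the organisation's own domain is
example-bank.com, vetted partners are listed in APPROVED_EXTERNAL, and
the sample messages and SSN values below are constructed for the demo.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example-bank.com"}          # assumption: our own mail domain
APPROVED_EXTERNAL = {"trusted-vendor.example"}   # assumption: partners cleared for PII

# AAA-GG-SSSS with separators required, so plain 9-digit loan or account
# numbers are not mistaken for Social Security Numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]


def recipients(msg) -> list:
    """All To/Cc/Bcc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def external_recipients(msg) -> list:
    ext = []
    for addr in recipients(msg):
        domain = addr.rsplit("@", 1)[-1]
        if domain not in INTERNAL_DOMAINS and domain not in APPROVED_EXTERNAL:
            ext.append(addr)
    return ext


def message_text(msg) -> str:
    """Body plus every text/* part, so a CSV attachment is scanned too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_outbound(raw_message: str) -> dict:
    """Gateway decision for one outgoing message (RFC 5322 text).

    block               SSNs present and a recipient is outside the organisation
                        and its approved partners
    require_encryption  SSNs present, all recipients internal or approved
                        (policy assumption: PII still travels encrypted)
    allow               no SSNs found
    """
    msg = message_from_string(raw_message)
    ssns = find_ssns(message_text(msg))
    ext = external_recipients(msg)
    if ssns and ext:
        action = "block"
    elif ssns:
        action = "require_encryption"
    else:
        action = "allow"
    return {"action": action, "ssn_count": len(ssns), "external": ext}


def build_sample(to_addr: str) -> str:
    """Constructed message modelled on the incident: a loan list sent as a
    CSV attachment. Customer names and SSNs are made up."""
    msg = EmailMessage()
    msg["From"] = "loan.officer@example-bank.com"
    msg["To"] = to_addr
    msg["Subject"] = "Loan file"
    msg.set_content("Attached is the loan list you asked for.")
    rows = "name,ssn,loan\nA Customer,123-45-6789,12000\nB Customer,234-56-7890,8000\n"
    msg.add_attachment(rows, subtype="csv", filename="loans.csv")
    return msg.as_string()


if __name__ == "__main__":
    # Misdirected to an outside webmail address: blocked at the gateway.
    print(check_outbound(build_sample("someone@webmail.example")))
    # Same file to a colleague: allowed only with encryption.
    print(check_outbound(build_sample("compliance@example-bank.com")))
```

The check deliberately ignores bare 9-digit numbers and SSA-impossible values to keep false positives down; a real deployment would add the other identifiers the organization handles (account and loan numbers, card PANs with a Luhn check) and scan non-text attachments after extracting their text.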

HHS Has Busy Week and HIPAA Strikes Again!

Posted in Lessons Implemented,OK, Then What? by awareity on August 21, 2009

Health and Human Services (HHS) issued new regulations this week requiring healthcare providers, health plans and other entities covered by HIPAA (Health Insurance Portability and Accountability Act) to notify patients if their unsecured protected health information has been breached.

The regulations were developed by the HHS Office for Civil Rights (OCR) and require healthcare providers and other HIPAA covered entities to promptly notify the affected individuals, and to also notify HHS and the media when a breach affects more than 500 people.

Earlier this week, HHS announced that they delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR).

Any lessons learned from the announcements this week?

Absolutely!  If you are a manager working in a “HIPAA covered entity” – which includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, insurance companies, HMOs, company health plans, government programs that pay for healthcare and healthcare clearinghouses – then your lesson learned is pretty obvious…make sure you fully implement your privacy and security programs as soon as possible.

Why should you take action as soon as possible?

Because OCR now has authority for:

  • the HIPAA Security Rule
  • the HIPAA Privacy Rule
  • the Breach Notification requirements

And because the Health Information Technology for Economic and Clinical Health (HITECH) Act and American Recovery and Reinvestment Act of 2009 (ARRA) mandate these requirements.

Healthcare managers beware…

HIPAA Alert! And Congratulations to HHS Secretary Sebelius

Posted in OK, Then What? by awareity on August 19, 2009

In case you missed it, the Department of Health and Human Services (HHS) has delegated the authority for the administration and enforcement of HIPAA Security Rule to the Office for Civil Rights (OCR). 

In the article Secretary Sebelius commented:

“Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information. Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”

Why should this announcement be taken seriously in the Healthcare industry?

Enforcement changes are coming.

There is no doubt that pressure on HHS to enforce security and privacy in Healthcare is mounting.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been around now for 13 years, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), requires improved enforcement of both rules.

Congratulations to Secretary Sebelius for recognizing the advantages of eliminating duplication and increasing efficiencies within HHS.  But now comes the hard part – getting healthcare institutions to effectively and fully implement HIPAA, HITECH, PCI, FACTA and many other state and federal mandates.

Healthcare managers should be thankful for the 13 years of lax enforcement with HIPAA, and now that the HIPAA alert has been delivered, healthcare managers should be taking aggressive actions to avoid being the next enforcement poster child.

To Do Lists and Got To Do Lists…

Posted in Lessons Learned,OK, Then What? by awareity on August 14, 2009

Every manager I talk to has a long To Do List and they all say the list is getting longer.

Then I ask them about their GOT TO DO LIST.  Their responses usually include groans, moans and terribly painful looks on their faces.

As I talk to more and more managers and review more and more headlines in the news, it is obvious to me that managers’ GOT TO DO LISTS are becoming more painful by the day.

Why are GOT TO DO LISTS getting more painful?  Look at these articles which include lessons learned as well as future challenges:

Heartland CEO on Data Breach: QSAs Let Us Down

HITECH Act Ramps Up HIPAA Compliance

Obama Wants Big Banks to Pay More for Oversight

FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule

Updated Federal Guidelines for 2009 H1N1 Influenza in Schools Offer Many Options

Improving OSHA’s Enhanced Enforcement Program

How are you managing and implementing your GOT TO DO LIST?

Article Cites “Dingbat Data Leaks”

A title to an article in SmartMoney caught my attention because it read “Dingbat Data Leaks”.

I think it caught my attention because over the last 27+ years or so I have worked with my share of IT and IS department managers, as well as spending many years working with end-users, and I am not sure I understand who the author is referring to as the “dingbats”.

The author mentions absurd incidents and common blunder incidents….so:

Are the people that throw away sensitive records in the trash the dingbats?

Are the people that lose flash drives and laptops the dingbats?

Is the gas station attendant who refilled the receipt printer with a used roll that had prior customers’ credit card data printed on the back a dingbat?

I get the impression from the article that yes, they are the dingbats.  The article closes with an interesting bright side revelation from a Ponemon researcher that only 2 percent of all data breaches result in ID fraud.  And the conclusion of the article cites that cluelessness works both ways and says “just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they’ve received.”

Everyone has their own view, however I see some great Lessons Learned in this article for business leaders.

Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand which records can and can’t be thrown away and which need to be shredded?

Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand how to handle and protect information that is in transit or on mobile devices?

Isn’t it the responsibility of the business leaders to ensure their technology and business devices are compliant with today’s security and privacy regulations?

Is it possible the source of these common problems is the business leaders not implementing situational awareness, regulatory requirements, legal due diligence and accountability for their employees?

After 27+ years experience and research, I know People are very capable and most want to help.  I also know People can be an organization’s first layer and best layer of defense in protecting against data leaks, but only if business leaders understand the problem and take steps to implement and enforce simple and reasonable processes and procedures at the individual level.

H1N1 Could Hit Up To 40% of US This Year…

Posted in OK, Then What? by awareity on August 3, 2009

Not sure if most people saw the article in USA Today, but health officials from the Centers for Disease Control and Prevention made a disturbing new projection that up to 40% of Americans could get H1N1 (swine flu) this year and next….and several hundred thousand could die if a successful vaccine campaign is not ready.

These projections for the US are nearly twice the number of people that catch the flu in a normal season.

Is your organization prepared?  Has your organization performed assessments to determine what could happen and what would need to happen if up to 40% of its staff was sick or home with sick family members?

Has your organization developed plans and responsibilities to ensure everyone knows what to do in different situations so your organization is prepared to prevent, respond and recover?

Has your organization considered how they are going to implement the results of your assessments and the details of your plans and responsibilities?  In other words, do all managers, employees at work, employees at home, partners, contractors, vendors, service providers, community organizations, municipalities, law enforcement and other third-parties know what to do, when to do things, who should do what, where to go and why?

Now that officials in Europe are seeing more H1N1 flu cases and fast-tracking a vaccine, managers in the US should take note and immediately begin updating and implementing their Pandemic Flu plans and responsibilities to be better prepared for the upcoming flu season.

And one more thing…schools can very quickly become germ factories for the flu and school season is just around the corner.

Strained Budgets Cut Funding for Technologies…Blessing in Disguise?

Posted in Information Security,OK, Then What? by awareity on July 30, 2009

According to a recent article, because of tight budgets, many organizations plan to cut funding for technologies that would help to mitigate the main security threats they face.

The article went on to say that 72 percent of respondents have seen an increase in e-mail borne malware and phishing, but eight percent of respondents said they plan to cut previously allocated funding for messaging security, e-mail encryption, e-mail security or instant messaging security technologies.

The survey also revealed that although 40 percent of respondents noted lost or stolen devices as a top security challenge for the next 12 months, 15 percent said they will be cutting budget allocations planned for mobile encryption and wireless security.

Other surveys have offered some interesting numbers, too.  A survey from Ponemon indicated that 88% of breaches in 2008 were due to negligence and a survey from Verizon revealed 90% of breaches could have been prevented with security basics.

So perhaps the strained budgets could be a good thing?

What if an organization implemented awareness and accountability instead of more technology?

What if an organization implemented better knowledge that led to better decisions, less duplication and more efficiency across their silos/departments?

The bottom line would be improved with cost savings.  The bottom line would be improved by targeting negligence.  The bottom line would be improved by addressing security basics.  None of this removes the need for the controls that actually stop e-mail-borne malware or protect a lost laptop; it means spending first on the negligence and missing basics that the surveys say cause most breaches.

The bottom line is that perhaps strained budgets are a blessing in disguise…

School and Campus Safety Training Forum Highlights the “Whats”

Posted in OK, Then What? by awareity on July 29, 2009

I am attending the 2009 Virginia School and Campus Safety Training Forum, and the speakers have been very informative, providing the attendees with a whole lot of “what you should dos”…also called recommendations.

The “what you should dos” and recommendations are targeting serious challenges and obligations:

  • Legal Gotchas
  • Regulatory Updates
  • Gang and Drug Abuse
  • Search Guidelines
  • Violence and Crime Prevention
  • Bullying
  • Establishing Relationships with School and Community
  • Threat Assessment Team Recommendations
  • And many other important topics…

In talking with several of the attendees, I have been asking which step is the most difficult:

  • Performing Assessments
  • Planning and Development of Programs
  • Implementing Plans and Ongoing Assessment Results

The results have been unanimous…Implementing is the most difficult.

This is not a surprise based on numerous school related reports including the Virginia Tech Review Panel Final Report which stated:

“Had the recommendations in this report been implemented, many of the problems cited above might have been averted.”

I think one of the attendees summed up this challenge even better telling me:

“The conference is great and I am fired up to go back to my school and improve my safety program….but when I get back to my office I am not sure how to implement all this information with all the people that need to know.”

Of course I explained to him that using proven implementation tools was the key…
