Privacy Warriors Must Operationalize to Keep Compliance Up, Data Breaches Down

by Mahmood Sher-jan

Privacy warriors constantly battle to keep pace and comply with complex and ever-changing regulations designed to address rapidly evolving business practices, technologies, and privacy threats. In 2014 alone, at least 19 states have introduced bills that could amend or impact breach laws. Unfortunately, these warriors are learning that the gap between what they must do and what they are doing is growing unless their organizations implement the required processes and tools designed to simplify the monitoring and management of these complex breach laws.

CISOs know the importance of operationalizing data incident response

by Mahmood Sher-jan

I was invited to speak about data governance in Boston and Washington DC last week along with multiple groups of security and compliance executives. Coincidentally, the Boston session was on January 28th, which is designated as Data Privacy Day. These sessions were part of data governance roundtable discussions organized by the CISO Executive Network. The scope of discussions ranged from organizational culture to data proliferation to emerging technologies addressing data classification, behavioral threat intelligence, and incident response management.

Why Aren’t Health Insurance Exchanges (HIX) Bound By HIPAA Rules?

by Mahmood Sher-jan

Yes, it is understandable that a HIX would not meet HIPAA’s definition of a covered entity (CE) and therefore the HIPAA Privacy Rule would not generally apply. But I wonder why these exchanges did not get designated as Business Associates (BA) under HIPAA, since they all provide a clear service (data analysis and eligibility) to participating Health Plans, and these plans are all covered entities under HIPAA?

Why the Healthcare CISO can’t be a Dr. No

by Mahmood Sher-jan

Well, the obvious answer is that acting as Dr. No can impede innovation and delivery of business value, not to mention its career-limiting effects. If you are associated with the Healthcare industry, you are witnessing the biggest transformation any industry has gone through. Whether you are a CISO at a Provider, a Payer, or a Healthcare Business Associate (BA), there’s little resembling business as usual. So much is changing so fast that the goal posts for meeting your security & privacy obligations and keeping your patients’ and members’ data secure seem farther than ever before. You are expected to be an enabler of sharing ever-larger amounts of sensitive patient & member data with authorized entities, not a blocker.

Solving Incident Risk Assessments through Innovation

by Mahmood Sher-jan

I recently returned from the weeklong Gartner Group 2013 Symposium/IT Expo in Orlando, where over 12,000 CIOs and IT professionals from across many industries, including Healthcare, were in attendance. Healthcare CIOs are expected to use innovation and emerging technologies to become data brokers and data stewards in the brave new world of connected and mobile healthcare services delivery.

Buckle Up and Face Your Final Rule Enforcement Date!

by Mahmood Sher-jan

If you are the adventurous type you might appreciate a blind date now and then for the mystery it can offer, but the same is never true when the blind date is with a regulator. The anxiety of not knowing your obligations and consequences well in advance of the date can be brand and even career threatening. While the 9/23/2013 enforcement date was rapidly approaching, I found myself spending time handling many calls from privacy officers and CISOs who are using our RADAR data incident management software.

Final Breach Notification Rule Enforcement Impact: UP or Down?

by Mahmood Sher-jan

Since the publication of the Final Breach Notification Rule in March 2013, there has been rampant speculation about the impact of the rule on the number of health care data breaches. Would the rule’s new “compromise” standard cause the trajectory of reported breaches to change significantly as of 9/23/2013, the enforcement date?

HHS’ Sensible Compromise on the Controversial Harm Threshold (Part 2)

by Mahmood Sher-jan

In part 1 of my analysis of the HIPAA final breach notification rule I focused on the implications for covered entities and business associates of the change to the definition of “breach.” The revised definition removed the controversial “risk of harm” language and instituted an incident-specific risk assessment requirement. According to HHS, the harm threshold was giving covered entities too much flexibility to apply their own perception of whether the incident could harm the affected patients. The focus of this Part 2 analysis is on the practical choices facing covered entities to comply with the newly minted “compromise” standard and the associated four risk factors.

Breach Notification Laws: An Evolving Mine Field

by Mahmood Sher-jan

In 2012 a number of states made changes to their breach laws, including Connecticut, Texas and Vermont. The most noteworthy was Texas' House Bill 300, which amended the state's existing data breach law effective September 1, 2012, requiring covered entities in Texas to notify affected individuals regardless of their state of residency. This is groundbreaking because it is the first time that a state has expanded the reach of its obligations beyond its own borders, basically saying that the obligations of a breached entity that does business in the state do not stop at the borders of the state but follow the affected patients wherever they may reside.

Patient Identity Infection—A Multi-Faceted Risk Facing Patients

by Mahmood Sher-jan

At ID Experts we have been helping identity theft victims and patients protect and restore their identities for over a decade. It is our mission after all. It shapes our company culture and values. We know very well that identity theft and medical identity theft are growing problems. So what are the risks to patients’ identity in the healthcare setting, and how do we protect against these risks? We know intuitively that prevention is the best medicine, but how can we truly prevent a problem with so many root causes—some intentional but most unintentional?
