According to a study released by the IT Policy Compliance Group, 68% of organizations experience six losses of sensitive data every year, while another 20% suffer 22 or more sensitive data losses annually.
Because of this sharp increase in data breaches, and because over 70% of identity theft originates in the workplace,
the burden has been placed on all of us through new or expanded federal laws such as HIPAA, the GLB Safeguards Rule, FACTA and FCRA, as well as numerous state laws.
Over 37 states currently have such laws, and most of the remaining states have legislation pending.
Schools, universities, colleges, government entities, churches, non-profits, business owners, employers and employees
all now have greater accountability for how they handle, protect and dispose of Protected Health Information (PHI) and Non-Public Information (NPI).
Given both our desire and our greater responsibility to protect our
Students
Employees
Vendors
Clients
with no statute of limitations, and given the risk of substantial penalties if we fail to do so, it is imperative that we achieve and maintain compliance.
A recent report by The Ponemon Institute showed that 81 percent of U.S. companies
surveyed reported the loss of one or more laptop computers containing sensitive
information during the previous 12 months.
Given how often computers are lost or stolen, encrypting the files they hold is one step toward preventing data loss and breach.
A further safeguard is authenticating user access by stronger means than passwords alone. The two complement each other: an encrypted disk protects the data on a lost laptop, while strong authentication protects the credentials that unlock it.
More secure and compliant website and e-mail access are two further key factors in preventing data breach.
The FFIEC has mandated that financial institutions with online access have stronger, multi-factor authentication for web access.
Can other regulatory bodies be far behind?
As for email, both HIPAA and the Gramm-Leach-Bliley Safeguards Rule (GLB) require that an entity
(business, government, et al) provide compliant email systems for its employees, sales associates and sub-contractors.
Reference: GLB Requirements
OIG Region 4 in Atlanta is kicking off the first provider HIPAA security rule audit, but a source indicates it will be national. Some Medicare fiscal intermediaries have also been audited by OIG for HIPAA security rule compliance, says the source, who has direct knowledge of the audit but declines to be identified.
The security regulation mandates physical, technical and administrative safeguards for e-PHI, implemented through a set of standards. For every standard, the security rule provides a number of "implementation specifications." There are two kinds of implementation specs: required and "addressable." An addressable specification is not optional: the entity must implement it if reasonable and appropriate, or else document why it is not and adopt an equivalent alternative measure.
In the face of a possible OIG audit and generally given the potentially disastrous consequences of a breach, organizations should take a hard look at their level of security compliance, says consultant Chris Apgar, president of Apgar & Associates LLC in Portland, Ore.
Excerpted from: AISHealth.com
To be within GLB/GLBA compliance, you must also have policies and procedures in place to ensure that Non-Public Personal Information (NPI) is safeguarded, retained, transferred and disposed of in a confidential manner.
Do You Have Information Access Controls In Place?
What are the challenges to the deployment of biometric authentication technologies?
Answer:
Authentication is one of the three As, authentication, authorization and accountability, of user administration and control. Though authentication is critical, the other two are challenges that enterprises must address first. It is difficult to administer authorization for access to applications or data in a large organization with tens of thousands of users.
Solving this will require significant expenditure and will push biometrics to the back burner in the near term.
One of the knocks against biometrics, especially voice and face recognition, is a high false rejection rate: an authorized person is denied access because the system cannot match even slight deviations in an individual's appearance or voice against the enrolled template. (Lowering the match threshold to reduce these rejections raises the false acceptance rate, so tuning is a trade-off rather than a fix.)
Smart cards and other two-factor solutions have become the accepted form of strong authentication. Companies have a significant investment in this technology, which works close to 100% of the time (compared to a reported 90 to 98% with biometrics).
This makes biometrics a tough purchase decision. The Department of Defense just issued its one-millionth smart card, evidence of how entrenched and successful two-factor authentication is. An organization of that size would be hard-pressed to switch to a new technology any time soon.
What is seen in privacy and security circles as the best solution is not biometric authentication, but token-less, cognometric authentication such as Passfaces.