Sunday, November 08, 2009

German Big Brother Award - Companies & Privacy

Each year a committee of privacy experts selects the companies that have actively profited from and supported privacy violations (so-called legal or borderline ones). This year, according to Heise Online, the prize for the worst offender went not to a single company but to a large number of them:

- Quante Netzwerke, for developing and selling software that stores the network data of Internet users, also known as "Lawful Interception".

- Utimaco Safeware, for its "Data Retention Suite".

- Datakom subsidiary GTEN, for its outstanding work in eavesdropping technology.

- Syborg, a company specializing in telephone recording and analysis.

- DigiTask, for developing a Trojan (malicious code) that can be used to eavesdrop on Skype conversations.

- Secunet, for selling/providing its "Sina-Box" to every telecommunications interception facility the German government operates.

- Cisco, for its deep packet inspection technology, which allows monitoring to keep pace with ever-increasing Internet traffic.

- Trovicor, a spin-off from Nokia Siemens Networks (NSN), which delivered surveillance software to Iran.

Read more: German Big Brother Awards (English)

1SSA - Security Consulting, Training and Products

Sunday, November 01, 2009

HHS issues an interim final rule on HIPAA enforcement

On October 30th the US Department of Health & Human Services (HHS) issued an interim final rule to strengthen enforcement of the Health Insurance Portability and Accountability Act (HIPAA). This was necessary because the Health Information Technology for Economic and Clinical Health (HITECH) Act modified the HHS Secretary's authority to impose civil money penalties for HIPAA violations occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.

Prior to the HITECH Act, HHS could not impose penalties of more than $100 for each violation or $25,000 for all identical violations. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

Do you have checks in place that ensure you are in compliance? Regular evaluations are common practice; NIST SP 800-66, the implementation guide for the HIPAA Security Rule, describes them, and the Security Rule itself requires a periodic evaluation of security controls.

Contact us, we can help.

Read more:
HHS announcement
