Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Showing posts with label Encryption.

Monday, January 13, 2020

Big tech is thinking about digital ethics, and small businesses need to keep up

Daphne Leprince-Ringuet
zdnet.com
Originally posted 16 Dec 19

Here is an excerpt:

And insurance company Aviva recently published a one-page customer data charter along with an explainer video to detail how it uses personal information, "instead of long privacy policies that no one reads," said the company's chief data scientist, Orlando Machado.

For McDougall, however, this is just the tip of the iceberg. "We hear from Microsoft and Intel about what they are doing, and how they are implementing ethics," he said, "but there are many smaller organizations out there that are far from thinking about these things."

As an example of a positive development, he points to GDPR regulation introduced last year in the EU, and which provides more practical guidelines to ensure ethical business and protection of privacy.

Even GDPR rules, however, are struggling to find a grip with SMBs. A survey conducted this year among 716 small businesses in Europe showed that there was widespread ignorance about data security tools and loose adherence to the law's key privacy provisions.

About half of the respondents believed their organizations were compliant with the new rules – although only 9% were able to identify which end-to-end encrypted email service they used.

A full 44% said they were not confident that they always obtained consent or determined a lawful basis before using personal data.

The info is here.

Wednesday, December 19, 2018

Hackers are not main cause of health data breaches

Lisa Rapaport
Reuters News
Originally posted November 19, 2018

Most health information data breaches in the U.S. in recent years haven’t been the work of hackers but instead have been due to mistakes or security lapses inside healthcare organizations, a new study suggests.

Another 25 percent of cases involved employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.

“More than half of breaches were triggered by internal negligence and thus are to some extent preventable,” said study coauthor Ge Bai of the Johns Hopkins Carey Business School in Washington, D.C.

The info is here.

Sunday, March 10, 2013

Protecting Patient Privacy and Data Security

By Julie K. Taitsman, Christi Macrina Grimm, and Shantanu Agrawal
The New England Journal of Medicine - Perspective
February 27, 2013
DOI: 10.1056/NEJMp1215258

Here is one portion of the article.

STEPS TO PROTECT AND SECURE INFORMATION WHEN USING MOBILE DEVICES*

• Install and enable encryption
• Use a password or other user authentication
• Install and activate wiping, remote disabling, or both to erase data on lost or stolen devices
• Disable and do not install or use file-sharing applications
• Install and enable a firewall to block unauthorized access
• Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks
• Keep security software up to date
• Research mobile applications before downloading
• Maintain physical control of mobile devices
• Use adequate security to send or receive health information over public Wi-Fi networks
• Delete all stored health information on mobile devices before discarding the devices

* Recommended by the Office of the National Coordinator for Health Information Technology

The entire article is here.

Thanks to Gary Schoener for this article.

Friday, October 19, 2012

To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That Is Surprisingly Complex

by Elizabeth H. Johnson
Poyner Spruill LLP
Originally posted on October 5, 2012


Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.

Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.

(cut)

One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.

The entire article is here.

Thanks to Marlene Maheu for this article via LinkedIn.