Communication Training and Curriculum Development

Interesting...C&C...NIST Framework Article

  • 1.  Interesting...C&C...NIST Framework Article

    Posted 10-01-2019 09:56 AM
    First and foremost...I appreciate Karen Greenhalgh's article this month in Compliance Today titled, "The NIST Framework: An Enterprise Risk Management Tool."

    She raises a number of interesting ideas and shares her opinions on various aspects of security and privacy, to include their applicability to HIPAA.

    From a C&C perspective...I think I have a different take on how HIPAA's effectiveness has been overall with respect to Security, Privacy, and their relationship of effectiveness towards one another.

    Now I suspect some folks have not read the article and for that reason, I will simply share the following and we will develop it from there as I believe this has some very good learning opportunities despite any differences of opinion.

    So to that end...I will start with a basic question...and folks can certainly answer even before they have read the article.

    When it comes to complying with the Security Rule or the Privacy Rule...which do you believe is/was easier for you or your organization and provide any insight...or not as to why.

    I'll start this off by offering that I see the Privacy Rule as being easier to comply with given its prescriptive nature compared to the Security Rule.

    OK...what do others have to say?  Remember...especially those of you getting started in posting to the eGroup...no right or wrong answers...and you should feel free to share without any concern of your posts being "attacked" or whatever word people want to use...by others.

    ------------------------------
    ► We don't fail unless we quit! ◄
    --------Frank Ruelas---------
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Interesting...C&C...NIST Framework Article

    Posted 10-01-2019 03:27 PM
    Security does have its share of "checkbox" type items like Passwords required, Unique logins, autolock of computers, etc. But what becomes difficult is all that behind-the-scenes stuff. It's like this big cloud in my mind. I know something is happening to try and protect us, but what it is exactly is all fuzzy. Therefore Privacy feels easier to understand and implement. Maybe it is, maybe it's not. The article did talk about how easy privacy was when it is just a list of checkboxes. But then goes on to talk about outcomes, are the people really learning anything, is it changing behaviors.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 3.  RE: Interesting...C&C...NIST Framework Article

    Posted 10-02-2019 07:10 AM
    I think Privacy is easier to manage: through training and monitoring. Security is hard to consistently defend against successfully.

    ------------------------------
    Dr. Randy Lewis, LMFT, CHPC
    HIPAA Privacy Officer
    Orange County Government
    Orlando, FL
    ------------------------------



  • 4.  RE: Interesting...C&C...NIST Framework Article

    Posted 10-02-2019 08:20 AM
    Randy, isn't it the truth. I can have a privacy mistake that puts a single individual's PHI at risk. But a mistake with security would most likely put everyone's PHI at risk.

    And then we guard so diligently against these phishing emails, every day so good at seeing them for what they are. But the bad guys only need us to miss just once and they're in. It makes me want to just shut the door to email. Find another way to communicate.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 5.  RE: Interesting...C&C...NIST Framework Article

    Posted 10-02-2019 08:28 AM
    Another struggle is to get Security folks to communicate consistently with the Privacy Officer. In our shop this is particularly problematic. Security has more weight and attention than privacy does. Yet privacy encompasses security, not the other way around!

    ------------------------------
    Dr. Randy Lewis, LMFT, CHPC
    HIPAA Privacy Officer
    Orange County Government
    Orlando, FL
    ------------------------------



  • 6.  RE: Interesting...C&C...NIST Framework Article

    Posted 10-02-2019 08:34 AM
    That is so true. When we have a potential security breach that they are working through, no one thinks to tell me, the Privacy Officer. To be fair that's not every time, but enough that I've spoken up about it. Hopefully security has taken notice. Of course I'm fine with not finding out if it meant that we didn't have any more security incidents.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------
