Comments for Venyu Blog http://blog.venyu.com Your Data Made Invincible Fri, 18 Mar 2011 19:51:23 -0500 hourly 1 http://wordpress.org/?v=3.1.1 Comment on Five Best Practices for Virtualization Deployments by Al http://blog.venyu.com/2011/03/18/five-best-practices-for-virtualization-deployments/#comment-413 Al Fri, 18 Mar 2011 19:51:23 +0000 http://blog.venyu.com/?p=1752#comment-413 I think many companies are scared of virtualization because they don't really understand virtualization. Virtualization can help businesses tremendously by cutting IT costs and freeing up technicians to work on other problems or projects. Thanks for writing! I think many companies are scared of virtualization because they don’t really understand virtualization. Virtualization can help businesses tremendously by cutting IT costs and freeing up technicians to work on other problems or projects.

Thanks for writing!

]]> Comment on Elementary Dr. Watson by Tweets that mention Elementary Dr. Watson at Venyu Blog -- Topsy.com http://blog.venyu.com/2011/02/08/elementary-dr-watson/#comment-398 Tweets that mention Elementary Dr. Watson at Venyu Blog -- Topsy.com Wed, 09 Feb 2011 16:23:41 +0000 http://blog.venyu.com/?p=1940#comment-398 [...] This post was mentioned on Twitter by Venyu HQ, David A. Chapa. David A. Chapa said: RT @Venyu: Elementary Dr. Watson » Venyu Blog #2001: A Space Odyssey #HAL #IBM #Information Week #Jeopardy http://t.co/rwRlXgW via @Venyu [...] [...] This post was mentioned on Twitter by Venyu HQ, David A. Chapa. David A. Chapa said: RT @Venyu: Elementary Dr. Watson » Venyu Blog #2001: A Space Odyssey #HAL #IBM #Information Week #Jeopardy http://t.co/rwRlXgW via @Venyu [...]

]]> Comment on If You’re An SMB With BC/DR Responsibilities, You Need To Read This by Stephen Foskett http://blog.venyu.com/2010/11/23/if-youre-an-smb-with-bcdr-responsibilities-you-need-to-read-this/#comment-324 Stephen Foskett Wed, 24 Nov 2010 00:43:08 +0000 http://blog.venyu.com/?p=1676#comment-324 Thanks so much for the kind words about my article! It's nice to hear that folks are reading and agreeing! Thanks so much for the kind words about my article! It’s nice to hear that folks are reading and agreeing!

]]> Comment on Massachusetts State Government Data Breach Revealed: Talk About Not Drinking Your Own Kool Aid by mwallace http://blog.venyu.com/2010/07/16/massachusetts-state-government-data-breach-revealed-talk-about-not-drinking-your-own-kool-aid/#comment-323 mwallace Tue, 23 Nov 2010 17:20:35 +0000 http://blog.venyu.com/?p=1466#comment-323 That's a little contradictory eh?! Thanks for posting the link! That’s a little contradictory eh?! Thanks for posting the link!

]]> Comment on Where HIPAA ends and MASS 201 CMR 17 Begins by mwallace http://blog.venyu.com/2010/11/16/where-hipaa-ends-and-mass-201-cmr-17-begins/#comment-322 mwallace Tue, 23 Nov 2010 17:18:58 +0000 http://blog.venyu.com/?p=1696#comment-322 Great point Ken! Thank you for the feedback. With the recent punitive actions taken as a result of HITECH, we will certainly start seeing more activity and clarity around this topic. Great point Ken! Thank you for the feedback. With the recent punitive actions taken as a result of HITECH, we will certainly start seeing more activity and clarity around this topic.

]]> Comment on Where HIPAA ends and MASS 201 CMR 17 Begins by Ken http://blog.venyu.com/2010/11/16/where-hipaa-ends-and-mass-201-cmr-17-begins/#comment-320 Ken Fri, 19 Nov 2010 15:58:39 +0000 http://blog.venyu.com/?p=1696#comment-320 "while encryption isn’t explicitly required under HIPAA" No - "The HIPAA Security Rule does not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control, (45 CFR § 164.312(a)) integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected." And "The U.S. Department of the Health and Human Services (HHS) issued guidance wherein "unsecure protected health information (PHI)" is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn't matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service. As long as PHI is not encrypted, it is considered unsecured." So while they don’t say you must encrypt "with" or "how" - they are saying that you had better protect, encrypt, or destroy. Since you can’t send an email with PHI in a fashion that is both unencrypted AND secure - the logical necessity is that it is encrypted. “while encryption isn’t explicitly required under HIPAA”

No – “The HIPAA Security Rule does not expressly prohibit the use of email for sending electronic
PHI. However, the standards for access control, (45 CFR § 164.312(a)) integrity (45
CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require
covered entities to implement policies and procedures to restrict access to, protect the
integrity of, and guard against the unauthorized access to electronic PHI. The standard for
transmission security (§ 164.312(e)) also includes addressable specifications for integrity
controls and encryption. This means that the covered entity must assess its use of open
networks, identify the available and appropriate means to protect electronic PHI as it is
transmitted, select a solution, and document the decision. The Security Rule allows for
electronic PHI to be sent over an electronic open network as long as it is adequately
protected.”

And

“The U.S. Department of the Health and Human Services (HHS) issued guidance wherein “unsecure protected health information (PHI)” is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn’t matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service. As long as PHI is not encrypted, it is considered unsecured.”

So while they don’t say you must encrypt “with” or “how” – they are saying that you had better protect, encrypt, or destroy. Since you can’t send an email with PHI in a fashion that is both unencrypted AND secure – the logical necessity is that it is encrypted.

]]> Comment on Massachusetts State Government Data Breach Revealed: Talk About Not Drinking Your Own Kool Aid by Lynn http://blog.venyu.com/2010/07/16/massachusetts-state-government-data-breach-revealed-talk-about-not-drinking-your-own-kool-aid/#comment-206 Lynn Sat, 17 Jul 2010 11:55:28 +0000 http://blog.venyu.com/?p=1466#comment-206 I totally agree that this latest Massachusetts government breach is disconcerting, however, a close read of 201 C.M.R. 17 will reveal that the regulation does not apply to the Secretary of State's Office. There's a carve out for municipalities, state offices and state agencies (201 C.M.R. defines "Person" as "a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof"). State offices and agencies are, however, subject to Executive Order 504 (see http://www.mass.gov/?pageID=gov3terminal&L=3&L0=Home&L1=Legislation+%26+Executive+Orders&L2=Executive+Orders&sid=Agov3&b=terminalcontent&f=Executive+Orders_executive_order_504&csid=Agov3 ), Unfortunately however, this order contains no requirement for encryption, despite the fact that state offices maintain enormous amounts of personal information belonging to Massachusetts residents. I totally agree that this latest Massachusetts government breach is disconcerting, however, a close read of 201 C.M.R. 17 will reveal that the regulation does not apply to the Secretary of State’s Office. There’s a carve out for municipalities, state offices and state agencies (201 C.M.R. defines “Person” as “a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof”). State offices and agencies are, however, subject to Executive Order 504 (see http://www.mass.gov/?pageID=gov3terminal&L=3&L0=Home&L1=Legislation+%26+Executive+Orders&L2=Executive+Orders&sid=Agov3&b=terminalcontent&f=Executive+Orders_executive_order_504&csid=Agov3 ), Unfortunately however, this order contains no requirement for encryption, despite the fact that state offices maintain enormous amounts of personal information belonging to Massachusetts residents.

]]>