Category Archives: risk watch

Why Bother with a HIPAA Risk Analysis Anyway?

People tell me all the time that their management doesn’t want them to do a risk analysis, even if it’s a requirement.  Sometimes they say that they have no budget to fix anything – so why bother?

Even if it’s a requirement, like new workplace violence assessments, or a federal law like the required HIPAA risk analysis, there are people who want to do it in 30 minutes in a spreadsheet, without conferring with other staff members, without bothering to do a walk-through of the facility, without management’s enthusiastic support.

Here is a list of good reasons to do a Risk Analysis for HIPAA, even if you are not sure about whether you need it or not:

1.   It’s a Federal law.   It’s possible that no one will know if you don’t do it, but
      what if you have a MassGeneral-style data breach next week?

2.   It saves the organization BIG BUCKS, by doing the cost benefit analysis so
      the IT department can implement controls that actually increase protection
      AND reduce potential threats at the same time.

3.   A Risk Analysis acts like a security awareness training program if you
      involve the entire hospital or healthcare staff.  Many times they aren’t
      aware of the policies and procedures, and having them answer the
      HIPAA compliance surveys is a great no-cost refresher course.

4.   You can uncover REAL vulnerabilities and fix them right away.  For example,
      you may not know who’s taking your database home on their unencrypted
      laptop.   You may not know that only 20% of the hospital staff took time to
      take the online training!  This lets you IDENTIFY problems and FIX them.

5.   It instantly makes the security analyst/information security officer the
      SMARTEST person in the room.  You now understand everything about
      protection of medical records in your organization!

6.   Regulators are getting CASH BONUSES for finding problems.  Don’t let
      them vacation in the south of France because they found a vulnerability
      in your IT systems!

Start your risk analysis today – and I will make sure YOU get all the credit!

Put your Hospital Security Department on a Low Fat Diet

Hospitals are reeling from potential losses in funding related to state budget cut-backs and potential cuts in Medicare programs.  Every area of the hospital budget is being scrutinized for places to cut and reduce costs.

Instead of waiting for a memo about cuts that affect YOUR department, be a
pro-active manager and right-size your security department and show management
the changes you want to make.

It is possible to have an efficient, accountable security department without having costs run out of control.  It has to be based on real dollars, on real risks and it has to have the ability to show management WHY you need each element in your program.

The already-required risk assessment is the first step in this process.  When regulators come into a hospital, they want to see the risk assessment first, and then they look to see if you followed the remediation plan identified in the risk assessment, which means they want to see you made the right improvements, based on the plan.

By including program elements in the risk assessment, and mapping them back to your actual budget, you can easily say what the Return On Investment is for each part of your program.

Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee. Apparently lawmakers and gun rights advocates find it a sane and reasonable policy to open up the workplace to armed employees.

It is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA. In order to continue to make money and sell more guns, the gun rights advocates, and the legislators they have paid off, corrupted and stripped of reason, are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing. We are already a nation awash in fear and loathing. We hate people we don’t know and don’t understand. The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot have already been forgotten by security professionals and criminologists. There is no condemnation or follow-up about a terminally troubled young man and the ease with which he purchased a semi-automatic pistol and 30-shot clips.

There has been no rallying cry to address the ease with which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction. These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots. And in fairness, I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU, is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter. As a profession, we have done nothing to challenge these trends, or address them, or at the very least, debate the current flood of laws designed to turn American work places into armed camps.

And this in my view is nothing less than a tragedy.