06. December 2010 · Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch · Categories: blog

Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch.

A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, which did not strike me as all that surprising. What did strike me as somewhat surprising, though, were some of the things respondents agreed the government should do regarding cyber-security.

According to the survey (PDF) – which fielded answers from a total of 285 security pros in industries such as food and agriculture, defense and information technology – 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.

It seems to me that the federal government should enact some cyber-security legislation, but not along the lines of PCI. Government bureaucracy is too slow-moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is itself too slow-moving: PCI DSS 2.0 could have done much more but chose to focus simply on clarifications. I think the federal government should (1) require more, and more complete, breach disclosure and (2) possibly increase penalties for breaches. The latter was the tactic the government took with HITECH to strengthen HIPAA.

In the meantime, the states have been moving aggressively, e.g. Massachusetts 201 CMR 17.00.

01. February 2010 · First HITECH lawsuit filed by CT Attorney General against Health Net · Categories: Breaches, Health Care, HIPAA

American Medical News reported today (Feb 1, 2010) that the first lawsuit by a state Attorney General for a personal medical information privacy violation under the HITECH Act has been filed. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had carried only limited penalties for violations.

If the HITECH Act itself was not enough of a wake-up call, this lawsuit surely ought to be.