Michael R. Farnum

Hitting the Security Nerve

What it takes to become compliant with any regulation!

Are you looking for a magic bullet to solve your compliance project(s)? Are you wondering where that simple fix is that will forever ensure that the government stays out of management's business so management will get off of your back? Well, look no longer!

Here's the answer to all your questions!

Just scroll down a bit more!

What's the answer??

IT DOESN'T EXIST!!!

In today's world of all the different compliance regulations (both public and private), it is no wonder that so many companies want a quick fix to make all the pain go away. But people, it does not exist. You cannot put in a few products and have PCI compliance. You cannot install some new technology and have all your HIPAA headaches go away. But that is still what people are looking for. And I see no end to it.


I had a great conversation with a fellow employee of mine today. We were discussing the problem of so many people in the security industry just drawing a paycheck and not being motivated to actually secure their network. And those security professionals who do give a crap are often hamstrung by their management when they try to make meaningful changes. We discussed how so many companies freak out when they see how much a security assessment or compliance gap analysis costs. Then they either scale the project back so far that it is meaningless, or they go with Bob's security company, where the consultants just finished Hacking For Dummies last week.


If you have the job of making your company compliant, remember this: compliance is NOT a technology project. It involves so much more. It takes diligence and hard work. Don't get into the checkbox mentality. There is no quick fix. Don't believe the companies that promise quick paths to becoming compliant. They don't work. And don't assume that you don't need help. This is not an easy task, even for smaller companies.


Short and sweet, do it right the first time.


What People Are Saying


In general, compliance means conforming to a specification or policy, standard or law that has been clearly defined.

Corporate scandals and breakdowns such as the Enron case in 2001 have highlighted the need for stronger compliance regulations for publicly listed companies. The most significant regulation in this context is the Sarbanes-Oxley Act, developed by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley, in 2002, which defined significantly tighter personal responsibility of corporate top management for the accuracy of reported financial statements.

International Traffic in Arms Regulations (ITAR) is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List. These regulations implement the provisions of the Arms Export Control Act, and are described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations. The Department of State interprets and enforces ITAR. Its goal is to safeguard US national security and further US foreign policy objectives.

------------------------------------------------

travis

HIPAA

------------------------------------------------

Let’s talk business

Let us start over. This conversation is going nowhere, yet in my heart I feel that we have so much to offer each other if we act like reasonable businesspeople seeking profitable symbiotic solutions supported by consumer demand instead of mandate. When I wrote that this conversation is historic, that was not hyperbole. This is scoop, friends. This is opportunity.

I treasure open communication and I assume that rather than witness a dentist publicly disgrace himself, you would prefer that I share with you information about a profitable and very large niche market that has been completely overlooked by anglers, elbow to elbow, hoping for big fish. Has anyone ever considered the security needs of dentists? No. Never.

In spite of losing my composure and stooping to make a cheap and unprofessional remark concerning tattoos, I am serious about fighting senselessness in dentistry, even if at times I use sarcasm to hammer a point. I apologize to you, Cutaway and LonerVamp. I bring dishonor to myself and harm to the cause I represent when I try to be cute when it is not appropriate.

Why in the world would we want to focus on each others’ characters when there are so many Internet opportunities opening for those who are paying attention to important things? You readers are already far, far ahead of any competition in a very large niche that will soon attract attention no matter what I do. So let’s keep this very quiet. Do not let anyone outside our tight group know that NOBODY IS TENDING TO DENTISTS’ PRIVACY NEEDS. Consider the long tail and think laterally.

Almost two years ago, before HIPAA was recognized as a complete farce by others knowledgeable in dentistry, I made this announcement: Dentists will abandon business computerization for much simpler and far safer pegboards and ledger cards if healthcare IT and HIPAA become too dangerous and too expensive. Some dentists, including those in the highest positions of the American Dental Association, laughed. They no longer laugh because it is no longer funny. It becomes unfunnier every day. Very few dentists know about the liability that you are already aware of.

With disaster, whether it is man-made or natural, comes opportunity. Like bountiful and safe ebbs in a flood, heavy and torrential bureaucracy has created profitable undiscovered niche markets within dentistry. Anyone interested yet?

I am not your market. I began using the primitive pegboard system when I started my practice in 1982. It has always been the business format in my office, carbon copies and all. Practices larger than mine still quietly use them efficiently as well, but there are very few of them. I remember an article in the ADA News from a few years ago that stated that only 4% of the dentists in the nation were not computerized. For those who are serious about business, forget about me and read this carefully: 96% of the dentists in the nation love their computers and will pay you very well if you can figure out a way to make them safe to use once again. Many dentists who will never adopt electronic dental records in their practices - even if they are given away - still save money using computers for billing and accounting needs. Either instances of bankruptcy caused by discoveries of breaches of dental records or the cost of HIPAA compliance will reliably become great enough to set back technology in dental offices sooner than one might think. The Ponemon estimate ($200 per record) is real, and nothing is limiting the price of compliance. Once dentists abandon their computers, many of your potential clients will be reluctant to jump back in and will be lost as a quick and easy sale. There is a time factor to the sweetest part of this niche. One has to be prepared.

For anyone who would like, let’s talk about this issue: I say that if patient identifiers are removed from their digital dental records, it would solve a lot of problems, as well as quickly sidestep HIPAA’s massive footprint. If a computer is stolen out of a dentist’s office, and all that the hard drive contains is nameless dental records (and reference numbers), how much damage could that cause? How much do you think that solution would be worth to dentists other than Darrell Pruitt DDS? Please consider it. I confidently tell you that nobody else has yet.

“We may need to solve problems not by removing the cause but by designing the way forward even if the cause remains in place.” - Edward deBono, a Maltese psychologist, physician and writer.

“Storing electronic health records with personal identifiers is like storing bombs with fuses attached.” - Darrell Pruitt, a dentist.

This is the frontier, friends. Let us take a peek just beyond the event horizon. It is ours because we are already there. Darrell

cc: spamgroup

------------------------------------------------

LonerVamp, are you a member of the group I was invited to join? Darrell

------------------------------------------------

I can only roll my eyes at this troll. This is not even worth the time of an "anonymous" person, which obviously undercuts any valid discussion I might enjoy (despite how searchable my name really is...here, I'll even give you my web site...)

Grow up, Darrell, and stop acting like someone looking for attention and fights. If you want real discussion, leave the insults and emotion and extraneous comments somewhere else, and actually get down to a real discourse. Sadly, I don't think that's what you were looking for here, and instead just looking for a rise out of others to hear yourself "talk" virtually... If I am wrong, I look forward to hearing more from you at other similar topics, and maybe you can really sway some people and do some Good Things for the world and even IT, security, and medicals.

------------------------------------------------

“Anonymity is the enemy of civility.” - Seth Godin.

Nobody is anonymous. - Darrell Pruitt

------------------------------------------------

@Dr. Pruitt
Sir,

It was pointed out to me, and I can see from your response, that I was unnecessarily sharp during this conversation. This has taken away a little bit from my credibility and it is unfortunate. I mistook some of your responses for sarcasm when I should have afforded you the benefit of the doubt.

Certainly you have raised some good points and you have obviously performed a risk assessment that is sufficient for your business. Actually, several of the people who frequent the Security Catalyst forums agreed with your stance.

I would recommend that you consider joining and providing input to the Security Catalyst Community. Having a voice in the forums that can provide security professionals with the other side of the coin is valuable and important. You would be doing us all a service.

As to the pseudonym, well, that is the nature of the beast, currently, and not an attempt at complete anonymity.

Go forth and do good things,
Cutaway

------------------------------------------------

You both have good points, however, far too many people take after Darrell's point of view that they are not important enough or large enough to have to worry about this stuff. Like almost every homeowner says, it is not going to happen to him.

While it might never happen to Darrell and never happen to most employers and digital records, that sort of denial won't improve anything. If nothing else, it gives validation to others who are on the fence to not do anything.

I don't mind if Darrell chooses to not be terribly secure digitally, because, yes, he's a little fish. But I do care when he tries to convince others to do the same thing, or tries to butt his nose into IT when he tells us not to butt our noses into his dentistry.

***
Protecting data from natural disasters is about business continuity, not security from theft. In other words, I don't know where you were going with this argument. And you don't have to keep all records on that shiny computer on the front desk. Store them on a drive which you keep in that locked cabinet. Plug it in every day, unplug it when you go home. You now have very similar protections for data with the added benefit of quick backups and ease of searching, if you even need that.

***
Darrell, you sound very much like you have some chip on your shoulder about IT and how compliance is giving them business. That's not entirely true. Although you can hold that opinion (and while I can only guess what makes you have that opinion, you might want to see why you hold it yourself...hopefully it's just about not wanting to spend the money, as opposed to some kid or IT jockey screwing you over and making the rest of us look bad), adding it as part of any real discussion only makes you sound emotionally biased, and really has no bearing on the validity or invalidity of either side.

Likewise, while we might promote digital security which is also our job, what happens when you promote that I need a crown or some dental work done? Can I claim that you're just convincing me of something wrong so you can get my money? Of course not, likewise, give us the same courtesy. We're not all used-car-salesmen trying to pull one over on ol' Darrell Pruitt. Please leave that argument at home as well, and we'll all have better karma. :)

***
The point of IT is efficiency, not creating a captive audience. Sadly, efficiency in this digital world has its costs, which includes making crime more efficient.

Keep in mind that records and identity are not any MORE of an issue these days than they were 30 years ago. Identities have always been stolen. The only difference is the size. Digital media and records can be carried out of an office on a USB stick while paper records of equal number would be far larger. This just means it is more efficient, not more prevalent or more relevant today (ideally).

Also keep in mind that digital records can have audit trails, whereas paper ones do not. If one of your patients is an important businessman, and I'm looking for anything and everything on him, a small dentist office like yours would be a target. And while I might break in and steal your petty cash on hand, will you truly know if I flipped through your records, or which ones I looked at? Unless I pop your locks violently and misreplace the files, most likely not.

***
In the end, Darrell, I won't fault you for keeping to paper records and taking few, if any, digital security or compliance measures. Your situation as a smaller business is the real touchy subject when it comes to compliance. Gov't and IT tend to look at the global and national scale of huge business. That's unfortunate, but that is also life and it happens in far more than just IT and HIPAA. I feel for you, and feel you have a point, but I'd implore you to live with your point and be happy; not to try and insult all IT or convince every dentist to think like you. :\ There are people that I know who own small businesses and are very cognizant and diligent about digital security in this new age, even if their peers think like you do.

------------------------------------------------

@Dr. Pruitt
Sir,

This is my final installment to "Cutaway Vs. The DDS." You obviously have your mind made up about HIPAA and it has affected how you view information security professionals. This is unfortunate as the majority of the professionals I know would do their very best to help you well beyond the requirements of HIPAA and the protection of patient records.

I will leave you with some information.

The rules by which you are required to protect your customers' and employees' sensitive information from unauthorized exposure are set forth in the Texas Statute, Business and Commerce Code, Chapter 48, Unauthorized Use Of Identifying Information. Nowhere in this document does it say that these protections only apply to sensitive information that is stored electronically. You should pay particular attention to this paragraph.

A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

Although this covers items that are considered sensitive information (name, date of birth, social security number, government issued ID number), I would argue that your records contain sensitive information that is not limited to those set forth in this document. Do your records contain information that cannot be released because of doctor/patient confidentiality? I am betting some of your files contain information that your patients would not want their family, employer, or the public knowing about.

So, your paper records are important and you should take their protection into consideration. What do you think people stole before there were computers? Crimes take place against targets of opportunity. If your records are readily available and easy to obtain then it does not matter what form of media they are stored on. If they can take it they will. Heck, it is much harder to get caught for taking one paper record than one hard drive. Can you visually tell if one of your records is missing? How long would it take? The next visit?

Funny, you got me focused specifically on records against my intent. Oh well. Information Security Professionals are not here to bleed you of your hard earned money. Rather, we are here to help you run a business effectively, efficiently, and securely. If you do not need our services then it is not a problem. I have to wonder though, what possesses you to troll through articles pertaining to information security (particularly HIPAA) and try to undermine the effectiveness and even necessity of the craft.

Good luck to you, your patients, and your employees.

Cutaway, out.

------------------------------------------------

This is wonderful. This is historical. Nobody has ever discussed dentistry and computer security on the Internet like this. Thank you so much for moderating this forum. We may all learn something. I am sharing it with some friends as well.

Tornadoes. There is an issue. Let us include fires as well. And then, let us discuss burglaries.

Here is the question: How many patient charts have been lost from dental offices over the last 50 years due to tornadoes? I can pretty much assure you that in Fort Worth, zero dental patient records have ever been destroyed and scattered by tornadoes. Myth busted. Blatant over-reach.

Fires, on the other hand… Those happen. Charts can be destroyed and radiographs ruined just from smoke and water damage. However, with metal filing cabinets and charts that are tightly packed together, the fire has to burn very hot for a very long time to destroy everything. Therefore, this is a very rare occurrence as well. My guess is that the odds of this happening over the last five years would have to be maybe five instances. Nobody keeps these numbers. I have already checked.

Dentists prepare for a disaster like this by purchasing records insurance, as part of the contents. The rider has been around as long as there have been manila folders. Fires occurred long before computers. By the way, computers do not survive fires well either.

I can only imagine that it would be an expensive and labor-intensive mess, but it would not shut down work. Losing a computer in a fire might though.

I get your point. How does a dentist replace dental records if everything is wiped out? One starts with a full set of x-rays and a complete exam. Dental records are not as complicated as medical records. Besides, it never hurts for a dentist to have a fresh look at patients’ teeth. We try to do this periodically anyway. Think simplicity.

Finally, how about burglaries and security? Is a thief more likely to steal a clunky, heavy metal filing cabinet or an office computer? I think the Ponemon Institute estimates that it costs around $200 per patient to contact everyone like you described. That means that it could cost me around half a million dollars if I fumbled patient data on a stolen computer. If that did not bankrupt me, the publicity surely would. What if I did not report a breach, or what if I did not know that one had occurred by a hacker or disgruntled employee? It happens. How often does it happen? Who knows? Burglaries happen much more often than fires at dental offices. It is scary to guess how many identities are on hard drives in pawn shops, just waiting for a buyer who recognizes a gold mine in a dentist’s patients’ identifications. I’ll take smoke damage any day.

Who are you to talk to me about security in my dental office? If your market includes all healthcare professionals, you have a lot to learn about dentistry. You are not even wrong.

Wow. I looked at the flow chart on your website. It looks like a mutant offspring of Hillary Clinton’s healthcare flow chart from the mid-1990s. It is really impressive, even in an artsy way. However, you still do not get it. I HAVE ONLY TWO FULL TIME EMPLOYEES. Darrell

------------------------------------------------

@Dr. Pruitt
Sir,

Michael and I subscribe to the same philosophy: Compliance THROUGH Security. Adhering to HIPAA does not mean that a company is secure and I believe that you are more than aware of this fact. However, if you continue down this path you will find that security, when done correctly, is extremely beneficial to a business. In fact, security is mostly ensuring that good business practices are followed and adhered to.

I'll give you an example, but you will have to shoot to my website to view an image, or you can read the whole article titled Mindmapping ISO17799:2005. ISO17799:2005 is a framework that security professionals around the world use to help manage security within any business. By addressing the objectives set forth in this framework, organizations can adhere to any regulation, including HIPAA. But if you look closely at the topics you will see many of the things that you probably already do to help your business thrive. I am also sure that you will see things that you can admit could be done better. That is the goal of the framework. That is the goal of a good security plan. And that is the guidance Michael and I have tried to provide to you to help you, your business, your customers, your employees, your family, and your friends.

Security touches every aspect of your business. Yes, you have a responsibility to your employees that goes beyond keeping their data out of a computer. You should also be very concerned about how your accountant treats your data as well as your money. From your indications you would rather react to something unfortunate that happens to your employees or your business than plan for it ahead of time. You can take that stance. You are permitted to roll the dice. But dice do come up Snake Eyes from time to time. What are you going to say to your employees when that happens?

"I am sorry. I did not sufficiently protect your personal information and it has been stolen. You could potentially become a victim of identity theft which could cost you thousands of dollars, force you to take unpaid time off work, and stay up worrying late at night wondering when it is going to end. By the way, I have signed you up for free credit checks for one year. Don't be late for work."

Oh, being from Dallas I know a few things about Fort Worth. Is that skyscraper still vacant or have they finally completed completely renovating it? Of course, that might not happen again. Maybe.

Go forth and do good things,
Cutaway