September is National Campus Safety Awareness Month!

Posted In School Safety on September 2nd, 2010

Security on Campus has announced that National Campus Safety Awareness Month is celebrating its 6th anniversary this September with the theme NCSAM 2010: Coming Together to Strengthen Campus Communities.

Security On Campus, Inc. is working to create safer, more supportive campus communities and encouraging students and administrators to work together with local law enforcement and national and local organizations to ensure campuses will be more secure, students will be more informed, and victims will be better supported.

In celebration of National Campus Safety Awareness Month, we at Awareity would like to offer all college campuses the opportunity to sign up for a Free 30 Day Trial of our MOAT (Managed Ongoing Awareness and Trust) tools and TIPS (Threat Assessment, Incident Management and Prevention Services).

Connecting the dots is critical as lessons learned from schools around the world clearly reveal that gaps and disconnects between faculty members, staff, administration, community members, students, parents, third-parties, policies, plans and procedures lead to expensive and tragic incidents. 

Awareity’s innovative tools are currently helping colleges and universities implement lessons learned and connect the dots while reducing budgets and improving campus safety, risk management, threat assessment, incident reporting, prevention, security awareness, documentation, CYA and more.     

To sign up for your free 30 Day Trial, please visit www.awareity.com.

We would also love to hear what your campuses are doing this month to improve student safety and security; please share your stories in the comments section below.


Whistleblowers, Incident Reporting and Incident Management…Is your Health Care Organization Ready?

Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 31st, 2010

A previous Lessons Learned Blog mentioned the Dodd-Frank Wall Street Reform and Consumer Protection Act and a special bounty program within the Act for whistleblowers.  Did you see it? 

An attorney at the Healthcare Financial Management Association’s Annual National Institute legal update says healthcare providers may be heading into a storm of whistleblower suits that could cause serious problems for the unprepared. 

The attorney predicts the new Patient Protection and Affordable Care Act could lead to an explosion of whistleblower lawsuits because the new law does not require the plaintiff to have direct knowledge of alleged fraud to file a suit.

So if you are involved with the healthcare industry…are you ready?

Healthcare organizations should ask the following to make sure they are ready for whistleblower-related challenges:

  • Do employees have access to trusted tools to report suspicious actions?
  • Do third-parties/business associates have access to trusted tools to report suspicious actions?
  • Do patients have access to trusted tools to report suspicious actions?
  • Are assessment teams defined and trained on how to respond to incident reports?
  • Do assessment teams have tools to access, track and document their actions and decisions?
  • Do organizations have a customized compliance program implemented and documented?

The short list above represents some but not all of the challenges healthcare leadership should be targeting as soon as possible to ensure legal defensibility for your leadership and your organization…are you ready?


Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

Dissemination vs. Implementation

The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. 

What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.   

Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention? 

I think the VA needs to ask a couple of questions:

1) Why are so many handheld devices and laptops being lost?  Are there ways we can educate our employees on best practices for protecting devices?  Are there consequences?

2) With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption?  Are employees taking home sensitive information that should not be placed on personal devices?  Do employees know what information is sensitive?

3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information?  How do we know there were only 441 errors; were these just the mistakes that were caught?

4) How can we implement ongoing awareness and educate our employees (and third-parties) on protecting sensitive information?

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs and a lot less expensive for us taxpayers too… is anyone interested in implementing lessons learned?


SEC Creates Bounty for Whistleblowers?

Posted In Incident Reporting, Legal, Regulatory Compliance, Risk Management on August 24th, 2010

According to a recent Washington Post headline, law firms are gearing up for a new whistleblower reward program.

The new program, included in the Dodd-Frank Wall Street Reform and Consumer Protection Act signed by President Obama in July 2009, creates a bounty program that rewards individuals who provide “original information” to the SEC.  The SEC can then award the individual up to 30 percent of any successful enforcement action that exceeds $1 million.

There is no doubt that federal agencies are publicly ramping up to police illegal corporate activity… future Lessons Learned Blogs will discuss healthcare, education and others.

Here are some questions your organization’s leaders should be asking:

  • Are your existing compliance programs working as you want them to?
  • Are your policies and procedures updated, communicated, acknowledged and documented?
  • Are employees and third-parties aware of how to report incidents?
  • Are you encouraging employees to report internally before going to the government?
  • Are you confident in how employee complaints will be handled?
  • Do you have the right tools in place to connect the dots?

If law firms are gearing up…it is probably a good idea to pay attention to headlines and this Lessons Learned Blog too.


Whistleblowers, Incident Reporting, Incident Management…Are You Ready?

Posted In Incident Reporting, Information Security, Legal, Regulatory Compliance, Risk Management, Workplace Violence on August 19th, 2010

Have you been paying attention to recent headlines?

“New whistleblower reward program has law firms gearing up”

“Attorney tells audience to brace for a storm of whistleblower lawsuits”

“Financial reforms up retaliation risk”

“Preventing violence in health care setting”

“Banks seek customers’ help to stop online thieves”

Lessons learned and headlines are mounting and organizational leaders from nearly every sector should be paying close attention if they want to prevent their name and their organization’s name from being featured in unwanted headlines and lawsuits. 

In a few of our next blog posts, I will be sharing lessons learned on how incident reporting, incident management, threat assessment teams, prevention, intervention, documentation and CYA will play a critical role for the foreseeable future…are you ready?


Are Your Security Cameras Mobile, Capable of Making Incident Reports?

Posted In Emergency Management, Incident Reporting, School Safety, Workplace Violence on August 17th, 2010

I met some really outstanding people this month while presenting at the NASRO national conference and I deeply appreciate how school resource officers (SROs) and school security officers (SSOs) are striving to make a difference with students and with schools.

Before and after my presentations I had some interesting conversations with several SROs from schools all across the U.S.  One of the SROs I spoke with brought up an ongoing challenge with cameras.  He would like to replace outdated analog cameras that do not give him the clarity he needs to recognize and identify people.  He also wants to add more cameras for better coverage in problem areas.  He went on to say that he was having a difficult time getting school administrators to understand his concerns, and he also cited budget limitations.

So I suggested a new and different approach.  What if you “connected” hundreds or even thousands of existing “security cameras” that are mobile and capable of reporting incidents too? 

The SRO looked at me a little funny and said, “What do you mean?”

What if the eyes of every student and every teacher became your security cameras?

And what if the students and teachers were also able to provide details about suspicious activities that are taking place at school, even in the places at school where cameras aren’t allowed and away from school where you will never have cameras?

Lessons learned clearly show that if we want different results…we have to start trying different solutions.

For example, new and different tools like TIPS (Threat Assessment, Incident Management and Prevention Services) empower students, teachers, faculty, counselors, janitors, bus drivers, parents and others to become your mobile cameras that also report incidents…but only if you have the tools to “connect” them.

Are you ready for different and better results?


Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

Posted In Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 12th, 2010

Did everyone see this ultimate lesson regarding lessons learned but not implemented? 

Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.

Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because they violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The HHS settlement against Rite Aid requires their pharmacies to:

  • Establish policies and procedures for disposing of protected health information and sanctioning workers who do not follow them;
  • Create a training program for disposing of patient information;
  • Conduct internal monitoring;
  • Obtain an independent assessment of its compliance for three years.

The FTC settlement against Rite Aid requires the company to:

  • Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
  • Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis. 

Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums. 

Albert Einstein said it best:

“Insanity is doing the same thing over and over again and expecting different results.”

Are you and your organization doing the same thing over and over again and expecting different results?


Blueprints Do Not Build Skyscrapers

Posted In Business Continuity, Human Resources, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on August 11th, 2010

In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.

I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.

Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action and so on.  Blueprints can also include programs, policies, procedures, processes, guidelines, checklists and the like.

But blueprints are not skyscrapers. 

Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, etc.), schedule a meeting or training session, post their blueprints on an intranet/portal and think they have built their “skyscraper”.

More and more organizations are learning the hard way that having blueprints is not enough.

Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate. 

Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?


Building A Preparedness Program…like Building a Skyscraper?

Posted In Business Continuity, Emergency Management, Human Resources, Regulatory Compliance, School Safety, Workplace Violence on August 9th, 2010

I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees.  We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more.

As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs.  In reference to whether tools can make a difference, I offered the following analogy:

Could a skyscraper be built using a hammer, a saw and some nails? 

The attendee responded quickly: yes, the skyscraper could be built, but she wouldn’t go inside it!

Next we discussed how building a skyscraper and building a campus-wide or organization-wide preparedness program have a lot in common: 

  • Both require blueprints
  • Both are complex and require planning
  • Both require specialized tools to build
  • Both have a lot of parts or “dots to connect”
  • Both require specialized tools to maintain
  • People will not trust poorly built skyscrapers or preparedness programs

Are you building your __________ program [preparedness, compliance, business continuity, safety, security, ethics, etc.] with old outdated tools such as binders, intranets, shared drives and general training?


Is Your Company Vulnerable to Social Engineering?

Posted In Information Privacy, Information Security, Risk Management on August 5th, 2010

Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization.

With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack.  The employee provided information to the caller including the model of laptops BP used, the specific operating system, and the browser, anti-virus and VPN software.  The hacker also convinced the employee to visit an unknown web site, Social-Engineer.org.

Other hackers in the competition asked company employees what version of Adobe Reader the company used or who the garbage collector was that hauled their trash.  Employees seemed extra willing to help the hackers who pretended to lack specific information.  Several large corporations were targeted including BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter and Gamble, Pepsi, Coca-Cola and Ford.  Only 3 of the 10 companies passed the test and did not provide any sensitive information.

Are your employees this gullible?  Is your company vulnerable to social engineering attacks?

By sharing real-world stories like the competition results above, you can help your employees understand risks and potential consequences of revealing sensitive information.  Managers can help employees become aware of how they can protect their jobs, their organization and your organization’s clients by preventing data breaches, information losses, lawsuits, etc.  

Hackers are continuously developing new tactics and more sophisticated strategies for retrieving information from unsuspecting employees.  Because we know hackers are getting better at social engineering, it is critical for your organization to develop better awareness training and education to keep up with changing risks, threats and more sophisticated techniques. 

Link: Companies Fail Social Engineering Contest
