NIST issues security guidance

Maintaining e-mail security is an ongoing process, and organizations should be prepared to apply patches in a timely manner and test security frequently, according to February 20 guidance from the National Institute of Standards and Technology (NIST).

SP 800-45 Version 2, Guidelines on Electronic Mail Security offers recommendations for protecting individual e-mail messages and for securing mail server operating systems and applications.

NIST also released the following publications:

1. SP 800-94, Guide to Intrusion Detection and Prevention Systems
   This offers guidance in designing, implementing, configuring, and maintaining intrusion detection and prevention systems.
2. SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
   This document provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network security.

[ via HIPAA Weekly Advisor ]

Data-level security takes center stage

Security controls at the data-level are the new concern for information technology (IT) professionals—a change from years of focus on network security, reports Computerworld. High profile breaches, such as those at the Department of Veterans Affairs, have renewed IT interest in data security.

"Reputation management" and the avoidance of bad publicity are the driving forces behind the trend, Mark Burnett, director of IT security and compliance at a Nashville-based hospitality company, told Computerworld. Stronger state laws are also behind the emphasis on security, according to the article.

Click here to read the Computerworld article.

[ via HIPAA Weekly Advisor ]

Is your reimbursement information secure?

A new report by the Government Accountability Office warns that inadequate computer security threatens the confidential Medicare and Medicaid data of millions of Americans, according to USA Today. The report, which the GAO is scheduled to release in April, focuses on the Department of Health and Human Services (HHS)—specifically on management and audit reports from 13 HHS divisions in 2004 and 2005.

Among other inconsistencies, GAO investigators found that that anti-virus software is often not installed or up to date, that there is a lack of adequate control over computer passwords, that employees and contractors work without background checks, and that there are little to no effective controls, such as surveillance cameras and restricted access prompts, to prevent spying and theft. In a statement, HHS officials questioned the accuracy and thoroughness of the GAO report, which they said fails to note a 57% decrease in HHS’ reportable deficiencies in 2005.

[ via LTC Liability Monitor ]