by Mathew Hegarty -- More and more healthcare organizations are turning to virtual desktops to address their challenges with the management, security and cost of their organizations' end-point devices, namely workstations and laptops. This has long been a complicated subject for healthcare executives because of the complexity of the healthcare environment. The fact is, end-point devices are the one piece of the technology chain not physically placed in a secured environment. Servers and switches are hosted in secured and environmentally controlled data centers and IDF closets, but laptops and workstations do their work in the emergency room, the admitting office, or on one of the nurses' mobile carts. This introduces not only additional support costs and challenges but security concerns as well.
Even for IT administrators, managing a traditional technology infrastructure of servers, desktops and laptops creates serious challenges. Ensuring that software is consistently updated, hardware is running optimally, and data is secure and safely backed up is a time-intensive, monotonous effort that keeps IT departments in reaction mode rather than focused on proactive system maintenance and innovation.
The economics of healthcare IT are simple. The cost of maintaining IT infrastructure is becoming untenable given the complexity of new systems, and flexible, scalable deployments are a requirement for any new project with executive buy-in. Add to that healthcare costs rising faster than inflation and new political pressure to keep costs down while maintaining the quality of the care being provided. One thing is certain: healthcare organizations are challenged as never before to do more with less.
Enter virtual desktops to save the day - and the bottom line - for healthcare. For the uninitiated, virtual desktops represent a philosophical shift in how end-point devices are deployed and supported across an organization. The traditional approach of managing hardware, software and data at the individual machine level is extremely costly, typically takes place in an uncontrolled environment, and is nearly impossible to keep consistent.
The simple fact is that virtual desktop technology allows healthcare IT departments to deploy desktops, laptops and portable devices at lower cost and from a controlled, secure data center. By running the software on a centralized server and giving users access only to the applications they need, the resources required to support the environment are minimized while uptime can actually increase; because applications and configurations are "pushed" from a central point, consistency is maintained across the environment.
This isn't exactly a new concept. IBM saw the value of running centralized servers with terminals back in the late 1950s with the advent of the mainframe. The concept was simple: centralize the key resources in a secured, controlled data center and use lower-cost "dumb" terminals at each desk to communicate with the mainframe. Well, what's old is new again. The main difference between the mainframes of old and today's virtual desktops is the familiar graphical interface of Microsoft Windows.
Hospitals and clinics can now make technology work for them, not the other way around. Virtual desktops loaded on thin clients, old workstations or laptops mounted on rolling carts have transformed the way physicians and caregivers treat patients. Instant access to patient records and integrated prescription management means healthcare workers now have real-time information at the point of care, which translates into faster, more effective care for patients.
Compliance with HIPAA is made easier by virtual desktop technology. Because applications and data live on a centralized server, the risk of losing sensitive patient data through theft of the hardware is greatly reduced; once data is entered by a caregiver, the device used does not retain it. In short, applications and data stored on servers in a data center are subject to the highest level of control and security the organization can apply. That benefit depends on configuration, though: it holds only if the virtual desktop policy actually prevents data from landing on the endpoint, which means disabling local drive, clipboard and printer redirection and offline caching where they are not needed, and locking idle sessions on shared carts. The thin client or repurposed laptop itself still needs patching and physical security.
From my perspective as an experienced Systems Integrator, a virtual desktop solution makes sense for just about every healthcare organization. From small physician practices up to the largest hospital groups, the fundamental benefits are the same. Translation? Gone are the days of your IT staff having to troubleshoot individual desktops because of a problem with an application. Gone too is the need for updates and patches for individual applications and printers on every physical desktop. Application performance is raised to a higher level because the computing environment and configuration is controlled in the data center.
What's our prognosis on the future of healthcare IT? Virtual desktop technology brings too many benefits to healthcare at a time when cost containment and data control are paramount. The transformation of healthcare technology is happening now, and healthcare will never be the same. Because the most efficient delivery of healthcare information always wins in the end, we're seeing the age of virtual desktops take form.
1. Know Where Data Lives
First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.
Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliance group at Trustwave. "We should be validating this information, not determining it."
Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.
2. PCI Is A Moving Target
Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.
PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the
The PCI Security Standards Council has already commissioned PricewaterhouseCoopers to study tokenization, end-to-end encryption and other "beyond PCI" issues. The results will likely be discussed at the PCI SSC Community Meetings. That's great: merchants, service providers and even QSAs want specific guidance about tokenization. This announcement and the weight of the players in the market should virtually guarantee that tokenization will be specifically addressed in the next release of PCI DSS, in addition to QSA training and other guidance from the SSC.
I have said before that the number of companies offering tokenization will increase several-fold within a year. We've already seen about a dozen players enter the market in the last six months. I'm expecting 30 to 40 more announced packages over the next six months, as payment processors, gateways, encryption vendors and application vendors all vie to see who can remove credit card data from the merchant environment the fastest.
The more options in the market, the more the demand for "token switching" will increase. Merchants who have entrusted their card data to Service Provider X will increasingly seek shorter duration contracts and have more specific demands about how they migrate their data from one tokenization provider to another.
Because there are currently no standards for the form of a credit card token, how it is generated, or how one token type can be converted to another (they can't, by the way), more merchants will realize this and raise concerns about being "locked in" to a particular tokenization approach. Smaller vendors will develop "token migration" or conversion tools, and so on.
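The two PCI points above, knowing where card data lives (item 1) and the fact that a token is a provider-specific surrogate that no other provider can convert, can be shown together in one added example. This is illustration code written for this page, not code from any of the quoted QSAs, vendors or StorefrontBackTalk. It assumes: a regular expression for 13 to 19 digit candidates separated by spaces or dashes, the standard Luhn check to drop false positives, and a hypothetical random-surrogate vault that keeps the PAN's last four digits and rejects tokens that would pass Luhn. The log lines are constructed; the card numbers in them are published test numbers, not real accounts.

```python
from __future__ import annotations

import re
import secrets

# Constructed sample log lines (not from any real merchant) in which card
# numbers have leaked into an application log. Two are valid test PANs; the
# "ref" value is 13 digits that fail the Luhn check and must not be reported.
SAMPLE_LOGS = [
    "2009-01-12 10:01:03 order=1001 card=4111 1111 1111 1111 amount=49.99",
    "2009-01-12 10:02:17 order=1002 ref=1234567890123 amount=12.00",
    "2009-01-12 10:03:44 order=1003 card=5500-0000-0000-0004 amount=7.50",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. The separator set and the
# length bounds are this example's assumptions.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str | None:
    """Strip separators; return the digit string only if it is a plausible PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in text, in order."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        pan = _normalize(m.group(0))
        if pan is not None:
            hits.append(pan)
    return hits


class TokenVault:
    """Random-surrogate tokenization as one provider would run it (hypothetical).

    The token is the same length as the PAN and keeps the last four digits
    (an assumption, so receipts can still print the familiar ****1111); the
    rest is drawn from a CSPRNG and rejected if it happens to pass Luhn, so a
    token is never mistaken for a real PAN. Nothing in the token is derived
    from the PAN, which is exactly why one provider's tokens mean nothing to
    another: conversion is impossible without the original vault.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # stable token per PAN
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_ok(token) or token in self._token_to_pan:
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def can_detokenize(self, token: str) -> bool:
        return token in self._token_to_pan

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError: not this vault's token


def scrub(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with that vault's token."""
    def repl(m: re.Match) -> str:
        pan = _normalize(m.group(0))
        return vault.tokenize(pan) if pan is not None else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    provider_a, provider_b = TokenVault(), TokenVault()
    for line in SAMPLE_LOGS:
        print("found", find_pans(line), "->", scrub(line, provider_a))
    pan = find_pans(SAMPLE_LOGS[0])[0]
    ta, tb = provider_a.tokenize(pan), provider_b.tokenize(pan)
    print("same PAN, provider A:", ta, "provider B:", tb)
    print("B can detokenize A's token?", provider_b.can_detokenize(ta))
```

Running the discovery pass over file shares, databases and logs is the "know where data lives" step an assessor expects you to have done before they arrive; the scrub step shows why a scrubbed log line no longer trips the scanner (the token deliberately fails Luhn) and why switching providers means detokenizing through the old vault and re-tokenizing with the new one, since provider B holds no mapping for provider A's tokens.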
Read rest of story at StorefrontBackTalk
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units that buy back used video games and issue credits directly to various payment cards.
The initial trial is entirely isolated, with the kiosk vendor having access only to its own network and not to Wal-Mart's. But the $375 billion chain is officially considering having the machines offer in-store credits in the form of gift cards, which would mean allowing the kiosks two-way access to POS and potentially CRM data. That would force some serious strategic debate about how far outside vendor kiosks can--and should--be allowed to play inside a retailer's databases.
The initial version of the kiosks collects payment card information as well as driver's license data. Even setting aside the potential future POS/CRM access, the payment data and the highly sensitive driver's license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both from a legal and a PCI perspective?
Beyond lawyers and assessors, consumers and the dollars they control will likely blame the retailer for any problems that started with a kiosk in or right next to its store. Wal-Mart officials are stressing that the Wal-Mart logo will not be used on any of the trial kiosks, although the Wal-Mart blue and yellow brand colors will absolutely be used. "This is not Wal-Mart's machine," said Melissa O'Brien, a spokeswoman for Wal-Mart's entertainment division. "We are leasing space to them in our store vestibules just like we do with other companies." And that nuanced distinction will be explained to every Wal-Mart customer how?
The insistence that no brand be displayed will be a nice point for the lawyers, but it won't do much for public perception. PCI safe harbor and legal indemnification won't help much if consumers feel betrayed.
Another troubling issue is data ownership. If Wal-Mart gets consumers to come to their stores and asks them to interact with a kiosk in the store, can the kiosk vendor use that information to help other retailers? As a pragmatic matter, how can they not do so?
The kiosks will know precisely who is returning what products and for how much money. Wouldn't consumer goods manufacturers--such as the ones that made that game as well as the ones that make rival offerings--kill for such data? Or even to be able to send a message to those people? And what about other retailers trying to steal some market share?
Alan Rudy, CEO of E-Play, the Ohio-based kiosk operator that is working with Wal-Mart on this trial, insisted the units securely handle credit and debit card data. He said E-Play retains ownership of all information gathered by the kiosks and has no plans to share or sell it, but he wouldn't rule out anything for the future.
PCI Security Standards Council Information
Article from: San Diego Business Journal
Article date: January 12, 2009
When Congress passed the Americans with Disabilities Act in 1990, the intent was to ensure that Americans who have disabilities would be able to access public buildings and be treated fairly in the workplace.
Lawmakers surely did not anticipate the unintended consequences of their good intentions.
The ADA's purpose was for businesses to make "reasonable modifications" to ensure access, not to create a cottage industry for personal injury lawyers to abuse the law and exploit regulatory technicalities for their own financial gain.
In the past several years a small group of unscrupulous serial plaintiffs has wreaked havoc on small businesses across California, filing thousands of lawsuits for alleged ADA violations.
The reason California has been such a lucrative state in which to file ADA lawsuits is that it is one of the most generous states in the country when it comes to fines.
The federal ADA only allows private lawsuits to seek compliance with accessibility standards.
However, California law allows a plaintiff to ask for up to $4,000 in damages for each alleged ADA violation, no matter how minor and even if it did not deter access in any way--for example, a sign being the wrong color or a ramp elevation grade a percent too steep.
In addition to that fine, businesses can also be sued for thousands of dollars for each day the violations are not remedied.
Gaming The System
Serial ADA plaintiffs game the system to extract a quick cash settlement to "go away," earning the reputation of filing so-called "shakedown" lawsuits.
Many business owners say these types of plaintiffs sue numerous businesses in an area at one time, use nearly identical language in each lawsuit, and always demand a quick cash settlement without any requirement that the alleged violations be fixed.
Since most small businesses can ill afford the exorbitant cost of fighting any lawsuit, regardless of merit, they opt to pay a settlement.
Some 18 years after the original act was passed, less than 3 percent of California's businesses are ADA compliant.
Business owners claim it has been very difficult for them to comply, given conflicting state and federal standards, voluminous and changing legal requirements over the years, a lack of ADA training for building inspectors and architects, and inconsistent interpretations of damage provisions.
For years the business and disabled communities have been at an impasse on the best way to increase access while reducing what many business owners refer to as "legalized extortion."
The two sides have finally come together with a comprehensive ADA reform measure in the form of Senate Bill 1608, which received unanimous support in both houses of the state Legislature and went into effect Jan. 1.
One of the most important provisions in the new law is a stipulation that plaintiffs may recover damages only for a violation they personally encountered or that deterred access on a particular occasion, rather than for alleged violations that may exist but did not cause a denial of access.
Other key provisions include:
* A requirement that all inspections relating to permitting, plan checks or new construction in privately owned buildings be conducted by a building inspector who has gone through the state architect certification training program and is a certified access specialist.
* Incentivizing building owners to use state-certified access specialists to ensure compliance.
* A temporary stay of litigation and a streamlined court procedure for businesses that have utilized a CAS, but are still sued.
* A new state disability commission that will be tasked with evaluating and providing recommendations on further disability issues having an impact on the disability community and business.
These reforms will help achieve the true intent and spirit of the state and federal ADA laws. They do not take away the right of people to sue if they are denied access or encounter a genuine violation. They do clarify the laws and create less opportunity for abusive, shakedown lawsuits.
With the current state of our economy, these reforms could not come at a more opportune time for small businesses struggling just to keep their doors open.
Lorie Zapf is San Diego regional director of California Citizens Against Lawsuit Abuse.
Senate Bill 1608
Title 36: Parks, Forests, and Public Property
PART 1194--ELECTRONIC AND INFORMATION TECHNOLOGY ACCESSIBILITY STANDARDS
Subpart C--Functional Performance Criteria
§ 1194.31 Functional performance criteria.
(a) At least one mode of operation and information retrieval that does not require user vision shall be provided, or support for assistive technology used by people who are blind or visually impaired shall be provided.
(b) At least one mode of operation and information retrieval that does not require visual acuity greater than 20/70 shall be provided in audio and enlarged print output working together or independently, or support for assistive technology used by people who are visually impaired shall be provided.
(c) At least one mode of operation and information retrieval that does not require user hearing shall be provided, or support for assistive technology used by people who are deaf or hard of hearing shall be provided.
(d) Where audio information is important for the use of a product, at least one mode of operation and information retrieval shall be provided in an enhanced auditory fashion, or support for assistive hearing devices shall be provided.
(e) At least one mode of operation and information retrieval that does not require user speech shall be provided, or support for assistive technology used by people with disabilities shall be provided.
(f) At least one mode of operation and information retrieval that does not require fine motor control or simultaneous actions and that is operable with limited reach and strength shall be provided.
California Executive Magazine
ADA Amendments May Bring Subtle Change to Cal
October 30, 2008
By Steve Tanner
Amendments making the Americans with Disabilities Act (ADA) much stricter for U.S. employers, signed into law earlier this year, take effect in 2009. But those amendments, for the most part, should have little bearing on employers in California, which has its own equivalent, the Fair Employment and Housing Act (FEHA).
FEHA remains a little more employee-friendly than federal law, which means that little will change in the way Golden State employers handle disability issues. But some labor and employment attorneys say the new amendments may actually spur more lawsuits in California and that they lower the bar for plaintiffs to cite federal law.
The difficult part for employers in defending such cases will be that plaintiffs will be more apt to file suit under both ADA and FEHA.
"The major difference for California employers is that they'll see more ADA claims and they'll be harder to defend," says Irvine-based labor and employment attorney Bob King.
For most states other than California, the amendments are a serious game-changer, says Atlanta-based attorney and ADA expert Myra Creighton, a partner with Fisher & Phillips LLP.
ADA applies to companies with 15 or more employees, while FEHA applies to businesses with at least five employees.
ADA Amendments: On Par with California
The ADA amendments generally broaden how a disability is defined under federal law, overturning a U.S. Supreme Court decision that tightened this definition to include only impairments that "severely restrict" major life activities. In line with California's definition, the ADA will now include impairments that "substantially limit" major life activities, a notion the Equal Employment Opportunity Commission (EEOC) will further define in the
Overturning another U.S. Supreme Court decision, which held that impairments are to be evaluated after considering the effects of "mitigating factors" such as medication or prosthetics, the amendments largely do away with such evaluations.
"The Supreme Court found that if your disability was controlled with insulin, for example, then you're not necessarily disabled," Barer says. "The amendments change this, so that you're still considered disabled."
He says this likely will not include the roughly 75% of Americans who use eyeglasses or contact lenses, also in line with California law.
What's New For California Employers
It remains to be seen exactly how the new amendments will play out in federal courts. But one element of the ADA that may provide more protection than state law for California employees, meaning it would have to be followed, is the inclusion of people who are merely "regarded as" being disabled, says attorney Margaret Rosenthal. Pending guidance by the EEOC will provide more details about this and other amendments.
"I think that 'regarded as' is covered under state law, but the issue under state law is how it is defined and whether or not you are entitled to accommodations," says Rosenthal, a partner in the Los Angeles office of Baker & Hostetler LLP, adding that attorneys are still waiting to see how the ADA amendment will define 'regarded as' and whether it will require
If the EEOC decides that employers do not have to accommodate someone who is merely perceived as being disabled, it could help level the playing field, King says. The "regarded as" claim, he adds, is primarily a plaintiff's
"California law isn't clear in that respect. So you can say, as comparable precedent under the ADA [hypothetically speaking], that you don't have to accommodate employees who are only regarded as disabled," King says.
But if the ADA amendment ends up requiring accommodations or otherwise affords more protection for employees, then it would have the opposite effect, attorneys say.
Increased ADA Claims?
There is some debate whether or not the strengthened federal ADA requirements will indeed trigger more lawsuits for California employers, although attorneys all say the amendments will make it easier for plaintiffs to cite federal law. Another theory is that the sweeping changes in the ADA will generate more attention to disability discrimination, prompting more suits.
"You'll see more people challenging decisions on an ADA basis, even if the law in California hasn't changed," says Jennifer Berman, managing director of the HR advisory consulting and training group at CBIZ Inc. in San Jose.
King says the amendments will give plaintiffs citing both federal and state law more firepower, since the ADA will provide nearly as much protection as FEHA. One likely result, he says, is increased difficulty in challenging claims of an employee's disability status.
"So you'll start seeing more federal claims against California employers," King says. "There was a big initial hurdle, which was to prove whether or not someone is disabled. Now that hurdle is much lower."
Rosenthal says she believes the ADA amendments won't have much of an impact in California, but that plaintiffs in the state might be more willing to file in federal court for "regarded as" claims.
Attorneys also say lawsuits could increase for California companies that have offices in other states.
Employers already compliant with FEHA that have properly trained their supervisors and HR managers are probably in good shape, attorneys
"If employers have good policies in place right now, with regard to accommodations, then I don't think it will affect them too much," says Scott Barer, an attorney based in Woodland Hills, referring to the requirement under both FEHA and ADA to provide reasonable accommodations for
Those that have been lax with respect to their FEHA and ADA obligations, however, should take the opportunity to get back up to speed. Berman says many of the California companies she consults are woefully vulnerable to ADA (and FEHA) lawsuits.
"You look at most policies, and they're just generic," Berman says, suggesting that employers specifically address discrimination under ADA, as well as FEHA, in training and employee handbooks. She says it might also be a good idea to create a separate section on disability discrimination within an organization's anti-discrimination training program.
Berman stresses the importance of providing relatively detailed job descriptions, which are matched against employees' accommodation requests. Attorneys echo the importance of job descriptions as well.
"The best way to prove whether or not someone could do their job is to have a description on hand," says Washington, D.C. attorney Tina Maiolo, a member of Carr Maloney P.C.
King and other attorneys say the new ADA amendments, even if they change little for California employers, are an opportunity to review the so-called "interactive process" of sitting down with a disabled employee and determining what reasonable accommodations would help them meet the job requirements. This process should be documented as well, attorneys say.
"I think where these claims often go awry really is in the interactive process, which often breaks down," King says. "I would use these amendments as a framing opportunity to review the interactive process again. Not just for HR people, but also managers."
Rosenthal says most small businesses in particular often need help analyzing disability issues. Similarly, Barer says it's often money well spent to consult an attorney if a disability issue arises, that business executives and managers should not be expected to become experts on ADA and FEHA but rather
California employers would be wise to review their policies and be prepared for the changes to federal law, but most attorneys say the ADA amendments change little within the state. The amendments take effect on Jan. 1, 2009.