January, 2016 - Information Technology Governance for Executives

Month: January 2016

Foreign IT Workers and The Cultural Divide


by Jeffrey Morgan


Culture Matters

I lived and worked in the Republic of Korea in 1986 and 1987 and spoke half-way decent Korean. I also spent 3 months in Thailand and learned enough Thai to go down to the market and bargain with vendors. I have spent time in other Asian countries as well.

One of the big lessons I learned was that even if you speak the language, cultural concepts and even body language often can’t easily be interpreted or translated using verbal communications. Even talking about basics like the color of an object can be difficult.

Does yes really mean no?

At one point in Korea, I was acting as an interpreter for a meeting between American and Korean General Staff. The two sides couldn’t come to agreement on an issue and the American General blamed the lack of agreement and acquiescence of the Koreans on my abilities as an interpreter. The real problem was cultural rather than a lack of communication or understanding. What I clearly understood was that the Korean General was giving off all the cultural cues that said NO without actually stating it verbally – something he would have considered to be rude. The American General couldn’t comprehend this because American officers are trained to say NO most of the time. Saying NO isn’t necessarily considered rude in our culture. Also, the American General was changing the pre-defined plan at the last minute. Maybe things have changed now, but at the time, that kind of entrepreneurial change of plans at the last minute wasn’t something that would be rewarded in Korean culture, least of all in the military.


Xenophobia vs. Business Decisions

I frequently recommend strategic contracting and outsourcing to my clients, but contracting to people whose native language is not English from halfway around the world is not what I am proposing to them. When I recommend outsourcing, I am suggesting that they contract with a local or regional professional services firm with people who have a shared cultural perspective.

Language isn’t the only problem. Culture can be a huge problem too. This isn’t xenophobia; it’s a business calculation. I have lived and worked all over the United States and the cultural differences between South, North, West, and East are vast. From a cultural point of view, California, New York and Texas are in many ways different countries, but we do share language and, to some extent, culture. Conducting business when all the players don’t share language, culture, and common goals can present insurmountable obstacles.

The high price and hidden costs of cultural collision

I worked on a disastrous project in the late 1990s that resulted in an 8-figure loss to taxpayers and several wasted and frustrating years for hundreds of people. The project was a top-down initiative from the highest levels of state government to implement a state-wide social services case management application. The software development was contracted to a firm from halfway around the world. The entire concept of the project was flawed from inception and the project, stakeholder, and communication management were poor.

The workflow was cumbersome and illogical and I always suspected that the workflow probably made sense if your brain had been wired differently based on language. It was clear that no one had bothered to consult case workers in the field about how they collected, managed, and entered data in the field. Everything was wrong with this project and there was plenty of blame to go around – especially blame for the executive management at the state level. However, communication with the foreign programmers and support personnel was a significant problem. The communication problems were both cultural and linguistic. Even the concept of what constitutes “customer service” has significant cultural ramifications and the idea of “social services” is not something universally understood around the planet.


There are cultural differences between companies as well, even if all the players are native English speakers from your region or your local community. If you are considering strategically outsourcing some aspect of your IT operations, cost shouldn’t be the only consideration. There is a value to cultural compatibility. The company culture of a potential vendor may or may not be a good fit with your organization, even if their office is right down the street. Cultural fit is an essential component of a successful business relationship and determining that fit should be part of your procurement process.

If you need help procuring appropriate contracted services for your organization, send me an e-mail at jmorgan@e-volvellc.com. Read more about IT Governance at http://blog.e-volvellc.com.

 

Copyright © Jeffrey Morgan 2016, 2017


Information Technology Staffing Models

by Jeffrey Morgan


There be more ways to the wood than one, and the methods for managing your organization’s Information Technology needs run the gamut from 100% contracted services to a full-service, in-house IT shop with help desk, software developers, and other support including network and security engineering. All of the variations between these two extremes can work if they are strategically planned. Which one is best for your organization? That depends on your business requirements, goals and objectives, industry, organizational culture, and budget. Key elements that will contribute to whether or not the model you choose is successful include a Strategic Plan and highly specific contracts and service level agreements.

Cost Vs. Value

Before we perform a summary examination of some specific models, let’s stipulate that this is a business project. Cost is important, but so is value. In order to determine which model will best suit your needs, you will have to make your own calculation of the Cost vs. Value equation for your organization.

How Much Does IT Cost?

How much does your operation cost now? And what value is being provided right now? Surprisingly, very few organizations can concisely and immediately answer these questions. IT costs are often buried in departmental budgets and sometimes linked to inappropriate budget accounts. Shadow IT Staff, staff members not technically part of IT but performing IT functions under a different title, are often unaccounted for in a summary of IT costs. Moreover, the cost of IT equipment has gotten so low that much of it is expensed under office supplies or something similar, so it doesn’t show up as a fixed asset or an IT line item. Unless you have very strict accounting rules, it is possible that accurately calculating the cost of IT may be difficult or impossible. This entire discussion might bring up another question: What exactly is an IT cost? Sometimes, the simplest questions are the hardest to answer.

Before we look at specific models, let’s talk about one more thing. What do you want? What are your business goals and objectives? Do you want a Help Desk to answer the phone and provide assistance with applications like Microsoft Office? Does it make sense to pay for that service? Do you require in-house server and network support to get immediate response? Or is a contracted service with a 1 or 4 hour service level agreement good enough? Are you looking for the development of institutional knowledge in-house or can a long term contract provide that security?

The secret to an efficient operation is good management that focuses on quality of service regardless of the model. A Service Level Agreement (SLA) is always required to define the scope and services to be provided by both in-house staff and contractors.

100% Contracted Services

This model is commonly used in small organizations but it can easily scale to relatively large operations. If you choose this model, I would recommend that you separate duties so that the vendor who sells and installs “stuff” is different from the vendor or consultant who is providing direction, design and planning services. In this way, you can eliminate the conflict of interest that may encourage a vendor to oversell or over-spec. Consultative selling is big in the IT market and many vendors who sell solutions will provide honest advice on the best direction to take, but why risk it? Moreover, the sales people and techs whose job it is to sell products and services may not understand the minutiae of your business operations, goals, and objectives, especially if you have highly specialized lines of business.

Contracts in a fully outsourced model may have some combination of a fixed rate for fixed services as well as an hourly rate for additional, incidental services. As with all contracts, close monitoring is required to keep costs in check.

The Technology Coordinator Model

One popular model is the use of a single Technology Coordinator. The position might have different names, but the general idea is that a single employee manages the strategic plan, coordinates services and manages all the contracts. When using this model, it is important to avoid the scope creep that can result from using the Coordinator as a front line fix-it person.

Hybrid Models

Most medium to large entities use some sort of hybrid model that includes a combination of in-house staff and contractors. Again, service level agreements are essential, and the in-house staff can easily grow to gigantic proportions without careful management. I have seen medium sized operations with 20 or more IT FTEs where a few staff members and strategic contracts would have been a more economical and efficient solution. In some industry sectors, a large staff may be justified. However, in something like a typical medium sized municipal operation, a hybrid model with a bias toward contractors makes a great deal of sense. If your contracts are well-written, it is easy to get rid of an under-performing contractor, but eliminating or replacing employees can often be a nightmare.

Full Service Models

If Information Technology is a core business function for you, a full-service, self-contained IT operation may be appropriate, but this scenario is rare if you are truly basing your decision on objective business criteria. Even the largest organizations strategically contract some services. If you are currently responsible for a large, full-service IT operation, maybe it is time to do a cost-benefit analysis of other options.

Some Generalizations

In a medium to large manufacturing operation with a dynamic network, network and security engineers may be required. In a static operation of a similar size, it might make more sense to contract these services since they will rarely be required. In-house software development is similar. Some organizations might require full-time software developers, but for more static organizations, purchasing commercial off-the-shelf software is far more efficient and cost effective than custom software development.

If you require assistance evaluating staffing models for your organization, send me an e-mail at jmorgan@e-volvellc.com. If you would like to read more about IT Governance, check out http://blog.e-volvellc.com.

 

Copyright © Jeffrey Morgan 2016



The Clinton e-mail Scandal as a Failure of IT Governance

This isn’t about partisan politics or law. It is about good, common sense IT Governance. The ongoing revelations of the Clinton e-mail scandal demonstrate a total failure of IT Governance at the highest levels of the US Government. Not only is no IT Governance in evidence, the situation has displayed astonishing hubris, casual disregard for information security, and a massive sense of entitlement of all the parties involved. Common sense, good judgement and even a basic understanding of handling sensitive information seem to be completely absent. Where were all of the tens of thousands of security professionals employed by the federal government? Who was keeping an eye on the ball while all this was going on?

Having served for four years in Army intelligence, I can assure you that had this situation been perpetrated by minions and peons in the military, the culprits would already have been behind bars facing long sentences in military prison. Were similar revelations made about highly regulated corporations required to comply with regulations such as GLBA and SOX, we would have already seen dozens of executives and managers doing perp walks and making plea deals to stay out of prison.

We can’t easily fix what goes on in Washington, but you can take steps to ensure that your organization does not suffer this kind of embarrassment. I hope you are using this as a lesson and an opportunity to review your Acceptable Use, e-mail and information security policies and procedures. Make sure that all your policies, processes, and procedures comply with best practices, applicable regulations, and common sense. And make sure your staff receives annual training on these policies and procedures.

In general, large corporate entities tend to have strict policies because of the enormous quantity of regulatory compliance issues they face. However, many municipal and county organizations have elected or appointed officials who use personal e-mail addresses for conducting official business. There is absolutely no reason for this. E-mail is a dirt cheap commodity and a strict policy on e-mail is likely to prevent embarrassment, civil litigation, or criminal indictments down the road.

Here are some tips for e-mail usage and your policies:

  1. Never, never send confidential information in an unencrypted e-mail. E-mail is not a secure method of transmission.
  2. Never put anything in an unencrypted e-mail that you wouldn’t want the entire world to see. Even if it is encrypted, the recipient may decrypt it and accidentally (or purposely) forward it to EVERYONE. This happens all the time. Moreover, if your e-mail is FOIL’ed or subpoenaed you may find yourself in an embarrassing situation.
  3. Everyone on your staff should be using business e-mail for business purposes, and personal e-mail for personal purposes. Don’t cooperate with bad actors by communicating about a business issue to a personal e-mail account.
  4. Consider an e-mail archiving solution and have it configured to comply with all applicable regulations affecting your operation.
  5. Consider whether or not a DLP (Data Loss Prevention) solution would make sense for your organization.

If you require assistance determining appropriate e-mail and acceptable use policies, send me an e-mail at jmorgan@e-volvellc.com.

Read more about IT Governance issues at http://blog.e-volvellc.com. If you are snowed in and want to read about hubris and entitlement with a real sleaze factor, pick up a copy of Tom Wolfe’s Bonfire of the Vanities.


Copyright © Jeffrey Morgan 2016


Putting Out Fires


By Jeffrey Morgan

While conducting IT Audits over the years, I have often heard end users relating stories about how hard the IT Staff works at putting out fires. Generally, the IT Audit is being conducted because the customer service being delivered by IT is abysmal and the end users know it, but they usually try to find something nice to say about their coworkers. The end users think they are stating something positive to me, but what they are really doing is waving an alarming red flag. Danger, Danger Will Robinson!

In a well run IT operation, putting out fires should be rare. The IT staff should be spending most of their time on routine operations, preventative maintenance, projects, and implementation of a cycle of continual improvement. Putting out fires is a sign that there are problems that may include network infrastructure and configuration issues, improper server and software configuration, improper configuration of end user devices, etc. With proper configuration and preventative maintenance, the systems should be stable more than 99% of the time. There may be other problems as well, such as end user training issues or malfeasance. Root causes surface pretty quickly if you conduct a thorough IT audit and investigate all the potential factors. Well managed IT operations are proactive rather than reactive.

In a stable environment, IT management is not necessarily the most exciting job. Critical tasks in a stable environment include validation of backups, routine administration, reviewing security logs, patch management, disaster recovery planning, and other essential preventative maintenance tasks. Another important task is ensuring that the organizational policies such as the Security Policy, Acceptable Use Policy, SLA (Service Level Agreement), and other governing policies are being complied with. Depending on your industry, regulatory compliance may be a critical task.

Is your system stable, or are your IT people constantly putting out fires? If you have questions about how to fire-proof your IT operation, send me an e-mail at jmorgan@e-volvellc.com.

Copyright © Jeffrey Morgan 2016


Improving IT Customer Service Part 2 – Using a PSA System

By Jeffrey Morgan

Poor customer service is an epidemic in both public and private sector IT organizations. Art imitates life and there is nothing more hilarious than watching skits with Jimmy Fallon playing Nick Burns, Your Company’s Computer Guy. These skits are so funny because they ring true in most people’s life experience. Unfortunately, bad customer service in your organization isn’t anything to laugh about.

Let’s put this in the form of a syllogism – “We have a customer-service problem. Customer Service is the responsibility of management. Therefore, we have a management problem.” As an executive, it is your responsibility to address the management problem. The good news is that you can fix this problem and I will provide you with a high-level overview of one way to do it.

Once you have a Service Level Agreement, you can take the next step in order to improve the quality of customer service being delivered by your Information Technology Department – A Professional Services Automation (PSA) system. As I have previously discussed, no system you purchase will inherently do anything to improve the quality of your services. You must use the system correctly in harmony with other tools such as leadership, training, process, policy and procedure.

Regardless of what type of model you are using to support your IT operation, or the size of the operation, a PSA system is a required tool. These systems are widely available, affordable, and available in SaaS (Software as a Service, aka Cloud) solutions. If you have a small IT Department, or even a 1-man operation, the Cloud solution may make the most sense. Whatever you decide to do, buy one of the commercially available options rather than having a staff member write one in-house. I have seen organizations try this and it never works out. A correctly implemented and configured PSA system can also provide a wealth of other management data that can show you an X-Ray of information management in your organization.

There are 3 basic rules for using a PSA system effectively – with no exceptions.

  1. Everything goes in a ticket. No Exceptions.
  2. Employees must account for ALL of their time in the PSA system. If they work a 40 hour week – 40 hours should be documented in the PSA system. No exceptions. In fact, you may wish to use the PSA system as the time sheet for the IT Staff and only pay them for what they have documented.
  3. Everything (Absolutely Everything!) related to a ticket gets documented in the system. No Exceptions.

Once you have data in the system, it might be worthwhile to have your team along with an expert 3rd party evaluate the system’s reports. There are common problems. For instance, one problem you might find is that some employees require more time than necessary to complete tasks. You might even find some pretty egregious consumption of resources like techs taking 10 hours or more to complete something that should be a 1 hour task. You may not know how long standard tasks require, but you can find an expert who does. Also, you may find that IT staff are performing activities that are not defined in your SLA, thereby wasting precious resources.

You will be able to identify other problems as well. Are there recurring problems with specific users? With specific departments? With a specific piece of software or hardware? How much are these problems costing your organization? Are IT staff members actually causing problems? Do end users require additional training?

Getting from abysmal customer service to a baseline of acceptable customer service may take a while. During the Go Live period for the PSA system, your IT Management should be living in the system. If you have long been suffering bad customer service, the IT management may require considerable coaching and training just to understand what good customer service looks like.

Your staff members may present all sorts of obstacles to such a system. For instance, they may say that it takes too long to document every incident. Like any other skill, it takes practice to thoroughly document your work and activities, but the results are worth the effort.

Another argument you might hear is, “Why don’t the other departments have to document their work?” Many professionals document their time and activities: attorneys, accountants, physicians, consultants, truck drivers, and pilots to name a few. There is no good reason why Tech professionals shouldn’t do so as well. In fact, once you have the PSA system in place and working, you may like the results so much that you will want to start a similar program for other groups, like your facilities staff as one example.

If you would like assistance with implementing a PSA system or with improving the customer service in your IT organization, send me an e-mail at jmorgan@e-volvellc.com. If you would like to watch Nick Burns, take a look here.

Copyright © Jeffrey Morgan 2016


The Twenty Percent Rule

By Jeffrey Morgan

About twenty percent of people are really good or pretty good at what they do. The other eighty percent are mediocre to poor. This rule unfortunately works across all professions – doctors, attorneys, bartenders, auto mechanics, IT people, grocery store clerks, etc. When I need a professional, especially a doctor or lawyer, I try to choose from those in the twenty percent. I really learned this lesson the hard way during my divorce. I only got the right attorney on the fifth try.

If you are a manager or supervisor, you are stuck with this reality.

What puts people in the top 20% or the bottom 80%? Talent, intelligence and aptitude are all part of the equation, but these factors only partially account for great work output. Work ethic and attitude are the factors that really matter.

My parents and many teachers tried to teach me about work ethic in my youth but I didn’t really learn the lesson until I was in the army. Almost thirty years later I still remember my moment of work ethic epiphany. My platoon members and I were all in our Quonset hut at Camp Red Cloud in the Republic of Korea cleaning weapons and I clearly remember Sergeant C talking about work ethic. Always do the best job you can do regardless of whether it is cleaning weapons, cleaning the latrines or performing your mission in the field.

This was only a few days after he went on an epic rampage. He had been away for a few days and when he came back and took a look around, there were a few problems. Someone had left a broom out in the motor pool and someone from another platoon had borrowed a tire from one of our Hummers. There were a couple of other minor infractions. This triggered a screaming virtuoso performance in denigration and excoriation in the most impressively profanity filled reaming I have ever received. We all walked away from the 30 minute (seemed like hours) reaming thoroughly demoralized and totally ashamed. But it made us all better people. It was a lesson that has shaped my life ever since.

Sergeant C was trying to drag us all into the 20% and wouldn’t tolerate anyone in his platoon being part of the 80%. In the current climate of PC and positive reinforcement, Sergeant C’s management style probably wouldn’t be tolerated but it was certainly effective. Giving out gold stars for shoddy performance does no one any good.

If you are a manager, you are stuck with your own staff of 20% vs. 80%, but you can certainly influence those in the 80% to perform better. If Sergeant C could do it, so can you. Have a comment? Need help in improving the quality of output in your organization? Send me an e-mail at jmorgan@e-volvellc.com.

Copyright © Jeffrey Morgan 2016


Introduction to Enterprise Procurement Projects – Part 3 – The Business Process Assessment

By Jeffrey Morgan


What is a Business Process Assessment?

Now that you have established preliminary Goals, Objectives and Criteria for Success for your enterprise project, it is essential to conduct a Business Process Assessment to identify the actual business practices in your organization. When I refer to a Business Process Assessment, I am talking about a comprehensive, objective, and assumption-free evaluation of all the activities, processes, procedures and personnel involved in the production of a specific product such as a payroll run, an accounts payable run, or an AR billing cycle, to name just a few.

An Example

Let’s use payroll as an example. An appropriate assessment might begin with a new pay period and should include the examination of all the tasks, steps, people, processes, procedures and paperwork involved in payroll production. How do departments report time to the payroll office? Is it paper based or automated? How much does it cost your organization to produce a payroll check? How many people are involved? How is the payroll produced? Is all the work done in a single system? Are there spreadsheets and exceptions involved? What reports are produced monthly, quarterly, annually? Are there bottlenecks? Excessive mistakes? Recurring problems? Regulatory compliance issues? Problem departments? Problem people?

Do you really know what your processes are?

You might think you already know all this and you feel you have a solid understanding of how all your departments conduct business. It is often the case at this stage that executives and managers explain to me what they truly believe to be their business practices and processes. These descriptions are frequently completely wrong.

It is difficult to evaluate new systems if you don’t truly understand your current systems. With systems and staff members that have been running unchallenged and unchanged for decades, staff members, supervisors and managers often perform tasks without questioning the underlying processes. A thorough Business Process Assessment identifies and documents all these processes and establishes a baseline for your current business performance.

Getting Started

Surveys, either paper-based or electronic, are a good tool with which to begin, but they are no substitute for direct observation and interviewing staff in each department. One possible approach to conducting a system-wide assessment might be to disseminate surveys first and then conduct department level interviews as the next step.

The final product of the Business Process Assessment should be a detailed report describing current, identified practices, processes and problems. This report should also include suggestions and recommendations for improving the processes going forward.

You may find it difficult to perform an accurate assessment using internal staff. Regardless of how well-intentioned, smart and motivated they are, organizational culture, biases, and assumptions are likely to be an obstacle and the objectivity may suffer. If you would like to discuss any aspects of your Business Process Assessment, or any other part of your enterprise project, send me an e-mail at jmorgan@e-volvellc.com.

Copyright © Jeffrey Morgan 2016

 


HIPAA Security Rule Compliance in Municipal Organizations

By Jeffrey Morgan

I am always astonished by the number of organizations I encounter that are not in compliance with the HIPAA Security Rule (45 CFR Parts 160, 162 and 164). If you are running a County government, for instance, there is a high probability that one or more of your departments are covered entities and have an obligation to comply with this regulation. Human Resources, Public Health, Mental Health, Social Services, the County Jail, the County Home, Probation, Courts, and Child and Adult Protective Services may all be covered entities and may process, store, transmit and manage Protected Health Information (PHI). While many covered entities have complied with the Privacy Rule, my observation has been that many covered entities are not in compliance with the Security Rule. Is your organization in compliance?

Covered Entities

According to the Department of Health and Human Services (HHS), a covered entity is one of the following:

  1. A Health Care Provider
    1. Doctors
    2. Clinics
    3. Psychologists
    4. Dentists
    5. Chiropractors
    6. Nursing Homes
    7. Pharmacies
  2. A Health Plan
    1. Health Insurance Companies
    2. HMOs
    3. Company Health Plans
    4. Government Programs that pay for health care such as Medicare, Medicaid, and Military and Veterans health care programs.
  3. A Health Care Clearinghouse

In the list above, I have highlighted entities that are likely to exist in a municipal government operation. Do you have covered entities in your organization? If so, are you in compliance with both the Privacy and Security Rules? You can view HIPAA as an onerous compliance issue, or you can view it as an opportunity to address critical security issues in your organization. Regardless of how you feel about it, it is federal law and there may be severe consequences and penalties for failure to comply.

A Brief History

The HIPAA Security Rule was adopted in 1996 and the Final Rule was published in 2003. Compliance for most covered entities was required in 2005. After more than 30 years of dealing with organizational security and Information Security Policies for government entities, I have come to the conclusion that the best way to handle HIPAA is to bring the entire organization up to the HIPAA Security Rule standards. Why would I suggest this?

A Solid Foundation

The HIPAA Security Rule provides a pretty good foundation and framework for an Information Security Policy even if you are not a covered entity. There are more than 3000 County governments in the United States and more than 19,000 municipal entities. Many of them don’t have any type of Comprehensive Information Security Policy. Even if you are not managing a covered entity, you should have a solid Information Security Policy. You may not be protecting PHI, but you have plenty of other information that should be protected. In my opinion, the lack of a security policy in an organization responsible for collecting, storing, and managing large amounts of sometimes sensitive public information constitutes organizational malpractice. If you get sued for a catastrophic breach, the courts are likely to agree with this assessment.

Roles and Responsibilities

Who should be responsible for HIPAA Security Rule Compliance or Information Security Compliance in your organization? There is no easy answer to this question, but as the Executive responsible for the organization as a whole, compliance is ultimately your responsibility. At another level, Information Security is everyone’s responsibility. The law has been on the books for 20 years and compliance has been required for the last 11 years. “I didn’t know” is no longer an acceptable response. But maybe you really didn’t know? You have a lot on your plate, but now is the time to fix it.

I will provide you with one possible high level look at how responsibilities might be distributed. First, someone in your organization should fill the role of an Information Security Officer. Depending on the size of your organization, this may only need to be a part time role. Nevertheless, you need a go-to person for problems, policies, issues, and questions about Information Security. Because of conflicts of interest, this role should never be delegated (in my opinion) to a person on the Information Technology staff. Attorneys, or staff members with backgrounds in law enforcement, security, regulatory compliance or investigation, are often good choices for this role.

Privacy Rule issues should probably be handled by individual departments based on their exposure, but there should be some organization-wide privacy policies as well. The HIPAA Security Rule covers physical security, technical and electronic security, and administrative security issues, so those roles will be filled by different, applicable departments or subject matter experts. For instance, compliance with the physical security components may be addressed by someone in your Facilities department.

As far as technical safeguards and full compliance with the Security Rule are concerned, that is a discussion for another article.

Sample Compliance Matrix

In the table below, I have included a sample compliance matrix. If you are a covered entity, or have departments that are covered entities, your Information Security Policy should contain, at a minimum, these elements. Take a look at your policy and see if it measures up.

HIPAA Security Rule Compliance Matrix

R/A column: R = required implementation specification, A = addressable, NA = not applicable. The Policy Reference column gives the section of the sample Information Security Policy that addresses each element. Implementation specifications are indented beneath their standard.

Standard / Implementation Specification                                  CFR Section     R/A  Policy Reference
------------------------------------------------------------------------------------------------------------
Administrative Safeguards (see § 164.308)
Risk Analysis                                                                            R    III.5
Risk Management (R)                                                                      R    III.6
Sanction Policy (R)                                                                      R    III.1
Information System Activity Review (R)                                                   R    III.7
Assigned Security Responsibility (R)                                     164.308(a)(2)   R    III.8
Workforce Security                                                       164.308(a)(3)
  Authorization and/or Supervision (A)                                                   A    III.9.A
  Workforce Clearance Procedure                                                               III.9.B
  Termination Procedures (A)                                                             A    III.9.C
Information Access Management                                            164.308(a)(4)   R
  Isolating Health Care Clearinghouse Function (R)                                       NA   NA
  Access Authorization (A)                                                               A    III.10
  Access Establishment and Modification (A)                                              A    III.10
Security Awareness and Training                                          164.308(a)(5)   A    III.11.A
  Security Reminders (A)                                                                 A    III.11.B
  Protection from Malicious Software (A)                                                 A    III.11.C
  Log-in Monitoring (A)                                                                  A    III.11.D
  Password Management (A)                                                                A    III.11.E
Security Incident Procedures                                             164.308(a)(6)
  Response and Reporting (R)                                                             R    III.12
Contingency Plan                                                         164.308(a)(7)   R    III.13
  Data Backup Plan (R)                                                                   R    III.13.A
  Disaster Recovery Plan (R)                                                             R    III.13.D
  Emergency Mode Operation Plan (R)                                                      R    III.13.D
  Testing and Revision Procedure (A)                                                     A    III.13.F
  Applications and Data Criticality Analysis (A)                                         A    III.13.G
Evaluation (R)                                                           164.308(a)(8)        III.14
Business Associate Contracts and Other Arrangements                      164.308(b)(1)        III.15
  Written Contract or Other Arrangement (R)                                                   III.15
Physical Safeguards (see § 164.310)
Facility Access Controls                                                 164.310(a)(1)   A    IV.1
  Contingency Operations (A)                                                             A    III.13.D
  Facility Security Plan (A)                                                             A    IV.1.B
  Access Control and Validation Procedures (A)                                           A    IV.1.B
  Maintenance Records (A)                                                                A    IV.1.C
Workstation Use (R)                                                      164.310(b)      R    IV.2
Workstation Security (R)                                                 164.310(c)      R    IV.3
Device and Media Controls                                                164.310(d)(1)   R    IV.4
  Disposal (R)                                                                           R    IV.4.B
  Media Re-use (R)                                                                       R    IV.4.C
  Accountability (A)                                                                     A    IV.4.A, IV.4.B
  Data Backup and Storage (A)                                                            A    IV.4.D
Technical Safeguards (see § 164.312)
Access Control                                                           164.312(a)(1)   R    V
  Unique User Identification (R)                                                         R    V.1.A
  Emergency Access Procedure (R)                                                         R    III.18.A, V.1.B
  Automatic Logoff (A)                                                                   A    IV.3
  Encryption and Decryption (A)                                                          A    V.1.D
Audit Controls (R)                                                       164.312(b)      R    V.2.A
Integrity                                                                164.312(c)(1)
  Mechanism to Authenticate Electronic Protected Health Information (A)                  A    V.2.B
Person or Entity Authentication (R)                                      164.312(d)      R    V.2.B
Transmission Security                                                    164.312(e)(1)   A    V.3.A
  Integrity Controls (A)                                                                 A    V.2.B
  Encryption (A)                                                                         A    V.5.B
Breach Notification                                                                      R    VI

If you would like to discuss Information Security or HIPAA Security Rule compliance in your organization, e-mail me at jmorgan@e-volvellc.com. I would be happy to discuss your specific case.

Copyright © Jeffrey Morgan 2016
