Cybersecurity: Safeguarding Personal Identifiable Information (PII)

Cybersecurity is a hot topic nowadays. With more threats – and more regulations to counter those threats – becoming a reality, it is crucial for businesses of every size, from small to large, to start planning a cybersecurity program.


Dentists and Physicians are targeted too!

People tend to believe that only large corporations are at risk of breaches, which is not true. Yes, larger companies are targeted more often; however, small businesses and dental and physician offices are more vulnerable because their IT security budgets are small or non-existent. In fact, dentists and physicians are increasingly targeted because of how much information an attacker can obtain with minimal effort.


As stated in a Dentist iQ article:

Many dentists believe that cyber criminals are not a threat to their small dental offices. However, when choosing between a large corporation or bank with security teams and firewalls, or a dental office with no firewall or security team, a dental practice will become the target. In fact, many hackers specifically target small dental offices because they believe small businesses don’t have the resources for sophisticated security devices and do not enforce employee security policies.


Cyber criminals striking gold

Personal Identifiable Information (PII) is gold to cyber criminals. As stated by Medical Economics, “To criminals, your practice’s most valuable asset isn’t a high-tech medical device or a pricey piece of diagnostic equipment. It’s your patient records.” Physicians and dentists maintain plenty of patient records, which contain PII. This information allows cyber criminals to steal patients’ identities. Identity fraud is steadily growing, with 2016 a record year. According to the 2017 Identity Fraud Study released by Javelin Strategy & Research, $16 billion was stolen from 15.4 million U.S. consumers in 2016.


Better practices

To combat cyber criminals, dental and physician offices need to implement better practices. There should be policies and procedures in place for the protection of patient records. There should also be controls in place to govern the security of applications and third-party vendors that either maintain or have access to patients’ PII. Examples of areas your IT controls should cover are password complexity, firewall settings, and third-party vendors’ security environments. Lastly, dental and physician offices should consider seeking assistance from third-party advisors to assess their cyber risks.


By Shanee Yelder


Oberman, S. J., Esq. (2015, February 24). Cyber security new necessity for dental practices. Retrieved May 22, 2017, from
Pascual, A., Marchini, K., & Miller, S. (2017, February 01). 2017 Identity Fraud: Securing the Connected Life. Retrieved May 22, 2017, from
Pratt, M. K. (2016, June 25). How cyberattacks can impact physicians. Retrieved May 22, 2017, from

NAIC Cybersecurity Panel Asked to Consider Using New York Rule After Draft Fails to Gain Consensus

DENVER – After three attempts at developing an insurance data security model act that failed to gain consensus, the chairman of a National Association of Insurance Commissioners panel said he’s listening to all suggestions — including New York’s new cybersecurity rule.

New York Insurance Superintendent Maria Vullo, speaking at the NAIC’s Spring National Meeting, asked the cybersecurity working group to accept New York’s rule as the panel prepares for another round of deliberations. Panel Chairman Raymond Farmer, South Carolina’s insurance director, told Best’s News Service, “everything’s on the table.”

New York’s cybersecurity rule took effect March 1. Vullo said the cornerstone of the rule is a periodic risk assessment of information systems, which includes an annual penetration test of a covered entity’s information system based on risk, as well as biannual vulnerability assessments. The rule requires insurance companies and other financial services institutions to establish and maintain cybersecurity programs. Companies will hire a chief information security officer responsible for implementing and overseeing the program and enforcing cybersecurity policies (Best’s News Service, Feb. 17, 2017).

David Provost, deputy commissioner of Vermont’s captive insurance division, suggested the panel move forward in an area of little disagreement between New York’s plan and the working group’s latest draft: the requirement to have cybersecurity plans in place. Provost urged that this part of the panel’s work be advanced quickly so the group can then deal with differences over notification processes and what constitutes a breach.

Vullo noted differences between the New York rule and the latest working group draft. She said the NAIC draft’s baseline requirement, to institute the information-sharing practices in the federal Gramm-Leach-Bliley Act, was inadequate. Vullo said the New York rule does not conflict with the federal law.

She said New York’s rule requires notices of significant cybersecurity events within 72 hours of a determination the event is material and reportable. But the NAIC model requires notice of data breaches within three days of determining that a breach may have occurred. “We believe that ‘may’ is too vague to be workable in practice, leading to confusion over what is required to be submitted,” Vullo said. “And also quite frankly, as a regulator, I don’t want to get a lot of junk.”

She said the NAIC model encourages institutions to protect personal information by encryption or other means for wireless data transmitted or on a public network for all nonpublic personal information stored on a laptop or other portable devices. She said New York’s encryption requirements are more specific, while continuing to be risk-based. New York requires a risk-based determination on what should be encrypted and that a chief information security officer review and approve any alternative compensating controls to ensure they are effective if the institution chooses not to use encryption.

Vullo said New York does not specifically require institutions to notify consumers in the event of a breach, but the rule does require institutions to have an incident-response plan that provides for notifying consumers as appropriate and notifying regulators after a determination of a material event or breach.

“We’ve tried three times and we’re not there just yet, so this is a good regulation to consider,” Farmer said.

Comments on the working group’s latest draft and on the New York regulation are due by April 17 to a drafting group headed by Rhode Island Insurance Superintendent Beth Dwyer. A new revised draft is expected the following week, in advance of a May 9 conference call to discuss it. “Our focus is getting more narrow and more concise,” Farmer said, adding he hopes the committee might be able to take a vote on the next draft.

(By Thomas Harman, Washington Bureau manager, BestWeek)


Shen Yun, Work of Art or Weapon Against Communism?

Is Shen Yun’s business model the wave of the future for exposing political unrest? Shen Yun, one of the most amazing shows of our times, combines 5,000 years of Chinese history with song and dance. However, the show is not permitted in China because of the artists’ depiction of Chinese politics. Is Shen Yun a work of art, or a carefully designed weapon against communism?

George Sawyer, self-proclaimed esoteric Taoist and responsible hedonist, commented:

“Shen Yun seems to be part of the propaganda arm of Falun Gong / Falun Dafa, a religious group that openly and publicly challenged the political power of the Chinese government and has paid a terrible price.

Falun Gong seems to have quite a reputation as a cult, and has received lots of terrible press.  They are being persecuted by the Chinese Government. While Falun Gong says it’s about religion, it seems to me to be about politics.  Their Wikipedia page – Falun Gong – seems quite neutral, and side-steps the “cult” issue.  The best English language account I’ve found of their dispute with the Chinese government is David Palmer’s book, “Qigong Fever: Body, Science and Utopia in China”

Here is a snippet from an article about recent performances:

Shen Yun at Lincoln Center: Truth on Falun Gong

…. If Shen Yun is a good representation of classical Chinese dance and historical costumes then female representation is on the VERY demure side. All the dancers wore floor length skirts and high necks and sleeves. I don’t think I saw one thigh or chest. Sex appeal there was none. Artistry yes. But then the show took an unexpected turn. Suddenly there was this heavy-handed spiritual preaching about the religious group Falun Dafa and how to achieve salvation and truth through the Dafa. On top of the terrible lyrical translation projected on the screen about this new religious movement in China (founded in 1992), there were quite a few skits re-enacting the persecution of Falun followers in China by the government – represented by dancers wearing all black with a bright red sickle and hammer emblem on their backs.

The reviewer goes on to say that except for the “preachy parts” the performance was enjoyable.

Based on the experiences of friends with Falun Dafa and based on what I’ve read, especially from the qigong community, I steer clear of them.”

On a much lighter note, here are my comments about the show,

How Remote Business Consulting is Changing Business


I own a car.

In fact, I own two. But I don’t tinker with my own vehicles, mostly because I can’t afford the tools, the time or the brain-power to know what is needed across two makes and models. Not only that, but I am so used to my own vehicles, and the way they run, that I overlook glaring issues any new observer might easily recognize.

That is why I take my cars to a mechanic.

Now, you probably think that everything is running smoothly in your small business. You might be right. But even a well-oiled machine still needs a mechanic to run diagnostics, check levels and red-line it for good measure. After all: how do you know that you’re headed in the right direction for the fiscal report? And are you sure the Six Sigma launch you had that potluck around has really made a difference? No matter how well you think you’re doing, you need a check-up.

That is why you need a business consultant.

Business consulting is like car maintenance. For over ten years business consulting has been a staple in any company worth its weight. The consultant is your mechanic, there to fix and prevent process issues. But more than that: they should make you more money. A good mechan—er, consultant will bring changes that translate into a fatter bottom line… But don’t go hiring any old schmuck in a suit. Read on.

Despite a good run since ’03, there was a plateau in business consulting about 4 years ago, mostly due to costs and office politics (it seems businesses don’t like tinkering on themselves). Internal consultants and managers are too close to the problems to effect real change. This produced lackluster results, causing business consulting to level out in 2009 (along with everyone’s 401k…) when companies were scrutinizing every penny.

Another thing that makes having an internal business consultant a gamble is that there is no way to quantify their profitability. Another person on payroll can easily get lost in the shuffle come payday. Not to mention: certain companies were nothing but consultants. And we all know how that crooked E made everyone a little wiser if not a little more fearful.

By now you’re probably saying: “but I thought you said business consulting was a good thing?!” And it is, only not in the form it has taken in the past. After 2009 internal consultants thinned out. But the ever-present need for checking under the hood brought the next wave in consulting: the remote business consultant.

Having a remote business consultant is like having a dealership mechanic come to your garage.

The consultant from outside can see things that you and your team can’t. He or she is above the cultural radar, so corporate politics and office issues won’t skew the results of their work. A remote consultant can bring change management assistance, implement new technology more effectively, and bring a host of new methodologies and a fresh perspective, all to help your business become more efficient and profitable. And best of all: as with most contractors, you can tell where they have earned their keep.

If you want to learn more about business consulting or get your engine checked out; go to