Archive for February, 2008

Essential Elements of HIPAA Compliance

Wednesday, February 6th, 2008

Navigating the specific compliance regulations of the Health Insurance Portability and Accountability Act (HIPAA) can be daunting. The act requires national standards for electronic health care information at the government and business level.

Tom Walsh, president of Tom Walsh Consulting in Kansas, has identified seven areas of compliance that meet the bare minimum for HIPAA. These are:

  1. Appoint a compliance official
  2. Set standards of conduct in policies, procedures, or guidelines so that people know what the expected behavior is
  3. Train and educate all staff on an ongoing basis, with additional training for specific employees whose jobs require it
  4. Report incidents so they can be corrected and prevented
  5. Establish incident response procedures in the form of a plan and a team
  6. Audit and monitor continually, with an evaluation and validation process set at regular intervals
  7. Apply corrective actions consistently (sanctions, risk management, security controls)

You can read more here or visit our healthcare resources here.


5 Most Stolen Gadgets

Wednesday, February 6th, 2008

It should come as no surprise that laptops top the list of most stolen gadgets. They are small and attractive for black market resale. Switched.com has put together a list of the top 5 most stolen gadgets, and steps you can take to prevent theft, or to minimize its consequences.

The 5 Most Stolen Gadgets:

  1. Laptops - tips include locks, passwords, insurance, encryption and tracking software
  2. Cell phones - use a password, call your cell company to deactivate it, call the police
  3. GPS devices - remove the device and its mount when you park, use a friction mount (so no ring is left visible), also use a password, close car windows, and install a car alarm
  4. Car stereos - remove the faceplate, use a security code, use a car alarm, log the serial number
  5. iPods - use other headphones, conceal the player, be careful where you take it (subways, schools)

Continue reading at Switched for more tips.


New Government E-Collaboration Plan

Wednesday, February 6th, 2008

In other government news, the US and UK governments have created a new e-mail specification to enable secure government electronic collaboration.

The Transglobal Secure Collaboration Program (TSCP) is the result of a collaborative effort between the two governments' defence agencies and their aerospace partners. The TSCP e-mail specification is built on public-key infrastructure: users are identified by digital certificates, and the keys bound to those certificates are used to encrypt e-mail content and to verify its origin and integrity.

Paul Grant, deputy information sharing executive, Information Sharing Office in the office of the Defense Department CIO, stated TSCP is “transforming e-mail from one of the most extensively used but least trusted collaboration capabilities to one that can be trusted with sensitive information. This will serve as foundational for sharing ‘Controlled Unclassified Information’ without mission partners, which certainly includes our suppliers.”

The TSCP Website says that its mandate is to develop secure solutions to “affordably mitigate multi-national compliance and IT security risks inherent in large-scale collaborative programs.” Governments and their contractors will adopt the specification with differing levels of access and classification.

Via intergovworld
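The mechanism described above (certificates that identify users, keys that encrypt content and verify it) can be shown in a few dozen lines. The following Go program is an added example using only the standard library; it is not TSCP code and does not implement the TSCP specification. It constructs two self-signed identities (in a real deployment the certificates would come from a CA the recipient trusts), signs a message body with the sender's key, encrypts it to the recipient's certificate, and shows that a tampered body or an untrusted certificate is rejected. All names, addresses and message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a constructed mail user: a private key plus a certificate that
// binds a name to the matching public key. Self-signed here for the example;
// a real PKI would have a CA issue it.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewIdentity generates a 2048-bit RSA key and a self-signed certificate for name.
func NewIdentity(name string) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it acts as its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// TrustStore is the set of certificates a recipient accepts as roots.
func TrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	return pool
}

// Sign produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of body.
func (id *Identity) Sign(body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, id.Key, crypto.SHA256, digest[:])
}

// Verify checks that the sender's certificate chains to a trusted root and that
// the signature matches body; it returns the verified sender name.
func Verify(sender *x509.Certificate, roots *x509.CertPool, body, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sender.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := sender.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type %T", sender.PublicKey)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not match content: %w", err)
	}
	return sender.Subject.CommonName, nil
}

// EncryptFor encrypts a short body to the holder of the certificate's key with
// RSA-OAEP. S/MIME would encrypt the body with a symmetric key and wrap only
// that key with RSA; direct RSA keeps this example small.
func EncryptFor(recipient *x509.Certificate, body []byte) ([]byte, error) {
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", recipient.PublicKey)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}

// Decrypt recovers a body produced by EncryptFor using the matching private key.
func (id *Identity) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.Key, ciphertext, nil)
}

func main() {
	alice, _ := NewIdentity("alice@agency.example") // constructed sender
	bob, _ := NewIdentity("bob@supplier.example")   // constructed recipient
	roots := TrustStore(alice.Cert, bob.Cert)
	body := []byte("Constructed message: contract schedule attached.")
	sig, _ := alice.Sign(body)
	ct, _ := EncryptFor(bob.Cert, body)
	pt, _ := bob.Decrypt(ct)
	who, err := Verify(alice.Cert, roots, pt, sig)
	fmt.Printf("decrypted=%q signer=%q err=%v\n", pt, who, err)
	_, err = Verify(alice.Cert, roots, []byte("altered body"), sig)
	fmt.Println("tampered content rejected:", err != nil)
}
```

The trust store is the part that does the real work: a certificate carrying the right name but not chaining to a trusted root fails in Verify before the signature is even checked, which is why the quoted claim that e-mail "can be trusted with sensitive information" rests on who issues the certificates, not on the signature math alone.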

New Federal Desktop Security Standards

Wednesday, February 6th, 2008

A new desktop security mandate has taken effect at the Federal level. The Federal Desktop Core Configuration standard (the FDCC) requires government agencies to apply and maintain standard security settings on all desktops and laptops.

The FDCC standard limits users' ability to change the configuration of their desktops. It was created to return control to administrators and to keep systems more secure. All desktop computers will need to support the standard secure configurations for Windows XP and Vista.

All agencies were to have this plan in place by February 1, with desktops (and laptops) configured by the end of the month. Agencies will need to monitor the endpoint configurations and report on them regularly.

To support the new FDCC standard, the National Institute of Standards and Technology has developed the Security Content Automation Protocol (SCAP), which vendors can build into their products to check and report on configuration settings.

You can read more about the FDCC here – the FAQ section is particularly useful. And you can read more about the SCAP here.

Via Network World

Davidson Companies Data Breach affects 226,000

Wednesday, February 6th, 2008

Who Breached: Davidson Companies
Number Affected: 226,000
Information breached: Social Security Numbers, bank account numbers
How: hacker

A hacker has attacked a database at Davidson Companies and obtained the names, Social Security Numbers and account numbers of 226,000 clients of the Great Falls financial services firm. No information has been provided on the period over which this data was accessed.

Davidson Companies spokeswoman Jacquie Burchard says that the hacker did not gain access to any bank accounts. However, the risk of identity theft and fraud persists.

“Despite our efforts to safeguard client information, a computer hacker using sophisticated techniques illegally accessed a database and obtained access to confidential client information,” said William A. Johnstone, Davidson Companies president and CEO.

Clients have been sent letters asking them to pay attention to unusual activity in their bank accounts, monitor for unauthorized charges on credit cards, and place fraud alerts on their credit files. Credit monitoring is being offered for one year. More information for clients can be found here.

Davidson proactively hired a penetration testing company in September 2007, and those ‘hired hackers’ found no holes. Unfortunately, some means of access has been found since then. The company's response has been up-front about the stress and uncertainty this causes clients.

Via Great Falls Tribune & InformationWeek

Lobbyists may kill Indiana Breach Legislation

Wednesday, February 6th, 2008

Less than a week ago, we reported that California had expanded its notification law to cover medical information. Now, another piece of data breach notification legislation being considered by the Indiana State Senate is facing heavy pressure from industry lobbyists.

Microsoft, AT&T and Verizon have teamed up to kill the pro-consumer legislation, bill 1197, currently under consideration. The bill would require that every breach of unencrypted data affecting one or more consumers be reported to the Attorney General, who would then publish all breach records on a public website. It would make Indiana the only state to publicly report each breach. New Hampshire currently posts breaches online, but it is not compelled to do so by law.

CNet reported this story with much criticism of the companies trying to stop this bill. An AT&T image is captioned with this snarky comment: “consumers should be kept in the dark–oh, and we kick puppies too.”

In a State Senate meeting yesterday, the lobbyists claimed that the online reports would give phishers ammunition for more attacks (for example, e-mailing consumers the real link alongside a link to an attack site). After a year of publishing reports, the state of New Hampshire has seen no connection between them and phishing attacks. Breach compilation sites such as Attrition.org have not experienced phishing problems either.

Aside from these contentious points, the legislation would tighten existing notification requirements. For example, a company whose computers are password-protected is currently not required to report a breach; under the new bill, only encryption of the data would qualify for that exemption.

Continue reading more here from CNet’s Chris Soghoian, who helped to spearhead the creation of this new bill.
