Archive for June, 2008

HIPAA Examined

Tuesday, June 17th, 2008

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood, both in its basics and in its application, it’s a great refresher series.

HIPAA Concerns:

  • There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
  • The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
  • Post-HIPAA privacy and security protections need to be adopted in law and in best practices
  • HIPAA compliance was a heavy burden at its inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
  • Staff training and education must be ongoing for new, and old, employees
  • Continue reading about the concerns here.

HIPAA Myths:

  • That it weakened, rather than strengthened, rights to health information privacy
  • HIPAA is all we need in the digital age
  • HIPAA “covered entities” cover every use of personal health information
  • Check out the full examination of these myths here.


Top Secret al-Qaeda Info Left on Train

Monday, June 16th, 2008

A senior intelligence official in the Cabinet Office in the UK is responsible for a serious breach of security after leaving Top Secret documents with the latest al-Qaeda intelligence on a London commuter train. The official has been suspended from his job.

A fellow passenger on the June 10 train found the documents and handed them to the BBC, who then passed them to the police. The envelope contained several pages, stamped “UK Top Secret”, with the latest government intelligence on al-Qaeda and Iraq’s security forces. The documents were also stamped “for UK/US/Canadian and Australian eyes only” and were dated June 5th. The documents were entitled “Al-Qaeda: Constraints and Vulnerabilities” and “Iraqi Security Forces: More or Less Challenged?”

An official investigation is being requested of Home Secretary Jacqui Smith. In light of the events, people are asking:

  • Why were top secret documents allowed outside the office?
  • Why were top secret documents printed (i.e., not encrypted in a data file)?
  • Why were top secret documents read in a public place?

Given the string of serious security breaches by the UK government over the past several months, this only increases the public pressure to understand why security policies are being overlooked repeatedly. The employee in question here had the security authority to remove sensitive documents from the secure office environment if strict protocols were followed – perhaps it is time to ban such document removal altogether.

Via BBC, CNN, Reuters, Times Online

Mobile Data Management Policy

Tuesday, June 10th, 2008

IT Pro put together a great feature on how to create a mobile data management policy. With more smartphones entering the marketplace, more employees will be looking for a way to use this convenient mobile technology for work. But that poses security challenges that businesses must address. So, when it comes to mobile technology (from smartphones to laptops), having a security policy in place is of vital importance to data security.

Your security policy should be generic enough to be easily understood and followed by all employees. An audit of what kinds of devices are currently in use (and what information they’re accessing) is the first step to understanding what kind of security policy you need. The audit will also reveal the operating systems that your mobility security suite will need to manage. After that, you can expect your security policy to include things such as:

  • What to do if a device is lost
  • Incentives for people to report lost devices quickly
  • Which devices can connect to office equipment / data, and which cannot
  • What type of data can be accessed
  • VPN support for mobile devices
  • A procedure to wipe data off of lost devices
  • Secure disposal procedures for old devices
  • Allowance for users to register their own devices, provided the devices are wiped when the employee leaves the company
  • What applications can and can’t be installed
  • Using strong passwords and encryption

A way that you can easily manage smartphones and follow these tips is by using Computrace Mobile. As part of the Computrace suite of products, it uses the same Computrace Agent that lets you inventory your mobile population, and it offers remote data delete capabilities. You can find out more about it here.

An effective mobile security policy will balance the benefits of productivity with costs and data security needs. You can read more great tips here.


Hong Kong Domains Most Dangerous

Friday, June 6th, 2008

McAfee has released a new study that indicates that Hong Kong .hk domain names tend to be the most dangerous / malware-prone on the Web. The ongoing research has found that the virtual threats and risks are always changing, and the .hk domain went from being ranked 28th most risky in 2007 to the top spot in 2008.

The McAfee “Mapping the Mal Web Revisited” report reveals that Hong Kong domains (.hk) and China domains (.cn) rank as the riskiest online neighborhoods. 19.2% of all websites ending in .hk pose a security threat to web users. These sites contained adware, spyware, viruses, spam, excessive pop-ups, browser exploits or links to other red-rated sites. Although the risky sites may use .hk domains, not all of the dangerous sites will be based in Hong Kong – the domain may simply be chosen because it is inexpensive and unregulated. Many of the websites will be in English, regardless of domain.

The .info domain is still the riskiest generic domain, with 11.8% of its sites posing a security threat, which makes it the third most risky domain after .hk and .cn. The safest domains, by contrast, include Finland (.fi), Japan (.jp) and Norway (.no). Finland, holding the top spot this year, has only 0.5% of domains posing security threats.

Other findings from the survey:

  • The chance of downloading spyware, adware, viruses or other unwanted software from surfing the Web increased 41.5% over 2007
  • A Web surfer has a 1-in-20 chance of “hosing” the computer if a file is downloaded at random from the Internet
  • Online adult sites are not more risky than other types of sites on the Web, but when they are bad, they are really bad (in terms of spam & exploits)

Via CNet

Nine Reasons for Technology in Education

Friday, June 6th, 2008

John Page has put together a great article advocating for the use of technology in education. The article outlines nine reasons to adopt technology in the classroom. As it stands, schools sometimes offer laptops and other technologies for use in education without a plan for why they are doing so or how to use them. That leaves teachers with access to technology, but no picture of how to use it.

So, how would education be better by using technology? Here are John’s 9 reasons:

  1. Expansion of time and place - students have limited access to teachers and only in the classroom, but unlimited access to the Internet (for class resources and the Internet at large)
  2. Depth of understanding - learning can become interactive, allowing students to play with simulations of a concept at any time
  3. Learning vs. Teaching – students can pull the necessary materials themselves, rather than learning being pushed on them
  4. New media for self-expression – making a presentation, a podcast, using photos, or running a blog are just some ideas
  5. Collaboration – students can work together on their homework, no matter where they are. Teachers can formalize this, teaching students how to collaborate better in the virtual world.
  6. Going Global - direct dialog and collaboration around the world can enhance the understanding of global cultures
  7. Individual pacing and sequence - students can set their own pace, and follow interests, allowing for customized learning without disrupting class flow
  8. Weight - a laptop is not as heavy as a bag of binders and text books
  9. Personal Productivity - to write, read, communicate, organize and schedule.

As John eloquently states at the end of this paper, “if education is about knowledge and intellectual skills, then information technology lies at the heart of it all.” Technology offers up a new way to learn, and will greatly expand the possibilities of education.

How have you seen, or how do you see, technology affecting education outside of these 9 ways?


10 Reasons Why Your Laptop is at Risk

Thursday, June 5th, 2008

eWeek has published a slideshow of 10 Reasons Why Your Laptop is at Risk that includes guidelines for preventing data loss, ranging from patching your system to common-sense laptop practices.

The 10 reasons are:

  1. Hard Drives Aren’t Encrypted
  2. USB Drives Aren’t Glued Shut
  3. Work-Home Lines are Crossed
  4. End Users Aren’t Security-Aware
  5. Physical Security Isn’t Implemented
  6. The “Duh” Factor is Ignored
  7. Systems Aren’t Labeled
  8. The Eyes Don’t Have It
  9. No-Jack
  10. As the Worm Turns

The ninth item makes reference to Absolute Software’s Lojack for Laptops:

“Like Lojack for laptops, computer tracing programs can track and recover a lost or stolen laptop, and even render a laptop useless from afar.”

For more information on some of the more cryptic slide titles, check out the full slideshow here.


Absolute Software Webinar on June 11

Thursday, June 5th, 2008

Absolute Software will be holding a one-hour webinar on June 11th about Laptop Management and Data Breach Prevention. The webinar will present first-hand experiences of Allina Hospitals and Clinics, including a 75% recovery rate on its stolen computers. Computer manufacturer Lenovo will also discuss best practices for managing laptops.

Learning outcomes include:

  • Gaps in current notebook security programs
  • The importance of remote data delete and theft recovery capabilities
  • Common misconceptions about encryption on laptops
  • How notebooks can be managed when off the LAN
  • How Computrace works on Lenovo notebooks

To register for the webinar, go here


Chris Pirillo Recommends LoJack for Laptops

Monday, June 2nd, 2008

A friend of ours, Chris Pirillo, runs a live video stream fairly regularly. In a live stream he did several months ago, he mentioned Computrace LoJack for Laptops, an Absolute Software laptop recovery service for consumers.
