Archive for March, 2009

HITRUST Releases Security Framework

Monday, March 9th, 2009

A group of over 60 companies in the health care industry came together last year to create a set of security and privacy best practices that go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Trust Alliance (HITRUST) consortium this week released a Common Security Framework (CSF) “for industry in commitment to greater electronic health information protection and growing regulatory compliance.”

“Until now, the lack of widely accepted information security standards has kept many providers on the health care IT sidelines, and has been a source of apprehension for many patients when it came to electronically sharing their medical information… the HITRUST framework should help accelerate the adoption of technologies that will dramatically improve the safety and efficiency of America’s health care system.” – Randall N. Spratt, Chief Information Officer and Executive Vice President, McKesson

The CSF is a certifiable framework that provides healthcare organizations with structure and clarity around information security, something that matters more and more as health information moves online and data becomes more portable.

The framework is based upon recognized standards such as COBIT, NIST and ISO 27001. It is meant to scale according to the type, size and complexity of the organization and follows a risk-based approach that can evolve with the needs of the industry and changes in the regulatory environment.

The stimulus bill that was passed in January in the U.S. called for the computerization of health care records within 5 years. The legislation contained stringent privacy and security controls above and beyond HIPAA, just like the new HITRUST CSF does.

Via SC Magazine

Newscast – LoJack for Laptops Leads Police to Thousands in Stolen Items

Thursday, March 5th, 2009

An Albuquerque news station recently reported on a LoJack for Laptops success story, after the laptop security solution led police to the three suspects who had allegedly stolen over $40,000 worth of items in a home burglary. Click here to view the complete newscast.

Learn more about the Absolute Theft Recovery Process.

Please note that indictments and criminal complaints are merely unproven accusations and the accused, in all cases, are presumed innocent until proven guilty.

Breach News: Heartland & More

Thursday, March 5th, 2009

Following on the heels of the Heartland Payment Systems breach that affected as many as 100 million credit cards, 3 arrests were made. The arrests followed the 3-month investigation into a stolen credit card ring. The arrests were for men caught using stolen credit card numbers at local WalMart stores. Apparently the Secret Service has a suspect in the Heartland data breach, someone outside North America.

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) were accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.


Data Breaches Under-Reported by Factor of 100

Wednesday, March 4th, 2009

A study released by J. Campana & Associates indicates that data breaches reported in the US may be under-reported by a factor of 100.

The report examines how information has been compromised in the private, public and volunteer sectors from 2005-2008. The report, which shows the risk factors of data breaches per sector, indicates that the vast majority of data breaches reported are from medium and large enterprises. However, these enterprises may be dwarfed by the smaller entities not reporting data breaches.

These smaller entities, with significantly fewer resources and less governance, are highly vulnerable to data loss and may not have the ability to detect or report breaches that do occur. Additionally, mishandling of physical documentation (vs. data) often goes unreported. The author suggests that the 1,100 reported data breaches may be as high as 110,000 in reality.

“For example, the smallest units of local government comprise more than 90% of government yet this subsector only reported one breach in four years.”

The data also indicates that though the private sector makes up 94% of all enterprises in the US, it accounts for only 37% of the reported data breaches. The public sector accounts for 55% of all breaches. The major breach type in most sectors involved laptops: 60% of all breaches involve the loss, theft or improper disposal of computers and other devices.

Large data breaches, the “mega breaches”, accounted for less than 2.5% of the 1,100 breaches. However, these breaches accounted for 85% (230 million) of all profiles compromised. The author of the report points out that sensational data breaches are alarming, but we need to be just as concerned with the average data breach, what it looks like, how to detect it, and how to prevent it.

Learn more about “Data Breach Risk Factors 2005-2008: An Information Security Risk Management Resource Guide for Security and Risk Professionals” here. The 55-page report is not free.

SBTV Recommends LoJack for Laptops

Wednesday, March 4th, 2009

SBTV recently aired a segment about Absolute Software’s consumer laptop security suite, LoJack for Laptops. The video was made at CES 2009. The host, Mario Armstrong, describes how LoJack works and how important it is to think about protecting your technology devices.

Armstrong also points his viewers to Absolute’s Computrace product for corporate customers looking for even more laptop security solutions.

How to Configure Facebook Privacy Settings

Monday, March 2nd, 2009

This week, British Columbia had its first ever Anti-Bullying Day. All across BC, people wore pink to stand up to bullying – both online and offline. 1 in 4 youth in British Columbia have been victims of cyberbullying and 1 in 5 have bullied others! 80% say people bully others online because it’s easier to do. Read more here.

We’ve talked in the past about social networking, privacy and cyberbullying, with Facebook often cited as a platform used by cyberbullies.

Today I stumbled across a video about how to configure your privacy settings on Facebook – a video teachers may wish to share with their students, or parents with their kids:

For resources on bullying for parents and teachers, check out the list available on the BC Ministry of Education.

Via SafeKids
