Group items tagged

Paperwork containing the personal medical information of at least 66 patients at Massachusetts General Hospital was lost this month when an employee apparently left it on an MBTA train. The hospital sent out letters last week to patients whose identities were included in the lost paperwork, telling them the information listed their names and dates of birth, and private medical information, including their diagnoses and the name of the provider with whom they met. The material constituted billing records for patients who attended the hospital's Infectious Disease Associates outpatient practice on Fruit Street on March 4. Deborah A. Adair, the hospital's privacy officer and director of health information services, said in a statement released yesterday that while the incident was regrettable, the hospital followed privacy laws by immediately alerting affected patients and authorities, including the state attorney general's office and the Department of Consumer Affairs and Business Regulation. "[Hospital] police and security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again," Adair said. "Our information privacy and security policies and procedures are among the strongest in the healthcare industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this." According to hospital security reports, a manager in the infectious disease center's billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became "the poster child of data breaches," said Kathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response. As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data. "We have a culture of report, report, report," Maginnis said at the recent FOSE conference in Washington. The incident response program received a perfect score last year in the VA inspector general's Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year. The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws. The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago. Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that. According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced. The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law. Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.

Four HIV-positive patients whose records were left behind on an MBTA train by a Massachusetts General Hospital employee are suing the hospital, claiming their privacy has been breached. In March the hospital notified 66 patients who received care at its Infectious Disease Associates outpatient practice that billing records bearing their names, Social Security numbers, doctors, and diagnoses had been lost by a manager who was riding the Red Line. She had brought the paperwork home for the weekend, but left it on the train when she returned to work the morning of Monday, March 9, according to hospital security reports. Last week two patients who are HIV-positive filed a suit in Suffolk Superior Court against the hospital and the unidentified billing manager. The unnamed plaintiffs have been joined by two other HIV-positive people. The legal action was first reported in the weekly newspaper Bay Windows. Their lawyer, John Yasi of the Salem law firm Yasi and Yasi, said in an interview he has filed a motion to make the suit a class action that could cover all 66 patients, a significant number of whom are also HIV-positive. "The damages that jump out are the emotional distress surrounding the loss of obviously very sensitive medical information and secondarily the loss of personal security information," he said. "A Social Security number in reality may lead to identity theft, which we all know is a nightmare."

The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time. Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement." What's more, a remarkable 83 percent of survey respondents (see the "Methodology" side bar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn. At many companies, GRC is about much more than compliance these days.

Joshua Corman would seem an unlikely critic of IT security vendors. After all, he works for one. Yet Corman, principal security strategist for IBM's Internet Security Systems division, is speaking out about what he sees as eight trends undermining the ability of IT security practitioners to mount an effective defense against online outlaws. Having worked for the vendor side, Corman says he is uniquely positioned to grasp its weaknesses up close. And so, with a PowerPoint presentation on the "8 Dirty Secrets" of the market in hand, he has traveled to seminars and worked the phones, hoping to motivate a change for the better. Here is the breakdown of those 8 dirty secrets and what Corman sees as practical ways to keep the vendors honest. [Related podcast: The Dark Side of the Security Market] Click here to find out more! Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer This is the problem that leads to the seven "dirty secrets" that follow. In essence, Corman said, the goal of the security market is to make money, not to ensure the customer's security. Tom Vredenburg, regional IM manager for Houston-based Wartsila Corp., said Corman's take is consistent with what he has experienced in the trenches. "Not only has security become a phantom deliverable, but the vendors themselves have become equally tough to pin down and evaluate. Are they software sellers or risk managers? Are they service providers or network designers? Am I buying partnerships or licenses? Most of them don't know themselves what they are -- only that they need to sell something that most people don't really want to buy in the first place -- insurance."

It's been repeatedly said that one of the biggest issues our culture is facing right now, and will continue to face in the years to come, is defining and coming to terms with the legality behind privacy issues. As our lives become increasingly wired, connected and monitored privacy becomes an increasingly pressing concern, especially since technology changes much faster than laws can keep up with. While privacy issues are important for adults to be aware of right now, from access to medical records to who can see into our houses, it's probably even more important for the next generation to know what the issues are and how it does and will affect them in the future. Prying Eyes: Privacy in the Twenty-First Century by Betsy Kuhn is a book written for teens and older kids about privacy issues today in America. It looks at new and developing technologies from cameras to RFID chips, the significant laws and court cases throughout our history that have dealt with privacy issues, and how it affects each of us. Kuhn does an excellent job of keeping her subject relevant, but not too focused. Kuhn manages to show how all of these issues matter and affect us without being scary. She never turns technology, corporations or even the government into something frightening. When this is a topic that could easily have been made scary, it's nice that Kuhn managed to walk that line and make this serious without being something to obsess over.

A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is using IRC, but botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick.

Internet scams, phishing, identity theft and other attacks that exploit your personal data are always a threat when you shop online, set up an email account, use a credit card, manage an online bank account or carry your Social Security card. There is hope, however, for fighting these threats, and you can start by taking back control of all of your personal data. The 50 tips and tools in this list will help you understand how these scams originate, how to protect yourself online and offline, and how to track down your personal data on the Internet. Web Privacy Protect yourself and your data online by choosing a secure Web browser, understanding the dos and don'ts of wireless security, and correctly managing passwords.

Federal Communications Commission Chairman Julius Genachowski will unveil in a speech on Monday new proposals that would force Internet providers to treat the flow of content equally, sources familiar with the speech said on Friday. The concept, referred to as net neutrality, pits open Internet companies like Google Inc against broadband service providers like AT&T Inc, Verizon Communications Inc, and Comcast Corp, which oppose new rules governing network management. Advocates of net neutrality say Internet service providers must be barred from blocking or slowing traffic based on content. Providers say the increasing volume of bandwidth-hogging services like video sharing requires active management of their networks and some argue that net neutrality could stifle innovation. "He is going to announce rulemaking," said one source familiar with his speech about broadband, to be delivered at the Brookings Institution, a public policy think tank. "The commission will have to codify into new regulations the principle of nondiscrimination." The FCC could formally propose the rules aimed at applying to wireless and landline platforms at an open meeting in October.

"Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a data security risk for companies. Retailers that hire temporary help need to keep a watchful eye on them to reduce the risk of data compromises, said Bob Russo, general manager of the PCI Security Standards Council. The council oversees the implementation of mandatory security standards for protecting credit and debit card data across the payment industry. With many retailers hiring temporary workers to handle extra business, vigilance is key, Russo said. "Management needs to hover at this time of the year, especially with temps," he said. Temporary workers who handle credit card data or are involved in any form of payment processing need to follow appropriate security procedures. Proper access controls also need to be in place to prevent temporary workers from gaining access to other systems, he said."

"Forrester often gets inquiries such as, "What requirements should we keep in mind while developing our disaster recovery plans and documents?" and, "Which strategies work best for managing our disaster recovery program once it's in place?" "

If you can't measure it, you can't manage it. If you don't even know what it is...

Even IT professionals are confused about what constitutes Web 2.0, according to a survey released Wednesday by web security vendor Websense and research firm Dynamic Markets. According to the survey, of 1,300 information technology managers across 10 countries, 17 percent of respondents correctly identified all the items on the survey that can be considered Web 2.0. IT administrators commonly identified the "obvious" Web 2.0 sites -- such as the social networking sites Facebook and LinkedIn, Dave Meizlik, director of product marketing at Websense, told SCMagazineUS.com on Tuesday. They also commonly identified blogs and micro blogs, such as Twitter, as Web 2.0. But, respondents less frequently identified other sites as Web 2.0, including iGoogle and Wikipedia, Meizlik said. Only half of respondents identified video uploading sites, such as YouTube, as part of Web 2.0, the survey found. David Lavenda, vice president of marketing and product strategy at security vendor Worklight, told SCMagazineUS.com on Wednesday that IT administrators know they need to secure the enterprise from Web 2.0 threats, but are not always sure what those threats are. "When you go to organizations where security is really important -- financial and government organizations -- and ask, 'What's your fear of Web 2.0?,' they say, 'I really don't know, but we hear enough stories of people being compromised that we don't want to take a chance.' That's the most common answer." Lavenda said.

You can't ignore the presence and usage of all the myriad forms of instant messaging, social networking and blogging. The millennial generation won't thrive in companies where Facebook is banned or texting is frowned upon. They think and work so differently from their baby boomer managers that generational clashes are inevitable. The Security Executive Council and CXO Media, producer of CSO Perspectives and CSO magazine, are partnering to probe attitudes toward collaborative technologies like IM and social networking. By participating you will receive a research report based on this survey. Definition of web 2.0 apps: The term "Web 2.0" describes the changing trends in the use of World Wide Web technology and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of the web. Web 2.0 concepts have led to the development and evolution of web culture communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies. (Wikipedia)

These were developed for boards, but they would probably be a good basis for questions auditors could ask as well.

Today's post discusses the relationship between strategy, leadership, and vision, 3 processes normally associated with senior organizational members. The majority of employees in mid to large sized corporations spend their time in tactical pursuit of short-term goals set by managers. Rather than

"The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The incident was reported to NARA's inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA's practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America's record-keeping agency."

"Consumers are often oblivious to the fact that some businesses share a great deal of their personal information with other businesses who deliver targeted behavioral advertising, says Anzen analysts Megan Brister and Jordan Prokopy. In an e-mail interview with IT Business Edge editor Lora Bentley, Brister and Prokopy say most consumers are just not aware of the business practices of companies that use personal information for profit. The Federal Trade Commission recently held meetings with consumer and privacy advocates, business and government leaders to discuss privacy, regulatory, and business issues of online behavioral advertising. It plans plan to ramp up efforts to protect consumers and possibly push for tougher legislation to protect consumers. One issue, Brister and Prokopy say, is the lack of transparency by companies that engage in behavioral advertising. These companies have been slow to adopt clear data-management policies and even when they do have policies, they are often written in language that is difficult to understand. Fortunately for consumers, some type of regulation appears to be on the way. The FTC appears eager to penalize businesses who lack transparency regardless of whether the consumer actually experienced any real negative effects as a result, Brister and Prokopy say."