Home/ CIPP Information Privacy & Security News/ Group items tagged Policy

Karl Wabst

Obama's $80 Billion Exaggeration - WSJ.com - 0 views

  •  
    Last week, President Barack Obama convened a health-care summit in Washington to identify programs that would improve quality and restrain burgeoning costs. He stated that all his policies would be based on rigorous scientific evidence of benefit. The flagship proposal presented by the president at this gathering was the national adoption of electronic medical records -- a computer-based system that would contain every patient's clinical history, laboratory results, and treatments. This, he said, would save some $80 billion a year, safeguard against medical errors, reduce malpractice lawsuits, and greatly facilitate both preventive care and ongoing therapy of the chronically ill. Following his announcement, we spoke with fellow physicians at the Harvard teaching hospitals, where electronic medical records have been in use for years. All of us were dumbfounded, wondering how such dramatic claims of cost-saving and quality improvement could be true. The basis for the president's proposal is a theoretical study published in 2005 by the RAND Corporation, funded by companies including Hewlett-Packard and Xerox that stand to financially benefit from such an electronic system. And, as the RAND policy analysts readily admit in their report, there was no compelling evidence at the time to support their theoretical claims. Moreover, in the four years since the report, considerable data have been obtained that undermine their claims. The RAND study and the Obama proposal it spawned appear to be an elegant exercise in wishful thinking. To be sure, there are real benefits from electronic medical records. Physicians and nurses can readily access all the information on their patients from a single site. Particularly helpful are alerts in the system that warn of potential dangers in the prescribing of a certain drug for a patient on other therapies that could result in toxicity. But do these benefits translate into $80 billion annually in cost-savings? 
The cost-savings from avoi
Karl Wabst

FTC Privacy Initiatives - Section 5 FTC Act Unfairness & Deception - 0 views

  •  
    Enforcing Privacy Promises: Section 5 of the FTC Act A key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers' personal information. To respond to consumers' concerns about privacy, many Web sites post privacy policies that describe how consumers' personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.
Karl Wabst

Google Bats Away Suggestion Of Ad Conflict With Google Health - The Channel Wire - IT C... - 0 views

  •  
    It's often the security issue that dogs Google, Microsoft and other purveyors of personal health records (PHR): How will so much personal medical data be kept safe? A tangential question for Google, however -- one that has dogged the search giant since its Google Health offering was first made available in May 2008 -- is whether Google's search-based advertising platform creates a conflict with storing personal health data. Speaking at the Mastermind Session at Everything Channel's Healthcare Summit in San Diego in November, Google Vice President of Research and Special Initiatives Alfred Spector told health care CIOs, solution providers and other attendees that Google intended Google Health as an extension of the Google brand, and it was and would continue to be entirely separate from Google's main advertising platform. Watchdog organizations have taken Google to task over that claim, however, with one, Consumer Watchdog, even accusing Google of trying to lobby Congress to allow it to sell medical records by loosening regulatory language in the stimulus bill. "The medical technology portion of the economic stimulus bill does not sufficiently protect patient privacy, and recent amendments have made this situation worse," wrote Jerry Flanagan of Consumer Watchdog in a Jan. 27 open letter to Congress. "Medical privacy must be strengthened before the measure's final passage, rather than allowing corporate interests to take advantage of the larger bill's urgency." Flanagan in the letter states that, "Google is said to be lobbying hard ... to weaken the ban currently in the draft measure on the sale of our private medical records." While Consumer Watchdog did not cite specific evidence of Google pushing for softer restrictions, Google responded to the group's claims on its Public Policy Blog last week. "The claim -- based on no evidence whatsoever -- is 100 percent false and unfounded," wrote Pablo Chavez, Google's Senior Policy Counsel. "Google does not sell health
Karl Wabst

Complaint before FTC could test U.S.'s commitment to privacy - Related Stories - InfoTe... - 0 views

  •  
    A complaint filed with the Federal Trade Commission by consumer groups seeking greater privacy protection for mobile Internet users could become a crucial test for the Obama administration's commitment to Internet privacy, a researcher has said. A policy statement published on then-President-elect Barack Obama's transitional Web site said he plans to "strengthen privacy protections for the digital age." Need to review your privacy policy or guide your clients in preparing a privacy framework? Download a copy of the Generally Accepted Privacy Principles.
Karl Wabst

Fixing the privacy joke - Network World - 0 views

  •  
    The whole idea of privacy has become a joke. On one hand we have consumers who will give away their personal details to random Web sites (as well as to Mrs. Sikiratu Seki Adam, "a widow to Late Saheed Baba Adams") at the drop of a virtual hat, and on the other we have businesses losing personally identifiable information and transaction data with wild abandon … yes, I'm talking about you Heartland Payment Systems. (Heartland lost data on more than 100 million transactions although it is hardly alone - check out the data loss database at the Open Security Foundation). This widespread carelessness has compromised the privacy of tens of millions of consumers and businesses. While carelessness is the cause, what has allowed it to go unchecked are a number of factors: The Internet making transactions easier and faster; the systems we use on the Internet (particularly Windows PCs) being as secure as the First Little Pig's house of straw; organizations not taking security seriously enough; naive consumers; and inadequate regulation of the companies that hold private data. What got me thinking about this privacy void was a letter my wife received from Nordstrom Bank yesterday. My wife has a Nordstrom credit card and the company sent us, for what seems like the 1,000th time, its latest privacy policy. This version was one page of small text that more or less says what every other privacy notice from financial services companies says (we average about one of these "revised" policies every couple of weeks).
Karl Wabst

Obama Administration Outlines Cyber Security Strategy - Security Fix - 0 views

  •  
    The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks. The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals: * Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy. * Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure. * Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience. * Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate. * Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime. *
Karl Wabst

Dixon: FTC expertise needed to fight medical ID theft - 0 views

  •  
    The federal government has a key role to play in researching and organizing a national response to the problem of medical identity theft, authors of a government-funded study have concluded. Patients, providers, payers and other members of the healthcare community also must join in the effort to combat a problem that is serious, although as yet its scope is not fully known, the report stated. Contractor Booz Allen Hamilton released the report last week. It represents the final phase of the $450,000 study funded last year by the Office of the National Coordinator at HHS. The study consisted of three parts, the first being to review existing knowledge about medical identity theft as well as policies and practices to prevent it. Those findings were included in a research paper on the subject released last October. The second phase involved a public meeting Oct. 15, 2008, the same day the paper was released, to "open a dialogue about medical identity theft within the healthcare industry." The final phase, the 26-page report, includes 31 "potential actions," which are recommendations that could form a national policy on medical identity theft. While medical identity theft "may be categorized as healthcare fraud," according to the report, "there are unique and important distinctions of medical identity theft that need to become more commonly understood to address this issue effectively." One difference, the report authors noted, is that the primary motive behind healthcare fraud "is most often monetary gain, such as when fraudulent providers bill for more expensive services than those rendered. However, medical identity theft tends to be focused on the use of someone else's information to gain goods, services and healthcare." IT could hurt, help Therefore, undetected medical identity theft poses medical risks to its victims, since their medical records may contain inaccurate and potentially harmful information that may cause them not to be con
Karl Wabst

Health Blog : Google Opposes Sale of Personal Medical Info - 0 views

  •  
    A consumer group accused Google of seeking provisions in the economic stimulus package that would allow it to sell patient medical data to Google Health advertisers. Perhaps patients' biggest worry about electronic medical records is that their private health data will get into the wrong hands. To get a feel for some folks' anxiety, just take a look at this from a group called Patient Privacy Rights: "CHILLING NEWS ABOUT HEALTH PRIVACY: You Have None." (Or look at one of our many posts about health data breaches.) So it's probably not a surprise that Google, which last year launched Google Health, a personal online repository, was quick to refute a charge by a different consumer group, called Consumer Watchdog, of "a rumored [Google] lobbying effort aimed at allowing the sale of electronic medical records." The group further claimed that Google is "reportedly" pushing for items in the economic stimulus bill that would allow the company to "sell patient medical information" to advertisers. Google shot back, posting an item in its public policy blog calling the claims "100 percent false and unfounded." The company added: Google does not sell health data. In fact, one of our most steadfast privacy principles is that we don't sell our users' personal data, whether it's stored in Google Health, Gmail, or in any of our products. And from a policy perspective, we oppose the sale of medical information in the health care industry. Google's ear is likely fine tuned to this issue, considering some folks in the medical community have already pointed out the company is not a type required to follow a federal patient-privacy law called HIPAA.
Karl Wabst

Corporate Web 2.0 Threats - 0 views

  •  
    In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward. Speaker David Sherry CISSP, CISM - CISO, Brown University As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.
Karl Wabst

Should Advertisers Play A Role In The Privacy Debate? 04/06/2009 - 0 views

  •  
    Now that behavioral targeting has become more pervasive (and more effective), it is being talked about not only by publishers and advertisers, but also by privacy advocates -- organizations like the NAI and IAB and, in Washington, the FTC. At issue is if BT players are doing enough to disclose to consumers how BT works and offering them the opportunity to opt out of being tracked by BT vendors and publishers. There has been much discussion about how to regulate behavioral marketers; but no solution that satisfies everyone. The BT industry so far has contended that website privacy policies are sufficient disclosure since many of them contain links to opt-out opportunities like the NAI site. Google and Bluekai have announced 'preference pages' or registries that allow Web users to say what type of BT they are interested in receiving. But, the other, more common option is to put that information in the Privacy Policy of the site. But the problem with that is that no matter where disclosures are placed on the service provider's site, most people won't ever see them. How will a customer visiting Retail SiteX know that Company Y is going to use their browsing behavior to later display relevant ads to them as they surf the Web on Network Z? The average customer won't. The only way a customer will know what forms of BT advertisers are using is if the advertisers themselves tell them. I think that it's time for advertisers to step up in this privacy debate. Thus far the pressure for disclosure has been placed on networks, behavioral marketing providers and publishers. The key players in those industries have done a good job of becoming more transparent (though there is still work ahead of us), while advertisers haven't been asked to do anything. Advertisers are clearly benefiting from behavioral marketing, and it's time they disclosed what type of behavioral marketing they participate in, and allow customers to opt-out. How they do this is open for discussion: Tag each
Karl Wabst

MediaPost Publications Google Takes Mystery Out Of BT, Gives Consumers A Say In What Th... - 0 views

  •  
    Google will unveil new privacy measures today that will give consumers more control over behavioral targeting. Now, when Google serves banner ads on outside publishers' sites, the ads will include links that provide more information explaining why they were served. Clicking through will lead to details about the company's behavioral advertising program, which categorizes consumers as interested in particular types of goods or services based on the sites they visited. The program is only in beta for now, but once Google signs up publishers, consumers will be able to view the categories they have been placed in--such as "interested in travel"--and also tell Google to remove them from whatever buckets they wish. Consumers also will be able to opt out of the program permanently via a browser plug-in. Or, if people want to receive ads for certain types of products, they can edit their profiles to reflect that--in effect, opting in to particular types of ads. Google's new measures come at a time when online behavioral targeting is facing increased scrutiny. Last month, two Federal Trade Commissioners warned that the online advertising industry could face new laws if it didn't take steps to self-regulate on privacy issues. Recently, Google rival Yahoo announced enhancements to its privacy policies. Among other changes, Yahoo said it would allow consumers to opt out of behavioral targeting on its own site. Google's move drew praise from the Interactive Advertising Bureau's Mike Zaneis, vice president for public policy. "It's really a consumer empowerment tool, which is great," he said. "It's one more example of how industry is competing on the privacy issue, to the benefit of consumers--and also to the benefit of businesses."
Karl Wabst

An Icon That Says They're Watching You - Bits Blog - NYTimes.com - 0 views

  •  
    I have an open question for the people who complain about the potential of advertising networks to track your behavior on the Internet: What is a better way? Some might say that all behavioral targeting should simply be banned. But if you don't think that showing Chevy ads to people looking for cars is equivalent to poisoning the peanut butter, we need a middle ground that explains to people what's going on and lets them decide what is acceptable. This is much harder than it sounds: Any one Web page you visit can have a dozen advertisements and invisible bits of code that each send information about you to different companies, each with different ways of using that data. The privacy policy of the site you are looking at - not that anyone reads privacy policies - can't even try to explain this to you, because the site owner doesn't even know what all of its advertisers are doing. I'm coming to the conclusion that each advertisement on a page has to speak for itself. That's implicit in the approach Google is taking for its new behavioral targeting system. It puts the phrase "Ads by Google" on all its advertisements. Click that link and you'll get some limited information about Google's targeting system and an ability to adjust some of the interests that Google is tracking. But Google's approach is presented in a way that glosses over what they are doing and discourages people from reading the disclosure and exercising control, says Joseph Turow, a marketing professor at the Annenberg School for Communication of the University of Pennsylvania. Mr. Turow has developed a plan that is simpler and more comprehensive: Put an icon on each ad that signifies that the ad collects or uses information about users. If you click the icon, you will go to what he calls a "privacy dashboard" that will let you understand exactly what information was used to choose that ad for you. And you'll have the opportunity to edit the information or opt out o
Karl Wabst

Automate data classification with new features in Windows Server 2008 R2 - 0 views

  •  
    Data classification is a cornerstone of good privacy & security management. If you can measure it, you can manage it, right? First you have to know where it is.
  •  
    Why classify data? Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed. The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information. Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post. For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the ex
Karl Wabst

6 ways to protect your privacy on Google - 0 views

  •  
    Concerned that Google knows too much about you? The company provides many ways to protect your privacy online -- you just need to find them. Here are six good ones. 1. Know your privacy rights: Use the Google Privacy Center. This site includes all of Google's privacy policies, as well as privacy best practices for each of its products and services. Although the "legalese" of privacy policies can be difficult to understand, Google's Privacy Channel offers a library of short YouTube videos with practical tips on protecting your data when using Google products and services. Try the "Google Search Privacy" and "Google Privacy Tips" series. 2. Protect your content on the services you use. Some content that Google stores for you, such as photos uploaded in Picasa Web Albums, are public by default. You can protect your privacy when you upload photos by choosing the appropriate checkbox. Choices include "unlisted" (accessible only if you have the Web link, and not indexed by Web search engines) or private (viewable only by named users who must sign in). Another example: You can take a Google Chat "off the record" if you don't want the instant messaging transcript stored. In contrast, Google Latitude, which tracks your whereabouts by way of GPS-enabled cell phones, does not share your location data by default. You must authorize others to see it. Latitude stores your last known location, but not your history. 3. Turn off the suggestion feature in the Chrome browser. By default, Chrome retains a history of Web sites you've visited -- and the full text of those pages -- so it can try to guess which Web address you want as you type in the "Omnibox." You can turn the feature off by going to "Under the Hood" under Options and unchecking the "Use a suggestion service" box. You can also select other privacy options, including surfing in Chrome's "incognito" mode. 4. Turn off Web History. You may have turned on the Web History option, also called Personalized Search, when yo
Karl Wabst

Consumer Groups Want to Halt ACTA Negotiations - 0 views

  •  
    ACTA (Anti-Counterfeiting Trade Agreement) has concerned many consumer rights organizations for some time now. Given that it could easily affect criminal laws in many countries around the world, it's not hard to see why there is demand for public disclosure and allow public debate in the matters. Still, to this day, ACTA is being negotiated behind closed doors by many countries around the world and now consumer groups want to, at least, have the negotiations disclosed to them. When it comes to the privacy and surveillance debates, which are in various stages in different countries right now, many say that for national security concerns, further surveillance measures should be taken in the law books. Many policy makers want to know every detail of day-to-day communications of millions of people including who you talk to, when, how, where, and, with a warrant, what the contents of those messages are. Unsurprisingly, consumer rights groups have a problem with that. Meanwhile, when it comes to the highly secretive negotiations happening with ACTA, many consumer rights organizations want a clear indication on how the new international standard is forming and the contents of the legislation and to have such things disclosed to the public. Ironically, policy makers seem to have a problem with that.
Karl Wabst

GAO report cites government weaknesses, data leakage - 0 views

  •  
    Weak security policies and practices in nearly all 24 major federal agencies in 2008 have resulted in exposing personally identifiable information of Americans, according to a new report from the Government Accountability Office (GAO). "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," according to the GAO report, issued Monday. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise." Federal agencies have reported some progress, providing awareness training for employees and testing system contingency plans, the GAO said. Still, employees with significant security responsibilities are not getting enough security training and known vulnerabilities remain wide open. The GAO conducts a periodic review of information security policies and procedures at federal agencies. Inspectors general review agency conformity to the Federal Information Security Management Act of 2002 (FISMA) and report their findings to Congress.
Karl Wabst

News Release: Facebook needs to improve privacy practices, investigation finds - July 1... - 0 views

  •  
    In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site's privacy policies and practices. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," says Privacy Commissioner Jennifer Stoddart. The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law. An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the "account settings" page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook's servers. The Privacy Commissioner's report recommends more transparency, to ensure that the social networking site's nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
Karl Wabst

Computer clause shuts U.S. firms out of bidding - 0 views

  •  
    Even as the Canadian government is fighting against "Buy American" policies that discriminate against Canadian firms, the federal government appears to be quietly continuing with policies that effectively block U.S. firms from winning some kinds of federal contracts. Case in point: a contract worth $150 million to help relocate nearly more than 18,000 public servants every year was awarded to the only Canadian bidder in mid-August. American firms were interested in the contract but say they were essentially blocked from the bidding because of a provision that personal information about Canadians cannot be stored on computerized databases outside of Canada. Canada Post, a Crown corporation, is about to award its own multimillion-dollar relocation services contract and it, too, has effectively blocked U.S. companies from bidding with a requirement that personal information be stored only on computers in Canada.
Karl Wabst

When Your Boss Wants Your DNA : NPR - 0 views

  •  
    "The school's policy seems to violate the Genetic Information Nondiscrimination Act (GINA), says Susannah Baruch of the Genetics and Public Policy Center at Johns Hopkins University. "Most generally," she says, "GINA prohibits health insurers and employers from using your genetic information against you." The law went fully into effect Nov. 21, and it prevents health insurers from collecting genetic information to make decisions about the insurance people get or how much it costs. The law also says an employer can't use it to make decisions about hiring, firing or job promotions. There are a few exceptions. The law doesn't apply to employers with fewer than 15 workers. And while it covers health insurance, it doesn't apply to life or long-term care insurance."
Karl Wabst

Panel to vote on data privacy measure - Nextgov - 1 views

  •  
    The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by House Energy and Commerce Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.