Home/ CIPP Information Privacy & Security News/ Group items tagged tools

Karl Wabst

ONC Commissioned Medical Identity Theft Assessment - 0 views

  •  
    In May 2008, the Office of the National Coordinator for Health Information Technology (ONC) awarded an approximately $450,000 contract to Booz Allen Hamilton to assess and evaluate the scope of the medical identity theft problem in the U.S. Medical Identity Theft: Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services. There is limited information available about the scope, depth, and breadth of medical identity theft. Dr. Robert Kolodner, National Coordinator for Health Information Technology, has noted that medical identity theft stories are being documented at an increasing rate, bringing to light serious financial, fraud, and patient care issues. ONC recognizes that health IT is an important tool to combat the threat of medical identity theft. We are seeking input from the public and other government agencies to better understand how health IT can be utilized to prevent and detect medical identity theft as well as build consumer trust in electronic health information exchange. ONC believes it is imperative to obtain a more comprehensive understanding of this issue from a variety of perspectives, and to create an open forum for dialogue to work proactively to address medical identity theft. Medical Identity Theft final report: The report summarizing health IT and medical identity theft issues raised at the town hall was completed January 15, 2009 and sets forth potential actions the Federal government and other stakeholders can undertake in working toward prevention, detection, and remediation of medical identity theft.
Karl Wabst

Three years undercover with the identity thieves - Network World - 0 views

  •  
    Salesmen and parents know the technique well. It's called the takeaway, and as far as Keith Mularski is concerned, it's the reason he kept his job as administrator of online fraud site DarkMarket. DarkMarket was what's known as a "carder" site. Like an eBay for criminals, it was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards. In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site. Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement. A hacker named Iceman -- authorities say he was actually San Francisco resident Max Butler -- who ran a competing Web site, was saying that Mularski wasn't the Polish spammer he claimed to be. According to Iceman, Master Splynter was really an agent for the U.S. Federal Bureau of Investigation. Iceman had some evidence to back up his claim but couldn't prove anything conclusively. At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own. He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information. ....In the end they would regret that decision. Iceman was right
Karl Wabst

Web 2.0 and e-discovery: Risks and countermeasures - 0 views

  •  
    Enterprise employees frequently use social networking tools, most notably Web-based applications. It's no surprise more organizations are wondering what happens if social networking data becomes relevant to an e-discovery investigation. How does an enterprise go about discovering and assessing Web 2.0 data? How responsible is an organization, legally speaking, for the information that's out there in the Web 2.0 world? What risks arise from e-discovery as it relates to Web 2.0 data, and how can you mitigate them? In this tip, we will look at e-discovery as it relates to Web 2.0 and consider the strongest options for minimizing risks to the organization. E-discovery basics We begin with a quick look at what e-discovery is and how it can create risk. Essentially, e-discovery is the electronic extension of the legal process of discovery, which Wikipedia defines as "the pre-trial phase in a lawsuit in which each party through the law of civil procedure can request documents and other evidence from other parties or can compel the production of evidence by using a subpoena or through other discovery devices, such as requests for production and depositions." If you're an IT person, not a lawyer, it's important to note that the rules governing the discovery process now require plaintiffs to address all electronically stored information or ESI. In other words, if your organization faces litigation, it will have to deal with the issue of e-discovery, which will entail a whole lot more than turning over some old emails. Depending upon your role in the organization, the first you may hear of this is a "notice of litigation" with perhaps a "litigation hold directive" containing a "preservation directive." Here is a generic e-discovery request below. Apart from a few limiting factors, such as subject matter, named persons and a specified time period, the scope of such a notice is likely to be broad; blame standard procedure, not some high-powered attorney pushing his or her lu
Karl Wabst

How to implement and enforce a social networking security policy - 0 views

  •  
    This tip is part of Mitigating Web 2.0 threats, a lesson in SearchSecurity.com's Data Protection Security School. Visit the lesson page or our Security School Course Catalog for additional learning resources. Social networking, a term relatively new to the computing vernacular, has already become part of the cultural norm for a great proportion of Internet users. Even more recently, the use of online communities to establish and build connections among those with shared interests has become part of the corporate world as well. As professional social networks such as LinkedIn and Blue Chip Expert continue to grow, and professional groups gain in popularity on once-personal sites like Facebook and MySpace, enterprise security and risk management professionals must face the reality that these sites are emerging conduits for the unauthorized disclosure of confidential corporate information. Add the use of public social networking tools to the list of concerns, and the effectiveness of the traditional corporate security perimeter is further diminished. However, a robust set of policy, process and architecture aids in mitigating the risks of being social. Broadly, social networking is described as software that lets people interact, rendezvous, connect, play or collaborate by use of a computer network. This definition covers the popular social networking sites, including those mentioned above, as well as blogs, wikis, RSS, podcasts, tags, and more recently, search engines. While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we'll focus on addressing the risks.
Karl Wabst

Data management will be priority in 2009 - 20 Jan 2009 - Computing - 0 views

  •  
    Changes relating to different aspects of data management have been highlighted as key trends in the IT industry for 2009 in a report by consultancy Deloitte. The falling price of digital storage has caused an irresponsible approach to file management and IT leaders will need to give an increased focus to these issues, says Deloitte, along with finding ways around the rise in physical storage costs. "There are ways to control the escalation of storage costs, such as de-duplication tools that can free up space by reducing duplicate files," says the report. "Companies can assess the impact of individual applications, especially email - which is estimated to take up 25 per cent of enterprise storage capacity," it says. According to Deloitte's research, businesses will become increasingly aggressive when pursuing disputes related to copyright infringement and digital ownership rights. "If undertaking a swift launch of a product or digital application, companies should ensure that no element could lead to litigation," says the report. Despite pointing out that 2009 will be the break-out year for social networks in the business, Deloitte says that such networks will need to be developed with caution to encourage more productivity and balance control with employees' desire for privacy.
Karl Wabst

Consumer Policy Solutions :: New Survey Raises Consumer Online Privacy Awareness - 0 views

  •  
    Jan. 27 /PRNewswire-USNewswire/ -- Consumer Policy Solutions today released a new survey examining consumer awareness and understanding of online privacy. With Data Privacy Day tomorrow, this is an especially timely survey intended to help raise consumer awareness of privacy issues and give consumers the knowledge and tools needed for the privacy they desire online. Many consumers are not fully aware of the implications of their online activity and the "virtual breadcrumbs" they inadvertently leave behind when roaming from site to site. This survey, which follows closely on the heels of a Consumer Policy Solutions survey released in May that revealed protecting personal privacy is a top consumer concern, takes a closer look at consumers' understanding of online privacy. Many respondents were unaware of the tracking, collecting and sharing of information that occurs as a result of online activities. "Consumers care about protecting their privacy on the Internet, but they do not necessarily know how to protect themselves nor do they understand how the process works," said Debra Berlyn, president of Consumer Policy Solutions. "Today is a great day to raise awareness of what the issues are for consumers. I think our survey serves as a good gauge of how consumers view their privacy online." In response to the findings of the survey, Consumer Policy Solutions is launching a website www.ConsumerPrivacyAwareness.org dedicated to educating and informing consumers about online privacy issues. The survey found that: * Consumers think they are knowledgeable about online privacy, but many are unaware of how their activity and behaviors can be followed and collected online. o 70% of Internet users say they are very or fairly knowledgeable about how to protect their personal privacy online o 42% are unsure whether their online activity is tracked and recorded by companies for commercial purposes o 12% believe that tracking by companies for co
Karl Wabst

Business Continuity Awareness Week - 0 views

  •  
    The global business community is faced with an unprecedented level of uncertainty and risk. Are you prepared? The BCI announces Business Continuity Awareness Week, a week-long global event that is aimed at raising awareness of business continuity, disaster recovery and resiliency around the globe and bringing to the forefront the escalating significance of Business Continuity Management (BCM) as a critical management tool for corporations and government groups of all sizes and industries. We have aligned with other industry leaders in the Business Continuity education, development and standards fields to support The Business Continuity Institute (BCI) in its production of a series of 9 FREE webinars and virtual meetings throughout the world which will include surveys, case studies, analysis processes and much more. We would strongly urge you to mark the dates on your calendar and take advantage of all of this great knowledge! Please feel free to forward this announcement to anyone that you feel would benefit from this event. For the most up to date information and event schedule please visit: www.businesscontinuityawarenessweek.org
Karl Wabst

DNA scan 'could cut cost of insurance - even if results kept secret - Times Online - 0 views

  •  
    Taking genetic tests to assess potential health risks could mean cheaper medical insurance even if the results are not disclosed, a senior industry executive has told The Times. Customers who take personal DNA scans will pay lower premiums because insurers believe that they encourage a healthier lifestyle, according to Gil Baldwin, the managing director of Norwich Union Healthcare. The advent of tests for DNA variants that affect common disorders such as diabetes and heart disease has prompted fears of discrimination and the creation of a "genetic underclass" who cannot buy cover. Mr Baldwin insisted that his company did not see genetics as a tool for cherry picking low-risk customers but as a way of helping them to manage and reduce their risk of disease with the aim of lowering costs for both parties. In an interview with The Times, he said that people who take genetic screening are likely to act on the results and therefore present a much better risk profile. Insurers will reflect this in premiums, regardless of whether results are disclosed.
Karl Wabst

Cybersecurity review is putting emphasis on privacy | Politics and Law - CNET News - 0 views

  •  
    As the National Security Council works on its comprehensive review of federal cybersecurity programs for President Obama, it is going to great lengths to consider privacy and civil liberty issues, some Congress members said Thursday. The House Cybersecurity Caucus on Thursday met with Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, who is conducting for the administration a 60-day cybersecurity review. Rep. James Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus, said Hathaway has been meeting with privacy and civil liberties groups to receive their input on how to reform cybersecurity. Those issues are "a forethought rather than an afterthought," he said. "Because these are such powerful tools (to grant federal authorities to regulate cyberspace), we're going to have to have the buy-in of the public and have their support." While the Senate is working on its own plan for White House-run cybersecurity efforts, Langevin said Hathaway's assessment may ultimately suggest a strategy with a stronger emphasis on inter-agency efforts. Langevin said it is still unclear whether Hathaway will recommend that a new office for cybersecurity should be created within the Executive Office of the President--a move some senators are pushing for. Certainly, though, policy will have to come from the White House. "This is going to have to be an ongoing strategy of collaboration and cooperation directed out of the White House," Langevin said. "But there won't be one king, so to speak, at the end of the day. The chief information officers at the departments and agencies are still going to have a role to play."
Karl Wabst

Google Health expands deal with CVS | Business Tech - CNET News - 0 views

  •  
    Customers of CVS' pharmacy will be able to import their prescription records into a Google Health account as a result of an expanded deal between the two companies. The deal was announced Monday. An earlier deal already allowed workers whose company uses CVS Caremark to handle drug benefits to use Google Health to store their drug records. The new deal expands this to customers of CVS' network of retail pharmacies. "We now offer all of our consumers the ability to download their prescription and medication history into their Google Health Personal Health Record, whether they are CVS/pharmacy customers, CVS Caremark plan participants or visitors to our MinuteClinic locations," said CVS Caremark Executive Vice President Helena Foulkes in a statement. "By enabling patients to download their prescription information directly into their personal health record, we are helping to close the gap in today's fragmented health care system and provide a full view of a patient's health." To use the tool, the companies said, consumers need to sign up for the prescription management feature on CVS.com as well as be authenticated. With the latest deal, Google said it now believes more than 100 million Americans will have the option of viewing their drug history within Google Health. Microsoft, which is also trying to sign consumers up for its HealthVault service, announced a deal with New York-Presbyterian Hospital on Sunday which will allow patients of that hospital system to export their records to a HealthVault account.
Karl Wabst

Privacy commissioner puts spotlight on internet monitoring technology - 0 views

  •  
    Is it a violation of privacy that should be banned or a tool necessary to keep the internet running? Canada's privacy commissioner has opened an online discussion on deep packet inspection, a technology that allows internet service providers and other organizations to intercept and examine packets of information as they are being sent over the internet. "We realized about a year ago that technologies involving network management were increasingly affecting how personal information of Canadians was being handled," said Colin McKay, director of research, education and outreach for the commissioner's office. The office decided to research those technologies, especially after receiving several complaints, and realized it was an opportunity to inform Canadians about the privacy implications. Over the weekend, the privacy commissioner launched a website where the public can discuss a series of essays on the technology written by 14 experts. The experts range from the privacy officer of a deep-packet inspection service vendor to technology law and internet security researchers. The website also offers an overview of the technology, which it describes as having the potential to provide "widespread access to vast amounts of personal information sent over the internet" for uses such as: * Targeted advertising based on users' behaviour. * Scanning for unlawful content such as copyright or obscene materials. * Intercepting data as part of surveillance for national security and crime investigations. * Monitoring traffic to measure network performance.
Karl Wabst

MediaPost Publications Google Takes Mystery Out Of BT, Gives Consumers A Say In What Th... - 0 views

  •  
    Google will unveil new privacy measures today that will give consumers more control over behavioral targeting. Now, when Google serves banner ads on outside publishers' sites, the ads will include links that provide more information explaining why they were served. Clicking through will lead to details about the company's behavioral advertising program, which categorizes consumers as interested in particular types of goods or services based on the sites they visited. The program is only in beta for now, but once Google signs up publishers, consumers will be able to view the categories they have been placed in--such as "interested in travel"--and also tell Google to remove them from whatever buckets they wish. Consumers also will be able to opt out of the program permanently via a browser plug-in. Or, if people want to receive ads for certain types of products, they can edit their profiles to reflect that--in effect, opting in to particular types of ads. Google's new measures come at a time when online behavioral targeting is facing increased scrutiny. Last month, two Federal Trade Commissioners warned that the online advertising industry could face new laws if it didn't take steps to self-regulate on privacy issues. Recently, Google rival Yahoo announced enhancements to its privacy policies. Among other changes, Yahoo said it would allow consumers to opt out of behavioral targeting on its own site. Google's move drew praise from the Interactive Advertising Bureau's Mike Zaneis, vice president for public policy. "It's really a consumer empowerment tool, which is great," he said. "It's one more example of how industry is competing on the privacy issue, to the benefit of consumers--and also to the benefit of businesses."
Karl Wabst

Security book chapter: The Truth About Identity Theft - 0 views

  •  
    The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall
Karl Wabst

Deep computer-spying network touched 103 countries - Network World - 0 views

  •  
    A 10-month cyberespionage investigation has found that 1,295 computers in 103 countries and belonging to international institutions have been spied on, with some circumstantial evidence suggesting China may be to blame. The 53-page report, released on Sunday, provides some of the most compelling evidence and detail of the efforts of politically-motivated hackers while raising questions about their ties with government-sanctioned cyberspying operations. It describes a network which researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control Web cams and completely control infected computers. "GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide," said the report, written by analysts with the Information Warfare Monitor, a research project of the SecDev Group, a think tank, and the Munk Center for International Studies at the University of Toronto. "At the time of writing, these organizations are almost certainly oblivious to the compromised situation in which they find themselves." The analysts did say, however, they have no confirmation if the information obtained has ended up being valuable to the hackers or whether it has been commercially sold or passed on as intelligence. Although evidence shows that servers in China were collecting some of the sensitive data, the analysts were cautious about linking the spying to the Chinese government. Rather, China has a fifth of the world's Internet users, which may include hackers that have goals aligning with official Chinese political positions.
Karl Wabst

Top 10 Compliance Issues for IT - 0 views

  •  
    Things to think about for auditors during a downturn
  •  
    As IT environments are becoming more complex, enterprises are relying on them more than ever before, Michael Juergens, principal at Deloitte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate these risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En
Karl Wabst

Learning, and profiting, from online friendships - 0 views

  •  
    Online spying or behavioral targeting?
  •  
    A question: If you have 347 followers on the Twitter microblogging service, what are the chances that they'll click on the same online ad you clicked on last night? Advertisers are dying to know. Or, say you and a colleague exchange e-mails on a Saturday night. Can managers assume that you have a tight working relationship? Researchers at IBM and Massachusetts Institute of Technology are investigating. Friendships aren't what they used to be. We now have tools, from e-mail to social networks, to keep in touch with people who a decade ago would have drifted into distant memories. Practically every hand we shake and every business card we exchange can lead to an invitation, sometimes within minutes, for a "friendship" on LinkedIn or Facebook. And unless we sever them, these ties could linger for the rest of our lives. What do these relationships say about us and the people in our networks? Companies armed with rich new data and powerful computers are beginning to explore these questions. They're finding that digital friendships speak volumes about us as consumers and workers, and decoding the data can lead to profitable insights. Calculating the value of these relationships has become a defining challenge for businesses and individuals. Marketers are leading the way. They're finding that if our friends buy something, there's a better-than-average chance we'll buy it, too. It's a simple insight but one that could lead to targeted messaging in an age of growing media clutter.
Karl Wabst

Rapleaf - Data and People Lookup - 0 views

  •  
    Free Social Media Screening Ever wondered if you actually have customers on social networks? Try Rapleaf's free social media screening. We'll take a look at your customer base and tell you some basic information about whether or not you have customers on social networks. The Rapleaf Social Media Screening will tell you the following: * Percentages of your consumers that are active on sites * Gender breakdown of your consumers * Friend counts of your consumers Rapleaf's social media screening is a great way to get your feet wet in social media. It's also an easy tool to help you understand whether or not to conduct deeper research on your consumers across the social web by acquiring a full Rapleaf Report To get started, fill out the form to the right and submit a few test consumer emails to our system.
Karl Wabst

Best practices: How to implement and maintain enterprise user roles - 0 views

  •  
    Enterprise role management is key in efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (like access to and functionality within a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don't violate segregation of duties. For instance, a financial clerk role can't contain fine-grained access rights that allow someone in the role to access the accounts receivable and accounts payable parts of the financial application. The processes and tools necessary for effective role management consist of role mining and design (automatic discovery and management of roles based on existing access rights and entitlements data), role recertification (a process performed typically every six months when a business role custodian certifies what access rights should belong to a role), and access recertification (a process performed typically every 3-6 months to ensure all user access is understood and was granted in an audited way).
Karl Wabst

Court Strikes Down GPS Tracking Without Warrant - City Room Blog - NYTimes.com - 0 views

  •  
    In a 4-to-3 ruling, the New York State Court of Appeals ruled on Tuesday that the State Police violated a criminal suspect's rights under the State Constitution when it placed a GPS tracking device inside the bumper of his van without obtaining a warrant. The police had used the device to monitor the movements of the suspect, Scott C. Weaver, for more than two months. But the court ordered the evidence gathered from the device suppressed and ordered a new trial for Mr. Weaver. In three written opinions, the judges on the court debated the constitutional issues raised by the growing use of global positioning system technology as a tool of surveillance. The case could set an important precedent for state and local police agencies.
Karl Wabst

Portable Panic: The Evolution of USB Insecurity - 0 views

  •  
    As USB devices have evolved into useful storage media, they've also turned into a security nightmare for agencies. The usage of USB devices should be encouraged and embraced to improve productivity, but they also must be managed to minimize the risks inherent with these tools. This paper discusses how USB devices have evolved and looks in-depth at the productivity benefits as well as the potential risks these devices can introduce if not managed properly. This paper also offers recommendations on how to balance the productivity versus risk challenge and highlights how government agencies can effectively manage the usage of USB devices and prevent data loss and malware introduction.