Texas to Destroy 5.3 Million Illegally Obtained Blood Samples

As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research.  The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent. 

The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life.  Under the settlement, the blood samples collected without parental consent must be destroyed by early next year.  State authorities estimated that some 5.3 million samples would be destroyed as part of this process.  The State of Texas also is required to publish a list of all research projects that used the blood specimens.


 

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satellite Feeds In Iraq

1.  Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, the popular social networking site Twitter was apparently hacked by a group calling itself the Iranian Cyber Army.  Iran and Twitter have had a rocky relationship since last summer, when Iranian citizens carried their protests over the Iranian elections onto the site.  During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites.  Given the name adopted by Twitter's hackers, it may be no coincidence that a New York Times interview with a U.S. computer security expert in June 2009 described the Twitter DoS attacks as allowing Twitter users to "'become part of the cyber-army,' in Iran."

 

2. $26 Russian Software Has Been Intercepting U.S. Military Drone Video Feeds In Iraq

Ever since Iraq invaded Kuwait in 1990, we laypeople have been introduced to video from U.S. military missiles right before something like a building exploded in fuzzy black and white.  Then came more advanced military drones, remotely piloted aircraft with better cameras and heavier weapons.  If you have been craving some low-res military action, it may only cost you a satellite dish and $26.  Using SkyGrabber, a $26 software package from a Russian developer, Iraqi insurgents have reportedly been tapping into live video feeds from U.S. drone aircraft.  This news comes from a U.S. official speaking anonymously with the Wall Street Journal, who reported that U.S. troops have recovered laptops used by the insurgents containing "days and days and hours and hours" of intercepted military video. 

The SkyGrabber software, which captures whatever a satellite dish receives from unencrypted satellite downlinks, apparently has worked against the military feeds for the simple reason that they were (you guessed it) unencrypted.  U.S. military officials told CNN that encrypting the signals is problematic because it slows down video transmissions that need to be seen by a number of different operators at the same time.  Whether having your adversaries watch your own battlefield surveillance will justify adding encryption to the military's systems remains to be seen.  (Just remember, when you do, that another Russian software package is sold as able to recover WPA passphrases by accelerated brute-force guessing, so a weak key buys you little.) 
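The objection reported above, that one feed watched by many operators cannot easily be encrypted, deserves a closer look, because broadcast encryption with a shared group key costs the sender exactly one encryption per frame no matter how many receivers there are.  The following Python is an added illustration written for this post; it is not code from the article, from SkyGrabber, or from any military system, and the "frames", key handling and receiver names are invented.  To run with only the standard library it builds a stream cipher from HMAC-SHA256 in counter mode plus an HMAC tag (a real deployment would use AES-GCM and a proper key-distribution scheme, which this example does not address).  The sender encrypts each frame once, every authorised receiver decrypts it, an eavesdropper without the key recovers nothing, and a tampered or replayed packet is rejected.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for a video stream: in reality these would be
# compressed video packets; the contents below are invented for the demo.
SAMPLE_FRAMES = [
    b"frame 0001: vehicle stationary at road junction",
    b"frame 0002: vehicle moving north",
    b"frame 0003: vehicle stopped, two persons dismount",
]

HEADER_LEN = 8   # 64-bit frame sequence number, sent in the clear
TAG_LEN = 16     # truncated HMAC-SHA256 authentication tag


def derive_keys(group_key: bytes):
    """Derive independent encryption and MAC keys from one shared group key."""
    enc_key = hmac.new(group_key, b"stream-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(group_key, b"stream-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from a PRF: block i = HMAC(enc_key, seq || i).

    The frame sequence number doubles as the nonce, so no two frames are
    ever encrypted under the same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_frame(group_key: bytes, seq: int, frame: bytes) -> bytes:
    """Encrypt one frame once for broadcast: seq || ciphertext || tag."""
    enc_key, mac_key = derive_keys(group_key)
    header = struct.pack(">Q", seq)
    ciphertext = bytes(p ^ k for p, k in zip(frame, keystream(enc_key, seq, len(frame))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class Receiver:
    """One viewer among many.  Every receiver holds the same group key, so the
    sender's single ciphertext serves all of them; a listener without the key,
    or one fed forged or replayed packets, gets nothing."""

    def __init__(self, group_key: bytes):
        self.enc_key, self.mac_key = derive_keys(group_key)
        self.last_seq = -1
        self.frames = []

    def receive(self, packet: bytes):
        if len(packet) < HEADER_LEN + TAG_LEN:
            return None
        header = packet[:HEADER_LEN]
        ciphertext = packet[HEADER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, corrupted in transit, or forged
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # replayed or reordered frame
        self.last_seq = seq
        frame = bytes(c ^ k for c, k in zip(ciphertext, keystream(self.enc_key, seq, len(ciphertext))))
        self.frames.append(frame)
        return frame


def broadcast_demo(n_receivers: int = 3) -> dict:
    """Encrypt the sample feed once, fan it out to n authorised receivers and
    one eavesdropper, then try a tampered packet and a replayed packet."""
    group_key = os.urandom(32)
    receivers = [Receiver(group_key) for _ in range(n_receivers)]
    eavesdropper = Receiver(os.urandom(32))   # does not hold the group key

    packets = [encrypt_frame(group_key, seq, f) for seq, f in enumerate(SAMPLE_FRAMES)]
    for packet in packets:
        for r in receivers:
            r.receive(packet)
        eavesdropper.receive(packet)

    tampered = bytearray(packets[0])
    tampered[HEADER_LEN] ^= 0x01                  # flip one ciphertext bit
    tamper_rejected = Receiver(group_key).receive(bytes(tampered)) is None
    replay_rejected = receivers[0].receive(packets[1]) is None   # seq 1 after seq 2

    return {
        "frames_per_receiver": [len(r.frames) for r in receivers],
        "all_receivers_correct": all(r.frames == SAMPLE_FRAMES for r in receivers),
        "eavesdropper_frames": len(eavesdropper.frames),
        "plaintext_visible_on_the_wire": any(f in p for f, p in zip(SAMPLE_FRAMES, packets)),
        "tamper_rejected": tamper_rejected,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for name, value in broadcast_demo().items():
        print(f"{name}: {value}")
```

The per-frame cost for the sender is one keystream generation and one MAC, independent of the number of viewers; the real operational difficulty, which the example deliberately leaves out, is getting the group key onto every authorised receiver and rotating it when one is lost.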

Lest we begin criticizing the military too strongly, however, a moment of self-reflection might be worthwhile.  The next time you connect to the Internet over a wireless connection, whether at home or at a coffee shop, ask yourself whether you are taking any precautions to prevent your traffic from being intercepted, or whether you are just rolling the dice that no one within 100 yards has purchased some software from Russia recently.

 

Is Tougher HIPAA Enforcement Finally On Its Way?

It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way toward creating the position of “health information professional.” One area where HIPAA has, as yet, had little impact is enforcement. The history of enforcement of HIPAA’s privacy and security rules has been slim to nonexistent. The changes in behavior that have occurred have come from a desire to follow the law, not from fear of prosecution or administrative action. 

First and foremost in this regard, I note the recent decision of the Department of Health and Human Services to transfer authority for enforcement of HIPAA’s security rules from CMS to the Office for Civil Rights. The Office for Civil Rights is certainly in a better position to undertake enforcement than CMS. According to my colleague, Tom Barker, the Office for Civil Rights has a field force of 275 investigators with an annual budget of $40 million. I believe OCR will need to justify that budget, and the most visible way to do that is to bring enforcement actions and recover significant penalties. Nevertheless, $40 million does not go as far as it used to, and it certainly is not enough for a broad-based, nationwide enforcement initiative. Instead, I suspect we will start to see incrementally more enforcement actions, higher financial penalties and a few selected audits. 

Also pushing HIPAA enforcement is the HITECH Act, which was passed in February 2009 and much of which goes into effect in February 2010. Under the HITECH Act, HIPAA business associates are now subject to almost the same regulations as HIPAA covered entities. Penalties for HIPAA violations also were increased, and the ability to enforce some rules has been extended to state attorneys general. 

There is one additional factor in the enforcement environment that is little-noticed, but nevertheless is very significant: the general public.


HIPAA Breach Notification Made Simple -- Just Fill in the Blanks

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.” 

The online form is straightforward, featuring pull-down options tied to the new HITECH rules:  it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc.  OCR estimates the form will take 15-30 minutes to complete. 

Interestingly, the form does not require a statement under penalty of perjury from the submitting party, only a statement that “I attest, to the best of my knowledge, that the above information is accurate.”  This could be seen as an attempt to encourage reporting, by not saddling breach reporters with potential liability for making false statements to the government.  However, it would also seem to permit anonymous reporting, via the use of an alias.

Incident of the Week: Hack of Researchers' Email Triggers "Climategate"

Compared to security breaches that involve credit card and bank account information, other security breaches often get somewhat shortchanged in the media, notwithstanding the occasional hack of a celebrity cell phone.  The same cannot be said of the purloined emails one hacker posted online, alleged to be the back-and-forth between climate change researchers at the University of East Anglia in the United Kingdom, which are at the center of a new controversy in the public debate over climate change.  

In November, an anonymous user posted 160 MB of email, over 1,000 pieces of correspondence from the University's Climatic Research Unit (CRU), to a Russian FTP site.  While it remains unclear whether all of the published emails are accurate, Phil Jones, the Director of the CRU at the time of the hack, has stated that at least one of the emails is genuine but "has been taken completely out of context."  Other emails appear in various forms on a number of websites.  At the heart of the storm are comments deriding climate change skeptics and a reference to one statistical operation as a "trick."

Climate change naysayers have seized on the opportunity to call into question whether global warming is in fact caused by human activities.  Republican Representative James Sensenbrenner of Wisconsin recently stated that the leaked emails "read more like scientific fascism than scientific process."  Others have described the leak as part of a smear campaign intended to undermine efforts to reform fossil fuel emissions and other environmental standards.  Also worth noting, and not without humor, is RealClimate's observation that:

More interesting is what is not contained in the emails. There is no evidence of any worldwide conspiracy, no mention of George Soros nefariously funding climate research, no grand plan to ‘get rid of the MWP’, no admission that global warming is a hoax, no evidence of the falsifying of data, and no ‘marching orders’ from our socialist/communist/vegetarian overlords. The truly paranoid will put this down to the hackers also being in on the plot though.

The controversy, now dubbed "Climategate," recently led to Phil Jones' resignation as Director of the CRU. 
