Medicare Contractors Lag on Information Security

This report from the Office of the Inspector General for the Department of Health and Human Services reveals significant holes in Medicare contractor security.  Here's a notable excerpt:

Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:

• The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
• Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

Data Security Industry Grows Without "Pearl Harbor" Moment

This article, "Cyber Bombs: Data-Security Sector Hopes Adoption Won’t Require a ‘Pearl Harbor’ Moment," in last week's Mass High Tech suggests that even without a watershed event (i.e., a "Pearl Harbor") the cyber-security business will continue to grow robustly.  Interestingly, the article cited the launch of the Advanced Cyber Security Center as proof that a Pearl Harbor moment isn't necessary.

Consumer Response to Data Breach: Let's Sue!

Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an organization with which they were dealing:

  • Change passwords on that organization’s website and other sites (87%)
  • Stop dealing with that organization entirely (76%)
  • Publicly expose the issue (65%)
  • Take legal action (53%)
  • Continue dealing with the organization but not online (31%) 

Thanks to Ted Julian of Co3 Systems for bringing this report to my attention.

New England-Israel Data Storage & Security Summit-November 14, 2011

Ensuring strong and efficient data storage and secured systems is the foundation of any successful business in today's global business environment; the continued migration to cloud computing only amplifies this need.  New England and Israel are global leaders in innovation and entrepreneurship and major players in the global software/IT industry, with the innovations of their companies earning international recognition and prestige.

The New England-Israel Data Storage & Security Summit is a one-day program featuring 10 of Israel's highly promising data storage and security companies, including Axxana, CloudLock, Kaminario, Scalebase and Tufin, that are looking to expand collaborations with local partners.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,500

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.
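The complaints describe exactly the pattern that a routine access-audit review is meant to catch: chart views by staff who have no treatment relationship with the patient, repeated over time.  As an added example (not code from OCR, UCLAHS or any EHR vendor), the script below runs that check over a few constructed audit-log lines against a hypothetical care-team roster; the log format, field names, roster and the "break the glass" exemption are all assumptions made for the demonstration.

```python
"""Flag repeated ePHI access by staff with no treatment relationship.

Added example: not code from OCR, UCLAHS or any EHR vendor.  The audit
log format, field names and care-team table below are assumptions,
constructed for the demonstration.
"""
from collections import Counter
from datetime import datetime

# Constructed audit-log lines: ISO timestamp, then key=value fields.
AUDIT_LOG = """\
2008-03-01T09:12:00 user=nurse_a patient=P1001 action=view_chart
2008-03-01T09:15:00 user=nurse_a patient=P1002 action=view_chart
2008-03-01T12:40:00 user=clerk_b patient=P2001 action=view_chart
2008-03-02T08:05:00 user=clerk_b patient=P2001 action=view_notes
2008-03-03T22:10:00 user=clerk_b patient=P2002 action=view_chart
2008-03-04T23:30:00 user=clerk_b patient=P2001 action=view_labs
2008-03-05T10:00:00 user=dr_c   patient=P2001 action=view_chart
2008-03-05T10:30:00 user=dr_c   patient=P3001 action=break_glass
"""

# Hypothetical care-team roster: users with a documented treatment
# relationship (the "legitimate reason") for each patient.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_c"},
    "P1002": {"nurse_a"},
    "P2001": {"dr_c"},
    "P2002": {"dr_c"},
    "P3001": set(),
}

# Actions that are logged but reviewed through a separate emergency
# ("break the glass") process rather than flagged here.
EXEMPT_ACTIONS = {"break_glass"}


def parse_line(line):
    """Turn one log line into a dict with a datetime and string fields."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_unrelated_access(log_text, care_team, exempt=EXEMPT_ACTIONS):
    """Return events where the user is not on the patient's care team."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] in exempt:
            continue
        if ev["user"] not in care_team.get(ev["patient"], set()):
            hits.append(ev)
    return hits


def repeat_offenders(hits, threshold=3):
    """Users with at least `threshold` unrelated accesses, with counts."""
    counts = Counter(ev["user"] for ev in hits)
    return {u: n for u, n in counts.items() if n >= threshold}


def patients_affected(hits):
    """Per-patient count of unrelated accesses (feeds breach notification)."""
    return dict(Counter(ev["patient"] for ev in hits))


if __name__ == "__main__":
    found = find_unrelated_access(AUDIT_LOG, CARE_TEAM)
    for ev in found:
        print(f'{ev["ts"]:%Y-%m-%d %H:%M} {ev["user"]} -> '
              f'{ev["patient"]} ({ev["action"]})')
    print("repeat offenders:", repeat_offenders(found))
    print("patients affected:", patients_affected(found))
```

On the constructed log the review flags four views by clerk_b of two patients outside that user's care team, while dr_c's emergency access is left to the break-the-glass review instead of being counted as snooping.  The threshold of three is arbitrary; in practice the roster comes from the scheduling or admissions system and the review also has to account for covering staff, consults and billing roles, otherwise every legitimate exception becomes a false positive.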

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:  the Advanced Cyber Security Center (for which Foley Hoag serves as legal counsel) and InfraGard, a Federal Bureau of Investigation program.  One of the oldest and best examples of successful collaboration is PCI DSS, the payment card industry's security standard.

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standard (PCI DSS), a standard created by the Payment Card Industry Security Standards Council that applies to all organizations that store, process or transmit payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements.  Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell. 

The payment card industry has long been leading the charge in protecting personal data. Governments often react to issues rather than regulate proactively, but private industry must try to anticipate problems before they happen. As such, private standards generally are better at protecting personal information than state statutes and regulations. Businesses always must be two steps ahead of identity thieves in order to protect consumer data and thrive in the marketplace; the price of not doing so is high, as Sony and others have learned and continue to learn. Given this, it’s not a surprise the AG looked to PCI DSS as a new legal standard.

"Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue"

In the April 22, 2011 Boston Business Journal article, entitled "Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: 

  • “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.”
     
  • “When companies are bombarded with phishing emails, it’s akin to the notion of fighting off terrorism,” Zick says. “You only have to miss once to have a privacy breach. Education is important because the creativity of human beings often outpaces technology defenses.”

A subscription is required to access the entire article.

Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

Some Tips for Protecting Your Data when Dealing with Vendors

By Brian Bialas

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:

  • Be able to terminate the relationship without cause.

A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from the vendor after termination.

  • Use experienced vendors.

Do not be the first (or even second) company to contract with a vendor for a particular service. There are too many bugs to work out of new services before you know they are safe and secure.

  • Obtain and talk to references provided by the vendor.

Consider hiring a consultant to facilitate conversations with companies that have used a particular vendor and are not provided as references.

  • Have the vendor explain its services in detail and down to the molecular level.

Vendors should be able to go into detail about their procedures—a company should understand what the vendor is doing with its data down to the IT level.

  • Verify vendor data security measures.

The vendor’s laptops should be encrypted, along with USB drives, memory sticks, portable hard drives, etc.

  • Insist on robust notice in the event of a breach.

The vendor should be obligated to provide immediate notice to the company of any actual or suspected breach of the company’s data.

Security and Privacy Issues of 2011: How to Stay a Step Ahead of the Coming Wave of Legislation and Self-Regulation

I was on a panel today with Stuart N. Brotman, former Special Assistant to Communications and the President's principal communications policy adviser and Chief of Staff at the National Telecommunications and Information Administration.  My slides are here.

If You Got a New Smartphone Over The Holidays, Here Are Some Security Issues to Think About

If you got a new smartphone over the holidays, you've probably figured out how to use it by now.  The next thing to worry about is security.  The good news is that wireless providers are working to fortify their phones against attacks, as explained in this Wall Street Journal article.

There are some personal actions you should consider as well:

  1. Set a password and make it a strong one.
  2. Keep current on your updates.
  3. Think of your phone like your computer when it comes to security. 
  4. Make sure you know how to remotely lock and wipe your phone if it is lost or stolen.

Will a Smart Card Make Students Smarter or Is It a Dumb Idea?

In what is assuredly a sign of things to come, the Boston Public Schools have announced that they are piloting a smart card for students, called the BostONE Card.  According to an article in today's Boston Globe, the purpose of this card is to "make it easier for some public school students to use city services by providing them with one card they can use to ride the [subway], withdraw books from city libraries, play sports, attend after-school programs at community centers, and access meal programs at their schools.  The so-called BostONEcard will also be used to take attendance and may eventually serve as a debit card, among other potential uses."

Since we already know that the Boston-area transit smart cards have been hacked by MIT students, is it really a good idea to put more information in one place?  Would they be better served to use cell phone technology, since most students in the upper grades already have these devices and know how to use them (and someone else has already worked out the security and technology issues)?

Balancing Privacy and Security in an Age of Instant, Ubiquitous Communications

A recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security."  This tension is not limited to that context, however.  Nearly every workplace that uses email faces a similar tension between open access and secure communications.  And this debate splits people.  An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication is nearly equally balanced by those who chafe at such restrictions.

So, what's the right answer?  It would seem that continual balancing and re-balancing between too much/too little privacy and too much/too little security is the necessary (if not quick or easy) solution.  In the workplace, that means not always siding with one faction or the other on these issues, but addressing issues pragmatically as they arise.

Is the Smart Money Chasing Privacy and Security?

A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months.  This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K.  It seems likely that we are due for a long-term presence of privacy and security protection in our business and private lives.  While Y2K was a one-time event and the huge amounts spent (wasted?) on it left investors with a New Year's Day hangover, the digitization of commerce grows day by day, resulting in concomitant needs for information privacy and security, which may justify the faith of investors.

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration.  There is no dispute that security measures do decrease productivity to some extent.  The question that needs to be asked is how much does security actually impair productivity and is the cost in lost productivity less than the costs from an actual security breach?

As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others.   His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off.  In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption."  This trade-off analysis is a worthy exercise for any individual and for any organization.

FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC's expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.

The first of these free, public meetings will be held Monday, December 7, 2009, at the FTC Conference Center in Washington, DC.  A live Webcast of the program also will be available at FTC.gov.  Individuals and organizations may submit requests to participate as panelists and may recommend topics for inclusion on the agenda.

Garbage Dump in Ghana A Gold Mine For Sensitive Information

In June, a team of researchers investigating the disposal of electronics in Ghana for the PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana, and the drives contained credit card numbers and resumes.  The highlight of the investigation was when they discovered unencrypted information from government contractor Northrop Grumman.  That hard drive was obtained by Frontline for $40.

Northrop Grumman said in a statement to IT World that it believes the hard drive was stolen from an unidentified contractor hired to dispose of the computer, though that does not explain how the hard drive ended up in a dump in Ghana with its information intact.  Apparently, sources in Ghana indicated to the Frontline team that "data thieves" routinely search through disposed electronics for valuable information.

The moral of this story is that electronic media may retain recoverable information even after they have supposedly been wiped: deleting files or reformatting a drive removes the directory entries, not the data blocks, so a "wiped" drive is only clean if every block was actually overwritten.  When disposing of media, care should be taken to verify that information is no longer recoverable, by overwriting the whole device (or using the drive's own secure-erase function) and checking the result, or by physically destroying drives that held sensitive information. The FTC provides a more detailed list of disposal recommendations on its OnGuardOnline website.
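To see what a drive actually still holds before it leaves your hands, this added example (not code from Frontline, Northrop Grumman or the FTC) scans a small disk image constructed in memory for non-zero sectors and for digit runs that pass the Luhn check used by payment card numbers, shows that a delete or quick format leaves the numbers in place, and then verifies that a full overwrite clears them.  The image layout, the resume contents (which use the well-known 4111... and 5500... test card numbers) and the sector size are assumptions.

```python
"""Check a disk image for recoverable sensitive data before disposal.

Added example: not code from Frontline, Northrop Grumman or the FTC.
The 'disk' is a small byte buffer constructed here; a real check reads
the raw device in the same sector-sized steps.
"""
import re

SECTOR = 512
# Runs of 13-19 ASCII digits not adjacent to other digits: PAN candidates.
DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_image():
    """Constructed 8-sector image: sector 0 plays the directory/allocation
    table, sector 3 holds a resume with two card numbers (the well-known
    test numbers 4111... and 5500...) and one non-card identifier."""
    img = bytearray(8 * SECTOR)
    img[0:24] = b"DIR resume.txt @sector 3".ljust(24)
    doc = (b"Resume - J. Doe, jdoe@example.com\n"
           b"Corporate card: 4111111111111111\n"
           b"Backup card:    5500000000000004\n"
           b"Employee id:    1234567890123 (fails Luhn, not a card)\n")
    img[3 * SECTOR:3 * SECTOR + len(doc)] = doc
    return img


def scan_image(img, sector=SECTOR):
    """Return (indices of non-zero sectors, set of Luhn-valid digit runs)."""
    nonzero = [off // sector for off in range(0, len(img), sector)
               if any(img[off:off + sector])]
    pans = {m.group(1).decode() for m in DIGIT_RUN.finditer(bytes(img))
            if luhn_ok(m.group(1).decode())}
    return nonzero, pans


def quick_format(img):
    """Simulate a delete or quick format: only the directory sector is
    cleared; the data sectors are untouched, which is why dumped drives
    still yield whole files."""
    out = bytearray(img)
    out[0:SECTOR] = bytes(SECTOR)
    return out


def overwrite(img, pattern=b"\x00"):
    """Overwrite every sector with `pattern` (a single-pass clear).  On a
    real device this loop runs against the raw block file; flash media
    need the device's own secure-erase command instead, because wear
    levelling can keep stale copies the host cannot address."""
    fill = (pattern * SECTOR)[:SECTOR]
    out = bytearray(img)
    for off in range(0, len(out), SECTOR):
        out[off:off + SECTOR] = fill[:len(out) - off]
    return out


if __name__ == "__main__":
    disk = build_image()
    print("as received:       ", scan_image(disk))
    print("after quick format:", scan_image(quick_format(disk)))
    print("after overwrite:   ", scan_image(overwrite(disk)))
```

Run against real media, the same scan reads the raw device (only hardware you are authorized to examine) rather than a buffer; a clean result is an empty sector list and no card-number hits.  The scan only looks for one kind of residue, so it is a verification of the wipe, not a substitute for overwriting the whole device or destroying it.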


Lessons from the VA: what you can learn from someone else's problems

For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records. As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic in any EHR system.  (This very point was made by Drs. Jerome Groopman and Pamela Hartzband in their March 12, 2009 Wall Street Journal op-ed.) Given these built-in weaknesses, frequent auditing of records, with strong and persistent audit trails, is a vital component of any EHR system.  Also, communication between all levels of workers in the care setting is important, to provide similar feedback.  The VA has adopted these mechanisms as part of its EHR systems. VA health care workers are encouraged to report problems with the electronic medical record systems, and those reports are closely monitored. Ironically, this may be why we hear so much about the VA’s issues: they are finding problems that others have in their data systems but do not yet know about.