Thursday, January 13, 2011

I'm not sure what they mean by “routine monitoring of backups” – perhaps they were checking to see if everything was being backed up. If so, why wait two months to check?

WA: HACKED: Kadlec notifying patients of computer server breach

January 12, 2011 by admin

From the staff of Tri-City Herald:

Kadlec Regional Medical Center officials announced today that patients are being notified that one of the hospital’s computer servers containing brain scan and other patient studies was hacked in September.

Files housed on the server included information including a patient’s name, birth date, age, gender, medical record number and doctor’s name, but did not include any patient financial information, address, social security number or insurance data.

Kadlec officials first discovered the unauthorized access during routine monitoring of computer network backups on Nov. 11, according to a news release.

Read more on Tri-City Herald. I do not see any notice on the medical center’s site at this time.

[From the article:

Hospital officials said they have added significant security measures to Kadlec's servers to help prevent future breaches. [“We decided to add all that security we had decided we didn't need (didn't want to spend money on) before we found out we had inadequate security...” Bob]

Another confusing statement.

Pentagon Credit Union Database Compromised

"The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC." [I doubt the PC acted alone. Was an employee's PC infected with software that captured data? Stole a User ID & Password? Copied the database and emailed it to Romania? Bob]

Again some basic questions. Where should this data be stored? How long should it be stored? (Do 231,000 patients represent months or years of radiology?)

Seacoast Radiology Computer Server Breached – 231,400 Patients Notified

January 12, 2011 by admin

From a Seacoast Radiology press release:

Seacoast Radiology, PA discovered on November 12, 2010 that an office server containing personal patient data and billing information was accessed by an unauthorized third party. Access to this server was disabled immediately and an independent investigation concluded that unauthorized use of patient and billing data is unlikely. [How does one reach this conclusion? Bob] All patients and patient billing guarantors have been notified.

The independent investigation indicated that personal information, including name, address, Social Security number, date of birth, medical procedure codes, diagnosis codes and billing information was stored on this server. Patient radiology reports, including radiographic images, and banking information was not stored on this server and therefore not breached.

Seacoast Radiology has engaged with several computer security experts and has implemented security procedural changes to keep patient data secure from unauthorized access.

In addition to procedural changes, Seacoast Radiology has contracted with ID Experts® to provide an informational toll-free number and website to answer questions about this incident. Patients with questions regarding this incident can visit

This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Seacoast Radiology, PA has notified patients, billing guarantors and the Department of Health and Human Services (HHS).

From the FAQ on the support web site:

On November 12, 2010, Seacoast Radiology discovered that there had been unauthorized access to an office server. No credit card information was contained on this server, as Seacoast Radiology does not at this time accept credit cards for payment. The server contained patient names, Social Security numbers, address, phone number and other basic information, as well as basic medical diagnosis codes and basic procedure codes for billing purposes. The server also contained information on individuals serving as ‘insurance guarantors’ for the patients, and some of these individuals did not have social security numbers in the computer. [Sometimes they follow their procedures, sometimes they don't? Bob] In some cases the guarantor information included name and address in addition to Social Security number. Some of the guarantors only had name and address associated with their information, without Social Security number.

Brendon Nafziger of provides additional details:

A large radiology practice in New Hampshire said Wednesday hackers apparently breached a server containing Social Security numbers and medical codes for hundreds of thousands of patients, with the culprits likely rogue gamers looking for bandwidth to play the popular military shoot-’em-up Call of Duty: Black Ops.

The group estimates 231,400 patients might have been affected by the breach.


A management decision: Should we “buy insurance” or accept the risk?

Securing data will be costly, UH says

January 12, 2011 by admin

Gene Park reports:

The University of Hawaii says it needs $1.9 million to tighten its Web security and lessen the chance of future data breaches of individual privacy.

In addition, the 10-campus system would need about $764,000 a year to maintain and operate the upgraded system, said David Lassner, the university’s vice president for information technology.

“Information technology at UH is highly decentralized,” Lassner said yesterday at a state Senate informational hearing at the Capitol, “because as an academic institution, we have lots of people generating information, disseminating it, and over 600 Web servers throughout the UH system.”

The hearing was held in response to three data breaches in the UH system last year. A report by national watchdog group Liberty Coalition said UH was responsible for 54 percent of all data breaches in Hawaii since 2005, compromising 259,000 records.

Read more on the Star Advertiser.

Given that a single breach can reportedly cost $2 million in legal costs alone, it’s a better use of the money to invest in security. That said, there are other costly measures that the Hawaii legislature is considering based on Liberty Coalition’s analysis and recommendations. Having read their report and concluded that it seriously overestimates the number of ID theft victims in Hawaii and that most ID theft cases in Hawaii cannot be clearly attributed to breaches involving either the University of Hawaii or other state agencies, I hope the legislature will go very slowly and not impose costly and undue burdens on businesses and entities that are unlikely to reduce ID theft. But more on that in another blog entry when I find some time.

Article: Is the Fourth Amendment Relevant in a Technological Age?

January 13, 2011 by Dissent

Via, a new article available on SSRN:

Is the Fourth Amendment Relevant in a Technological Age?

Christopher Slobogin, Vanderbilt Law School, January 4, 2011
This work will be a chapter in a forthcoming book in The Future of the Constitution series, edited by Jeffrey Rosen and Benjamin Wittes and published by the Brookings Institute. Over the past 200 years, the Fourth Amendment’s guarantees have been construed largely in the context of what might be called “physical searches” – entry into a house or car; a stop and frisk of a person on the street; or rifling through a person’s private papers. But today, with the introduction of devices that can see through walls and clothes, monitor public thoroughfares twenty-four hours a day, and access millions of records in seconds, police are relying much more heavily on what might be called “virtual searches,” investigative techniques that do not require physical access to premises, people, papers or effects and that can often be carried out covertly from far away. The Supreme Court’s current Fourth Amendment jurisprudence – specifically, its “knowing exposure,” “general public use,” “contraband-specific,” “assumption of risk” and “special needs” doctrines – has both failed to anticipate this development and continued to ignore it. This article describes this jurisprudence and how it can foster law enforcement abuse, mission creep, mistaken seizures and physical searches, and an oppressive atmosphere even for the innocent. It then outlines a more technologically-sensitive Fourth Amendment framework.

You can download the full article from SSRN.

A most interesting report (kind of reads like a marketing brochure) but with lots of quotable quotes...

January 12, 2011

Report: Protecting the Digital Economy

"On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."

Coming soon to your home...

January 12, 2011

New GAO Reports: Electricity Grid Modernization

  • Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, GAO-11-117, January 12, 2011: "The electric industry is increasingly incorporating information technology (IT) systems into its operations as part of nationwide efforts—commonly referred to as smart grid—to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of services. To address this concern, the Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards."

[From the report:

With respect to challenges to securing smart grid systems, GAO identified the following six key challenges:

• Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.

• Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.

• Utilities are focusing on regulatory compliance instead of comprehensive security.

• There is a lack of security features being built into certain smart grid systems.

• The electric industry does not have an effective mechanism for sharing information on cybersecurity.

• The electricity industry does not have metrics for evaluating cybersecurity.

This makes me ask, “Who is running T-Mobile?”

T-Mobile makes U-turn on data cap cut

T-Mobile UK has backtracked on its decision to drastically cut the mobile data use allowances for existing as well as new smartphone customers, following an explosion of public anger at the move.

Yesterday the operator said it will now only offer the reduced levels of data to new and upgrading customers, while existing customers will get the 1GB to 3GB they signed up for until their contracts run out.

The U-turn, announced yesterday afternoon, came shortly after the UK consumer group Which? said its legal team were of the opinion that T-Mobile was breaking its own terms and conditions by announcing the 'fair use' cap cut less than a month before it will come into force on February 1.

Another “Everyone Knows” for my Statistics students...

Talking On Your Cell Phone Could Make You Drive Safer

The original claim grew from research by psychologists at the University of Utah in 2003, who used driving simulators to test volunteers' reactions while talking and while drunk. The result: "Driving while talking on a cell phone is as bad as or maybe worse than driving drunk," the researchers reported.

That claim has since become part of the accepted canon about road safety, repeated by everyone from Oprah to U.S. Transportation Secretary Ray LaHood in his campaign against distracted driving. Eight states, including California, have made talking on a handheld cell phone while driving illegal.

… And it sounds like common sense: Splitting your mind's attention between the road and whatever someone's blathering into your ear over a cell phone must be dangerous.

… The new study comes from economists Saurabh Bhargava at the University of Chicago and Vikram Pathania of the London School of Economics. They come at the question from a different direction, starting by using data from a cell phone company on up to 440,000 calls made from California drivers during an 11-day period in 2005. The researchers were able to separate drivers from other users by filtering for calls that switched among cell towers.

Their earlier research showed that when cell phone companies had rates that dropped at 9 p.m. on Monday through Thursday nights, calling jumped up. The economists matched their calling data with crash reports for just before and just after 9 p.m., when they could prove calls from drivers on the road increased, and found no significant increase in crashes. When they expanded their scope to additional years and nearby states, there was still no rise in wrecks.
