Wednesday, September 21, 2011


Interesting that this is treated as a breach. Do older X-rays include personal data 'burned' on the film?
By Dissent, September 20, 2011
Not the first time we’ve seen a breach like this and likely, it won’t be the last:
Barrels of X-ray film set to be destroyed were stolen from Good Samaritan Hospital in Baltimore by a man posing as a vendor employee, police said.
According to a Baltimore City police report, officers were called to the hospital Friday morning to investigate the theft of as many as two barrels of old X-ray film. Hospital officials said the films were “more than 5 years old” and the films “had been put aside to be either destroyed or recycled.”
“It appears he did this by misrepresenting himself as the vendor responsible for the disposing and/or the recycling of those items,” Baltimore police spokesman Kevin Brown said.
[...]
A statement released by Good Samaritan Hospital suggests the assailant’s motive may have been to extract and sell the silver contained in the films: “There is no clinical impact to patient care as medical reports associated with those films remain with the patient records. We are working diligently to determine the specific patients impacted by this occurrence so direct notification can be made to assist them.”
Read more on WBAL.


Is this the electronic equivalent of asking your neighbors about your biases?
Lawyers in Murray trial using Facebook, Twitter to screen jurors
After approximately a week of poring over 145 jury questionnaires, lawyers in the trial of Michael Jackson's doctor are due in court Wednesday to discuss removing jurors whose answers they believe should disqualify them from hearing the case.
But legal experts say prosecutors and defense attorneys in the Conrad Murray trial will be doing more than simply screening jurors based on their answers to the more than 100 questions filled out on September 8 and 9. They'll also be scrutinizing what prospective jurors may have said outside the courthouse and online about events surrounding the June 2009 death of pop star Michael Jackson.
… But Gabriel added that it is rare for a legal team to have time to do such vetting of prospective jurors, because jury selection is completed within hours in a vast majority of trials, [Sounds like a business opportunity: instant social media search. Bob] not over several weeks as in the Anthony case (and most likely Murray's as well).


Interesting but not unexpected statistics.
TalkTalk ISP Study Claims Half of Internet Connected Homes Suffer Cyber Attacks
A new TalkTalk commissioned YouGov study into the broadband habits of 19,828 UK adults ('Life Online') has claimed that almost half (45%) of all internet connected homes have suffered some form of cyber-attack, although this apparently included being "bombarded with unwanted 'pop-up' advertising".
The ISP estimates that more than 700,000 attempts at identity theft were also mounted on Britain’s homes during the first quarter of 2011 and that 89% of emails sent last year were SPAM (unwanted or malicious junk). The single most prominent form of cyber-attack was Adware (35%) related, which uses various methods (e.g. keyloggers) to collect sensitive private information from your computer.
The vast majority of respondents to the survey agreed that it was important to protect their internet connections, yet 10% of broadband ISP customers said they relied "solely on their own vigilance" instead of using security software. Personal vigilance alone is not enough to spot all threats, many of which can creep in silently.
Elsewhere 23% of parents claimed to have seen their children (those aged 6-17) accidentally download a virus on to the home computer and 5% witnessed them giving out personal information online; some 73% of parents cite this as being their "biggest concern".

(Related) Still, one out of three is better than 45%...
Data breaches affect 2m in Mass.
September 21, 2011 by admin
Hiawatha Bray reports:
Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.
[...]
The attorney general’s office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 2.1 million residents were affected by the various incidents, though it’s unknown whether any of them were actually defrauded as a result of the data leaks.
Of the reported incidents, 25 percent involved deliberate hacking of computer systems containing sensitive data. Another 23 percent involved accidental sharing of information with unauthorized people, such as sending faxes or e-mails with personal information to the wrong recipient. In 15 percent of cases, retailers reported the theft of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
Read more on Boston Globe.


I wonder if there will be a backlash if the cops start mailing out tickets based on this “evidence”.
OnStar Begins Spying On Customers’ GPS Location For Profit
September 20, 2011 by Dissent
Jonathan Zdziarski writes:
I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include selling your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement. [Are the cops fishing for violators? Bob] To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling.


Gary Alexander sends an interesting article... It is far easier to say “NO!!!” to everything than to actually read the laws and regulations and make an informed determination. Lots of lawyers (managers too) think their job is to say no. I think their job is to help me accomplish my job. And don't get me started on sending things by FAX (first patented before the Civil War), which requires someone to print out data, fax it, then someone else gets to type it back into a computer.
HIPAA on phones, faxes and e-mail
My wife Deborah Black (light of my life) is a neuropsychiatrist who works at two different clinics. Sometimes patients are referred from one clinic to the other, and the question arises of how to transmit the details of their medical record from one team to the other.
Anything concerning the privacy of medical data in the USA is governed by the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996. The legislation is complex, and the U.S. Department of Health & Human Services (HHS) has set up an extensive Web site with detailed information and instructions about HIPAA.
One of the questions I’ve been asked by my wife’s staff is whether it is acceptable to send medical information by fax or e-mail; some of the security and information technology staff at her clinics have flatly forbidden such transmission, asserting baldly that HIPAA forbids such transmission. Unfortunately, their medical records systems are incompatible, so the data cannot be sent automatically from one clinic to the other with appropriate encryption and other safeguards.
However, the IT/security staff are wrong in their absolute interdiction of faxes and e-mail for medical records.
In the document entitled, “Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?”, the HHS writes (quoting in full),
Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.


For my Computer Security students (all of whom use flash drives)
7 Best Antivirus To Save Your PC From Infected USB Flash Drives


For my Ethical Hackers.
Smart meters reveal TV viewing habits
September 21, 2011 by Dissent
Researchers at the Münster University of Applied Sciences have discovered that it is possible to use electricity usage data from smart electricity meters to determine which programmes consumers are watching on a standard TV set. The experiments were carried out as part of the state-funded DaPriM (data privacy management) project. By analysing electricity consumption patterns, it is, in principle, also possible to identify films played from a DVD or other source.
Read more on H-Online.
[From the article:
Until now, the general assumption has been that it would be possible to use typical electricity consumption data from the smart meter for different appliances to determine whether a customer had prepared his or her dinner in the microwave, on the hob or in the oven, but nothing more. That possibility had already spurred data protection officials in the USA, where smart meters are already widely used, into action – they demanded precise regulations on how electricity meters deal with and protect collected data.
Second by second data transfer makes it possible to carry out much finer analysis. In the opinion of the Münster-based research team, this calls for a tightening of data protection regulations. One solution might be to increase the polling interval or simply to transfer a statistical summary to the electricity generator or provider. This would make the high resolution consumption data required for close analysis unavailable. Either way, the consumer is reliant on the provider taking the appropriate measures.]
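To make the two mitigations in the article concrete (a longer polling interval, or sending only a statistical summary), here is an added example that is not part of the H-Online article or the DaPriM project. The two per-second power traces, the 60-second interval and the 0.9 correlation threshold are all constructed for illustration; the point is that interval totals keep everything the provider needs for billing while the fine-grained pattern that a template comparison relies on disappears.

```python
"""Smart-meter privacy: how coarser polling destroys programme fingerprints.

Added illustration; the traces below are constructed, not measured.
"""
from statistics import mean, pstdev

# Constructed per-second power traces (watts) for a 10-minute window.
# Base load 100 W plus a brightness-dependent TV draw that differs between
# two hypothetical programmes. Real traces would be noisier; the periodic
# shape here just keeps the arithmetic easy to follow.
SECONDS = 600
PROGRAMME_A = [100 + 40 * ((t // 5) % 3) for t in range(SECONDS)]
PROGRAMME_B = [100 + 60 * ((t // 3) % 2) for t in range(SECONDS)]
TEMPLATES = {"programme A": PROGRAMME_A, "programme B": PROGRAMME_B}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series.

    Returns 0.0 when either series is flat, i.e. when no pattern is left
    to compare against.
    """
    if len(xs) != len(ys):
        raise ValueError("series must have equal length")
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def aggregate(readings, interval_s):
    """Mitigation 1: report one energy total (watt-seconds) per polling interval.

    interval_s=1 leaves the per-second data unchanged.
    """
    return [sum(readings[i:i + interval_s])
            for i in range(0, len(readings), interval_s)]


def billing_summary(readings):
    """Mitigation 2: ship only the statistics a provider needs (total, mean, peak)."""
    return {
        "total_wh": sum(readings) / 3600,
        "mean_w": mean(readings),
        "peak_w": max(readings),
    }


def identifiable(trace, templates, interval_s=1, threshold=0.9):
    """Risk check: at this polling interval, does any template still match the trace?

    Both the trace and the templates are aggregated to the same interval
    before comparison, as an analyst working from coarse data would have to.
    """
    coarse = aggregate(trace, interval_s)
    return any(pearson(coarse, aggregate(tmpl, interval_s)) >= threshold
               for tmpl in templates.values())


if __name__ == "__main__":
    for interval in (1, 60):
        print(f"{interval:>3}s polling: identifiable = "
              f"{identifiable(PROGRAMME_A, TEMPLATES, interval)}")
    print("billing summary:", billing_summary(PROGRAMME_A))
    # The interval totals still add up to the same energy as the raw data.
    print("energy preserved:", sum(aggregate(PROGRAMME_A, 60)) == sum(PROGRAMME_A))
```

At one-second resolution the trace correlates perfectly with its own template, so `identifiable` is true; at a 60-second interval every bucket of the constructed trace sums to the same value, the correlation collapses to 0.0, and the check fails, while the interval totals and the billing summary are unchanged. Real consumption data is not this tidy, so the interval that suffices in practice has to be measured rather than assumed.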


Ditto. Use the printer to make a skimmer that fits over the card slot on an ATM.
"An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. ... Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialize blogged about receiving a client's order for building a card skimmer. In June, a federal court indicted four men from South Texas whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer."
