Friday, May 25, 2012


Never contradict the Attorney General...
By Dissent, May 24, 2012
It started with an announcement in July 2010 that computer backup tapes with data on 800,000 were missing. It proceeded to confusion as to what business associates or vendors were involved and the sequence of events. But things started getting really ugly over a dispute between South Shore Hospital and the Massachusetts Attorney General’s Office, who objected to the hospital’s position that it did not have to provide individual notice. Today, the Attorney General’s Office announced that the hospital would pay $750,000 to settle charges against it under HIPAA and state laws over the data breach:
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers, Attorney General Martha Coakley announced today. The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.
“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”
The consent judgment approved today in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund [Never contradict the Attorney General... Bob] to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.
The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.
In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. [This part could be done on-site Bob] The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them.
The hospital did not inform Archive Data, however, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.
In June 2010 South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.
The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place [That is required by law? Bob] with Archive Data, and failing to properly train its workforce with respect to health data privacy.
According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.


If you want to make a “world-class security screw-up,” this is the model to follow...
"Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
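The defensive check the Axis incident calls for is a pre-release scan of the unpacked extension tree for private-key material. The example below is added here and is not code from the original article or from Yahoo; the extension tree it scans is a constructed sample with placeholder values, and it flags armoured private-key headers (PEM, OpenSSH, PGP) while leaving the manifest's public `key` field alone.

```python
import os
import re
import tempfile

# Armoured private-key headers (PEM, OpenSSH, PGP). Any of these inside a shipped
# package is a release blocker: the key holder can sign updates users will trust.
PRIVATE_KEY_MARKER = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----"
)

def scan_file(path):
    """Return the 1-based line numbers in `path` carrying a private-key header."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, start=1):
            if PRIVATE_KEY_MARKER.search(raw.decode("utf-8", "replace")):
                hits.append(lineno)
    return hits

def scan_package(root):
    """Walk an unpacked extension tree; map each offending file to its hit lines."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:  # normalise to forward slashes so results are portable
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def build_demo_package():
    """Constructed sample tree (hypothetical): one source file embeds a key."""
    root = tempfile.mkdtemp(prefix="ext-")
    os.makedirs(os.path.join(root, "src"))
    files = {
        # manifest "key" is the PUBLIC key and may ship; value is a constructed placeholder
        "manifest.json": '{"name": "demo", "version": "1.0", "key": "MIIBIjANBg-placeholder"}\n',
        "src/background.js": "console.log('ok');\n",
        # Constructed leak: an armoured private key pasted into a source file.
        "src/updater.js": (
            "// signing material that should never be in the package\n"
            "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
            "lQOYBF-constructed-placeholder\n"
            "-----END PGP PRIVATE KEY BLOCK-----\n"
        ),
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run `scan_package()` over the build output before packaging and fail the release on any finding; a public key in `manifest.json` is expected and is not reported.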


This screw-up is merely “New Jersey class.” It points out how easy it is to start hacking, but omits the warning that much of this could have been spoofed.
"The mayor of West New York, New Jersey was arrested by the FBI after he and his son illegally took down a website that was calling for the recall of mayor Felix Roque (the site is currently down). From the article: 'According to the account of FBI Special Agent Ignace Ertilus, Felix and Joseph Roque took a keen interest in the recall site as early as February. In an attempt to learn the identity of the person behind the site, the younger Roque set up an e-mail account under a fictitious name and contacted an address listed on the website. He offered some "very good leads" if the person would agree to meet him. When the requests were repeatedly rebuffed, Joseph Roque allegedly tried another route. He pointed his browser to Google and typed the search strings "hacking a Go Daddy Site," "recallroque log-in," and "html hacking tutorial."'" [Be careful what you Google... Bob]

(Related) I think it's safe to assume that “Hillary's Hackers” are more sophisticated than “some guy from Jersey” but think of the minimum required to join the Jihad...
"In the growing Al-Qaeda activity in Yemen, Secretary of State Hillary Clinton revealed today that 'cyber experts' had recently hacked into web sites being used by an Al-Qaeda affiliate, substituting the group's anti-American rhetoric with information about civilians killed in terrorist strikes. Also this week, a statement from the Senate Committee on Homeland Security and Governmental Affairs revealed the presence of an Al-Qaeda video calling for 'Electronic Jihad.'"


Can you imagine what the people who run China think of 1,000,000,000 people who can communicate in real time? How does that change the political dynamic? (Does democracy start with the Tweet: “I'm not going to take this anymore. Who is with me?”)
China rules the mobile world with 1 billion users
According to The Next Web, the Chinese government has officially announced that it now has more than 1 billion mobile phone users.
For comparison, the U.S. looks measly with just more than 330 million users, according to numbers from the CTIA wireless association.


Perspective
Google Says It Removes 1 Million Infringing Links Monthly
Each month, Google removes more than 1 million links to infringing content such as movies, video games, music and software from its search results — with about half of those requests for removal last month coming from Microsoft.
The search and advertising giant revealed the data Thursday as it released sortable analytics on the massive number of copyright takedown requests it receives — adding to its already existing data on the number of times governments ask for users’ personal data.
The Mountain View, California-based company removes links to comply with the Digital Millennium Copyright Act. The DMCA requires search engines to remove links to infringing content at a rights holder’s request or else face liability for copyright infringement itself. Google said it complies with about 97 percent of requests, which are submitted via an online form and usually approved via a Google algorithm.
… Google rejected some of the requests, Fred von Lohmann, Google’s senior copyright attorney said, because “the form is incomplete, the web page doesn’t exist or we look at it and say we don’t think it is infringing.”
The top rights holders demanding removal of links were Microsoft, at 543,000 last month, the British Recorded Music Industry at 162,000 and NBC at 145,000. The top targeted sites hosting allegedly infringing content were filestube.com at more than 43,000, torrents.eu at more than 23,000, and 4shared.com at more than 22,000.
The Pirate Bay, the most notorious online haven for copyrighted content, came in at an unimpressive 13th place, with 10,245 requests for takedowns of links to the site.
… Overall, Google received 1.24 million requests from 1,296 copyright owners for removal the past month. They targeted 24,129 domains.
… But before the removal process became automated, Google said in a blog post that it removed less than 250,000 links in all of 2009. [Indication that the requester's end is also automated? Bob]


Something to think about...
The Future of Scholarship: Easier, Harder, and With More Charlatans
… Fifteen years ago my laptop was surrounded by books, some of which I owned, some I had checked out from my college's library or from the local public library, some I had ordered from other libraries. And then there were the photocopied articles, so many that I had organized them roughly by subject and gathered them into three-ring binders.
… Now I still have books around, but in far smaller stacks, and no photocopies at all. Instead, I have thirty or more browser tabs open, containing articles from JSTOR or Project Muse, full-length texts on Google Books and Project Gutenberg, Amazon.com pages containing all the notes I've made in the Kindle books I've used for research, plus a number of "Look Inside!" pages from Amazon. I even have Amazon pages open for books sitting on my desk. There's no Kindle edition of Diarmaid MacCulloch's magisterial biography of Thomas Cranmer, but if I'm looking for a particular passage in it, looking through my underlined and annotated paper copy is just too slow: I type a keyword or two into the "Look Inside" search box and get the relevant page number instantly. Often I type in a quotation from the webpage instead of from the book because it's faster and easier than trying to find a way to prop the book open. Probably half of the sources I draw on in my research are still from print, but I spend 80 percent or more of my working time looking at my laptop screen. I still use a lot of books, but I spend less and less time in them, and more and more time with digital text (even when I have hard copies of the books).
… So how do these changes matter? How do they affect the work of writing, and how we think about the work of writing? I think there are three major ways.
1) They make research -- and getting the research into my documents -- much easier and faster.
2) They make it less defensible to cut corners. If I read in a modern book or article a quotation from an old book or article, chances are I can find that original source online: if it's a book, it's likely to be in Google Books or some other site, and if it's an article, the digital archives of periodicals are increasingly complete. There's really no good excuse for failing to track down that original source to make sure it hasn't been quoted inaccurately or out of context, and to see if it contains other useful material.
3) They make it easier to fake erudition. It has never been nearly so easy to give yourself the appearance of learning you do not really have. … Instead of citing one source for a given idea I can cite five. If I have gotten information from a commonly-used source I can often track down a much older and more obscure citation for it.
