Remember, it's “Best Practices” not
“Absolutely Foolproof Practices”
By Dissent,
January 2, 2013 8:26 am
Over the past year, I’ve had the
opportunity to talk to a number of people in different organizations
who are concerned with insider breaches in the health care sector.
One of those people is Kurt Long, CEO and Founder of FairWarning,
a firm that provides patient privacy monitoring (privacy breach
detection) systems.
So, here’s a little pop quiz to start
this post:
- What percent of insider breaches are reduced by employee training on HIPAA and review of access policies?
- What percent of insider breaches can be reduced by installing monitoring software?
- What percent of insider breaches can be reduced if you actually enforce policies and discipline employees?
According to data
compiled by FairWarning using before-and-after data on their
clients:
- Employee training can reduce insider breaches by 58%
- Monitoring the network for improper access is crucial, but may not significantly change the culture until combined with
- Disciplining or sanctioning employees, which effectively communicates that employee access is being monitored and inappropriate access will have serious consequences.
Monitoring and enforcement can reduce
insider breaches by another 40%.
Overall, within a 6-month period,
FairWarning’s clients experience an 85-98% reduction in insider
breaches, Long says.
That’s good advertising for them, and
I’m sure readers will point out that their statistics, based on a
non-random sample, may be somewhat self-serving. But their findings
should also be food for thought for your practice or organization.
This past year, I blogged a lot about
insider breaches in the healthcare sector. While strengthening
firewalls against external threats is critical, as is training
employees not to fall for phishing schemes and not to leave PII on
unencrypted devices in unattended vehicles, some of the standard
security precautions – like encrypting PHI – really do nothing to
reduce breaches by those who are authorized to access patient data.
FairWarning’s data suggest that a strong employee training program
combined with monitoring access and making a point of enforcing
discipline so that everyone gets the message might reduce the vast
majority of insider privacy breaches.
But while creating a culture in which
employees understand that they might or will lose their jobs for
inappropriate access is important, I think it’s also crucial that
those in the health care sector see more examples of employees being
criminally prosecuted for snooping or other inappropriate access.
California has been in the forefront of pursuing cases of snooping,
while the federal government has been in the forefront of prosecuting
cases involving patient data used for Medicare fraud and tax refund
fraud. Unfortunately, many prosecutions for fraud do not name the
hospital or health care provider whose employee(s) engaged in illegal
conduct. Perhaps if they did, organizations of all sizes would be
more concerned about potential reputation harm and would take more
aggressive steps to prevent insider breaches. Even if an entity is
not named, however, such breaches can incur significant breach costs
and affect patients’ confidence or trust in the entity to protect
their sensitive information.
So what will your organization be doing
in 2013 to reduce insider breaches? And if your organization has
implemented some effective strategies to reduce insider breaches,
what are those strategies?
The crime occurred in the computer,
therefore those laws apply.
Evan Brown provides a recap of the
ruling in MacDermid,
Inc. v. Deiter. The relevant background of the case is that
an employee of a U.S. firm who lived and worked in Canada allegedly
accessed her firm’s server in Connecticut from her Canadian
location and forwarded confidential corporate information from her
work e-mail account to her personal account. The transfer allegedly
occurred after she learned she was to be terminated from her
position.
MacDermid sued the employee in federal
court in Connecticut, alleging unauthorized access and misuse of a
computer system and misappropriation of trade secrets in violation of
Conn. Gen. Stat. §§ 53a-251 and 35-51 et seq. The
employee moved to dismiss based on lack of personal jurisdiction as
she resided and worked in Canada. The District Court agreed with the
defendant. MacDermid then appealed the dismissal.
On appeal, the Second Circuit reversed
and remanded. The court held that Connecticut’s long-arm statute
did apply because the server was located in Connecticut. And
although there would be some burden for the defendant to travel to
Connecticut to defend the suit, that factor did not make jurisdiction
in Connecticut unreasonable:
Further,
efficiency and social policies against computer-based theft are
generally best served by adjudication in the state from which
computer files have been misappropriated. Accordingly, we conclude
that jurisdiction is reasonable in this case.
Read more on Internet
Cases.
In some “government knows best”
future, would children be taken from Mommy bloggers?
Sarah Kendzior has a thoughtful
piece on a topic I’ve mentioned before: does a mother’s right
to tell her story or blog about her life trump the privacy rights of
her child? The issue recently came to the forefront again after
Sarah responded
critically to a blog post called “I
Am Adam Lanza’s Mother” that had gone viral. I had winced as
I had read Liza Long’s post and wondered how her son might feel
years from now if he sees what she wrote about him, but I had
understood what she was trying to do. I had also winced at Sarah’s
response, because I had the feeling that she had never walked a mile
in the shoes of a mother of a child with special needs.
Sarah writes:
On December 19,
the Federal Trade Commission passed
a law increasing privacy safeguards on children’s mobile apps
and websites. Under the new law, websites and apps will have to get
parental permission to collect photos, videos and other information
that children post online.
“Parents, not
social networks or marketers, will remain the gatekeepers when it
comes to their children’s privacy,” explained
Jim Steyer, head of the child media advocacy group Common Sense
Media.
This is all well
and good, but a question remains: Who will protect
children from their parents?
It’s an important question in a world
where the Internet never forgets. And the risks for children who
have mental health challenges may be even greater. Sarah writes:
To reveal the
personal struggles of a mentally ill minor online – in particular,
to paint him as unstable and violent – is a form of child abuse.
Not only does it violate the bond between a child and the person who
is supposed to protect him, it can lead to the child being mocked,
attacked and shunned by his own community when he is already
vulnerable.
Moreover, the
damage is permanent. Even if a mentally ill child gets the help he
needs, even if he changes his behaviour, the words of his mother will
follow him. When he applies to college, when he looks for a job, he
will not be able to escape the nightmarish portrayal painted by his
mother, the person who knew him best, the person who sold him out.
Her statement is somewhat harsh, but it
is worth considering. Parents of special needs children often lack
adequate supports offline. Writing about their day or the challenges
they and their children face is an outlet that can bring them
emotional support – and helpful treatment ideas – that they may
not have available otherwise. Even a “vent” blog serves a
function if it helps the mother express frustration that might
otherwise be expressed by physically punishing her child. And many
parents of special needs children write with the fervent hope that
somehow – if they can just write well enough – others will
understand their child and perhaps be more accepting of children who
are not like their peers. And maybe, just maybe, other mothers will
not look at them with disdain or as failures because their child does
not behave like other children.
As a mental health professional and
author, and as a mother who raised two special needs children, I
understand both sides of the arguments about non-commercial mommy
bloggers. Sharing real stories can increase public awareness and
empathy and provide a forum for support. But my children are now old
enough to think and give consent or deny consent if I wanted to share
their stories online. For most mommy bloggers, the children are too
young to grasp or have input into what their mothers decide to share
about them and how it might harm them in the future.
So where is the balance? Ideally, I’d
say blog anonymously and don’t use real names or location
information. Realistically, though, I know that even with
pseudonyms, some children’s stories are so unique that they could
still be identified and named, leaving a digital trail that might
harm their chances in the future.
Maybe part of the solution is for mommy
bloggers to ask themselves a few simple questions before they write
anything about their children:
1. What am I
trying to accomplish here?
2. Is there any future risk to my child by sharing this information about him or her?
3. Is there any other way to accomplish my goal without disclosing private information about my child?
Of course, the above doesn’t really
apply to mommy bloggers who are blogging for commercial gain. To
those bloggers, I’d just ask, “What price do you put on your
child’s privacy and future or on your future relationship with
them? If someone comes along and archives everything you write about
your child and you cannot get it removed from the Internet, would
it still be worth it?”
It can't hurt...
It may be easier to find “Bob” in
Centennial, Colorado than “Subject 427J” but if that is the only
thing that changes in my medical dossier, I suspect anyone could find
me. I'm betting we need a neutral third party to do the analysis and
pass only summary data to the researchers.
The story of how Massachusetts Governor
William Weld’s de-identified medical records were quickly
re-identified in 1997 by then-graduate student Latanya Sweeney is now
legendary in discussions of the risks of sharing “anonymized” or
“de-identified” health records that might foster research. In an
article on Scientific American, Erica Klarreich describes a
mathematical technique called “differential privacy” that could
give researchers access to vast repositories of personal data while
meeting a high standard for privacy protection:
A differentially
private data release algorithm allows researchers to ask practically
any question about a database of sensitive information and provides
answers that have been “blurred” so that they reveal virtually
nothing about any individual’s data — not even whether the
individual was in the database in the first place.
“The idea is
that if you allow your data to be used, you incur no additional
risk,” said Cynthia Dwork of Microsoft Research Silicon Valley.
Dwork introduced the concept of differential privacy in 2005, along
with McSherry, Kobbi Nissim of Israel’s Ben-Gurion University and
Adam Smith of Pennsylvania State University.
Differential
privacy preserves “plausible deniability,”
as Avrim Blum of Carnegie Mellon University likes to put it. “If I
want to pretend that my private information is
different from what it really is, I can,” he said. “The
output of a differentially private mechanism is going to be almost
exactly the same whether it includes the real me or the pretend me,
so I can plausibly deny anything I want.”
Read more on Scientific
American for a description of how this works and programs that
are being developed to help researchers implement this approach.
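To make the “blurring” and the “plausible deniability” concrete, here is an added example (not code from the Scientific American article or from Dwork’s papers) of the simplest differentially private mechanism, the Laplace mechanism applied to a counting query. The records, the zip codes and the diagnoses are constructed for the illustration; the `PrivacyBudget` class, `is_case` predicate and function names are this example’s own assumptions. The point it shows that the passage does not: the noise scale is set by how much one person can change the answer (a count moves by at most 1), the ratio of the two output densities for “with me” versus “without me” never exceeds e^ε, and every extra query spends part of a finite budget.

```python
"""Laplace mechanism for a counting query, as an illustration of
epsilon-differential privacy. Example code, not from the cited article."""
import math
import random

# Constructed sample rows in the style of a "de-identified" release
# (zip, birth year, sex, diagnosis): the quasi-identifiers Sweeney used.
# These are made-up records, not data from any real dataset.
RECORDS = [
    {"zip": "02138", "birth_year": 1945, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1962, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1951, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1970, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1988, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02140", "birth_year": 1955, "sex": "M", "diagnosis": "diabetes"},
]


def is_case(record):
    """Hypothetical research question: hypertension patients in zip 02138."""
    return record["zip"] == "02138" and record["diagnosis"] == "hypertension"


def exact_count(records, predicate):
    """The raw, non-private answer. Adding or removing one person changes
    it by at most 1, so the query's sensitivity is 1."""
    return sum(1 for r in records if predicate(r))


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Sequential composition: k queries at epsilon each cost k*epsilon.
    Refuse a query that would overspend, otherwise repeated questions
    average the noise away and the guarantee is gone."""

    def __init__(self, total_epsilon):
        self.remaining = total_epsilon

    def spend(self, epsilon):
        if epsilon <= 0 or epsilon > self.remaining + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.remaining -= epsilon


def private_count(records, predicate, epsilon, budget, rng):
    """Release the count with Laplace noise of scale sensitivity/epsilon = 1/epsilon."""
    budget.spend(epsilon)
    return exact_count(records, predicate) + laplace_sample(1.0 / epsilon, rng)


def laplace_pdf(x, centre, scale):
    return math.exp(-abs(x - centre) / scale) / (2.0 * scale)


def likelihood_ratio(released, count_with, count_without, epsilon):
    """How much more likely the released value is under the database that
    contains a given person than under the one that omits them."""
    scale = 1.0 / epsilon
    return laplace_pdf(released, count_with, scale) / laplace_pdf(released, count_without, scale)


def ratio_within_bound(released, count_with, count_without, epsilon):
    """The differential privacy guarantee: ratio <= e^epsilon whenever the
    two counts differ by at most 1 (neighbouring databases)."""
    assert abs(count_with - count_without) <= 1
    return likelihood_ratio(released, count_with, count_without, epsilon) <= math.exp(epsilon) + 1e-9


def run_demo(seed=7, epsilon=0.5, total_budget=1.0):
    """Answer the query once, then show a second query being refused."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_budget)
    true = exact_count(RECORDS, is_case)
    noisy = private_count(RECORDS, is_case, epsilon, budget, rng)
    try:
        private_count(RECORDS, is_case, 0.6, budget, rng)  # 0.5 + 0.6 > 1.0
        refused = False
    except RuntimeError:
        refused = True
    return true, noisy, budget.remaining, refused


if __name__ == "__main__":
    true, noisy, left, refused = run_demo()
    print(f"true count {true}, released {noisy:.2f}, budget left {left}, second query refused: {refused}")
    # Deniability: whether Weld's row is in (count 3) or out (count 2),
    # no released value is more than e^0.5 ~ 1.65 times likelier either way.
    for y in (1.0, 2.5, 3.0, 4.0, 10.0):
        print(f"y={y:5.1f}  ratio={likelihood_ratio(y, 3, 2, 0.5):.3f}")
```

Note what the bound does and does not buy: ε=0.5 gives a worst-case factor of about 1.65 between the two hypotheses, which is genuine deniability, but the noise (scale 2) is large relative to a count of 3. Real releases trade this off by querying large populations, and the budget object is the part practitioners most often omit.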
I haven't run across too many...
I’ve posted a few look-backs at
privacy in 2012, including my
own review of the year in U.S. privacy. From across the pond,
James Baker, Lib Dem Councillor for Warley ward in Calderdale and
No2ID campaigner, provides his own look back at privacy issues in the
U.K. in 2012. It’s somewhat comforting to know that our advocacy
counterparts overseas are struggling with some of the same privacy
issues we are.
You can read his recap on his
web site.
Too dystopian?
I don’t subscribe to Showtime, so I
missed the first episodes of director Oliver Stone and historian
Peter Kuznick’s series, “The Untold History of the United
States,” but it looks like you can view
some of the full episodes online, free.
Reader and link contributor
extraordinaire Joe Cadillic sends in this link to an interview
of Stone and Kuznick about the series and how President Obama has
been a sheep in wolf’s clothing when it comes to entrenching us
more deeply in a surveillance state.
Perspective
Study:
75 Percent Of The World’s Heads Of State Are Now On Twitter
… The DPC’s annual
study evaluates a total of 164 countries, and found this year
that 123 of them have a head of state that is on Twitter, either with
a personal handle or an official government one. That’s up
significantly from 2011, when 69 out of the 164 countries had a
Twitter presence.
… In terms of followers, the study
found that US President Barack Obama is by far the most watched world
leader on Twitter, with 25
million followers. Coming in at number two? Hugo Chavez of
Venezuela, with 3.5
million followers.
Something for the Ethical Hacker
toolkit? (Because you don't have to be in Pakistan to use it...)
Cute and even includes some Math
stuff...
January 01, 2013
A
Timeline of Information History
"This timeline
presents significant events and developments in the innovation and
management of information and documents from cave paintings (ca
30,000 BC) to the present. To keep recent electronic developments
from dominating the listing, only the most significant digital
innovations are included."
Can we please get him to suck in that
annoying gecko? (Quick: Name an American physicist who would be
immediately recognized in a similar role?)
Stephen
Hawking sucks opera singer into black hole (in an ad)
… Stephen Hawking made an
interesting choice to advertise auto insurance -- Go Compare's online
auto-insurance comparison service, to be precise.
This U.K. brand's ad campaign has long
featured Gio Compario, a portly opera singer urging people to, well
go compare auto insurance rates.
… For myself, the highlight of this
quite joyous piece is the laugh that Hawking offers at the end.
There is something quite shivering
about the coolly hawkish way Hawking offers: "Ha. Ha. Ha."