Monday, November 04, 2013
Privacy failure? What would suggest anything is working.
It seems like healthcare.gov has had a security breach already in which limited personal information from two applicants [33% of applicants? Bob] was disclosed to another applicant. Kelsey Harris and Rob Bluey report:
Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.
… His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.
After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina. (Screenshot below.)
One of the two individuals whose eligibility determination was disclosed to Mr. Hadley tried to contact healthcare.gov about the breach but got nowhere:
After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).
“I want my personal information off of that website,” Dougall said. [What do you bet there is no way to do that? Bob]
This is not the first report I’ve read about people having difficulty contacting anyone about security flaws or breaches, and the government needs a phone number posted on the home page for people to use to report security or privacy flaws.
Read more about this breach on The Foundry. Note that healthcare.gov’s marketplace application system went offline last night for a 12-hour period for some updating. Hopefully when it comes back online this morning, the problem noted above will have been addressed. If not, then the government isn’t paying enough attention and should be held responsible for not providing people with a way to report security and/or privacy breaches.
Unlikely to attract new riders, but it probably attract a few lawsuits.
Hackers Take Limo Service Firm for a Ride
A hacker break in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
… This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage. Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.
Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Va. based firm that specializes in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.
It can't hurt.
NIST Releases Preliminary Cybersecurity Framework
by Sabrina I. Pacifici on November 3, 2013
Improving Critical Infrastructure Cybersecurity - Executive Order 13636 - Preliminary Cybersecurity Framework - November 1, 2013 [snipped]
“The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cybersecurity risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each of these Functions, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. This structure ties the high level strategic view, outcomes and standards based actions together for a cross-organization view of cybersecurity activities. For instance, for the “Protect” Function, categories include: Data Security; Access Control; Awareness and Training; and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference which supports the “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” Subcategory of the “Data Security” Category in the “Protect” Function.”
Next? Blood tests!
Steve Hawkes reports:
The store giant has signed a ground-breaking deal with Lord Alan Sugar’s Amscreen in a move which tonight sparked fresh concerns from privacy campaigners about the growing use of “invasive” techology in the nation’s shops.
The ‘OptimEyes’ system will be rolled out into 450 Tesco petrol forecourts, which serve millions of customers a week.
Read more on The Telegraph.
In response to Tesco’s new #privacy-intrusive scheme, Paul Bernal tweeted:
OK, so I’m never, ever going to get petrol from @tesco ever again. This is SO wrong!!! via @carkmaxim & @LoisMcEwan http://t.co/S5lSDigcV2 — Paul Bernal (@PaulbernalUK) November 3, 2013
To which I respond, “Amen, bro!” I hope all UK citizens concerned about privacy will boycott Tesco and tell them why you’re boycotting them.
[From the article:
It works by using inbuilt cameras in a TV-style screen above the till that identify whether a customer is male or female, estimate their age and judge how long they look at the ad.
The 'real time' data is fed back to advertisers to give them a better idea of the effectiveness of their campaigns and enable them to tailor ads to certain times of the day.
“Look, we're professional educators. We know more about student privacy than you parents do. Trust us!”
More districts opt out of Race to the Top but NYSED insists their personal student data will “travel” anyway — without their consent
Student privacy advocate and activist Leonie Haimson writes (emphasis added by me):
There’s a good article in today’s Buffalo News, about at least two more NY school districts upstate, Williamsville and West Seneca, that have decided to turn down Race to the Top funds to try to protect their students’ privacy, joining the growing list of suburban districts that have already announced this.
According to an article in Capital NY, 90% of the state’s 700 districts were originally participating in the RTTT program, and of these, one fourth of them, or about 160, failed to sign up for dashboards by the official deadline of October 30.
This is despite the fact that Ken Wagner of NYSED has made it clear, including again in the Buffalo News, that this does NOT mean the state will spare their personal student data from being shared with inBloom and via inBloom with the dashboard companies.
Read more on NYC Public School Parents.
(Related) “Look, we're professional health care providers. We know more about medical privacy than you do. Trust us!”
Audrey Dutton has an informative and thought-provoking article in the Idaho Statesman on health data exchanges and consent. It begins:
Karen Helms didn’t realize until this year that her medical records were being shared with a statewide network of health care providers. The discovery prompted her to question the state’s health data exchange and to file a complaint with the federal government over privacy concerns.
A spokesman for the Idaho Health Data Exchange — several years old and unrelated to the state’s new health insurance exchange — said the system has no risks or downside. There are almost 1,700 health care providers in Idaho sharing 1.97 million medical records through the electronic system. Those providers accessed patient records on the system 343,369 times in September, according to the exchange.
The exchange office receives calls from concerned patients on a weekly basis, a spokesman said. But exchange officials say privacy concerns are unfounded. They say when Idahoans learn how the exchange can prevent medical errors and other problems as well as expedite the burdensome process of getting medical records from one doctor to another, they usually choose not to opt out of the system.
“Privacy and security is our foundation with what we do and how we do it,” said Scott Carrell, executive director for the data exchange.
But should the health data exchange be premised on opt-out or should it require informed consent/opt-in? According to the article, the federal government left it up to the states as to whether to make health data exchanges opt-out or opt-in. Should they have given states that choice? And when will HHS rule on Karen Helms’ complaint? Read more on the Idaho Statesman.
Can this be true? Someone who actually considered privacy while developing an App?
I’ve occasionally blogged about privacy and security concerns raised by mobile health applications. I’m happy to report that there’s now an app in beta-testing that may be very helpful to consumers without requiring consumers to sacrifice data security or privacy.
The app automatically pulls in your prescription records from your pharmacy to enable you to keep track and manage your renewals. Although it’s still in start-up stage, it already supports most of the national pharmacy chains that provide online medication histories and can also pull in your information from some prescription insurance providers.
Helpfully, the app also enables you to get information on your medications and, importantly, interactions between your prescription medications and over-the-counter (OTC) medications (you can manually add or input OTC if you want to). Ever struggle to remember your doctor’s name or contact information to give to another doctor? The app allows you to keep track of that, too. And it can warn you if a prescribed medication contains something you’re allergic or sensitive too if you input your known allergies and problems.
Sounds like a lot of sensitive information, right? Well wait until you read their security and privacy information. “Your most sensitive information never leaves your phone unencrypted,” they write, and “You, and only you, can access your pharmacy passwords and your profile.” Indeed, I don’t recall ever reading any security section on an app’s site that provides as much detail about encryption and security as this one does, [Could this be the basis for a “Best Practice?” Bob] enabling savvy consumers to reach their own conclusions about whether this app will give them some peace of mind on security and privacy.
The app is called Pill-Fill. You can read more about it here. Although it’s not yet available for public download, it is in beta-testing, and if you are an Android user and would like to be a beta-tester, see the sign-up information here. Eventually the app will also be available for iPhone users.
It should be clear by now that I’m pretty enthusiastic about this app, and I am, having spent about an hour on the phone with its developer and chief architect a few months ago. I look forward to interviewing him for this blog after they get deeper into beta-testing.
Might be an interesting site for my students to explore.
– many computers are used by more than one person. You can log in and out from Windows, but this really takes a lot of time and effort. But you can’t install more than one Google Chrome on your computer and enjoy the speed of the Chromium project. With MakeMyBrowser, you can let other people keep on using Chrome, while you use your own browser. You can actually create as many browsers as you wish.
Automation, what a concept!
– turn your LinkedIn profile into a beautiful resume in seconds. No more messing around with multiple Word and PDF documents scattered all over the computer. Pick a resume template, customize the content, and print and share the result to your heart’s content. Your resume content is automatically fetched from your LinkedIn profile, so you can customize it as much as you want.
Who’s Spying On You? And How To Stop Them?
Interesting idea, we need more.
Stanford Mini Med - An Online Introduction to Med School
MOOCs and other similar online resources have made it possible to learn more than ever without ever leaving your house if you don't want to. A good example of this can be found in the breadth and depth of the free course materials that Stanford has put online over the last few years.
The Stanford School of Medicine has made available three semesters worth of lectures on human biology, health and disease, medical research, and health care. The lectures are available through iTunes, YouTube, and on the Stanford Mini Med School website. Click here for winter term, here for spring term, and here for fall term.