Wednesday, October 19, 2016
My Governance students should learn from this, before it comes out of their salaries.
St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.
…On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it.
… The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh.
Note that this incident was covered on this site back in 2012. A settlement of a class-action lawsuit stemming from the breach was announced in March of this year.
Failure to use Best Practices?
Andrew Blake reports:
A Republican Party website that sells bumper stickers and T-shirts advertising presidential candidate Donald Trump was compromised earlier this year by hackers who spent several months silently stealing credit card details and other personal information from purchasers, according to a Dutch security researcher.
The digital storefront used by the National Republican Senatorial Committee (NRSC) to sell products ranging from “Never Hillary” stickers to “Make America Great Again” bracelets was compromised for nearly six months starting March 16, researcher Willem de Groot wrote in a recent report.
Read more on Washington Times.
Gosh, how unexpected!
Mirai Increasingly Used for DDoS Attacks After Source Code Leak
The first reports about Mirai were largely ignored by the industry, but the massive distributed denial-of-service (DDoS) attacks launched against the website of journalist Brian Krebs and hosting provider OVH brought the Trojan into the spotlight.
When he decided to release the source code, the author of Mirai claimed his creation had infected as many as 380,000 devices, but the number had started to drop after the malware made the news.
Researchers at Level3 Communications have been monitoring Mirai and determined that the number of bots more than doubled following the source code leak.
Another look at an Ethical Hacking resource.
Sandra Chereb reports:
Auditors delayed release of a report detailing security vulnerabilities in state databases to protect the information of tens of thousands of current and former state employees and their beneficiaries, a legislative committee was told Tuesday.
Douglas Peterson, information systems audit supervisor, told the Legislative Audit Subcommittee it was the first time he can recall in 20 years with the state that a decision was made to withhold an audit until problems are fixed.
Read more on the Las Vegas Review-Journal.
How bad was it, you wonder? From the key findings of the audit:
Confidential information about state employees was stored unencrypted in the Division’s databases, increasing the risk of unauthorized access of this information.
… State security standards require that confidential personal data be encrypted whenever possible.
… Enterprise Information Technology Services (EITS) support staff, who manage the Division’s databases, indicated they were not aware that there was a requirement to encrypt this information.
…and a Computer Security resource.
17 October 2016
More than 2 500 victims were able to decrypt their devices thanks to No More Ransom
Just three months after the successful launch of the No More Ransom project, law enforcement agencies from a further 13 countries have signed up to fight ransomware together with the private sector.
… More law enforcement agencies and private sector organisations are expected to join the programme in the coming months. Their collaboration will result in more free decryption tools becoming available, helping even more victims to decrypt their devices and unlock their information, and damaging the cybercriminals where it hurts the most: their wallets.
… The aim of the online portal www.nomoreransom.org is to provide a helpful resource for victims of ransomware. Users can find information on what ransomware is, how it works and, most importantly, how to protect themselves.
Something for my IT Governance students from India. Have they been informed?
Sugata Ghosh and Sachin Dave report:
A month ago, an official of Axis Bank, India’s third largest private sector lender, received an unexpected telephone call. The caller, an engineer at Kaspersky Lab, the well-known Moscow-headquartered cyber security firm, rattled off the names of several Axis computers which, he claimed, have been breached.
The Kaspersky man said his firm had stumbled on the information in the course of a separate probe. When an Axis team looked into the bank’s servers, it found out that there was indeed an unauthorized login by an unnamed, offshore hacker.
Security breach: State Bank of India blocks over 600,000 debit cards after malware breach at non-SBI ATMs
Pune: In one of the biggest card replacements in Indian banking, State Bank of India has said that it will re-issue around six lakh debit cards to customers, which have been blocked following a malware-related security breach in a non-SBI ATM network.
“It’s a security breach, but not in our banks’ systems. Many other banks also have this breach — right now and since a long time,” Shiv Kumar Bhasin, SBI’s chief technology officer (CTO), told TOI, adding that customers who used their cards only at SBI-run ATMs have not been affected by this. “A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised,” Bhasin said.
Read more on Times of India.
Note: 6 lakh = 600,000
Perspective. (How do I encrypt my face?)
Half of American Adults Are in Police Facial-Recognition Databases
… These findings were published Tuesday in a report from Georgetown Law’s Center for Privacy and Technology. It details the results of a year-long investigation that drew upon more than 15,000 pages of records obtained through more than 100 freedom-of-information requests.
The study’s authors—Clare Garvie, Alvaro Bedoya, and Jonathan Frankle—attempted to fill in large gaps in public knowledge about how facial-recognition technology is used, and the existence of policies that constrain how police departments can use it. Some details about the FBI’s use of facial scanning were previously known, but the scale of local and state law-enforcement involvement is only now starting to come to light.
… Only five states have any laws that touch on how law enforcement can use facial recognition, and none of them take on more than one aspect of the issue, the report found.
Yes, Colorado has laws.
David Raths reports:
To help school administrators, families, technology companies and state legislators sort through the patchwork quilt of state legislation on student privacy, the Center for Democracy & Technology (CDT), an advocacy group, has developed a state-by-state survey of student privacy laws in partnership with the law firm BakerHostetler.
THE Journal recently spoke with Michelle De Mooy, the acting director of CDT’s Privacy & Data Project, about the survey’s findings. In its review on student privacy legislation in all 50 states and the District of Columbia, CDT found that California is the model in terms of comprehensiveness, with clear requirements about data retention limits and data security programs. “California’s Student Online Personal Information Protection Act is definitely a model for updated student privacy protection, we think,” said De Mooy.
Read more on T|H|E Journal.
Related: State Student Privacy Law Compendium
This is brilliant, but unlikely to get to enough airports fast enough to keep customers happy. Would “global flash services” be a profitable enterprise?
Samsung Sets Up Galaxy Note 7 Exchange Stations At Airports Around The Globe
The exchange booths first appeared in South Korea at the Incheon International Airport. The stations have now appeared throughout the world. Flyers have reported exchange booths at LAX and San Francisco International Airport, while the Samsung Australia page directs flyers to stations at seven different airports. Rumor has it that these exchange booths will be coming to the United Kingdom soon.
For my IT Architecture students.
Banking group unveils guidelines for new financial technology
The American Bankers Association (ABA) released its FinTech playbook, standards for banks to follow as they adopt new technologies to expand their services.
The future? If it works in Europe, can it work here?
Amazon Eyes Internet Service Offering
Amazon.com is considering offering internet service directly to consumers in Europe, said a person briefed on the discussion. That would allow Amazon to bundle internet access with its Prime streaming video offering, the person said, making it more competitive with cable operators which already offer a similar broadband-video package.
Something for my students to consider.
… the truth is that companies rarely succeed by adapting to market events. Rather, successful firms prevail by shaping the future. That can’t be done through agility alone, but takes years of preparation to achieve. The truth is that once you find yourself in a position where you need to adapt, it’s usually too late.
Are they right about cash?
Apple's Next Goal Is Killing Paper Money Once and For All
Apple CEO Tim Cook has an idea for the future—eliminating cash.
Apple Pay could be the “catalyst” that ultimately gets the world to switch from cash to digital payments, he told the Japanese news service Nikkei in an interview published on Monday.
“We would like to be a catalyst for taking cash out of the system,” Cook said. “We don’t think the consumer particularly likes cash.”
This will make the next Apple Super Bowl ad amusing. Imagine Microsoft ninjas sneaking into the Patriot locker room and deflating all the footballs…
New England Patriots coach Bill Belichick puts Surface tablet on the inactive list
In the National Football League’s march toward technology, Bill Belichick is calling a timeout.
The New England Patriots head coach says he’s “done” with Microsoft’s Surface tablets, the devices that line NFL sidelines during games to help players and coaches review images of past plays.
“They’re just too undependable for me,” he said in a rant at a press conference that reporter Zack Cox of NESN clocked at 5 minutes, 25 seconds long. The tirade eventually touched on a range of Belichick’s concerns with the NFL’s technology regime.
Belichick, a winner of four Super Bowls, including the championship game in 2015 against the Seattle Seahawks, says he’ll stick with paper printouts from here on out.
Microsoft in 2014 inked a five-year sponsorship deal with the NFL for a reported $400 million.
Believe it or not, we have a very active student Movie Club that streams movies on the huge TV/white boards we have.
… Vudu is offering a sweet deal here. Although a Vudu account IS required, you don’t even need to have payment information on file to access the free, ad-supported content. So while Vudu’s ultimate goal is to draw you into buying or renting other movies or TV shows, at least it isn’t being too pushy about it.