Wednesday, January 02, 2013

Remember, it's “Best Practices” not “Absolutely Foolproof Practices”
By Dissent, January 2, 2013 8:26 am
Over the past year, I’ve had the opportunity to talk to a number of people in different organizations who are concerned with insider breaches in the health care sector. One of those people is Kurt Long, CEO and Founder of FairWarning, a firm that provides patient privacy monitoring (privacy breach detection) systems.
So, here’s a little pop quiz to start this post:
  1. What percent of insider breaches are reduced by employee training on HIPAA and review of access policies?
  2. What percent of insider breaches can be reduced by installing monitoring software?
  3. What percent of insider breaches can be reduced if you actually enforce policies and discipline employees?
Ready for his answers?
According to data compiled by FairWarning using before-and-after data on their clients:
  • Employee training can reduce insider breaches by 58%
  • Monitoring the network for improper access is crucial, but may not significantly change the culture until combined with
  • Disciplining or sanctioning employees, which effectively communicates that employee access is being monitored and inappropriate access will have serious consequences.
Monitoring and enforcement can reduce insider breaches by another 40%.
Overall, within a 6-month period, FairWarning’s clients experience an 85-98% reduction in insider breaches, Long says.
That’s good advertising for them, and I’m sure readers will point out that their statistics, based on a non-random sample, may be somewhat self-serving. But their findings should also be food for thought for your practice or organization.
This past year, I blogged a lot about insider breaches in the healthcare sector. While strengthening firewalls against external threats is critical, as is training employees not to fall for phishing schemes and not to leave PII on unencrypted devices in unattended vehicles, some of the standard security precautions – like encrypting PHI – really do nothing to reduce breaches by those who are authorized to access patient data. FairWarning’s data suggest that a strong employee training program combined with monitoring access and making a point of enforcing discipline so that everyone gets the message might reduce the vast majority of insider privacy breaches.
But while creating a culture in which employees understand that they might or will lose their jobs for inappropriate access is important, I think it’s also crucial that those in the health care sector see more examples of employees being criminally prosecuted for snooping or other inappropriate access. California has been in the forefront of pursuing cases of snooping, while the federal government has been in the forefront of prosecuting cases involving patient data used for Medicare fraud and tax refund fraud. Unfortunately, many prosecutions for fraud do not name the hospital or health care provider whose employee(s) engaged in illegal conduct. Perhaps if they did, organizations of all sizes would be more concerned about potential reputation harm and would take more aggressive steps to prevent insider breaches. Even if an entity is not named, however, such breaches can incur significant breach costs and affect patients’ confidence or trust in the entity to protect their sensitive information.
So what will your organization be doing in 2013 to reduce insider breaches? And if your organization has implemented some effective strategies to reduce insider breaches, what are those strategies?


The crime occurred in the computer, therefore those laws apply.
Evan Brown provides a recap of the ruling in MacDermid, Inc. v. Deiter. The relevant background of the case is that an employee of a U.S. firm who lived and worked in Canada allegedly accessed her firm’s server in Connecticut from her Canadian location and forwarded confidential corporate information from her work e-mail account to her personal account. The transfer allegedly occurred after she learned she was to be terminated from her position.
MacDermid sued the employee in federal court in Connecticut, alleging unauthorized access and misuse of a computer system and misappropriation of trade secrets in violation of Conn. Gen. Stat. §§ 53a-251 and 35-51 et seq. The employee moved to dismiss based on lack of personal jurisdiction as she resided and worked in Canada. The District Court agreed with the defendant. MacDermid then appealed the dismissal.
On appeal, the Second Circuit reversed and remanded. The court held that Connecticut’s long-arm statute did apply because the server was located in Connecticut. And although there would be some burden for the defendant to travel to Connecticut to defend the suit, that factor did not make jurisdiction in Connecticut unreasonable:
Further, efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated. Accordingly, we conclude that jurisdiction is reasonable in this case.
Read more on Internet Cases.


In some “government knows best” future, would children be taken from Mommy bloggers?
Sarah Kendzior has a thoughtful piece on a topic I’ve mentioned before: does a mother’s right to tell her story or blog about her life trump the privacy rights of her child? The issue recently came to the forefront again after Sarah responded critically to a blog post called “I Am Adam Lanza’s Mother” that had gone viral. I had winced as I had read Liza Long’s post and wondered how her son might feel years from now if he sees what she wrote about him, but I had understood what she was trying to do. I had also winced at Sarah’s response, because I had the feeling that she had never walked a mile in the shoes of a mother of a child with special needs.
Sarah writes:
On December 19, the Federal Trade Commission passed a law increasing privacy safeguards on children’s mobile apps and websites. Under the new law, websites and apps will have to get parental permission to collect photos, videos and other information that children post online.
“Parents, not social networks or marketers, will remain the gatekeepers when it comes to their children’s privacy,” explained Jim Steyer, head of the child media advocacy group Common Sense Media.
This is all well and good, but a question remains: Who will protect children from their parents?
It’s an important question in a world where the Internet never forgets. And the risks for children who have mental health challenges may be even greater. Sarah writes:
To reveal the personal struggles of a mentally ill minor online – in particular, to paint him as unstable and violent – is a form of child abuse. Not only does it violate the bond between a child and the person who is supposed to protect him, it can lead to the child being mocked, attacked and shunned by his own community when he is already vulnerable.
Moreover, the damage is permanent. Even if a mentally ill child gets the help he needs, even if he changes his behaviour, the words of his mother will follow him. When he applies to college, when he looks for a job, he will not be able to escape the nightmarish portrayal painted by his mother, the person who knew him best, the person who sold him out.
Her statement is somewhat harsh, but it is worth considering. Parents of special needs children often lack adequate supports offline. Writing about their day or the challenges they and their children face is an outlet that can bring them emotional support – and helpful treatment ideas – that they may not have available otherwise. Even a “vent” blog serves a function if it helps the mother express frustration that might otherwise be expressed by physically punishing her child. And many parents of special needs children write with the fervent hope that somehow – if they can just write well enough – others will understand their child and perhaps be more accepting of children who are not like their peers. And maybe, just maybe, other mothers will not look at them with disdain or as failures because their child does not behave like other children.
As a mental health professional and author, and as a mother who raised two special needs children, I understand both sides of the arguments about non-commercial mommy bloggers. Sharing real stories can increase public awareness and empathy and provide a forum for support. But my children are now old enough to think and give consent or deny consent if I wanted to share their stories online. For most mommy bloggers, the children are too young to grasp or have input into what their mothers decide to share about them and how it might harm them in the future.
So where is the balance? Ideally, I’d say blog anonymously and don’t use real names or location information. Realistically, though, I know that even with pseudonyms, some children’s stories are so unique that they could still be identified and named, leaving a digital trail that might harm their chances in the future.
Maybe part of the solution is for mommy bloggers to ask themselves a few simple questions before they write anything about their children:
1. What am I trying to accomplish here?
2. Is there any future risk to my child by sharing this information about him or her?
3. Is there any other way to accomplish my goal without disclosing private information about my child?
Of course, the above doesn’t really apply to mommy bloggers who are blogging for commercial gain. To those bloggers, I’d just ask, “What price do you put on your child’s privacy and future or on your future relationship with them? If someone comes along and archives everything you write about your child and you cannot get it removed from the Internet, would it still be worth it?”


It can't hurt...


It may be easier to find “Bob” in Centennial, Colorado than “Subject 427J” but if that is the only thing that changes in my medical dossier, I suspect anyone could find me. I'm betting we need a neutral third party to do the analysis and pass only summary data to the researchers.
The story of how Massachusetts Governor William Weld’s de-identified medical records were quickly re-identified in 1997 by then-graduate student Latanya Sweeney is now legendary in discussions of the risks of sharing “anonymized” or “de-identified” health records that might foster research. In an article on Scientific American, Erica Klarreich describes a mathematical technique called “differential privacy” that could give researchers access to vast repositories of personal data while meeting a high standard for privacy protection:
A differentially private data release algorithm allows researchers to ask practically any question about a database of sensitive information and provides answers that have been “blurred” so that they reveal virtually nothing about any individual’s data — not even whether the individual was in the database in the first place.
“The idea is that if you allow your data to be used, you incur no additional risk,” said Cynthia Dwork of Microsoft Research Silicon Valley. Dwork introduced the concept of differential privacy in 2005, along with McSherry, Kobbi Nissim of Israel’s Ben-Gurion University and Adam Smith of Pennsylvania State University.
Differential privacy preserves “plausible deniability,” as Avrim Blum of Carnegie Mellon University likes to put it. “If I want to pretend that my private information is different from what it really is, I can,” he said. “The output of a differentially private mechanism is going to be almost exactly the same whether it includes the real me or the pretend me, so I can plausibly deny anything I want.”
Read more on Scientific American for a description of how this works and programs that are being developed to help researchers implement this approach.
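As an added illustration of the “blurring” and “real me vs. pretend me” idea described above (example code written for this post, not from the Scientific American article or from Dwork and colleagues), the simplest differentially private release, the Laplace mechanism applied to a counting query over a constructed toy patient table; the record values, the epsilon of 0.5 and the function names are all assumptions of the example:

```python
import math
import random

# Constructed toy records (name, ZIP, diagnosis); not real patient data.
RECORDS = [
    ("Alice", "02116", "flu"),
    ("Bob", "80112", "asthma"),
    ("Carol", "02116", "flu"),
    ("Dave", "80112", "flu"),
    ("Eve", "02116", "diabetes"),
]

def true_count(records, predicate):
    """Exact answer to a counting query; this value is never released raw."""
    return sum(1 for r in records if predicate(r))

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def private_count(records, predicate, epsilon, seed=None):
    """Laplace mechanism: a count has sensitivity 1 (one person changes it by at
    most 1), so Laplace noise of scale 1/epsilon gives epsilon-differential privacy."""
    sensitivity = 1.0
    rng = random.Random(seed)
    return true_count(records, predicate) + laplace_noise(sensitivity / epsilon, rng)

def laplace_pdf(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)

def privacy_loss(output, count_with, count_without, epsilon):
    """Likelihood ratio of seeing `output` in the world that contains one individual
    versus the neighbouring world without them; always within [e^-eps, e^eps]."""
    scale = 1.0 / epsilon
    return laplace_pdf(output, count_with, scale) / laplace_pdf(output, count_without, scale)

def worst_case_privacy_loss(count_with, count_without, epsilon, lo=-20.0, hi=20.0, steps=4001):
    """Scan a grid of possible released values and return the largest likelihood ratio."""
    width = (hi - lo) / (steps - 1)
    return max(privacy_loss(lo + i * width, count_with, count_without, epsilon)
               for i in range(steps))

if __name__ == "__main__":
    is_flu = lambda r: r[2] == "flu"
    print("exact flu count:", true_count(RECORDS, is_flu))
    print("released count (eps=0.5):", round(private_count(RECORDS, is_flu, 0.5, seed=2013), 2))
    # Dave's "real me" (3 flu cases) vs "pretend me" (2 flu cases): ratio never exceeds e^0.5
    print("worst-case likelihood ratio:", round(worst_case_privacy_loss(3, 2, 0.5), 3))
```

The worst-case ratio is the quantitative form of Blum’s plausible deniability: no released value lets an observer say the table contained the real individual rather than the pretend one with odds better than e^epsilon.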


I haven't run across too many...
I’ve posted a few look-backs at privacy in 2012, including my own review of the year in U.S. privacy. From across the pond, James Baker, Lib Dem Councillor for Warley ward in Calderdale and No2ID campaigner, provides his own look back at privacy issues in the U.K. in 2012. It’s somewhat comforting to know that our advocacy counterparts overseas are struggling with some of the same privacy issues we are.
You can read his recap on his web site.


Too dystopian?
I don’t subscribe to Showtime, so I missed the first episodes of director Oliver Stone and historian Peter Kuznick’s series, “The Untold History of the United States,” but it looks like you can view some of the full episodes online, free.
Reader and link contributor extraordinaire Joe Cadillic sends in this link to an interview of Stone and Kuznick about the series and how President Obama has been a sheep in wolf’s clothing when it comes to entrenching us more deeply in a surveillance state.


Perspective
Study: 75 Percent Of The World’s Heads Of State Are Now On Twitter
… The DPC’s annual study evaluates a total of 164 countries, and found this year that 123 of them have a head of state that is on Twitter, either with a personal handle or an official government one. That’s up significantly from 2011, when 69 out of the 164 countries had a Twitter presence.
… In terms of followers, the study found that US President Barack Obama is by far the most watched world leader on Twitter, with 25 million followers. Coming in at number two? Hugo Chavez of Venezuela, with 3.5 million followers.


Something for the Ethical Hacker toolkit? (Because you don't have to be in Pakistan to use it...)


Cute and even includes some Math stuff...
January 01, 2013
A Timeline of Information History
"This timeline presents significant events and developments in the innovation and management of information and documents from cave paintings (ca 30,000 BC) to the present. To keep recent electronic developments from dominating the listing, only the most significant digital innovations are included."


Can we please get him to suck in that annoying gecko? (Quick: Name an American physicist who would be immediately recognized in a similar role?)
Stephen Hawking sucks opera singer into black hole (in an ad)
… Stephen Hawking made an interesting choice to advertise auto insurance -- Go Compare's online auto-insurance comparison service, to be precise.
This U.K. brand's ad campaign has long featured Gio Compario, a portly opera singer urging people to, well go compare auto insurance rates.
… For myself, the highlight of this quite joyous piece is the laugh that Hawking offers at the end.
There is something quite shivering about the coolly hawkish way Hawking offers: "Ha. Ha. Ha."
