Privacy failure? What would suggest anything is working.
It seems like healthcare.gov has had a security breach already in which limited personal information from two applicants [33% of applicants? Bob] was disclosed to another applicant.
Kelsey Harris and Rob Bluey report:
Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.
…
His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.
After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina. (Screenshot below.)
One of the two individuals whose eligibility determination was disclosed to Mr. Hadley tried to contact healthcare.gov about the breach but got nowhere:
After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).
“I want my personal information off of that website,” Dougall said. [What do you bet there is no way to do that? Bob]
This is not the first report I’ve read about people having difficulty contacting anyone about security flaws or breaches, and the government needs a phone number posted on the home page for people to use to report security or privacy flaws.
Read more about this breach on The Foundry. Note that healthcare.gov’s marketplace application system went offline last night for a 12-hour period for some updating. Hopefully when it comes back online this morning, the problem noted above will have been addressed. If not, then the government isn’t paying enough attention and should be held responsible for not providing people with a way to report security and/or privacy breaches.
Unlikely to attract new riders, but it will probably attract a few lawsuits.
Hackers Take Limo Service Firm for a Ride
A hacker break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
… This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage. Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.
Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Va.-based firm that specializes in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.
It can't hurt.
NIST Releases Preliminary Cybersecurity Framework
by Sabrina I. Pacifici on November 3, 2013
Improving Critical Infrastructure Cybersecurity - Executive Order 13636 - Preliminary Cybersecurity Framework - November 1, 2013 [snipped]
“The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cybersecurity risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each of these Functions, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. This structure ties the high level strategic view, outcomes and standards based actions together for a cross-organization view of cybersecurity activities. For instance, for the “Protect” Function, categories include: Data Security; Access Control; Awareness and Training; and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference which supports the “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” Subcategory of the “Data Security” Category in the “Protect” Function.”
Next? Blood tests!
Steve Hawkes reports:
The store giant has signed a ground-breaking deal with Lord Alan Sugar’s Amscreen in a move which tonight sparked fresh concerns from privacy campaigners about the growing use of “invasive” technology in the nation’s shops.
The ‘OptimEyes’ system will be rolled out into 450 Tesco petrol forecourts, which serve millions of customers a week.
Read more on The Telegraph.
In response to Tesco’s new #privacy-intrusive scheme, Paul Bernal tweeted:
OK, so I’m never, ever going to get petrol from @tesco ever again. This is SO wrong!!! via @carkmaxim & @LoisMcEwan http://t.co/S5lSDigcV2
— Paul Bernal (@PaulbernalUK) November 3, 2013
To which I respond, “Amen, bro!” I hope all UK citizens concerned about privacy will boycott Tesco and tell them why you’re boycotting them.
[From the article:
It works by using inbuilt cameras in a TV-style screen above the till that identify whether a customer is male or female, estimate their age and judge how long they look at the ad.
The 'real time' data is fed back to advertisers to give them a better idea of the effectiveness of their campaigns and enable them to tailor ads to certain times of the day.]
“Look, we're professional educators. We know more about student privacy than you parents do. Trust us!”
Student privacy advocate and activist Leonie Haimson writes (emphasis added by me):
There’s a good article in today’s Buffalo News, about at least two more NY school districts upstate, Williamsville and West Seneca, that have decided to turn down Race to the Top funds to try to protect their students’ privacy, joining the growing list of suburban districts that have already announced this.
[...]
According to an article in Capital NY, 90% of the state’s 700 districts were originally participating in the RTTT program, and of these, one fourth of them, or about 160, failed to sign up for dashboards by the official deadline of October 30.
This is despite the fact that Ken Wagner of NYSED has made it clear, including again in the Buffalo News, that this does NOT mean the state will spare their personal student data from being shared with inBloom and via inBloom with the dashboard companies.
Read more on NYC Public School Parents.
(Related) “Look, we're professional health care providers. We know more about medical privacy than you do. Trust us!”
Audrey Dutton has an informative and thought-provoking article in the Idaho Statesman on health data exchanges and consent. It begins:
Karen Helms didn’t realize until this year that her medical records were being shared with a statewide network of health care providers. The discovery prompted her to question the state’s health data exchange and to file a complaint with the federal government over privacy concerns.
A spokesman for the Idaho Health Data Exchange — several years old and unrelated to the state’s new health insurance exchange — said the system has no risks or downside. There are almost 1,700 health care providers in Idaho sharing 1.97 million medical records through the electronic system. Those providers accessed patient records on the system 343,369 times in September, according to the exchange.
The exchange office receives calls from concerned patients on a weekly basis, a spokesman said. But exchange officials say privacy concerns are unfounded. They say when Idahoans learn how the exchange can prevent medical errors and other problems as well as expedite the burdensome process of getting medical records from one doctor to another, they usually choose not to opt out of the system.
“Privacy and security is our foundation with what we do and how we do it,” said Scott Carrell, executive director for the data exchange.
But should the health data exchange be premised on opt-out or should it require informed consent/opt-in? According to the article, the federal government left it up to the states as to whether to make health data exchanges opt-out or opt-in. Should they have given states that choice? And when will HHS rule on Karen Helms’ complaint? Read more on the Idaho Statesman.
Can this be true? Someone who actually considered privacy while developing an App?
I’ve occasionally blogged about privacy and security concerns raised by mobile health applications. I’m happy to report that there’s now an app in beta-testing that may be very helpful to consumers without requiring consumers to sacrifice data security or privacy.
The app automatically pulls in your prescription records from your pharmacy to enable you to keep track and manage your renewals. Although it’s still in start-up stage, it already supports most of the national pharmacy chains that provide online medication histories and can also pull in your information from some prescription insurance providers.
Helpfully, the app also enables you to get information on your medications and, importantly, interactions between your prescription medications and over-the-counter (OTC) medications (you can manually add or input OTC if you want to). Ever struggle to remember your doctor’s name or contact information to give to another doctor? The app allows you to keep track of that, too. And it can warn you if a prescribed medication contains something you’re allergic or sensitive to if you input your known allergies and problems.
Sounds like a lot of sensitive information, right? Well wait until you read their security and privacy information. “Your most sensitive information never leaves your phone unencrypted,” they write, and “You, and only you, can access your pharmacy passwords and your profile.” Indeed, I don’t recall ever reading any security section on an app’s site that provides as much detail about encryption and security as this one does, [Could this be the basis for a “Best Practice?” Bob] enabling savvy consumers to reach their own conclusions about whether this app will give them some peace of mind on security and privacy.
The app is called Pill-Fill. You can read more about it here. Although it’s not yet available for public download, it is in beta-testing, and if you are an Android user and would like to be a beta-tester, see the sign-up information here. Eventually the app will also be available for iPhone users.
It should be clear by now that I’m pretty enthusiastic about this app, and I am, having spent about an hour on the phone with its developer and chief architect a few months ago. I look forward to interviewing him for this blog after they get deeper into beta-testing.
Might be an interesting site for my students to explore.
– many computers are used by more than one person. You can log in and out from Windows, but this really takes a lot of time and effort. But you can’t install more than one Google Chrome on your computer and enjoy the speed of the Chromium project. With MakeMyBrowser, you can let other people keep on using Chrome, while you use your own browser. You can actually create as many browsers as you wish.
Automation, what a concept!
– turn your LinkedIn profile into a beautiful resume in seconds. No more messing around with multiple Word and PDF documents scattered all over the computer. Pick a resume template, customize the content, and print and share the result to your heart’s content. Your resume content is automatically fetched from your LinkedIn profile, so you can customize it as much as you want.
Interesting Infographic
Who’s Spying On You? And How To Stop Them?
Interesting idea, we need more.
Stanford Mini Med - An Online Introduction to Med School
MOOCs and other similar online resources have made it possible to learn more than ever without ever leaving your house if you don't want to. A good example of this can be found in the breadth and depth of the free course materials that Stanford has put online over the last few years.
The Stanford School of Medicine has made available three semesters worth of lectures on human biology, health and disease, medical research, and health care. The lectures are available through iTunes, YouTube, and on the Stanford Mini Med School website. Click here for winter term, here for spring term, and here for fall term.