As I've been suggesting, healthcare offers some “low hanging fruit.” Here's proof.

The healthcare industry is experiencing a surge in data breaches, security incidents, and criminal attacks—exposing millions of patients and their medical records—according to the latest Ponemon Institute study, sponsored by ID Experts®, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. The findings also show that most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes to protect patient data. According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. To learn more about the Fifth Annual Study on Privacy & Security of Healthcare Data, visit www2.idexpertscorp.com/ponemon for a free copy.
(Related) And here's another in a long line of bad examples.

On March 18, attorneys for Summit Health, Inc. in Pennsylvania notified the Maryland Attorney General’s Office that on February 19, the hospital had learned [Translation: “We were told by someone else.” Real computer security would have “discovered” or “detected” the breach. Bob] that some of its employees had fallen for a phishing attempt.

As a result of the successful phishing, employees’ information in the Lawson Employee Self-Service System, used to access payroll and benefits information, may have been accessed by unauthorized individuals. Included in that system was employees’ W-2 tax information, including income and Social Security numbers. Dependents’ information might also have been accessed.

Those employees who were affected were offered a year of credit monitoring with Experian.

The total number potentially impacted was not disclosed, but this seems to be another instance of healthcare entities being targeted by phishing attempts. In this case, it was employee information that was potentially compromised and not any patient information, but the problem is the same.
For my Computer Security students. It would be better to check email attachments yourself.

It seems Six Continents Hotels (InterContinental Hotel Groups) was notified earlier this year by the Secret Service that some of its hotels had suffered a data security breach. One of the hotels IHG subsequently notified was Cities Service (Holiday Inn Express & Suites in Sulphur, Louisiana). IHG alerted them on February 11, 2015.

When Cities Service investigated, they found a malicious email attachment had compromised their payment system and exposed 613 customers’ names, addresses, payment card numbers, and expiration dates. The exposure period was October 13, 2014 until February 11, when they contained the breach.

Cities Service said it had no evidence of misuse, but offered those affected credit monitoring and fraud assistance services with IDT911.

… Here’s Cities Service’s notification to the New Hampshire Attorney General’s Office, but I’m wondering what the other impacted hotels were, how many there were, and whether we’ll see notifications from them. I don’t recall seeing any others related to this incident so far. You can find a listing of their chains and properties on IHG’s web site. There doesn’t seem to be any notice on their site that I can locate.
Is this Napoleon's law?

French secret tapes of Sarkozy ruled legal in inquiry

A French court has ruled that wire-tapped conversations between ex-President Nicolas Sarkozy and his lawyer can be used as evidence in an ongoing corruption investigation.

The decision is seen as a blow for the centre-right leader, who is likely to bid again for the presidency in 2017.

Mr Sarkozy is suspected of promising a sought-after position to a judge in return for information on another case.

But he was already being bugged as part of the earlier investigation.

That case against Mr Sarkozy, the UMP leader, was eventually dropped.
You can see why Google asked to be relieved of this search. Would Google's search make anything discovered automatically challengeable by the defense? (We teach students how to find the data needle in the Big Data haystack. Looks like they will have plenty of job opportunities with law enforcement when we graduate them.)

Orin Kerr, having thanked the supporters of his very short-lived campaign for President,* returns to the hard work of legal scholarship:

I’m working on a new law review article about the internal procedures that Internet providers follow when executing search warrants for content. Given that, I was particularly interested in this new decision from a magistrate judge in Alaska relieving Google of a duty to execute a warrant by combing through stored files for relevant content.

The case involves a search for evidence in e-mail accounts that were used to respond to a Craigslist advertisement about underage sexual activity.

Read more on The Volokh Conspiracy.

*PogoWasRight.org is devastated that Orin, a candidate without a web site or a privacy policy, dropped out of the race, leaving us with the same stale candidates of yore.

[From the Alaska decision:

Specifically, for these narrow periods of time, the warrant directed Google to produce:

[T]he contents of electronic or wire communications held in the SUBJECT ACCOUNTS, including:

a) all electronic or wire communications with a minor or any person purporting to be a minor, or claiming to have access to a minor, or that otherwise involve the enticement of a minor to engage in sexual activity for which any person can be charged with a criminal offense (including email text, attachments, and imbedded files) in electronic storage by the PROVIDER, or held by the PROVIDER as a remote computing service (if any), within the meaning of Stored Communications Act;

… Google filed the instant motion in response to the published order.[3] Google contends it resisted the first warrant, not because of the narrow date-range limitation—in fact, Google represents that it "prefers date range limitations," and regularly responds to warrants for email content circumscribed by date range limitations.[4] Rather, Google asserts it objected to the first warrant because it required Google to inspect email content for relevancy and evidentiary value
(Related) Is the Ninth Circuit agreeing? Kind of? Would Google have stopped and asked for a new warrant?

CA9: No special protocol required for computer search warrant, but courts must be vigilant on review

FourthAmendment.com posted this summary and case, although I think John omitted an important “not” when he wrote “the least intrusive measures are required.” The opinion seems to indicate that the court held they were not required, citing Quon, unless I’ve misunderstood:

No special protocol required for a computer search warrant, but vigilance of the court is expected in review to protect against overreaching. Also, the least intrusive measures are required. United States v. Nessland, 2015 U.S. App. LEXIS 7360 (9th cir. May 4, 2015):

It did not specify “‘the precise manner’” of execution, but it was not required to do so. United States v. Grubbs, 547 U.S. 90, 98, 126 S. Ct. 1494, 1500-01, 164 L. Ed. 2d 195 (2006). The officers were searching for a particular type of photographic image and came across the images in question here, which were in plain view. See United States v. Wong, 334 F.3d 831, 838 (9th Cir. 2003). Thereupon, they stopped their search, and did not return to it until they obtained another warrant that covered the new type of images. See United States v. Giberson, 527 F.3d 882, 885, 889-90 (9th Cir. 2008). That approach did not violate Nessland’s rights. Indeed, this case is much like United States v. Schesso, 730 F.3d 1040 (9th Cir. 2013). There, as here, no special protocol was required, and the officers did follow the procedures set forth in the warrant application. Moreover, as here, there was no real risk of exposing other people’s data, and there was no sign of overreaching. Finally, even if some added protections could have been used here, the officers were not required to seek out and use the least intrusive means. See City of Ontario v. Quon, 560 U.S. 746, 763, 130 S. Ct. 2619, 2632, 177 L. Ed. 2d 216 (2010); Quon v. Arch Wireless Operating Co., 554 F.3d 769, 772-73 (9th Cir. 2009); see also Giberson, 527 F.3d at 889-90. While we are well aware of the need for vigilance, [citing CDT] we are satisfied that Nessland’s rights were not violated by the search.
This (to me) is a failure of the State Department audit team. I would want to ensure that security procedures were followed, particularly when someone new takes over. What did they change? Did the change improve security?

Former Secretary of State Hillary Clinton’s use of a personal email account run through a private server was "not acceptable" and happened without officials’ knowledge, [Only possible if no one wanted to know. Bob] a top State Department record-keeper said on Wednesday.

… “The actions that we’ve taken in the course of recovering these emails has made it very clear what the responsibilities are [But not who was responsible? Bob] with regard to record-keeping,” she added in remarks at a Senate Judiciary Committee hearing on government transparency.
Isn't this the candidate who said Presidential candidates had to understand technology?

… Hours after the former Hewlett-Packard CEO appeared on NBC’s “Late Night with Seth Meyers,” the network blocked her campaign’s attempt to post a clip from the show on YouTube.

“This video contains content from NBC Universal, who has blocked it on copyright grounds,” an error message on the clip said on Wednesday morning.
Another predictable “conflict.” If I download the “blueprints” but don't own a 3D printer, am I violating any gun laws? (Even in New York City?) If I have a 3D printer, but never download “blueprints,” am I still a suspect in the eyes of the government? Isn't this exactly the same argument Phil Zimmermann made about PGP encryption? (Item 1)

The 3D-Printed Guns Fight Is On

Should 3D-printed guns be legal? It’s a question that isn’t easy to answer, because it pits the right to the freedom of speech against calls for stronger gun control. Two emotive subjects without much in the way of gray areas and compromise. Especially in the United States. Still, it’s an issue that needs deciding, and fast.

Why? Because the blueprints for a 3D-printed firearm are already out there on the Internet, and have been for two years thanks to Cody Wilson. He created the Liberator, a plastic pistol that anyone can piece together using 3D printing. The State Department demanded he remove the blueprints from the Internet, but two years on he’s challenging that demand.

According to Wired, Wilson’s advocacy group Defense Distributed has filed a lawsuit claiming the Directorate of Defense Trade Controls (DDTC) “violated their first amendment right to free speech.” The question is whether posting blueprints for a 3D-printed gun violates arms export controls or not. Suffice to say, it’s a highly complex issue.

The problem is that while it’s being discussed, hundreds of thousands of people are downloading the blueprints for Liberator, and the most enterprising of these people are actually evolving the design. It’s unlikely the 3D-printed firearms genie can ever be put back into the bottle, but we still need to decide what, if anything, we’re going to do about it from here on out.
Part of any Computer Security planning. If you can't stop employee access in a timely fashion, at least keep (and review) a log of the files the employee accesses.

According to a recent survey by IS Decisions, 75% of businesses leave themselves open to infosecurity breaches from former employees by not following strict post-employment processes to ensure employees no longer have access to information. FreshBusinessThinking.com has more on the survey.

Now add in the risks of employees who know they will be leaving their jobs and help themselves to your valuable data to help them set up their own business. This week’s case in point is Experian, who has sued a former marketing executive, alleging he stole trade secrets and poached former employees to start his own firm when he learned his position would be eliminated.
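One way to act on the "keep (and review) a log" advice above, and to catch both of the cases in this item (accounts that outlive the employee, and employees who pull unusual volumes of files once they know they are leaving), as an added example that is not from the original post, the IS Decisions survey, or the Experian case. The HR records, the key=value log format, the file paths and the thresholds are all constructed assumptions for the illustration:

```python
"""Review file-access logs against HR offboarding records.

Added example (not from the original post or any vendor's product):
flags (1) reads after an account's last working day, meaning access was
not removed in time, and (2) days in the notice period on which a user
read far more distinct files than their pre-notice baseline.
Every employee, log line, path and threshold below is constructed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR records: the day each employee learned they were leaving, and their last day.
OFFBOARDING = {
    "jdoe": {"notified": date(2015, 4, 20), "last_day": date(2015, 4, 30)},
    "asmith": {"notified": date(2015, 4, 27), "last_day": date(2015, 5, 8)},
}

# Constructed file-server access log; the 'timestamp key=value ...' layout is an assumption.
ACCESS_LOG = """\
2015-04-13T09:02:11Z user=jdoe action=read path=/shares/marketing/plan_q2.docx
2015-04-14T10:15:40Z user=jdoe action=read path=/shares/marketing/budget.xlsx
2015-04-21T08:30:05Z user=jdoe action=read path=/shares/marketing/customer_list.xlsx
2015-04-21T08:31:12Z user=jdoe action=read path=/shares/marketing/pricing_model.xlsx
2015-04-21T08:32:47Z user=jdoe action=read path=/shares/marketing/partner_contracts.pdf
2015-04-21T08:33:19Z user=jdoe action=read path=/shares/marketing/lead_scoring.xlsx
2015-04-21T08:35:02Z user=jdoe action=read path=/shares/marketing/campaign_results.xlsx
2015-04-21T08:36:50Z user=jdoe action=read path=/shares/hr/org_chart.xlsx
2015-05-04T19:45:00Z user=jdoe action=read path=/shares/marketing/customer_list.xlsx
2015-04-28T11:00:00Z user=asmith action=read path=/shares/finance/forecast.xlsx
2015-04-29T11:05:00Z user=asmith action=read path=/shares/finance/forecast.xlsx
2015-05-06T14:20:00Z user=bwhite action=read path=/shares/it/runbook.md
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; adds the calendar date."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["date"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return rec


def review(log_text, offboarding, baseline_days=7, spike_factor=3.0):
    """Return a list of (user, finding, detail) tuples for users in the offboarding table.

    'stale-access': any read dated after the user's last day.
    'notice-period-spike': a day between notice and last day on which the number of
    distinct files read exceeds spike_factor times the user's average distinct files
    per active day in the baseline_days before notice (floor of 1.0 file/day when
    there is no history, so a brand-new account is still measured against something).
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_user_day = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_user_day[r["user"]][r["date"]].add(r["path"])

    findings = []
    for user, hr in offboarding.items():
        days = per_user_day.get(user, {})
        # 1) Activity after the last day: the account was not disabled in time.
        for d in sorted(days):
            if d > hr["last_day"]:
                findings.append((user, "stale-access", f"{d} {sorted(days[d])}"))
        # 2) Baseline from the window just before the employee was told.
        base = [len(days[d]) for d in days
                if 0 < (hr["notified"] - d).days <= baseline_days]
        avg = max(sum(base) / len(base), 1.0) if base else 1.0
        for d in sorted(days):
            if hr["notified"] <= d <= hr["last_day"] and len(days[d]) > spike_factor * avg:
                findings.append((user, "notice-period-spike",
                                 f"{d} {len(days[d])} files vs baseline {avg:.1f}/day"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(ACCESS_LOG, OFFBOARDING):
        print(f"{user}: {kind}: {detail}")
```

On the constructed data, jdoe is reported twice: a read on 2015-05-04, four days after the last day, and six distinct files on the first morning after notice against a one-file-per-day baseline; asmith's two reads in the notice period stay under the threshold. The per-user baseline is what keeps the check useful: a threshold on raw file counts alone would either miss a normally quiet employee or flag everyone in a busy department.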
This can't be a small gang. Should be interesting to follow.

… Only after they’d ruled out a silly accounting error or a simple case of some errant animals did they call the law enforcement arm of the Texas and Southwestern Cattle Raisers Association. They reported what they’d feared from the start: 1,121 unbranded steer calves had been stolen, making it among the largest cattle thefts that anyone could remember.

The logistics of pulling off a heist of this size were straight out of “Where in the World is Carmen Sandiego?” Braum’s had found that the stolen calves weighed between 300 and 750 pounds, meaning that the combined lot would likely have tipped the scales at over 500,000 pounds. Texas Monthly’s John Nova Lomax estimated that it would have taken more than 30 cattle trailers, each 36 feet long, to haul off the animals, and it insulted logic to imagine that a fleet of massive farm vehicles would have evaded detection.
A Big Data (gathering) issue.

ARL Joins Hague Declaration for Changes to Intellectual Property Law, Equal Access to Knowledge

by Sabrina I. Pacifici on May 6, 2015

ARL – “More than 50 organizations around the world—including ARL—have signed the Hague Declaration on Knowledge Discovery in the Digital Age, which calls for immediate changes to intellectual property (IP) law and the removal of other barriers preventing widened and more equal access to data. Improved treatments for diseases, answers to global issues such as climate change, and billions in government savings are among the potential benefits to be gained, if the principles outlined in the Hague Declaration are adopted by governments, businesses, and society. The declaration asserts that copyright was never designed to regulate the sharing of facts, data, and ideas—nor should it. The right to receive and impart information and ideas is guaranteed by the Universal Declaration of Human Rights but the modern application of IP law often limits this right, even when these most simple building blocks of knowledge are used. “The rapidly changing digital environment, increased computing power, and the sheer quantity of data being produced make it essential for researchers and society to be able to use modern techniques and tools to help them make new discoveries. Research practices could be revolutionized and lives could literally be saved, if we can achieve better access to the knowledge contained within big data,” said Kristiina Hormia-Poutanen, president of LIBER, the Association of European Research Libraries, which has led work to develop the declaration. A new approach to knowledge discovery is critical at a time when society is facing a literal data deluge. The digital universe, or the data we create and copy annually, is doubling in size every two years and is expected to reach 44 trillion gigabytes by 2020. In addition to clarity around the scope of IP law, a skills gap and a lack of infrastructure must also be addressed if computers are to be better employed to extract and recombine data in order to identify patterns and trends. This process, known as content mining, is widely recognized as the only way to deal effectively with big data…”
Professor Soma at DU's Sturm College of Law shared this:

Guide to Big-Data Providers

Start planning. 2016 will be here this fall.

Hands on: Office 2016 preview focuses on data-gathering and collaboration in the cloud

… “We are moving from Office for us, to Office with others,” Microsoft chief executive Satya Nadella declared during Microsoft’s Build keynote last week.

Microsoft released the consumer preview of Office 2016 on Monday. You won’t find dramatic redesigns of its user interface—those are reserved for the universal Office apps that Microsoft has built or is building for its mobile platforms.

… Office 2016 also shifts how we interact with data in one important way: It actively encourages you to share data via the cloud, rather than files that you download and append to documents. The “death of downloading” hasn’t happened yet, but it seems nigh.

(Related) Get the Office 2016 Preview for home
For my students.

4 Ways to Install Ubuntu Linux on a Windows Computer

This website always has interesting (and timely) examples of statistics for my students. Also look at the chart on fumbles!

This afternoon the NFL released the results of an investigation into whether or not the New England Patriots intentionally deflated footballs below league standards.

… The report — especially the stat-sy appendix — went to great lengths to show that the difference in pressure between the Pats’ and Colts’ footballs was not due to chance.

You don’t need a stats degree to look at that table and see that something is amiss.

I really, really, really suggest my students grab one of these.

Rise and shine: 8 eye-opening alarm clock tips for iOS and Android

(Related) 5 Social Alarm Apps to Help You Get out of Bed