OCR has announced a settlement involving a breach that
I never even reported on this site at the time and that doesn’t appear to have
been in the news at the time. A quick
look at HHS’s “Wall of Shame” shows two entries for the incident at issue: one
entry says it was reported on January 31, 2014 as “Loss – Paper/Films.” The second entry says it was reported on April
4, 2014 as “Other – Paper/Films.” Let’s
see what the press release from OCR says:
The U.S. Department of Health and Human Services, Office
for Civil Rights (OCR), has announced the first Health Insurance Portability
and Accountability Act (HIPAA) settlement based on the untimely reporting of a
breach of unsecured protected health information (PHI). Presence Health has agreed to settle potential
violations of the HIPAA Breach Notification Rule by paying $475,000 and
implementing a corrective action plan.
… With this
settlement amount, OCR balanced the need to emphasize the importance of timely
breach reporting with the desire not to disincentivize breach reporting
altogether.
On January 31, 2014, OCR received
a breach notification report from Presence indicating that on October 22, 2013,
Presence discovered that paper-based operating room schedules, which contained
the PHI of 836 individuals, were missing from the Presence Surgery Center at
the Presence
St. Joseph Medical Center in Joliet, Illinois. The information consisted of the affected
individuals’ names, dates of birth, medical record numbers, dates of
procedures, types of procedures, surgeon names, and types of anesthesia. OCR’s investigation revealed that Presence
Health failed to notify, without unreasonable delay and within 60 days of
discovering the breach, each of the 836 individuals affected by the breach,
prominent media outlets (as required for breaches affecting 500 or more
individuals), and OCR.
So they were late by more than one month. The press release doesn’t indicate how late
they were, but the Resolution
Agreement notes that notifications to individuals did not occur until
February 3, 2014 (104 days post-discovery), notification to media outlets did
not occur until February 5, and notification to HHS did not occur until January
31.
The Resolution Agreement also indicates that Presence
explained its delay as being due to a “miscommunication between workers.” But in investigating Presence, OCR had also
uncovered other breaches in which notification had not been timely made. As a result, the corrective action plan
requires revision of policies and procedures for receiving and addressing
reports of breaches from both internal sources and external parties.
As a tease to readers:
In the near future, Protenus
will be releasing its report on 2016 health data breaches. Their analyses include some data on the gap
between breach, discovery, and reporting, and how many entities actually comply
with the 60-days-from-discovery timeline. Their analyses, in light of today’s resolution
agreement, should make for some interesting conversations – and sweating – in
C-Suites.
Assumptions
galore. What does the Board of Directors
know about their vulnerability? How
often should you back up a database?
The other night on Twitter, after I and others
communicated concern as the number of attacks on misconfigured MongoDB
installations rose to 27,000 in a relatively short period,
@Cyber_War_News and I had a respectful disagreement about the seriousness of
the situation:
still shocked that yall shocked and fussing about the mongodb ransom spike.
@Cyber_War_News
And it's not the ransom that's my main concern. It's databases getting wiped...
@PogoWasRight
well we all know 95% are dev and waste databases, others are most likely backed
up, i see no major issue really
In light of the above, I thought I’d highlight what we can
learn from the MongoDB ransacking sheet created by Victor Gevers and Niall
Merrigan. They’ve added a sheet about
the victims they’ve provided assistance to. For the first 118 victim entries, consider the
following:
· Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
· 7 reported paying the ransom; none of those had gotten their data back.
· 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.” The remaining were coded as “unknown,” left blank, or had other designations.
Maybe the first 118 cases are an atypical sample of the
more than 27,000 that have been hit, but also consider this:
For the 40+ U.S. entries in the sheet, the production
databases included:
· a travel organization that issued tickets and stored search and customer data in the database;
· an online advertising firm that stored online ads tracking data;
· a school that stored a student database;
· an Internet app (Social Media) that stored user data;
· a Consumer Services organization that stored customer data;
· an Online Media entity that stored customer data;
· an Online Service (Webshop) that stored orders and customer data; and
· an Online Service (Financial) that stored transaction logs.
Many other U.S. entries were noted as “production” without
more specific information entered yet.
And of course, the problem is not confined to U.S.
databases. A French healthcare research
entity had its database with cancer research data wiped out. They reported no recent backup. And an online financial service in Argentina
also had its production database wiped out; that one contained payroll data. They, too, had no recent backup.
As of yesterday, more
than 93 terabytes of data had been wiped out.
So should we be concerned about these attacks? I think we should.
But in light of the fact that this is not a new problem,
will the Federal Trade Commission consider any enforcement actions against some
entities for not using “reasonable security” to protect personally identifiable
information? Could the FTC argue that
even if they haven’t specifically provided any guidance on MongoDB or other
NoSQL databases, the information was out there and entities or their
third-party vendors should have known by now?
For my Ethical Hacking students. Why didn’t you find these keys first? (Is this the only place you should look?)
"Truffle Hog" Tool Detects Secret Key Leaks on
GitHub
A free and open source tool
called “Truffle Hog” can help developers check if they have accidentally leaked
any secret keys through the projects they publish on GitHub.
Truffle
Hog is a Python tool designed to search repositories, including the
entire commit history and branches, for high-entropy strings that could
represent secrets, such as AWS secret keys.
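To show what “high-entropy strings” means in practice, here is an added example in Python of the core check such a scanner performs; it is not code from the quoted article or from the Truffle Hog project. It assumes two candidate alphabets (base64 and hex), a minimum run length of 20 characters, and thresholds of 4.5 bits per character for base64-alphabet runs and 3.0 for hex runs; those figures are an assumption based on the values the early Truffle Hog releases used, and are tunable. The sample input is constructed: the AWS values are the placeholder credentials from AWS’s own documentation, and the hex token is made up.

```python
import math
from typing import List, NamedTuple

# Candidate alphabets. Assumption: these mirror the two character sets the
# original Truffle Hog scanned for (base64 and hex); they are tunable.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

# Assumed thresholds (bits per character) and minimum run length, taken from
# the early Truffle Hog releases; raise them to cut false positives.
B64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LEN = 20


class Finding(NamedTuple):
    line: int       # 1-based line number in the scanned text
    kind: str       # "base64" or "hex"
    entropy: float  # Shannon entropy of the run, bits per character
    text: str       # the flagged run itself


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`.

    A string drawn from the 16 lowercase hex symbols tops out at 4.0 bits;
    one drawn from the 65-symbol base64 alphabet tops out at about 6.02 bits.
    """
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_runs(line: str, charset: str, min_len: int = MIN_LEN) -> List[str]:
    """Maximal runs of `charset` characters in `line` that are at least `min_len` long."""
    runs, current = [], []
    for ch in line:
        if ch in charset:
            current.append(ch)
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def find_secrets(text: str) -> List[Finding]:
    """Scan `text` line by line and flag high-entropy runs in either alphabet."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for run in candidate_runs(line, BASE64_CHARS):
            e = shannon_entropy(run, BASE64_CHARS)
            if e > B64_THRESHOLD:
                findings.append(Finding(line_no, "base64", e, run))
        for run in candidate_runs(line, HEX_CHARS):
            e = shannon_entropy(run, HEX_CHARS)
            if e > HEX_THRESHOLD:
                findings.append(Finding(line_no, "hex", e, run))
    return findings


# Constructed sample input: a .env-style file committed by mistake. The AWS
# values are the placeholder credentials from AWS's own documentation, not
# live keys; the hex token is made up.
SAMPLE = "\n".join([
    "# constructed sample: a config file as it might be committed by mistake",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_name=" + "a" * 32,
    "api_token=3f9d2a7c1b8e4d5f6a0c9b2e7d4f1a8c",
])

if __name__ == "__main__":
    for f in find_secrets(SAMPLE):
        print(f"line {f.line}: {f.kind} run, {f.entropy:.2f} bits/char: {f.text}")
```

Run against the sample, the scan flags the 40-character secret key on line 3 (about 4.65 bits per character over the base64 alphabet) and the 32-character hex token on line 5 (about 3.91 bits over the hex alphabet), while the repeated-character session value on line 4 scores near zero and is ignored. Note what it misses: the access key ID on line 2 is a structured, low-entropy string (about 3.76 bits) and passes unflagged, which is why entropy scanning is usually paired with pattern rules for known key formats. The same function can be pointed at anything that is text, not just a repository checkout: the output of `git log -p` over every branch, build logs, container images and chat exports are all places such keys end up.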
Something
for our Computer Forensics students.
A data breach investigation blow-by-blow
Someone has just sent me a data breach. I could
go and process the whole thing, attribute it to a source, load it into Have I been pwned (HIBP) then
communicate the end result, but I thought it would be more interesting to
readers if I took you through the whole process of verifying the legitimacy of
the data and pinpointing the source.
Won’t this get the lawyer a visit from the “Obfuscation is
good” committee?
A
lawyer rewrote Instagram’s terms of use “in plain English” so kids would know
their privacy rights
Amy B. Wang reports:
“‘Terms and conditions’ is one of the first things you
agree to when you come upon a site,” Jenny Afia, a privacy lawyer and partner
at Schillings law firm in London, told The Washington Post. “But of course no one reads them. I mean, most adults don’t read them.”
Afia was a member of a “Growing Up Digital” task force
group convened by the Children’s Commissioner for England to study internet use
among teens and the concerns children might face as they grow up in the digital
age.
The group found more than a third of internet users are
younger than 18, with 12- to 15-year-olds spending more than 20 hours a week
online.
Most of those children have no idea what their privacy
rights are, despite all of them agreeing to terms and conditions before
starting their social media accounts, Afia said. The task force, which included experts from
the public and private sector, worked for a year and released its report
Wednesday.
Read more on The
Denver Post. I love how the task
force translated the legalese into short, comprehensible English for kids and
teens. We need more of that!
Falsifying
data for job security? Sounds like their
‘one size fits all’ process for eliminating books needs a revision. Since this impacts funding, it’s fraud.
To save books, librarians create fake 'reader' to check out
titles
Chuck Finley appears to be a voracious reader, having
checked out 2,361 books at the East Lake County Library in a nine-month period
this year.
But Finley didn't read a single one of the books, ranging
from "Cannery Row" by John Steinbeck to a kids book called "Why
Do My Ears Pop?" by Ann Fullick. That's
because Finley isn't real.
The fictional character was concocted by two employees at
the library, complete with a false address and driver’s license number.
… The goal behind
the creation of "Chuck Finley" was to make sure certain books stayed
on the shelves — books that aren't used for a long period can be discarded and
removed from the library system.
Interesting, but I would never do this in isolation. It is very difficult to pull intelligence
targeting one location. Better to see
what could happen anywhere and figure out how to deal with it at your
airport. Reads more like a plan to keep
celebrities safe from ‘the little people.’
Inside LAX's New Anti-Terrorism Intelligence Unit
I’m trying to ensure that my students use all the data
they can find.
UK – There is no shortage of open data – Is anyone using it?
by Sabrina
I. Pacifici on Jan 9, 2017
ComputerWeekly.com: “The UK government’s data portal,
data.gov.uk, currently shows 36,552 published datasets available, but how
usable are they, and is anyone actually downloading them?… There are examples of data being linked in
useful ways. In several, but by no means
all, cities in the UK and Europe, Citymapper draws on open datasets,
including mapping data and public transport timetables, to show people where
they are and what their options are for getting where they want to go. To do this, the data should, first and
foremost, be available and up to date. It should also be in machine-readable format. Bus timetables in PDF form are not much fun
for human beings – and they are almost useless for navigation apps. Citymapper is often cited as an open data
success story, but is comparatively rare. A counter example was raised at the summit by
a question concerning threesixtygiving.org. On its website, threesixtygiving says it
“supports organisations to publish their grants data in an open, standardised
way and helps people to understand and use the data in order to support decision-making
and learning across the charitable giving sector”. But a questioner from the floor pointed out
that UK government data on grants is not currently open…”
Because I read a lot!
… You’d be
surprised how many ebooks you can get without paying a cent, and that applies
to both fiction and non-fiction. Where
can you find these free ebooks? Well,
we’re glad you asked…
I have some students who live for comic book movies.
Comic Book and Sci-fi Movies 2017: listed and ranked with
trailers
… The following
list is ranked in order of how epic I feel each film in the greater 2017
collection will be. For me, “epic”
doesn’t necessarily mean “award-winning” or even “good for most viewers.” In this market of sequels and chapter-cut
releases, EPIC mostly means “if you liked what came before, you’re going to
love this.”