Category Archives: Privacy

Rising the level of trust associated with identity in online transactions

Obama’s National Strategy for Trusted Identities in Cyberspace

In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions.

NSTIC focuses on upgrading outdated password-based authentication systems and reducing the barriers associated with identity proofing and deployment of strong credentials, while also enabling end-users to have more control over when and what information they disclose in a range of transactions.

Could someone please translate this for me?

How is giving an end-user more control over information disclosure is going to mitigate the risk of data breaches when over 300 million credit cards have already been breached?

What about online merchants vulnerabilities and better data security countermeasures for online Web services?

Will PCI DSS discover Data loss prevention technology anytime in the next decade?

Where  I come from, that’s called shutting the barn-door after the horses have flown.

Tell your friends and colleagues about us. Thanks!
Share this

Threats on personal health information

A recent HIPAA violation in Canada  where an imaging technician accessed the medical records of her ex-husband’s girlfriend comes as no surprise to me. Data leakage of ePHI in hospitals is rampant simply because a) there is a lot of it floating around and b) because of human nature.  Humans being naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family will bend the rules to get information.   HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia consistently show that the number one attack vector on PHI is friends and family, not hackers.

Courtesy of my friend Alan Norquist from Veriphyr

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

  • Failing to inform the victim of any disciplinary action against the perpetrator.
  • Not reporting the breach to the appropriate professional regulatory college.
  • Not following up with an investigation to determine if policy changes were required.

The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologists had accessed the victim’s medical files six times over 10 months.

The information inapprorpriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

Sources: 
(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information – Ottawa Citizen, January, 2011

 

Tell your friends and colleagues about us. Thanks!
Share this

Controlled private networking

This evening I was added to a FB Group – apparently – you don’t have to agree to be joined in. FB Groups is a way to organize your contacts and get better control over your social networking.  It looks pretty cool to me but the New York Times suggests that Facebook groups may engender even more privacy control issues for Facebook Groups users:

Mr. Zuckerberg said that other applications and services that use Facebook’s technology would be able to use Groups, and that Groups would help improve other parts of Facebook.
“Knowing the groups you are part of helps us understand the people who are most important to you, and that can help us rank items in the news feed,” he said.

Knowing this – would you use Facebook Groups for a business networking application – like sales professionals talking to clients?  I don’t think so.  FB will never give up their profiling data since their revenue model is advertising-based.  The low cost of running a private controlled  social network like Elgg in the cloud should be a competitive alternative to FB Groups for a small business looking to leverage social networking to reduce cost of customer support, marketing and distribution of material.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the new service “double-edged

“Yes, it’s good to be able to segment posts for particular friends,” he said. “But you will also be revealing information to Facebook about the basis of your online connections.”

Tell your friends and colleagues about us. Thanks!
Share this

Controlled social networking

I saw a post recently on Controlled social networking for student collaboration. One of the comments lamented not having the head count to install technology to control Facebook access by students.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and security side), I  would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under 25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and who they would share the media with.  I believe that as social media becomes part of  the continuum of social interaction in the physical  and virtual worlds, privacy becomes an issue of  personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

Tell your friends and colleagues about us. Thanks!
Share this

Are you still using Excel for risk assessment?

There is a school of thought that says that you can take any complex problem and break it down like swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be swiss-cheesed.  A collection of brittle, unwieldy, two dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database.  PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of active security analyst users on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application available as a freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants but there are always far more available controls than threats. As a result, organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an  all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.

Tell your friends and colleagues about us. Thanks!
Share this

What price privacy?

Dr. David Gurevich in an interview with the Israeli business daily Globes predicts that real time death will be the next development in reality programming.  Once the domain of science fiction and fantasy – Dr. Gurevich believes that the online death scenario is an inevitable development in the loss of privacy and wave of voyeurism brought on by social networks like Facebook.

Although many people would love to participate in televised reality shows like Survival, it’s no longer necessary – you can do it yourself on Youtube.

Like any other scarce commodity, I predict that online privacy will soon become a product that people will pay dearly for perhaps to the point of acquiring entrance into a totally technology free environment.

Tell your friends and colleagues about us. Thanks!
Share this

Secure collaboration, agile collaboration

One of the biggest challenges in global multi-center clinical trials (after enrollment of patients) is collaboration between multi-center clinical trial teams: CRAs, investigators, regulatory, marketing, manufacturing, market research, data managers, statisticians and site administrators.

In a complex global environment, pharma do not have control of computer platforms that local sites use – yet there is an expectation that file and information sharing should be easy yet there are three areas where current systems break down:

1. People forget what files had been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA)  a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture, that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!

Tell your friends and colleagues about us. Thanks!
Share this

Data security and compliance – Best practices

Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”
In the attached presentation – we review data security requirements in compliance regulation, we discuss provable security and show how DLP can serve both as an invaluable measurement tool of security metrics of inbound and outbound business transactions and when required – as a last line of defense for personal account numbers.
Tell your friends and colleagues about us. Thanks!
Share this

Sears using spyware for sales

No secret that Walmart is hurting many older retail chains such as Kmart and Sears. Both latter companies are struggling to stay afloat, trimming the fat by closing locations and restructuring current stores to look refreshed and up to speed with America’s #1 retail giant. But now Sears and Kmart has come under fire for acquiring marketing data using spyware, and seems rather surprising given their need for consumer patronage.
Last week the Federal Trade Commission approved its final consent order against Sears Holding Management Company, the parent company of both Sears and Kmart. According to Ars Technica, the company must destroy all data gained from its “My SHC Community” program, and halt all incoming transmissions from the hidden spyware provided by the company currently  installed “in the wild.” The program threw up a red flag as far back as early 2008, with security researchers declaring that Sears was after more than what was originally disclosed in the user agreement.

The voluntary “My SHC Community” survey collected the participant’s online web browsing in exchange for $10. However, the program that participants installed collected more than just casual browsing, but rather transmitted the complete contents of a browsing session, including secure sessions. That meant Sears and Kmart collected personal data including bank accounts, credit cards, addresses, home telephone numbers and more. The installed software also collected non-Internet information about the participant’s computer.

After an investigation, the FTC said that Sears disclosed its tracking intent, but did so in a confusing manner that appeared after a lengthy, multi-step registration process. “The agency charged that Sears did not “adequately disclose the scope of the tracking software’s data collection,” the FTC said. Sears has agreed to provide clearer disclosures, separate from any user license agreement, in future marketing programs.

Tell your friends and colleagues about us. Thanks!
Share this

Research data integrity

I usually write about best practices and practical tools to prevent data theft, data loss and data leakage – since our professional services focus on data security in Central and Eastern Europe. Data security is, I guess a sub-specialty of security and compliance.

Security is chartered with ensuring the survival of a business and protecting it’s capability  to generate value for customers and share holders. The most effective security organizations  are integrated for enterprise protection of physical, information, system and employee assets.

But – I was reminded today that data security is not just about data loss prevention – it’s about ensuring confidentiality, integrity and availability of data in all 4 realms – physical, information, systems and employees.

From on article an MedScape today:

Fewer than half of the clinical trials reported in high-impact-factor journals are adequately registered, while nearly a third show “some evidence of selective outcome reporting,” according to research published September 2 in the Journal of the American Medical Association.

Selective outcome reporting – is a data security violation, tampering with the integrity of the data.

Only this time – it’s human lives not credit cards.

Yikes.

Tell your friends and colleagues about us. Thanks!
Share this