Monday, February 5, 2007
"I fear that HHS is not acting fast enough" to build privacy and security into the emerging Nationwide Health Information Network, Akaka said.

The senator's position was bolstered by testimony from Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine in Louisville, Kentucky. In Kolodner's office, "the focus on privacy is currently lagging behind" work on technical issues such as network architectures, Rothstein testified.

And Carol Diamond, managing director of the Markle Foundation's health programs, said privacy and security policies should be finalized before technology is developed.

"If technology is developed in advance of, or in the absence of, the relevant policy framework, our nation runs the risk of inappropriate uses of personal information followed by a public clamor for hasty remedies," Diamond said. "In those circumstances, we may find ourselves retrofitting complex technologies at great costs. ... This unnecessary cycle will undermine the sustainability of a health information sharing network."
3:23:12 PM
VA data missing again. The Department of Veterans Affairs is again the victim of data loss. A VA-owned, portable hard drive potentially containing personal information on an unknown number of veterans has been reported missing from a VA facility in Alabama.

The VA announced Feb. 2 that a department employee at a medical facility in Birmingham, Ala., reported that the hard drive may have been stolen.

In May 2006, a laptop computer and external hard drive containing personal data on about 26.5 million veterans and their families were stolen from the home of a VA employee in suburban Maryland.

The laptop and hard drive were recovered a month later, and FBI officials said the data most likely had not been compromised. But the theft became a department scandal because several high-ranking VA officials failed to deal with the loss expeditiously.
[FCW: Privacy]
3:08:16 PM
US Set on Expansion of Security DNA Collection. An anonymous reader dropped us a link to this New York Times article about a 'vast expansion' of DNA sampling here in the US. A little-noticed rider to the January 2006 renewal of the 'Violence Against Women Act' allows government agencies to collect DNA samples from any individual arrested by federal authorities, and from every illegal immigrant held for any length of time by US agents. The goal is to make DNA collection as routine a part of detainment as fingerprinting and photography. Privacy experts and immigrant rights groups are decrying this initiative already. Many are also skeptical of lab throughput, as FBI analysts indicate this may increase intake by as much as a million samples per year. There is already a backlog of 150,000 samples waiting to be entered into the agency's database. [Slashdot: Your Rights Online]
2:28:59 PM
More States Challenging National Driver's Licenses. berberine writes "A revolt against a national driver's license, begun in Maine last month, is quickly spreading to other states. The Maine Legislature on Jan. 26 overwhelmingly passed a resolution objecting to the Real ID Act of 2005. The federal law sets a national standard for driver's licenses and requires states to link their record-keeping systems to national databases. Within a week of Maine's action, lawmakers in Georgia, Wyoming, Montana, New Mexico, Vermont and Washington state also balked at Real ID. They are expected soon to pass laws or adopt resolutions declining to participate in the federal identification network. Maine's rejection was recently discussed on slashdot." [Slashdot: Your Rights Online]
2:22:19 PM
Retailers, Banks Trade Blame in Data Thefts. The Washington Post today ran a story I wrote about data breach legislation being crafted on Capitol Hill. Lawmakers are looking to respond to the almost daily disclosures of companies, schools and government agencies suffering data breaches or otherwise exploiting consumers' personal data. Since February 2005, when data mining giant ChoicePoint divulged that it had sold data on 145,000 consumers to criminals, there have been more than 100 million instances in which Americans have had their personal data compromised due to data breaches and mishaps, according to Privacy Rights Clearinghouse.
It's difficult to find a policy issue that's more timely than data privacy and security. Based on my recent interviews, it is clear that this issue is shaping up to be a slugfest between the retail industry and small banks.
A recent high-profile data breach at TJX, the Massachusetts-based parent of discount retailers TJ Maxx and Marshalls, happened in the backyard of House Financial Services Committee Chairman Barney Frank (D-Mass.). According to Frank, retailers like TJX are not doing enough to protect their customers' data (TJX said hackers had broken into its credit and debit card processing network for six months last year and in a separate period in 2003). Frank wants retailers to bear more of the costs that banks incur when canceling new accounts, issuing new cards and dealing with the fallout from angry and confused customers. I suspect that his argument is likely to resonate strongly with many consumers.
Retailers tell a different story. Mallory Duncan, senior vice president of the National Retail Federation, sums up their point of view: "Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems," he said. "These institutions have abdicated their responsibilities in this regard, and now they want retailers to pay for it."
The rest of the story is here. Security Fix will be keeping a close eye on this key issue. I will be moderating a panel on possible legislative solutions to data privacy and breach problems at the RSA Security conference in San Francisco next Tuesday. If you're heading out there as well, please drop by the panel to join in the conversation; I plan to leave plenty of time for Q&A.
[Security Fix]
2:08:21 PM
Super Bowl Site Trojan Aims to Nab Passwords. This story was updated at 3:02 p.m. Please read the entire post. -- The official Web site of Dolphin Stadium -- the location of this weekend's Super Bowl XLI game -- has been infected with a Trojan horse program. The virus seeks to download keystroke-logging software on Windows machines if users visit the site without the latest security updates from Microsoft, security experts warn.
Websense said the site still hosts the virus, and it advises people to steer clear of the site for now. The Trojan tries to use two different exploits to break into Windows PCs; one of them was fixed by a patch Microsoft issued just last month. It is clear that the bad guys are counting on major traffic to the site this weekend. According to Websense, the site is receiving a large number of visitors, thanks in part to some Super Bowl search terms that prominently link to the site. According to Web traffic-monitoring firm Alexa, the stadium site receives about 784,000 hits per week.
If you haven't been diligent about applying Microsoft patches, please take a moment to do that now by visiting Microsoft Update.
Microsoft always advises consumers to better protect themselves by visiting only "trusted sites." However, this type of attack highlights that even popular consumer sites can harbor serious problems. High-profile Web sites like Dolphin Stadium's should do even a rudimentary security review to thwart this type of attack.
Update, 3:02 p.m. ET: Stadium spokesman George Torres now says the site has been cleaned up. I've confirmed his claims with a few outside experts. It also appears that the same virus may have been seeded into other sites. The main "podcasts" page on the Web site for the Centers for Disease Control and Prevention appears to have been infected at some point (ah, the irony). It is unclear when that could have occurred, and it does not appear to be there now. The folks at CDC are checking on the situation. There obviously are multiple sites currently infected with this Trojan, so make sure you're up to date on Microsoft patches.
This attack depends on the user allowing JavaScript computer code to run in the browser. I often plug the "NoScript" extension for Mozilla's Firefox browser, which helps block this attack even on machines that do not have the patch.
[Security Fix]
1:46:38 PM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 10:50:19 AM.