Category Archives: Security

Heartland Payment Systems Breach

I have been asked by many to comment on the breach news regarding credit-card processor Heartland. Unfortunately I cannot reveal too many details, but I would like to point out this smackdown on Avivah Litan of Gartner.

“I would call this the largest breach ever,” Ms. Litan said.

But Robert Baldwin, Heartland’s president and chief financial officer, called her estimate a “totally fictional number.” The company added that, since it’s too early to say how many records were accessed, calling it the largest-ever breach would be “speculative.”

Ouch. Hahaha. But seriously, you can count on Litan to make some crazy statements about security, as I’ve pointed out before.

[Kiosks] are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves.

Perfect target. Largest breach ever. See what I mean?

I predict the biggest fallout from this case will come from the sophistication of the attackers. It goes right to the core debates about encryption on the wire (data in transit, not just data at rest) and about detection of customized malware, the sort of thing your off-the-shelf anti-virus cannot see. A forensics investigator found the evidence of this breach, which should tell you a lot about the level of security awareness now required when dealing with major assets. Companies can no longer bank on simple log analysis if they want to run a safe shop, which is why, despite the sour economy, demand for correlation software and for security investigators is rising. In this case PINs are not believed to have been exposed, but unencrypted card data for hundreds of thousands of merchants was captured by the attackers as it was transmitted to the card brands.

Kind of reminds me of the recent Nevada encryption law…any guesses where the regulations are going next?

U Turn (lili)

by AaRON

Lili,
Take another walk out of your fake world
please put all the drugs out of your hand
You’ll see that you can breathe without no backup
So much stuff you got to understand

For every step in any walk
any town of any thought
I’ll be your guide

For every street of any scene
any place you’ve never been
I’ll be your guide

Lili,
You know there’s still a place for people like us
the same blood runs in every hand
You see it's not the wings that make the angel
just have to move the bats out of your head

For every step in any walk
any town of any thought
I’ll be your guide

For every street of any scene
any place you’ve never been
I’ll be your guide

Lili,
Easy as a kiss we’ll find an answer
put all your fears back in the shade
Don’t become a ghost without no color
cause you’re the best paint that life ever made

For every step in any walk
any town of any thought
I’ll be your guide

For every street of any scene
any place you’ve never been
I’ll be your guide

Ocean Spy

A friend of mine reported today that she successfully deployed a Monterey Bay surveillance system:

A new camera will spy on sea creatures at the bottom of the Monterey Bay south of San Francisco starting Wednesday, if all goes as planned on the boat trip to install the Eye-in-the-Sea.

Congrats!

This is part of research on bioluminescence that appears to be funded by the US military. Why the military? Anything moving through water where bioluminescent plankton is present (a swimmer, a diver, a hull) can leave a glowing wake, so covert operations are very difficult to hide: simple technology is enough to spot even the most sophisticated navy commandos. Aside from the security interest, I am sure there are scientific reasons for the study.

A Flickr stream has already been started with photos from the research boat.

VA Data Integrity Impacts Drug Dosages

I am working on a HIPAA webinar this week (should be out next week) and just noticed in the news that the US Department of Veterans Affairs (VA) botched a software upgrade, which led to health care risks:

Patients at VA health centers were given incorrect doses of drugs, had needed treatments delayed and may have been exposed to other medical errors due to the glitches that showed faulty displays of their electronic health records, according to internal documents obtained by The Associated Press under the Freedom of Information Act.

This sort of error demonstrates serious mismanagement of pre-production testing. I suspect the upgrade project did not include the time or budget for sufficient quality assurance and security verification.

The VA said there were nine reported cases in which patients at VA medical centers in Milwaukee, Durham, N.C., and Marion, Ind., were given incorrect doses, six of them involving heparin drips for patients with chest pain. The other cases involved infusions of either sodium chloride or dextrose mixtures that were prolonged for up to 15 hours past the doctor’s prescribed deadline.

The problem sounds isolated enough to get to resolution quickly. Unfortunately, the VA instead has apparently tried to keep the problems quiet from August to October of last year.

By early October, hospitals began reporting the troubling problems: When doctors pulled up electronic records of different patients within 10 minutes of each other to offer treatment advice, the medical information of the first patient sometimes displayed under the second person’s name. In some records, a doctor’s stop order for intravenous injections also failed to clearly display.

The VA issued several safety alerts to medical centers beginning Oct. 10. It also imposed new safety measures until the glitches were fully corrected in December.

I have seen this kind of data integrity mistake before, and it is not hard to investigate and find the sources of failure. The bigger question, however, is why VA management hid the problem for so long when patient health was at stake.
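The symptom the AP describes (one patient's clinical data rendered under the next patient's name when the two lookups happen within minutes on the same workstation) is what you get when a display layer caches a record under a key that does not include the patient. The article does not say what the VA's actual defect was, so the buggy cache below is a hypothetical mechanism chosen because it reproduces exactly that symptom; it is an added example written for this post, not VA code. It also shows the two fixes a reviewer would ask for: key the cache by patient, and have the rendering boundary refuse any record whose patient ID does not match the request, so that an upstream bug fails closed instead of showing the wrong orders. Patients, names and orders are constructed.

```python
"""Cross-patient integrity check at the record display boundary.

Added example for the post above, not the VA's code. The cache and the
ten-minute window are assumptions that reproduce the reported symptom.
All patient data below is constructed.
"""
import time

CACHE_TTL_SECONDS = 600   # assumed 10-minute window, matching the reported symptom

# Constructed sample data; not real patients.
NAMES = {"P-1001": "Alice Example", "P-1002": "Bob Example"}
RECORDS = {
    "P-1001": {"patient_id": "P-1001", "orders": ["heparin drip"]},
    "P-1002": {"patient_id": "P-1002", "orders": ["dextrose infusion, stop 06:00"]},
}


def fetch_record(patient_id):
    """Stand-in for the database read; returns a copy of the stored record."""
    return dict(RECORDS[patient_id])


class IntegrityError(Exception):
    """Raised when a record does not belong to the patient it was requested for."""


class RecordCache:
    """Per-workstation cache. With per_patient=False the key is the
    workstation alone, so a second patient opened within the TTL silently
    receives the first patient's record (the hypothetical bug)."""

    def __init__(self, per_patient, clock=time.monotonic):
        self.per_patient = per_patient
        self._clock = clock
        self._cache = {}   # key -> (expires_at, record)

    def get(self, workstation, patient_id):
        key = (workstation, patient_id) if self.per_patient else workstation
        now = self._clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1]
        record = fetch_record(patient_id)
        self._cache[key] = (now + CACHE_TTL_SECONDS, record)
        return record


def render(requested_id, record, guard):
    """Display boundary. With guard=True, refuse to render a record that is
    not the requested patient's; with guard=False, trust whatever arrived,
    which is how the first patient's orders end up under the second name."""
    if guard and record["patient_id"] != requested_id:
        raise IntegrityError(
            f"record for {record['patient_id']} requested as {requested_id}")
    return {"name": NAMES[requested_id], "orders": record["orders"]}


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def two_lookups(per_patient, guard):
    """Open P-1001, then P-1002 five minutes later on the same workstation.
    Returns the second screen's content, or the IntegrityError that blocked it."""
    clock = FakeClock()
    cache = RecordCache(per_patient, clock)
    render("P-1001", cache.get("ws-7", "P-1001"), guard)
    clock.advance(300)
    try:
        return render("P-1002", cache.get("ws-7", "P-1002"), guard)
    except IntegrityError as err:
        return err


if __name__ == "__main__":
    print("buggy key, no guard :", two_lookups(False, False))   # Bob's name, Alice's orders
    print("buggy key, guarded  :", two_lookups(False, True))    # IntegrityError, nothing shown
    print("fixed key, guarded  :", two_lookups(True, True))     # Bob's name, Bob's orders
```

The guard is the part worth keeping even after the cache is fixed: a mismatch between the identity you asked for and the identity stamped on the data you got back should stop the display and page someone, not render. That same check is also what makes the failure easy to investigate afterward, since each refusal is a logged event with both IDs rather than a doctor's recollection.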