Warning Labels for Coal Power Plants

Illustration by Tom Toles.


He forgot serious illnesses such as cancer and birth defects:

…huge rates of coal consumption were a factor behind an increase in cancer and birth defects as well as non-specific and chronic nervous, immune and respiratory illnesses.

Coal-fired power plants contribute three quarters of China’s total electricity needs, but also around 70 percent of energy sector air pollution.

The government has been studying how to reduce its toxic effects, but “clean coal” remains a misnomer, said the group’s China campaign manager, Yang Ailun.

“There are many coal power plants saying they are now ‘clean’ but there are a lot of misunderstandings — coal creates pollution and clean coal is impossible,” she said.

Studies of the effect of coal used in homes have a similar warning:

[Kirk Smith, a professor of global environmental health at the University of California, Berkeley] said the results of the study do provide further evidence that coal causes significant health problems and should be replaced by other fuel sources. “Coal can’t be burned cleanly…it should be banned from all household use,” he told Reuters Health.

How HIPAA is Enforced

This question comes up a lot lately: how is HIPAA enforced? The U.S. Department of Health and Human Services (HHS) has a page that gives a nice flow chart for the answer.


But that does not seem to answer what people are really asking. I think what entities really want to know is what will trip a HIPAA violation and generate a fine — what should they really worry about. An excellent source of insight for that answer comes from the Case Examples and Resolutions Agreements. The UCLA agreement just two months ago (July 6, 2011) to “settle potential violations of the HIPAA Privacy and Security Rules for $865,500”, for example, details their mistakes.

On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):

(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.

(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.

(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all members of its workforce to carry out their function within the Covered Entity.

(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.

(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.

The words “reasonable and appropriate level” are the key to this enforcement agreement. It might seem vague at first glance but clearly a Covered Entity has to manage authentication and authorization. An appropriate level of access would be based on a need-to-know basis. In other words, no need means no authorization for a user.
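What "need-to-know" looks like in practice is a deny-by-default authorization check tied to a documented care relationship, plus an audit review of the access log that surfaces exactly the conduct listed in findings (i), (ii) and (iv): repeated reads of patient records by people with no permissible reason. The following is an added illustration written for this post; it is not code from HHS, UCLA or the blog, and every user id, patient id and log line in it is constructed.

```python
"""
Need-to-know authorization for patient records, with an audit review that
flags reads lacking a documented care relationship.
Added example; not from HHS, UCLA or the original post. All ids and log
lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed care assignments: patient id -> workforce members who currently
# have a treatment, payment or operations relationship with that patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"dr.lee", "rn.ortiz"},
    "P-1002": {"dr.lee"},
    "P-1003": {"rn.ortiz", "billing.kim"},
}

# Purposes the Privacy Rule treats as permissible without patient authorization.
PERMISSIBLE_PURPOSES = {"treatment", "payment", "operations"}


def authorize(user: str, patient: str, purpose: str) -> bool:
    """Deny by default: permit a read only when the purpose is permissible AND
    the user is on the patient's care team. No need means no authorization."""
    if purpose not in PERMISSIBLE_PURPOSES:
        return False
    return user in CARE_TEAM.get(patient, set())


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    purpose: str


# Constructed access log: "<iso timestamp> <user> <patient> <stated purpose>".
SAMPLE_LOG = [
    "2008-01-31T09:02:00 dr.lee P-1001 treatment",
    "2008-01-31T09:05:00 rn.ortiz P-1001 treatment",
    "2008-01-31T10:15:00 clerk.ng P-1002 curiosity",   # not a permissible purpose
    "2008-01-31T10:16:00 clerk.ng P-1001 treatment",   # not on the care team
    "2008-02-01T08:00:00 clerk.ng P-1003 treatment",   # not on the care team
    "2008-02-01T12:30:00 billing.kim P-1003 payment",
    "2008-02-02T14:00:00 dr.lee P-1003 treatment",     # not on the care team
]


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse the constructed log format into events."""
    events = []
    for line in lines:
        ts, user, patient, purpose = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, purpose))
    return events


def impermissible_reads(events: List[AccessEvent]) -> List[AccessEvent]:
    """Reads that the need-to-know policy would not have authorized.
    Each one is a candidate for review; a single hit may be a legitimate
    emergency access, which is why the log, not the policy, is the record."""
    return [e for e in events if not authorize(e.user, e.patient, e.purpose)]


def repeat_offenders(events: List[AccessEvent], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` impermissible reads: the 'repeatedly'
    in findings (i) and (ii), and the cases that need documented sanctions
    under finding (iv)."""
    counts: Dict[str, int] = {}
    for e in impermissible_reads(events):
        counts[e.user] = counts.get(e.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in impermissible_reads(evs):
        print(f"REVIEW {e.ts.isoformat()} {e.user} read {e.patient} ({e.purpose})")
    print("repeat offenders:", repeat_offenders(evs))
```

The point of running the audit against the log rather than only enforcing at read time is that finding (v) faults the entity for not reducing the risk of impermissible access to a reasonable level: a single denied read is a policy decision, but a user who keeps turning up in the review list is a sanctions and documentation problem that the entity has to be able to show it acted on.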

And while the $865,500 fine could be called large, it reflects four years of authorization management deficiencies and information exposures to numerous “workforce members”. Compare it to the $1,000,000 fine handed to Massachusetts General Hospital earlier this year after a single authorized workforce member accidentally left billing papers on a subway on the way to work.

The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.

I suspect these fine amounts prompt risk managers to wonder how a long-term and repeated exposure of information, which cites weak privacy management and hints at neglect and negligence, could get a lower fine than a one-time accidental disclosure by a single person.

“Willful neglect without correction” is specified under Section 13410(d) of the HITECH Act Enforcement Interim Final Rule as a “Tier D” penalty of $50K per violation up to $1.5 million per year per violator.

Perhaps documents left on the subway are considered by HHS a Tier D act, but it doesn’t sound like it from their agreement. Maybe I’m underestimating the importance regulators place on an envelope and rubber band, or on special circumstances of the case. The HITECH enforcement exception was the first thing that jumped to my mind after I read the agreement, but there must have been some other compelling evidence of privacy neglect:

…prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect

The Interrupters

I spend almost every day now reviewing breach data and analyzing threats to deconstruct vulnerabilities. Some of my more popular work recently has been to convince IT management that they need to improve their analysis of threats to understand them better.

Although there are many frustrating examples of negligence and ignorance when it comes to security, no one should feel satisfied to always blame the victim after an attack. That is why the security industry can help with more balanced risk analysis instead of pounding only on customer vulnerabilities and writing-off every threat as “sophisticated”.

After a presentation on cloud penetration testing at VMworld this week I was asked by a customer of a provider why their instance was constantly being broken into. First, I went over how they should pinpoint the threat and not just the vulnerability in their particular instance. That was because, second, I explained that if you have a nice house with big windows and live in a dangerous neighborhood when you can afford to move to a better neighborhood…the choices become more obvious when translated to a more familiar risk context.

A medical professional who injects a virus in a patient in order to test and build up antibodies, for another example, makes an excellent simile for penetration testing a cloud environment.

The viruses in the flu shot are killed (inactivated), so you cannot get the flu from a flu shot.

They say you can’t get the flu from a simulation of the flu, but we all know that the flu shot still carries risks.

There are some people who should not get a flu vaccine without first consulting a physician. These include:
[…]

  • People who have had a severe reaction to an influenza vaccination.

In the same vein (pun not intended) I strongly recommend to anyone interested in the study of information security and the interruption of threats (to protect the vulnerable) that they watch this movie:

Note that one of the movie protagonists, one of the Interrupters, is the daughter of Jeff Fort. He was a notorious Chicago gangster convicted of domestic terrorism in the 1980s.

For years Chicago’s El Rukns seemed like the average urban street gang, dabbling in racketeering, narcotics sales and the occasional murder. But El Rukns (Arabic for “the cornerstone”) was far more ambitious than that. Last week a federal jury convicted five members of conspiring to commit terrorist acts against the U.S. The plotters, prosecutors said, expected to receive $2.5 million from Libya’s Colonel Muammar Gaddafi for bombing buildings and airplanes and assassinating American politicians.

[…]

In the late ’70s, the 100-member organization turned to political militancy and religion. The leader, Jeff Fort, 40, regularly presided over meetings from an immense, high-backed throne atop a pedestal, surrounded by outsize posters of himself and Gaddafi.

The daughter of this guy is now trying to stop the violence. I would point you to a Wikipedia reference so you could read all about this amazing and inspirational woman — Ameena Mathews — who has dedicated her life to saving so many others, but a Wikipedia administrator — Fastily — has just decided to delete her page.

This page has been deleted. The deletion and move log for the page are provided below for reference.

00:03, 29 August 2011 Fastily (talk | contribs) deleted “Ameena Mathews” (Expired PROD, concern was: Does not meet notability guidelines. Lacks citations to significant coverage in reliable sources.)

Uh, she has been written up in the NYT, The Guardian, NPR, PBS…just type her name into a search engine to see the citations. Take her interview in indieWire as an example of the “coverage” she gets:

…you’ve been meeting up with similar groups across America. How has that been?

We met up with a lot of groups that replicated the model. There’s a lot of people out there doing a lot of great things, helping the war on poverty, getting kids in school so they can put the guns down.

[…]

There’s purple hearts for those that are wounded in Afghanistan, but not much for those who do our work.

Hey Wikipedia, get a f-ing clue. The Interrupters and their work to stop threats should be the very definition of notability. Let this be yet another giant blinking warning sign of why you should not automatically trust the supposedly well-intentioned administrators of cloud services to do some basic checks before they act, let alone care about risk and the security of information.