70% of healthcare organizations said that protecting patient data was a low priority; 67% of organizations said they had less than two staff members dedicated to data protection management.
A majority of healthcare organizations said they had little confidence in their ability to secure patient records. According to the study, 71% of healthcare organizations had inadequate resources to protect patient data, and 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss.
The phrase "little confidence in their own ability" is a loaded one. I wonder if this is a split between security experts answering anonymously versus the direction of their leadership, or unified pessimism among health care management.
I noticed something odd about the numbers. Here is another look:
70% of healthcare organizations said that protecting patient data was a low priority
67% of organizations said they had less than two staff members dedicated to data protection management
71% of healthcare organizations had inadequate resources to protect patient data
69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss
71% of respondents did not believe the HITECH Act regulations had significantly changed the management practices of patient records
I could predict the next number in that sequence although I am neither a math whiz, nor a statistician.
70% of 65 organizations is 45. Slight deviation in the answers could come from the same 45 over and over (and over), or from the other 20, if you are a cup-is-half-full person. The extrapolated $6 billion estimate gets harder to believe when the numbers run so consistently. The webinar was today. I'll have to email him my questions.
Visa has released an updated report on security breaches. It shows clearly that, within the retail industry, level 4 franchises are being breached the vast majority of time (96-97% from January 2009 to June 2010). Restaurants and lodging/hotels make up about 35% of those breaches.
A proposed explanation for this is “Many Corporate Franchisors have traditionally fallen outside the scope of Merchant and Agent PCI DSS validation programs”. One might conclude from that statement that those who fall inside the scope of compliance are breached far less than those who are outside.
The most common breach attack vectors are said to be keyloggers and memory parsers. Default accounts, misconfigured network settings (e.g. direct remote access to a database holding cardholder information), and single-factor remote access are also cited as contributing factors. Web attacks account for a relatively small share. Eight countermeasures are suggested:
For remote access, consider two-factor authentication
Utilize host / application / network based Intrusion Detection Systems ("IDS"). Ensure a sound notification system is in place
Utilize host / application / network based Intrusion Prevention Systems ("IPS"). Ensure a sound notification system is in place
Ensure antivirus, anti-spyware and anti-malware software are up-to-date. Ensure a sound notification system is in place
Implement file integrity monitoring to detect and alert security personnel of unauthorized file changes
Periodically reboot Point-of-Sale systems to clear volatile memory
Include patch management, password management and the overall security configuration
Regular application penetration tests are essential in combating known vulnerabilities (including SQL injection, Cross-site scripting, etc.)
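Countermeasure five, file integrity monitoring, is the one on that list that is easiest to show end to end. The following is an added example written for this post (it is not Visa's code and not taken from any product): it snapshots a directory tree with SHA-256 digests plus size and permission bits, compares a later snapshot against the baseline, and turns each difference into an alert line of the kind a notification system would consume. The directory layout, file names and the "tampering" in the demo are constructed for illustration.

```python
"""
File integrity monitoring (FIM): baseline, re-scan, compare, alert.
Added example; the paths and contents in demo() are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per file: {"sha256": str, "size": int, "mode": int}
HashRecord = Dict[str, object]


def _hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, HashRecord]:
    """Snapshot every regular file under root, keyed by a '/'-separated path relative to root."""
    snapshot: Dict[str, HashRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = {
                "sha256": _hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return snapshot


def compare(baseline: Dict[str, HashRecord],
            current: Dict[str, HashRecord]) -> Dict[str, List[str]]:
    """Classify each path as added, removed, modified (content) or mode_changed (permissions only)."""
    result: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            result["added"].append(rel)
        elif new is None:
            result["removed"].append(rel)
        elif old["sha256"] != new["sha256"]:
            result["modified"].append(rel)
        elif old["mode"] != new["mode"]:
            result["mode_changed"].append(rel)
    return result


def alerts(diff: Dict[str, List[str]]) -> List[str]:
    """One log line per finding; this is what feeds the notification system."""
    return [f"FIM ALERT {kind}: {path}" for kind, paths in diff.items() for path in paths]


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed scenario: a small POS-like tree where a binary is altered,
    an unexpected file appears and a config file is made world-writable."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        exe = os.path.join(root, "bin", "pos.exe")
        cfg = os.path.join(root, "config.ini")
        with open(exe, "wb") as f:
            f.write(b"original point-of-sale binary")
        with open(cfg, "w") as f:
            f.write("[db]\nhost=localhost\n")
        os.chmod(cfg, 0o640)
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        with open(exe, "ab") as f:
            f.write(b"\x00appended bytes")
        with open(os.path.join(root, "bin", "new_unknown.dll"), "wb") as f:
            f.write(b"file that was not in the baseline")
        os.chmod(cfg, 0o666)

        diff = compare(baseline, build_baseline(root))
        return diff, alerts(diff)


if __name__ == "__main__":
    findings, lines = demo()
    print(json.dumps(findings, indent=2))
    print("\n".join(lines))
```

In practice the baseline would be signed or stored off the monitored host, the scan would run on a schedule or from a file-change hook, and the alert lines would go to the IDS/IPS notification path the report calls for rather than to stdout.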
A new category has thus been created by Visa (Corporate Franchise Servicer) to address these breaches. It will not increase requirements for any entity already validating PCI DSS compliance.
“The news that this tax credit is subsidizing exports undermines the argument that ethanol is needed to help end our oil dependency,” said Sasha Lyutse, a policy analyst at the Natural Resources Defense Council, responding in a blog post to a story first published this weekend in the Financial Times.
The ethanol exports also aren’t sitting well with food industry associations, which say that increasing ethanol use is driving up the price of corn.
“At the end of the day, we’re all trying to get the same bushel of corn,” said Kristina Butts, legislative director for the National Cattleman’s Beef Association. “This is a mature industry. It should stand on its own.”
The scanner in question was not used for air travel. Perhaps even more ironic, it was in a courthouse. Gizmodo took a cue from an EPIC lawsuit (PDF of complaint to the US DoJ) and filed a Freedom of Information Act (FOIA) request for 35,000 images saved by this one scanner under odd circumstances.
A Gizmodo investigation has revealed 100 of the photographs saved by the Gen 2 millimeter wave scanner from Brijot Imaging Systems, Inc., obtained by a FOIA request after it was recently revealed that U.S. Marshals operating the machine in the Orlando, Florida courthouse had improperly, perhaps illegally, saved images of the scans of public servants and private citizens.
This reminds me of when I worked many years ago to protect radiology images and detect leaks by staff. Anyone working in health care should hold the safety and welfare of the patient in highest regard, and yet there is a nearly constant risk of breaches and leaks to the media. The celebrity cases, Farrah Fawcett and Octomom etc., may be the best known but there are many, many others. Any image that was remotely interesting (imagine things swallowed, for example) quickly became a very high-value asset. You know what will happen when a professional sees something really interesting or funny and wants to show just one really close friend... and so information security again becomes the key to whether a product can survive.