Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Duh! Do you think Facebook is influencing politics?

Posted in eCommerce, Social Media

According to Pew “44 percent of Americans read or watch news on Facebook” so you might be interested to see the August 24, 2016 New York Times article entitled “Inside Facebook’s (Totally Insane, Unintentionally Gigantic, Hyperpartisan) Political-Media Machine” which highlights Facebook political activities.  The article included these comments about Facebook news:

The news feed is designed, in Facebook’s public messaging, to “show people the stories most relevant to them” and ranks stories “so that what’s most important to each person shows up highest in their news feeds.”

It is a framework built around personal connections and sharing, where value is both expressed and conferred through the concept of engagement.

Such news exists primarily within users’ feeds, its authorship obscured, its provenance unclear, its veracity questionable. It exists so far outside the normal channels of news production and distribution that its claims will go unchallenged.

Connecting all of these dots certainly points to Facebook’s political prowess.

Cyber Pain Points: Failure to get buy-in for Incident Response Plan (IRP) in the top 10!

Posted in Cyber, IT Industry

A recent report indicated that IRPs “are frequently developed from within departmental silos, for example, within the organization’s IT security function, and do not address the considerations of business units or cross functional areas needed to coordinate and operate together during a response. This not only leads to an uncoordinated response effort, but discourages buy-in from all business units that are expected to be involved in the response effort.”  The report is Delta Risk’s April 2016 “Top 10 Cyber Incident Pain Points: Are You Prepared?”, which lists this as Pain Point #2, “Incident response plans lack cross-organizational considerations and buy-in,” and adds this observation:

Integrated incident response plans, which account for the differences in the way business units respond, or those organizations which have standardized incident response across their functional business areas, are typically more successful during incident response scenarios.

Here’s the list of all 10 Pain Points:

  1. Lack of a cross-functional “incident commander” to coordinate response across the organization
  2. Incident response plans lack cross-organizational considerations and buy-in
  3. Limited data classification guidance to help determine severity and guide incident response activities
  4. Ill-defined processes (aka “pre-thought use cases”) for responding to high impact incidents
  5. Lack of defined checklists or step-by-step procedures, including contact lists for response
  6. Lack of consideration of the business impact when determining courses of action for response
  7. Ill-defined or mixed use of event and incident taxonomy between responders
  8. Lack of defined thresholds between events and incidents to aid in decision making
  9. Limited or lack of pre-determined (aka “pre-canned”) external communication statements
  10. Lack of training and exercise of “memory muscle” for the most likely or high risk incidents

It’s critical that all businesses plan their IRPs and training better, and address the other 8 Pain Points as well!

How does FUD (Fear, Uncertainty, and Doubt) help businesses learn about cyber threat intelligence?

Posted in Cyber, eCommerce

No surprises in a recent report that “cybercriminals utilize all forms of intelligence to exploit the weakest link as an attack vector…” and, as a result, “almost every business is a target for malicious cyber attacks and the need for cyber security is an important part of protecting an organization’s reputation and financial vitality.”  InfoArmor’s June 2016 report entitled “Threat Intelligence: Understanding What It Is and Why You Need It” predicted that by 2018 “60% of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies,” and described the components of such a service, including Vulnerability Intelligence:

Identifying threats from vulnerabilities from public-facing (external) hosts is extremely important, as network-based and application-level vulnerabilities can easily go undetected within an organization’s IT infrastructure. Making a connection between these vulnerabilities and networks activities is extremely valuable, as they can result in catastrophic damage and data exfiltration within the infected host, as well as compromise others that interact with them.

Here are all 7 of InfoArmor’s key determiners:

  • Advanced Intelligence
  • Risk Intelligence
  • Security Intelligence
  • Vulnerability Intelligence
  • eCrime Intelligence
  • Compromised Credentials
  • Access to Research Analysts and Investigative Services

Given all the cybercrime on the Internet, it is critical that all businesses use such Threat Intelligence wisely.

HIPAA penalty of $5.5 million seems like a lot, but it’s only $1.375 per patient!

Posted in Cyber, IT Industry

With 4 million patient records exposed, this was the largest fine to date for a breach of ePHI (electronic Protected Health Information), which included “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.”  On August 4, 2016 the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced its settlement with Advocate Health Care Network (Advocate) after an investigation that began in 2013, based on 3 breach notification reports, into Advocate’s failure to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

The OCR reported that “Advocate is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals.”  OCR Director Jocelyn Samuels said of the resolution agreement and corrective action plan:

We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,…

This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.

Surely we will see more HIPAA violations and penalties, so stay tuned.

Russia fines Google $6.8 million for Android antitrust violation!

Posted in eCommerce

Even though “…Yandex retains more than 50 percent of the market for internet search, according to industry statistics”, Russia fined Google because “Google’s rivals had not been able to include their own offerings, like digital maps or search.”  Little surprise that the New York Times reported that Google denied any wrongdoing,

…saying that it competes on equal terms with companies like Yelp and Microsoft, among others.

It also says that cellphone makers are free to use Android-based services provided by rivals.

Google does not make money directly from licensing the mobile operating system to companies, but it takes a cut from advertisements displayed on online searches.

The Russian fine may just foretell the future, since there are antitrust claims pending in the EU, where Google accounts for about 90% of Internet searches.

Delta Airlines – Cyberattack or power failure – seems a lot like Southwest’s alleged router failure?

Posted in Cyber, eCommerce

The New York Times reported “at least 858 cancellations and 7,359 delays across the global industry on Monday morning” in less than 5 hours, attributed to a power outage at 2:30am EDT. But Delta’s story does not pass the smell test, coming so soon after Southwest Airlines’ recent claim that a single router was a single point of failure.  The New York Times reported Delta’s statement on the worldwide IT disaster:

We are aware that flight status systems, including airport screens, are incorrectly showing flights on time,… We apologize to customers who are affected by this issue, and our teams are working to resolve the problem as quickly as possible.

Time will tell, but Delta’s alleged power outage that led to an IT problem is probably a cyberattack!

The 10 Commandments of Internet Ethics

Posted in eCommerce, IT Industry

When reading Wikipedia’s 1992 Ten Commandments of Computer Ethics you can easily substitute “Internet” for “computer,” and it’s amazing what you see; for example, the 1st Commandment becomes “You shall not use the Internet to harm other people.”  Here are all Ten Commandments of Internet Ethics (with my minor edits):

  1. You shall not use the Internet to harm other people.
  2. You shall not interfere with other people’s Internet work.
  3. You shall not snoop around in other people’s Internet files.
  4. You shall not use the Internet to steal.
  5. You shall not use the Internet to bear false witness.
  6. You shall not copy or use proprietary software for which you have not paid (without permission).
  7. You shall not use other people’s Internet resources without authorization or proper compensation.
  8. You shall not appropriate other people’s intellectual output.
  9. You shall think about the social consequences of the program you are writing or the system you are designing.
  10. You shall always use the Internet in ways that ensure consideration and respect for your fellow humans.

For those of us who used the Internet in 1992, it’s great to see that the 1992 Ethics of the Internet (from the Computer Ethics Institute) still apply in 2016!

Cybercriminal data breaches in Healthcare may exceed a whopping $6.2 billion!

Posted in Cyber, eCommerce, IT Industry

Ponemon reported that “over the past two years the average cost of a data breach for healthcare organizations is estimated to be more than $2.2 million. No healthcare organization, regardless of size, is immune from data breach.”  The “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” which drew on data from 91 Covered Entities and 84 Business Associates, included this alarming information about healthcare’s ability to properly protect ePHI (electronic Protected Health Information):

Data breaches in healthcare are increasingly costly and frequent, and continue to put patient data at risk. Based on the results of this study, we estimate that data breaches could be costing the healthcare industry $6.2 billion.

For the second year in a row, criminal attacks are the leading cause of data breaches in healthcare. In fact, 50 percent of healthcare organizations say the nature of the breach was a criminal attack and 13 percent say it was due to a malicious insider.

This news is consistent with other reports and is a primary reason for aggressive HIPAA enforcement by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).

Unencrypted PHI (Protected Health Information) on iPhone leads to $650,000 HIPAA penalty!

Posted in eCommerce, Internet Privacy, IT Industry

The HIPAA violation, by a Business Associate operating under Business Associate Agreements (BAAs), resulted from extensive PHI on an iPhone which “included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information,” according to a recent report from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services.  The $650,000 settlement included a remediation plan for the Business Associate, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), which under BAAs “provided management and information technology services as a business associate to six skilled nursing facilities.”  The report included this surprising information:

At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.

In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.

This report should be a wake-up call to all Covered Entities and Business Associates covered by HIPAA.

HIPAA News Update: Ransomware reporting requirements have been issued!

Posted in Cyber, eCommerce, Internet Privacy

“The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals,” and as a result the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a Fact Sheet on July 11, 2016 entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The OCR made it clear that if a Covered Entity has already properly encrypted its ePHI (electronic Protected Health Information), a ransomware infection does not trigger HIPAA breach notification (it is still a security incident that must be handled under the entity’s response procedures). This was explained in the answer to Question #8, “Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?”: if the ePHI is

…encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.

One caveat the Fact Sheet itself makes, which practitioners should note: the ePHI must actually have been encrypted at the moment the ransomware ran. Full disk encryption, for example, only protects a powered-off device; once a user has authenticated, the data is exposed to any malware running in that session, so the entity cannot rely on that encryption to avoid the breach risk assessment.

The OCR Fact Sheet explained the rules regarding Ransomware for HIPAA by answering these 8 questions:

  1. What is ransomware?
  2. Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?
  3. Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
  4. How can covered entities or business associates detect if their computer systems are infected with ransomware?
  5. What should covered entities or business associates do if their computer systems are infected with ransomware?
  6. Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
  7. How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?
  8. Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?

SC Magazine reported that the OCR issued the Ransomware guidelines in response to a June 2016 letter from US Representatives Ted Lieu (California) and Will Hurd (Texas) urging HHS “to develop ransomware guidelines.”