Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues and offers some conjecture as to how the breach may have been carried out. One part of it definitely caught my eye, because it is closely related to some of the work we get called on to do on a regular basis. That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base[…]

This article describes the HIPAA information access management requirements for accessing electronic protected health information. The relevant subsection of the HIPAA law is §164.308(a)(4). Section §164.308 of the Health Insurance Portability and Accountability Act describes the administrative safeguards that a covered entity must employ. This article will explore section §164.308(a)(4), which deals with ensuring that appropriate authorization mechanisms are in place when electronic protected health information (ePHI) is accessed.

HIPAA Information Access Management

“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.” [§164.308(a)(4)]

A covered entity is responsible for isolating and guarding ePHI from unauthorized access. This section outlines the implementation requirements of a covered[…]

I recently got directed to this article called First-Hand Experience with a Patient Data Security Breach. It is a really good breakdown of the elements of what happens during a breach and the subsequent events. It starts with the theft of a laptop from an employee’s car. After the theft was reported, they looked at a recent backup of the machine and learned that the laptop contained data files about healthcare patients. Well, not directly. It contained logs of problems with health information systems, and within those logs were the healthcare records. Oops. While the laptop did not belong to a healthcare provider directly, it still managed to have files that were important and potentially could result in a breach according to[…]

The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and in retrospect, they are actually predictable. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example used in the Wired article of having your identity stolen by hackers. It is rare enough that many of us will probably never experience it. Some cases have an extreme impact, such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped. And as this blog and any number of[…]

An attack on the South Carolina Department of Revenue exposed 3.6 million social security numbers, and about 387,000 credit and debit card numbers of South Carolina residents. Data breaches like this are so common, they are barely newsworthy… and we certainly try not to cover every single data breach event on this blog. However, today’s followup to the story is what made it interesting. Governor Nikki Haley went on the record in a press conference trying to defend their lack of good practices. I’ve embedded the video below and hopefully it will start at the good part, 12:43 into the video: This is a really good example of sending the wrong kind of message. I understand her desire to defend[…]

Data leaks in very interesting ways. The other night I was watching one of the political conventions, and the camera crew of the station I was watching loved to cut away from the speaker to catch glimpses of the crowd reactions. When I saw this image, I thanked %deity% for my TiVo, paused, and rewound a bit. Then, I took a picture of the TV with my cellphone. Sure enough, this woman – Edith Byrd – is proudly showing the camera her Medicare card. And, the broadcaster is sending out a full 1080p high definition signal, meaning that I could read every detail of the woman’s card. (It’s far more readable on my TV than in this picture.) I see[…]