When it’s a customer service announcement. At least that’s what one in-flight internet on demand service provider claimed. So, the first thing to understand is that there is no reason to believe that customer information was actually compromised. On the other hand, as Bruce Schneier points out in Liars and Outliers, society runs on trust …
Tag Archives: HIPAA
Security and Privacy walk into a bar…
There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I. They come …
In Defense of Compliance
We read it everywhere: “compliance is not enough”. “Security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well-intentioned attitude of …
How to lie with risk analyses
How to Lie with Statistics was written by Yale Professor Darrell Huff in 1954. Now, 60 years later, many things he described as misuse of statistics are commonplace. He considered it ridiculous, for example, to take the combined years of work experience of the people at a company and add them together and say that the …
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something How …
One hand washing the other
Can the HIPAA Security Rule learn something from the HIPAA Privacy Rule? When it comes to encryption at the application security level: yes. First, one of my particular soapboxes: in a world where medical records are increasingly found in digital form, the HIPAA Security Rule and the HIPAA Privacy Rule cannot be minded by two …
The Winter of our discontent
Can information security professionals be satisfied? Ever? Yes. But should they be? Ever wonder if Advanced Persistent Threats came into the world in part because the information security profession became more and more predictable? Or worse: commoditized, as I will discuss below. Lately, as corporate web sites from multiple industries in virtually every continent are …
Raising the stakes by lowering them
The HIPAA Security Rule’s most significant flaw was on display recently. Hospice of Northern Idaho (HONI) has settled with the Federal Government for $50,000 to close out the case of a stolen unencrypted laptop that had the electronic protected health information of 441 patients on it. Media attention focused on the fact that this was the …
US Privacy Law chaos
Dr. Solove illustrates the core of the problem. http://www.linkedin.com/today/post/article/20121024165918-2259773-the-chaos-of-us-privacy-law