Monthly Archives: February 2009

Hackers Crack FAA

The personal information of more than 45,000 Federal Aviation Agency employees and retirees was exposed to possible identity theft. The FAA reports that the hacked server was not connected to the air traffic control system or any other FAA operational system.

Just a day after President Obama ordered a comprehensive review of the government’s cyber security systems, the FAA (Federal Aviation Agency) reported Feb. 10 that hackers illegally accessed an agency computer and stole employee personal identity information. The FAA said in a statement that the hacked server was not connected to the operation of the air traffic control system or any other FAA operational system.

According to the FAA, two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006. All affected employees will receive individual letters to notify them about the breach.

“The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information,” stated the FAA. “The agency is also providing a toll-free number and information on the employee website for those who believe they may be affected by the breach.”

The FAA did not state when the breach occurred. The FAA was not immediately available for further comment.

The number of reported data breaches in the United States jumped nearly 50 percent in 2008, according to the ITRC (Identity Theft Resource Center). All totaled, there were 656 breaches reported last year, up from 446 in 2007. The breaches led to nearly 35.7 million records being exposed. 

According to the ITRC, only 2.4 percent of all the data breaches had the information secured by encryption or other strong protection methods. Just 8.5 percent had the exposed data protected by passwords.

“Our sense is that two things are happening – the criminal population is stealing more data from companies and that we are hearing more about the breaches,” the ITRC said in a statement. “ITRC has been tracking breaches since 2001. One thing we absolutely can say is that [data breaches are] not a new problem.”

“The national security and economic health of the United States depend on the security, stability and integrity of our nation’s cyberspace, both in the public and private sectors,” John Brennan, assistant to the president for Counterterrorism and Homeland Security, said in a White House statement. “The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties.”

Hackers Crack FAA.

NIST releases draft guidelines for FISMA compliance

The National Institute of Standards and Technology (NIST) on Thursday released new guidelines to help federal agencies comply with the Federal Information Security Management Act (FISMA).

The document, titled “Recommended Security Controls for Federal Information Systems and Organizations,” is in its third revision, but this is the first major update since its initial publication in December 2005. NIST is accepting comments on the document until March 27, Ron Ross, the organization’s FISMA implementation project leader, told SCMagazineUS.com Friday.

“During the past three years we have learned a lot from our federal agencies implementing these controls,” Ross said. “[The revisions are] based on new threats we are seeing and the type of cyberattacks that are ongoing within our federal agencies.”

Ross said the federal government, the private sector and companies abroad are encouraged to review and comment. NIST likely will put out a final draft before the document is finalized for release around April.

“We like to make sure our customers are part of the process because they have to implement this stuff — so we want to get their perspective with everything we do,” Ross said.

Changes to the document include: a restructuring of the security control catalog to include guidance requirements that were previously supplemental; adjusted security control/control enhancement allocations in the low-, moderate- and high-impact baselines; added security control enhancements for advanced cyberthreats, including supply chain threats; and elimination of redundant security controls/control enhancements.

“The biggest improvement is the addition of the new controls and control enhancements with regard to the new threats we are seeing,” Ross said.

Security program management controls were added relating to capital planning, budgeting, enterprise architecture and risk management. Additional guidance was added for the management of common controls.

A revised and simplified six-step risk management framework also was incorporated, in addition to a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards.

This will help align the federal law with standards that are generally accepted by corporations, Christopher Fountain, president and CEO of SecureInfo, provider of information assurance solutions for the federal government, told SCMagazineUS.com Friday in an email.

“It begins to incorporate [ISO 27001] that is generally accepted in the private sector,” he said. “Since the private sector controls over 90 percent of the nation’s critical infrastructure, which depends heavily on complex networks and systems, having common standards to secure all networks and systems across the public and private sectors is much needed.”

via NIST releases draft guidelines for FISMA compliance – SC Magazine US.

ATM heists linked to RBS WorldPay data breach

A data breach at US electronic transaction firm RBS WorldPay has been linked to a gang that used debit cards to steal millions of dollars from ATMs.

The FBI has released images of thieves believed to be part of a gang that took money from ATMs in 49 cities around the world using cloned debit cards in late November.

The thefts stemmed from a data breach at RBS WorldPay in early November, in which hackers stole the personal data of 1.5 million cardholders, according to the Washington Post.

The thefts, which come within weeks of a data breach disclosure by Heartland Payment Systems, highlight the vulnerability of data processed by these firms.

Heartland, which is being sued for failing to protect customers from identity fraud, has announced a dedicated department to encrypt data on all its systems.


Despite Heartland being compliant with the Payment Card Industry Data Security Standard (PCI DSS), cybercriminals were able to gain access to its systems.

The PCI DSS does not currently require that credit card data be encrypted on internal networks; Heartland says it will now implement such encryption regardless.

Robert Carr, chief executive of Heartland, has defended the PCI DSS as a good standard, but said increasingly sophisticated attacks demand end-to-end encryption.

Encryption of data in motion between internal systems is the next logical step according to Carr, but he said constant monitoring will always be required.

Carr has called for greater information sharing in the payments industry to prevent cybercriminals from re-using techniques in multiple attacks.

via ATM heists linked to RBS WorldPay data breach | 6 Feb 2009 | ComputerWeekly.com.

Nosy nurse runs afoul of HIPAA regulations – Cortlandt Forum

Breaching the privacy of a patient’s records could send her to jail and jeopardize the entire clinic.

What began as “harmless” poking through medical records ended in an arrest and possible jail time for a licensed practical nurse who shared a patient’s medical information. She put her physician-employer in jeopardy too.

Ms. A, 29, had worked at a midsize regional clinic for five years. While she enjoyed her job and got on well with Dr. P, her supervisor, she was known to bemoan what she saw as low pay and to mention that she and her husband were suffering some financial strain. That strain intensified when her husband was in an auto accident and then sued by the people in the other car seeking compensation for their injuries. 

One day, as Ms. A was flipping through charts to straighten up the files, she came across a chart bearing the name of the plaintiff in her husband’s lawsuit. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file.

That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she’d taken earlier. “I think these will help,” she said.

The following day, Mr. A phoned the man who was suing him. During the conversation, Mr. A made it known that he had medical information which he believed weakened the man’s case. Mr. A suggested that the man consider dropping the lawsuit.

After getting off the phone with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney. 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed the staff that no breach of these laws would be tolerated under any circumstances.

Meanwhile, Ms. A’s problems were just beginning. The district attorney forwarded the patient’s complaint to a federal prosecutor, and within a month both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. 

The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. After a great deal of soul-searching, Ms. A pleaded guilty to one count of wrongful disclosure. In exchange, the charges against her husband were dismissed. 

Ms. A is currently awaiting sentencing. She faces up to 10 years in prison, a fine as high as $250,000, and as many as three years of supervised probation. Meanwhile, the state nursing board is seeking to revoke her license.

Legal background

Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violations have been filed. Most of these complaints (approximately 80%) have been resolved. 

About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and the government gears up for these types of cases. 

While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example, or a computer glitch that reveals information on the Internet—Ms. A’s violation struck at the heart of what HIPAA is supposed to prevent. She accessed patient records, gathered information, and then provided that information to someone else, knowing full well that it would be used against the patient’s interest. Her prosecution was meant to set an example and warn HIPAA-covered entities that the regulation is serious and must be upheld.

Protecting yourself

Ms. A’s actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible:

    —Dr. P fired her on the spot after the patient notified him of the breach.

    —Then, without delay, he called a meeting to educate staff members—both clinical and clerical—about HIPAA, its purpose, the importance of patient privacy, and what can happen in the event of a violation.

As an employer, it is essential that you not wait for an incident. The best way to protect yourself is to ensure that your employees understand HIPAA regulations.

    —Educate your employees upon hire and periodically thereafter.

    —Keep written records detailing clinic policy and include it in all employee manuals or handbooks.

Ms. Latner, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.

Nosy nurse runs afoul of HIPAA regulations – Print Article – Cortlandt Forum.