The Federal Trade Commission announced a third delay, from August 1, 2009, to November 1, 2009, for compliance with the identity theft prevention red flags rule. The delay is for another three months. Compliance originally was scheduled for November 1, 2008, then delayed the first time until May 1, 2009.
Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.
At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.
A notice published July 29 in the Federal Register starkly demonstrates the administrative burdens of complying with the HIPAA privacy rule.
The Department of Health and Human Services published the notice as part of its intent to continue requiring documentation of compliance. The notice lists a dozen documentation requirements, such as authorization to use and disclose protected health information, and notices of privacy practices.
In total, HHS estimates an industry-wide annual reporting burden of nearly 62.3 million hours, 98% of which covers dissemination of a notice of privacy practices and patient acknowledgement. Accounting for use and disclosure of PHI makes up most of the remaining burden.
The notice is available at gpoaccess.gov/fr/index.html.
When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.
Similar talk surrounded the situations with Heartland Payment Systems, Hannaford Bros. and just about every other data breach that has happened since the Payment Card Industry Data Security Standard (PCI DSS) was first established. But the question then becomes whether PCI is truly a useful security metric if so many breached businesses seem to be compliant.
Interesting take on HIPAA:
Starting today, reporters at the Express-News and other local media outlets will not have access to emergency medical services scanner traffic. This will make their jobs harder because they won’t hear addresses where incidents occur, or the reason an ambulance is needed.
The role of the IT security professional has expanded from securing an enterprise’s information to also managing the associated risk. ISACA has responded by offering the new Information Security and Risk Management Conference, which combines the most timely material from two of ISACA’s well-regarded security-related conferences.
ISACA, a nonprofit association serving 86,000 IT governance professionals, will host the Information Security and Risk Management Conference in Las Vegas, Nevada, USA, on 28-30 September 2009. The all-encompassing event is designed for all levels of IT security professionals.
Last September, California enacted the toughest patient privacy protections in the country, even tougher than HIPAA. They include specific penalties for medical-record snooping, rules requiring providers to report breaches far more quickly than HIPAA and requirements that safeguards like passwords be put in place. The new laws even establish a new state office supervising patient privacy and imposing fines when violations occur.
Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals’ credit card information.
Approximately 4,343 e-commerce websites were affected by the breach. Network Solutions could not disclose which merchants were affected but said the victimized merchants sell a wide variety of merchandise and are primarily small businesses.
Credit card numbers compromised in an attack against Web hosting provider Network Solutions expose one of the security problems faced by cloud computing. The company says its infrastructure complied with Payment Card Industry (PCI) standards when the data was possibly stolen via software installed on its servers.
Two credit-card payment processors are offering to cover merchants’ fines and penalties in the event of a data breach.
However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage.