Monthly Archives: February 2010

Wyndham hotels hacked again

Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.

The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.

via Wyndham hotels hacked again.

Breaches Affecting 500 or More Individuals

Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

The Methodist Hospital

State: Texas

Approx. # of Individuals Affected: 689

Date of Breach: 1/18/10

Type of Breach: Theft

Location of Breached Information: Computer

via Breaches Affecting 500 or More Individuals.

32 Large Patient Data Breaches Since September, Says OCR

OCR posted on its Web site a list of covered entities this week that have reported breaches of unsecured PHI affecting more than 500 individuals, fulfilling its obligation under HITECH.

The HHS organization, which oversees enforcement and compliance of the HIPAA privacy and security rules, reports that since September 22, 2009, 32 covered entities have reported breaches that affected at least 500 individuals.

via 32 Large Patient Data Breaches Since September, Says OCR.

How to Implement Secure, PCI-Compliant Access Controls – Security from eWeek

For instance, Section 7 of the Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data is restricted access by business “need-to-know.” This means that access rights are granted to only the least amount of data and privileges needed to perform a job. Section 7.1 of the PCI DSS limits access to system components and cardholder data to only those individuals whose job requires such access

via How to Implement Secure, PCI-Compliant Access Controls – Security from eWeek.

PCI Council Changes Its Audio Recording Policy, Again

Saying that it was “a result of additional market feedback,” the Council ruled that digital recordings would not be considered in scope if the retailer can prove that the data in question can’t be queried. “The Council is now saying that call centers can keep this data—even if digital—so long as they protect it per PCI.

via StorefrontBacktalk » Blog Archive » PCI Council Changes Its Audio Recording Policy, Again.

CXOtoday.com > IT-GRC Solution on Cloud

There is built in framework support for RBI Compliance, NSE, BSE, MCDEX, PCI, ISO, COBiT, SOX, BASEL II, HIPAA, FISMA, and other country specific frameworks which are ready to use. SecureGRC has a not-so-far-seen value-add in terms of integrating, synergizing and transforming information from various sources into alert raising actionable solutions, helping in identifying the source of the attempted attack through pattern and correlation analysis, and plugging the loop hole before it takes major dimensions.

via CXOtoday.com > News > Web Technologies > Government > eGestalt’s Security and IT-GRC Solution on Cloud.

Offshore HIPAA Business Associates Pose Extra PHI Risks, but Have Incentives to Self-Regulate

As providers move to cut operational costs, many are taking their business associate (BA) dealings offshore. And while sending protected health information overseas can be a risky endeavor for patients and health care organizations, one expert says the process has built-in safeguards, including financial motivators on the BA side, which can make working with offshore business associates as safe — if not safer — than working with those in the U.S.

via Offshore HIPAA Business Associates Pose Extra PHI Risks, but Have Incentives to Self-Regulate.

PCI Security Standards Council readying new payment-card security standard

The Payment Card Industry data security standards, which influence design of networks where sensitive payment-card account data is stored, are expected to be further revised by the PCI Security Standards Council over the next few months.

Bob Russo, general manager of the PCI Security Standards Council, says that by early summer the organization expects to be able to issue a summary for a new PCI standard, which would go into effect in about October.

via PCI Security Standards Council readying new payment-card security standard.

PCI Compliance: What You Don’t Know CAN Hurt You | Guest Opinions | ITBusinessEdge.com

… data like Social Security numbers, medical records and credit card information tied to an individual — that hackers got access to skyrocketed to 220 million records in 2009, compared with 35 million in 2008. That represents the largest collection of lost data on record.

via PCI Compliance: What You Don’t Know CAN Hurt You | Guest Opinions | ITBusinessEdge.com.