The Most Alarming Fact About HIPAA Audits (Part 5)

by Daniel J. Solove, TeachPrivacy
Thursday, October 23, 2014

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach. What the audits thus far have revealed is quite alarming.

Android’s recent encryption announcement doesn’t protect your data

by Karen Evans, KE&T Partners
Wednesday, October 22, 2014

Apple’s default encryption announcement contained a notable distinction in the fine print. They promised not to read the content of your email messages. Not only will Apple’s default encryption protect your email from being accessed by governmental entities without permission, but Apple will not retrieve or use the content of your email for their own purposes. Android’s announcement did not offer the same protection to users. They did not make the same pledge, which could be related to the fact that Google’s main source of revenue is derived from ad placements based on the content of user emails and searches.

How effective is cloud-provided encryption?

Paige Leidig, SC Magazine, Tuesday, October 21, 2014

As concerns continue to mount over data breaches, data security, and regulatory compliance, particularly in public cloud environments, a growing number of cloud service providers (CSPs) are stepping up to the plate with beefed-up encryption offerings to assuage their customers' concerns. The additional encryption these CSPs now provide can certainly aid in protecting sensitive data from some types of attacks, but is CSP-provided cloud data encryption enough to secure your data and achieve compliance?

Russia and China to join forces as cyber superpowers

Russia Direct, Tuesday, October 21, 2014

Russia and China could soon sign an agreement on cooperation in the field of cybersecurity, a move that some see as an attempt to reduce American influence in the information technology field.

Hacks, CDM continue to push cyber to forefront of CIOs' priorities

Jason Miller, Federal News Radio, Tuesday, October 21, 2014

The Customs and Border Protection directorate in the Homeland Security Department is taking a two-pronged approach to protecting its systems and data in the cloud. First, CBP is relying on third-party audits of cloud service providers through the Federal Risk Authorization and Mitigation Program (FedRAMP). Second, it's sending its own staff of experts in to audit how vendors protect systems and government data. CBP's focus on cyber in the cloud and really across the board follows the ever-growing trend across government. Now more than ever, federal chief information officers are paying more attention to cybersecurity.

The Brave New World of HIPAA Enforcement (Part 4)

by Daniel J. Solove, TeachPrivacy
Monday, October 20, 2014

The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS).

Chinese government launches man-in-middle attack against iCloud

Sean Gallagher, Ars Technica, Monday, October 20, 2014

GreatFire.org, a group that monitors censorship by the Chinese government’s national firewall system (often referred to as the “Great Firewall”), reports that China is using the system as part of a man-in-the-middle (MITM) attack on users of Apple’s iCloud service within the country. The attacks come as Apple begins the official rollout of the iPhone 6 and 6 Plus on the Chinese mainland. The attack, which uses a fake certificate and Domain Name Service address for the iCloud service, is affecting users nationwide in China. The GreatFire.org team speculates that the attack is an effort to help the government circumvent the improved security features of the new phones by compromising their iCloud credentials and allowing the government to gain access to cloud-stored content such as phone backups.
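The attack described above works because a spoofed DNS answer steers the client to a host that presents a certificate for the iCloud name it does not legitimately hold. A client that pins the expected leaf certificate hash, refuses self-signed leaves, and checks the name itself will notice the swap even if the system trust store has been tampered with. The following is an added example in Python (standard library only), not code from the Ars Technica article or from GreatFire.org; the hostname, the DER byte strings standing in for certificates, the pin set, and the certificate dictionaries (shaped like `ssl.getpeercert()` output) are constructed for the demo, and the assumption that the fake certificate is self-signed is made only to illustrate that check.

```python
"""Client-side checks that surface a certificate-swapping MITM.

Added example, not from the article. Constructed inputs are labelled below.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate (what you would pin)."""
    return hashlib.sha256(der).hexdigest()


def is_self_signed(cert_info: dict) -> bool:
    """ssl.getpeercert() returns 'subject' and 'issuer' as RDN tuples;
    a leaf whose issuer equals its subject was not issued by any CA."""
    return cert_info.get("subject") == cert_info.get("issuer")


def hostname_matches(cert_info: dict, host: str) -> bool:
    """Match host against DNS subjectAltName entries; a '*.' wildcard
    covers exactly one label (RFC 6125 style), so *.icloud.com does not
    cover a.b.icloud.com."""
    host = host.lower()
    names = [v.lower() for k, v in cert_info.get("subjectAltName", ()) if k == "DNS"]
    for name in names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def check_peer(der: bytes, cert_info: dict, pins: set[str], host: str) -> list[str]:
    """Return a list of problems; an empty list means the leaf is acceptable."""
    problems = []
    if sha256_fingerprint(der) not in pins:
        problems.append("fingerprint-mismatch")
    if is_self_signed(cert_info):
        problems.append("self-signed")
    if not hostname_matches(cert_info, host):
        problems.append("name-mismatch")
    return problems


def probe(host: str, pins: set[str], port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live version: connect with normal chain validation, then apply the pin.
    A self-signed leaf fails chain validation here; a leaf minted by a CA
    that was slipped into the trust store passes validation but fails the pin."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checked
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # With CERT_NONE getpeercert() would return {}, so validation stays on.
                return check_peer(tls.getpeercert(binary_form=True),
                                  tls.getpeercert(), pins, host)
    except ssl.SSLError as exc:
        return [f"chain-untrusted: {exc.__class__.__name__}"]


# ---- constructed sample data (stand-ins, not real certificates) ----
HOST = "www.icloud.com"
GENUINE_DER = b"\x30\x82\x05\x11constructed-genuine-leaf-der-bytes"  # constructed
PINS = {sha256_fingerprint(GENUINE_DER)}  # what the client ships with
GENUINE_INFO = {  # constructed, shaped like ssl.getpeercert()
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "Constructed Example Issuing CA"),),),
    "subjectAltName": (("DNS", "www.icloud.com"), ("DNS", "*.icloud.com")),
}
MITM_DER = b"\x30\x82\x02\x7fconstructed-mitm-leaf-der-bytes"  # constructed
MITM_INFO = {  # constructed; self-signed is an assumption for the demo
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "www.icloud.com"),),),
    "subjectAltName": (("DNS", "www.icloud.com"),),
}

if __name__ == "__main__":
    print("genuine:", check_peer(GENUINE_DER, GENUINE_INFO, PINS, HOST))
    print("mitm:   ", check_peer(MITM_DER, MITM_INFO, PINS, HOST))
```

The offline `check_peer` is the part worth keeping: the pin defeats an attacker who controls DNS and can get a browser-trusted certificate, and the self-signed and name checks catch the cruder case GreatFire.org observed where users were shown warnings. Pin the leaf only if you also ship a backup pin for the next rotation; pinning an intermediate or the SPKI hash is the usual production compromise.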

Will new commercial mobile encryption affect BYOD policy?

Adam Mazmanian, FCW, Monday, October 20, 2014

While law enforcement is up in arms about new default data encryption on Apple iOS and Google Android devices, experts say the policy could have some benefits for federal mobility as well.

Stop worrying about mastermind hackers. Start worrying about the IT guy.

Andrea Peterson and Craig Timberg, Washington Post, Friday, October 17, 2014

Mistakes in setting up popular office software have sent information about millions of Americans spilling onto the Internet, including Social Security numbers of college students, the names of children in Texas and the ID numbers of intelligence officials who visited a port facility in Maryland. The security problem, researchers say, has affected many hundreds of servers running popular Oracle software, exposing a peculiar melange of data to possible collection by hackers. Most of the institutions affected have been universities or government agencies, though they hold a wide range of information on individuals and private companies.

Who Are the Privacy and Security Cops on the Beat? (Part 3)

by Daniel J. Solove, TeachPrivacy
Monday, October 13, 2014

In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws that impact different types of information. Some laws are exclusively enforced by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively with a private right of action – the ability of individuals to bring lawsuits. Several laws have criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA) which is enforced by two agencies plus private rights of action.