Privacy Parking Tickets & Technology

Parking Tickets, Technology and the Driver Privacy Protection Act, 18 U.S.C. §2721 et seq. (“DPPA”)

Consider a parking ticket of the kind where a peace officer, or other public safety official, electronically looks up your vehicle registration, pulls your driver’s license information, combines the two, prints all of the results neatly on a piece of paper, places it unprotected on your windshield and then leaves. From a privacy and security perspective this seems problematic, but it may be a good example of technology outpacing standards, the "what can we do?" outpacing the "how should we do it right?" It may also be a violation of the DPPA, or at least of the goals Congress promulgated when it passed the act.

Not only does the ticket-writing official query protected personal information (presumably wirelessly), information which is typically not releasable without explicit consent, but they then print that information on a piece of thermal paper and place it on the windshield of your car for anyone in the public realm to see. Think of it as a calling card with all your personal information available to anyone with a curious mind.

Ask yourself if you would mind if the below information was queried, printed out and left at a coffee shop unprotected and open for anyone to see:

Complete drivers license number, full name (first name, middle name, last name), home address, date of birth, height, weight, eye color, gender, and your vehicle type, vehicle make, model, color and license plate information.

This type of thing is happening every day, and it is likely the result of the fast pace of technology offerings and their adoption, with the tools not being properly used and/or configured to print only the most reasonable set of information. From a security perspective we would ask, inter alia: is the request made securely, what type of encryption is used, are the users of the machines tracked by their individual ID or by a generic ID shared by many, and is each query tracked? Also, how are we to know whether our information was reviewed when it is left on a public street? Finally, we would ask whether there is a way to print less information and still meet the intent of the parking ticket.

The Driver Privacy Protection Act, 18 U.S.C. §2721 et seq. (“DPPA”) of 1993, upheld by the U.S. Supreme Court, and which appears even more relevant today given the rise of identity theft, is supposed to protect the information identified above from being publicly available.

The lesson for companies is this: the next time you or your company is presented with great new uses of technology, information mining, database access and the like, a key first question must be, “okay, great, how can we do this to help our business without causing our business undue problems with handling the data, and with privacy, security or other compliance laws as they relate?”


Joshua W. Carlson, Esq.

Mr. Carlson is a data security and data privacy attorney and advises companies on security, privacy and compliance in areas such as SOX, GLBA, FISMA, HIPAA, HITECH, PCI-DSS and other areas.

Comments (1) Added by jcarlson January 24, 2012 (2:40PM)

Health Care Privacy Panel Addresses Information Assurance

The First Annual Health Privacy Summit will take place on November 30, 2011 and is hosted by Medtronic at their Minneapolis headquarters. Chad Boeckmann, President of Secure Digital Solutions will host a special panel discussion addressing Protected Health Information (PHI) Incident Management with Business Associate Agreements. Mr. Boeckmann will facilitate the discussion with an organization responsible for vendor assurance.


The panel will address business cases in which the Business Associate (BA) is not well informed or equipped to detect data breach incidents, is reluctant to harm the relationship, or conducts a disagreeable risk assessment. The discussion will seek to identify a collaborative reporting model that yields positive results.


According to a report by the Ponemon Institute titled “True Cost of Compliance”, the health care industry loses an average of 43,869 records over a 12-month period. Compared with other industries, such as the financial industry at an average of 21,776 records lost or stolen and technology at 71,737 records lost or stolen, the health care industry appears to be average in terms of records lost or stolen in a 12-month period.


“Over ten percent of data breaches reported in the past five years have involved a health care service provider. Under HITECH regulations, business associates now must comply with the HIPAA Security Rule and report these incidents to their covered entities. But are they doing this? We need to create better processes to manage and report incidents,” says Mr. Boeckmann.


Secure Digital Solutions is a Minnesota-based information security and compliance management firm. With a focus on building efficiencies through expert knowledge, SDS delivers information security, privacy and compliance management services.

Added by admin November 23, 2011 (2:01PM)

NEW POLL - Meaningful Use requirements in 2011

Eligible hospitals and CAHs looking to meet eligibility requirements for Meaningful Use are seeing the reporting year coming to a close. How has this impacted your organization? We want to hear from you . . .

Take the poll.

Added by admin November 10, 2011 (2:01PM)

INDUSTRY RESEARCH - Approach to Information Security and Compliance

Approach to Information Security & Compliance - Measure your security program investment, initiatives and maturity with that of your peers in same or similar industry. Garner leverage for those security or compliance projects that need the attention they deserve.

Take the survey.


Added by admin October 3, 2011 (9:40AM)

NEW PRESENTATION - Leading Practices For Regulatory Compliance Programs

A new presentation addressing how organizations can effectively manage multiple regulatory controls and respond in a consistent manner to third-party auditors and client vendor assessments.

View full presentation.

Added by admin October 3, 2011 (9:34AM)

"Real" Security and Privacy Programs - Now a Business Requirement

Losing Business?  Why “Real” Security & Privacy Compliance Programs are now Required
Joshua Carlson Esq., CISSP
FISMA, PCI, Safe Harbor, SAS70 (SSAE16), EU Directives, ISO27001, GLBA, HIPAA, the Telecommunications Act, the Fair Credit Reporting Act (FCRA), COPPA, the Privacy Act, CAN-SPAM and many more regulatory requirements are now being used to vet, add, keep and, more importantly, remove companies from approved vendor or company lists. Companies do this to eliminate from consideration, and so reduce their own risk of doing business with, companies that don’t have viable security and privacy programs.
The only companies that will be around in the future currently have, or are now investing in, comprehensive security and privacy compliance program initiatives.
Up until just a few years ago, it seemed many companies relied on outdated methods, and the Internet, for finding and creating the security and privacy policies that would get them through their business partners’ and vendors’ security and privacy audits. They would exchange a few e-mails and attachments with the general inclination of “it’s all good,” and all would be fine for another year.
That used to be okay, until security and privacy began to change these business-as-usual practices through legislative forces (the increasing number and scope of laws, and increasing enforcement of those laws) and market forces (the rise of breaches, internal threats, black hats, external threats, external hacking and major incidents; see Sony).
Today, companies cannot afford to do business with other companies that do not have effective and “real” security and compliance programs in place. 
Based on numerous administrative rulings, legal cases, class action lawsuits and hundreds of consent decrees, it should be apparent that a company that does business with another company lacking a sound security and privacy compliance program may end up liable for some, and possibly all, of the costs of any problems that result.
The general message, if it is not clear, is this: you cannot afford to be a business that doesn’t have a real security and privacy compliance program in place, and you cannot afford to do business with a company that doesn’t have a sound security and privacy compliance program.
“We need to look into why we lost our vendor contract with xyz corp,” states a client. One reason may be that the legal, reputational and financial costs of doing business with companies without good security and privacy compliance programs are no longer worth the risk.
Business is going away and not coming back to companies unprepared in the area of security and privacy compliance.
Finally, a question that often comes up is, “do we need a security/privacy compliance program for our small business?” I posit that if you are a company and want to continue to do business with, and/or grow your business to work with, other companies, you must have a security and privacy program (of appropriate scale) in place.
Joshua Carlson, Esq., CISSP
Joshua Carlson is an attorney and a security and privacy professional who has worked with numerous companies, including some of the largest retailers and global manufacturing companies. He performs privacy and security audits for companies of all sizes and provides guidance in security and privacy program development.

Comments (0) Added by jcarlson August 3, 2011 (10:18AM)

Mobile Devices Pose New Security Risks for Patients

Mobile devices have become as common as the stethoscope in patients’ rooms. Physicians routinely review patients’ electronic health records, read test results, access diagnostic tools and take patient notes, all with a few touches on their iPad or tablet, smartphone or flash drive. These mobile devices are ideal for information sharing and time savings, but they pose huge security risks to patient information.

In less than two years, from September 22, 2009 through May 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights indicates that 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device, exposing more than 1.9 million patients’ PHI. A panel of five experts in the fields of healthcare IT, security and privacy, data breach and identity theft—Jill Arena, Chad Boeckmann, Rebecca Herold, Rick Kam, and Robert Siciliano—share their insights on how healthcare organizations and providers can optimize mobile health (mHealth) while protecting patients’ data.

Electronic Health Records Increase Mobile Device Usage

Sixty-four percent of physicians own smartphones and 30 percent of physicians have an iPad, with another 28 percent planning to buy one within six months, according to a recent Manhattan Research study. 10,000 mobile healthcare applications are available today on the iPad, with a larger number of them created to provide access to electronic health records. Additionally, one-third of physicians use their mobile devices to input to EHR while seeing patients, while the information is fresh.

Experts Offer Their Insights on mHealth

Jill Arena, managing partner, Health Practice Solutions, LLC, consulting and technology solutions, www.healthepracticesolutions.com/: “In many ways, digitizing patient information can make it more secure, but only if the proper security measures are in place. As we move to introduce iPad applications that integrate with physicians’ Electronic Medical Records (EMR) products, we can edit, route and capture signatures on patient forms without ever dropping them to paper. This allows physicians and their office staff to recapture valuable staff time, and it keeps paper forms with PHI, Social Security numbers and other sensitive information from floating around the clinic and potentially falling into the wrong hands.”

Chad Boeckmann, president, Secure Digital Solutions, LLC, comprehensive privacy strategy, www.securedigitalsolutions.com/: “Anytime an organization extends information beyond its walls, a risk assessment should be conducted to determine the level of security controls, including monitoring of those controls. Mobile devices are a great example of extending the enterprise. Organizations need to understand the complexities of securing mobile devices, applications and the people who use them as part of a well-rounded data security and risk management program.”

Rebecca Herold, Rebecca Herold & Associates, LLC, information security, privacy and compliance tools, education and consulting, www.privacyguidance.com/: “In healthcare, doctors and nurses are increasingly using mobile computing devices and storage devices as part of their care giving activities, storing goldmines of patient information on them. Because of the combination of increased business and patient data storage and entrusting mobile workers with mobile computing devices, it is vital that an effective mobile computing device and storage media security and privacy management program is in place. Not only to meet HIPAA compliance requirements, but also to protect your patients and your hospitals and clinics. A key component is providing training and awareness to those staff using such devices. After all, doctors and nurses cannot protect information on mobile devices if they are not taught effective ways to do so. If you don’t provide security knowledge to those using mobile devices, privacy breaches will occur.”

Rick Kam, president and co-founder, ID Experts, comprehensive data breach solutions, www.idexpertscorp.com: “Many Wi-Fi networks in hospitals and doctors’ offices are not secure, and coupled with the increased mobile device usage, patient data is at risk. Here are eight things you can do to protect sensitive patient data:

  1. Whenever possible, don’t store sensitive data on wireless devices. If required, ensure the data is encrypted.
  2. Enable password protection on wireless devices, and configure the lock screen to come on after a short period of inactivity.
  3. Turn on the Remote Wipe feature of wireless devices.
  4. Enable Wi-Fi network security. Do not use WEP, and only use WPA-1 with strong passphrases. Use WPA-2 if possible.
  5. Change the default SSID and administrative passwords.
  6. Don’t transmit your wireless router’s SSID.
  7. Only allow your devices to connect by specifying their hardware MAC address.
  8. Implement a Wireless Intrusion Prevention System.”

Robert Siciliano, CEO, IDTheftSecurity.com, personal security and identity theft expert, www.IDTheftSecurity.com: “Mobile isn’t just a convenient new gadget or toy, it’s a huge target for criminal hackers and needs to be treated accordingly.”

About the Panel of Industry Experts

Jill Arena, managing partner with Health Practice Solutions, LLC, holds a Fellowship from the American College of Medical Practice Executives and has extensive experience in practice start-up and workflow improvement, including the implementation and management of the newest health information technologies. Her professional focus and passion is the intersection of physician-patient-computer. Over the past 15 years, Jill has started more than 37 new clinics, where she has introduced EMRs and implemented complete clinical IT systems.

Chad Boeckmann, president of Secure Digital Solutions, LLC, assists organizations in the government, financial, healthcare and retail industries to achieve information security and compliance goals. Since 2005 Secure Digital Solutions (SDS) has continually enabled companies to gain confidence and trust from their clients and auditors through IT security and regulatory compliance services. Clients continually rely upon SDS to deliver customized solutions, thought leadership, a strong work ethic and exceptional client service. SDS provides value by delivering business services and solutions effectively and tailors solutions to achieve client requirements.

Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, The Privacy Professor®, has more than two decades of information security, privacy and compliance experience. Rebecca is a partner and subject matter expert for the first cloud-based HIPAA/HITECH compliance service, Compliance Helper (www.compliancehelper.com). As owner and principal of Rebecca Herold & Associates, LLC, Rebecca is a widely recognized and respected information security, privacy and compliance expert and has been named multiple times as a “Best Privacy Adviser in the World” by Computerworld. She is currently working on her 15th published book.

Rick Kam, CIPP, is president and co-founder of ID Experts, and chairman of the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents and identity theft. Previously, Kam spent 20 years at IBM Corporation in sales, management, and customer relationship management consulting.

Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating, and empowering Americans to protect themselves from violence and crime in the physical and virtual worlds. For more than 20 years, Robert has been working in all aspects of security. A blogger, consultant, and speaker on a wide variety of topics including computer security, identity theft, and social networking security, Robert is often interviewed on national television, to give advice to consumers and to weigh in on security issues.

SOURCE ID Experts


Read more: http://emrdailynews.com/2011/07/20/mobile-devices-pose-new-security-risks-for-patients-five-experts-share-insights-on-mhealth/#ixzz1SqQSSSGx

Photo Credit: Yutaka Tsutano

Comments (0) Added by admin July 22, 2011 (8:34AM)

File Sharing Programs - They're not so great after all

Chad Boeckmann, CISSP, GSEC

File sharing, also referred to as P2P (Peer-to-Peer), is one of the hottest trends on the Internet. P2P is often described as a type of decentralized computing where computers communicate directly with each other. Websites and organizations that support P2P programs allow people to download the free software for the primary purpose of sharing files across the Internet. This free software allows users to download music files, movies and software. A recent report released by Ottawa-based AssetMetrix Research Labs, a provider of managed services for PC inventory and IT analysis, looked at the problems associated with P2P downloading and found that 77 percent of P2P applications resided on desktop systems. The study examined approximately 175,000 PCs from over 560 corporations, 10 percent of which were in Canada. Most of the content retrieved with these tools is illegal in terms of licensing and copyright regulations. This is just one example of the dangers of using Peer-to-Peer file sharing programs. Below is a summary of the security and legal issues of using file-sharing programs and the dangers posed to the user of such a program and to the network in which it is used.

Sharing your hard drive

Some programs used for file sharing claim to share only a specific folder on your hard drive where all the files you wish to share and download are stored. In some cases, these programs appear to share only the folder you specified when in fact you could unknowingly be sharing your entire C: drive. This is mainly due to poor programming and a lack of code audits of the free software.

Sharing your IRS tax statement

In the 2002 tax season, some tax programs saved your tax return on the local C: drive. This can be very convenient for some people. However, the folder in which the tax program saved your tax return was the same folder that P2P programs would share. This meant that some taxpayers were sharing their confidential tax returns with the entire Internet via their file-sharing program and were oblivious to that fact.
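The two failure modes above (a client that quietly shares a whole drive, and a share folder that happens to contain another program's save location) can be caught with a simple configuration audit. The following is an added example, not code from the original article or from any file-sharing client; the share roots and sensitive locations are constructed sample values, and the audit uses component-wise path containment rather than string prefixes so that C:\Share is not mistaken for a parent of C:\Shared.

```python
from pathlib import PureWindowsPath

# Constructed sample values (not from the article): the folders a P2P client
# is configured to share, and folders where other programs save documents
# that must never be exposed.
SHARE_ROOTS = [
    r"C:\Documents and Settings\Alice\My Documents\Shared",
    "D:\\",  # a whole-drive share, the case the article warns about
]
SENSITIVE_LOCATIONS = {
    "2002 tax return": r"C:\Documents and Settings\Alice\My Documents\Shared\TaxReturn",
    "mail store": r"C:\Documents and Settings\Alice\Local Settings\Application Data\Mail",
    "scanned IDs": r"D:\Private\IDs",
}


def is_drive_root(path: PureWindowsPath) -> bool:
    """True when the path is nothing but its anchor, e.g. C:\\ or \\\\server\\share\\."""
    return bool(path.anchor) and path == PureWindowsPath(path.anchor)


def contains(share: PureWindowsPath, target: PureWindowsPath) -> bool:
    """True when target is the share root itself or lies anywhere below it.

    Comparing path components (not string prefixes) means C:\\Share does not
    'contain' C:\\Shared.  PureWindowsPath compares case-insensitively, which
    matches how Windows file systems resolve names."""
    return share == target or share in target.parents


def audit_shares(share_roots, sensitive_locations):
    """Return one finding dict per problem; an empty list means the config is clean."""
    findings = []
    for raw_share in share_roots:
        share = PureWindowsPath(raw_share)
        if is_drive_root(share):
            findings.append({"share": raw_share, "issue": "entire drive shared", "exposes": None})
        for label, raw_location in sensitive_locations.items():
            if contains(share, PureWindowsPath(raw_location)):
                findings.append({"share": raw_share,
                                 "issue": "sensitive folder inside share",
                                 "exposes": label})
    return findings


if __name__ == "__main__":
    for finding in audit_shares(SHARE_ROOTS, SENSITIVE_LOCATIONS):
        detail = f" ({finding['exposes']})" if finding["exposes"] else ""
        print(f"{finding['share']}: {finding['issue']}{detail}")
```

Running the sample reports three findings: the tax return folder inside the Shared folder, the whole D: drive being shared, and the scanned IDs folder exposed by that drive share.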

Welcome mat for Viruses and Adware

Virus writers have written viruses and worms specific to P2P programs. This kind of malicious content can be hidden in any file type, and when the file is executed the virus will infect your computer, possibly without you ever knowing it. This can cause many issues in terms of system stability, privacy and integrity. Other malicious content, which is sometimes installed along with the P2P application, is labeled spyware or adware. These types of programs are used to track users’ actions on the Internet and to sell products. Some of the symptoms of running adware or spyware programs on your computer are:

  1. Your PC is running slower than usual
  2. Your browser has a new toolbar which you did not knowingly install
  3. New program icons are in your system tray
  4. Advertising windows appear when you are not browsing the Internet

There are a variety of free tools available on the Internet to detect and uninstall adware and spyware. Though spyware and adware programs are not as dangerous as viruses or worms, they can jeopardize your productivity and privacy.

RIAA is looking for you

The Recording Industry Association of America is on the hunt for users of file sharing programs that obtain music files illegally. Their mission is as follows: "One of the RIAA's key missions is to help foster a legal climate that protects the rights of record companies, artists and copyright owners in general. The RIAA has worked to achieve this goal by assisting its member companies in such areas as copyright enforcement, webcasting and First Amendment advocacy."

Recently RIAA has legally forced Verizon Communications to turn over the names of broadband users who were illegally trading copyrighted music files over the Internet. As of September 8, 2003 RIAA has subpoenaed 261 users of a popular file sharing service. These users could face a fine of $750-$150,000 per copyright work infringed.

Summary

File sharing is not a new concept, and if implemented correctly it can be a productive tool. However, using such a tool across a public network such as the Internet can pose serious risks. To be safe, do not use these programs, as they can become a serious problem. Every connection through a public file sharing service creates a new doorway to your computer and the network it resides on, creating a new vulnerability that could also cost users and companies legally and financially. It is simply not worth it.

Comments (0) Added by admin July 18, 2011 (3:34PM)

Secure Digital Solutions is based in Minneapolis, Minnesota.
Site design and development by Darren Leet, Incorporated