M. Scott Koller

The National Institute of Standards and Technology released April 30 a revised version of its security control catalog for federal systems, SP 800-53.

The revision (.pdf), the fourth version of the security controls catalog, also includes for the first time an appendix of privacy controls.

Changes to the security controls include a new emphasis on secure software development in an effort to shift security away from the focus of the past few years, during which it’s targeted matters such as configuration management or continuous monitoring.

Download: SP 800-53 rev. 4
Source: NIST releases 4th version of security control catalog SP 800-53 – FierceGovernmentIT

This afternoon, HHS released the attached omnibus final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as required the Health Information Technology Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA).

Notably, the final rule makes business associates of covered entities directly liable for certain HIPAA Privacy and Security rule requirements; expands individuals’ right to receive electronic copies of their health information; incorporates an increased tiered and civil money penalty structure as provided by the HITECH Act; changes to the “harm” definition included in the HIPAA Breach Notification interim final rule; and modifies the HIPAA Privacy Rule as required by GINA.

Link: HIPAA Final Rule

Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act, Bloomberg reports. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”

Source: IAPP Full Story

The operator of fan Web sites for pop stars Justin Bieber, Selena Gomez, Rihanna and Demi Lovato agreed to pay a $1 million civil penalty to settle federal charges that the

Artist Arena, a company that operates fan web sites for pop stars like Justin Bieber and Selena Gomez, agreed to settle federal charges that the sites had violated a children’s privacy protection law. Source: New York Times

sites had illegally collected personal information about thousands of children, the Federal Trade Commission said Wednesday.

Artist Arena, a company that operates fan web sites for pop stars like Justin Bieber and Selena Gomez, agreed to settle federal charges that the sites had violated a children’s privacy protection law.

In a complaint, the Federal Trade Commission alleged that Artist Arena, the operator of the sites, had violated a children’s online privacy rule by collecting personal details — like the names, e-mail addresses, street addresses and cellphone numbers — of about 101,000 children aged 12 or younger without their parents’ permission.

The law, called the Children’s Online Privacy Protection Act, or COPPA for short, requires operators of Web sites to notify parents and obtain verifiable parental consent before collecting, using or disclosing personal information about children younger than 13.

Source: New York Times

In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren’t typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites’ servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December weren’t fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

“The danger of weak password habits is becoming increasingly well-recognized,” said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, “show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks.”

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

Read the full article here

Beth Israel Deaconess Medical Center (BIDMC) in Boston is in the process of notifying approximately 3,900 patients of a potential breach of protected health information (PHI) as a result of a physician’s stolen personal laptop computer.

The computer was stolen from the office of a BIDMC physician on May 22. The computer, which contained a tracking device, has not been recovered nor has the tracking device been activated.

In addition to notifying law enforcement, which arrested a suspect in the theft, BIDMC engaged a national forensic firm to investigate whether data were compromised.

Source: CMIO

Watch out, Silicon Valley, there’s a new startup in town and its gunning for you. California Attorney General Kamala Harris announced Thursday she’s created a unit intended to actually enforce federal and state privacy laws.

“The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” California’s top attorney said in a statement.

The announcement of the unit, comprised of six attorneys, comes just months after Harris inked a February agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to demand that mobile apps on their platforms contain privacy policies. Facebook signed on last month.

Source: Wired Threat Level

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuitagainst Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.

Full Story