Whither Cloud Computing?

If you’ve heard of cloud computing and all the security issues that surround it, and if you’re wondering if you should trust the security of your sensitive and confidential data to a third party service provider, well, all I can say is that you’re like the old timer who hoards his wad of cash in crumpled bills under his mattress, believing that that’s the safest place for them simply because it’s within eyesight range. It’s an old school of thought that if you can see it, you can protect it. And although we have come a long way since the system of banking was invented and we accustomed ourselves to it, we’re still cavemen at heart who would prefer to keep our valuables close by.

Arguably the most valuable asset any enterprise has today is its data; without information, they’re nothing. And they must provide this data with the best safeguards there are in the business. This is why levels of security and passwords were invented, so that data is protected from prying eyes and the wrong hands. But your entire setup is only as strong as the weakest link, and here, it’s the human factor. If one employee can be tempted to compromise their principles and ethics, for money, revenge or any other reason, then it’s time to say goodbye to the usefulness of proprietary security measures. Human beings are also prone to errors, and because of that, we have data breaches through stolen and misplaced laptops or computers left unprotected through oversight.

Cloud computing is a pretty safe bet when you consider such issues – your data is not in your hands, which makes internal security lapses a moot issue. But there are other aspects that you must consider – the popularity and efficacy of the service provider you choose. Take Google for instance; the search engine giant is extremely popular, and as such, an attractive target for hackers. They know that if they target the cloud, they can bring down a host of sites with one blow. And so they’re going to try harder in their efforts to do so.

But organizations would be willing to stick with Google because they know what it’s capable of; they know that it has a reputation to live up to, and that there’s a certain aspect of trust involved when you’re putting all your eggs in one basket. Cloud computing is exactly that – putting all your eggs in one very protected basket. But if the basket does break, you’re in an unholy mess with egg all over your face! It’s a tricky proposition, deciding whether or not to go with cloud computing, a decision that your needs and budget must dictate.

The idea is still in its early stages, so we must wait and watch to see if any further security issues crop up. And crop up they will, because where there’s a target, you can bet your last dollar that there will be a hunter hidden in the bushes somewhere.

This post was contributed by Datakos guest author Holly McCarthy, who writes for the online college. Holly can be reached at hollymccarthy12@gmail.com.

CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case

The U.S. Department of Health and Human Services and the Federal Trade Commission today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels.  The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act. OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.

At the same time, the FTC opened an investigation of CVS. OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC. “OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR. “Such safeguards will benefit consumers everywhere.”

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal. Among other issues, the reviews by OCR and the FTC indicated that: * CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and * CVS failed to adequately train employees on how to dispose of such information properly. Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information.

They can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

Information about the FTC Consent Order agreement is available at http://www.ftc.gov .

Data breaches rose sharply in 2008, study says Most of the lost data was neither encrypted nor password-protected

By Jeremy Kirk

January 7, 2009 (IDG News Service)

More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center (ITRC).

The majority of the lost data was neither encrypted nor protected by a password, according to the ITRC’s report.

It documents 656 breaches in 2008 from a range of well-known U.S. companies and government entities, compared to 446 breaches in 2007, a 47% increase. Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law.

Data breach notification laws vary by state. Some companies do not reveal the number of data records that have been affected, which means the actual number of data breaches is likely much more than 35 million.

“More companies are revealing that they have had a data breach, either due to laws or public pressure,” the ITRC wrote on its Web site. “Our sense is that two things are happening — the criminal population is stealing more data from companies and that we are hearing more about the breaches.”

The data breaches came from a variety of mishaps, including theft of laptops, hacking, employees improperly handling data, accidental disclosure and problems with subcontractors.

For the rest of this story, see computerworld.com.

Networkers Beware: Fake LinkedIn profiles promise prurient pics, send patsies malware instead

Expect more attacks to come from social networking services, says security expert

By Gregg Keizer

Hackers have seeded LinkedIn Corp.‘s business networking service with bogus celebrity profiles that link to malicious sites serving up attack code, a security researcher said today.

Unlike Twitter, which had nearly three-dozen legitimate accounts hijacked on Monday, LinkedIn was not compromised. Instead, criminals used the service to create phony profiles, gave them celebrities’ names and slapped on the word “nude” to further entice users. The celebrities named included singer Beyoncé and actresses Christina Ricci, Kirsten Dunst and Kate Hudson.

The identical profiles all sported links to sites that promised nude photographs of the celebrities, said Paul Ferguson, a threat researcher at security vendor Trend Micro Inc. Users who clicked on those sites were shunted to sites hosting malicious software.

“They’re using the same mechanism as have earlier e-mail spam campaigns, telling users that they have to install a codec,” said Ferguson. The coder/decoder is nothing of the sort, but actually a disguised Trojan horse. “They’re just casting a wider net using LinkedIn,” he said.

LinkedIn reacted quickly, according to Ferguson, who said that the fake accounts first appeared on the site Tuesday. “Once they were notified, they quickly took them down,” he said. “There’s only a handful left when I last looked.”

For more see computerworld.com.