
Exploring the science and magic of Identity and Access Management
Sunday, September 25, 2022

Veriphyr Study: Protected Health Information (PHI) Privacy Breaches

Identity, Information Security
Author: Mark Dixon
Friday, September 2, 2011
5:51 pm

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

  • Snooping into medical records of fellow employees (35%)
  • Snooping into records of friends and relatives (27%)
  • Loss /theft of physical records (25%)
  • Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

  • One to three days (30%)
  • One week (12%)
  • Two to four weeks (17%)

Once a breach was detected, it was resolved in:

  • One to three days (16%)
  • One week (18%)
  • Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.
The morals of this story?
  • Cautiously trust, but verify the internal folks.  They are the biggest breach threat.
  • Do you want to tackle and solve your privacy breach problems? Good tools really do help.
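The study's point that monitoring tools are what catch insider snooping is easier to see with a concrete check. The following is an added example, not code from this post or from Veriphyr: it runs four rules over a constructed EHR audit trail (the log format, the user ids, the roster and the assignment table are all invented for this illustration) and flags access to a fellow employee's record, an employee opening their own record, access with no treatment or billing justification, and a burst of distinct records opened in a short window. The rules are deliberately simple; in a real deployment the roster and assignments would come from HR and the scheduling or encounter system.

```python
"""Flag suspicious PHI access in an EHR audit trail.

Added example; not from the post or from any vendor's product. The audit line
format (timestamp|user|patient|action|context), the roster, the assignments
and every log line are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

EMPLOYEES = {
    # user id: (display name, role, patient id if the employee is also a patient here)
    "u100": ("A. Nurse", "clinical", "p9001"),
    "u101": ("B. Clerk", "billing", "p9002"),
    "u102": ("C. Physician", "clinical", None),
}

# Treatment relationships: patients each user is currently assigned to (constructed).
ASSIGNMENTS = {
    "u100": {"p1001", "p1002"},
    "u101": set(),
    "u102": {"p1001", "p1003"},
}

# Constructed audit lines, chronological.
AUDIT_LOG = """\
2011-08-01T09:02:11|u100|p1001|VIEW|treatment
2011-08-01T09:05:40|u100|p9002|VIEW|treatment
2011-08-01T09:07:02|u102|p1003|VIEW|treatment
2011-08-01T09:10:00|u101|p1001|VIEW|billing
2011-08-01T09:12:30|u101|p1003|VIEW|treatment
2011-08-01T09:20:00|u101|p9002|VIEW|billing
2011-08-01T12:00:00|u100|p2001|VIEW|treatment
2011-08-01T12:00:05|u100|p2002|VIEW|treatment
2011-08-01T12:00:10|u100|p2003|VIEW|treatment
2011-08-01T12:00:15|u100|p2004|VIEW|treatment
"""


def parse_audit(text):
    """Yield (timestamp, user, patient, action, context) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, context = line.split("|")
        yield datetime.fromisoformat(ts), user, patient, action, context


def audit_phi_access(text, employees=EMPLOYEES, assignments=ASSIGNMENTS,
                     burst_n=4, burst_window=timedelta(minutes=5)):
    """Return a list of (rule, user, patient, timestamp) findings, in log order."""
    # Reverse index: patient id -> the employee whose own record it is.
    employee_records = {pid: uid for uid, (_, _, pid) in employees.items() if pid}
    recent = defaultdict(deque)      # user -> (timestamp, patient) within the window
    burst_reported = set()           # report the burst rule once per user
    findings = []
    for ts, user, patient, action, context in parse_audit(text):
        _, role, _ = employees[user]
        if employee_records.get(patient) == user:
            findings.append(("self_access", user, patient, ts))
        elif patient in employee_records and patient not in assignments[user]:
            findings.append(("employee_record", user, patient, ts))
        elif context == "billing" and role == "billing":
            pass  # billing staff may open records in a billing context
        elif patient not in assignments[user]:
            findings.append(("no_relationship", user, patient, ts))

        # Volume rule: many distinct patients in a short window looks like browsing.
        window = recent[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > burst_window:
            window.popleft()
        distinct = {p for _, p in window}
        if user not in burst_reported and len(distinct) >= burst_n:
            burst_reported.add(user)
            findings.append(("burst", user, None, ts))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a daily report."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    results = audit_phi_access(AUDIT_LOG)
    for rule, user, patient, ts in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:16} user={user} patient={patient}")
    print(dict(summarize(results)))
```

The "no_relationship" rule is the one that needs the most tuning in practice: emergency (break-glass) access, coverage for a colleague's patients and consulting reads are all legitimate and will show up as findings until the assignment data accounts for them, which is why the study's respondents who were satisfied with their tools were the ones that had invested in them.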



How Much of Your Profile Data Can Your Social Network Share?

Author: Mark Dixon
Monday, June 13, 2011
4:21 pm

An interactive “Provider Guide” provided by JanRain shows what personal profile data maintained by popular social networks is available to applications that connect to these networks.  It is not surprising that Facebook offers the most information; LinkedIn is second in terms of available profile attributes.

With this many attributes about subscriber identities available through published APIs, it isn’t surprising that the stock market placed a huge premium on LinkedIn, and will presumably do the same with Facebook.  Perhaps the most valuable attributes are the connections to other people – friends on Facebook, contacts on LinkedIn.  The Network Effect arising from the interconnectivity of all those online members triggers extreme value momentum, particularly when all those relationships can be exposed to third parties.


Privacy Site: Future of Privacy Forum – Advancing Responsible Data Practices

Privacy, Privacy Site
Author: Mark Dixon
Thursday, May 26, 2011
10:34 am

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. FPF was launched in November 2008, and is supported by Adobe, American Express, AOL, AT&T, Bering Media, The Better Advertising Project, BlueKai, BrightTag, Comcast, comScore, Datran Media, Deloitte, DoubleVerify, eBay, Facebook, General Electric, Google, Intel, Intuit, LexisNexis, Lockheed Martin, Microsoft, The Nielsen Company, Procter & Gamble, Qualcomm, Reputation Defender, Time Warner Cable, TruEffect, TRUSTe, Verizon, Yahoo! and Zynga.


Privacy Site: ApplicationPrivacy.org – Implement Trustworthy Data Practices

Privacy, Privacy Site
Author: Mark Dixon
Wednesday, May 25, 2011
2:01 pm

ApplicationPrivacy.org is a project of the Future of Privacy Forum intended to provide application developers with the tools and resources needed to implement trustworthy data practices. The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices.


National Strategy For Trusted Identities In Cyberspace – My Take

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 29, 2011
5:54 pm
When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.
However, rather than leave interpretation to others, I actually read the 45-page National Strategy For Trusted Identities In Cyberspace document that was officially released on April 15th.  Based on what I read, this initiative seems more like guidance for a national Interstate Highway system than a mandate for socialized health care.
On page 29 of the document, speaking of the goals for this initiative, we read:
These goals will require the active collaboration of all levels of government and the private sector. The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.
If indeed the Federal Government can act as a catalyst, in cooperation with the private sector, to accelerate progress toward a secure, convenient, easy to use, interoperable and innovative framework for trusted identities, without controlling or exploiting participants, I can strongly support the initiative.
However, it is the nature of most people in areas of concentrated power to abuse the power with which they have been entrusted.  This natural tendency, both in the public and private sector, may lead to unintended bad consequences as a result of this initiative.  As the Trusted Identities initiative moves forward, we must be vigilant to make sure public or private power is not abused.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

The Identity Ecosystem, as envisioned here, will increase the following:
  • Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
  • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
  • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
  • Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
  • Security, by making it more difficult for criminals to compromise online transactions;
  • Confidence that digital identities are adequately protected, thereby promoting the use of online services;
  • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
  • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media
The Trusted Identity Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:
  • Identity solutions will be privacy-enhancing and voluntary 
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use
The document spends over 40 pages explaining and exploring these goals and guiding principles.  Many more pages in many more documents will be produced before these objectives are achieved.
I look forward to following the progress of this initiative.  If this helps focus attention and resources on resolution of some difficult identity issues we face, it will be a good thing. Let’s work together to make that happen.

Hey Steve! Why are you tracking me?

Information Security, Privacy, Telecom
Author: Mark Dixon
Friday, April 22, 2011
4:05 pm

I first read the news about Apple’s secretive location tracking capability in the Kaspersky Labs Threat Post article, “Secret iPhone Feature Tracks Owners’ Whereabouts“:

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco on Wednesday. According to the researchers, Pete Warden, founder of Data Science Toolkit, and Alasdair Allan, a researcher at Exeter University in the UK, the tracking feature records the phone’s movements, including what cell phone towers and Wifi hotspots it connects to, when and where. While that information isn’t shared with Apple, it is retained even when iPhone users update their hardware, suggesting that Apple had plans to use the data at a later time.

Was I surprised?  No.  Irritated?  Yes.  We have one more piece of evidence, that when power is concentrated in the hands of a few, abuses tend to occur.

After reading the O’Reilly Radar article, “Got an iPhone or 3G iPad? Apple is recording your moves“, I followed a link to an application to see for myself:

How can you look at your own data?

We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.

The broad view clearly showed the four states in which I have used my month-old iPad:

But the real interesting view was of my supposed meanderings in Arizona:

I can easily explain three of the four major clumps of usage in the Phoenix metropolitan area – my home, the Phoenix airport, and a client site. But I have never taken my iPad to the fourth area of supposed heavy use.

All the outliers are even more problematic.  I used the iPad once in a mountainous area northeast of Phoenix, but all the other outliers?  My only explanation is that I must have forgotten to place the iPad in “Airplane Mode” on one or more of my flights (heaven forbid!).  The iPad must have connected with dozens of cell towers as we flew over.
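The in-flight explanation for the outliers is something the data itself can confirm: fixes collected from towers seen while airborne sit far apart yet minutes apart in time. The following is an added example, not code from this post or from the iPhoneTracker project. It builds an in-memory SQLite table shaped like the CellLocation table the researchers described in consolidated.db (the column names used here, the 2001-01-01 timestamp epoch and every row are assumptions constructed for the example), bins fixes to a grid the way the tracker's heat map does, and flags consecutive fixes whose implied speed is beyond anything a car could do.

```python
"""Analyse cell-tower location fixes of the kind iPhoneTracker reads.

Added example; not from the post or the iPhoneTracker project. The table
shape, the column names, the timestamp epoch and every row below are
assumptions constructed for illustration.
"""
import math
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed origin of the Timestamp column
EARTH_RADIUS_KM = 6371.0


def mac_time(dt):
    """Seconds since the assumed 2001-01-01 epoch."""
    return (dt - MAC_EPOCH).total_seconds()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


T0 = datetime(2011, 3, 20, 8, 0, tzinfo=timezone.utc)
# Constructed fixes: (seconds after T0, latitude, longitude, horizontal accuracy in m)
SAMPLE_FIXES = [
    (0,    33.4500, -112.0700, 500),   # home, Phoenix metro
    (600,  33.4510, -112.0690, 500),
    (1200, 33.4495, -112.0710, 500),
    (3000, 33.4343, -112.0116, 800),   # airport
    (4200, 34.5000, -110.0000, 3000),  # tower seen from the air 20 minutes later
    (6600, 39.7392, -104.9903, 800),   # Denver
    (7200, 39.7400, -104.9900, 500),
]


def load_sample_db():
    """Create an in-memory table in the assumed CellLocation shape and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER, "
        "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    conn.executemany(
        "INSERT INTO CellLocation VALUES (310, 410, 0, ?, ?, ?, ?, ?)",
        [(i, mac_time(T0 + timedelta(seconds=off)), lat, lon, acc)
         for i, (off, lat, lon, acc) in enumerate(SAMPLE_FIXES)],
    )
    return conn


def fixes(conn):
    return conn.execute(
        "SELECT Timestamp, Latitude, Longitude FROM CellLocation ORDER BY Timestamp"
    ).fetchall()


def grid_counts(conn, step_deg=0.05):
    """Fixes per grid cell; the key is the integer cell index (lat, lon)."""
    return Counter((round(lat / step_deg), round(lon / step_deg))
                   for _, lat, lon in fixes(conn))


def implausible_legs(conn, max_kmh=300.0):
    """Consecutive fixes whose implied ground speed exceeds max_kmh."""
    rows = fixes(conn)
    legs = []
    for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
        hours = (t2 - t1) / 3600.0
        if hours <= 0:
            continue
        km = haversine_km(la1, lo1, la2, lo2)
        kmh = km / hours
        if kmh > max_kmh:
            legs.append((MAC_EPOCH + timedelta(seconds=t1),
                         MAC_EPOCH + timedelta(seconds=t2), round(km, 1), round(kmh)))
    return legs


if __name__ == "__main__":
    db = load_sample_db()
    for cell, n in grid_counts(db).most_common(3):
        print(f"cell {cell}: {n} fixes")
    for start, end, km, kmh in implausible_legs(db):
        print(f"{start:%H:%M}-{end:%H:%M}: {km} km at ~{kmh} km/h, not a ground trip")
```

The grid binning is why the heat map shows "heavy use" in places the owner never went: a cell tower's recorded position is the tower, not the device, and several fixes against one distant tower collapse into one bright cell. The speed check separates real visits from fixes collected in transit.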

My message to Steve Jobs?  Please, just call. I’d gladly invite you over for dinner or take you to my favorite restaurant, where we could discuss the things that are important to me in my life.  But these shenanigans?  Really tawdry for a supposedly high class company.


When Can I Pay for Stuff with my iPhone?

Identity, Information Security, Privacy, Technology, Telecom
Author: Mark Dixon
Friday, April 15, 2011
10:47 am


I am anxious for the time when I can buy groceries or pay for a meal with my iPhone.  According to Juniper Research, that time may be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014.  NFC, or “Near Field Communication,” is a technology that allows a payment to be made by holding a device, such as a mobile phone, in close proximity to an NFC-capable point of sale terminal.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more to it than just putting mobile wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still face challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and what that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, it’s great to be in the industry that is making this all happen.



Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.


Dave Kearns and Dictionary.Com on Privacy

Identity, Privacy
Author: Mark Dixon
Tuesday, March 8, 2011
5:44 pm

Triggered by Dave Kearns’ article today, “What is Privacy, Really,” I spent a few minutes this afternoon with my good friend dictionary.com.  It is amazing what one can learn about word meanings by (virtually) flipping through the pages of a dictionary.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy.

This was a bit circular in its reasoning, so I looked up “private”:

Private: confined to or intended only for the persons immediately concerned; confidential: a private meeting.

These meanings match well with Dave’s desire to exercise control over when he divulges personal information:

I can see no reason to cough up details of my business, number of employees, target date for purchase, types of computers, operating systems, applications, etc., simply to read a high-class marketing document

A related term is confidential – again related to the ability to keep information private:

Confidential: spoken, written, acted on, etc., in strict privacy or secrecy; secret: a confidential remark.

For example, I can assure you that there are details of my personal life that nobody but my wife knows.  We intend to keep it that way, even if powers like Facebook and Google would have it otherwise.


High Court Rules Against Corporate Privacy Rights

Author: Mark Dixon
Tuesday, March 1, 2011
4:28 pm

The Wall Street Journal reported today:

The Supreme Court ruled unanimously that personal-privacy rights don’t apply to corporations under the Freedom of Information Act.

Tuesday’s ruling was a defeat for AT&T Inc., which was seeking to block the disclosure of emails and other potentially embarrassing documents it provided to the Federal Communications Commission during a 2004 investigation by the agency of whether the telecommunications giant overbilled the New London, Conn., public schools.

I am not a legal scholar by any means, but it seems that the courts often split hairs, sometimes treating corporations as persons and other times as non-persons.  In this case, non-personhood prevailed.

The court, in an opinion written by Chief Justice John Roberts, said corporations don’t get to enjoy certain personal-privacy exemptions included in FOIA, a disclosure law that allows the public to gain access to some documents filed with the government.

"The protection in FOIA against disclosure of law-enforcement information on the ground that it would constitute an unwarranted invasion of personal privacy does not extend to corporations," Chief Justice Roberts wrote. "We trust that AT&T will not take it personally."

That last comment by Chief Justice Roberts is an interesting play on words.  According to his judgment, AT&T couldn’t take it “personally”.  They had to take it “corporately.”

How will it affect us?  Opinions vary:

News-industry groups and open-government advocacy organizations argued that AT&T’s position could place a wide range of records on corporate behavior off limits to the public.

Several business groups backed AT&T. The U.S. Chamber of Commerce said the threat of public disclosure could have a chilling effect on corporations’ willingness to cooperate with law-enforcement authorities.

It will be interesting to watch where this leads.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.