Pharmacies Throwing Away Privacy and Creating Personal Security Concerns

July 26th, 2006

I really like investigations where those carrying them out are not afraid to get down and dirty to find out what really is going on at businesses, and seeing how sloppy practices put privacy, and personal safety, at risk.  Digging into dumpsters to find personally identifiable information (PII) is a great indicator of the information security practices of an organization. 

Here’s an article about such an investigation to put within your awareness and training files for the ongoing problems organizations have with properly disposing of PII.  WTHR in Indianapolis did an investigation into the trash habits of pharmacies. Indeed there are some very sensitive types of information your friendly neighborhood pharmacy has on file about you and all the other folks who fill their prescriptions.  Not to mention tossed drugs…but that’s another story…

Some of the more interesting findings of the research done by the television station:

"Over a two-month period, 13 Investigates reporter Bob Segall visited 65 local pharmacies. Actually, he visited their dumpsters. Some were latched, locked or chained. But most had no security at all – out in the open, 24 hours a day. At those dumpsters, we took whatever we found – it’s perfectly legal."

Just take a nice stroll at lunch through your downtown alleys (if you are in a day-safe area), and I am willing to bet you will also find dumpsters wide open containing papers and other potential PII storage media.

"Perhaps more alarming, we found prescriptions, pill bottles and prescription labels that provided personal information about hundreds of patients. In fact, at pharmacies where we took garbage bags, we found more than half of them trashed their customers’ privacy by failing to destroy their personal information as required by federal law.  We learned who’s taking birth control pills, who has an enlarged prostate, which customers suffer from depression and which one has a prescription for genital herpes. And along with it, we learned their names, addresses, phone numbers and birthdates. You won’t hear from any of those particular patients, but others are speaking out."

"Margie Kerr was not so fortunate. A thief came to her Bloomington home and stole her prescription painkillers. Detectives say the thief singled out his 76-year-old victim when he found her personal information in an open dumpster behind her pharmacy."

Drug addicts are desperate to get a fix.  What better way to find out who has the drugs they need than by digging through the pharmacy, hospital and medical clinic dumpsters?  Organizations that do not irreversibly destroy PII before disposing of it are not only noncompliant with HIPAA, but are also putting the individuals to whom the PII applies at a safety risk.

""Protections need to be in place," said Susan McAndrews, who is a top legal advisor at the Department of Health and Human Services in Washington.  McAndrews said the law is clear: customers’ personal health information must be carefully protected. After seeing what we found in the trash, she offered advice for pharmacies.  "Don’t do that!" she said. "Putting protected health information in a dumpster that is accessible to anyone… is clearly not an example of a reasonable safeguard."  McAndrews said most pharmacies are bound by HIPAA, a federal law that requires patients’ and customers’ private health information to be protected. Businesses that fail to comply can be fined up to $100 per incident."

A huge problem with HIPAA is the enforcement, or lack of it, of this federal law by the Department of Health and Human Services (HHS).  No fines or penalties have yet been applied; just two criminal cases have been successfully prosecuted.  The HHS needs to step up and apply fines in such instances of blatant disregard of the law.  Without fines being applied there is no motivation for compliance by covered entities (CEs).  If the HHS is making statements about how CEs need to comply with HIPAA, they need to step up to the plate and enforce the law!  Just shaking a finger and tsk-tsking at violations of the legal requirements of HIPAA will not motivate most CEs. 

"For this investigation, we randomly chose 65 metro-area pharmacies. The test included pharmacy-only stores such as Walgreens, CVS, Osco, Tucker Pharmacy and Low Cost Rx stores. It did not include grocery and retail stores that also offer pharmacy services because dumpsters at those locations contained mostly non-pharmacy trash. During the test, we took trash only from pharmacy dumpsters that offered easy public access. We did not take trash from the 13 pharmacies where the dumpsters were either locked or inaccessible to the public. Nor did we take garbage from the seven pharmacies at which dumpsters were behind a closed fence, even if the fence was unlocked. Trash dumpsters at 15 of the pharmacies were easily accessible but empty at the times we visited. We took trash from the remaining 30 pharmacies with easily-accessible garbage dumpsters, and 19 of them failed to destroy all of their customers’ personal information before placing it in the dumpsters."

The station provided a list of the secure dumpsters they encountered; largely CVS and Walgreens stores.

They also provided a map of all the dumpsters they investigated, and comments about the security of each.

What a great investigation.  It would be enlightening to see this same exercise performed in other cities and towns. 

Take a look at your own organization’s dumpsters…you might be surprised at what you find.

Residential trash is also at risk.  Dumpster diving for trash treasures the night before trash day is pretty common in many residential areas.


Personal Information of 540,000 New Yorkers on Workers Comp Lost

July 25th, 2006

Today I read in the Chicago Sun-Times that CS Stars (not sure this is the same organization’s website, but it appears as though it could be), a contractor for the state of New York, could not locate a personal computer New York State provided to them which contained the names, addresses and Social Security numbers "of as many as 540,000 injured workers."

"CS Stars had been using the computer to move the data from the state to the company’s computerized claim system, according to the letter."

CS Stars is based in Chicago but also has an office in New York.

This story brought many questions to mind…

  • Were they sending the data by physically taking it on a computer because they thought this was more secure than sending it electronically?
  • The article indicates it was missing from "a secure facility of the company," so it appears it was not lost while in transit.  Wonder what constitutes a "secure facility"?  The front door is locked?  A locked desk drawer?  A facility with guards, two-factor authentication to get in the door, and surveillance cameras?  It is always interesting to read these reports of security incidents and see the terminology used.  A secured facility is very subjective and could mean a very wide spectrum of things.
  • If the facility was such that only authorized people had access to the computer, then it is likely the theft (if it was a theft and not just a misplaced computer now stuck under someone’s desk to prop up their feet, perhaps) was done by an insider.  This would make the data more likely to be at risk if the person knew the type of data on it and planned to use it to commit some potentially lucrative cybercrime.

This story coincidentally came out after I had just visited the Identity Theft Resource Center where they reported "In 2005 there were 151 incidents affecting more than 57.7 million people. Approximately half of the breaches were educational institutions. 16% were banking, credit or financial services. We are tracking 2006 currently. As of the end of April there were nearly 80 large breaches."

Information from the FTC and the Secret Service/CERT Insider Threat Studies show how vulnerable information is to being compromised by insiders with authorized access. 

It will be interesting to see if any more is published about this investigation, and if it was an inside job.


The Security and Privacy Risks of Blogs, IMs, and Email

July 24th, 2006

I’m reading the "2006 Workplace E-Mail, Instant Messaging & Blog Survey" performed and issued July 11 jointly by the American Management Association (AMA) and The ePolicy Institute.  It is an interesting read and has some good, and sometimes surprising, statistics and findings. 

Here are a few of the tidbits for you:

  • "Last year, the inability to produce subpoenaed e-mail resulted in million dollar—even billion dollar—lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail."

What are your records retention policies and practices for not only email, but also instant messaging, voice mail, and other types of files?  Be sure you clearly address the issues of email content (typically what is focused upon within policies) and also email retention.  This is a very important issue that is often not covered.

  • "Fully 26% of employers have terminated employees for e-mail misuse. Another 2% have dismissed workers for inappropriate instant messenger (IM) chat. And nearly 2% have fired workers for offensive blog content—including posts on employees’ personal home-based blogs."

I know there are some really amazing stories about the types of email, IM and blog content personnel write and post while at work and/or using their employers’ systems…what are these people thinking?  Probably not thinking…

Again, having a good, clearly written policy will help to support your organization’s decision if you need to make a termination or a disciplinary action that is subsequently challenged in court.  I know of many instances where cases were thrown out before going to trial, particularly when personnel claimed ignorance of a policy, because the organizations had policies explicitly stating that personnel could not use electronic communications in certain ways, and also had documented, visible proof and procedures verifying that the policies had been communicated.

  • "With the blogosphere growing at the rate of one new blog per second, industry experts expect the ranks of dooced [fired] employee bloggers to swell."

Wow…a new blog every *SECOND*?  That amazed me.  Can that be true?  I wonder how quickly blogs disappear?  One every hour?  Every 30 minutes?  What is the ratio of blogs to websites?  How many blogs are being set up by personnel under their employers’ domains without the knowledge of the employers?

I also learned a new word…or at least a new meaning for a word…"dooced." 

  • "4% of companies have written e-mail retention/deletion policies in place, in spite of the fact that 34% of employees don’t know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged."

No surprises here…it is a scary fact that a huge amount of confidential and mission critical data is contained within or attached to email messages, and that no one really has responsibility for these email security and privacy issues, and most users have no idea of the risks involved.

Organizations need to implement classification policies and procedures to support the save and purge activities.

  • "While 35% of employees use IM at work, only 31% of organizations have IM policy in place, and 13% retain IM business records."

I know a large majority of the organizations I speak with indicate they use IM internally.  IM communications, even at work, are typically much less restrained…in content, opinions, accusations, gossip…than email.  All of which could get not only the employee but also the employer in hot water legally.

  • "Among the blog risks…are copyright infringement, invasion of privacy, defamation, sexual harassment and other legal claims; trade secret theft, financial disclosures, and other security breaches; blog mob attacks and other PR nightmares; productivity drains; and mismanagement of electronic business records."

Since a growing segment of business professionals rely upon these communication methods so heavily it is important to have policies governing the appropriate and reasonable use of email, IMs, and blogs. 

How many of you have such policies and supporting procedures?  I have seen many organizations with email policies and procedures, but very few companies, almost nil, with instant messaging or blog policies.


The Business Leader’s Primer for Incorporating Privacy and Security into the SDLC Process

July 23rd, 2006

It is important for business leaders throughout the enterprise to understand the system development life cycle (SDLC) and how decisions made during the process can impact, negatively or positively, the entire business. First and foremost, systems and applications must be built to support the business in the most efficient and effective manner possible. Business leaders must be involved with the process to ensure systems and applications are being developed to meet this goal; the information technology (IT) areas cannot create applications and systems on their own and reach this goal. Second, applications and systems must be created to reduce risk to the level acceptable by the business, as well as to meet compliance with applicable laws, regulations, and contractual requirements. 

I just wrote and posted a paper,"The Business Leader’s Primer for Incorporating Privacy and Security" that provides an overview for business leaders about the importance of incorporating information security and privacy into the SDLC, and key information security and privacy activities to address within each SDLC phase.  Let me know what you think, and if you have additional ideas about this topic.


VA Credit Monitoring Withdrawn

July 20th, 2006

Very surprisingly today I read in The Guardian Unlimited report from a couple of days ago that "Free credit monitoring for veterans whose personal information was stolen has been withdrawn, the Bush administration said Tuesday, because the laptop containing their data has been recovered." 

Data can be copied from hard drives and other storage media without leaving behind any evidence it was copied.   

Today there was also a story about this on the Washington AP Wire.

"Testifying to a Senate panel, Nicholson acknowledged there were no 100 percent guarantees that names, birthdates and Social Security numbers stored on a VA employee’s stolen laptop and external drive were not accessed or copied. But he said the low risk did not justify a year of personalized monitoring at a taxpayer cost of $160.5 million. "Facts have changed, the situation has changed," Nicholson said, noting that the stolen equipment has been recovered and that the FBI determined with a "high degree of confidence" that the data was not compromised.  Speaking of veterans groups, some of whom are fiercely opposed to the decision, Nicholson added: "Some oppose, but some concur, thinking it would be a waste of $160.5 million.""

So…it’s about the money?  It would be interesting to know what facts have changed…do they know where the stolen equipment was all along? 

"Nicholson said the VA was in the process of hiring a company to provide data breach analysis to detect potential patterns of misuse of data. In addition, the department planned to send letters to veterans informing them of free services already available to all citizens, including free monitoring for 90 days and credit reports three times a year."

The credit monitoring services already have the systems in place to be able to detect these types of potential misuse…but the VA is going to hire a company to do this?  How will the monitoring a hired company does be able to detect "potential patterns of misuse"?

26.5 million individuals…


Have You Started Planning For Global Security Week?

July 19th, 2006

Global Security Week is September 4 – 10 this year.  Have you started planning any awareness activities around it for your organization?

In case you haven’t heard of it, Global Security week…

"…is an opportunity to join forces with other security professionals worldwide and promote security to the masses.  The theme for Global Security Week 2006 is identity theft. Find out about the truth behind the headlines. Is “phishing” a genuine threat? What are the banks doing about it? What can ordinary members of the public do about it? Participate in Global Security Week to help spread the word about identity theft and encourage ordinary law-abiding citizens to be on their guard."

This is a great opportunity to provide awareness messages and activities, as well as training classes, within your organization to raise the awareness of issues that impact not only your own organization, but your workers personally.  You could also take advantage of this week to provide awareness and training to your customers, business partners, outsourced vendors, and anyone else who touches the information for which your organization is responsible.

The site has created a planning calendar to get you started.

Check out the Global Security Week FAQ for more information, as well as some great links to other information security and privacy sites and information.


Information Security & Privacy in a Digital World

July 18th, 2006

CNN published an interesting report today by Peggy Mihelich, "Price of virtual living: Patience, privacy."  It contains many interesting and thought-provoking statistics and other info, many of which impact information security and privacy directly or indirectly.

When was the last time you walked through a public area, such as a grocery store, airport, and so on, and did NOT see someone using or possessing some type of technology device, such as a cell phone, BlackBerry, or digital camera?  How many of these devices on the street contain business information along with the device-user’s own assorted types of information?

I found the loss of patience associated with technology discussion interesting.

"Time in the virtual world takes us away from time spent in the real world. Though studies are inconclusive and ongoing, some psychologists warn that too much virtual exposure can undercut face-to-face interaction, lead to depression and isolation, and erode our patience. "We don’t have the tolerance any more to wait," Rosen said. "Listening to people talk slowly or talk, period — we just can’t tolerate it."  A recent Associated Press poll found that Americans start to feel impatient after 5 minutes on hold on the phone or 15 minutes in line.  Technology has brought us to a world where we have to have it when we want it, and we want to have it all simultaneously.""

Well, I’ve always gotten perturbed if I’m kept on hold for more than 5 minutes (actually less) when calling a company.  This has more to do with good customer service than with technology, however.  I also have never waited more than 10 or 15 minutes in line, such as waiting to be seated in a restaurant.  I don’t care how good the food is, I’ve always felt more than 10 minutes of doing nothing but sitting in an overcrowded bar just to be seated is wasting way too much time I could be spending doing something productive.

However, this loss of patience issue is something to keep in mind when addressing customer questions about their PII, your company’s privacy and security practices, and so on.  Be prepared for how you handle these questions ahead of time, and don’t give them the run-around.  Remember, everyone tends to be impatient.

The impatience issue is also something to keep in mind when you are creating your information security and privacy training and awareness materials.  Get to your point clearly and succinctly…don’t make your audience impatient and lose their attention with a lot of unnecessary information, or by using delivery methods that take up more of their time than is really necessary.

"E-mail lets us send a quick response, and IM lets us carry on a real-time conversation with someone halfway around the world – a great and inexpensive convenience, but a behind-the-screen form of communication."

Email and IM brings along with them their own unique and significant information security and privacy concerns…something to explore in another post or paper…

"A Federal Trade Commission survey found that from 1999 to 2003 more than 27 million Americans were victims of identity theft, costing them and businesses more than $50 billion. Personal data used to be protected by "practical obscurity," meaning that public records existed on paper or in isolated databases in courthouses and government offices. The information was legally within reach, but accessing it usually took hours or days and a lot of leg work.  But that’s changing, Steinhardt said. Communication, transaction and other public and private records have moved online, and they can be pulled together in minutes to create a picture of our lives.  Typing someone’s name into a search engine or online phone directory can reveal where they live. Going to their local government Web site can reveal how much their house is worth – and how much they pay in property taxes. Checking another Web site can reveal how much they contributed to political campaigns."

There are still too many people…too many business executives, leaders and decision-makers…who believe that obscurity is a form of security.  The abundance of electronic PII stored in so many different places puts the PII at risk…and truly does create ways to tell much more about people than just one or a few of the PII items alone could provide.

Technology is great…it is a very powerful business tool.  "With great power comes great responsibility."  Yes, I’m a Spiderman fan.  🙂  However, this statement is very true with regard to the power businesses wield over the PII they possess.

Isn’t it amazing to consider that just a little over a decade ago emails were primarily shared within organizations, through mainframe-based systems…now most businesses would be lost without the ability to communicate with all their business associates and customers via email.  Cellphones have virtually replaced the pagers.  It will be very interesting to see what types of technology dependencies will be created for business in the coming few years.  I’m sure most, if not all, will have significant information security and privacy issues.


Insider Threat Example: FBI Computer Consultant Hacked Director’s Passwords

July 17th, 2006

On Friday, 7/14/06, Silicon Valley reported:

"An FBI computer consultant who pleaded guilty to hacking the secret passwords of Director Robert Mueller and others will not serve any time in prison, a federal judge has ruled. Joseph Thomas Colon of Springfield, Ill., was sentenced Thursday by U.S. District Judge Richard Leon to six months of home detention and ordered to pay $20,000 in restitution to the FBI.

Colon pleaded guilty in March to four misdemeanor counts of intentionally exceeding his authorized computer access. He faced up to 18 months in prison after he acknowledged using two computer programs available for free on the Internet to extract the information and decode the passwords of Mueller and others.  Prosecutors do not believe Colon was trying to damage national security or use the information for financial gain. But the FBI said it was forced to take significant steps to make sure there was no harm from Colon’s actions.

“Joseph T. Colon was granted a substantial level of trust. He betrayed that trust,” FBI assistant director Charles S. Phalen Jr. said. “Once we identified the breach of security, we took quick and appropriate action to neutralize its impact.” Colon had said he was given a password to the FBI’s secret computer system to speed work he was hired to perform in the FBI’s Springfield office."

This points out that an insider is not always an employee.  It is anyone who has access within your facilities or to your network or computer systems.  In this case, it was a contracted consultant. 

It would be interesting to know how they arrived at the $20,000 restitution amount.

This is a good example of an insider threat incident to add to your files and use in your awareness and training messages.


Despite Choicepoint Spin There Are Still Many Information Security and Privacy Concerns

July 16th, 2006

There was a very interesting read in ConsumerAffairs today, "ChoicePoint Gets a Makeover."

The story reinforces once again the need to have a good security program in place with good controls and a well communicated comprehensive information security awareness and training program.  If the controls and awareness had been in place would this fraud have occurred?  We’ll never know for sure, but the chances would have been much smaller that this incident would have occurred…knowledge and controls could have blocked the criminals from instigating their fraud.

However, lack of controls and awareness aside, the gargantuan amount of personal information Choicepoint controls is very scary…especially considering how the use of it to make decisions impacts virtually everyone in the U.S. and a significant number of people outside the states.

It would have been good to have gotten some statistics about ChoicePoint in this story…how many people’s records do they have in their systems?  In how many places are these records located?  How do they successfully and completely change errors within the records?  What specific types of information do they have?  I have a feeling the answer to that would be a very, very long and disconcerting list.  With how many other organizations do they share their data?  Do they send information corrections to all these other organizations when they correct their own errors?  I could go on…but you get the picture….

Some information about Choicepoint from their site:

  • They have around 5,500 employees in 60 locations (Is all our personal data also as scattered?  Are any of these locations outside the U.S.?  Within any outsourced entities?)
  • Their 2005 Annual Report is interesting (A lot of spin….A LOT.)  A few excerpts:
    • "For the first time ever, revenues exceeded one billion dollars, at $1.06 billion, a 15 percent increase over 2004."
    • "Last year, we helped more than 100 million Americans obtain fairly-priced home and auto insurance."

So they have information on at least 100 million Americans then?

    • "As of December 31, 2005, the Company recorded a charge of $8.0 million for the FTC settlement that represents the $10.0 million civil penalty, the $5.0 million fund of consumer redress initiatives, a $4.0 million charge for additional obligations under the order offset by $11.0 million anticipated recovery of these fees from the Company’s insurance carrier."

Interesting…so of the $19 million penalty, Choicepoint only had $8 million come out of their pockets…the other $11 million was covered by their insurance provider…gee, wonder if that is something that will impact their insurance score and bump up their premium…speaking of which…

This story caught my eye for another reason because I’ve been interested in the impact and type of insurance scores Choicepoint generates and how they impact consumers’ costs for insurance.  To see a list of all the variables that go into creating your insurance score see Choicepoint’s ChoiceTrust site.  There are 156 different types of situations/events listed that can impact your insurance costs…making them go higher…and some of them will be surprising to a large segment of the population.

It’s truly amazing the power and impact these huge data brokers have, Choicepoint in particular, and the huge amount of personal information…some of it inaccurate but propagated…about literally hundreds of millions of people.


What IT Leaders Need to Know About Using Production Data for Testing

July 14th, 2006

There are many issues involved with using live production data, particularly real personally identifiable information (PII), for test and demo purposes.  For many years it has been the norm within organizations to use copies of production data for testing during applications and systems development.  However, over the past few years this practice is becoming more and more of a bad idea with all the new privacy laws and regulations, identity theft cases, insider instigated fraud, increased customer awareness, and the growing number of companies using outsourced companies to manage applications development, testing and quality assurance. 

In my latest podcast I discuss the importance of and reasons for using data that does not include real, production PII for test and development purposes.



MP3: Rebecca Herold – What IT Leaders Need to Know About Using Production Data for Testing
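As an added illustration of the alternative the post argues for (not code from the original post or the podcast), the script below takes a constructed "production" claims extract of the kind discussed in the New York workers comp story above (names, addresses, Social Security numbers) and produces a test copy in which every PII column is replaced with a keyed, deterministic substitute, so the same person still maps to the same pseudonym across rows while no real value survives; the column names, the sample rows and the masking key are all assumptions made for this example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample extract. Rows 1001 and 1003 belong to the same person so the
# example can show that referential integrity survives masking.
PROD_EXTRACT = """claim_id,name,ssn,address,injury_date,amount
1001,Jane Example,123-45-6789,"1 Main St, Albany, NY",2006-03-02,1250.00
1002,John Sample,987-65-4321,"42 Elm Ave, Buffalo, NY",2006-04-18,400.00
1003,Jane Example,123-45-6789,"1 Main St, Albany, NY",2006-05-30,75.50
"""

PII_FIELDS = ("name", "ssn", "address")

# Hypothetical key. It stays with the production side that runs the masking and is
# never copied into the test environment, otherwise pseudonyms could be re-linked.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"


def _token(field, value, key):
    """Keyed, deterministic digest: same input gives the same output, and without
    the key nobody holding the test data can reverse or brute-force the mapping."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def fake_ssn(token):
    """Format-preserving substitute in the 9xx area range, which SSA does not assign,
    so test records can never collide with a real person's number."""
    digits = str(int(token[:16], 16)).rjust(8, "0")[-8:]
    return f"9{digits[:2]}-{digits[2:4]}-{digits[4:8]}"


def fake_name(token):
    return f"Test Person {int(token[:8], 16) % 100000:05d}"


def fake_address(token):
    return f"{int(token[:6], 16) % 9999 + 1} Test St, Testville, NY"


SUBSTITUTES = {"name": fake_name, "ssn": fake_ssn, "address": fake_address}


def is_test_ssn(value):
    """True when a value has the shape produced by fake_ssn."""
    parts = value.split("-")
    return (len(parts) == 3 and value[0] == "9" and [len(p) for p in parts] == [3, 2, 4]
            and all(p.isdigit() for p in parts))


def mask_extract(csv_text, key=MASKING_KEY):
    """Return the rows of a CSV extract with every PII column pseudonymized.
    Non-PII columns (claim id, dates, amounts) pass through so the test data keeps
    realistic shape and volume, which is usually why production copies were wanted."""
    masked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = dict(row)
        for field in PII_FIELDS:
            out[field] = SUBSTITUTES[field](_token(field, row[field], key))
        masked.append(out)
    return masked


def leaked_values(csv_text, masked_rows):
    """The check to run before the test copy leaves the production side: report any
    original PII value that still appears anywhere in the masked output."""
    originals = {row[f] for row in csv.DictReader(io.StringIO(csv_text)) for f in PII_FIELDS}
    return {v for row in masked_rows for v in row.values() if v in originals}


if __name__ == "__main__":
    rows = mask_extract(PROD_EXTRACT)
    for row in rows:
        print(row)
    print("leaked:", leaked_values(PROD_EXTRACT, rows) or "none")
```

Because the substitutes are derived with an HMAC rather than a plain hash, a tester who guesses a real SSN cannot confirm the guess by hashing it and searching the test data.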