Iran Confirms Attack By a Virus That Collects Information - New York Times - 5/29/12

High-ranking Iranian officials admitted in a statement that they are aware of a virus, dubbed Flame, that has been actively gathering information on governmental computers and networks. Iranian IT experts assigned to deal with the virus stated that it may be up to five years old. Kamran Nepalian, an official with Iran's Computer Emergency Response Team, was quoted as saying that the data-mining virus has only been "active" for a period of six months. Mr. Nepalian was also quoted as explaining that the virus appears to have been designed with specific targets, or computers, in mind. The virus can only be transferred through a USB drive; the drive must be connected to at least one computer on the targeted network. From there, under the control of a remote operator, it can monitor or copy keystrokes, downloads, audio, and more. The Emergency Response Team states that Flame was not discovered sooner because it was uniquely designed to resemble common Iranian malware.

Although the article does not say so explicitly, and while Flame may be the most advanced virus of its kind, there are preventive actions that could have been taken beforehand. Several companies that deal with sensitive material and information, from trade secrets to matters of possible warfare, have preventive protocols in place against human hacking (social engineering). Such protocols include limiting or prohibiting the use of USB drives and other mobile hardware in certain departments or organizations. If USB drives are permitted, they can be scanned before use. Governmental officials concerned about information leaking to possible enemies might also consider a closed-area network, or even encrypted Internet access, when handling that information.


Data breach leads to $1.7M fine for Alaska DHSS - Healthcare Finance News - 6/28/12

The Alaska Department of Health and Social Services came under scrutiny recently when it chose to settle over its violations of the HIPAA Security Rule. The settlement and fine stem from an incident that shed light on the Department's poor procedural and administrative security practices. The HHS Office for Civil Rights began looking into the situation when it investigated a breach report submitted by Alaska DHSS. The report indicated that a USB hard drive had been stolen from the vehicle of a DHSS employee and that it held the information of an estimated 2,000 individuals.

During the investigation it was found that "DHSS did not have adequate policies and procedures in place to safeguard patients' PHI". Even more troubling was the finding that DHSS "had not completed a risk analysis, implemented sufficient risk-management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption". These findings led to additional procedural requirements for the department, on top of the $1.7 million it will have to pay to the U.S. Department of Health and Human Services. Under its agreement with HHS, Alaska DHSS must carry out a corrective action plan that includes reviewing, revising, and maintaining policies to ensure that the HIPAA Security Rule is not violated again. Moreover, a monitor will report back to the Office for Civil Rights on a regular basis regarding the department's ongoing compliance efforts.

Although the Department breached many protocols in this incident, there are several procedures that should and can be implemented. One is an Off-Site Equipment Form. Such forms can be part of a procedure in which equipment is properly and strongly encrypted before it is "signed" out. There should be a maximum time the equipment is allowed to remain off site, along with a process to assess the condition of the equipment once it is returned (to ensure no corruption or tampering has occurred). However, this is just one small procedure within the much larger framework that is required. From the article, it does not sound as if the Department had a proper framework in place. Several such frameworks are available and can be tailored to the Department's needs. Any framework would then require a thorough testing phase and regular assessments to keep vulnerability to breaches low. The Department must also train its employees to recognize what is appropriate and inappropriate in situations involving organizational data. In my opinion, the USB hard drive should never have been left unattended in a vehicle; that is where training should come in.

The health care industry is heavily based on trust. If a patient can't trust an organization with his or her private records and information, that stunts the organization's ability to help the individual. A strong data security or IT framework allows patients to trust the organization that is helping them.