Friday, October 05, 2007

Non-profit has major security lapse: where was the Firewall?; health care info security


On Friday, October 5, 2007. Joe Stephens has an article in The Washington Post, business, p. D4, “Nature Conservancy Says Spyware Compromised Employee Data.” An employer in Human Resources in Arlington, VA reportedly visited a sports website on a work computer, which got infected with spyware, and soon the organization discovered that the personal information of over 14,000 persons was being exported.

What seems unclear is that the sports website itself was compromised (that wouldn’t normally happen), and why the organization’s security procedures and software (Firewall and virus scan) did not prevent the compromise. McAfee, for example, also offers a Site Advisor that might have caught this problem. Many other organizations have lost data because of poor physical security (missing laptops or disks); it needs to be explained in cases like this one why security software suites did not work properly. But companies and employers can be as vulnerable as individuals.

A much more positive story appears on p D1 of the same paper. Catherine Rampell has a story, “Your Health Data Plugged In to the Web: Microsoft Promises Privacy on New Portal.”

Microsoft (as well as Google and AOL) are working on projects (HealthVault from Microsoft; “Revolution Health” from Google down the road) to automate health care information, and allow patients and health care providers to maintain patient care information on secure websites. The main area where systems development and growth are needed seems to be secure automation of medical records feeds (as with XML). There a specific legal requirements from HIPAA (Health Insurance Portability and Accountability Act) that would have to be met. But the innovation could be important in controlling health care costs, and such a system could be as safe as the clumsier manual paper system.

No comments: