Data Breaches and Privacy Concerns: An Overview
Privacy expert Marilyn Prosch, Ph.D., sheds light on the significant issue of privacy, emphasizing recent data breaches in various institutions and outlining some alarming cases where sensitive information was compromised. The incidents range from stolen laptops and office break-ins to mishandling of paper-based records, highlighting the pervasive nature of privacy violations affecting thousands of individuals.
PRIVACY Marilyn Prosch, Ph.D., CIPP Arizona State University W.P. Carey School of Business Department of Information Systems Member AICPA/CICA Privacy Task Force
IS PRIVACY REALLY ALL THAT BIG OF A PROBLEM?
DATA BREACHES: WHERE IS THE HORSE? Some of the reported incidents that have recently occurred.
Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System Swedish Medical Center Univ. of Pittsburgh, Med. Center St. Rita's Medical Center Beaumont Hospital Univ. Calif. Irvine Medical Center Baystate Medical Center Baylor Health Care System Inc. Sisters of St. Francis Health Services via Advanced Receivables Strategy DCH Health Systems Mercy Medical Center Group Health Cooperative Health Care Cedars-Sinai Medical Center Johns Hopkins Hospital System Southwest Medical Association Allina Hospitals and Clinics CBIZ Medical Management Professionals Prudential Financial Inc. Wuesthoff Medical Center Northeast Orthopaedics DePaul Medical Center Massachusetts General Hospital Christus Health Care Beacon Medical Services Seton Healthcare Network University of Pittsburgh Medical Center Kaiser Medical Center St. Anthony Central Hospital McAlester Clinic & Veteran's Affairs Medical Center Blue Cross/Blue Shield Akron Children's Hospital Highland Hospital Back and Joint Institute of Texas Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems Palo Alto Medical Foundation Cleveland Clinic Gulf Coast Medical Center Jacobs Neurological Institute Erlanger Health System Parkland Memorial Hospital Westerly Hospital Deaconess Hospital CVS Pharmacies WellPoint's Anthem Blue Cross Blue Shield Health Resources, Inc. Moses Cone Hospital Kanawha-Charleston Health Dept. South County Hospital Kaiser Permanente Colorado Concord Hospital Harris County Hospital Providence Alaska Medical Center Swedish Urology Group Intermountain Health Care Stevens Hospital via billing company Med Data Gundersen Lutheran Medical Center Catskill Regional Medical Center New Hampshire Dept. of HS St. Mary's Hospital, MD Womancare Inc. WorkCare Orem North Carolina Dept. of HHS St. Vincent Hospital Mary Washington Hospital Sky Lakes Medical Center via Verus Inc New Hampshire's Lakes Region General Hospital Wellpoint's Empire Blue Cross/ Blue Shield NY Grady Memorial Hospital Segal Group of New York via web site of Vermont agency Georgia Dept. of Community Health Peninsula Orthopaedic Associates Healing Hands Chiropractic
Some of the causes!
A Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. 3,200 people affected.
Laptop stolen from an employee's car. 14,000 people affected.
Laptop stolen from an employee's car. 9,300 people affected.
Office broken into and computer stolen. Unknown people affected.
Office broken into and laptop stolen. 1,000 people affected.
Tapes stolen while in transit. 100,000 people affected.
Paper-based records left on a train by an employee. 56 people affected.
Child welfare worker's records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house.
Paper-based records stolen from an employee's car. 242 people affected.
Records posted on the Internet. The records appeared on a Web site visvabpo.com, which was a defunct company in India. 1,000 people affected.
Documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. Unknown people affected.
A woman was fired for allegedly spying. The employee had access to company files. 431 people affected.
Medical records were improperly disposed of when left in a dumpster behind the office.
PRIVACY: AICPA/CICA DEFINITION Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.
Rights and Obligations
Organizations:
Establish and communicate its privacy policies and commitments to the individual.
Provide choices or seek consent for the use of the personal information.
Collect, use, retain, and disclose personal information according to its privacy policies and commitments.
Allow the individual to update or correct personal information that is used by the organization.
Protect the personal information from unauthorized use and disclosure.
Otherwise adhere to its policies, applicable laws and regulations, and other agreements with the individual.
Individuals:
Be aware of the organization's privacy policies.
Provide accurate and appropriate information suited to the purpose for which the information is needed.
Notify the organization of inaccuracies in or changes to personal information used by the organization.
Adhere to applicable laws and regulations, and other agreements with the organization.
WHAT IS THE RELATIONSHIP BETWEEN PRIVACY AND SECURITY?
SECURITY, AS IT RELATES TO PRIVACY Security of processes and technologies is a necessary, but not sufficient, condition of privacy. [Diagram labels: Security; Privacy Enhancing Technologies; Policies & Procedures; Privacy]
WHY SHOULD SYSTEMS PROFESSORS/PRACTITIONERS CARE ABOUT DATA PROTECTION AND PRIVACY?
LAST WEEK: VIRGINIA PRESCRIPTION MONITORING PROGRAM DRUG DATABASE HACKED Data hijackers deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records. The database of prescriptions had been bundled into an encrypted, password-protected file, and payment of the ransom would yield the password to decrypt it. Their backups seem to have gone missing, too. http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html?wprss=securityfix
REASONS With enterprise systems, personal information (PI) is commingled with accounting transactions. Much PI is part of accounting transaction data. Data has value, and that value can be an asset or a liability. Good internal controls are a mechanism for protecting all assets.
WHAT IS GAPP? Generally Accepted Privacy Principles. Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs.
AICPA/CICA GENERALLY ACCEPTED PRIVACY PRINCIPLES Available for free download and use. 10 principles of privacy and 66 criteria (soon to have an additional 8 criteria once the new exposure draft has finished the review process). http://infotech.aicpa.org/Resources/Privacy/
WHAT ARE THE PRINCIPLES?
1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4. Collection: The entity collects personal information only for the purposes identified in the notice.
5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
WHAT ARE THE PRINCIPLES? (continued)
6. Access: The entity provides individuals with access to their personal information for review and update.
7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
COMPONENTS OF GAPP Consistency of Commitments With Privacy Policies and Procedures; Infrastructure and Systems Management
WHY HAS THE AICPA/CICA ISSUED AN UPDATE TO GAPP IN THE FORM OF AN EXPOSURE DRAFT?
CONTINUOUS IMPROVEMENT OF GAPP Major changes: modification of 2 criteria; 8 new criteria
WHAT IS THE GLOBAL PRIVACY STANDARD?
GLOBAL PRIVACY STANDARD Final version of the GPS was formally in the United Kingdom, on November 3, 2006, at the 28th International Data Protection Commissioners Conference. Championed and developed by Commissioner Ann Cavoukian, Ontario. 10 Principles.
WHAT ARE THESE NEW RED FLAG RULES THAT ARE IN THE NEWS?
NEW RED FLAG RULES EFFECTIVE MAY 1, 2009: POSTPONED UNTIL 8/1/2009 Require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. Originally effective May 1, 2009. The program can be different, depending on the organization's size and complexity. Thus, a small physician practice might have a much different program than a large hospital. Programs should include four basic points/steps, which could be covered under one or multiple policies. http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/
4 REQUIRED STEPS Identify Common Red Flags; Detect Red Flags; Responses to Red Flags; Program Execution and Updates. http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/
WHAT IS THE RELATIONSHIP OF PRIVACY AND OTHER MORE TRADITIONAL AREAS OF AIS, AUDIT, AND ASSURANCE?
THE PRIMARY LINK TO THESE 3 AREAS IS effective internal controls! GAPP provides tangible criteria that can be audited and about which assurances can be made.
3 TRICKS TO GETTING HORSES BACK IN THE BARN & KEEPING THEM THERE
Teach your horse that you are in control over him/her. Corporate culture towards the use and management of personal information will likely have to change. Who owns and controls the data?
Make it dang hard for the horse to do the wrong thing. Implement privacy enhancing policies, procedures, and controls.
Ride a lot! Test the use and management of your data frequently.
WHAT ARE SOME RESEARCH OPPORTUNITIES?
IMPLICATIONS FOR CA/CM RESEARCH
Descriptive research: What are companies actually doing? Are they aware of the issues? If so, how are they handling these issues? Are they using some kind of data masking during these processes?
Normative research: How can we build privacy protection into processes? Data tagging and masking; data replication (logging); security around possession and handling; data life and destruction techniques (poison pills).
FURTHER QUESTIONS? marilyn.prosch@asu.edu twitter.com/ProfofPrivacy