82 percent of IT leaders consider security a top priority

January 26, 2015

Summary: Tech Pro Research’s latest report shows how the technology landscape will evolve over the next three years, identifying the products and vendors that will stay relevant, and those that will become obsolete.

Technology is no stranger to change. To make the right technology decisions, IT leaders need to know how the technology landscape will evolve, which products and vendors will stay relevant, and what companies and IT departments will do to stay on top of the game and embrace change.

Tech Pro Research conducted an online survey in September to find out what is predicted for the future of IT. The resulting report, IT Leaders’ Tech Predictions for 2015-2018, gleaned results from 418 survey respondents. CXOs and non-CXOs were polled, and the results compared to get their views on what the next three years will bring. The opinions of the two groups were largely the same, but some interesting insights can be gleaned from where they differed, showcasing business leader priorities as well as those in the various fields and trenches of IT.

Key findings include:

  • Improving security, lowering costs, improving applications to match business processes and project management are company priorities.
  • Increasing productivity through technology and improving efficiency and business processes are key issues for IT departments.
  • Moving data and services to the cloud is seen as important (more so by CXOs), but there is also a level of dedication to in-house systems and servers, which is based on a certain degree of skepticism.
  • Cloud computing turbulence is expected and a push to on-premises software may take place.
  • The Internet of Things is strongly expected to take off.
  • There is more faith in the future of Linux desktops than in the possibility of Apple surpassing Microsoft in the enterprise.
  • Security, mobility and big data are the top three technologies to watch.

Security is a top company priority

TPR technology priorities chart

$10 Million Fine in Improper Disposal Case

January 15, 2015

Safeway Cited in Handling of Pharmacy Records, Waste

January 14, 2015.

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California’s Confidentiality of Medical Information Act.

Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney’s Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von’s, Pavilions and Pak ‘n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators – who examined retail store waste taken to landfills – found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

“The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers’ confidential medical information,” says the Alameda County district attorney’s statement. “Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste.”

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or “making indecipherable” patient and other consumer personal information before disposing of it, Mifsud says.

“There’s a risk of identity theft committed by dumpster divers, and unfortunately by some employees,” he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 – the same day the suit was filed by the district attorneys against Safeway – the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California’s medical confidentiality laws, Mifsud says.

N.J. Law Requires Insurers to Encrypt

January 13, 2015

New Requirement Goes Beyond HIPAA

January 12, 2015.

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers – a stronger requirement than what’s included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

The law applies to “end user computer systems” and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual’s first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver’s license number or State identification card number; address; and identifiable health information.

Different than HIPAA

“The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption,” privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”

Greene points out that because the new state law is tougher than HIPAA, “A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law.”

– Healthcare Info Security
