In a new and revised format, SANS along with MITRE has published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community (including corporate, non-profit and government entities). As this announcement publicizes some new standards efforts that many of us will undoubtedly hear a lot about in the coming months, … →
The LuLz Boat has Sailed
Over the weekend the Lulz Security guys called it quits. Their last release came on the 50th day since they started their escapades. It isn’t clear if they had intended from the start to only exist for 50 days, but after DDoS’ing cia.gov they had escalated their wanted status to critical and it was likely only a matter of time before they were going to be caught. They leave in their wake a trail of destruction which includes some huge … →
International Monetary Fund Breach – mum’s the word from the I.M.F.
The New York Times reported this weekend on a potentially serious breach at the International Monetary Fund (I.M.F.). The Times reports that the breach occurred perhaps several months ago, yet the fund only disclosed this to internal staff and board members on Wednesday. Other than the report from the Times, there is not a lot of available information about the incident. The I.M.F. itself has made no public statement about the breach. Surprising for an organization that is capable of a half-dozen … →
Does a HIPAA Security Risk Analysis cover Certification of EHR Technology?
To qualify for Meaningful Use, an organization must use an approved EHR application. The standards that EHR technology must meet to be approved for Meaningful Use are defined in 45 CFR 170.302. We are often asked whether our HIPAA Risk Analysis covers certification of their EHR technology to 45 CFR 170.302 (General certification criteria for Complete EHRs or EHR Modules). The short answer is no. That scope of work has already been completed. Here is how the EHR technology certification … →
RSA: More concerned with their revenue than your security?
The RSA breach, their initial reaction, and their follow-up communication regarding the Lockheed Martin attack (which they admit is related to the initial RSA breach) make us question their priorities. Revenue and brand come first. Customer security is second. Of course both of these are interrelated: you surely can’t build a robust security brand given security incidents like this, and RSA’s brand is forever tarnished by this breach. Nonetheless, in the short term RSA’s reaction to this incident clearly … →
A “Sea Change” in HIPAA Security – Why Business Associates Should Be Pro-Active About Security Risk Now
A recent report suggests that nearly 40% of data breaches of protected health information occur at third-party companies entrusted by health care providers with sensitive data. A striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements have been without the benefit of additional enforcement or … →