December 23, 2007
· by SecurityCatalyst
Merry Christmas and Happy New Year!
Website and Blog Changes
I’m about to update the new website. The blog will be moving to /blog (www.securitycatalyst.com/blog), but the feed of www.securitycatalyst.com/feed/ will continue to work.
The Status of the Book
The manuscript is drafted! I’m now working through the draft to both simplify and enhance the content. We currently expect to have this book heading to the printer by the end of January, so the time is coming close!
2008 is full of excitement
As we wrap up an amazing 2007, I look forward to 2008 with excitement. We’re publishing the book, planning our campaign across America, and will be working to make it easier to protect information, prevent breaches and make a difference. Look for details on the Protecting Information Program and other ways you can get ahead of the curve. 2007 was a year of transformation; 2008 is poised for action, and I can’t wait!
Posted in Information Protection
December 6, 2007
· by SecurityCatalyst
by Patrick Romero
Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed a patient’s medical information.
A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.
In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even though there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good faith.
The case is significant due to its implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was held to be grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to excuse a disclosure of medical information as a mistake or mere negligence.
The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.
More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.
Posted in Information Protection, compliance
December 3, 2007
· by SecurityCatalyst
The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, how you address “feedback” is crucial to your success. When we learn new concepts and try new ideas, we need constructive feedback to keep motivated and provide guidance. I’ve noticed that many of the security awareness training programs I assess use punitive measures to show users when they do something wrong — things like red tape flags when people violate a clean desk policy.
Not surprisingly, these measures often fail and wind up polarizing your users against your efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.
Information to Reinforce Good Behavior
Recently, USA Today ran a story entitled “Pedometers may encourage weight loss” (by Carla K. Johnson, Associated Press Writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with pedometers, a pedometer is a simple device that can be worn on the belt and, when adjusted to your stride, helps measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).
Five Lessons Pedometers Teach Us about Security Awareness Training
1. The pedometer provides an unobtrusive (and generally trusted) measure of the person’s actions. Further, they can choose to share or keep their results private.
2. Most users keep a log of their “steps” per day - helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.
3. Most of us are motivated by a challenge - using a pedometer encourages the wearer to “take a few more steps.” Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!
4. The challenge can be spread to others. Everyone likes healthy competition.
5. Users are aware, they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.
Once you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.
Posted in Security Awareness Training