December 10, 2009

Identity and Leadership: Sorely Lacking the Latter

Blogger: Kevin Kampman

Last weekend, my wife and I conducted a whirlwind friends and family tour of western Washington State. Starting Friday morning in Seattle, we drove to Marrowstone Island, then to Glacier via Port Townsend, Deception Pass, and Bellingham.  Saturday we drove to the top of Mt. Baker, then back to Tukwila. Sunday, we were off to Carnation (just east of Redmond) to visit a horse we helped the Cowgirl Spirit Rescue Drill Team save from slaughter. We met with Juliane and JJ, and turned out Bazkheno DaVinci (you thought only people had naming issues) onto a 20 acre lot with five other rescue horses. It is a sad situation that trained horses like Baz turn up at auction; sadder still that many of them turn up as someone’s dinner.  


Sunday evening we had a fine Italian dinner with my wife’s family in Seattle; no pets were on the menu. I did have a conversation about the IT and business divide with one of my cousins, from a business perspective. More about that, later.

Bazkheno
Bazkheno DaVinci (grey horse at center) and other rescues, Carnation WA


So, where am I going with this? Burton Group has been following identity, privacy, and electronic health records (EHR) for some time. In particular, the issues around liability and the potential for damages that could occur if patient records aren’t properly managed and protected. There are a variety of solutions coming to market to capture and maintain EHRs; some employers are mandating the use of these services. Microsoft and Google are making significant strides in this area, and Microsoft just made a significant acquisition of Sentillion that bolsters its health care portfolio. Even the government is in the act, providing substantial stimulus money for health records automation.


However, the record on these efforts is not encouraging. In a recent blog: Electronic Health Records: Are They Worth It or Not? by Robert Charette, the author cites research that indicates that while certain efficiencies may be realized by implementing EHR, larger concerns are surfacing about data mining of these records, primarily to benefit insurance and government  entities. The blog goes on to state that EHRs may have little or no impact on the quality of or reducing the cost of health care.  And, the risk remains that this information will be used for purposes other than originally intended. With the large government investment being made to implement these systems, the possibility exists that the investors, managers, and the government will ride roughshod over patient privacy unless powerful oversight over this information is established.

At dinner Sunday evening, we discussed an IT project that is being rolled out to meet an arbitrary schedule. This is in spite of misgivings on the part of business representatives about project preparedness and the potential impact of failure. The point was made that while the project had known issues, there was no one influential or powerful enough to stand up and question the current state of the effort. No one wants to take the fall. The horse is ready to run, so to speak, if only on three legs.  


As part of our current research on governance, we are learning that strategic, shared perspectives about business value and risk throughout projects, programs, enterprises, and communities is frequently lacking. For a business, this is regrettable. When there are life-affecting issues at stake, this is clearly unacceptable. In these situations, governance may not be enough. Leadership skills, advocacy, and authority for those least able to protect themselves are critical. Whether it’s a new financial or patient records system, nothing less is acceptable. Once the horse (or EHR, or any other personally identifiable information) is out the gate, there is little likelihood of bringing it back.

Posted by at 04:01 PM in identity, identity management, identity theft and fraud | | Comments (1) | TrackBack (0)

|

January 22, 2009

The Highest Standards - The Most Trusted Transactions, NOT!

Blogger: Gerry Gebel

"The Highest Standards - The Most Trusted Transactions" That's the slogan on Heartland Payment Systems web site, which is obviously off the mark based on reporting that a massive security breach has resulted because of malware code installed somewhere on their network. The exact extent of the breach is unknown at this time, but the potential numbers are staggering. Heartland processes credit card transactions for 250,000 US merchant locations which amounts to some 100 million transactions per month and 4 billion annually. The malware skimmed the information found on credit card magnetic stripes - card number, cardholder name, and expiration dates - as the data was transmitted from merchants to Heartland's systems.

Heartland's president and CFO, Robert Baldwin, made comments in another article that are unsettling to say the least: "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible," said Baldwin. Based on this assessment, Heartland will not attempt to notify potential breach victims - even if it could identify all of them. It's great that Mr. Baldwin is so confident, but the reality is that a little searching and persistence will connect the Heartland identity "dots" with other pieces of readily available data. To quote my colleague, Kevin Kampman, "The problem here is that little pieces fit together nicely with others, enabling sophisticated thieves to assemble data from seemingly unrelated sources in order to accomplish wider ranging compromises. In their case, every little bit helps. There’s no sense in feeding them more."

Unfortunately, this latest breach highlights the continued vulnerability of our personal data as it transits a myriad of locations and handlers for the purpose of completing seemingly routine transactions. 2009 is not off to a good start, as chronicled by the Privacy Rights Clearinghouse - which doesn't yet include the Heartland incident. Will 2009 be the year when this trend is reversed? So far, the answer is "No"

Posted by at 11:37 AM in Gerry Gebel, identity theft and fraud, privacy | | Comments (0) | TrackBack (0)

|

November 17, 2008

Some change comes with an election, some things never change…

Blogger: Kevin Kampman

When I was very young, I remember coming home from church on Sundays with my father the car salesman. We would drive by the car lot and he’d stop to write down the license plate numbers of people who were there looking at cars. When I asked him why, he said that he would go to the police department and find out who they were. It turns out this was a major source of leads for him, and he was quite successful at following up.

As it turns out, use of license information for personal purposes went out of favor by the time I was married (30 odd years ago). During a stint as a councilman in an Ohio village, I would “run radar” with the local police office on weekends. When I asked if he could check out who owned a certain car, he was adamant that that was not acceptable to run license checks for individuals.

And so, I believed that public servants had the best interests of the taxpayer and consumer in mind by protecting public records from misuse. At least, until Joe the Plumber (remember, Joe Wurtzelbacher?) came along. It turns out that if you become a celebrity, otherwise private information is fair game.

Last week, Helen Jones-Kelley, director of the State of Ohio’s Department of Jobs and Family Services indicated that whenever someone in Ohio draws media attention to themselves, it’s routine to conduct a background check. Ohio Gov. Ted Strickland placed Jones-Kelley on administrative leave, not because of the privacy implications, but the suspicion that a state owned computer or e-mail account was used for political fundraising. Sounds like its time to scratch government as a trusted custodian of public records, at least in Ohio.

So, who CAN we trust? It turns out that last week was a bad one for privacy in the health care industry. Express Scripts, a St. Louis-based pharmaceutical provider, apparently had a number of patient records stolen by an extortionist. Are other large pharmacies far behind? Are our prescription records just waiting to be compromised?

Recently I was at a pharmacy and noticed an interesting product, on the counter just above the prophylactics (hold that thought). A USB memory stick was for sale in association with a service called MedicKey. This company helps you to collect all of your medical records in one place, then carry it around on a portable device. Of course, you pay them to gather the data for you. But, it IS possible. In the case of companies like Wal*Mart, it’s encouraged. Wal*Mart is working with Dossia to provide electronic patient health records to all of its employees, in a manner similar to Google and Microsoft.

What’s coming is exciting and frightening at the same time. Not only are we giving folks options for personal control, we’re also aggregating information into massive targets of opportunity. Given the track records of government and commercial providers, a lot of information is going to be misused and stolen before we establish sufficient controls to protect us from politicians, thieves, and the well-meaning. Just because we don’t know what we don’t know doesn’t mean we should move health records to the control of the patient. I’m not worried about the memory sticks as much as I am the people who prepare them. What kinds of protection do THEY offer?

Posted by at 11:32 AM in identity theft and fraud, privacy | | Comments (1) | TrackBack (0)

|

July 26, 2008

YES! The NRA tackles identity theft…

Blogger: Kevin Kampman

Following my rule of threes (when three related things come to my attention, it is time to blog), I just received a solicitation from the National Rifle Association (NRA) to protect myself from identity theft. No, they aren’t saying to lock, load, and take aim at the identity thieves (which might actually be a good start). Rather, they have joined forces with LifeLock to offer a trial and discount to use LifeLock’s services. In this respect, the NRA is to gun owners what the AARP is to folks over 50 years of age; they see them as a market opportunity.

If you don’t believe me, look at an AARP application. For $12.50, you get your name added to AARP-endorsed mailing lists. If you don’t want to be on the lists, try and find an opt-out option. It’s documented in the privacy policy, but not explicitly called out on the application. So, even though the AARP is a privacy advocate, they don’t conform to their own principles.

It’s really about the money. Your name and information is for sale. People over 50 haven’t learned to avoid this yet, even though older folks are a primary target for identity theft. It’s too bad that the AARP isn’t advocating for its audience, instead of making them targets for identity thieves.

Periodically I receive an application for privacy protection from one of the financial services companies. For $5.95 a month, I can get something similar to LifeLock. My contention, however, is that by collecting and sharing this information, the financial services companies, among others, contributed to our privacy and identity theft problems. Why should I reward them for the disservice? And why would I want to give them more ammunition? An identity protection industry is really the wrong answer.

Today, the identity protection market is so pervasive that you can walk through a supermarket checkout and buy identity theft protection. Whether or not these services provide you real protection and advocacy, or just line someone’s pockets is open to question. The real issue is how to prevent the problem in the first place.

When organizations that have custody of personally identifiable information (PII) exercise due care over what they trust, manage, and share, there will be real progress. One way for that to happen is to impose significant liability and damage claims on firms and organizations that are a party to the inappropriate acceptance, exposure and use of PII. Another would be to develop a consumer-protection discipline in businesses, similar to the Payment Card Industry. For example, business could leverage a sanctioned exchange from an identity oracle on demand, rather than amass and incubate a collection of information about principals that represents a target for compromise. Then we’ll see real improvements in terms of responsibilities and protection. Place the burden of the problem on those who created it. 

(The author is a life member of the NRA; has no affiliation whatsoever with the AARP).

Posted by at 08:34 AM in identity theft and fraud | | Comments (1) | TrackBack (0)

|

July 07, 2008

Physician, heal thyself…

Blogger: Kevin Kampman

In my blog entry about Google and Microsoft’s plans to publish the personal medical records of US citizens on the Internet, I questioned these firms ability to properly protect the privacy of these records. It was only a matter of time before the inadequacies of data protection came to light; it recently happened that Google fell prey to the exposure of employee records (by one of its subcontractors). While no customer information was exposed, this does underscore the need to institute due care for all sensitive identity information. Individuals, legislators, and the medical community should ask very serious questions about the efficacy of these programs before a more damaging breach involving a huge segment of the population comes to pass.

Posted by at 03:07 PM in identity theft and fraud | | Comments (1) | TrackBack (0)

|

February 26, 2008

Third time: Not always a charm

Blogger: Kevin Kampman

Last week was an identity theft week for me. First, I was contacted by a local news reporter for background on who was most vulnerable to identity theft. In the same period, I received a mailing from the US Postal Service with an insert from the Federal Trade Commission on preventing identity theft. I then received a solicitation from a financial institution offering to sell me identity theft insurance. I guess if the fox has to watch the henhouse, it might be worth asking you to pay for the inconvenience…

To top it off, I took notice of the seven-year-old boy in Illinois who was notified by the IRS that he owed $60,000 in back taxes. It appears that a 29-year-old stole the child’s information not long after he was born, then used his identity for jobs, goods, and services. The perpetrator was subsequently charged with felony identity theft. The article does not say if the IRS backed off from trying to collect from the seven-year-old. One can only hope.

It will be really unfortunate if this child bears the stigma and the associated costs of this incident. The truly guilty parties are those who failed to properly vet the stolen identity information in the first place. When business starts to accept their responsibility for accepting stolen identities, we won’t be made to pay for their lassitude, and the chickens will truly be safer.

I am concerned that business and government may both be aligned to blame the individual, when in fact they own the responsibility for the failure to protecting the individual’s interest. Accepting stolen credentials is really their problem. Until we recognize this fundamental characteristic, and the associated changes that need to occur in business and government, stories like this will continue to make headlines.

Posted by at 07:28 AM in identity theft and fraud | | Comments (0) | TrackBack (0)

|

  • Burton Group Free Resources Stay Connected Stay Connected Stay Connected Stay Connected

Categories



Archives

More...

About

Blog powered by TypePad