2008 HIPAA Summit and Privacy Symposium: Day Three

I Want Your Data

(I’m attending this conference at Harvard University and will do some live blogging here as the mood or content strikes me. One of my reasons for being here is to make sure I’m up-to-date on HIPAA privacy and security requirements and to get a reality check on the emerging issues.)

Yesterday’s session fulfilled most of my expectations of what a great conference can bring to exploring ideas and opening up new areas of inquiry in a topic – privacy – that is getting beat to death every day with tired clichés. So here’s hoping today’s speakers will help get us to the same level.

7:40 am Set up at the Harvard Faculty Club again, plugged in, with good wi-fi. Coffeed up as well.

7:55 am (Marc Rotenberg) will overview the Electronic Privacy Information Center (EPIC) 2008 initiative to get privacy into the Presidential Campaign.

8:00 am This is a prime moment, and this is the first audience, to launch “Privacy 08”. How do you get an issue into the race? We want it to be a grass roots campaign rather than the policy paper approach. We’ll get a button and a cool logo. Met with representatives of the campaigns of both parties, and positions have been written by both sides. Have even set up a Facebook cause and a Twitter “Privacy 08”! Got a “Privacy 08” internet domain and are planning events to raise awareness. Will be getting materials to the political party conventions, and then holding a Candidate Forum. Will also use YouTube and questions sought from online audiences to pose to candidates. Rotenberg reviews some of the questions already submitted that they will ask the candidates, such as, “Should US firms sell surveillance technologies to the Chinese government?” “Do you believe that the Constitution limits the ability of the President to conduct warrantless wiretapping?”

8:30 am (Jeff Rosen) What is the future of privacy? Is it dead or on the verge of a dramatic resurrection? The truth is more complicated. Citizens want contradictory things. They don’t care until their privacy is threatened; then they care a lot. He sees 5 possible privacy Chernobyls:

  • Behavioral Targeted Advertising: Leaking of that tracking data (danger of being judged “out of context”).
  • Search Terms: Massive data leak of search terms.
  • Facebook: Not a privacy free-zone. For example, the Beacon scandal: exposes your purchases to your friends without your knowledge.
  • StarWars Kid: A private video was placed on the internet without permission, followed by much embarrassment (and a lawsuit).
  • Ubiquitous surveillance: Public likes the “security theater” of public video anti-crime surveillance. Could move from ‘closed circuit’ to ‘open circuit’. Google live-feeding public surveillance video is a definite possibility.

9:00 am (James Koenig) Talks on the “New, New Thing in Privacy.” Five things to consider now!

  • Impact on privacy associated with the slowdown in the economy – Business goals versus privacy goals when companies are under financial pressure. Resources to prevent privacy breaches may be pulled back. More aggressive marketing techniques may ignore privacy concerns. Privacy officials could be eliminated or downgraded.
  • Global expansion for new markets and operations – Privacy rules and cultures are not the same. Lower safeguards and infrastructure in Asian countries. China does not have a lot of privacy law history but this is changing. Public pressure is building for a comprehensive China privacy law. Or what about the tougher European standards? What is a privacy official to do? You will need a fleet of lawyers if you want to create a uniform business practice and it is quite difficult to set up a coordinated business governance structure for privacy.
  • New Identity Theft Techniques – Number 1 FTC complaint! Impacts 5% of the US a year. Credit card fraud etc. Much of it comes from paper records and knowledgeable insiders, who cause many ID theft events!
  • New Health care information laws driving disclosures and other risks – Electronic medical records (EMRs), personal health records (PHRs) pose more risks for breaches of medical information. Privacy legislation is on the move in the US Congress as we see in new laws on genetic information.
  • Class action and litigation relating to privacy – A definite building impact on corporate behavior.

9:40 am Panel of various speakers on privacy advocacy issues and challenges.

  • Convincing officials, policy makers that privacy is not an obstacle but a way to move health information technology forward.
  • Privacy law is largely administrative and regulatory. What if the agency has a bad record? Congress wants to move forward through statute. A challenge for advocates.
  • HIPAA is not necessarily always a good thing. Many say HIPAA is enough. No more. Nobody wants to go back there politically, especially those who want health IT to move fast. Entrenched health interests do not want to reopen privacy. They’ve adjusted and want to keep it that way.
  • Fake (Synthetic) identity theft – Fake private information to get credit cards. Not a mainstream issue but an opening into the technology that allows for entry into real ID theft/privacy issues.
  • Chief privacy and security official roles are changing – focusing on breach prevention and response.
  • How to get market competition on privacy – Car companies now compete on safety. What about businesses competing around their ability to secure the privacy of your data?
  • There are a lot of independent characters in this field and they are not well funded. Privacy advocates are usually not represented in conferences like this one and have been totally shut out of the debate in Washington. They blame us for HIPAA. Do we threaten corporate and government interests?
  • People need to see the nexus between privacy and civil rights. The debate and convergence is evolving.

11:15 am (Ken Anderson, representing the Ontario Privacy Commissioner) “Privacy by design, build it in”. For example, use privacy audits and privacy impact assessments. Transformative Technology: Make the technology work for you (for ensuring privacy). Take a pragmatic approach. How to transform video surveillance technology, for example? Short retention time of video, frequent privacy audits, ensure adequate oversight, prevent voyeurism by using technology that blocks/unblocks face recognition.

(Need to break for lunch)

1:35 pm The afternoon sessions will focus more on security issues related to HIPAA starting with an introduction and overview (John Parmigiani).

Where are we today? We have spotty compliance with HIPAA. Is 2008 a year for HIPAA enforcement? GAO and OMB scrutiny? OIG and CMS audits? New political pressures (a new national election and health care reform) and state data protection laws are entering the mix. We have an increasing number of data breaches. Medical identity theft is rising (est. 1,000,000 incidents in 2008). The usual suspects are insiders, but there are new “outside” threats for medical identity theft from abroad and various black markets selling medical IDs. Mobile devices and remote access pose their own challenges, as does the changing regulatory landscape. EMRs, PHRs, Google Health, Microsoft HealthVault and the general push for E-health present new security issues. Corporate governance is driving compliance, as are incentives, patient safety and consumers themselves.

2:00 pm (Kate Boren) Talking about security issues in working offsite. Hard enough to do in-house IT controls without looking beyond. Management often would look the other way when it comes to offsite work – a head-in-the-sand approach. We have to be proactive to protect information. HIPAA requires the protection of all devices, media and their surrounding conditions. What about personally owned devices, public kiosks, wireless networks, hotels, airports, etc.? Do you know who works offsite? How do you identify users? Who should own the devices or laptops? We’ve got to recognize the situation. There is considerably more risk when you go outside the corporate home. There are many vulnerabilities and threats to the confidentiality, integrity and availability of our sensitive information. We have to be aware of them and manage them. CMS security guidance came out in December 2006. We are still seeing 1 or 2 security incidents each month reported in the press regarding remote access/media.

Well that’s it for now. It’s been a terrific conference. Back to BAU — Blog as usual.