3 Key Security Stories
New Guidance, Fines, Legislation Top the News
The first, of course, is from the banking industry, where we find the draft of the FFIEC's new Interagency Supplement to Authentication in an Internet Banking Environment. I'm actually a little stunned that this story hasn't become a bigger deal. This draft guidance represents the first time banking regulators have addressed authentication since 2005 -- easily one of the most eagerly awaited pieces of guidance in years. And it seemingly was released by accident back in December.
I first heard about the draft guidance at RSA Conference 2011, where information security leaders were abuzz about the FFIEC's recommendations. It seemed to me, in fact, that it was easier to count who hadn't seen the draft guidance than who had.
Since then, we've published the draft's highlights and waited to see what would happen next. Would the draft's disclosure be a big deal? Would we see the expedited release of the final guidance? So far, nada.
From our own reporting, it's clear that the reviews are mixed. Some observers feel the FFIEC's draft language is unclear regarding the protective measures banks should take. Meanwhile, at least one fraud victim believes we're headed in the right direction toward protecting commercial accounts from corporate account takeover.
Me? I just want to see the final guidance released, so banking institutions know exactly what their expectations are and can begin to respond.
HIPAA Violations, Fines
Over on the healthcare side of the house, I'm following the stories of two large organizations fined for violations of the HIPAA privacy rule.
First, Cignet Health of Prince George's County, Md., was fined $4.3 million for violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.
Just days later, regulators announced that Massachusetts General Hospital and its physicians organization have entered into a resolution agreement that calls for paying a $1 million settlement and taking corrective action to avoid future violations. The case involved the loss of documents that included information on patients with HIV/AIDS.
These findings and fines are a big deal. As Executive Editor Howard Anderson points out in a new blog entry, "The most powerful way to help ensure HIPAA compliance is for some organizations to get hit with well-publicized penalties. These two new cases, and perhaps others to come, could be powerful compliance catalysts."
Stay tuned. If we've learned one thing about healthcare information security over the past year or so, it's that the U.S. federal government doesn't take risks or breaches lightly. I expect we'll see additional headlines.
It's Cyber Bill Season
Finally, from the government sector, comes the latest wave of legislation looking to establish federal cybersecurity policy.
The Cybersecurity and Internet Freedom Act of 2011, introduced in the U.S. Senate by co-sponsors Susan Collins, R-Maine, and Thomas Carper, D-Del., would (among other things) establish a White House Office of Cyberspace Policy, with its Senate-confirmed director to have influence over agencies' IT security budgets. The bill also would reform the way IT security is governed in the federal government, emphasizing real-time monitoring of government IT systems and a move away from paper compliance. And it would require each agency to designate a qualified, senior official as chief information security officer.
The bill's likelihood of passage? That's anyone's guess. As you know, starting at the White House itself, cybersecurity has never been a higher priority for federal officials, and yet we got through 2010 with nary a cyber bill being passed. As CSC's Sam Visner told me in a video interview at RSA Conference 2011, the road to cyber legislation is steep and will be clogged with a lot of traffic in 2011.
For updates on these and other key stories, stay tuned to the Information Security Media Group family of news sites.