"The United States healthcare system is marching diligently toward a more connected system of care through the use of electronic health record systems (EHRs) and electronic exchange of patient information between organizations and with patients and caregivers. The Patient Identification and Matching Initiative, sponsored by the Office of the National Coordinator for Health Information Technology (ONC), focused on identifying incremental steps to help ensure the accuracy of every patient’s identity, and the availability of their information wherever and whenever care is needed. Matching records to the correct person becomes increasingly complicated as organizations share records electronically using different systems, and in a mobile society where patients seek care in many healthcare settings. Many healthcare organizations use multiple systems for clinical, administrative, and specialty services, which leads to an increased chance of identity errors when matching patient records. Additionally, many regions experience a high number of individuals who share the exact name and birthdate, leading to the need for additional identifying attributes to be used when matching patient records. […] Driven by concerns for patient safety in the event of mismatched or unmatched records and the national imperative to improve population health and lower costs through care coordination, this initiative studied both technical and human processes, seeking improvements to patient identification and matching that could be quickly implemented and lead to near-term improvements in matching rates."
"The NAID-ANZ Secondhand Hard Drive Study, completed in January 2014 and published 19 Feb., showed that 15 of 52 hard drives randomly purchased, approximately 30 percent, contained highly confidential personal information. While seven of the 15 devices were recycled by individuals, eight were recycled by law firms, a government medical facility, and a community centre. These study results come just before the new Privacy Act reforms will be effective 12 March, requiring organisations to safeguard people’s personal information."
"The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. The Executive Order also requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. While processes and existing needs will differ, the Framework can assist organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program."
"The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. […] More than 380 unique victims in 31 countries have been observed to date. What makes ‘The Mask’ special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS). […] When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."
"Therein lies the two contrasts starkly evident within data privacy news in 2013: The attempts to direct and curb behavior at a government level that sometimes take years between passage and force […] contrasted with the matter of weeks it took one individual to collect and disseminate tens of thousands of ostensibly extraordinarily sensitive documents. The concerted efforts within the EU to even propose a new standard law for data privacy again contrasted with the efforts of one individual to undermine years of U.S.-EU negotiation, diplomacy, and representations. 2013 was the year big data, concerns about data privacy, and one man proved Archimedes’ assertion from ~250 BC; with at least 57,974 or so documents still awaiting release, 2014 should shape up to be even more
"As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol - the dominant card payment system worldwide - does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly."
"Using methods ranging from the socially engineered theft of passwords and credentials to stealthy, hide-in-plain-sight infiltrations that execute in minutes, malicious actors continue to exploit public trust to effect harmful consequences. However, the trust problem goes beyond criminals exploiting vulnerabilities or preying on users through social engineering: it undermines confidence in both public and private organizations. Today’s networks are facing two forms of trust erosion. One is a decline in customer confidence in the integrity of products. The other is mounting evidence that malicious actors are defeating trust mechanisms, thus calling into question the effectiveness of network and application assurance, authentication, and authorization architectures."
"Data classification has been used for decades to help large organizations such as Microsoft, governments, and military entities manage the integrity of their data. This paper provides readers with an introduction to the fundamentals of data classification and highlights its value, specifically in the context of cloud computing. Organizations that are assessing cloud computing for future use or organizations that are currently using cloud services and seeking ways to optimize data management will benefit most from this paper."
"This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to support users to make an informed trust decision about Web services and their providers with respect to the provided security and privacy. This report is motivated by the numerous policy documents that mention marks, seals, logos, icons (collectively referred to as OSPS) as a means enabling users to judge the trustworthiness of services offered on the Web. The field of OSPSs has also developed in maturity. Therefore, we aim at analysing the current situation and identifying key challenges for online signals in practice. Based on these challenges, this report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should follow for enabling users to judge the trustworthiness of services offered on the Web."
"This paper is built around three cornerstones: interviews with IT managers in companies with 200-1,000 employees, our implementation of changes to password authentication systems, and security analysis of passwords. The paper covers some of the real-world experiences we have gained in the last 6 months and uses them as a background for a common understanding of passwords and for building a simple threat model. The second part of the paper explores options for improving password security while preserving existing infrastructure. We are interested in schemes that can be used in existing password-based systems, from Windows AD-based systems, to cloud-based applications."
"Are we facing a BYOA (Bring Your Own Application) revolution, in which employees claim the right to choose the tools with which they get their work done, while IT scrambles to protect corporate assets? The revolution is already here, according to the results of a recent Stratecast survey. Thanks to the ease of access to Software as a Service (SaaS) applications, even nontechnical employees feel comfortable and entitled to choose their software - and they are doing so in droves. In many cases, IT departments and security officers are unaware of the extent of ‘shadow IT,’ and therefore unprepared to deal with it."
"Nowadays, a serious concern about cloud computing is the protection of clients’ data and computations against various attacks from the cloud provider’s side as well as outsiders. Moreover, cloud consumers are rather limited in implementing, deploying and controlling their own security solutions in the cloud. In this thesis, we present a cloud architecture which enables cloud consumers to securely deploy and run virtual machines in the cloud, in which the complete deployment lifecycle is considered, and with a special focus on both the malicious insider as well as the external attacker."
"As the demand for sustainable, low-carbon driving solutions is increasing, the electrification of vehicles, called electro mobility or eMobility for short, is the next big milestone for the automotive industry. Vehicle manufacturers, power grid operators and energy companies are devising approaches to integrate electrical vehicles with the power grid. Connecting electrical vehicles to the energy grid and the Internet poses several advantages for the driver, vehicle manufacturers and grid operators. Yet, these approaches need to be compatible, secure and privacy-preserving. This master thesis investigates the security and privacy challenges of electric mobility and focuses on the design, implementation, and evaluation of a privacy-enhancing charging solution for electric vehicles."
"The number of standards relating to cyber security in some form exceeds 1,000 publications globally. This makes for a complex standards landscape. Despite the quality and general applicability of most individual standards, there was no comprehensive standard identified that provided a ‘one size fits all’ approach. Conversely the complex landscape made it difficult for organisations to identify the standards relevant to their organisation and business activities. […] While many organisations implement cyber security standards to some degree, the majority partially implement the controls deemed relevant and self-certify this compliance. Only a small proportion invests in gaining external certification."
"The number of security breaches affecting UK business continues to increase. […] The rise is most notable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations. […] In total, the cost to UK plc of security breaches is of the order of billions of pounds per annum - it’s roughly tripled over the last year."