Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove

Editor’s Note: The US-CERT Monthly Monitor Report for October-December 2012 is attached here.

From: Network World

Homeland Security’s Cyber Emergency Response Team for Industrial Control Systems published a report covering common and sophisticated malware discovered in the ICS environment that targeted America’s critical infrastructure in 2012. Meanwhile at the 29th Chaos Communication Congress, the SCADA Strangelove, or ‘How I Learned to Start Worrying and Love Nuclear Plants’ presentation revealed 20 new SCADA vulnerabilities.

By Ms. Smith

Privacy by the Numbers: A New Approach to Safeguarding Data

From: Scientific American

A mathematical technique called “differential privacy” gives researchers access to vast repositories of personal data while meeting a high standard for privacy protection

By Erica Klarreich and Simons Science News

In 1997, when Massachusetts began making health records of state employees available to medical researchers, the government removed patients’ names, addresses, and Social Security numbers. William Weld, then the governor, assured the public that identifying individual patients in the records would be impossible.

Within days, an envelope from a graduate student at the Massachusetts Institute of Technology arrived at Weld’s office. It contained the governor’s health records.

Physician practices step up data security budgets

From: Amednews.com

The boosts are a result of federal mandates to conduct regular security assessments that help identify vulnerabilities.

By Pamela Lewis Dolan

Most health care organizations, including physician practices, have increased their privacy and security budgets during the past five years and are conducting risk assessments more frequently, according to a new survey from the Healthcare Information and Management Systems Society.

The HIMSS survey, which was conducted with the help of the MGMA-ACMPE, the professional organization for medical group practice managers, found that more than half of the organizations had increased their information technology budgets and resources because of federal initiatives. These include the meaningful use incentive program and the move to HIPAA 5010, a new standard that regulates electronic transmissions of specific health care transactions.

Cybersecurity Threats for 2013

From: Insurance Networking News

Insurers evaluating their clients’ risk exposures are advised to monitor their own cybersecurity exposures, particularly related to mobile and BYOD.

By Pat Speer

As insurers evaluate their 2013 risk management programs, they are faced with a growing concern over the long-term effects of cybersecurity attacks.

This concern is shared by some legislators in Washington; however, in November, the Cybersecurity Act of 2012 (CSA) failed to pass the U.S. Senate. The vote was portrayed as Republican obstructionism, even though five Democrats voted against the bill and four Republicans voted for it, according to the online site The Foundry. Meanwhile, the President has vowed to issue an executive order to implement at least some of the elements of the bill.

GCs report shifting roles in era of regulatory and security concerns

Editor’s Note: GCs are right to worry about the cost and complexity of cyber security regulation. CRE is long on record as stating that 1) federal regulation of critical infrastructure cyber defenses is inevitable; and 2) that regulation needs to be developed and implemented in such a way as to be cost effective. Moreover, CRE has warned that trial lawyers are focusing on cyber security as a new profit center. Companies and regulators will need to work together to develop mechanisms that assure appropriate security while shielding companies from the costs and uncertainties of litigation — costs which are a drain on company resources and thus would benefit the hackers.