Friday, June 26, 2009

Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths

US-CERT is aware of public reports of an increased number of spam
campaigns, phishing attacks, and malicious code that use the recent
deaths of Michael Jackson and Farrah Fawcett as a lure. These email
messages may attempt to collect user information through phishing, or
may simply confirm that an email address is live when the recipient
replies. Additionally, messages may carry malicious code directly, or
may link to a seemingly legitimate website that hosts malicious code.

US-CERT would like to remind users to remain cautious when receiving
unsolicited email. Users are encouraged to take the following measures
to protect themselves from these types of attacks:
* Do not follow unsolicited web links received in email messages.
* Install and maintain up-to-date antivirus software.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.
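The advice above is to not follow unsolicited links because the message text often names one site while the link actually goes somewhere else. The following is an added example, not code from the US-CERT alert, that applies three simple checks to the anchors in an HTML mail body: a raw IP address as the target, a fake host name smuggled into the userinfo part of the URL, and visible text that names a different site from the href. The message body, every domain in it and the registered-domain heuristic are constructed for illustration (203.0.113.7 is a documentation address).

```python
# Added example (not from the US-CERT alert): flag the kinds of deceptive
# links phishing mail relies on. SAMPLE_BODY and every domain in it are
# constructed for illustration; 203.0.113.7 is a documentation address.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name: a crude stand-in for a public-suffix
    lookup, which is enough for the hypothetical domains used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Heuristic: something that looks like a host name in the link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def suspicious_links(html_body):
    """Return [(href, reason)] for anchors that look deceptive."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        url = urlparse(href)
        host = url.hostname or ""
        if not host:
            continue  # relative or mailto: links are out of scope here
        if is_ip_literal(host):
            findings.append((href, "target is a raw IP address, not a named site"))
        elif "@" in url.netloc:
            findings.append((href, "userinfo before the host hides the real destination " + host))
        else:
            shown = DOMAIN_IN_TEXT.search(text.lower())
            if shown and registered_domain(shown.group(1)) != registered_domain(host):
                findings.append((href, f"text shows {shown.group(1)} but target is {host}"))
    return findings


# Constructed sample: three deceptive links and one honest one.
SAMPLE_BODY = """\
<p>Exclusive video from the memorial. Click to watch:</p>
<a href="http://203.0.113.7/video.exe">http://tribute-news.example/video</a><br>
<a href="http://login.update-account.example/">https://www.yourbank.example/login</a><br>
<a href="http://www.yourbank.example@update-account.example/">Secure login</a><br>
<a href="https://www.example.org/">https://www.example.org/</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY):
        print(f"SUSPICIOUS {href}: {reason}")
```

The three checks are deliberately cheap and catch only the crudest tricks; lookalike domains that are registered legitimately (a different registered domain that merely resembles the real one) need a reputation source or a public-suffix list, which this example does not have.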

Wednesday, June 24, 2009

Sharing data on health with patients: An IT policy question

I saw this article about IT policy in health service delivery. Considering that we are in a health science center, maybe we ought to be aware of some trends in other countries.

Original article follows:
A new push for health data rights
by Dana Blankenhorn

A coalition of health IT reformers today offers a Bill of Health Data Rights aimed at moving the heart of the health IT debate away from doctors and insurance companies, toward patients.

This is the brainchild of former Google Health executive Adam Bosworth and Patientslikeme co-founder James Heywood. My copy was forwarded by David Kibbe.

The actual proposal is postcard simple:

In an era when technology is allowing personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. All people:

  • Have the right to their own health data.
  • Have the right to know the source of each health data element.
  • Have the right to take possession of a complete copy of their individual health data, without delay, at minimal or no cost. If records exist in computable form, they must be made available in that form, without delay, at minimal or no cost.
  • Have the right to share their health data with others as they see fit.

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

The expected reaction from the industry is “yeah, but.” Yeah, but it’s not that simple. Yeah, but most people don’t care. Yeah, but how do you express that in software.

The hope is that the principles behind HIPAA can be maintained while the costs of HIPAA, and the use of it as a smokescreen for Luddism by the health IT industry, can be forgone.

That’s a big hope for such a short document.

I’m afraid that if this became part of some law passed by Congress it certainly would become a new HIPAA law. But if NCHIT David Blumenthal can convince the President to make this part of an executive order, something that exists in spirit and is defined on-the-fly, it might be worthwhile.


Friday, June 5, 2009

Good Security Habits

Cyber Security Tip ST04-003

There are some simple habits you can adopt that, if performed consistently,
may dramatically reduce the chances that the information on your computer
will be lost or corrupted.

How can you minimize the access other people have to your information?

You may be able to easily identify people who could, legitimately or not,
gain physical access to your computer—family members, roommates, co-workers,
members of a cleaning crew, and maybe others. Identifying the people who
could gain remote access to your computer becomes much more difficult. As
long as you have a computer and connect it to a network, you are vulnerable
to someone or something else accessing or corrupting your information;
however, you can develop habits that make it more difficult.
* Lock your computer when you are away from it. Even if you only step away
from your computer for a few minutes, it's enough time for someone else
to destroy or corrupt your information. Locking your computer prevents
another person from being able to simply sit down at your computer and
access all of your information.
* Disconnect your computer from the Internet when you aren't using it. The
development of technologies such as DSL and cable modems has made it
possible for users to be online all the time, but this convenience comes
with risks. The likelihood that attackers or viruses scanning the
network for available computers will target your computer becomes much
higher if your computer is always connected. Depending on what method
you use to connect to the Internet, disconnecting may mean disabling a
wireless connection, turning off your computer or modem, or
disconnecting cables. When you are connected, make sure that you have a
firewall enabled (see Understanding Firewalls for more information).
* Evaluate your security settings. Most software, including browsers and
email programs, offers a variety of features that you can tailor to meet
your needs and requirements. Enabling certain features to increase
convenience or functionality may leave you more vulnerable to being
attacked. It is important to examine the settings, particularly the
security settings, and select options that meet your needs without
putting you at increased risk. If you install a patch or a new version
of the software, or if you hear of something that might affect your
settings, reevaluate your settings to make sure they are still
appropriate (see Understanding Patches, Safeguarding Your Data, and
Evaluating Your Web Browser's Security Settings for more information).

What other steps can you take?

Sometimes the threats to your information aren't from other people but from
natural or technological causes. Although there is no way to control or
prevent these problems, you can prepare for them and try to minimize the
* Protect your computer against power surges and brief outages. Aside from
providing outlets to plug in your computer and all of its peripherals,
some power strips protect your computer against power surges. Many power
strips now advertise compensation if they do not effectively protect
your computer. Power strips alone will not protect you from power
outages, but an uninterruptible power supply (UPS) provides battery power
through surges and brief outages, long enough to save your work and shut
down cleanly. During a lightning storm or construction work that
increases the odds of power surges, consider shutting your computer down
and unplugging it from all power sources.
* Back up all of your data. Whether or not you take steps to protect
yourself, there will always be a possibility that something will happen
to destroy your data. You have probably already experienced this at
least once: losing one or more files due to an accident, a virus or
worm, a natural event, or a problem with your equipment. Regularly
backing up your data on a CD or network reduces the stress and other
negative consequences that result from losing important information (see
Real-World Warnings Keep You Safe Online for more information).
Determining how often to back up your data is a personal decision. If
you are constantly adding or changing data, you may find weekly backups
to be the best alternative; if your content rarely changes, you may
decide that your backups do not need to be as frequent. Whatever the
schedule, a backup is only useful if it can be restored: keep at least
one copy somewhere the original cannot reach it (a virus or worm that
wipes your disk can also wipe a permanently attached backup drive), and
occasionally restore a file from the backup to confirm the copy is
intact. You don't need to back up software that you own on CD-ROM or
DVD-ROM; you can reinstall the software from the original media if
necessary.
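A backup that has never been checked may be silently corrupt or incomplete. The following is an added example, not code from the US-CERT tip, of the minimum a practitioner would want around the "back up your data" habit: copy a folder to a timestamped location, write a SHA-256 manifest next to the copy, and later recompute every hash to detect files that went missing or changed. The folder layout, file names and contents created by run_demo() are constructed for illustration.

```python
# Added example (not from the US-CERT tip): make a backup copy of a folder,
# record a SHA-256 manifest alongside it, and verify the copy later. The
# sample files written by run_demo() are constructed for illustration.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def create_backup(src, backup_root):
    """Copy src into a timestamped folder under backup_root and write a
    manifest of file hashes next to the copy. Returns the new folder."""
    src = Path(src)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = Path(backup_root) / f"{src.name}-{stamp}"
    shutil.copytree(src, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_of(p)
        for p in sorted(dest.rglob("*"))
        if p.is_file()
    }
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_backup(dest):
    """Recompute every hash in the manifest. Returns a sorted list of
    problems; an empty list means the copy still matches what was saved."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"modified: {rel}")
    return sorted(problems)


def run_demo():
    """Back up a constructed folder, verify it, damage the copy, verify again.
    Returns (problems_before, problems_after)."""
    work = Path(tempfile.mkdtemp())
    src = work / "documents"
    (src / "notes").mkdir(parents=True)
    (src / "report.txt").write_text("quarterly report draft\n")
    (src / "notes" / "todo.txt").write_text("renew antivirus subscription\n")

    dest = create_backup(src, work / "backups")
    before = verify_backup(dest)

    # Simulate the damage a restore would otherwise discover too late.
    (dest / "report.txt").write_text("corrupted\n")
    (dest / "notes" / "todo.txt").unlink()
    after = verify_backup(dest)

    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("fresh backup:", before or "OK")
    print("damaged backup:", after)
```

The manifest lives inside the backup folder, so anything that can alter the copy can also alter the manifest; for a backup that must resist tampering rather than just bit rot, keep a second copy of the manifest (or its own hash) somewhere the backup medium cannot reach.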

Both the National Cyber Security Alliance and US-CERT have
identified this topic as one of the top tips for home users.

Authors: Mindi McDowell, Allen Householder

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.
