Imagine an implantable chip under your skin that contains all your personal information. The FDA recently approved marketing these chips for a Florida company. This chip would provide access to individual medical records not only to medical professionals but also to those who have the technology that can read embedded information. For more information read more at :
Identity Badge Worn Under Skin Approved for Use in Health Care
I just got back from IBM’s Security and Privacy Leadership conference and was thoroughly impressed at the depth of discussions. At events like this three years ago, we were talking about subjects like “is there really a difference between privacy and security?” Today, everyone is comparing notes on their Sarbanes-Oxley complaince efforts or sharing the pain of HIPAA compliance.
One of the keynote speakers mentioned in passing a project that should be on the radar screen of anyone developong privacy enhancing technologies. It’s a relatively new OASIS working group called “Legal XML“.
Their website describes the working group as follows:
LegalXML brings legal and technical experts together to create standards for the electronic exchange of legal data.
LegalXML is a member section within OASIS the not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards. Members themselves set the LegalXML agenda, using the open OASIS technical process expressly designed to promote industry consensus and unite disparate efforts. LegalXML produces standards for electronic court filing, court documents, legal citations, transcripts, criminal justice intelligence systems, and others.
OASIS members participating in LegalXML include lawyers, developers, application vendors, government agencies and members of academia.
I’ve run several workshops in which we’ve analyzed privacy legislation and expressed the requirements in XML so that it can be related to access controls and, believe me, if was tough. Law writers are all about principles and (frankly) ambiguity. All too often they want to express goals and leave interpretation n how to achieve goals to the courts. On the other hand, IT people need very prcies, actionable items to follow. So bridging the gap between the legal world and IT world is no small taks.
But because privacy management is rooted in social expectations, I personally believe work efforts like Legal XML are gong to be an extremely important component of future privacy enhancing technologies.
The following excerpt is from an article at timesreporter.com: A review of the various effects the Health Insurance Portability and Accountability Act (HIPAA) has had on the medical industry and patients. While patients appreciate the stronger privacy protection, the medical community has found that compliance with the new law can interfere with patient care.
Personally, I can relate to these findings. A few months ago, a good friend of mine had a heart attack and was hospitalized for several days. I was visiting him on the 3rd day of his hospital stay when a hospital administrator approached him. She asked him several HIPAA related questions and asked him to sign various wavers. For example: Can the hospital disclose his personal information to friends and family members? Or, Can the doctors discuss his medical treatments and condition with family members and friends? Now, keep in mind that he had been on morphine and various other drugs since he was admitted and just finished an angioplasty procedure at this point in time. While I thought it was terribly inappropriate to ask him these questions while he was in no way cognisant enough to make such a decision, I asked myself when would be an appropriate time? Should they stop treating his pain long enough to let him sign the HIPAA wavers? Would that be humane? How else would he reach an informed decision? And where does the line for protection of personal privacy become unrealistic and/or ridiculous?
As a privacy and security researcher, I cannot agree with the hospitals actions in this matter. I realize that there will be continued resistance, compromises, and inconvenience in the pursuit of protecting our individual privacy; but if we don’t persist, we surely cannot progress.
California Governor Arnold Schwarzenegger vetoed three privacy bills on Wednesday September 29, 2004, including a bill that would have required employers to notify employees of e-mail monitoring, and two bills that would have restricted the outsourcing of medial and financial data services. Schwarzenegger said the bills were redundant to current law and would have only created more work for California businesses. Detailed story…
I’m afraid I do not agree with Governor Schwarzenegger. Of the three vetoed bills, one bill would have limited data that medical firms can send abroad for processing without a patient’s consent. If the current law is sufficient to protect patient privacy, how could this happen in October 7, 2003? A pakistan woman named Lubna Baloch, sent an email to UC San Francisco Medical Center to threaten she would disclose patient medical records if UCSF Medical Center do not help her get the money she was owed. In her email she said, “Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital.” Baloch had included private discharge summaries for two UCSF patients. Detailed story…
Wow. Stephen O’Grady, from the analyst firm RedMonk is on the Board of Advisors for The Privacy Place and yet is humble enough not to have mentioned his recent paper “SOA Meets Compliance: Compliance Oriented Architecture.” But I happened to stumble across it as I was doing google searches on compliance technology.
The opening teaser in O’Grady’s Paper states is:
Leveraging IT to enhance business processes with transactional transparency is a necessary response to corporate governance scandals. Building the “real time enterprise” is fast becoming the preferred method for reducing fraud, and, in more and more cases, it is a mandated one.
I believe the key phrase here is “transactional transparency” in one deft phrase O’Grady has captured to industry’s trend of melding together IT (“transactional”) and business requirements (“transparency”, as in auditable acxtivity). He goes on to build a case for building transactional transparency into an IT environment using services oriented architecture, yielding what he calls, “Compliance Oriented Architecture.”
While O’Grady focuses on legal compliance issues such as Sarbanes-Oxley, it’s clear to see that a compliance oriented architecture is also key to privacy management issues. This paper is a must read for anyone who cares about Privacy Enhancing Technologies for the enterprise.
–Calvin Powers
The following quote is an excerpt from a recent news article:
The U.S. House of representatives will vote soon to crack down on spyware that hides in users computers and secretly monitors their activities. According to Microsoft, spyware was responsible for one-third of all computer crashes last year.
I have been a victim of spyware; and as a network administrator, I have dealt with numerous infected personal computers (PC). Spyware, in itís seemingly innumerable forms, has been responsible for PCs running sluggishly, the clandestine monitoring of activities, and complete system crashes. However, it is difficult to determine which is more alarming: the effects of spyware or the steadily increasing infection rates. As a researcher, I am interested in investigating the etiology behind both of these phenomena. While I believe that enacting new legislation is an appropriate step, I wager that it will prove insufficient to inhibit the increase in spyware activity. Furthermore, as I am firm believer that people value their privacy, I foresee a great deal of research and effort being dedicated to addressing this spyware assault.
For more information on this spyware legislation see: House Could Vote on Spyware Next Week
The new voting technology and polling practices certainly have an impact on the privacy rights of voters. Electronic Privacy Information Center (EPIC) has been asked to offer testimony on this impact. The committee is expected to make its recommendations to the full Election Assistance Commission board sometime next summer for adoption and implementation in 2006.
For more information see:
Voting Statement