I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all in 2016 my bank still doesn’t offer two factor authentication, EMV cards, and several other modern features that I see from other banks. I’d like a bank that takes information security seriously, it seems like my current one does not. While I’m sure I could find clean compliance based audits for each of these banks, I would prefer to take a different, more open approach. For this exercise let’s just look at email and web site security.
My research methodology (inspired by Mark Stanislav’s MASSACRE talk) is broken down into four steps. Each step will be awarded a letter grade. At the end an average for each bank will be determined.
Continue reading Reviewing US Banks’ Web and Email Security
Digital storage of electronic protected health information is a treacherous path for a small company to walk. The health insurance portability and accountability act enforces a number of requirements on the security controls required for the storage of such sensitive data. Unfortunately, the language used in not crystal clear, and I have been able to find no description of actual technical systems used to comply with these controls.
These controls are required in order to ensure the confidentiality, integrity, and availability of all electronic protected health information [that a] covered entity creates, receives, maintains, or transmits 45 CFR § 164.306(a)(1).
I will outline these requirements here. In a future post I will explain the technical systems I propose implementing in order to comply with these requirements in a low-cost manner. Continue reading ePHI Storage Compliance