Cyber Review Consultations Report

“The digital economy increasingly shapes and drives the broader economy. For Canadians to prosper and be confident digital innovators, they need to know that the networks that enable their efforts and safeguard their assets and information are secure. I am committed to making Canada a global centre for innovation – one that creates jobs, drives growth across all industries and improves the lives of Canadians. That’s why I am pleased to support Public Safety Canada in this important cyber security consultation.”- The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development

The number, complexity, and severity of cyber-attacks on companies and individuals in Canada are each on the rise.

On January 17, 2017, Public Safety Canada posted a report on the views of Canadians on the Canadian cyber security environment. The report was based off the findings 2095 submissions that contained 2,399 responses to individual questions across four main topics, as follows:

  • Evolution of the Cyber Threat: 1,728 responses
  • Increasing Economic Significance of Cyber Security: 364 responses
  • Expanding Frontiers of Cyber Security: 190 responses
  • Canada’s Way Forward on Cyber Security: 117 responses

The results established that cyber security in Canada is an extremely multifaceted issue with multiple challenges and a rising range of opportunities. Throughout the consultation, three ideas were consistently raised as being important and relevant to cyber security in Canada: privacycollaboration, and using skilled cyber security personnel.

The report concluded that it is the shared responsibility of governments, the private sector, law enforcement and the public, to address these challenges and seize new opportunities.

This is part of the Government’s commitment to keep Canadians safe in cyberspace and position Canada as an innovative leader in cyber security. This report is just one example of how the Canadian government is striving to take full advantage of the digital economy, while protecting the safety and security of all Canadians.

Quick Facts

  • Canada has more computers per capita than any other country (129 devices per 100 people) and Canadians are the heaviest Internet users in the world, spending more than 40 hours online per person, per month.
  • About 70 per cent of Canadian businesses have been victims of cyber attacks with an average cost of $15,000 per incident.
  • The current global market for cyber security products and services is expected to grow to over $170 billion by 2020, and the job market for cyber professionals is expected to rise by six million in the next four years.

Source: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2017-cybr-rvw-cnslttns-rprt/index-en.aspx

Amendments to the General Regulation (Ontario Regulation 329/04)

The Ministry of Health and Long-Term Care (“ministry”) is proposing amendments to the General Regulation (Ontario Regulation 329/04) under the Personal Health Information Protection Act, 2004 (PHIPA).

The purpose of the amendments has largely to do with clarifying the needs for health information custodian reporting of thefts, losses and unauthorized uses or disclosures of personal health information to the Information and Privacy Commissioner. Should the amendments be approved, the following requirements would have to be met:

“A Health information custodian would be obligated to report annually to the Commissioner the number of times, in the calendar year, the health information custodian had to notify individuals (in accordance with section 12(2) of PHIPA) of theft(s),loss(es) or of unauthorized use(s) or disclosure(s) of personal health information.
• It would be necessary for the report to be submitted to the Commissioner by March 1 of the following calendar year.
• The first report would be due in 2019.
• After submitting the report to the Commissioner, at the Commissioner’s request, a health information custodian would be required to provide the Commissioner with information contained in the notice that was issued to the affected individual(s), and/or any information the custodian relied on in deciding to notify the individual.”

The proposed amendments would also further allow the ministry to continue to validate progress on the implementation of changes proposed in the Health Information Protection Act (Bill 78). These changes were passed in May 2016.

The projected amendments have been posted to the Regulatory Registry website on March 10, 2017 and will be available until May 8, 2017.  The posting can be accessed at: http://www.ontariocanada.com/registry/view.do?postingId=23883&language=en

Careers in Privacy

Have you Considered a Career in Privacy?

Careers in Privacy are here to stay! It is now clearer than ever that data collection and data use is only expanding. Thus, the way that this data is being accessed, used, analyzed, and perhaps even abused-intentionally or not- is also becoming a hot topic. Especially with the rise of electronic data collecting, storage and sharing, privacy and security issues have been arising in nearly every company, operating in almost every industry. This has been met with an extensive amount of privacy laws in many countries.

With so many regulations and compliance issues to be followed, many individuals are entering careers related to data privacy and data security through other career, perhaps more traditional career or academic paths, such as law, rather than through designated cyber-technological or privacy training. Others may enter these careers due to personal interest in protecting people or companies from harm — whether it be financial or reputation. It is without a doubt that privacy is an issue of profound societal importance and is becoming more essential to the business of almost any company.

Below we outline, just some of the many careers one can

Data Protection Officer or Team Member

Today, nearly every financial organization, government agency and healthcare association, and a growing number of mid-to-large size company, has at least one designated data protection officer, and this number is only growing. Likewise, more and more people are working within a team of people working with the Data Protection Officer or a similar professional.

Duties related to this area may include being either primarily or solely responsible for advising on all company activities related to privacy, confidentiality, and security implications. This may or may not also include monitoring services and systems to certify compliance with personal privacy legislation and government policies and practices. You likely will have to develop policies and procedures that ensure that all your company’s sponsored activities obey by all the applicable privacy and confidentiality legislation and requirements in your jurisdiction and align well with the requirements of those abroad if your business does international work (such as with the European Union).

Governmental Policy

Especially in Canada, the United States and Europe, privacy offices exist every level of government. Numerous of these governmental agencies continue to create policies or revise existing policies and regulations related to privacy. Moreover, many government agencies regulate privacy, such as the Federal Trade Commission (FTC) in the United States or The Office of the Privacy Commissioner of Canada (OPC), among others.

Duties may include establishing departmental, federal, provincial or territorial, programs or strategy for the improvement of the management of personal or organizational information; and/or be responsible for monitoring adherence to this policy across various organizations and measuring the achievement of the expected results of the policies put in place in a variety of ways.

Privacy Law

Privacy law is another booming field. Adhering to privacy laws are complicated, as it often involves numerous very complex federal statutes and regulations. Privacy lawyers may often choose to specialize in a particular aspect of privacy such as focusing on financial privacy, employment privacy, European Union privacy, and electronic surveillance. As such, many companies may often rely on a team of privacy lawyers to cover all the privacy issues faced by their organization.

Duties from a privacy lawyer may include to provide legal advice on privacy, advise on restrictions on electronic data collection, communications and the use of tracking or profiling tools (such as cookies) and ensure the company is upholding the current applicable privacy and marketing laws and standards.

Course Instructor

With all the recent career advancements related to privacy, many will wish to undergo specific training. A course instructor trained in privacy, either through career experience or academic means, can help offer courses on privacy.

Duties for course instructors vary on the course, but may include providing a basic overview of the concepts of informational privacy and the Country’s privacy legislation. Courses may also wish to introduce students to differential privacy, and encourage them to move towards the frontier of modern privacy research. Essentially an instructor may help to empower future employees with the skills and knowledge needed for them to help protect businesses and the public against growing security risks and compliance missteps. Similarly, by educating current employees, course instructors are helping to reduce the likelihood that certain businesses will become a victim information security threats.

Software Developer

Especially with the increase in internet use and storage, the need for developing accurate, high-quality, innovative, and user-friendly data technology software that allows end users to comply with their privacy policy (or even to create their privacy policy) is increasing. Many privacy regulations necessitate that companies install and use an array of technical controls to protect customer information, whether they are being collected, stored or transmitted.

Typically, software developers must reconcile vague ideas with practical technological solutions and design, implement and test data managing (or other related) software that captures responses, stores personal data and helps to analyze or score results within a wide variety of software platforms.

Many software developers may also be self-employed and try to work with other organizations on developing industry-specific, or even company-specific tools, in a contract-like role. For example, a company may approach a software developer to develop an awareness program, a log management product to advanced threat correlation and analysis services within that organization. In this hypothetical example, the developer may be responsible for developing a software product that is able to handle the logging, correlation, and reporting needs of the company, as well as ad-hoc analysis and forensic investigation potential.

Privacy impacts all of our lives; especially now with personal data, whether it be socio-demographic information, or health records etc,  increasingly being used and stored in electronic form.  Ensure that the appropriate privacy, confidentiality, and security safeguards are necessary to prevent the unauthorized access, use, or disclosure (as much as possible). Thus, data privacy is an area that needs more professionals. We know posit that need for individuals working in privacy is going to continue to grow in 2017 and beyond. While the regulatory landscape for data and the career options for working in a privacy-related field may feel confusing, it is expanding. For those who are itching for a new career or those who feel that they are intrigued by the area of privacy and just want to learn more, data privacy positions offer much prosperity in terms of opportunity.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Evaluating Anonymization Methods

Article 29 Data Protection

The European Commission’s Article 29 Data Protection Working Party provides a useful set of criteria for evaluating anonymization methods in its “Opinion on Anonymization Techniques” (2014):

  • Is it still possible to single out an individual?
  • Is it still possible to link records relating to an individual?
  • Can information be inferred concerning an individual?

 

The first criterion means that it should not be possible to discover information about a specific individual or small group of individuals. For example, if only three individuals in an anonymized hospital dataset share a diagnosis, the dataset fails the test of singling out. The second means that it should not be possible to link different records pertaining to an individual or group. For example, a dataset that includes individuals’ occupations as well as demographic information could potentially be linked to publicly available profiles on LinkedIn, social media, or registers of professionals or government employees. Third, it should not be possible to infer potentially identifying attributes based on other attributes in a dataset. For example, location data collected through smartphones, which has sometimes been released as part of open datasets, usually makes it possible to infer the location of an individual’s home and office.

To evaluate re-identification risk, the Article 29 Working Party also suggests understanding identity as multidimensional, with each clear attribute as a coordinate. Whenever it is possible to analyze a region of this multi-dimensional space that contains only a few points, there is a risk of individuals being re-identified. In other words, any combination of properties that is unique to a particular individual or a very small group of individuals poses a risk of re-identification. Anonymity is protected when it is only possible to analyze sizeable “clusters” of individuals who cannot be distinguished from one another based on their attributes.

Here’s an example of the application of anonymization techniques to prevent the singling out of individuals or small subgroups:

A hospital database is being anonymized so that it can be shared with a medical research institute. Patient names and health card numbers have been deleted from the dataset, and dates of birth and death have been generalized to years of birth and death only. Dates of diagnosis and treatment have been generalized to monthly intervals. Data fields that remain unchanged are diagnosis and treatment procedures. If, say, only three individuals born in 1982 received a particular diagnosis in March 2014, the risk of re-identification is too high. One option is to delete these records. The other is to apply additional anonymization, perhaps by generalizing years of birth to ten-year intervals (e.g., 1980-1989, or alternatively age 30-39).

The key to anonymization lies not in deleting particular types of data, but in preventing the occurrence of subsets of one or a few individuals with a specific set of characteristics. The concept of dimensions of identity provides a starting point towards this goal by helping to break down a dataset and suggest possibilities for anonymization. Dimensions not relevant to a particular purpose can be eliminated from the dataset. Within each of the remaining dimensions, the most specific fields can be deleted, randomized, or generalized. Finally, any very small subsets remaining can be identified and deleted. When this is accomplished, the risk of re-identification approaches zero, as any unique or distinct attributes of individuals have been concealed.

Reference

Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques. 

How to Protect Canadian Health Data

Canadian Healthcare and U.S. Cloud Services: Is HIPAA Compliance Good Enough for Canadian Health Data?

Many Canadian healthcare organizations are asking questions about using U.S.-based cloud service providers to manage services such as email and databases. Cloud service providers in the U.S. and public organizations in Canada often ask whether compliance with the Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from the U.S. to Canada?

Among Canadian organizations, public healthcare providers have particularly complex information technology needs. They store large volumes of personal data that need to be easily accessible, yet also protected by strong privacy safeguards. They need private and secure means for communication and data sharing. In addition, they often de-identify or anonymize data for use in research and system planning. Cloud services appear to be a promising option to meet some of these needs. They offer to eliminate the expense of maintaining secure servers, and deliver easy but secure data access and improved features. Cloud services are also typically more interoperable than local systems. It seems a cost-effective and convenient solution.

Numerous Canadian healthcare organizations are, in fact, choosing to make use of cloud services to manage email, databases, and other systems. This is a decision that needs to be examined carefully from the perspective of privacy and security. Most cloud service providers are based in the U.S. It can be difficult to assess whether these companies are in compliance with Canadian privacy laws and standards. Organizations often ask whether compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from one jurisdiction to another?

HIPAA vs. PHIPA

Both in Canada and in the U.S., healthcare is recognized as a sector that requires specific privacy legislation. In the U.S., healthcare privacy is regulated by the Health Insurance Portability and Accountability Act (HIPAA). In Canada, most provinces have dedicated healthcare privacy legislation.

Does HIPAA compliance have any relevance to Canadian healthcare organizations? It is difficult to compare HIPAA with Canadian healthcare privacy laws such as Ontario’s Personal Health Information Protection Act (PHIPA) and Alberta’s Health Information Act (HIA) because they are written in different language. Canadian privacy laws generally focus on objectives rather than methods, and use general terms: for example, Ontario’s PHIPA states that Health Information Custodians (HICs) must take “reasonable steps” to protect personal health information against theft, loss, and unauthorized use and disclosure, as well as unauthorized copying, modification, or disposal. HIPAA, on the other hand, describes specific required physical and electronic safeguards for health information, such as facility access controls, workstation security, electronic information access control and authentication, and transmission security.

HIPAA compliance does indicate alignment with certain industry standards for privacy and security, but HIPAA differs from Canadian healthcare privacy laws on a number of specific points. For example, Ontario’s PHIPA has several requirements that are not included in HIPAA:

  1. Information technology service providers to HICs must “notify the custodian of any breach of the restrictions on its use and disclosure of personal health information or unauthorized access.”

This means that email or cloud storage providers serving healthcare organizations in Ontario are obligated to notify them of any security breaches or other instances of unauthorized access or disclosure. HIPAA does not require IT service providers to notify healthcare clients of breaches. While a notification requirement could be included in a contract with an American service provider, many U.S. service providers are reluctant to agree to notify their clients of breaches because of fears of liability and loss of reputation.

  1. Information technology service providers to HICS must “make available to the public, information about the services provided to the custodian; any directives, guidelines and policies of the provider that apply to the services provided; and a general description of the safeguards that have been implemented.”

IT service providers to Ontario healthcare organizations should provide a plain language description to be published online and in print about the services they will be providing, the privacy and security directives, guidelines, and policies to which they have agreed, and the information safeguards they employ.

  1. Information technology service providers to HICs must agree to comply with PHIPA.
“HIPAA Compliant” Applications

Do health applications advertised as “HIPAA-compliant” offer some legal assurance? Often, the answer is no. HIPAA does not apply to technological applications as such. Rather, it governs personal health information managed by covered entities such as hospitals, physicians, pharmacies, and health insurance companies. Health applications managed by covered entities are subject to HIPAA rules. Consumer health applications managed by private businesses or independent developers are not.

What developers of consumer health applications likely mean, when they advertise themselves as “HIPAA-compliant,” is that their solution aligns with HIPAA standards, and that they are willing to sign Business Associate Agreements (BAA) with healthcare organizations.  A BAA makes a service provider to a healthcare organization directly liable under HIPAA rules. Canadian healthcare organizations can obtain some legal protection by signing a BAA with a U.S.-based information service provider.

HIPAA definitely does not apply to consumer health applications, such as mobile apps and wearable devices that collect health information for an individual’s use (e.g., monitoring one’s exercise habits or diet), but do not share this information with a healthcare provider. Healthcare providers who wish to recommend these applications to patients should be aware that Canadians have few legal avenues to enforce their privacy rights with respect to consumer applications.

 

This point is problematic when it comes to large U.S.-based IT service providers. It is doubtful whether American companies would agree to assess and monitor compliance with Canadian laws. The possibility of having to maintain compliance with multiple sets of laws from different jurisdictions is a liability which many companies are not willing to take on.

Do you have the right IT Strategy?→

The U.S. National Security Caveat

The state of privacy in the U.S. cannot be understood apart from its national security legislation. Many Canadians hold privacy concerns about U.S. national security agencies’ broad access to data held by major internet companies. The USA PATRIOT Act and the U.S. National Security Agency’s PRISM project are frequently cited as privacy violations. It is often noted that this legislation permits more extensive surveillance of foreign citizens than of U.S. citizens. Yet the U.S. Cybersecurity Information Sharing Act (CISA), passed in 2015, may be even more problematic. CISA’s stated goal is to develop procedures for the federal government to share classified and declassified information on cybersecurity threats with private companies, lower levels of government, and the public. In practice, this could legally justify the existence of a catch-all database recording internet traffic, accessible to multiple levels of government and corporations. Several privacy provisions included in the draft bill were removed shortly before the bill was passed.

It is largely because of concerns about surveillance that two Canadian provinces, British Columbia and Nova Scotia, have passed laws prohibiting public bodies, such healthcare and educational institutions, from storing personal information outside of Canada. While other provinces do not explicitly prohibit this practice, it is clear that from a privacy perspective it is not ideal for Canadians’ personal information to be managed by U.S. companies.

The current reality is that U.S.-based cloud service providers are generally not in compliance with Canadian legal requirements and have no plans to achieve compliance. Canadian organizations considering using American cloud services should carefully consider how to ensure legal compliance and enforce contracts. If Canadian organizations choose to utilize U.S.-based service providers, they will need to retain enough power and control to monitor legal compliance and effect changes needed to bring systems into alignment with Canadian laws.

KI Design works with companies to achieve cross-border privacy compliance →

How to Protect Canadian Health Data

For healthcare organizations in provinces that permit the use of U.S.-based cloud services, contractual and technical safeguards can mitigate some of the privacy risks.

  1. Sign a Business Associate Agreement

The HIPAA Privacy Rule recognizes that most healthcare providers employ third party service providers, including information service providers. HIPAA allows healthcare providers to disclose protected health information to these “business associates” if the providers “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”[1] These assurances are to be documented in a contract or agreement, commonly known as a Business Associate Agreement (BAA). Business associates that have signed a BAA are directly liable under HIPAA rules.

The U.S. Department of Health and Human Services website lists requirements for a BAA, and offers a list of sample provisions.[2] Ki Design’s experts in international privacy law can help your organization to draft a specialized BAA to protect Canadian health information managed by U.S.-based cloud service providers.

  1. Segregate data assets and support

Whether your organization chooses to procure cloud application services (software as a service – SaaS), cloud platform services (PaaS), or cloud infrastructure services (IaaS), personal health data need to be segregated from other cloud customers’ data at all three levels: application, platform, and infrastructure. Healthcare organizations should also choose cloud service providers with support services located in Canada or the U.S., and support technicians’ access to health data should be segregated.

  1. Choose database-level encryption

When healthcare organizations employ cloud services, it is essential that health data be encrypted at the database level, before data leave the source computer. Database-level encryption tools may be built into the original database, or may function as a separate engine, producing an encrypted version of the database.

Using cloud services, and especially cloud services based in another country, to manage personal health data brings certain technical and legal risks. However, legal agreements and strong technical safeguards can mitigate some of the most significant risks. Contact Ki Design for a consultation on how your organization can use cloud services safely.

 

For more information on how Ki Design can help your organization can use cloud services safely, please visit: https://kidesign.io/ or send us an email.

[1] http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/

[2] http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

For more information on how Ki Design can help your organization can use cloud services safely, please visit: https://kidesign.io/

How Privacy will be Different in 2017

Privacy is a process. So, what can we expect in 2017?

Dr. Wael Hassan presents

three trends, privacy and big data protection will bring about changes in terms of privacy automation, legislation and open data.

Privacy Automation (Adoption)

Many companies are now understanding that privacy helps facilitate business growth by building the public’s trust in their brand. To keep up with the demand for privacy and to comply with the law (more in the next section), companies will become more reliant on software solutions in the year ahead. Specifically, 2017 can see increases in three specific types of applications:

  1. Data Mapping software that will be used to assist governance officers by developing privacy and security maps of their data assets in accordance to the pertinent legislation.
  2. Assessment Automation software which will consist of a variety of tools that can help Privacy and Security Officers assess and track the risk of their organization.
  3. Process Automation software will continue to be used to reduce costs in time and money, but there will be an increase in Privacy & Cybersecurity Operational Access. This will represent an opportunity for the improvement of cybersecurity and privacy tools for many companies.
  4. Multi-Scan Technology: Basically all current anti-malware/virus scanning is single engine (AVG, Norton, etc..). MultiScan solutions allow you to use up to 20 engines.

While not all of these softwares are new, the way they are used and managed will be and can present radical shifts in how organizations develop their privacy practices.

Legal developments

The first European Union Data Protection Directive was written in 1995. However, to account for the vast technological advances that have occurred over the past two decades, a new, firmer regulation is being developed in Europe GDPR. This regulation will be finalized and implemented in 2017. This will which have consequences in Canada, the US and beyond. Due to the public increase in knowledge of the risks and dangers that can occur to individual personal privacy, regulatory bodies are realizing the importance of data protection. Governments are also recognizing the importance of a lack of appropriate privacy and data protection can have on business consumer confidence and trust, including in terms of financial and reputational loss.  Fortunately, there are promising changes to legal developments on the horizon.

Open Data World

Whereas in 2016, the majority of big data analytics and adoption was being led by large corporations, we predict that 2017 will allow for open access to this data for all. This will allow for more data analytics to take place. Increasing the use of big data analytics will help companies make more informed business decisions. Newer class technologies will also form the core of which data scientists, predictive modelers and other analytics professionals can process large and diverse sets of data. Companies of all sizes engaging in the world of open data, must ensure that they have safeguards in place. In any case, it will be important to ensure that in this ‘open data world’ the data is accurate, protected and accounted for.

All three of the aforementioned trends will work together to reform privacy in 2017.

Three takeaways:

  • Cooperation between IT and Privacy is important to Given that more and more companies will adopt better privacy policies, there will be many more data mapping, assessment automation and process animation software products introduced.
  • Implementing Privacy Frameworks to implement upcoming legal changes:  As policy legislation becomes stronger world-wide, it is important to become familiar with the appropriate legislation law.
  • Follow Innovative Approaches to Privacy: The principles of data analytics will become the forefront of the privacy research domain due to the potentials that open access has, companies need to support and learn from research.

Here is a list of solutions that you may be interested in.

  1. Audit Product: Maize Analytics
  2. Open Data : Aircloak Anonymized Analytics
  3. Data Mapping: DPOrganizer
  4. Consent Solutions: Privacycheq
  5. MultiScan: OPSWAT

 

About the Author

If you have questions about what approaches your companies may take, do not hesitate to reach out to wael@kidesign.io

Inappropriate Access detection using Machine Learning

Detecting Inappropriate Access to Personal Health Information

While PHIPA has served Ontarians well over the last decade, rapid changes in technology and communications are demanding that we keep pace. With the growing use of electronic health records, the province needs a legislative framework that addresses the rights of individuals and the duties and obligations of health care providers in an electronic environment. Modernizing PHIPA will pave the way for a smooth and seamless transition toward 21st century health care while protecting our privacy.”   – Brian Beamish, Information and Privacy Commissioner of Ontario

 

Event:  2016 PHIPA Connections Summit www.phipasummit.ca

Using Machine Learning Healthcare to detect healthcare snoopers

Talk By Dr. Wael Hassan and Dr. Daniel Fabbri

Open Electronic Medical Record (EMR) access environments trade clinician efficiency for patient privacy. Monitoring EMR accesses for inappropriate use is challenging due to access volumes and hospital dynamics. This talk presents the Explanation-Based Auditing System, which uses machine learning to quickly identify suspicious accesses, improving compliance officer efficiency and patient privacy.

 

Featuring:

Daniel Fabbri
PhD. Assistant Professor of Biomedical Informatics and Computer Science, Vanderbilt University,
Maize Analytics
Daniel Fabbri, Ph.D., is an Assistant Professor of Biomedical Informatics in the School of Medicine at Vanderbilt University. He is also an Assistant Professor of Computer Science in the School of Engineering. His research focuses on database systems and machine learning applied to electronic medical records and clinical data. He developed the Explanation-Based Auditing System, which uses data mining techniques to help hospital compliance officers monitor accesses to electronic medical records in order to identify inappropriate use. He received a National Science Foundation Innovation Corps award to commercialize this auditing technology at Maize Analytics. Beyond research, he has participated in the A World In Motion program, which teaches elementary and middle school children physics through weekly interactive experiments such as building toy cars powered by balloons. He received his doctorate in computer science from the University of Michigan, Ann Arbor and a bachelor of science in computer science and engineering from the University of California, Los Angeles. Prior to joining Vanderbilt, he interned at Google, Microsoft Research, Goldman Sachs, Lockheed Martin and Yahoo. Students interested in research topics on machine learning, data management and the security of electronic medical records and clinical data? Please consider applying to the Vanderbilt Biomedical Informatics or Computer Science graduate programs. Selected Invited Talks: • The Open Web Application Security Project, Chicago, 2014. • Safeguarding Health Information: Building Assurance through HIPAA Security, U.S. Health and Human Services Department, Washington D.C., 2013. • Archimedes Workshop on Medical Device Security, University of Michigan, Ann Arbor, 2013.
Wael Hassan
Founder: Big Data, Privacy and Risk,
Ki Design Magazine
Dr. Waël Hassan is one of North Americas leading advisors on privacy and cyber security innovation. He serves as an advisor for both the political and industry organizations to help them better understand privacy and cyber security technology & adoption. He has in-depth knowledge of privacy laws across Canada, EU, and the US, along with, holds the first Canadian PhD in Validation of Legal Compliance. In his role Waël advances his clients’ interests on a range of issues, including internet freedom, cyber security, surveillance, disaster response, product certification, and risk metrics. Dr. Hasan founded KI DESIGN Magazine, http://magazine.kidesign.net, where he writes a regular column. Waël’s highly anticipated book, Privacy in Design: A practical guide for corporate compliance will be released in Spring 2017.

Legal Obligations for Energy Boards

In this guide you will explore:

  1. Obligations of Energy Boards
  2. FTC and Fair Information principle requirements
  3. Smart Grid Data Protection Requirements
  4. Employee Privacy in the Energy Space
  5. Federal and state law requirements

In recent years, news of massive data breaches has become almost commonplace.  We are witnessing an unprecedented increase in cyberattacks, with energy utilities and the smart grid in particular under threat.
For directors and their boards, compliance is a vital aspect of governance. Utility boards and management focus attention on NERC’s Critical Infrastructure Protection Reliability Standard.  Traditionally “Security” meant securing energy management system or EMS.  With the recent regulations it also means securing personal data.