Why Are You Getting This?


You signed up to receive The Privacy Professor Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well. 


Win the Security & Privacy Olympics!

While the world is enjoying the excitement of the Olympics, the cybercrooks continue their marathon of attempts to steal data and disrupt businesses and lives by causing a wide variety of problems and outages throughout the world. Everyone needs to compete with these digital criminals to beat them at the criminal attempts. Everyone also needs to practice healthy privacy practices, and strengthen their cyber and data security muscles. Don’t let the cybercrooks, nor the security and privacy slackers who create unsecure code and score zeros on privacy protection, win. Strengthen your knowledge of security and privacy, and encourage those you work for, and do business with, to also stay in tip-top security and privacy shape to win gold medals in risk management, and defeat poor practices, hackers and thieves.


Thank you for all your thoughtful and supportive messages about our intellectual property (IP) and trademarks protections information we provided in our July Privacy Professor Tips. We are getting closer to resolving the violations of our Privacy Professor® trademark. However, this person has continued trying to use it in other places online, even after being notified of violating our IP rights. Hopefully this will soon stop. Thanks to all of you for letting us know of these situations. As before, if you discover someone else claiming to be the founder, owner, or otherwise, of Privacy Professor®, please let us know. We are grateful to you for doing so. 


We received some fabulous feedback messages from our July Tips. Thank you! We are going to make some new 2-minute warning videos for some of them, and incorporate some of the answers to your questions (de-identified, of course) in our new HIPAA Basics for Covered Entities: 2024 Edition. Coming soon!


Do you have stories, examples, or concerns about the topics covered in this issue that you would like to provide feedback on? Send them over! We may discuss them in an upcoming Tips.


We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions. 



Thank you for reading!

Rebecca


We would love to hear from you!

August Tips of the Month


  • News You May Have Missed
  • Privacy & Security Questions and Tips 
  • Data Security & Privacy Beacons*
  • Where to Find the Privacy Professor

News You May Have Missed

Thanks again for your positive feedback about our news items! You motivate us to continue looking for those stories that you’ve told us you not only enjoy reading, but that you also find valuable within your own business and personal lives. The following provides a wide range of interesting security and privacy related news that demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness. Here is a list of 25 such articles, most with associated quotes included, that our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Sometimes we will also include a few sentences about the situation to provide some advice or additional insights. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!

"File:2024 Summer Olympics text logo.png" by Logo Oficial de los JJOO París 2024 is licensed under CC BY 4.0.

1.   Paris Olympics face unprecedented security risks. The Paris Olympic Games officially began on July 26, at a time of high geopolitical tensions. An impressive security operation has been put in place, but the Games also face unprecedented security challenges.

2.   Cyberattack stymies families seeking funeral arrangements. The Florida Department of Health confirmed that a group of ransom thieves hacked the state’s Vital Statistics System, which is used to process birth and death certificates. Thomas Griffin Jr. works at Strong & Jones Funeral Home in Tallahassee. He told WFSU on Monday that the attack has kept families from receiving burial services. NOTE: This is another example of how EVERY type of business, including all those in industries not explicitly regulated to require security and privacy protections NEED to implement security and privacy programs. EVERY type of organization is a target of cybercrooks.

3.   How a little-known tool is sweeping the real estate industry by giving instant access to vast amounts of homebuyer data. When Florida real estate professional Susan Hicks discovered the app Forewarn over a year ago, she was shocked to learn that for a service costing about $20 a month she could instantly retrieve detailed data on prospective clients with only their phone number.

4.   Your modern car spies on you, and you’re the only one who can limit it. The modern car—essentially hundreds of computers on wheels—isn’t just tracking miles driven. It’s tracking where you go, how long you stay, how hard you use the brakes, and how fast you go, along with hard cornering, forward collision alerts, lane-departure warnings, seat belt reminders, race, immigration status, even sexual activity. NOTE: Rebecca provided information to the author, Taylor Armerding, that was included in this article. Rebecca will also be providing analysis for car data sharing in her August SecureWorld keynote.

5.   A few thousand fans in July got into Kauffman Stadium much quicker to see the Kansas City Royals Major League baseball team sweep the Chicago White Sox, thanks to some new technology. The Royals introduced “facial authentication technology” for people going to home games, which officially launches Monday for their series against the Arizona Diamondbacks.

6.   The increasing volume and sophistication of fake network traffic has raised the cybersecurity stakes, jeopardizing sales and marketing efforts and complicating defense and protection. NOTE: Rebecca provided information to the author, Mary K. Pratt, that was included in this article.

7.   A ransomware attack on an Acadian Ambulance server accessed the personal information of millions of patients. The group told a data breach website it was asking for $7 million to return the personal data. The group said the data includes Social Security Numbers, names, dates of birth, medical record numbers and medical and treatment information.

8.   A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub. Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers. OUR ADVICE: Check to see if your IT folks, including any you contract, are using GitHub for software development. If so, ask them to check on this.

9.   CISA broke into a US federal agency, and no one noticed for a full 5 months. Red team exercise revealed a score of security fails.

10. What Hackers Do With 54B Leaked Cookies. NordVPN, a virtual private network service, has found billions of ad-tracking cookies leaked on the dark web. Of the 54 billion cookies, at least 1.5 billion were from the United States and 24% were active. The most cookies came from Brazil, India, Indonesia, and Vietnam. The United States ranked No. 4 in terms of number of leaked cookies. More than 2.5 billion of the cookies in the dataset were from Google, with another 692 million from YouTube. More than 500 million were from Microsoft and Bing.

11. A new Federal Trade Commission (FTC) ruling extends HIPAA to developers of health applications (apps) not previously covered by HIPAA, and all the associated covered entities. These parties include healthcare providers who recommend or approve apps for their clients or patients. The FTC update mandates that vendors of personal health records (PHRs) and related entities must notify individuals, the FTC, and in some cases media, if health data is breached. NOTE: We include more information about this in our upcoming new course, HIPAA Basics for Covered Entities: 2024 Edition.

12. American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing malware on its devices. The firm detected and stopped the malicious actions in time, so no data breach occurred.

13. Internet Explorer is still used as a malware vehicle by threat actors. The team at Check Point Research said it spotted a new attack in the wild which uses the ancient web browser as the delivery vehicle for malware infections. The process involves the use of a file which then calls and exploits IE to deliver the malware payload. OUR ADVICE: Establish a policy to require only the latest, supported browsers to be used in your organization. Also require in your Terms of Use that clients using your software should only use such types of browsers as well. We have found several businesses still using IE since the beginning of 2024.

14. FTC Order Will Ban NGL Labs and its Founders from Offering Anonymous Messaging Apps to Kids Under 18 and Halt Deceptive Claims Around AI Content Moderation. Agency says app was unfairly marketed to kids and teens, sent fake messages to drive up usage, tricked users into signing up for its paid service, and didn’t obtain consent for recurring charges. OUR ADVICE: Check to see if your marketing areas, including any you contract, target apps to kids and are doing anything similar.

15. You’re looking at a vehicle sitting in the middle of a parking lot, near Mount Parnassus in Greece, surrounded by a salt circle. The circle - a traditional form of protection in magical practice - is a trap for a self-driving car that relies on machine vision to guide it. The solid and dashed lines are a "no entry" pattern, directed inwards, so that the car, programmed to obey the road rules, cannot leave without breaking its own programming. The car is trapped. NOTE: This is from 2017, but researchers recently found this was still working as a "trap."

16. People are reporting millions of dollars lost in a scam that targets active-duty military and plays on their desire to help. In this con, scammers approach service members to ask for help because they lost their debit card and need to pay for something like a hotel room or groceries. They want you to transfer them money using your phone, but it's a scam.

17. Plaintiffs' attorneys recently filed over 100 lawsuits in New Jersey, seeking damages based on alleged violations of Daniel's Law (N.J. Stat. § 56:8-166.1). The suits allege that various website operators have violated provisions of Daniel's Law by making available the home addresses and unpublished home telephone numbers of law enforcement officers, including by making such information available on an online searchable database, following the receipt of a nondisclosure request. The officers have purportedly assigned their claims to Atlas Data Privacy Corporation, who sent thousands of automated nondisclosure requests to the defendants from "@atlasmail.com" email addresses as a precursor to the lawsuits.

18. House guts civil rights protections in privacy bill, sparking outrage. Both in the last Congress and this year, key Democrats and Republicans have advanced sweeping bills that would for the first time create a federal data privacy law. Each time, they proposed language barring companies from collecting data in a way that “discriminates” against protected groups and requiring them to assess whether their algorithms risk harm to users. But House Energy and Commerce Committee leaders removed those sections entirely from the latest version of the bill unveiled last week, sparking massive blowback from civil rights groups who call that language essential to a national privacy framework.

19. Avoid scam websites that offer to help you get or renew your passport.

20. The Buchanan County, MO, Sheriff's Department shares tips on scam calls. One of the standard scam calls claims there is a warrant out for the called individual’s arrest, which they could resolve by paying a fee over the phone. Law enforcement will never call someone in this situation. According to the Buchanan County Sheriff's Department, if someone is requested for a court appearance or wanted for a crime, they'll never be called by law enforcement agencies.

21. Were you offered remote work for $1,200 a day? It's probably a scam. Incidences of job scams skyrocketed 118% in 2023 compared with a year earlier, according to a new report from the Identity Theft Resource Center (ITRC). And they're looking more real than ever, thanks to artificial intelligence which has allowed criminals to create job postings that appear more legitimate, and target greater numbers of victims.

22. The BlastRADIUS bug puts most networking devices at risk. A standard set in 1997 is now in need of an upgrade. Researchers warn that well-funded state-sponsored attackers can exploit the flaw to bypass multi-factor authentication (MFA) and gain network access.

23. What it means for the Supreme Court to throw out Chevron decision, undercutting federal regulators. NOTE: We are following ways in which Federal data protection (privacy) and cybersecurity regulations such as HIPAA, GLBA, etc., may be impacted and will report what we find in upcoming issues of the Tips.

24. Data Protection Authorities in Europe have begun to turn their focus to consumer devices that collect and process neural data, as neurotechnologies continue to rapidly advance. The Spanish supervisory authority (AEPD) and the European Data Protection Supervisor (EDPS) recently released a joint report titled “TechDispatch on Neurodata” detailing neurotechnologies and the data protection challenges associated with processing neural data.

25. How One Bad CrowdStrike Update Crashed the World’s Computers. A defective CrowdStrike update sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

 

Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

August 2024

We continue to receive a wide variety of questions about security and privacy. Questions about HIPAA and personal health data are also increasing. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.

 

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!


Question of the Month:



Q1: The recent CrowdStrike outage is one of the most significant events of its kind in recent years, but it is not the only one. Have cyber outages become more or less common over time and what are some of the factors supporting that trend?

A1: Cyber outages are on a troubling trend of becoming more common over time. Hopefully this is a trend that will reverse. It will require organizations responsible for software, hardware, and network engineering and associated risk management to change some of their bad habits that have been proliferating throughout the past decade or two.


Here are four key factor categories that have contributed significantly to this trend:

  • The complexity of networks, applications and the associated technologies that support applications and systems keeps increasing. Historically, from the 1970s through roughly 2000, networks and applications were created by the company using them. For example, I started as a systems engineer at a Fortune 200 financial and healthcare insurance corporation in 1988. I was one of around 800 IT workers in the organization. We engineered, coded, tested, implemented, and did basically everything else to support IT up through the mid- to late 1990s, when specialized software and network products, such as anti-virus protection and firewall systems, were increasingly being used. So, comparatively few outsourced entities were involved, and the supply chain was fairly small. After we entered the 21st century, the complexity of networks and applications increased exponentially as the technologies advanced significantly, outsourcing of portions of organizational ecosystems also increased, and the number of entities involved in the supply chain of digital ecosystem components has continued to grow. The more entities and complexities involved in digital ecosystems, the more vulnerabilities exist, along with more threats. This results in more cyber outages. To mitigate this trend every organization must implement more effective processes, and well-vetted technologies, to keep one of hundreds or thousands of components from failing or being exploited and resulting in a cyber outage. Unfortunately, most business leaders do not provide enough resources and support to accomplish the most effective protections necessary.
  • Change controls for hardware, software and firmware are typically not comprehensively tested prior to going into production. As referenced previously, I started as a systems engineer, and I created the change control system for our organization. It required thorough testing at each of four separate, closed locations, each behind our firewalls and in subnets within our network ecosystem. Thorough testing had to be validated by a manager and then a director for the last two locations (staging, production). The concern is the same now as it was then: we had to ensure comprehensive testing was done to prevent errors, problems, downtime, security incidents, etc. This was pretty much the same at all organizations with an IT department. Over time, as complexity increased, change controls have become less rigorous. Sometimes this is by happenstance: assumptions are often made about the security assurances of different parts of a new or updated system, application, etc. At other times it is because there are many different entities trying to work in coordination to test changes that are coming from many different sources. There is often a lack of oversight for testing, as well as a lack of insight into the testing that has or has not already occurred. Insufficient testing misses important vulnerabilities, mistakes, and coding errors. This can subsequently result in incidents or other problems when the new or updated product is moved to production (real-life use).
  • Climate and environmental factors. As the warming climate and resulting weather changes continue to increase in severity, with more extreme weather disasters occurring, the result is also an increase in cyber outages. Another related factor is the increased use of energy for powering the computing technologies that organizations, and the general public, depend upon. Computing products are competing with all other types of power consumers for the available power supply throughout society. More people are using more energy for cooling and other environmental comfort purposes. Exacerbating the strain on power sources is the need for even more power from new and more commonly used technologies. In October 2023, data centers used 1.5% of global electricity, and their usage continues to rise. Add to this artificial intelligence (AI) tech, which requires a great amount of power. For example, OpenAI’s GPT-3 uses nearly 1,300 megawatt-hours (MWh) of electricity, the equivalent of the power used in a year by around 130 US homes. The International Energy Agency (IEA) reports that if ChatGPT were integrated into the 9 billion searches currently done each day, electricity demand would increase by 10 terawatt-hours a year, the amount consumed by about 1.5 million European Union residents. Add to this cryptocurrency mining. The US Energy Information Administration (EIA) reported in February of 2024 that current annual cryptocurrency use represents as much as 2.3% of US energy usage. And then there are all the other types of increasingly used technologies to add to the ones listed above. When power grids fail, there is usually a cyber outage. When power sources run dry, the associated cyber environments will go down. Environmental factors must be addressed, and associated shortages mitigated, to prevent cyber outages.
  • A wide range of other issues are also often factors. Defective hardware. Insider threats. Supply chain threats (e.g., nation state actors weaponizing one element or layer of a digital product). Lack of training and expertise leading to errors and problems. Mistakes. Misuse of open-source software development tools, such as GitHub, which is widely used to host open source software development projects. And the list could go on and on.

 

For even more guidance and tips about these issues, here are some more of our resources: Visit our webpage; check out our blog; subscribe to our YouTube channel; follow us on LinkedIn.

Quick Hits:


Here are five more questions we are answering at a comparatively high level. We had many questions about the newest HIPAA rules regarding reproductive health data, so we have included three of them here; two for HIPAA covered entities (CEs) and business associates (BAs), and one for patients. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.


Q2. What protocols should organizations have in place to restore operations in times of tech outages? What steps should be followed to get back up and running?


A2: Every type of organization, no matter how big or small, needs to have documented plans for a wide range of problems and outages. The necessary plans are listed below in the general order in which they are activated. Each plan should include explicitly described steps to follow, i.e., the procedures. It is important to understand that some of these plans overlap and have actions that will be performed concurrently, typically by different teams. All plans should include timelines and timeframes within which the plans should be implemented following the types of outages they cover. The listed plans show the associated definitions from NIST, most of which indicate some of the protocols related to the plan.

1.   Information Systems Contingency Plan (ISCP): Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan (COOP) or disaster recovery plan (DRP) for major disruptions.

2.   Occupant Emergency Plan (OEP): Provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. This is an incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation.

3.   Disaster Recovery Plan (DRP): Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days.

4.   Continuity of Operations Plan (COOP): A predetermined set of instructions or procedures that describe how an organization’s mission essential functions (MEFs) will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations. This plan may also activate several business unit-level BCPs, ISCPs, or DRPs, as appropriate.

5.   Business Continuity Plan (BCP): The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption. This includes mission/business processes and protocols that may be activated in coordination with a COOP plan to sustain non-mission-essential-functions (MEFs).

6.   Crisis Communications Plan (CCP): Provides procedures for disseminating internal and external communications. It is the means to provide critical status information, ensure accurate information is distributed, and to control rumors. The CCP is often activated with a COOP or BCP, but may be used alone during a public exposure event.

7.   Critical Infrastructure Plan (CIP): Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan. It is a risk management plan that supports COOP plans for organizations with critical infrastructure and key resource assets.

8.   Cyber Incident Response Plan (CIRP): Provides procedures for mitigating and correcting a cyberattack, such as a virus, ransomware, DDoS attack, worm, Trojan horse, etc. It is an information system-focused plan that may activate an ISCP or DRP, depending on the extent of the attack.


The details will vary depending upon the size and complexity of the associated organization. Even if the computer operations, and similar types of IT services, are outsourced and follow their own plans, every organization still needs to document within their own plans that outsourced IT support services are required to have these plans, and that they must be kept up-to-date, tested regularly, and meet all regulatory requirements that the organization contracting them must follow.

Q3: What are some security and privacy risks with wearable technologies, like smart rings, glasses, helmets, watches, shoes, etc.?

 

A3: This is an important question. And one we’ve been following for almost 20 years. We created some free eBooks covering IoT security and privacy risks that are still generally applicable. See extended answers beyond this “Quick Hit” answer here:


 

The wearables are covered largely in Securing IoT On the Go. However, there are some applications of wearables in the other eBooks as well.

 

We are thinking about updating them by the end of the year. Would that be helpful to you? Please let us know!

 

Also, Rebecca is giving the closing keynote at the August 28 SecureWorld virtual conference. Her talk is titled, “Navigating the Future: Privacy and Cybersecurity Challenges in the Era of an All-Connected World.” She will be covering many different risks, as well as dissecting a few use cases showing how to identify vulnerabilities and mitigate them through better engineering, better use, and both technical and non-technical capabilities. Do you have a use case you’d like to suggest that she include? Let her know!

Q4: What can HIPAA compliance leaders do to fully understand and internalize the key changes introduced by the Final Rule to support reproductive health care privacy? How can HIPAA compliance leaders assess the impact of these changes on their current compliance program?

 

A4: These are very important issues to consider. Thank you for asking!

For readers who may not be aware, in April of this year the Final Rule of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy was published. It became effective on June 25, 2024.

At a high level this additional HIPAA rule covers the following topics. Following each is a short statement of what compliance leaders in covered entities (CEs) and associated business associates (BAs) need to do to understand the impact on their businesses:

  • New explicitly stated prohibitions on protected health information (PHI) uses and disclosures. These include uses and disclosures for specific actions related to criminal, civil, and administrative investigations, and for the purpose of identifying persons who receive reproductive health care services.
  • Conditions considered to indicate unlawful reproductive health care. Two conditions are described: explicit knowledge on the part of the CE practitioner, and CE receipt of validated proof that the reproductive care was not legal.
  • Attestations required of CEs and BAs. When CEs and BAs receive requests for reproductive data involved in health oversight activities, judicial and administrative proceedings, law enforcement purposes, and/or disclosures to coroners and medical examiners, the involved personnel must sign an attestation that the use or disclosure is not for a prohibited purpose. NOTE: The HHS provides a model attestation to serve as an example here.
  • Revisions needed for the Notice of Privacy Practices. Changes must explicitly include information about the protections for reproductive health care privacy. This is in addition to the statements about substance use disorder (SUD) protections that went into effect a few months before the reproductive health data requirements.
  • Limitations on PHI disclosures to law enforcement. CEs and BAs, and their personnel, may only disclose PHI for law enforcement purposes when all three of the following conditions are met: 1) Disclosure is not subject to the new prohibitions; 2) Disclosure is required by law; and 3) Disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law. 

 

Compliance leaders in impacted CEs, and their BAs with any type of access to the associated PHI, should at a minimum:

  • Review and update their HIPAA compliance security and privacy policies and procedures to align with these new requirements.
  • Provide training on the new and updated policies and procedures to all personnel who could be involved in situations involving reproductive health data.
  • Make appropriate associated changes in forms, PHI access logging, access controls, etc.
  • After publishing the updated policies and procedures and providing training, perform a risk assessment scoped to these situations to identify any existing security and privacy risks and then take actions to resolve them.
  • CEs need to communicate with their BAs who are involved in such activities, and ensure they take the previously described actions.


NOTE: We cover this topic in the currently available HIPAA Basics for Business Associates: 2024 Edition, and the soon-to-be-available HIPAA Basics for Covered Entities: 2024 Edition.

Q5: How can HIPAA compliance leaders train their staff effectively about the new prohibitions and conditions under which PHI can be disclosed?

 

A5: Our own decades of educating individuals, supported by hundreds of education research studies throughout the years, show that to make education activities as effective as possible, and remembered and put to use by the learners, they need to occur often, and be supplemented by a wide range of awareness activities and communications.

 

Applying these parameters to help ensure the most effective training for the new HIPAA requirements, at a high level compliance leaders should build their plans for educating staff about the new requirements around the following training framework:

  • Provide formal training specific to the new requirements. Methods include in-person, live online, and recorded training.
  • Provide supplemental materials that learners can reference and put to use during the work activities that involve these topics.
  • Send occasional reminders about the new requirements, along with follow-up news about related activities and about incidents internal to your organization that are applicable to these topics. Based on the research on education effectiveness and retaining knowledge over time, send these at least once a quarter; once a month is even better if possible.
  • Hold tabletop exercises that walk through related use cases to see how different departments would react to different situations involving these issues.
  • Use other methods as well, such as guest speakers, videos covering the topics, and books about the topics for staff who deal with such situations often.

 

NOTE: Rebecca’s popular book, “Managing an Information Security and Privacy Awareness and Training Program 2nd Edition,” includes full details for building an education program, including an awareness methods chapter that has a list of 250 awareness activities. Her publisher has asked her to do a 3rd edition of this book. Rebecca is considering it!

From https://www.healthit.gov/sites/default/files/YourHealthInformationYourRights_Infographic-Web.pdf

Q6: Is there anything patients should ask their healthcare providers about the new HIPAA prohibitions and conditions under which PHI can be disclosed?

A6: Yes. Given that multiple changes have been made to HIPAA during the past few years, along with published guidance on how to comply on specific topics, we recommend that patients ask their healthcare providers and insurers the following questions whenever obtaining treatment, payment, or operations services:

  • When was the last time your organization updated its HIPAA policies and procedures and provided training on those changes?

Since the most recent HIPAA rule changes affecting the practices of all CEs and BAs, as described in Q4, were published in April of this year, the answer should be a date sometime since April.

  • Have you implemented the new attestations for reproductive health data releases required under the rule changes that took effect in June 2024?

Unless they have a legitimate reason for saying “no,” the answer should be “yes.”

When you, or others you know, believe your or their rights under HIPAA have been violated, a complaint can be filed with HHS here: https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Many HIPAA violation investigations have resulted from individuals filing such complaints.

Data Security & Privacy Beacons*

People and Places Making a Difference

We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, typically one the suggester feels deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.

  • NIST. For their new publication, “NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide.”
  • FTC. For their article, “Heads up in your language.” Being online is part of kids’ lives. When they’re online, kids watch and create content, post photos and videos, play games, and share what they’re doing with friends and family. But when they post, play, and connect, they can encounter people and situations that aren’t always what they seem. What can you do to help protect them? To help the kids in your life be safe online, Heads Up: Stop. Think. Connect has some ideas to get a conversation started with them. It’s a free resource, available in twelve languages from Amharic to Vietnamese.
  • Global Internet Forum to Counter Terrorism (GIFCT). This site provides a great amount of useful information. The Global Internet Forum to Counter Terrorism brings together the technology industry, government, civil society, and academia to foster collaboration and information-sharing to counter terrorist and violent extremist activity online.
  • Pia Tesdorf. For her LinkedIn post about Firefox browser profiling and fingerprinting.
  • Media Bias / Fact Check (MBFC). For their great site, which helps validate or disprove information found online or through other digital sources. Given the increasingly common use of AI to create misinformation and disinformation, this is a good tool to use if you want to see whether something is really true. NOTE: There are other sites that provide similar types of validation as well. Do you have another fact-checking site that you like better? Let us know!
  • IEEE. For their paper, "Understanding Data Valuation: Valuing Google’s Data Assets." By Kean Birch, Sarah Marquis, and Guilherme Cavalcante Silva. There are some great points within about data valuation. As the last sentence in their abstract states, “We conclude that, despite being highly ambiguous, Google’s approach to data value focuses on monetizing users, not data.”
  • Jeimy Cano. For his paper, "Improving Cyberrisk Maturity, Governance, and Management in Boards of Directors." NOTE: If you hit a paywall and want to receive this as a PDF, let us know and we will check with ISACA to see if we can provide a copy to you.
  • ACM. For publishing this article, “Command Hijacking on Voice-Controlled IoT in Amazon Alexa Platform.” By Wenbo Ding, Song Liao, Long Cheng, Xianghang Mi, Ziming Zhao, Hongxin Hu. Very enlightening analysis.
  • David Hamilton. For his article, “Why time speeds up as you age.” NOTE: This is not directly related to privacy. However, Rebecca stumbled upon it, found it interesting, and thought our readers would find it interesting also.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight noteworthy examples of privacy-aware practices.

Check It Out!

We have published episode 4 of our “2-Minute Warning” security and privacy videos.

PSB 2-Minute Warning Episode 4: Harms Caused by Posting Personal Data to Online Sites

In August we will be publishing the next episode of our 2-Minute Warning videos.

Our online course “HIPAA Basics for Business Associates: 2024 Edition” is available now. Check it out at our site. This month we will be publishing our new online course, “HIPAA Basics for Covered Entities: 2024 Edition.”

 

What topics would you like to see us create online courses for? Let us know!

 

Have questions about our education offerings? Contact us!

Where to Find The Privacy Professor

Just published! A new episode of the SecureTalk podcast, Navigating HIPAA Compliance with Confidence. With Rebecca and her co-author for The Practical Guide to HIPAA Privacy and Security Compliance, Kevin Beaver. Hosted by Justin Beals.


Debbie Laskey will include my answers to her leadership questions in her "Olympics Leadership Series" later in August. Thank you, Debbie!

On August 20, Rebecca will join Jeff Brown in an IANS Research event, The Privacy Implications of AI and IoT. Rebecca and Jeff are both IANS faculty members. Here is a synopsis of the discussion:

 

The accessibility and use of publicly available data is creating a challenge for security teams and those responsible for interpreting the privacy regulations that cover publicly available data. This webinar, led by IANS Faculty Rebecca Herold and Jeff Brown, will provide practical advice around the regulations associated with the use of publicly available data. Rebecca and Jeff will also discuss the new laws and regulations around IoT devices and best practices for managing data in their IoT environment.

 

On August 28, Rebecca will provide the closing keynote for the SecureWorld virtual Manufacturing & Retail conference. Her talk is titled, “Navigating the Future: Privacy and Cybersecurity Challenges in the Era of an All-Connected World.” Register and attend the full day for free and get 6 CPEs.

Announcement! Plan now to attend Rebecca’s 2-day live online course with EPIC, “Cybersecurity for Engineers and Technical Professionals,” on November 21.

The Privacy Professor | Website

Privacy & Security Brainiacs| Website


Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. August 2024 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com, or
2) making a request directly to Rebecca Herold, or
3) connecting with Rebecca Herold on LinkedIn.


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that, in the spirit of networking and in support of the communications that LinkedIn encourages, she will send those who asked to connect with her her monthly Tips messages. If they do not want to receive the Tips messages, new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or by contacting her at rebeccaherold@rebeccaherold.com

If you wish to unsubscribe, just click the SafeUnsubscribe link below.