Why Are You Getting This?
You signed up to receive The Privacy Professor Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Don't Get Privacy and Security Scrooged
People seem to be very ready for some joy in my corner of the world. What about yours?
There has been such a heavy onslaught of negative, even scary, news this year. It is time to alleviate the tension with some pure, unspoiled happiness. One way to keep that happiness is to be aware of security and privacy risks, so that you and the organizations you deal with can act to prevent security incidents and privacy breaches. That would sure make us happier! Many security and privacy threats and vulnerabilities are active throughout the holiday season, when many people’s guards are down. The crooks, scammers and con artists, cyber and otherwise, come out of the woodwork when people are at their most generous. So let's be smart and aware; it's how we keep the holiday hounds at bay.
You can enjoy the holidays and be aware; we want to help you do that. Time to celebrate the many holidays going on during this time of year, and be security and privacy aware!
Read on (and share!) for the latest threats to your data security and privacy.
We hope you’ll find this month’s newsletter helpful. Feel free to share with your friends and colleagues. Help them keep their security and privacy Scrooges at bay!
We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify risks throughout their daily lives, and to help them know how to prevent security incidents and privacy breaches and avoid becoming the victim of scams. We love getting your questions! Send them our way, and you may see yours in an upcoming Monthly Tips issue.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.
Thank you for reading!
December Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
We love your positive feedback about our news items! We continue to find more unique news stories to share with you. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
We’ve provided just a few of the news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
We limit the list to 15 news items, and then put them, and a long list of other interesting news items, into a post to our Privacy & Security Brainiacs blog. Here are the 15 news items, most with associated quotes included, that our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Sometimes we will also include a few sentences about the situation to provide some advice or additional insights, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!
1. Facial Recognition That Tracks Suspicious Friendliness Is Coming to a Store Near You. Coresight AI has released a new product that sends alerts to store security when customers and staff have anomalous interactions.
2. Is your air fryer spying on you? Concerns over ‘excessive’ surveillance in smart devices. UK consumer group Which? finds some everyday items including watches and speakers are ‘stuffed with trackers.’
3. Swiss cheesed off as postal service used to spread malware. The QR codes arrive via an age-old delivery system: postal mail. Swiss citizens have received letters faked to look like they were sent from the nation's Federal Office of Meteorology and Climatology. The letters tell recipients to scan a QR code and download a "Severe Weather Warning App" for Android, which mimics the genuine Alertswiss weather app but is spelled "AlertSwiss" in the bogus version and has a slightly different logo than the government build. The app contains a variant of the Coper trojan, which specializes in keylogging, intercepting two-factor authentication SMS messages and push notifications, targeting banking apps installed on the device (stealing stored bank and other credentials and data) to log into people's bank accounts and steal their money, and displaying phishing screens.
4. Google AI chatbot responds with a threatening message: "Human … Please die."
5. Chicago’s Field Museum scans dozens of mummies to learn new secrets. “From an archaeological perspective, it is incredibly rare that you get to investigate or view history from the perspective of a single individual,” said one museum official. NOTE: Privacy after death issues. At what point in time following death does privacy become overtaken by preservation of historical facts and insights? What factors should be considered? This is a topic I’ve been looking at since 1996 when my mother died of Early-Onset Alzheimer’s. We have some new research reports and possibly courses (is this of interest to you?) planned for 2025.
6. Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes. Hacker Samy Kamkar is debuting his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing.
7. Two Missouri officers charged with stealing nude photos during traffic stops. A Missouri highway patrol trooper and, separately, a Florissant police officer are accused of illegally searching women’s phones for nude images during traffic stops.
8. Elon Musk-owned X updates privacy policy to let third-party collaborators train their AI models on users' posts. Reddit struck a similar deal with Google earlier this year, which allowed the tech giant to use posts on the platform to train its AI models and improve its online search results. NOTE: Read this if you use Reddit and/or X.
9. RAC duo busted for stealing and selling crash victims' data. Roadside assistance biz praised for deploying security monitoring software and reporting workers to cops.
10. Phishing emails increasingly use SVG attachments to evade detection. Threat actors are increasingly using SVG files in their phishing campaigns because they are usually not detected by anti-malware security software. NOTE: An SVG file is XML text, not a plain picture. It can carry scripts, event handlers, clickable links and even embedded HTML forms, and it opens in the browser when double-clicked. Treat an unexpected .svg attachment with the same suspicion as an unexpected .html one.
11. DNA firm holding highly sensitive data 'vanishes' without warning. The apparent disappearance of Atlas Biomed is a mystery - but it appears to have links with Russia.
12. Apple Engineers Show How Flimsy AI ‘Reasoning’ Can Be. The new frontier in large language models is the ability to “reason” their way through problems. New research from Apple says it's not quite what it's cracked up to be. Accuracy varies greatly.
13. It's Time to Purge Your USB Stick Collection. They are unreliable and often contain malware.
14. Five Eyes infosec agencies list 2023's most exploited software flaws. Slack patching remains a problem – which is worrying as crooks increasingly target zero-day vulns.
15. Fortinet patches VPN app flaw that could give rogue users, malware a privilege boost. Plus a bonus hard-coded local API key.
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
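Because SVG is XML, the active content that makes these attachments dangerous is visible to a plain parser. The following is an added example written for this issue (it is not code from any of the news sources above, and the two sample SVGs are constructed here): it walks an SVG and reports script elements, embedded HTML (`foreignObject`), `on*` event handlers, `javascript:`/`data:` URIs and external links, which is the kind of check a mail gateway could apply before passing an "image" through.

```python
"""Flag SVG attachments that carry active content.

Added example for the Privacy Professor Tips newsletter; not a vendor tool.
The BENIGN and PHISH samples below are constructed for this example.
NOTE: xml.etree is not hardened against entity-expansion attacks; in a
production filter, parse untrusted XML with defusedxml instead.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that let an "image" run code or render arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
# URI schemes that execute code or smuggle a document inside a link.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(qname):
    """Strip the XML namespace prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of findings for an SVG document (empty = nothing suspicious)."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # A filter should treat a broken "image" as suspicious, not as harmless.
        return ["unparseable-xml"]

    for elem in root.iter():  # document order, root included
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()   # handles xlink:href as well as href
            val = value.strip().lower()
            if name.startswith("on"):     # onload=, onclick=, onmouseover=, ...
                findings.append(f"event-handler:{name}")
            if name == "href":
                if val.startswith(ACTIVE_SCHEMES):
                    findings.append(f"active-uri:{val.split(':', 1)[0]}")
                elif val.startswith(("http://", "https://")):
                    host = urlparse(val).hostname or "?"
                    findings.append(f"external-link:{tag}:{host}")
    return findings


def is_suspicious(svg_text):
    """Convenience wrapper: True if any finding is raised."""
    return bool(scan_svg(svg_text))


# Constructed sample: an ordinary vector drawing.
BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="teal"/>
</svg>"""

# Constructed sample modelled on the "invoice" lure described in the news item:
# a script that redirects, an embedded HTML password form, and a phishing link.
PHISH = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="init()">
  <script>function init(){location.href='https://invoice-portal.example/login'}</script>
  <foreignObject width="400" height="300">
    <div xmlns="http://www.w3.org/1999/xhtml"><form><input type="password"/></form></div>
  </foreignObject>
  <a xlink:href="https://invoice-portal.example/login"><text y="20">Open invoice</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("phish", PHISH)):
        print(label, scan_svg(doc))
```

A real filter would also apply this to SVGs wrapped inside ZIP attachments and to `image/svg+xml` parts that carry a misleading `.png` or `.jpg` file name, since the content type, not the extension, is what the browser acts on.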
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
December 2024
We continue to receive a wide variety of questions about security and privacy. Questions about HIPAA and personal health data are also increasing. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Question of the Month:
Q1: You reported in a LinkedIn post that on Oct 31, 2024, “the HHS OCR imposed a $500,000 civil monetary penalty against Plastic Surgery Associates (PSA) of South Dakota in Sioux Falls, for several HIPAA violations, following OCR’s investigation into a ransomware attack breach. This settlement marks OCR’s 6th ransomware enforcement action amid increasingly large ransomware breaches in healthcare organizations." Why did it take 7 years to get a resolution? And how much of the fine do the affected individuals receive?
A1:
Let’s first consider the context of the situation. The PSA ransomware breach was discovered on February 12, 2017. The original breach report was filed in July 2017. The OCR then did an investigation, but did not indicate the time it started or how long it took to complete. Given the significant cut in funding to HHS from the 2017 – 2020 federal lawmakers, it may have taken years to start if there were not enough resources available to start right away. The investigation could have taken several months to perform and complete. Significant HIPAA non-compliance and associated risks were discovered in the investigation.
To date, the publicly published HHS reports indicate that the fines collected for HIPAA violation penalties have been, and still are, deposited in the U.S. Treasury, not distributed to the affected individuals.
Section 13410(c)(3) of the HITECH Act (enacted in 2009) requires HHS to establish a methodology under which an individual harmed by a potential or verified violation of the HIPAA rules may receive a percentage of any civil money penalty (CMP) or other monetary settlement collected with respect to that offense. Section 13410(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from it. The penalty amounts are adjusted by HHS at least once a year for inflation, and have historically increased since those annual adjustments began in the latter half of the 2010s.
A 2022 Request for Information (RFI) from HHS solicited public comment on the types of harms that should be considered in distributing CMPs and monetary settlements to harmed individuals, discussed potential methodologies for sharing and distributing those monies, and invited the public to submit alternative methodologies.
The chosen methodology has not yet been published and may not have been established yet. It is possible it may never be created, depending on decisions made by lawmakers going forward.
So, to answer the last part of your question, no portions of HIPAA penalties are being distributed to individuals at this point in time.
Such a methodology would necessarily be complex, given all the factors involved, and difficult to implement; potentially more so under a whole new administration, with new and/or fewer HHS workers and contractors, during a time of declining budgets. Keep in mind that regulatory fines and penalties are not the same as a court judgment: they are imposed by a regulatory agency whose capacity to enforce CMPs and associated penalties is limited by its funding and staffing. Given a growing number of news reports, there will likely be more cuts, reportedly some significantly large, to U.S. federal agencies starting in 2025.
Also, the level of HIPAA penalties was decreased in accordance with a re-interpretation of the meaning of the HIPAA Enforcement Rule in the prior (2017 – 2020) U.S. federal administration, and so there are many fewer dollars available to share among what are increasingly larger numbers of persons affected by violations.
This is an issue my business is monitoring as time goes on.
Quick Hits:
Here are four more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: What criteria are taken into account to decide the monitoring period for a HIPAA violation and/or settlement corrective action plan (CAP)?
A2: The penalties and sanctions for HIPAA noncompliance are established by the HIPAA Enforcement Rule. A corrective action plan (CAP) is one type of “informal means” of resolving a violation, typically agreed to by the covered entity (CE) or business associate (BA) that is then obliged to follow it. Each HIPAA non-compliance case is considered separately, taking into account all the associated factors, which inherently differ from one organization to the next.
The monitoring periods in corrective action plans (CAPs) for HIPAA violations imposed by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) typically range from one to three years. These periods are generally determined by the severity of the violation, the compliance history of the entity, and the complexity and details of the required corrective actions. Below are some general descriptions of the characteristics that we’ve found to be associated with the different lengths of CAP monitoring periods from published settlements:
1. One-Year Monitoring: Smaller-scale violations or cases where issues can be addressed relatively quickly may involve a one-year monitoring period. For instance, some cases under the HIPAA Right of Access Initiative, which often deal with failure to provide timely access to medical records, have included one-year monitoring commitments.
2. Two-Year Monitoring: These appear to be used for more complex or systemic issues within a fairly narrow scope. For example:
- Life Hope Labs: This case involved failure to provide timely access to records, and the CAP included two years of monitoring to ensure compliance with the right of access provision.
- Sentara Hospitals: After sending patient records to incorrect addresses and improperly reporting breaches, a CAP with two years of monitoring was imposed to help ensure a similar mistake would not happen again.
3. Three-Year Monitoring: Large, systemic, enterprise-wide compliance failures, often involving large-scale breaches or significant violations of multiple HIPAA provisions have often required three years of monitoring. These longer periods are often used for entities with extensive corrective actions, such as comprehensive policy revisions, workforce training, and new safeguard implementations.
4. More than Three Years Monitoring: Significantly egregious and/or systemic compliance failures, a lack of risk management practices, and situations involving insiders exploiting their access to PHI have resulted in more than three years of monitoring.
Each CAP specifies the monitoring mechanisms, reporting intervals, audits, and/or independent compliance assessments necessary.
Related to HIPAA penalties, you may find it interesting (as we have) that an HHS administrative law judge (ALJ) can decide if civil money penalties (CMPs) are appropriate for a HIPAA violation. This can happen when a CE or BA doesn't take satisfactory action to resolve a HIPAA violation.
Q3: What's the difference between credit card fraud and identity theft?
A3: Great question! To put it very generally, credit card fraud is one of many types of identity theft. NOTE: For those familiar with the long history of these terms, “identity theft” and “identity fraud” have become interchangeable. The U.S. Department of Justice says both terms refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. We use the term in this way for our answer.
Credit card fraud is the unauthorized use of someone else’s credit card or card information to make purchases or withdraw funds. The card or its data is typically obtained by:
- Physically stealing the card.
- Capturing the card data with skimmers placed on gas pumps, ATMs, or point-of-sale card readers.
- Phishing the cardholder for the card number, expiration date, and security code.
- Compromising systems that process cards, such as an online checkout page or a merchant’s payment system.
The stolen data is then used for purchases, often online, where the physical card is not needed.
Identity theft is a broader type of crime that occurs after stealing someone’s personal information from a wide range of sources and then impersonating that individual for fraudulent purposes.
Credit card fraud is one type of identity theft. Other types include impersonating someone on loan applications, opening bank accounts in their name, obtaining medical care and insurance benefits using their identity, using their identity on job applications, giving their name when pulled over for speeding so that the victim’s driving record is affected, and many more.
The harms from identity theft are likewise wide-ranging; many are long-term, and some last for life. Examples include damage to the victim’s financial standing and credit score, being turned down for jobs and loans, and even physical harm or death when the thief’s medical care alters the victim’s medical records, which can result in incorrect diagnoses, prescriptions, and medical device settings.
Q4: I keep seeing news reports about hackers and privacy breaches stating that people or business were not “protecting your credentials.” What are my credentials? Is this like my driver’s license? Or a diploma?
A4: The meaning of “credentials” has expanded over the years. Historically, for many decades, the term referred to academic or educational qualifications, such as degrees or diplomas, and to occupational qualifications and authorities, such as professional certifications.
When used in a story about hacking, privacy breaches, or other technology incidents, the story is most likely talking about the data used to verify that an individual is who they claim to be. Such credentials typically consist of an identifier (who you claim to be) and some type of secret or token (proof that you are that person), which the individual presents to confirm they are the rightful user of that identifier. The proof may be something you know (a password, PIN or passphrase), something you have (a hardware key, an authenticator app, a one-time code) or something you are (a fingerprint or face). Credentials used on a computing device, network, application or other technology help prevent unauthorized individuals from logging in, and they are also used within a wide range of access control methods to assign digital capabilities to individuals or other digital objects. The most commonly used type of credential is a user name/ID with an associated password, PIN or passphrase. When a news story says credentials were not protected, it usually means that pair was stored or transmitted in a way that let attackers recover it, which is why a password should never be reused across accounts.
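To make the identifier-plus-secret idea concrete, here is an added example (written for this issue; it is not code from any product mentioned in this newsletter) of how a system should hold and check the most common credential, a user ID and password: the password itself is never stored, only a salted scrypt hash of it, and the check recomputes the hash and compares it in constant time. The in-memory store and the cost parameters are assumptions for the example, not a recommendation for any particular system.

```python
"""Store and verify user ID / password credentials without keeping the secret.

Added example for the Privacy Professor Tips newsletter; the in-memory store
and the scrypt cost parameters below are assumptions for illustration.
"""
import hashlib
import hmac
import os

# Assumed cost parameters: 16 MiB of memory per hash, fast enough for a demo.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
HASH_LEN = 32
SALT_LEN = 16


def _derive(password, salt):
    """Salted, memory-hard hash of the password; this is what gets stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          dklen=HASH_LEN, **SCRYPT_PARAMS)


class CredentialStore:
    """Maps an identifier (user ID) to (salt, hash). The secret is never kept."""

    def __init__(self):
        self._users = {}
        # Used to hash against when the user ID is unknown, so a login attempt
        # takes the same time whether or not the account exists.
        self._dummy_salt = os.urandom(SALT_LEN)

    def register(self, user_id, password):
        salt = os.urandom(SALT_LEN)          # unique per user, so equal passwords differ
        self._users[user_id.lower()] = (salt, _derive(password, salt))

    def verify(self, user_id, password):
        """True only if user_id exists and password matches its stored hash."""
        record = self._users.get(user_id.lower())
        salt, expected = record if record else (self._dummy_salt, b"\0" * HASH_LEN)
        candidate = _derive(password, salt)
        # Constant-time comparison; do the hash work even for unknown users.
        return hmac.compare_digest(candidate, expected) and record is not None

    def stored_secret_leaks_password(self, user_id, password):
        """Shows that what is stored is not the password (useful for a breach)."""
        salt, digest = self._users[user_id.lower()]
        return password.encode("utf-8") in digest


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print("right password:", store.verify("alice", "correct horse battery staple"))
    print("wrong password:", store.verify("alice", "hunter2"))
    print("unknown user:  ", store.verify("bob", "correct horse battery staple"))
```

The two properties a breach story is usually about are both visible here: a dump of `_users` contains salts and hashes but no passwords, and the `verify` path gives an attacker no shortcut (no early exit on an unknown user, no byte-by-byte comparison). A second factor, such as a hardware key or authenticator code, would be checked on top of this, not instead of it.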
Q5: I'm getting a lot of ads on FB for Guardio, claiming they block fake deals and phishing sites. Is it legitimate?
A5: Guardio is a browser extension that provides some protection from phishing sites and related online activities. It is built for Chrome and is also available as an add-on for Microsoft Edge and other Chromium-based browsers.
It is basically a pared-down type of anti-malware tool, focused primarily on phishing and other potentially harmful activity inside the browser; it does not cover what happens outside the browser.
It is a legitimate security/privacy tool, but from our research, our opinion is that it only protects against a small subset of the total types of online threats. For that, it is somewhat costly compared to other anti-malware packages that offer a wider range of protections, many of which are available at a lower cost, or at no cost at all.
NOTE: As a follow-up to our November Tips question about privacy and security gifts, we have updated our lists! Check them out! Let us know if you have additional items to add.
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, and the suggester feels it deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Mitch Parker, Florence Hudson, and their Clinical IoT DDI with TIPPSS - Clinical IoT Data and Device Interoperability with TIPPSS Working Group. For their valuable work over the past few years coming to fruition with the publication of the IEEE/UL 2933-2024 Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS–Trust, Identity, Privacy, Protection, Safety, and Security on September 30, 2024.
- The Office of the Australian Information Commissioner (OAIC). For their publication, “Facial recognition technology and privacy.” It is an infographic and short. But it provides a nice overview, and for many, an introduction to what is needed for privacy within face recognition technology.
- Iowa State University and Dr. Doug Jacobson. For their recently released set of videos, “Cyber House Rock.” They are in the style of the classic School House Rock videos, and cover cybersecurity.
- NIST. For their Initial Public Draft NIST Privacy Workforce Taxonomy. NOTE: Consider reviewing and providing feedback. That’s what we are doing! Comments are due January 17, 2025.
- National Cyber Security Centre (NCSC). The cyber security agencies of the UK, US, Canada, Australia, and New Zealand, commonly called the “Five Eyes” nations, published a list of the 15 most exploited vulnerabilities in 2023, warning of the increase in zero-day exploits.
- Taylor & Francis subsidiary CRC Press. For continuing to publish categories of books focusing on security, privacy and compliance throughout the past 3 decades. They have many new books out right now within their Security, Audit and Leadership initiative. If you are interested in writing a book about your related expertise, but are not sure about how to take that first step for being published, get in touch with Dan Swanson. NOTE: The first IT/security/privacy article I had published was in the early 1990s when the executive editor of CRC Press, Richard O’Hanley, initiated contact with me. He asked me to write an article about the anti-virus program which I had created and implemented at Principal Financial Group, which he told me was the first to be implemented within an organization, and that he thought it would be very helpful to other organizations trying to figure out how to implement their own anti-virus programs. That started my long publishing relationship with CRC Press, which was acquired by Taylor & Francis in 2003. I’ve always found CRC Press (and Auerbach and other T&F subsidiaries) great to work with, and look forward to publishing more books with them. Perhaps you will, too!
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Where to Find The Privacy Professor
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. December 2024 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.