Why Are You Getting This?


You signed up to receive The Privacy Professor Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.  


Celebrating 19 Years of Data Privacy Day!

Happy (privacy protecting and security strong) New Year!

[Image: Festive 2025 Light Display in Urban Setting. Image from Pexels.]

The first time my business team and I celebrated Data Privacy Day was in 2008, the second year that it had been observed throughout the world. 18 years ago! That started my annual tradition of raising awareness of that day. My blog post was, “Some more information and ideas for Data Privacy Day, January 28.” Two years later, I submitted a request to Iowa Governor Chet Culver to officially proclaim January 28, 2010 as Iowa Data Privacy Day, which he agreed to, and did. Each year since then, through two more Iowa Governors, I’ve submitted requests for another proclamation. As you are reading this January Tips, I’m still waiting to hear back from the Iowa governor’s office to learn whether or not she will approve my request, for the 16th year in a row. We will publish the proclamation in our February Tips, assuming that it will once more be approved.


Want more ideas for how to celebrate Data Privacy Day on January 28? Well, we can help you do that. And, if you are looking for a new course on building privacy and security into your organization operations, designs, etc., I am teaching a new live, interactive class, “Cybersecurity for Engineers and Technical Professionals,” over a 2-day period, 10:00 am to 6:00 pm Eastern. With many use cases! See more below.


Read on (and share!) for more information about data security and privacy, to help you make it Data Privacy Day all 365 days in 2025!



We hope you’ll find this month’s newsletter helpful. Feel free to share with your friends and colleagues this fall. They will probably be thankful!

 

We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify risks throughout their daily lives, and to help them know how to prevent security incidents and privacy breaches, and to keep from becoming a victim of scams. We love getting your questions! Send them our way, and you may see them in an upcoming Monthly Tips issue.


We hope you are finding all this information valuable. Let us know! We continue to appreciate, and love, the feedback you are sending us! We always welcome your messages.  


Thank you for reading!

Rebecca


We would love to hear from you!

January Tips of the Month


  • News You May Have Missed
  • Privacy & Security Questions and Tips 
  • Data Security & Privacy Beacons*
  • Where to Find the Privacy Professor

News You May Have Missed

We continue to find more unique news stories to share with you. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.

 

We’ve provided just a few of the news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.

 

This month we limited the list to 18 news items, and will then include them, along with a long list of other interesting news items, in a post to our Privacy & Security Brainiacs blog by the end of the month. Here are the 18 news items, most with associated quotes included, that our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Sometimes we also include a few sentences about the situation to provide some advice or additional insights, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!


1. Photobucket opted inactive users into privacy nightmare, lawsuit says. Class action could foil Photobucket’s plan to turn old photos into AI goldmine.

2. Panic over mystery drones says more about people than UFOs. Life’s great mysteries aren’t solved while taking out the trash or driving along a deserted highway.

3. Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware. These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.

4. Concerns over the security of electronic personal health information intensify. The PHI of Ascension patients and employees was compromised during the ransomware attack that occurred in May, which affected nearly 5.6 million people.

5. Marshalltown, Iowa, police find credit card skimmer at gas station. NOTE: This is increasingly happening everywhere, throughout the world. Stay aware.

6. Google Warns Millions Of Android Users—These Apps Are Spying On You. NOTE: Everyone, everywhere needs to be aware of these skimmers. They are quickly increasing in use by cyber crooks.

7. Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud. NOTE: Some great tips here.

8. Italy’s privacy watchdog fines OpenAI for ChatGPT’s violations in collecting users’ personal data. NOTE: They also found that ChatGPT did not provide an “adequate age verification system” to prevent users under 13 years of age from being exposed to inappropriate AI-generated content.

9. Netflix Gets Mixed Verdict in Invasion of Privacy Trial Over ‘Our Father’ Documentary about a doctor who secretly fathered dozens of children through fraudulent fertility treatments. A trio of women accused the streaming giant of disclosing their names without their consent in the documentary.

10. ‘Thank God I was wearing this shirt’: Woman issues warning after revealing something shocking about Ring doorbell cameras. “In general, according to InfiRay, infrared can’t see through insulating clothes like jeans and sweaters. However, per Galaxus, infrared cameras can sometimes see through thinner, semi-transparent clothes made of materials like silk.”

11. Apple is working on a doorbell camera with Face ID. The company’s smart home push includes unlocking your door the same way you do your iPhone screen.

12. A new study highlights outdoor security camera apps as some of the biggest collectors of user data. This includes sensitive personal information like email addresses, phone numbers, payment details, precise location and more.

13. Package Delivery Problem? Maybe Not. Americans Are Swamped With Scam Texts. Criminals pretend to be USPS, FedEx and UPS, smishing for your personal info and money.

14. FBI Warns Of Brute-Force Password Spy Attacks—What You Need To Know. An excerpt: “HiatusRAT actors have been seen to scan devices in the U.S. as well as Australia, Canada, New Zealand and the United Kingdom. “The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260,” the FBI stated, “and weak vendor-supplied passwords.” Targeting yet-to-be-patched vulnerabilities is a common tactic of hackers of all colors, the FBI said they had observed the threat actors targeting devices from Xiongmai and Hikvision with telnet access. “They used Ingram—a webcam-scanning tool available on GitHub —to conduct scanning activity,” the FBI said, and “Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access.””

15. 4.8 million healthcare records left freely accessible. It belonged to a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care, called Care1. The information Jeremiah found included eye exam results, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained lists of patients which included their home addresses, Personal Health Numbers (PHN), and details regarding their health.

16. Google report finds ethics issues with AI assistants. NOTE: More good reasons to keep these turned off and unplugged when you don’t need to actively use them.

17. Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse. A cybercriminal gang called RansomHub claims to be selling highly sensitive patient information stolen from Change Healthcare following a ransomware attack by another group in February.

18. AI models face collapse if they overdose on their own output. Recursive training leads to nonsense, study finds. The University of Oxford team found that using AI-generated datasets to train future models may generate gibberish, a concept known as model collapse. In one example, a model started with a text about European architecture in the Middle Ages and ended up – in the ninth generation – spouting nonsense about jackrabbits. Emily Wenger, assistant professor of electrical and computer engineering at Duke University, illustrated model collapse with the example of a system tasked with generating images of dogs. "The AI model will gravitate towards recreating the breeds of dog most common in its training data, so might over-represent the Golden Retriever compared with the Petit Basset Griffon Vendéen, given the relative prevalence of the two breeds," she said. "If subsequent models are trained on an AI-generated data set that over-represents Golden Retrievers, the problem is compounded. With enough cycles of over-represented Golden Retriever, the model will forget that obscure dog breeds such as Petit Basset Griffon Vendéen exist and generate pictures of just Golden Retrievers. Eventually, the model will collapse, rendering it unable to generate meaningful content." NOTE: If you are thinking about, or already, using AI, make sure you understand this.

 

Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

January 2025

We continue to receive a wide variety of questions about security and privacy. Questions about HIPAA and personal health data are also increasing. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.

 

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!


Question of the Month:



Q1: If the recently released HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) is implemented as written, will it actually move the needle on security?


A1:


For most changes, yes; absolutely! Here are just a few examples:


  • One proposed change is to remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required, with specific, limited exceptions. This will improve security. I’ve seen most covered entities (CEs), and generally all business associates (BAs), abuse the “addressable” implementation specification since 2005! Most treat “addressable” as meaning “optional,” which of course it was never meant to mean. “Addressable,” simply put, meant that the applicable standard should be implemented based upon the level of risk within each CE’s and BA’s situation. However, CEs and BAs have consistently interpreted it as “optional,” often at the direction and advice of their legal counsel, who typically look to save the organization money by skipping explicitly required activities that would take the organization’s time, resources and money to implement. That leaves organizations vulnerable to risks, and to non-compliance. So, yes, this will ultimately improve security.
  • Another proposed change is explicitly requiring written documentation of all Security Rule policies, procedures, plans, analyses and other associated documentation. Yes, this will improve security. From 2003 through to just a couple of months ago, several CEs and BAs have consistently told me that they had policies and procedures, but that they were not documented, because they were simply “well known expectations, and long-held common sense” activities. Unwritten policies and other types of rules and associated documentation mean there are basically no policies at all, because there exists no verifiable proof or other auditable evidence. It also makes consistent interpretation of such “well known” expectations impossible, and quite frankly makes them impossible to enforce, resulting in employees simply not doing what is not written down. So, yes, requiring formally documented policies and supporting documentation will ultimately improve security.
  • A third example of a proposed change is adding specific compliance time periods for many existing requirements, such as performing risk assessments, providing training, and other activities. Again, most CEs, and virtually all BAs, have not updated their policies and other governance documents since they were first published 5, 10, and even 20 years ago! The same goes for performing risk assessments and providing training, as well as many other required activities. Most business leaders throughout the healthcare industry, and their BAs, have viewed compliance with HIPAA as a one-and-done type of activity, often, again, to save the organization’s time, resources and money. However, the costs of not doing so, which include increased security incidents, privacy breaches, non-compliance fines and penalties, lost trust, and more, are many times more expensive than simply implementing these common-sense security protections to begin with. Adding specific compliance time periods for Security Rule required activities will ultimately improve security.


If all CEs and BAs would actually implement these proposed new and updated security requirements, then it truly would improve security, and better protect the privacy of individuals whose PHI they are responsible for protecting.

That said, I know that many CEs, and most BAs, will not want all these changes, even though they’ve complained for years about the lack of specificity within the HIPAA rules. Now they will see these specifics as huge costs, in their time, resources and budgets, and will push back against many of them, especially small to medium sized CEs and BAs. Many will claim this will make healthcare costs go up for patients and insureds, while leaving out the fact that the untenably increasing numbers of privacy breaches and security incidents have already been significant factors in driving up healthcare costs. But, if CEs and BAs do it correctly, with thoughtful analysis and planning, implementing these protections will prevent huge numbers of security incidents and privacy breaches, which should ultimately, and significantly, reduce healthcare costs, not increase them.


I encourage all leaders in CEs and BAs, and most definitely all those responsible for security, privacy and compliance within them, to read the proposed update carefully, thoughtfully, and realistically, with understanding rather than knee-jerk reactions. Then, for specific requirements that they feel strongly cannot be implemented within their organization, or that they strongly support, they should submit their comments by the deadline. They should make sure they fully and clearly explain in detail why such specific requirements are either not feasible for their type of organization, or are requirements that all CEs and BAs should be meeting. It would be even more helpful to also add some suggestions for how to improve upon the updated requirement, instead of simply saying that the requirement should be removed.


And yes, my team and I are planning to submit feedback on the NPRM as well.


Quick Hits:


Here are four more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.

Q2: Name something specific that poses an unusual/unique threat to the security of PHI; something beyond phishing or ransomware, that's not on everyone's radar already. Why is this a threat, and how can a healthcare entity deal with that threat?


A2: The use of patient and healthcare data for research, and to train AI tools, is not being addressed enough. Securing “smart,” internet-of-things (IoT) products within digital ecosystems where patient and health data is collected, transmitted and processed, and where life-impacting medical devices are used, is also a threat to the security of patient and health data that is not being sufficiently addressed. Telehealth processes and support technologies are also being overlooked, especially the components that relate to the tech under the control, and in the environments, of the remote patients. There have long been research data requirements, including many under HIPAA. However, too many organizations have never fully complied with them, and now, even more so, that data is being more widely used to train AI. Those three newer topics (AI, IoT and telehealth) not only need policies and procedures covering their use; they also need to be strengthened through training for staff, and patients as applicable, specific to their uses, and with additional types of technologies to track and control their use. All four of these areas should also always be included within the scope of risk assessments, and the additional types of risk management activities, which they historically have not been.


Q3: What are your top three tips/must-do items for all types of organizations to do to address security threats in 2025?


A3:


1. Perform a comprehensive risk assessment of the full business enterprise, including contracted workers, vendors who actively support the business, business associates, and other entities engaged to support the business who have any type of access to the organization’s data, technologies, personnel, and/or physical locations. Also be sure to include use of IoT products (e.g., security cameras, robots, temperature controls, locks, fitness trackers, smart medical devices, digital assistants, etc.), AI (e.g., using personal data, such as location, conversations, patient data, etc.), telehealth, remote working areas, and other types of remote access.

2. Update security and privacy policies and procedures as part of the mitigation activities for the discovered risks. Make sure all employees know and understand them.

3. Update, and provide to all employees, security, privacy and compliance training. Then provide additional targeted training to subgroups for specific types of activities, such as call centers and help desks, sales/marketing, IT, and HR. Send ongoing reminders about security, privacy and compliance activities, actions, and news, and how they should be incorporated into workers’ job responsibilities and daily work activities.

Q4: Do you expect web-tracking technologies to continue to be an enforcement issue with OCR and the FTC, or will interest in this fade, particularly as the new administration takes over?


A4:


The use of tracking technologies is becoming more widespread with each passing day. So absolutely, it will remain an enforcement issue, not only with the OCR and FTC, but perhaps more frequently with the State Attorneys General, and even more frequently beyond that with legal class actions and private lawsuits. Changes in established regulations, rules and guidelines that were released in the past four years cannot be removed overnight. The actions and statements made throughout the last quarter of 2024 by the HHS and FTC make it clear that they are planning to continue increased pursuit of compliance investigations, audits, etc. Many privacy and security groups are not going to let these issues fade from public interest, even if the new administration may want them to be forgotten.

 

Add to this the fact that there is now a long-established expectation from the public that CEs, BAs, and any other businesses that collect a lot of personal data will be more effective, comprehensive, and pro-active in protecting the data they collect and derive from their patients, insureds, customers, and the general public. Even if federal enforcement fades, state-level and legal actions will continue to increase, especially as training AI with patient and customer data increases and as ransomware continues to increase, and especially now with the current focus on health insurance following the murder of the UHC CEO. Even though that had no direct relationship to HIPAA, it did bring world-wide attention to the need for changes in the healthcare industry, which includes the need for more privacy protections, and more comprehensive and effective security.

 

It is also easy to demonstrate how organizations using tracking technologies in websites, apps, IoT products, and other digital products are taking data directly from the computing devices of individuals, and then sending the data to Meta and other large tech companies, which then sell it to others to use for targeted marketing and other activities. All of these have direct impacts on the associated individuals.


Q5: What can organizations and the general public do in recognition of Data Privacy Day?

 

A5:


There are many things they can do! I’ve written about this often throughout my professional career, and in my books. We will be posting to our blog throughout January with ideas, many of which are excerpts from one of my popular books, “Managing an Information Security and Privacy Awareness and Training Program, 2nd Edition.” Here are just a few. Follow our blog, and our LinkedIn page, throughout the month for more. Oh, and by the way, since I’ve had many requests from publishers, universities and book readers to update and publish new editions, I will get started on doing this for three of my books that have been popular this year. Keep an eye out for more on them throughout 2025.

1. Invite guest speakers to give presentations and talks about information security and privacy topics.

2. Obtain a celebrity endorsement of your organization’s customer information security and privacy goals; use the endorsement internally and within marketing materials.

3. Host information privacy and/or security awareness days (see Appendix M).

4. Create information security and privacy newsletters to give to your customers and consumers.

5. Create employee information security and privacy newsletters (or send them the Monthly Privacy Professor Tips!).

6. Create information security and privacy newsletters to give to your consultants, business partners, and contract vendors.

7. Write and publish articles in enterprise-wide newsletters and publications.

8. Maintain intranet Web sites with security and privacy tips and guidance.

9. Display information security and privacy posters: in parking lots, cafeterias, vending areas, meeting rooms, teams’ locations, restrooms, and so on. Some organizations have indicated increased awareness by posting on the inside of restroom stall doors.

10. Post information security and privacy banners over doorways.

Data Security & Privacy Beacons*

People and Places Making a Difference

We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestions are for businesses other than the suggester’s own; typically, these are ones the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Check It Out!



We are going to be posting more videos to our YouTube channel this year! We know; we are behind. We will be better at getting more online content created in 2025! To date we have not formally promoted it. As we start getting a good number of some video shorts, as well as medium- to long-length videos, posted, we will be doing some traditional promotions. In the meantime, please check it out, let us know of any topics you suggest we cover, “like” the videos, and subscribe. And of course, add comments for topics that motivate you to do so.

 

What topics would you like to see us create videos, and more formal online courses, for? Let us know!

 

Have questions about our education offerings? Contact us!



Where to Find The Privacy Professor

Rebecca was featured in the IT GRC Forum event, Driving Compliance Decisions by Using Data Repositories Effectively.

Sign up!

 

Sign up to attend Rebecca’s next 2-day course with EPIC live, online training January 30 - 31, 10:00 am to 6:00 pm Eastern, “Cybersecurity for Engineers and Technical Professionals.” Privacy will also be covered along with many use cases. See the syllabus at the link for more details.

Sign Up!


Rebecca is also providing the Opening General Session and Keynote at the ISACA Virtual Conference on Wednesday, February 19, 9:30 AM - 10:45 AM CST, “Navigating the Privacy Maze in Emerging Technology and Digital Transformation.”

See the recording now! "Ask Me Anything!" Privacy & Security Brainiacs Live: Dr. M.E. Kabay on Secure Coding


During this hour, Dr. M.E. Kabay provided great discussion about secure coding, his new Secure Coding Master Expert course available from the online training platform Privacy & Security Brainiacs, and his latest textbook, “The Expert in the Next Office: Tools for Managing Operations and Security in the Era of Cyberspace.” Check it out! Post your questions under the video in our YouTube channel. Or, send any questions you have for Dr. Kabay to us using info@privacysecuritybrainiacs.com.

The Privacy Professor | Website

Privacy & Security Brainiacs| Website


Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. January 2025 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

 

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com

 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.