Why Are You Getting This?
You signed up to receive the Tips, or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Mitigating May Privacy Mayhem!
May Day! May Day! This month we are passing along news stories, answering readers’ questions, recognizing privacy beacons, and providing some information about interesting events and opportunities.
Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.
We apologize for being a few days late with this issue. Our team has been heads-down finishing some new training courses. See information at the end of the Tips about this.
Thank you for reading!
May Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
Image by Stephen Faulkner
We’re sharing interesting security and privacy news that demonstrates that these types of risks exist basically anywhere in the world, and that everyone needs awareness. Here is a list of 23 such articles our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Let us know!
1. Story County, Iowa, sheriff's office investigating explicit AI photographs of Nevada, Iowa high school students. The week prior to this, Iowa Governor Reynolds signed a bill into law making it a felony to create media of minors or their likeness engaged in a sex act or full or partial nudity, specifically calling out AI use. However, this law does not go into effect until July 1, 2024, so it cannot be applied to this incident.
2. University of Iowa and Iowa State University athletes sue state investigators over sports betting probe that involved using geo-fencing surveillance without obtaining court warrants.
3. Aiming to clamp down on identity theft and protect customers’ information, USPS is beefing up its procedures to verify your identity when you request a change of address. Now you must either show ID in person at your local post office or verify your identity online. A change of address request, or COA, can be submitted up to 90 days before the date of your move or up to 30 days after your move.
4. Driverless semis will soon carry freight along Texas highways. In less than nine months, Aurora Innovation Inc., an autonomous transportation company, will launch up to 20 driverless trucks carrying loads on Texas highways for partners such as FedEx, Uber Freight and Werner.
5. Wisconsin Man Who Used Fake ID for 33 Years Pleads Guilty to Credit Union Felony. Matthew Keirans admits his crimes that led credit unions to lend him $250,000 and landed his ID theft victim in prison.
6. Man Allegedly Deposits $7 Million in Stolen U.S. Treasury Checks at Credit Unions. Duncan-Carle allegedly conducted the scheme by obtaining stolen U.S. Treasury checks made out to individuals and companies. He is accused of assuming the identity of the individuals whose names were on the checks, opening credit union accounts under the assumed identities, depositing the checks and withdrawing the funds, according to federal prosecutors. They did not report the total amount of funds he allegedly withdrew.
7. Ohio man fatally shot Uber driver after scam phone calls targeted both of them, authorities say. This tragic case shows how scam calls pretending to be from others (a type of identity fraud) can result in physical harm and death. Brock had received scam calls from someone pretending to be an officer from the local court who eventually began making threats and demanding money, authorities said. The victim, Loletha Hall, 61, was an Uber driver who had been told to retrieve a package from Brock’s home, a request authorities say was possibly made by the same scam caller or an accomplice. Hall had no knowledge of the calls made to Brock, authorities said. When she arrived at the home and got out of her car, Brock pulled out a gun and demanded she tell him who had made the threatening calls. He also took Hall’s cellphone and would not let her leave. When Hall tried to get away, Brock shot her three times. The original scam calls to Brock and Hall remain under investigation.
8. Smartphone App Detects Early Signs of Frontotemporal Dementia. This sounds promising for helping dementia patients. At the same time, it is a concern that there was no mention of security or privacy protections for the vast amount of health data that this app is collecting. We will continue to follow upcoming reports about this app.
9. A wearable ultrasound scanner could detect breast cancer earlier. The new device, which can be incorporated into a bra, could allow more frequent monitoring of patients at high risk for breast cancer.
10. Incognito Browsing Isn’t as Invisible as You Think. Google agrees to settle class-action lawsuit that asked for $5 billion in damages. The class-action suit filed in 2020 that covers incognito users since June 1, 2016, maintained that Google continued to catalog website visits and other data about users’ friends, finances, hobbies, shopping habits and “potentially embarrassing things” they pulled up online. By settling, Google says it will delete billions of records that reflect customers’ private browsing activities, data worth billions of dollars to parent company Alphabet.
11. Heartbleed, the OpenSSL vulnerability, was disclosed 10 years ago and is still wreaking havoc on unpatched systems. Here are some lessons learned.
12. I’ve been living with a $699 AI Pin on my chest. You probably shouldn’t. Dedicated AI gadgets are here, but I’m not sure about living with them yet.
13. Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians. A segment from Bill Whitaker on 60 Minutes.
14. Russian intelligence hackers stole emails between federal agencies and Microsoft and potentially collected login credentials during a recent breach of Microsoft.
15. Russian group exploits Windows print spooler bug via ‘GooseEgg’ malware.
16. Microsoft confesses April Windows update breaks some VPN connections. Applicable to Windows 10 and Windows 11 systems.
17. By the end of 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) plans to launch an automated vulnerability warning program to alert organizations that are running software with vulnerabilities being exploited by ransomware gangs.
18. On April 29, 2024, the Federal Communications Commission (FCC) fined the largest wireless carriers in the U.S. for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.
19. On April 12, 2024, the Federal Bureau of Investigation (FBI) warned of a massive ongoing wave of SMS phishing attacks targeting Americans, tricking them into handing over personal data and money by claiming unpaid road toll fees. These attacks started in March, and the FBI reports that over 2,000 people have already reported being targeted by the scammers.
20. Flaws in Chinese keyboard apps leave 750 million users open to snooping, researchers claim. Huawei is OK, but Xiaomi, OPPO, and Samsung are in strife. And Honor isn't living its name.
21. How I Built an AI-Powered, Self-Running Propaganda Machine for $105. I paid a website developer to create a fully automated, AI-generated ‘pink-slime’ news site, programmed to create false political stories. The results were impressive—and, in an election year, alarming.
22. OpenAI’s rules can be ‘easily’ dodged to target Latinos and Spanish speakers, study warns.
23. 96% of hospitals share website data: April 2024 Study. Hospital websites often use tracking technologies that can capture user information and transmit it to third parties such as Google or Snapchat. In this study, conducted by researchers at the Philadelphia-based University of Pennsylvania, the websites of 100 non-federal acute care hospitals were analyzed between November 2023 and January 2024 to assess whether they have easy-to-find privacy policies and whether those policies tell users about third-party tracking. The researchers found that 96% of hospital websites shared user data with third parties, but only 71% had a privacy policy. Among those with such a policy, only 56% named the third-party companies with which they share information.
Have you run across any surprising, odd or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
May 2024
We continue to receive a wide variety of questions about security and privacy. We are also receiving more questions than ever about HIPAA and personal health data. Thank you for sending them in! This month, in addition to our Question of the Month, we’ve included six Quick Hits questions. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
The fact is, when insureds and patients use their CEs’ online portals for treatment, payment and operations (TPO), they are viewing, downloading, modifying, or otherwise accessing their PHI in some way. The tracking technologies on those portals collect data that can be specifically associated with each portal user, and the overall purpose is to share that data with others, typically for marketing, a collection and use to which the patients and insureds never consented. When the tracking tools use this data, including IP addresses, which have been one of the identifiers listed in the HIPAA Privacy Rule since it took effect in 2003, they are using PHI in ways that do not support TPO and that the associated patient or insured never consented to.
I have been an expert witness for the use of these online tracking tools for five cases in the past 12 months. It is clear that the data being collected is almost always implemented in a way that associates it with the individual, based upon the context of use at the portal for TPO. Organizations need to understand this, and make the appropriate changes. The examples provided in the revised guidance clarify this pretty well.
The best way to navigate the guidance is to:
1) Assign a person or role the responsibility for ensuring online tracking tech is used in compliance with HIPAA. That person or role is also accountable for ensuring that the BAs involved in setting up and maintaining the tracking tech, and any other third parties, take actions that will not violate HIPAA in how the technologies are implemented and how the data is collected or used.
2) The assigned role/person needs to identify all the online tracking tech being used on each of the pages not only on their own portals, but also in all the apps they make available to patients and insureds to use for TPO support. They need to:
a. Understand what is meant by “tracking technology.” This is explained in detail at the page pointed to in the question. Tracking tech includes such things as cookies, web pixels (e.g., Meta Pixels), conversion APIs, and any other types of emerging technologies.
b. Document all the tracking technologies used within their organization, and all the associated locations (apps, web pages, etc.) where they are implemented.
c. Audit each app and page to determine the specific data being collected by the tracking tech, determine to which other entities the data is being sent, and document whether the data is considered PHI based upon the pages where the tracking tech is deployed. The general locations where PHI is found include:
· Tracking on user-authenticated webpages.
· Tracking on unauthenticated webpages. Every CE and BA must consider this: In many cases the same tracking tech ID used on authenticated pages is also used on unauthenticated pages, and many of those IDs are sharing data with one or more (I’ve found as many as 30 in those 5 cases I previously mentioned) third parties, often advertisers and marketers.
So, the data collected and shared from the tracking tech ID on an authenticated page is PHI, and it is PHI on the public pages where it is also used, due to the cross-pages use of the same tracking tech ID.
· Tracking within mobile apps. These refer to apps offered to individuals by CEs and BAs to allow the individuals to, for example, find providers, access or manage their health information or health care, or pay bills.
3) CEs and BAs must then take actions to comply with HIPAA on each website page and app using tracking technologies. CEs must ensure they and their BAs:
a. Have verified the implementation and use of tracking tech in all locations where they want to put them complies with all Privacy Rule requirements.
b. That the BAAs for those BAs involved include requirements for the implementation of tracking tech and subsequent use of the associated PHI.
c. That risk assessments include consideration of all tracking tech used throughout the CE’s and BAs’ digital ecosystems.
d. That unauthorized disclosure of PHI via the tracking tech is documented and reported in the same way as all the other PHI breaches.
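Step 2 above (inventory every tracking technology, find out where its data goes, and spot the same tracking ID reused on authenticated and unauthenticated pages) is mechanical enough to script. The block below is an added example written for this issue; it is not code from the Tips, from HHS, or from any vendor. The tracker host list, the ID patterns, the portal URLs (under the reserved .test domain) and the HTML snippets are all constructed for illustration, and a real audit should be driven by the organization’s own inventory rather than by this short list of hosts.

```python
"""Inventory third-party tracking tech across a set of portal pages and flag
tracking IDs shared between authenticated and unauthenticated pages.

Added example, not code from the Tips or from HHS guidance. Tracker hosts,
ID patterns, page URLs and HTML below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed mapping of well-known tracker hosts to a label. A real inventory
# must come from the organization's own audit, not from this list.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
    "www.google-analytics.com": "Google Analytics",
}

# Patterns that extract the tracking ID from common tag snippets. The first
# two capture the ID in a group; a GTM container ID is the whole match.
ID_PATTERNS = {
    "Meta Pixel": re.compile(r"fbq\(\s*[\"']init[\"']\s*,\s*[\"'](\d+)[\"']"),
    "Google gtag": re.compile(r"gtag\(\s*[\"']config[\"']\s*,\s*[\"']([A-Z0-9-]+)[\"']"),
    "GTM container": re.compile(r"GTM-[A-Z0-9]+"),
}

# src attribute of script, img (pixel) and iframe tags.
SRC_RE = re.compile(r"<(?:script|img|iframe)\b[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def _host(src):
    """Host of a src URL; empty string for relative (same-origin) references."""
    if src.startswith("//"):  # protocol-relative URL
        src = "https:" + src
    return urlparse(src).netloc.lower()


def third_party_hosts(html, page_url):
    """Return {host: label} for every src that points off the page's own host."""
    own_host = urlparse(page_url).netloc.lower()
    found = {}
    for src in SRC_RE.findall(html):
        host = _host(src)
        if host and host != own_host:
            found[host] = KNOWN_TRACKER_HOSTS.get(host, "unknown third party")
    return found


def tracking_ids(html):
    """Return the set of (technology, id) pairs recognizable in the page."""
    ids = set()
    for tech, pat in ID_PATTERNS.items():
        for m in pat.finditer(html):
            ids.add((tech, m.group(1) if pat.groups else m.group(0)))
    return ids


def audit(pages):
    """pages: iterable of {"url", "authenticated", "html"} dicts.

    Returns (inventory, cross_page). inventory maps each URL to the third
    parties and tracking IDs found there. cross_page is the set of IDs seen
    on both authenticated and unauthenticated pages: the case where data from
    the public pages is also PHI because the same ID ties it to the portal user.
    """
    inventory = {}
    seen_on = defaultdict(set)  # (tech, id) -> {True, False} by page type
    for page in pages:
        ids = tracking_ids(page["html"])
        inventory[page["url"]] = {
            "authenticated": page["authenticated"],
            "third_parties": third_party_hosts(page["html"], page["url"]),
            "ids": ids,
        }
        for tid in ids:
            seen_on[tid].add(bool(page["authenticated"]))
    cross_page = {tid for tid, flags in seen_on.items() if flags == {True, False}}
    return inventory, cross_page


# Constructed sample pages; .test is a reserved TLD, so nothing here is real.
SAMPLE_PAGES = [
    {"url": "https://portal.example-hospital.test/login", "authenticated": False,
     "html": '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>\n'
             "<script>fbq('init', '1234567890'); fbq('track', 'PageView');</script>"},
    {"url": "https://portal.example-hospital.test/appointments", "authenticated": True,
     "html": "<script>fbq('init', '1234567890'); fbq('track', 'PageView');</script>\n"
             '<script src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>\n'
             "<script>gtag('config', 'G-ABC123');</script>"},
    {"url": "https://www.example-hospital.test/find-a-doctor", "authenticated": False,
     "html": '<img src="//www.google-analytics.com/collect?v=1&tid=UA-1" width="1" height="1">'},
]

if __name__ == "__main__":
    inventory, cross_page = audit(SAMPLE_PAGES)
    for url, info in inventory.items():
        print(url, "authenticated" if info["authenticated"] else "public",
              sorted(info["third_parties"]), sorted(info["ids"]))
    for tech, tid in sorted(cross_page):
        print(f"CROSS-PAGE: {tech} ID {tid} is used on authenticated and public pages")
```

Run against the constructed pages, the Meta Pixel ID is reported as cross-page because the same ID appears on the public login page and the authenticated appointments page, which is exactly the situation described under “Tracking on unauthenticated webpages”; the gtag ID appears only on the authenticated page and is not flagged, though it still belongs in the inventory and in the BAA review.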
For even more guidance and tips about these issues, here are some more of our resources: Visit our webpage; check out our blog; subscribe to our YouTube channel; follow us on LinkedIn.
Quick Hits:
Here are some questions we are answering at a high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q: What common computer user practice can create a security problem?
A: There are many! One that is too often overlooked by both businesses and individuals is not making frequent-enough, and multiple, backups. This includes data as well as your systems and applications.
Making backups is a mundane task. Many security and privacy practices are. What is not mundane is losing valuable data and other digital files that turn out to be very important to your life once they are gone. This is something that I must personally manage on an ongoing basis. Effective backup practices also limit the damage from ransomware: with clean, restorable backups, encrypted files can be restored instead of paid for.
Here is a high-level list of actions that individuals and businesses need to take to avoid digital file losses, stress and non-compliance penalties, and to protect against ransomware attacks:
- Develop a disaster recovery plan that documents the digital files you would not want to lose and that need to be backed up regularly, and that provides instructions for restoring the backups. Make everyone who will be involved with making backups and restoring backed-up files aware of the plan.
- Make backups frequently. The more often a critical digital file is modified, the more often you need to back it up. Yes, some backups will need to be made weekly, daily, or even more often, such as hourly or every time a file is changed.
- Create multiple backups. Don’t depend on just one backup; if it is compromised or the data corrupted, it is no longer good to you. Use a combination of incremental (copies of changes made since the last backup, reducing storage and backup time) and full (all digital files) backups.
- Make backups immutable. Immutable means the backup cannot be modified or deleted for a set retention period, so ransomware or a mistake cannot corrupt it. Encrypt the backups as well, so that a stolen copy cannot be read.
- Store backups in multiple places. Keep some backups stored locally, such as in a separate location on your computer’s drive, with copies stored offline on external hard drives. Keep other external drives stored offsite in secured, fire- and water-proof locations. Use additional backups stored in clouds, but only if those clouds are secured and strongly encrypted using keys that the cloud service does not have access to and so cannot use to decrypt your data.
- Keep software updated, and then make multiple backups stored in different secured locations as previously described. This will help to defeat ransomware exploits.
- Keep all family members, and employees, aware of the importance of backups. Especially if they are using their own personal devices.
- Restrict access to each of the different types of backups to only those who need it to test and restore data from backups.
- Test your restores. A backup that has never been restored is an assumption, not a safeguard.
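The “multiple backups” and “immutable” points above depend on being able to tell a good copy from a corrupted or tampered one. The block below is an added example written for this issue, not code from the Tips or from any backup product: it builds a SHA-256 manifest of a backup set and checks a copy against it, catching a file that was silently altered after the backup was made. The source files and the two copies are constructed in a temporary directory so the script runs offline. The manifest itself must be stored separately from the copies it protects (an attacker who can alter the copy could otherwise alter the manifest too), and the check complements, rather than replaces, an actual test restore.

```python
"""Build a SHA-256 manifest for a backup set and verify copies against it.

Added example, not code from the Tips. The files below are constructed in a
temporary directory for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest.

    Paths are normalized to forward slashes so a manifest made on one
    operating system verifies a copy restored on another.
    """
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(copy_root, manifest):
    """Compare a backup copy against a trusted manifest.

    Returns (ok, problems); problems is a list of ("missing" | "modified" |
    "unexpected", relative_path). Store the manifest apart from the copy it
    protects, e.g. with the offsite drive or in the DR plan binder.
    """
    actual = build_manifest(copy_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != digest:
            problems.append(("modified", rel))
    for rel in actual:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return (not problems, problems)


def demo():
    """Constructed scenario: a faithful copy verifies; a copy with one file
    altered after the backup (as ransomware or bit rot would do) is caught.
    Returns (good_copy_ok, result_for_bad_copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes" / "plan.txt").write_text("restore steps go here\n")
        manifest = build_manifest(src)  # taken at backup time, kept offsite

        good = Path(tmp, "backup_good")
        shutil.copytree(src, good)
        bad = Path(tmp, "backup_bad")
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_text("id,amount\n1,999\n")  # tampered

        return verify_backup(good, manifest)[0], verify_backup(bad, manifest)


if __name__ == "__main__":
    good_ok, (bad_ok, problems) = demo()
    print("good copy verifies:", good_ok)
    print("tampered copy verifies:", bad_ok, problems)
```

In practice the manifest would be written at backup time and kept with the offsite copy or in the recovery plan, and the verification run on a schedule against every copy, so a corrupted or encrypted backup is discovered before the day it is needed.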
Q: How can healthcare entities ensure their business associate agreements fully address the cybersecurity risks and responsibilities related to PHI protection?
A: Healthcare covered entities (CEs), and business associates (BAs) that use subcontractors, are required to obtain written satisfactory assurances from their BAs that PHI will be protected. CEs and BAs are permitted to require more actions from their BAs and to include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements need to be agreed upon by both parties and documented within their agreements (BAAs, SLAs, etc.), along with how the BAs will provide evidence that they are meeting them: for example, by providing upon request documented policies listing the implemented safeguards, supplying recent audit reports of HIPAA compliance that cover the assurances, providing objective third-party certifications verifying the requirements within the contracts, etc.
A common mistake made by most CEs, as well as by BAs that subcontract and so must also use BAAs, is that they never customize the BAAs based upon the services and/or products the BAs are providing to support their treatment, payment and/or operations (TPO) activities. To help ensure they are fully addressing cybersecurity risks, the specific agreed-upon satisfactory assurances can be included in the agreements. If for some reason the organization does not want these details within the BAA, they need to be documented somewhere else, with the second-best location typically being the SLA.
Q: Is Internet Protocol television (IPTV) secure?
A: Generally put, IPTV is the delivery of media content, videos or live television over an IP network. IPTV can be secure. We use IPTV often, with accompanying security settings. As with other networks, IPTV security and privacy threats include malware, hacking attempts, distributed denial of service (DDoS) attacks, data theft, unauthorized access, and more.
Mitigate security risks by ensuring your IPTV provider, in coordination with the settings you make, has taken the following privacy and security actions:
- Implements strong firewalls.
- Regularly monitors network traffic to detect unusual activity or potential security breaches, such as by using intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Enables IPsec on IPv6 to provide encryption and authentication within the protocol suite itself.
- Utilizes anti-malware tools.
- Implements access controls throughout the network using a variety of methods, such as firewall configuration, access control lists (ACLs), etc.
- Promptly applies system, security and privacy patches and updates to mitigate potential risks.
The provider should also regularly perform security audits, stay aware of the latest IPv6 security updates, and monitor emerging threats and vulnerabilities.
Q: My children are millennials, and my grandchildren are Gen Z. They keep warning me to be more aware of security and privacy risks. However, I see them being riskier than I am! Are there any reports about security and privacy risks for those two generations? I’d like to send some warning to them for a change! 😊
A: A research report from late 2022 from Ernst & Young (EY) reported that Gen Z and Millennials are bigger cybersecurity risks than older employees. Of the 1,000 working adults surveyed, the younger workers were less likely to follow established business cybersecurity protocols than their Gen X and baby boomer counterparts. Here are just a few of the findings:
- 76% of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations who grew up online and have lived with cyber risks the majority of their lives are significantly more likely to disregard mandatory IT updates for as long as possible; 58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers.
- Younger generations are more likely to use the same password for a professional account and personal account; 30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers.
- Younger generations are more likely to accept web browser cookies all the time or often; 48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers.
You can see more of the summary findings here. Read this with your children and grandchildren. Then let the interesting, enlightening, and loving discussions begin! Even though this is from 2022, we believe from a wide range of other news reports we’ve seen that this is probably still fairly accurate.
Q: My son is a nurse in a hospital in the U.S. Today he was engrossed in speaking with a patient with a history of drug abuse in an otherwise empty hallway in the exam rooms area. Or so he thought. As the patient was telling him about a recent relapse with a Class A drug, he noticed a police officer slowly walking by, clearly listening to the conversation. He hadn’t even heard anyone walking! He quickly said to the officer, “Can I help you?” The officer replied, “I’d like to speak with you later,” then he walked on. My son was very alarmed, and has been extremely worried since he got home from work. He is very conscientious about speaking as quietly as possible with patients to avoid any overhearing by others, so he said he speaks quietly (not projecting) wherever he is speaking with a patient. The patient wasn’t speaking as quietly, though. He could tell the officer overheard the patient. Did he commit a HIPAA violation, when the police officer seemed to have heard about his patient’s illegal drug use?
A: Let’s look at the key points first.
- Your son was providing what could be considered treatment (of the treatment, payment and operations, or TPO, activities that HIPAA covers) to his patient in a non-public area: a hallway where he did not see anyone else around besides him and his patient.
- Your son was speaking quietly, while the patient was describing illegal drug use not so quietly.
- As soon as he saw the officer, your son seemed to have cut off the patient’s speaking, to address the officer.
- The officer seemed to have heard what the patient was saying, and said he would be speaking with your son later.
HIPAA requires PHI to be protected in all forms, including audible. HIPAA also requires CEs and BAs to “reasonably safeguard” PHI from any intentional or unintentional use or disclosure that is in violation of HIPAA requirements. Your son makes it a practice to speak quietly with patients. And, he also stopped the patient from speaking about information that would be considered as PHI as soon as he became aware of someone else nearby.
Under HIPAA, an incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted by the Rule. Going strictly from what you described, it sounds like your son was practicing a tactic to protect PHI (speaking quietly) in a non-public location where patients are allowed to be, along with the hospital staff.
It could probably be argued that your son was using reasonable safeguards for PHI protection by consulting with the patient in a non-public area that appeared to be empty, and also was speaking quietly.
The patient was speaking louder in this same location. However, HIPAA governs only disclosures made by CEs and BAs, not statements made by the patient. In these circumstances, some debate could be had about the complexities of the situation. For the purposes of our Tips answer, to keep it short, I will not expand on this here. However, we will include this as a use case in our upcoming HIPAA Basics for CEs: 2024 edition. (NOTE: We provided the questioner more details about this directly.)
Given these factors, this would not seem to be a HIPAA violation, since it seems it would be considered to be an incidental disclosure that could not have reasonably been prevented.
Another important issue, though, is what the officer may ask of your son later. Your son should not share any PHI with the officer on his own. Even if the officer has already overheard something from the patient, your son is not obligated to provide any information about any patient to the officer, and he should route the request to the CE’s Privacy Officer or the CE’s lawyer, who will determine whether HIPAA permits the disclosure or whether an official court order compels it. Additionally, on February 8, 2024, HHS finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records rule (42 CFR Part 2), which expands the protections for records related to substance use disorder treatment. So, in certain situations, depending upon what the police officer requests, the information the patient mentioned in the non-public hallway may not be releasable even with a court order.
If your son has not already spoken to the CE’s Privacy Officer about this situation, we encourage him to do so.
Q: Does adding a disclaimer to an email to a patient make it HIPAA compliant? And eliminate it from being a breach if the email is accidentally received by someone else?
A: No. It does not matter what type of disclaimer is put on an email that is covered by HIPAA. If a CE or BA accidentally sends someone’s PHI to the wrong person in an email, it is presumed to be a PHI breach unless a documented breach risk analysis shows a low probability that the PHI was compromised, for example because the accidental recipient did not actually view, use or share it. Each situation is different, and each needs a documented breach analysis. HIPAA does not treat email disclaimers as eliminating any type of non-compliance, and a disclaimer does not make an email containing PHI compliant with HIPAA.
Image from KCCI TV 8 in Des Moines from meteorologist Trey Fulbright. One of the 24 confirmed tornadoes here in Iowa on that day.
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestions are for businesses other than the suggester’s, typically ones the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Earlham Savings Bank. This is a regional bank with locations in central Iowa. The image above is the message currently shown to bank customers on the login portal. This message periodically changes. A great idea for all organizations to include in their online customer/patient/etc. portals!
- The U.S. Department of Health and Human Services (HHS). HHS has expanded the recent Healthcare Sector Cybersecurity Concept Paper it published by issuing cybersecurity performance goals (CPGs) for the healthcare and public health sectors. The CPGs help healthcare organizations protect against cyberattacks and improve responses when attacks on critical healthcare infrastructure occur.
- AARP. For providing local events that give residents hands-on, physical ways to protect their personal privacy, such as the event shown in the image below, advertised in a postal mailer to local residents.
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Check It Out!
We have published episode 4 of our “2-Minute Warning” security and privacy videos.
PSB 2-Minute Warning Episode 4: Harms Caused by Posting Personal Data to Online Sites
We also are publishing our new online course in May, “HIPAA Basics for Business Associates: 2024 Edition.” Check our site to find it when it is available. We will provide a direct link to it in our June Tips. In July we will be publishing our new online course, “HIPAA Basics for Covered Entities: 2024 Edition.”
What topics would you like to see us cover? Let us know!
Have questions about our education offerings? Contact us!
Where to Find The Privacy Professor
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. May 2024 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.