Why Are You Getting This?
You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
It's Shopping Season... for Criminals!
In November most folks kick into gear with shopping for the holidays. In the northern hemisphere, as the air is getting crisper, football, soccer, volleyball, basketball and a wide assortment of other sports are favorites for many. November is also a favorite time of the year for criminals, who prey on their victims online, by phone, by postal mail, and in person. This month we help you navigate these now omnipresent criminal threats, while also enjoying the fun of sports, shopping, and being with friends, family and co-workers.
Last month we limited our questions answered to four, and we cut down on the number of beacons to be limited to ten. Many of you let us know you liked cutting down on the questions and answers, but thought four was too few. We hear you! This month we're providing six. If we get enough support for this, we will start using that as our monthly number of questions to answer. We also received some suggestions to create short videos and/or audio messages to post online (eg, LinkedIn, our Privacy & Security Brainiacs website). We'll give it a try starting in December.
Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this valuable information. Let us know! We always welcome your feedback.
Thank you for reading!
November Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
November 12 – 18 is International Fraud Awareness Week! It was established by the Association of Certified Fraud Examiners (ACFE) in 2000 to raise awareness about fraud. This is a perfect opportunity for organizations and individuals to help raise awareness of current computer-based fraud tactics. Here are some activities you can consider doing, and information to consider sharing, with your family, friends, and co-workers to support this goal:
- Explain what “cyber fraud” is. Here is a short description to start from: “Cyber” has become the de facto term for something that happens on, or through the use of, the internet. “Cyber fraud,” then, is a broad term that means any type of fraud that occurs on, or through the use of, the internet.
- Help your friends, family and co-workers understand some of the major types of cyber fraud. Here are some common types:
  - Imposter/impersonator scams: Currently the most widespread scam being reported. See more about this scam from the FTC here.
  - Phishing: Using email, texting, online messaging, and other online communication services to trick victims into sharing confidential information such as personal data, login credentials, and financial details.
  - Business email compromise (BEC): Targeting workers who have the authority to make wire payments or who have access to employment data, such as W-2 forms. It usually starts with the compromise of a legitimate executive email account, the login credentials having been obtained through social engineering. The cybercrooks then use that real account to send HR and accounting workers requests for payments and data, which arrive from exactly the address those workers expect.
  - Email spoofing: Forging the sender’s display name or From address so that a message appears to come from a trusted source when it was actually sent from somewhere else. The From header is just text the sender fills in, so by itself it proves nothing; receiving mail systems use SPF, DKIM and DMARC checks to catch the crudest forgeries, but a look-alike domain (one letter off from the real one) set up by the crooks passes those checks. This tactic is very effective and in recent years has increasingly been used to trick HR and accounting workers into sending employee data and wiring cash.
  - Ransomware: Encrypting or otherwise blocking access to critical data and applications, then demanding payment to restore access. Most ransomware crews now also steal the data before locking it up, and the stolen data is often then sold to other cybercrooks and used for a wide range of frauds.
  - Stealing data: Stealing personal data and other types of confidential data, then using it for other frauds or selling it to other cybercrooks.
  - Denial of service (DoS): Purposefully cutting off access to an online service, system, or network to disrupt business operations and access to vital services and data.
  - Malware: Using malicious software (e.g., viruses, worms, Trojans, spyware) to damage or disable users’ devices and/or steal personal and sensitive data.
  - Online scams: In addition to imposter scams, there are many other bogus claims and representations that play upon people’s emotions to get them to click a malicious link or send money to someone who is actually a crook. Common scams include romance and online dating scams, IRS/tax scams, law enforcement scams, credit card scams, charity/donation scams, fake websites that appear to be legitimate, lottery fee scams, and more. See more with associated details at this FTC website.
- Play cybercrime bingo. Create some cards with a five-by-five grid on each. Fill each square with a different cybersecurity or privacy term, including cybercrime and cyber fraud terms, so that every card is unique. At the beginning of International Fraud Awareness Week (or any other week of the year) give each player a card. Throughout the week each person marks off a term when they read or hear about something that falls under that term’s definition, and for each square marked off, ask them to note where they read or heard it. Recognize (or reward) the first person to get “Bingo!” and notify you (via email, phone, text, or whatever way you determine best for your situation). Here is a partial view of one of the cards from the “Privacy & Security Bingo!” set that we provide to our clients.
What other activities do you suggest for International Fraud Awareness Week? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in November?
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
November 2023
We continue to receive a wide variety of questions about security and privacy. We also are still receiving many questions about HIPAA and personal health data. Thank you for sending them in! We’ve included six of the many questions we’ve received here and will answer the others elsewhere, or in upcoming Tips. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q: I was recently a hospital patient. I noticed tech everywhere! When I asked my physician if all those medical devices were compliant with HIPAA (like you’ve recommended for years), I was horrified when he answered, “Medical devices are not covered by HIPAA.” What!? Is this true?
A: This is a common belief, but it is generally incorrect, and it has been a source of confusion for many years. The confusion comes from mixing up two different regulators. The FDA regulates the medical devices themselves and the manufacturers that make them. HIPAA regulates the covered entities (hospitals, clinics, physicians) and business associates that use those devices and the protected health information (PHI) on them. For most of its history the FDA’s cybersecurity guidance for device makers consisted of non-binding recommendations that focused primarily on patient safety, not on security or privacy capabilities, and many healthcare organizations read those “guidelines” as voluntary suggestions that somehow replaced their own HIPAA obligations for the devices. That changed in 2023: new section 524B of the Federal Food, Drug, and Cosmetic Act lets the FDA require cybersecurity information (a plan for addressing vulnerabilities, a software bill of materials, and so on) in premarket submissions for connected “cyber devices,” and the FDA issued final premarket cybersecurity guidance in September 2023. Either way, nothing the FDA does replaces or reduces a healthcare provider’s HIPAA obligations. It is good you are checking on this.
Digitally connectable medical devices, often called internet of medical things (IoMT) devices, collect and derive large amounts of PHI, and usually also process, transmit, and store it. A covered entity must protect that data in compliance with HIPAA, which means administrative, technical and physical safeguards around those devices: a risk analysis that includes them, access controls, encryption where reasonable and appropriate, audit logs, and physical security for the device and any workstation attached to it. Ideally the device manufacturers would build security and privacy capabilities in. Sadly, that is still not done very often.
Healthcare providers must ensure all the medical devices they use have such safeguards, even when the devices themselves do not have them built in; compensating controls such as network segmentation and physical locks count. This is not a new requirement; it has always been this way, and providers have been penalized for HIPAA noncompliance for not safeguarding medical devices. As a case in point, see the 2015 settlement and corrective action plan (CAP) for Lahey Hospital and Medical Center (formerly Lahey Clinic) following its 2011 breach of PHI: a laptop attached to a computerized tomography (CT) scanner, a medical device, was stolen from an unlocked treatment room, and the OCR investigation found additional noncompliance with HIPAA requirements that should have been in place. Lahey paid $850,000 and carried out the CAP under HHS OCR oversight for two years.
If you have the opportunity and are willing to do so, I recommend you show your hospital and associated physicians this answer. Unsecured devices put patients’ data and privacy at risk, and they put patient safety at risk as well. On top of that, the organization faces steep fines, multi-year corrective action plans, and possibly lawsuits for any resulting damage.
Q: What are some good gifts to protect privacy and secure information?
A: We are so happy you asked! We just updated our free “Privacy and Security Gifts” guide. You can see it here.
Q: I enjoy reading your monthly newsletter. You recommended in the October issue to use password managers where the data is maintained locally rather than in the cloud. Please let me know if you have any that you like.
Thanks, Bill.
A: We like the following password managers that can keep the vault on your own device rather than in the vendor’s cloud, shown in alphabetical order. Each has some capabilities the others do not, so we leave it to you to decide which matter most for your personal (and business, as applicable) use. NOTE: We have never done work for any of these businesses, and we did not notify them ahead of publication that we were including them in our list.
- 1Password: Good for individuals, family/friends, and work. Security built in, and private settings by default. Runs on Android, Mac, Windows, Linux, or iOS. One caveat for Bill’s “local, not cloud” requirement: current versions (1Password 8) require a 1Password account and keep the vault on 1Password’s servers, end-to-end encrypted with a key derived from your account password and Secret Key; the older standalone local-vault option is no longer offered. 1Password uses Okta internally and recently experienced a security incident through that vendor, but per their own reporting, no user data was compromised.
- Enpass: Good for individuals, family/friends, and work. Runs on Android, Mac, Windows, Linux, or iOS. The vault is stored locally by default; syncing, if you want it, goes through a cloud storage account you control rather than through Enpass. Multiple storage vaults, and templates for over 80 categories of items.
- Passwarden: Good for individuals, family/friends, and work. Strong encryption plus many other security features. Runs on Android, Mac, Windows, or iOS.
Do you like a different offline password manager not listed above? Let us know which one, and why you like it!
Q: What are the risks with Google and Apple passkeys?
A: Over the past several months there have been more and more headlines heralding “passwordless authentication,” and most of them are talking about passkeys. Passkeys come from the Fast Identity Online (FIDO) Alliance and the W3C WebAuthn standard, and they replace the user ID (usually an email address) and password typed into a login form. Why? To make it much harder for cybercrooks to steal authentication credentials and ultimately get into people’s accounts.
Simplistically, a passkey is a pair of cryptographic keys your device generates for one specific website or app: a public key and a private key. The site stores your public key; the private key stays on your device. When you log in, the site sends your device a fresh random challenge, your device unlocks the private key (with your fingerprint, face, or device PIN) and signs the challenge together with the site’s identity, and the site checks that signature against the public key it stored. Nothing secret crosses the network, and a separate key pair is generated for every site, so a breach at one site gives an attacker nothing to use at another.
Some key points about the security of passkeys:
- No shared secret is transmitted, and none is stored on the server, so a password-style database breach yields nothing an attacker can log in with
- A fingerprint, face, or other biometric, or the device PIN/passcode, unlocks the key on the device; the biometric itself never leaves the device
- Someone who steals the device cannot use the passkey without also getting past that unlock
- The signature is bound to the genuine site’s domain, so a look-alike phishing domain cannot obtain a usable signature, and there is nothing for a user to be tricked into “typing” into a fake page
- Each login uses a fresh challenge, so a captured signature cannot be replayed
- A new passkey can be easily and securely created for a new device
These are a few of the characteristics that make passkeys strong, phishing-resistant, and easy-to-use authentication credentials.
Now for the risks your question asked about. Apple and Google passkeys are “synced” passkeys: the private keys are backed up, end-to-end encrypted, to iCloud Keychain or Google Password Manager so that they follow you across devices and survive a lost phone. That convenience means the security of every passkey you hold rests on the security of that Apple or Google account and its account-recovery process. Protect that account with strong multi-factor authentication, review which devices are signed in to it, and treat account-recovery prompts (a frequent target of social engineering) with the same suspicion you would give a phishing email. Also remember that many sites still keep a password or email-reset path alongside the passkey, so the account is only as strong as its weakest remaining login method.
Here is a good article about passkeys with more details.
FYI, the 1Password and Enpass password managers listed above, and some others, can store and use passkeys on mobile devices as well as in desktop browsers.
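The challenge-response flow described above, reduced to a runnable model. This is an added example written for this issue, not code from the FIDO Alliance, Apple, Google, or any password manager: the authenticator is a struct holding P-256 private keys keyed by site, the relying party is a struct holding only public keys, and the biometric/PIN unlock is a boolean. A real WebAuthn assertion also covers a client-data hash, flags and a signature counter, and it is the browser, not the site, that reports the origin to the authenticator; those details are omitted here. The site names (“bank.example”, “bank-example.com”) and the user “alice” are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrUserVerification: the device will not sign until the user unlocks it
// (biometric or device PIN on a real device; a boolean in this model).
var ErrUserVerification = errors.New("user verification required")

// ErrNoCredential: the device holds no passkey for the origin the browser
// reported, which is exactly what happens on a look-alike phishing domain.
var ErrNoCredential = errors.New("no passkey registered for this origin")

// Authenticator models the user's device. Private keys never leave it.
type Authenticator struct {
	unlocked bool
	keys     map[string]*ecdsa.PrivateKey // rpID (site) -> private key
}

// RelyingParty models a website. It stores only public keys, so a dump of
// this map gives an attacker nothing that can be presented at login.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> public key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

// Register: the device generates a fresh P-256 key pair for this one site
// and hands the site the public half. One key pair per site, so nothing
// links the user's accounts across sites.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}

// Challenge: a fresh random nonce per login attempt, so a captured
// signature cannot be replayed later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage binds the challenge to the site identity, so a signature
// is only ever valid for the rpID the device registered with.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Unlock / Lock stand in for the biometric or PIN check on the device.
func (a *Authenticator) Unlock() { a.unlocked = true }
func (a *Authenticator) Lock()   { a.unlocked = false }

// Assert: the browser tells the device which origin is asking. The device
// requires user verification, looks up a passkey for that exact origin,
// and signs origin||challenge with the matching private key.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, ErrUserVerification
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, ErrNoCredential
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, challenge))
}

// Verify: the site checks the signature with the public key it stored.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	bank := NewRelyingParty("bank.example") // made-up site
	device := NewAuthenticator()
	if err := device.Register(bank, "alice"); err != nil {
		panic(err)
	}

	// Normal login: challenge -> user unlocks device -> signature -> verified.
	ch, _ := bank.Challenge()
	device.Unlock()
	sig, _ := device.Assert("bank.example", ch)
	fmt.Println("genuine login verified:", bank.Verify("alice", ch, sig))

	// Replay: the same signature fails against the next challenge.
	ch2, _ := bank.Challenge()
	fmt.Println("replayed signature accepted:", bank.Verify("alice", ch2, sig))

	// Phishing: a look-alike domain asks for a signature. The device has no
	// passkey for that origin, so it refuses and nothing is leaked.
	_, err := device.Assert("bank-example.com", ch)
	fmt.Println("phishing site got a signature:", err == nil)

	// Stolen device without the user's biometric / PIN: no signature.
	device.Lock()
	_, err = device.Assert("bank.example", ch)
	fmt.Println("locked device signed:", err == nil)
}
```

Running it prints the four outcomes: the genuine login verifies, the replayed signature fails because the challenge changed, the look-alike domain gets no signature because the device holds no passkey for that origin, and the locked device refuses to sign at all. Note what the relying party holds: if its pubs map were dumped in a breach, an attacker would have public keys only and nothing to present at login.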
Q: Is Zelle a secure payment app? -M
A: Zelle is a peer-to-peer (P2P) money transfer service that moves money directly between U.S. bank accounts. Hundreds of banks and credit unions offer it, either inside their own banking apps or through the Zelle website and the Zelle iOS and Android apps. The Zelle technology has security capabilities built in (e.g., multi-factor authentication through your bank, encryption in transit). The technology is generally secure. The privacy options are also better than alternatives such as Venmo and Cash App: there is no public transaction feed, so less of your personal data is exposed to other users, and therefore to cybercrooks. However, Zelle transfers are near-instant and irreversible, and anyone with a bank account is a potential user, so Zelle users are favorite targets of cybercrooks using social engineering (fake “bank fraud department” calls, “you were overpaid, send back the difference” messages, and the like). And, unlike a credit card, where federal law caps your liability for fraudulent charges, a payment you were tricked into sending yourself is generally treated as your loss: Regulation E requires your bank to reimburse unauthorized transfers made without your involvement, but a scam payment you authorized is not “unauthorized” in that sense and is usually not refunded. On the other hand, Zelle provides more information and awareness messaging to its customers than its competitors do.
Overall, we consider Zelle an acceptably secure payment solution, more secure than most of its competitors. But Zelle users need to stay alert to social engineering: your bank will never call and ask you to send money to “protect” it or to “verify” your account, and a Zelle payment should only ever go to someone you know and trust.
If you have had a different experience with Zelle, or think a different payment app has better security and privacy, please let us know.
Q: I live in a very rural area, in a small town (around 350 population), with the closest doctor two hours away. She makes visits to our town one-two days per month. My teen daughter and I are going through some health problems, and our doctor recommended a specialist who can provide telehealth appointments. We have a laptop computer, and fairly decent internet connections through Viasat satellite service that was set up for our town residents to use. We love our neighbors, but we do not want our healthcare activities to be known by them! How should we secure our connection?
A: I was born and raised in a very rural area, and also lived 40 minutes from the city throughout most of my adult life. I can definitely relate to your situation, although your trek to town is significantly longer than mine was. It is great to hear your town installed satellite internet connectivity.
In October, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published some informative documents that explain to patients the privacy and security risks to their protected health information (PHI) when using telehealth services, and ways to reduce those risks. Please read them, and take the associated actions, well before your first telehealth appointment:
- See Telehealth Privacy and Security Tips for Patients here.
- See the Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth here. Even though this is meant for your doctors and nurses, it will also be helpful for you to use to ask your specialist whether she is following the practices described.
- Another document, Telehealth Privacy for Patients, also published by the HHS OCR before the previous two, has some great additional telehealth security and privacy advice. You can see it here.
A few specifics for your setup. Telehealth platforms encrypt the video session (TLS) between your laptop and the provider’s service, so a neighbor sharing the town’s satellite link cannot watch or listen in; if the town’s connection is a shared local network, what someone on it could potentially see is which service you connected to and when, not what was said. Connect from home rather than from a shared computer or public Wi-Fi in town; keep the laptop’s operating system, browser and telehealth app updated; use a separate, password-protected user account on the laptop for you and your daughter; and use headphones and a closed door for the appointment itself. If you want to hide even which service you are using, a reputable VPN on the laptop will do that.
I recently wrote an article for IEEE that was published in Dark Reading, A Cybersecurity Framework for Mitigating Risks to Satellite Systems. Read it to see some satellite cybersecurity risks. Consider using it to check on the security of your town’s satellite internet connectivity.
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers and from listeners of Rebecca’s podcast/radio show; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, typically one the suggester feels deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- David Nield at Wired magazine for the article, How to Tell When Your Phone Will Stop Getting Security Updates and the EndOfLife site. Per the article, “For Google and Samsung, security updates are provided for five years, while Fairphone is promising at least eight for the Fairphone 5, and possibly as many as 10. Apple doesn't have a fixed approach but tends to issue security updates for a year or two after software updates have finished—after seven years, Apple products are declared obsolete.” This matters: a device that no longer receives security updates stays exposed to every vulnerability disclosed after that date, and attackers know which models those are. Bookmark the EndOfLife site.
- US Cybersecurity & Infrastructure Security Agency (CISA) for their new website Secure Our World. It provides a wide range of tips and instructions for securing yourself, your family, friends and business, and also for how manufacturers need to build security into their computing and storage products.
- The many organizations that published a wide range of messages, tips, and activities during October for Cybersecurity Awareness Month! Many readers indicated that they customized and used our suggestions from the October Tips. We also received many examples. Here are a couple of them. Did any of you get Cybersecurity Awareness Month messages from other organizations?
  - Target RedCard. Tips reader Hal sent us the message he received this month. Here’s a screenshot of an excerpt.
  - SoFi. Tips reader Rebecca sent us this screenshot from a message she received this month, which she said she acted upon.
- The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), for the resource documents they published to help explain to patients the privacy and security risks to their protected health information (PHI) when using telehealth services and ways to reduce those risks. See Telehealth Privacy and Security Tips for Patients here, and Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth here.
- United States Postal Inspection Service. Smishing (phishing by text message) is increasing, and the fake package-delivery texts are very believable. The USPIS posted guidance on recognizing these scams, which are used to commit fraud. See “Smishing: Package Tracking Text Scams.” Remember that USPS does not send tracking texts you did not sign up for; check a package’s status by typing usps.com into your browser yourself, never by tapping a link in a text.
- Members of NextDoor, and other social media sites, who share scam messages with other members to raise their awareness. See the screenshot of the original post below. It prompted a long conversation in the comments about these types of cyber scams. We love seeing organic awareness-raising conversations!
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.
Check It Out!
We have received excellent feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” It includes more direct-experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and certificates of completion than other vendors’ courses. Similar feedback has come in for our “HIPAA Basics for Covered Entities 2023 Edition” course. The real-life experiences and the many supplemental materials within the courses are updated as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only for learning, but also to keep up with regulatory changes, and even to store their organizations’ security and privacy policies. Please check them out!
Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. Have questions about our education offerings? Contact us!
Where to Find the Privacy Professor
Rebecca’s Radio Show
If you haven't checked out Rebecca’s radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss many real-world topics within the data security and privacy realm.
Latest Episode
First aired October 7, 2023
Dr. John Johnson
The History, Mystery, and Rise of AI at CornCon!
Dr. Johnson describes why he created the wildly popular cybersecurity conference, first held in 2015 in Davenport, Iowa on the banks of the Mississippi River. He also describes the goals for the conference and how it differs from others in offering a children’s hacking bootcamp and a hacking contest for teens, along with two days of sessions and activities for professionals.
Something New Headed Your Way...
To make some time for several new courses, I am pausing my podcasts until May 2024. However, I have been asked to continue with some type of online communication. I’ve decided, starting in December, to create some short (a few minutes), weekly or bi-weekly videos about various security and privacy topics that we will post to our website, and to LinkedIn and Facebook. More about those in our December Tips!
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. November 2023 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.