Covid. Vaccines. Privacy.

We definitely live in interesting times.

The virus is surging and at the same time morphing.

Two different vaccines have been approved for emergency use. More are on the way.

The country is discovering that actually getting vaccines in people’s arms is harder than talking about it.

AND, there is talk of you having to install an app on your phone to prove that you have been vaccinated in order to get on a plane, enter some venues or visit some countries. Which vaccine. How many doses. What dates.

The makers of these apps promise that your data is secure.

Maybe it is safe. To be honest, I don’t know.

Unlocking your phone and giving it to some stranger in a foreign country to prove you have been vaccinated doesn’t seem like a great strategy to me.

The process works by generating a QR code and displaying it. Maybe that can be done with the phone still locked.

And of course, everyone has their own smartphone. Everywhere in the world. Including your grandma.

Of course, there are going to be multiple apps. I am sure they will all be compatible. And certainly no one is going to say that they only accept app ‘X’ and not the one that you already have installed.

Finally, I am sure that there won’t be a black market for fake credentials and all of the apps will be hacker proof.

I wonder if there is going to be a service that you can pay for to fake whatever QR code you want.

Granted this qualifies as a “first world problem”, but we will watch what happens and report back over the next several months. Credit: CNN

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if they have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese controlled data centers. It talks about how China has constructed its laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

HHS Proposes Changes to HIPAA Privacy Rule

As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.

The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.

The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.

The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.

Among the changes they propose are:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.

The goal, they say, is to allow your doctor to disclose your personal health information to the authorities (like social services), community based organizations (whatever they are) and other similar third party providers without having to ask your permission.

Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.

But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?

There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.

You can probably figure out what I think of these changes. Credit: Health Care IT News

After a Cyber Attack the Details Matter

So you have been hacked and the hackers stole your customers’ data. You try to do the right thing and notify them. By email. Because that might be the only address you have for them.

But many times that email never makes it to your customer. Blocked by the customer’s email service provider or spam filter.

Are YOU now liable for failing to notify your customer? Ouch!

Bulk emails will be treated with suspicion even if they do get delivered to your customer’s inbox, so what should you do?

Even if the customer no longer uses your product, has unsubscribed from your email list or has black holed your company’s emails, you still need to notify them.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) last week released best practices recommendations for sender organizations on securely delivering mandated emails. You need to read this; it is a real page turner.

The number one thing to do is to plan in advance. Equifax tried doing it the other way and it was a disaster.

Some of their tips include making sure that you have all of the email security features (SPF, DMARC, DKIM) enabled.

Send it from a trusted domain. Equifax created a new domain for the breach. New equates to malicious in email filters’ minds – especially if that new domain is sending out boatloads of emails – all of which go in the garbage.

Make it obvious in the subject line that this is not a piece of marketing email.

Keep the body as simple as possible with no marketing links.
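As an added example (not from the original post or from M3AAWG), here is a pre-flight check a sender could run before a mandated notification goes out: given the TXT records published for the sending domain, it verifies the SPF, DKIM and DMARC pieces the tips above say to have in place. The DNS answers are a constructed in-memory table so it runs offline; the domain names and the selector `s1` are assumptions.

```python
"""Pre-flight DNS check for a breach-notification sender domain (added example)."""

# Constructed sample zone standing in for what a resolver would return for
# TXT lookups. The second domain mimics a freshly registered "breach" domain
# with no DMARC, no DKIM key and a permissive SPF.
SAMPLE_TXT = {
    "notify.example.com": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.notify.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@notify.example.com"],
    "s1._domainkey.notify.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBg...PLACEHOLDER"],
    "breach-news.example": ["v=spf1 +all"],
}

def get_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a TXT lookup; swap in a real resolver in production."""
    return zone.get(name, [])

def check_spf(domain, zone=SAMPLE_TXT):
    recs = [r for r in get_txt(domain, zone) if r.startswith("v=spf1")]
    if len(recs) != 1:
        return False, "expected exactly one v=spf1 record, found %d" % len(recs)
    last = recs[0].split()[-1]
    if last in ("+all", "all"):
        return False, "SPF ends with +all, which authorizes every sender"
    if last not in ("-all", "~all"):
        return False, "SPF has no terminating all mechanism"
    return True, "ok"

def check_dmarc(domain, zone=SAMPLE_TXT):
    recs = [r for r in get_txt("_dmarc." + domain, zone) if r.startswith("v=DMARC1")]
    if not recs:
        return False, "no DMARC record"
    # Tags are "key=value" pairs separated by semicolons.
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    if tags.get("p") not in ("quarantine", "reject"):
        return False, "DMARC policy is %r; receivers treat p=none as unenforced" % tags.get("p")
    return True, "ok"

def check_dkim(domain, selector, zone=SAMPLE_TXT):
    recs = get_txt("%s._domainkey.%s" % (selector, domain), zone)
    if not any(r.startswith("v=DKIM1") and "p=" in r for r in recs):
        return False, "no DKIM public key published at selector %s" % selector
    return True, "ok"

def preflight(domain, selector, zone=SAMPLE_TXT):
    """Return {check: (passed, reason)} for the three controls."""
    return {"spf": check_spf(domain, zone),
            "dmarc": check_dmarc(domain, zone),
            "dkim": check_dkim(domain, selector, zone)}
```

Anything that fails here should be fixed before the first notification is sent, since a record added after the mail has gone out does nothing for the copies already sitting in spam folders.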

These are just some of their recommendations. Your compliance or legal team needs to be well versed in the do’s and don’ts.

If you do not already have a plan, now is the time to create one.