HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on its HIPAA compliance process.  The article was not favorable, but it was interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because Amazon is neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA-type information on behalf of one or more covered entities.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iPhones, Android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers, and lawyers rarely understand tech, often don’t understand privacy, and think that your healthcare data is protected under HIPAA.  It is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.


Complying with GDPR and California’s CCPA – Step 3

For those companies who have customers in California – independent of where the company is located – or are doing business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirements to delete data, stop processing data and provide a copy of the data that you have, in a machine-readable format if possible, if the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored, for example, could include on web servers, on internal servers, on workstations and at cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.
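As an added illustration (not code from the original post), here is a minimal data-flow map of the kind step 3 calls for, with functions that work out which internal stores and vendors must act on a delete or export request. The store names, locations, fields and sample records are all constructed for the example.

```python
# Added example: a toy data-flow map used to answer "where does this user's
# data end up?" so that delete / stop-processing / export requests can be
# routed and documented. All store names, fields and records are constructed.
from collections import deque
import json

# Each store records where it lives, which personal-data fields it holds and
# which stores it forwards data to (the flow between systems and vendors).
DATA_MAP = {
    "web_server":       {"location": "dmz",      "fields": ["email", "ip"],
                         "forwards_to": ["crm", "analytics_vendor"]},
    "crm":              {"location": "internal", "fields": ["email", "name", "phone"],
                         "forwards_to": ["email_vendor", "backup_bucket"]},
    "analytics_vendor": {"location": "vendor",   "fields": ["ip", "page_views"],
                         "forwards_to": []},
    "email_vendor":     {"location": "vendor",   "fields": ["email", "name"],
                         "forwards_to": []},
    "backup_bucket":    {"location": "cloud",    "fields": ["email", "name", "phone"],
                         "forwards_to": []},
    "hr_system":        {"location": "internal", "fields": ["ssn"],
                         "forwards_to": []},   # never receives customer data
}

def stores_reached(data_map, entry_point):
    """Breadth-first walk of the flow graph from the system the data entered."""
    seen, queue = [], deque([entry_point])
    while queue:
        store = queue.popleft()
        if store in seen:
            continue
        seen.append(store)
        queue.extend(data_map[store]["forwards_to"])
    return seen

def request_plan(data_map, entry_point, request_type):
    """One documented action per store that holds the subject's data.
    Vendors get a written request; internal and cloud stores get an internal task."""
    plan = []
    for store in stores_reached(data_map, entry_point):
        info = data_map[store]
        action = "send vendor request" if info["location"] == "vendor" else "internal action"
        plan.append({"store": store, "location": info["location"], "request": request_type,
                     "fields": list(info["fields"]), "action": action})
    return plan

def export_copy(data_map, entry_point, records):
    """Machine-readable (JSON) copy of what every reached store holds for one subject.
    `records` maps store name -> {field: value} as pulled from each store; a field the
    map says a store holds but the pull did not return shows up as null."""
    out = {store: {f: records.get(store, {}).get(f) for f in data_map[store]["fields"]}
           for store in stores_reached(data_map, entry_point)}
    return json.dumps(out, indent=2, sort_keys=True)
```

The plan list is the record the post says you must keep of what you did and where; stores outside the flow (here `hr_system`) never appear in it.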

If you need assistance with this, please contact us.


Potential Cyber Attack Target: The 2020 Census

Given Russia’s and China’s seemingly insatiable desire to know everything possible about us, it is reasonable that they would try to target the 2020 Census.

Congress has been asking questions about the security of the Census process for the last several years and not getting any answers that they like.  We are getting pretty close to 2020 and still don’t have those comforting answers.

Kevin Smith, Chief Information Officer of the Census Bureau, said last week that they are working with Homeland Security and using tools like encryption to protect the data.

He assured the folks at the meeting that security is the Census’s highest priority.

I would hope that accuracy is important too, but maybe not.

Critics of the Census Bureau’s work at the House Oversight Committee and former national security officials are less than persuaded.  In fact they are not convinced that the Census Bureau has implemented even basic cyber security practices.

Given the government’s track record when it comes to cyber security, that could be hard to argue with.

Just think about how well Russia could target citizens in the next election after the Census if they have all of the Census data.

Smith said that he didn’t want to say what they were doing because that would help the adversaries.  True enough.  But he also didn’t say that they had hired hackers from, say, another government agency like the NSA to try and hack in.  Or red team hackers from industry either.

Basically it is give us all of your data and trust us.

For people who are less than confident of the government’s ability to keep anything secret – think F-35, Sea Dragon, Office of Personnel Management and a host of other leaks – it is hard to argue with them.

Oh, yeah, while Smith is trying to convince us that all is good, they actually haven’t finished writing the software yet, so it is kind of hard to test something that isn’t written yet.  Hopefully they will get it finished before they have to use it.  When was the last time you saw a government project finished on time?  Actually, I can’t think of one.

But not to worry;  I am sure the White House has a plan.

Congress is less convinced.

And you should be less convinced as well.

Information for this post came from Cybersecurity 202.


Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware-laced CDs in the mail, the hope being that someone is curious enough to put one in their computer and infect it.  This is a variant of an older ploy that is still common: dropping malware-infected flash drives in areas outside businesses, like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is not to do it; hand the media to your information security team to review.  Source: Krebs on Security.

23 and Me Licensed All Customers’ DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customers’ DNA for “research”, whatever that means.  The deal lasts for four years.  I am not sure what happens after four years – do they have to give back everyone’s DNA?  Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share that with the people whose DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up.  Apparently I opted out.  You can also change that option at any time but it is not obvious how to do that.  It is buried in the research tab after you sign in.  I assume that change is not retroactive.  If you didn’t opt out, GSK has a copy of your DNA.  Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Piriform sold CCleaner to security firm Avast a few months ago.  Right after the sale, CCleaner was found to be distributing a malware-laced version of the software.  Over a million copies of the infected software were downloaded, but it only targeted a handful of victims.  That was done by an attacker.

This problem is self-inflicted.  The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer, with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law, GDPR, which could result in a fine of the larger of 20 million Euros or 4% of their global revenue.  They are rethinking the wisdom of doing this and will release a new version of the software.  Real soon.  Source: ZDNet.

Idaho Inmates Hack Prison-Issued Tablets

Prisons in Idaho issue inmates specially locked-down tablets to send emails to loved ones and for other limited functions.  Some of those functions cost money, and that is where the rub comes in.  The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks.  Now JPay is trying to get their money back.  At least it is not taxpayer money.  Source: TechCrunch.

The Hidden Landmine When Buying (or Even Renting) a Home

All of us are used to using the Internet, right?

What if you moved into your new home and after you paid for it and moved in you found out there was no Internet service available?

One business in New York was told that Charter Communications, the local cable provider, would be happy to connect them.  The only problem was that the business needed to pay Charter $138,000 first.  Charter, being a nice company, offered to pay $5,000 towards that, so the company would only owe them $133,000 and change.

This story is repeated over and over across the country.

People are often told by the local Internet Service Provider that they can get service only to find out when they actually try that it is not available.

I am going to use my personal situation to illustrate the case.

I live about 30 minutes from downtown Denver, Colorado.

Where I live there is no cable at all, so cable Internet is not an option.

The phone company offers DSL at the WHOPPING speed of one and a half megabits per second.  Not 1.5 gigabits, 1.5 megabits.  Under FCC rules, that doesn’t even qualify as broadband Internet.

The only problem is that there is no available capacity, and the phone company has no plans to add capacity.

Worse yet, if you are one of the super lucky folks to have this speedy service and you sell your house, the person who buys it doesn’t get your connection.  The connection goes back into inventory and you, the new buyer, go to the end of the list.  You may get Internet in a few years; hope you can wait.

There is also no cell service where I live, so no cell calls, no text messages, no cellular Internet.  The cell companies all offer a little box called a femto cell that simulates a cell tower to give you service.  Works great, actually, as long as you have some other form of Internet connection to carry the signal from your house back to the cell carrier.

Granted, I live in a sort of rural area about 25 miles from downtown Denver, but the guy who was presented with the $133,000 bill – he was in New York City.

And sometimes, if you CAN get service, the wait time for a connection can be 6 months to a year.

That leaves you (or me) with two options:

1. Satellite Internet.

Satellite Internet is a horrible last resort.  You basically pay by the bit and if you go over your limit, they slow down your service to a crawl or shut you down.  Worse yet, many things like Internet telephones (VoIP), VPNs for connecting to your business and those cell extenders do not work on satellite Internet.

So, while they are horribly expensive, slow and don’t work for many things, they are pretty much universally available as long as you have a clear view of the sky.

2. Point to Point Microwave.

That is what I have.  It used to be horrible, but over the last few years, it has gotten much better.  All my software works and the particular plan that I have has a cap, but it is large and there are other plans that don’t have a cap.  It is however, pretty expensive ($70 a month for only 20 megabits/second – way faster than I had with Qwest, but 1/10 the speed of cable and that includes voice and long distance).

The only problem with P2P microwave is that you have to be within the range of a receiving tower and you have to have a clear line of sight to that tower.

My provider has two towers in the area.  The only one that I have line of sight to will not run faster than 20 megabits/second.  The other tower, which one of my neighbors can see (he is higher up than me), supports 50 megabits/second.  The provider says that it is not likely that I will ever see 50 megabits/second on my tower.

What this means is that Netflix crashes regularly.  I don’t have any little kids who gobble up bandwidth like no one’s business.  If you wind up with service like this, plan on rationing Internet.  Your kids will be thrilled.

So what do you do, especially if the Internet providers are, apparently, bald-faced liars?

Unfortunately, you are not in the driver’s seat.

One thing that you can do is place the order, as opposed to just asking, and see if the order goes through.  Just make sure you can cancel it before the install in case you don’t actually get the house.  The problem with this is that you may not find out that they cannot provide service until the day of installation.  That happened when my son bought his house.  They came out and said, “Oops.  Sorry.”

Another thing to do is to research options.  In many places there are not a lot of options:

  • Cable
  • Phone company
  • Independent Internet providers
  • Point to point microwave
  • Satellite
  • Cell (really bad idea – slow, unreliable and expensive)

See HOW MANY of these options are available and what each one costs, what the limits are and what things that you want to do won’t work.

Make sure that at least 2 or 3 acceptable options, while distasteful, are available.  That way, at least, if you have to resort to option 2 or even option 3, you at least know that you can get something.

Assume that you will not have Internet for a while when you move in.  Maybe a few days; maybe a few weeks; maybe even a few months.  I managed the IT of a business that was much closer to downtown Denver and it took us 6 months to get Internet.  Try running a business for 6 months without Internet.  If that is a problem, plan an alternate.  Unfortunately, the alternate may not be attractive.  Maybe you can work at your office, if one is available.  Whatever.

JUST REMEMBER THAT THE UNITED STATES IS A THIRD WORLD COUNTRY WHEN IT COMES TO INTERNET.  ASSUME THAT.  UNDERSTAND THAT.  PLAN FOR THAT.  Then you will not be disappointed.

Information for this post came from Motherboard.


Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.
