https://privacyguidance.com/blog

$2.5 Million Settlement Against BA As Result of Not Understanding HIPAA Requirements
https://privacyguidance.com/blog/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk/
Tue, 25 Apr 2017
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.

This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

Overview:

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop had been stolen from a parked vehicle outside the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that:

  1. CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.
  2. CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
  3. The Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf

How to Avoid Common Privacy Notices Mistakes
https://privacyguidance.com/blog/how-to-avoid-common-privacy-notices-mistakes/
Wed, 23 Mar 2016
Most organizations have posted privacy notices on their websites. Great, right? Well, consider that a 2012 study showed the average reader would need 25 days simply to read the privacy policies for all the websites accessed in a year. Website privacy notices are often very poorly written. And that’s not the only problem, as I’ve discovered over the past couple of decades of reviewing privacy notices. In the privacy impact assessments (PIAs) I’ve done in the past year, I’ve found two problems consistent across all of them:

  • The posted privacy notice for each had not been updated in many years
  • No one (literally) within each organization had ever read the privacy notice

I’ve also found that, generally, most organizations do not understand the purpose of a privacy notice, and are very sloppy in how they post and maintain privacy notices on their websites, creating significant liability for their organization. Many post a privacy notice once and then never update it again. Others post something they can point to as marketing spin, to give the impression that they care about privacy, when in fact they have not done anything they promised.

Here are some privacy notice basics to help organizations better understand how to avoid common privacy notices mistakes.

Purpose of Privacy Notices

A posted privacy notice, also often called a “privacy policy” (I use the term privacy notice, since I typically reserve policy for inward-facing documents that employees follow), is an outward-facing document meant specifically for the individuals whose personal information is being collected: the “data subjects.”

A posted privacy notice is provided to an organization’s data subject audience and should identify:

  • The types of personal information items that are collected
  • How the personal information is used, retained, disclosed and secured
  • The control that the data subjects have over their associated personal information (e.g., specific personal information items that are voluntary to provide, available opt-out options, individual rights of access and correction for associated personal information)

Privacy notices serve two primary purposes:

  • Establish accountability for the organization’s use, sharing and protection of personal information
  • Educate the individuals to whom the personal information applies (the data subjects) about their rights regarding their personal information

Importance of Privacy Notices

A privacy notice establishes legal accountability for the associated organization to follow the practices that are stated, actually promised, in the privacy notice. Every person within the organization that accesses personal information in some way needs to know, understand and follow the promises made within the privacy notice.

The organization must ensure that every type of computing and digital storage device is configured and used in ways that also support compliance with the privacy notice. This includes the increasingly common Internet of Things (IoT) devices whose use involves access to the organization’s personal information.

Regulators, auditors, lawyers, and other organizations will judge your privacy program against your organization’s practices, and how your managers support them, as they relate to the privacy notice. Here are a few areas where organizations often violate their own posted privacy notice:

  • Lack of accurate details in the privacy notice about the personal information and sensitive information that is being collected, shared, retained and processed
  • Lack of information about the purpose(s) for collecting personal information
  • Lack of a description of the entities to whom, and the jurisdictions and geographical locations to which, the personal information might be disclosed or transferred
  • Lack of information on how to contact the area responsible for privacy at the organization
  • Failure to provide the privacy notice either before or at the time personal information is collected


Using Non-Customized Privacy Notices

Privacy notices must be tailored to the specific data subject audiences. Two common mistakes I’ve seen organizations make, especially small and mid-size organizations with no position dedicated to privacy and no legal counsel with privacy experience, are:

  • Copying the privacy notice of another organization in their industry and using it verbatim as their own, after simply changing the name of the organization.
  • Generating a privacy notice from a free online privacy notice generator and then immediately posting the result on their website without doing any customization.

It is important to customize privacy notices so that they accurately reflect the organization’s collection, use, sharing and safeguards for personal information. The privacy notice is establishing a legal obligation for the organization, so the organization must fulfill those promises. If the organization cannot do what is within their posted privacy notice, then they have created their own legal liability, which could result in significant fines, penalties and civil actions.

Out of Date Privacy Notice

Throughout my career I’ve seen a large portion of organizations take action to implement security and privacy practices and then, once done, forget about them. For example, in my PIAs and audits I’ve often found organizations with information security policies that had not been updated in over a decade. I’ve found this to be true of posted privacy notices as well.

In three PIAs I performed in 2015, I found one privacy notice last updated in 2008, one in 2006, and another in 2004. They contained references to technologies that are no longer supported or used, to departments that no longer exist, and to phone numbers no longer in service, along with other no-longer-valid statements.

Think about how quickly your business changes in the:

  • Types of personal information collected
  • Ways in which personal information is used and shared
  • Technologies used by all with access to personal information in all forms

When such changes occur, they often will necessitate changes in the posted privacy notice to accurately reflect activities involving personal information. It is important to keep the privacy notice updated and provide an accurate reflection of current practices.

Personnel Not Knowing What the Privacy Notice Says

One of the questions I always ask key stakeholders when doing a PIA is, “Have you ever read your website’s posted privacy notice?” Around 95 to 99 percent of the time, no one has even read the posted privacy notice. Ever. These are people who are responsible for personnel, including those who access personal information in some way.

If you have not read the privacy notice, how can you even claim to be supporting the promises made within it for how personal information is collected, used, shared, and safeguarded? You cannot.

To be able to comply with your own privacy notice, you must actually read, understand, and do business in accordance with the privacy notice promises. Your work activities must support the promises.

Maintain the Privacy Notice

When it comes to privacy notices, be sure to update them appropriately. Some actions you can take to accomplish this:

  • Perform a privacy impact assessment (PIA) for your posted privacy notice to see where you are not in compliance with it, and to determine where changes and updates to the privacy notice are necessary.
  • Assign a position or team the responsibility to review the privacy notice at least once a year, and following major operations and technology changes, and to update the privacy notice appropriately.
  • Ask legal counsel to monitor changes in data protection legal requirements, and notify the assigned team of such changes so they can be considered when determining how to update the privacy notice.

Learn more:

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site dell.com/futureready. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Are Smart Homes Security Dumb?
https://privacyguidance.com/blog/are-smart-homes-security-dumb/
Tue, 08 Mar 2016
There are fascinating and potentially very helpful smart gadgets being introduced every day into the consumer market, particularly to create “smart homes” that make refrigerators, lights, doors, and anything else that can be connected online (so basically anything) Wi-Fi enabled, so that you can control, check on, record, and lock them, to name just a few of the possibilities, from anywhere with a handy dandy app or mobile device.

Wow! This is exciting! We can shut the garage door that we forgot to close when we went to the airport. Nice. Or see that we left one of our children at home alone. Whew; saved from riding in an ice truck with a polka band! Or be alerted when someone is at our door. The age of the Jetsons has almost arrived!

But wait. Those smart home gadgets certainly allow you to do amazing things when you are far away from home, but does that mean that others could also do the same things? Would you want to have someone else controlling your smart locks and entering your house when you are away? Or, have someone viewing your in-home video monitor? Or getting data from those devices and then using it in ways that could harm you or others in your house in some way?

These are important questions to answer. Most smart gadgets do not have security built in. Many that have security controls have not implemented them in a way that is actually secure. Without effective security built in, a device not only puts control of itself at risk, but also brings risks to your safety, depending upon the purpose of the device.

Also consider that smart home devices collect a lot of data. To whom are all those devices sending all that data? Are they entities that you even want to have the data?

Let’s think about these issues as they relate to three types of smart home devices.

The (Not So) Smart Doorbell

Smart doorbells are generally marketed as physical security/safety tools. They connect to the Internet via home Wi-Fi networks and tout the ability to automatically lock doors and send notifications to your smartphone when people approach and hang around your home. Some also come with a video feed and intercom capability to show you who is at your house, and allow you to talk to them, even when you are far away from your house. Brilliant idea! What could be the problem with this nifty safety tool?

Here are some security and privacy questions to ask those smart doorbell vendors:

  • Are those connections to the Internet encrypted?
  • Is authentication required to get access to the doorbell app on your smartphone?
  • How is the password access controlled?
  • Are any of the data or video feeds being sent to and stored in the vendor’s, or their contractors’, cloud servers?
  • What other types of data are being collected from those using the smart doorbells?
  • How are the devices physically secured?

And the list could go on. You may think, why worry about physical security of the devices. But think about it; the tiny computer controlling the gadget is located within it. So, physical access to the gadget could give access to the controls and data.

Vulnerabilities in physical security have already been exploited. One smart doorbell security device was recently reported to be insecure. It attached to the house with two screws. By unscrewing the device and pressing the setup button, anyone could get the password from the configuration URL shown.

The (Not So) Smart Thermostat

Many smart home environment controllers and smart thermostats are coming onto the market. These clever tools give their users the ability to do such things as turning appliances on and off, checking electricity usage throughout the smart home, targeting areas where there may be electricity leaks, and controlling thermostats, just to name a few. Nice! If I’m on a trip to another country, I’d love to have such controls to make it look like someone is in the house. No security or privacy worries about how it works?

That depends upon how the vendors answer security and privacy questions such as these:

  • How is the communication to the Internet secured?
  • Is the data collected from the home and app shared with any third parties? If yes, which ones, and for what purposes?
  • Is any of the data collected published online? If yes, for what purposes?
  • How are the physical controllers within the home secured?

Yes, this list could go on as well. And yes, such a home environment controller has already been reported to have such security and privacy weaknesses. The FTC recently reported results of security testing for a popular smart thermostat. Their research revealed that the thermostat sent location data in clear text, so it could easily be intercepted on public Wi-Fi.

The (Not So) Smart Webcam

I have two children. They are now teens. When they were babies and I was doing business travel, I would have loved being able to look in on them as they slept in their rooms from a remote location. There are now a wide variety of Wi-Fi connected smart webcams that livestream video feeds to websites and/or smartphones, giving anxious parents views into their homes to check on their children, and often on the caregivers they have entrusted with their care. No problems with this, right?

Again security and privacy must be considered. Ask the vendor these questions:

  • Do others have access to the livestream images?
  • Are copies of the videos stored somewhere?
  • Do the webcams all use the same default password?
  • Are passwords encrypted in storage?

Déjà vu, the list could go on. And unsecured webcams have already livestreamed thousands of images of people’s rooms, and those within them, worldwide, often by vigilantes who want to expose the security vulnerabilities within the smart webcams. For example, recently a mother whose three-year-old was always afraid to sleep at night walked by the toddler’s room and heard a man’s voice saying, “Wake up little boy, daddy’s looking for you.” When she walked into the room the monitor lens turned towards her and the voice said, “look someone’s coming into view.” The lack of good security had let strangers enter the room through the baby monitor. Another couple recently found photos of their baby online, which they learned were taken by someone who had gained access to their baby monitor.

Lesson: Truly Smart Gadgets Have Security & Privacy Built In

So, are smart homes privacy dumb? You need to determine this. Before you use smart gadgets, make sure they have the necessary security and privacy controls built in. If you are building smart gadgets, make sure you are building in such controls. At a minimum these controls need to:

  • Require authentication to access the device
  • Not allow authentication bypass to get into the device
  • Require strong passwords
  • Not have hardcoded passwords
  • Encrypt the data
  • Log device changes and other key activities
  • Not have backdoors built in
  • Give the users the ability to set and change security and privacy controls
  • Not store videos, audio or other data to the cloud without first getting consent from the users


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

The Internet of Medical Things: Health Data Privacy
https://privacyguidance.com/blog/the-internet-of-medical-things-health-data-privacy/
Thu, 03 Mar 2016
Note: This was written in early January for part of International Data Privacy Day and Iowa Data Privacy Day activities. It is just now being published due to some unforeseen delays.

Do you have any type of wearable health device, like a fitness tracker? Or maybe an implanted or attached medical device, like an insulin pump or pacemaker? If they connect with apps or other computers through wireless connections, they are most likely collecting and sending huge amounts of data. Have you considered all that data, and how it is secured and who is getting it?

In December I discussed how people truly do care about the security and privacy of their patient data. Since January 28 is International Data Privacy Day, I want to stay on this general topic, but turn the focus to all those wireless health devices that are emerging in the Internet of Things (IoT) more quickly than anyone can keep up with.

Explosion of endless numbers of health devices

So how many health and medical devices are there? The numbers are increasing so quickly it is impossible to provide an accurate number; by the time this is published that number will be much larger. But here are some facts to give you a good idea of the vast numbers and types that are currently being used:

I created the infographic shown in Figure 1 to provide examples of the many types of devices collecting and sharing a wide range of health data, and to show how this data is shared with others, who then continue to share it with yet more entities, mostly unknown to the individuals the data is about.


Figure 1 – Who Has Your Health Data?

Great potential for both benefits and harms

The potential for improving health through the use of IoT devices is unlimited. I fully recognize that, and am also excited about the possibilities! However, along with this excitement is justified concern. I want the security and privacy risks addressed.

I’ve heard many medical device makers, and makers of other types of personal health IoT devices, make comments indicating they do not build in security and privacy controls for a variety of common reasons. Here are the ones I’ve heard most often, in no particular order.

  • “People aren’t concerned about privacy so there is no reason to waste money building in privacy controls.”
  • “No one wants to target wearables and medical devices; there is no motivation because the data is not worth anything to anyone but the persons using the devices.”
  • “The cost of security controls, such as encryption and authentication mechanisms, would make the costs of the devices prohibitively high.”
  • “We will never spend money to build security or privacy controls into devices unless compelled by laws to do so; it is not worth the investment of cost and time resources to do so of our own free will.”

Device creators and vendors must understand that there are definitely risks that must be mitigated.

Health devices have privacy risks

A significant problem with health and medical devices is that, for the most part, they lack sufficient security controls, and most don’t have any privacy controls. Since search tools such as Shodan can be used to find wireless devices, it is easy for those who are motivated to use such tools to locate devices and then exploit their security vulnerabilities. It is common knowledge in the technology and hacker community that a large portion of medical devices are running versions of SSL that have the Heartbleed flaw, increasing the appeal of these devices as hacking targets.

The vulnerabilities of medical devices have been demonstrated many times. Here are a couple of examples that illustrate how vulnerable medical devices are.

Insulin Pumps and Continuous Glucose Meters

Jerome Radcliffe detailed how he hacked a continuous glucose meter, similar to the one shown in Figure 2, and a wireless insulin pump, such as the one shown in Figure 3, and changed the dosage settings. Think about the fatal results that could occur from changing the settings of medical devices that people depend upon to support life functions. No wonder Dick Cheney had the wireless communications disabled in his pacemaker in 2007.

Figure 2 – Continuous Glucose Meter

Figure 3 – Insulin Pump

Pacemakers

Shelby Kobes did research on medical devices for his graduate work, and now puts that research into practice through his business, which helps hospitals secure all their medical devices. As part of his graduate work he purchased a Medtronic 2090, shown in Figure 4, off eBay for US $200. A Medtronic 2090 communicates with a pacemaker using a programming head and magnet. Among other things, he discovered that the device had:

  • An unencrypted hard drive
  • No password protection
  • A simple deletion process that allowed deleted data to be retrieved
  • Data from over 50 patients that was still active on the device
  • Medtronic representative contact information that could be used to social-engineer hospitals

Figure 4 – Medtronic 2090

Here are the specific data items found on the device:

  • Patient names
  • Hospital names
  • Doctor names
  • Serial numbers of pacemakers
  • Hospital visit dates
  • Patient ID
  • Doctor phone numbers
  • Software version
  • Battery life
  • Telemetry status
  • Last doctor appointment
  • Episodes
  • Pacemaker model
  • Age
  • Social Security Number
  • Birth date
  • Implanted date
  • Note field where any type of information could be entered

Think about Health Data Privacy for Data Privacy Day

Obviously there is much to consider when looking at the security and privacy of the growing numbers of smart gadgets that collect any type of health data. If you use these devices, at work or elsewhere, or have friends or family that do, health data privacy would be a great topic for you to ponder throughout this month and especially on Data Privacy Day, January 28.

If your organization is considering providing, or already provides, these devices to employees, this is definitely a topic you need to know about. And it is highly likely your organization is, or soon will be, providing such gadgets to your employees, given that increasing numbers of employers are providing a wide variety of such health devices to their employees as part of their benefits and wellness programs, and even to pregnant workers to help them identify health issues.

Want to Know More?

I will be giving a webinar, “The Internet of Medical Things: 2016, The Year Ahead” on January 21 to discuss in more detail the topic of devices that collect, store and transmit a wide variety of health data. Join me if you are intrigued and/or alarmed by this topic to learn what needs to be done to secure all these many devices.

For more information about health and medical device security and privacy see:


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Data Predictions: Looking Ahead to 2016
https://privacyguidance.com/blog/data-predictions-looking-ahead-to-2016/
Wed, 13 Jan 2016
In November, some of my friends contacted me, saying they thought I did a pretty good job with my 2015 predictions, and wanted to know what I am predicting for 2016. So here are some good possibilities for the year to come, along with a rewind to see how close I hit the 2015 predictions.

1. The HHS (Department of Health and Human Services) and many State Attorneys General will apply HIPAA fines

The Omnibus Rule gave all State Attorneys General the power to enforce HIPAA. Some states were proactive and took legal actions against organizations prior to the Omnibus Rule going into effect. Here are a few of their many enforcement actions to date:

  1. November 6, 2015: The Connecticut attorney general applied a $90,000 fine and required a corrective action plan on both a hospital system and one of its business associates.
  2. February 2014: The California attorney general fined a health insurer $150,000.
  3. January 7, 2013: The Massachusetts attorney general applied a $140,000 fine against a medical billing practice and four pathology groups.
  4. May 24, 2012: The Massachusetts attorney general applied a $750,000 fine against a hospital and required them to implement a corrective action plan.
  5. July 31, 2012: The Minnesota attorney general applied a $2.5 million fine against a business associate to many healthcare providers and required them to leave the state.

Predictions:

  • At least five HIPAA sanctions will be applied by State Attorneys General in 2016.
  • More sanctions will also be applied in 2016 by the Office for Civil Rights (OCR), the HHS agency responsible for HIPAA oversight and enforcement, than were applied in 2015.

2. Efforts to weaken encryption will fail

The current reasons being given by lawmakers and law enforcement for weakening encryption so they can access data are noble: to prevent terrorist attacks. However, the reasoning behind weakening encryption is hugely flawed. Based upon their many statements, the lawmakers and law enforcement agencies asking for these backdoors do not appear to have a good understanding of technology or of how encryption works. And too many politicians are calling encryption “a problem” even though they have not looked at all the other data and technologies that they could be using but, to date, have not.

This year there have been more calls by law enforcement and lawmakers to weaken encryption than I’ve seen in the past 22 years, since the Clipper Chip was being pushed so hard. It ultimately failed because it was simply a very bad idea that significantly weakened the security of data and infringed upon privacy.

Prediction:

The push to weaken encryption by a vocal subset of lawmakers and law enforcement will continue to build during the first half of 2016. Technology experts will coalesce midyear to mount a concerted effort to get lawmakers and politicians to FINALLY better understand encryption technology. Lawmakers will also come to better understand that encryption is available from many locations around the world (where terrorists will get it if they cannot use encryption from the U.S.), and that many other data sources are available to use without weakening encryption. Those of us in the tech industry trying in every way possible to get lawmakers and law enforcement to understand how encryption technologies work will ultimately be successful in keeping encryption strong, but it will take great effort. This effort must be successful. The alternative would be disastrous: it would lead not only to more breaches because of the weakened encryption, but also to consumers going to overseas organizations to obtain strong encryption, potentially putting many tech organizations out of business.

3. Explosion of more health data will create significant new privacy risks and breaches

It seems everyone is jumping on the smart gadget bandwagon. And a huge number of those smart devices are collecting one or more types of health data. Since most of those devices were purchased by the consumers who are actually using them, and not at the direction of healthcare providers as a prescription to support healthcare treatment, they are generally not bound by HIPAA requirements for security and privacy. So, it is pretty much a free-for-all with regard to these devices collecting all types of health data, and doing with it whatever the vendors want. And most consumers allow vendors to collect their data because they just assume that the vendor is appropriately securing it; why wouldn’t they, given all the ongoing reported breaches, right? However, people care about the security of their patient data. So every type of smart device vendor that collects any type of health data will need to actively and visibly take actions to secure their devices and data to remain a viable business, not only to meet the expectations of their consumers, but also to keep from being forced to by the new laws and regulations that will come if they continue to leave these new gadgets unsecured and without privacy protections.

Prediction:

New types of breaches of health data collected by smart gadgets will occur. But, because that data is currently not regulated or covered by existing state breach notice laws, those impacted will not find out until long after the fact, and likely after crooks, insurance companies, or others have used it in a way that negatively impacts the associated individuals. But when the news breaks, consumers will call for the data collected by these devices to be strongly secured, and the data be used appropriately.

Reflecting on my past predictions

Now that we have finished looking ahead to 2016, let’s do a quick review to see how close I came with my predictions for 2015.

  1. The Internet of Things (IoT) will get some parental oversight

Last year I predicted that rules of some form would be created to guide those creating IoT devices. I nailed it. Here are two examples out of several initiatives currently underway:

I also predicted an IoT privacy breach would occur. It did. In November a huge breach of smart, connected children’s toys exposed the personal data of 12 million individuals, 6.4 million of whom were children. Data included gigabytes worth of headshot photos and chat logs for millions of kids and parents.

  2. Wearable smart devices in particular will get some privacy requirements

Last year I predicted some specific privacy standards and/or guidelines would be created for smart wearables. I nailed it. The Online Trust Alliance, a group representing some of the largest technology and retail firms in the U.S., proposed security and privacy standards for smart wearable devices.

  3. (Mis)use of Big Data analytics will result in a privacy breach

Last year I predicted that by the end of 2015 there would be at least one significant privacy revelation that occurs that will highlight with a jolt the need to build privacy controls within Big Data Analytics (BDA), using yet-to-be-written BDA privacy standards. I nailed it. And it didn’t take until the end of the year; such a hack occurred in July. The hack of the partner-cheating social media site involved obtaining 9.7 gigabytes of big data analytics that could recognize faces, reveal intimate preferences, and so on. The account details and log-ins for 32 million users of the social networking site were also obtained. This data was then posted online to shame those who had used the site.

  4. Explosion of more health data will create significant new privacy risks and breaches

Last year I predicted a significant breach would occur within a health data vault, app or other type of organization collecting vast amounts of health information directly from individuals. I nailed it. In December a security researcher discovered sensitive user health data, including HIV-positive data, of 5,000 individuals was leaking from two health apps for an unknown period of time. So it is not known how many people obtained all this sensitive health data.

Hey; pretty good…five for five! Time will tell how well I did with my 2016 predictions.

Happy New Year!


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Tech Support Call Scams Becoming More Aggressive (https://privacyguidance.com/blog/tech-support-call-scams-becoming-more-aggressive/, Wed, 13 Jan 2016 00:15:38 +0000)

Have you ever gotten an unsolicited call from someone claiming to be a tech support pro who wants to help you with an urgent problem with your computer? Chances are you have. It is estimated that just one type of these many scams has cost U.S. victims $1.5 billion so far in 2015. It is not known how many of these scams are currently active, but with new ones popping up almost every day, I would estimate there are at least hundreds, if not over one thousand, different groups of these crooks launching their own tech support phone scams.

My experiences

I got my first tech support scam call way back in 2005. I first wrote about another scammer with a different scam who called me in 2008. I’ve also had over a dozen of my friends and acquaintances contact me to let me know that they had been called by a tech support phone scammer. Many of their experiences have been unique from what I’ve seen. The types of phone scams that can exist are only limited by the imaginations of the crooks committing them.

I got another call from another tech support scam caller on November 27 of this year (listen to it here; 15:42 minutes). These tech support scam calls have really evolved and are more aggressive and sophisticated in their tactics than ever before. In the past they would not call me again after I hung up on them when they called.

In the past I would also play along with all the crooks’ calls and then hang up right before the point where they would typically infect their victims’ computers. If you listen to my most recent call recording to the end, you’ll know I stayed with them, playing along and doing as they asked, right up to the point where they wanted me to hit enter to give them access to my computer; I then told them I had lost my internet connection. But this time was different, and it points to a trend toward much more aggressive tactics than in the past.

  • The call started with one person who, once I was engaged in conversation, said that she could see (even though she did not have access to my computer yet) that my computer was “so badly infected, and putting everyone else” I communicate with through it at risk that she wanted her manager, “the foremost expert in the world in such computer problems,” to speak with me. And then she transferred me to another person.
  • The tech support scam crooks repeatedly called me, 243 more times through December 9 from fourteen (so far) different phone numbers shown in Figure 1. This is an average of 19 calls per day! This shows how much they want to get into other people’s computers, and how lucrative their crimes are, to be so persistent.

Figure 1: the fourteen phone numbers used by the scam callers (image not reproduced)

  • They were much more aggressive: calling me names when I told them I thought my computer was okay; yelling at me when I said that I would take my computer to the computer repair shop I always use for computer tech support; even threatening me with arrest, or to have people come to my home, if I didn’t let them clean up my computer like “a good cyber citizen.”

Being lured to the tech support site

Another variation of the tech support scam is luring people to a bogus, malicious site. The US Federal Trade Commission (FTC) recently fined ($1.3 million) and shut down some scammers who had stolen over $17 million from their duped victims by luring them to their sites with pop-up alerts telling the victim that malware was on their PC. The ads provided a contact number, and people would be told to call to get rid of the problem. From there they’d be directed to a malicious site and the unsuspecting victim would follow instructions; then nasty malware, ransomware (which I wrote about here), would be downloaded, and they would be charged thousands of dollars to have it removed.

Know the signs of a scammer

Every business, of every size, and every individual is a potential target. Make sure that everyone in the organization can recognize some of the key red flags of a tech support scammer.

Unsolicited calls

If someone, who is not from any organization or vendor that you know you’ve paid to get tech services from, calls out of the blue and tells you that you have malware on your computer and they need to get into it to remove it, they are probably a crook.

Dubious information provided

They will try to sound convincing by telling you to go to your event log viewer, and will sound alarmed and concerned when you tell them the files that you have there; they’ll tell you that those files are all malicious. Don’t believe them. They are logs generated by the many different activities processed by your computer.

All of my calls came from people with very thick non-U.S. accents. I asked the first person who called, whose accent was so thick I had to ask him to repeat what he said several times, for his name. He said his name was Sam Wilson. This name also did not match the location from where he sounded like he came.

Malicious websites

These scammers have been using the same bogus business names when they speak with victims. Here are some of the URLs the scammers try to convince victims to go to:


Keep this list handy. If someone tells you to go to one of these sites, you’ll know you are speaking with a scammer; simply hang up.

Invalid area codes

Scam callers often mask their phone numbers, using invalid phone numbers when they call so they cannot be traced. Figure 2 lists the 575 currently unassigned area codes that phone criminals love to use.

Figure 2: the 575 currently unassigned area codes (image not reproduced)

Of course some phone scammers will use legitimate area codes, but those numbers are comparatively few. As a case in point, only three of the 14 different phone numbers used by the criminals who called me were in area codes that are actually in use.

Keep this list handy. If someone calls using one of these area codes, you’ll know you are speaking with a scammer; simply hang up.
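One way to turn the two signs in this section (a structurally invalid or unassigned calling area code, and a barrage of calls from many different numbers) into a check over a caller-ID log, as an added Python example that is not from the original post; the log line format, the thresholds and the tiny placeholder set of unassigned area codes are constructed assumptions, not the 575-code list from Figure 2.

```python
"""Flag suspicious inbound calls in a caller-ID log (added example, not code
from the original post). Two signals from the post are applied: the calling
number's area code is structurally invalid under the North American Numbering
Plan (NANP) or appears in a list of unassigned codes, and one target is being
called repeatedly from many different numbers."""
import re
from collections import defaultdict
from datetime import datetime

# CONSTRUCTED placeholder entries; the post's Figure 2 (575 unassigned area
# codes) is not reproduced here, so substitute the current NANPA list.
UNASSIGNED_AREA_CODES = {"222", "422"}

LOG_LINE_RE = re.compile(r"^(\S+ \S+)\s+from=(.+?)\s+to=(\S+)$")


def parse_nanp(number: str):
    """Return (npa, nxx, line) for a 10-digit NANP number (punctuation and an
    optional leading country code 1 are stripped), or None otherwise."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits[:3], digits[3:6], digits[6:]


def canonical(number: str) -> str:
    """10-digit form used as a dictionary key (raw digits if unparseable)."""
    parts = parse_nanp(number)
    return "".join(parts) if parts else re.sub(r"\D", "", number)


def area_code_problem(number: str):
    """Explain why a calling number looks bogus, or return None if plausible.
    NANP structure checked: an area code (NPA) is N[0-8]X with N = 2-9, N11
    codes are service codes, N9X is reserved; an exchange (NXX) is N with
    N = 2-9 and is never N11."""
    parts = parse_nanp(number)
    if parts is None:
        return "not a 10-digit NANP number"
    npa, nxx, _ = parts
    if npa[0] in "01":
        return f"area code {npa} cannot start with 0 or 1"
    if npa[1] == "9":
        return f"area code {npa} is in the reserved N9X range"
    if npa[1:] == "11":
        return f"area code {npa} is an N11 service code"
    if nxx[0] in "01" or nxx[1:] == "11":
        return f"exchange {nxx} is not a valid central office code"
    if npa in UNASSIGNED_AREA_CODES:
        return f"area code {npa} is unassigned"
    return None


def analyze_call_log(lines, calls_per_day=3, distinct_callers=3):
    """Parse 'YYYY-MM-DD HH:MM:SS from=<number> to=<number>' records. Returns
    bogus calling numbers (keyed by canonical digits) with the reason, plus
    per-target call pressure; a target is marked 'campaign' when the average
    daily call count and the number of distinct callers both reach the thresholds."""
    bogus = {}
    per_target = defaultdict(list)
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than crash on them
        ts, src, dst = m.groups()
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
        reason = area_code_problem(src)
        if reason:
            bogus[canonical(src)] = reason
        per_target[canonical(dst)].append((day, canonical(src)))
    targets = {}
    for dst, calls in per_target.items():
        days = {d for d, _ in calls}
        sources = {s for _, s in calls}
        rate = len(calls) / len(days)
        targets[dst] = {
            "calls": len(calls),
            "distinct_callers": len(sources),
            "calls_per_day": round(rate, 1),
            "campaign": rate >= calls_per_day and len(sources) >= distinct_callers,
        }
    return {"bogus_numbers": bogus, "targets": targets}


# CONSTRUCTED sample records; none of these are real callers.
SAMPLE_LOG = """\
2015-12-01 09:02:11 from=+1-222-555-0143 to=515-555-0100
2015-12-01 09:40:57 from=1 (901) 555-0177 to=515-555-0100
2015-12-01 10:15:03 from=+1 111-555-0101 to=515-555-0100
2015-12-01 13:22:45 from=222-555-0143 to=515-555-0100
2015-12-01 16:05:00 from=+1 515-555-0100 to=515-555-0199
2015-12-02 08:10:30 from=391-555-0109 to=515-555-0100
2015-12-02 11:30:12 from=311-555-0188 to=515-555-0100
2015-12-02 14:45:09 from=+1 212-555-0170 to=515-555-0100
""".splitlines()
```

Running `analyze_call_log(SAMPLE_LOG)` flags four calling numbers and marks the first target as under a campaign (seven calls over two days from six different numbers); a structurally valid number in an assigned area code, like the 212 caller, passes the format check and is judged only by volume.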

Stay aware

Never give control of your computer to someone who made an unsolicited call to you. And never provide credit card or financial information to someone claiming to be tech support.

If you do fall victim to one of these scams, report it to your company’s information security area and/or local police immediately.

Every business, of every size, sector and location, needs to stay aware of these calling scams. These criminals are equal opportunity scammers; they will call anyone anywhere to get a victim. This makes it more important than ever before for every organization to ensure they provide information security training to all their employees, and send them ongoing reminders warning of such scams. It also makes it very important for every individual to be able to recognize the signs of a phone scammer so they will not fall victim, and possibly lose all their files, and a lot of money, in the process.

For more information about these tech support call scam crimes, see:


People care about the security of their patient data (https://privacyguidance.com/blog/people-care-about-the-security-of-their-patient-data/, Sat, 12 Dec 2015 02:37:03 +0000)

How well do you think your patient data, wherever it is located, is being secured? How well do you think your healthcare providers (doctors, nurses, hospitals, clinics, etc.) and health insurance companies are securing your patient information?

The fact is, with the increasing occurrences of patient data breaches, and more use of patient data for purposes beyond the provision of healthcare, most people are worried about patient data security.

People care about the security of their patient data

People may seem like they don’t care, based upon what is posted to social media sites. But keep in mind that the core concept of privacy is being in control of how your personal information is collected, used, shared, accessed and secured. As shown in Figure 1, most of those who responded to a poll I ran throughout October and November indicated they are concerned about the security of their patient information.

Figure 1 – October November 2015 Patient Data Security Poll Results (image not reproduced)

It was interesting to see that the distribution of answers remained constant from the beginning of the poll to the end; with some interesting results.

Patient data is used for other purposes

Most folks I speak with are amazed at the growing ways in which patient health data, which has historically only been used by healthcare providers, is now being collected by a very wide number of organizations through the many fitness wearables, medical devices and mobile apps, in new ways that were never imagined. Consider just a few of the ways that what has historically been considered to be patient data is now being collected and used for more than treatment purposes:

The data is going to continue to proliferate exponentially in the coming years. Just consider fitness tracker wearables. Currently 10.2 percent of the U.S. population (25.1 million) uses them. It is projected that by 2019 over 33 percent of the U.S. population, from newborns to those over 100 years old, will be using them. That is a lot of health data being sucked up on a continuous basis. And most of those fitness wearable vendors will be sending that data to many others beyond the cloud service that the wearers are using to give them their fitness diagnostics.

Patient data breaches are increasing

Concerns about the security of patient data are not unfounded. Consider the following:

The range of breach sizes illustrates that any size of organization with healthcare data, from a 1-person business to a gigantic healthcare insurer with over one hundred thousand employees, is susceptible to a privacy breach of patient data. And the small to midsize organizations are likely more at risk given 77 percent of them do not have formal, written information security policies for employees to follow, and 41 percent do not have necessary security technologies implemented.

It is no wonder, considering patient data is much more valuable than other types of personal data. Recent research shows that patient health data is ten times more valuable than credit card numbers.

Improving patient data security

There are many security and privacy concerns for patient health data. Four primary concerns include:

If your organization collects health and patient data, not only do you need to comply with all applicable legal requirements, such as those HIPAA places on covered entities (CEs), their business associates (BAs) and subcontractors, but you also need to ensure you have a strong privacy and security program. And always remember, people care about the security of their patient data.

For more information about strengthening your privacy and security program to better protect patient data, see the following:


Women in STEM: Take the lead to secure a path for the future (https://privacyguidance.com/blog/women-in-stem-take-the-lead-to-secure-a-path-for-the-future/, Fri, 20 Nov 2015 18:00:18 +0000)

How do we get more women involved in STEM careers, information security and tech?

I took on this topic when I attended the ISACA EuroCACS conference in Copenhagen, Denmark earlier this month and gave two sessions. One was, “Women in IT, Information Security & Privacy.” When researching for this session I found some interesting history, along with some of the current state of inclusion of women within various IT, information security and privacy events. Let’s dive in:

A brief history of women in STEM

As I mentioned in my earlier post, Overlooked Women in Tech Innovation History, in the late 1890s 58 percent of science, technology, engineering and math (STEM) students were female. So what happened over the years to the number of women taking STEM classes, and being in STEM careers? I did some quick checks to see if I could find research studies looking into this. What I found at first blush was intriguing.

Figure 1 – Key moments for women in STEM (image not reproduced)

Figure 2 – Decline of women majoring in computer science (image not reproduced)

These few findings are intriguing and motivate me to do more research into this topic in the coming months.

Tiny fraction of speakers and forum experts are women

I speak at a lot of events. I’ve been invited to speak as a keynote, and for additional sessions, all over the world in not only the U.S., but also in Bogota, Colombia, Singapore, Melbourne, Australia, Ireland, and most recently Copenhagen at the beginning of this month, just to name a few.

In January of this year I received an invitation to deliver a keynote about my Internet of Things (IoT) security and privacy research at an IT conference in the summer. I accepted the invitation, but I did not hear from the conference coordinator again for several months, so I got back in touch with her. She told me, “Oh yes, that. We decided that a man would be a bigger draw than a woman. Men are just considered to be more knowledgeable, and to be the experts, than women for that topic. Nothing personal. We may be able to use you for another conference, though, in some way.” Hmm. Well, no you won’t. I’m not going to attend any of your upcoming conferences. Nothing personal.

A few days before my session in Copenhagen earlier this month I did a quick online search for “information security” “conference” and “speakers” to see how many of the top four returned searches included women. Here were the results for the conferences:

And the next one returned for the search was actually for an online forum:

So, the tally results in: 7 of 128, or 5 percent, of the speakers/experts were women.

Lessons:

  • We need more conferences to invite women to be speakers. There are many women in tech who are outstanding in their professions. They have much valuable information to share.
  • We need more women to submit proposals to be speakers. I know many don’t because they’ve been rejected so many times that they feel it will just be a waste of time to keep writing proposals that will get rejected anyway. I personally no longer submit proposals for certain conferences specifically because of that. But, I really do need to submit anyway. And so do more women.
  • We need to start highlighting the percentages of speakers at all STEM conferences to highlight imbalances in gender representation where they exist. Sooner (hopefully) or later conferences will change after they’ve consistently been reported to be so far out of gender balance.
  • We need more online forums to recognize more of the many women who are exceptional in their professions and ask them for their opinions to add to the predominantly male views.
  • We need BOTH men and women to purposefully include women in events and forums whenever an opportunity arises.

A small fraction of IT writers are women

I’ve had 17 books published so far, and several of them have been published by CRC Press / Taylor & Francis. I checked with my publisher there, Rich O’Hanley, and he indicated that for 2013 and 2014, 10 percent of the IT books they published had women as the sole or the primary author, and that it was also the same percentage for business and management books: 10 percent each year. Some women, me and a handful of others, were repeat authors; we each have written more than one book. Rich indicated, “It’s not that we reject proposals submitted by women, but that we don’t receive proposals from women.”

Lesson:

Women, we need more of you to write. Writing is a powerful way to demonstrate your capabilities, strengths, and expertise. Writing also shows that women are just as capable and possess as much expertise as their male counterparts who are doing 90% of the writing.

Comments from conference session attendees

I covered the following topics in my Copenhagen “Women in IT, Information Security & Privacy” session:

  • Dealing with various types of challenges throughout your career: things I’ve learned.
  • Know the many types of opportunities that exist, and are emerging, within the IT, information security and privacy career space…it’s not just about laws!
  • Know the steps to succeed in an IT, information security and privacy profession
  • Answer, “Is it too late for me?” Can you make the move into new areas of IT, information security and privacy after being in the workforce for 20+ years?
  • Gaining experience and knowledge in ways other than going back to school; volunteer opportunities lead to professional growth
  • Know how to get it right from the start – what courses should you be taking at the university level to prepare yourself for an IT, information security and/or privacy career?
  • Why mentors can be great or not great: knowing when to use mentors, and finding the mentor that is right for you.
  • Learn by example by hearing about some successful women in the IT, information security and privacy space and what they do

I was happy to see several men in my session. I received some interesting comments, during my session as well as after the session. Here are four that stood out for me:

  • A man in the audience during the session: “I am surprised, and enlightened by this information! I had no idea about many of these issues. This session should have been advertised as required attendance for men! I don’t think most realize many of these challenges that women face.”
  • One woman in the audience during the session said, “But what can I do to make changes right away? Why should I continue trying? I am the only woman on my information security team, I work longer hours, and I have done more volunteering (one of the actions I suggested) than any of the rest of them, and I have provided contributions recognized as very valuable. But I have not gotten raises or promotions while all the other team members have. Why should I keep trying?”
  • Another man asked, “Help us men understand, then. What would you say are strengths that women have for tech work that men should know about?”

My answer to him, “I don’t think there are any types of STEM professions or activities better suited to women than men; in the same way that there are no STEM positions or activities for which men are better suited. What an individual can do best depends upon his or her own personal strengths, capabilities and drive. Men, and women, need to recognize that individuals each have their own strengths. Women and men equally have the same strengths and weaknesses for working in STEM careers. What everyone needs to understand is that each person must be considered for his or her own unique capabilities and strengths, and that consideration should not be impacted by opinions of what men or women are, or are not, capable of doing.”

  • From a woman who attended and came up to me after the session, “I joined a long-established engineering organization as the only woman in the IT area. All the others, men who were all 10 years and more older than I, had worked there a long time, were clearly friends, and they often went out golfing together, and having lunch together. I was never included, but I just thought it was because they were all such longtime friends. And then I started seeing that business decisions were being made outside of the business environment; when they were golfing and socializing. And then one of those business decisions involved an idea that the group said they had been considering for a long time, but was actually an idea I had proposed and described at a recent IT meeting. I received no recognition for my contribution. It is hard to find success, or even recognition, in what they refer to themselves as the ‘old boys’ club’.”

Changes are needed, recognizing there is no simple answer

There is a lot of discussion online, at meetings and conferences about how to get more women involved in STEM careers in general, and in information security and tech in particular. Looking at the history of women in STEM, and also the current inclusion or exclusion of women in conferences and online forums, helps to highlight actions that can be taken now for women currently in colleges and workplaces. We also need to provide the same opportunities to girls from the youngest ages, both at home and in schools and clubs.

Making just one change will not make an impact. But making many changes throughout the entire stages of life and professional careers will start making noticeable changes. It is time to do so.

Women in STEM: Take the lead to secure a path for the future.


Additional Resources and more information:

Dell Women’s Entrepreneur Network 

Women leading us to the cloud

Women in tech: Meet the trailblazers of STEM equality


No Those Messages Will Not Completely Self-Delete (https://privacyguidance.com/blog/no-those-messages-will-not-completely-self-delete/, Fri, 30 Oct 2015 21:48:52 +0000)

A childhood friend of mine, who does not have a technology or information security background, recently asked me whether apps that promise that messages, photos, videos, and anything else sent through them will completely disappear are to be trusted. She referenced several different proclaimed “disappearing messages” apps that are currently available and asked, “So what do you think of these disappearing apps? The messages are not really gone?” She is responsible for the care of an adult relative, wanted to be able to communicate with his healthcare providers securely without any of the communications lingering, and had been using one of these apps.

I then had a great conversation with her about this, letting her know all the ways in which those messages can be saved that are outside the control of those apps. Since so many healthcare organizations are now communicating with their patients by using these tools, as well as a wide variety of other businesses who are communicating with their customers, it is important that all using them know the associated ways in which those messages will not be disappearing. Here are the four most significant ways.

  1. The recipient can make a screenshot of the message

Unless one of these disappearing messages apps has built in the capability to disable the screenshot function of the device it is received on, the app cannot make a valid guarantee that it can permanently make the messages disappear. And I have not found any such apps that can do such disabling. There are some creative apps that put bars, imperceptible to the viewer, over the images to keep them from being seen when capturing a screenshot, but it only works on certain types of devices, and only if both sender and receiver are using it. And I’m not convinced these will always work even if both sender and receiver are using it, or that the person taking the screenshot will not figure out how to time it to avoid those image-covering bars. It is also unclear how those bars would keep people using auto-saving apps from capturing the original image. Another app tries to prevent screenshots by allowing only small portions of a message to be viewed at one time. That may work if you are only interested in text secrecy, but it does not seem to be something that would work for photos or videos.

  2. Others nearby can snap an image with their phone

When you travel, or are in public places, do you notice what those around you are doing? I do. I find it fascinating to people-watch, and to see what people do to put their own privacy at risk, in addition to seeing what people do to invade others’ privacy. While traveling in September, and waiting for over an hour for my connecting flight, I noticed a young man walking behind a row of travelers, all of whom were looking down at their smartphones and tablets; he stopped, pointed his smartphone, and appeared to take a few photos of what one of them was viewing, and those he was targeting appeared oblivious.

Situations like this are dicey. Should you act upon what may, or may not, be someone digitally scooping up other people’s screen images? Or shake your head and fuhgettaboutit? I took an approach somewhere in the middle. I got up, walked towards the young man, but looked past him, as if I were looking out the window behind him. I stopped within a few feet, and as he looked at me, I made eye contact, smiled, and said to him, “Lots to see in [city name], isn’t there?” He turned and hurried away. I’ve also seen people watching others’ screens on airplanes, in restaurants, and at public entertainment events. If anyone is around you when you get a disappearing message, remember that they could be taking a photo of it unbeknownst to you. Then they can post it online for the world to see wherever, and whenever, they choose.

  3. Software can copy the messages

There are a variety of software tools and apps that can be surreptitiously loaded onto smartphones (for example, through phishing, malicious sites, malware, or peer-to-peer sharing) and that copy all those so-called disappearing photos, videos and messages, before they “disappear,” to a different location on the Internet, or to someone else’s phone or computer. For example, in 2014 it was shown that Snapchat photos could be retrieved from Android phones using widely available forensics software: the photos were hidden only by a “.NoMedia” file extension that kept them from being displayed on the device, and removing it made them viewable again. There are also apps you can install to automatically keep copies of the messages and images received from people using such disappearing apps, and the sender is not notified in any way that you are using a tool to copy the message before it actually disappears.

  4. Copies of messages are often left in memory and/or storage

Whenever a computing device such as a smartphone or tablet sends or receives messages, photos, videos, and so on, the device generates logs indicating that some type of activity has occurred. And often, depending on the settings of the device and on how the software sending or receiving the messages was written, copies of the message may be kept temporarily in memory, or even written to storage, and remain there after the original message itself has been deleted. Earlier this year a digital forensics expert ran “a very basic experiment” to determine what types of data are discoverable after messages were supposedly erased. As he did additional experiments and research, he found that it was possible to recover “certain messages – perhaps all messages” from the devices. This is really not surprising given the way the technology works. But it is important to know, given the claims and promises made by these self-erasing apps and tools.
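To make the fourth point concrete, here is an added example that is not from the original post or from any of the apps it mentions. Most mobile apps keep their message history in a SQLite database, so this Python script builds a small one with a constructed sample message, deletes the row the way an app’s “delete” would, and then searches the raw database file for the plaintext, which is what a forensic tool does. With SQLite’s default settings the bytes are still in the file; only `PRAGMA secure_delete` or a `VACUUM` actually removes them, and even then the storage blocks underneath may still hold an older copy. The table name, the file name and the message text are assumptions for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample message; it stands in for a "disappearing" message
# an app has written to its local SQLite store.  Not real patient data.
MESSAGE = b"constructed sample: the appointment is moved to Thursday at 4pm"


def _raw_file_bytes(path):
    """Read the database file the way a forensic tool would: as bytes,
    ignoring the SQLite schema entirely."""
    with open(path, "rb") as fh:
        return fh.read()


def deleted_row_survives(secure_delete=False, vacuum=False):
    """Create a tiny messages table, delete the sample row, and report
    whether its plaintext can still be found in the raw database file.

    secure_delete=True turns on PRAGMA secure_delete, which makes SQLite
    overwrite freed cells with zeros.  vacuum=True runs VACUUM after the
    delete, which rebuilds the file without its dead space.
    """
    workdir = tempfile.mkdtemp(prefix="self-delete-demo-")
    path = os.path.join(workdir, "messages.db")   # assumed file name
    try:
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body BLOB)")
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [(b"first message",), (MESSAGE,), (b"last message",)],
        )
        conn.commit()

        # What the app's "delete" does: remove the row.  The query layer
        # now reports the message as gone ...
        conn.execute("DELETE FROM messages WHERE body = ?", (MESSAGE,))
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")
        remaining = conn.execute(
            "SELECT COUNT(*) FROM messages WHERE body = ?", (MESSAGE,)
        ).fetchone()[0]
        conn.close()
        if remaining != 0:
            raise RuntimeError("row was not deleted")

        # ... but the bytes of the freed cell are still in the file unless
        # SQLite was told to scrub them.
        return MESSAGE in _raw_file_bytes(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("default settings, row still in file:", deleted_row_survives())
    print("secure_delete=ON, row still in file:", deleted_row_survives(secure_delete=True))
    print("after VACUUM, row still in file:", deleted_row_survives(vacuum=True))
```

The same pattern applies to the device’s own storage: a file the app unlinks is gone from the directory listing, but its blocks are not overwritten until something else needs them, which is exactly what the forensic experiments in the text relied on.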

Good security practices are necessary

As businesses and healthcare organizations begin using these types of self-deleting apps and tools to communicate with customers and patients, it is very important that those using them not only know and understand the four facts described above, but also practice good, effective security beyond the limitations of the apps and tools. Otherwise they are putting the messages, photos and videos at risk of unauthorized access.

I won’t go over every security practice that should be in place within an organization; that is covered extensively in thousands of other books, articles, and blog posts. But with regard to the use of disappearing messaging apps and tools, make sure you do at least the following:

  • Establish procedures to ensure those you correspond with using these apps and tools are trustworthy. If you know the patient or customer, and know that they are as motivated to keep the messages safe and secure as you are, that will help ensure the risks described above are not exploited at the receiving end.
  • Use anti-malware software, and remove all unused apps from your device. The fewer apps and files on your device, the better; otherwise some of those apps and tools could be making copies of messages and photos without your knowledge.
  • Be aware of those around you when you are using disappearing messaging apps and tools. Make sure no one within viewing distance can see your screen.
  • Create policies and supporting procedures for the use of such disappearing apps and tools within your organization, especially for how they are used in communicating with customers. And in the U.S., with regard to healthcare, make sure you use them in compliance with all HIPAA requirements.
  • Train everyone within your organization in how to use such apps and tools in the most secure and privacy-protecting way possible.

Bottom line…

Self-deleting messages appeal to a very wide range of demographic groups, in part because they make users feel they have control over those messages. My long-time friend wants to feel in control of the messages she shares with her relative’s health care providers. Teens want to feel in control of the messages they send to their friends. Feeling in control is a critical component of privacy protection: giving individuals control over their own personal information and the actions taken with it.

But no, those messages will not reliably self-delete. No message or image can be guaranteed to disappear completely once it has been sent to others and displayed on a computing device screen. There are countless screen-grab tools that can immediately copy whatever is shown. Promises that messages will disappear are often misleading; an app can only promise that the copy it stores and controls itself will be deleted. It has no control over screen-grab tools, over nearby cameras, or over the other situations in which those messages could be captured.

Keep these things in mind as you consider using disappearing messages in your business or your personal life, to help protect your private photos, videos and messages.

 

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

The post “No Those Messages Will Not Completely Self-Delete” appeared first at https://privacyguidance.com/blog/no-those-messages-will-not-completely-self-delete/
Four Things to Do for National Cyber Security Awareness Month
https://privacyguidance.com/blog/four-things-to-do-for-national-cyber-security-awareness-month/
Fri, 16 Oct 2015 17:55:07 +0000

Since this is National Cyber Security Awareness Month (NCSAM) it seems appropriate to give some examples and tips for how everyone can improve upon security, and better protect their privacy, this month.

More and more breaches are announced almost daily. This highlights the need not only for organizations to strengthen their information security efforts and improve their controls, but also for everyone to be more aware of when others are collecting their personal information, to know how that information is used and shared, and to do a better job, as consumers, of securing their own personal information.

So what security improvement actions have the most bang for the buck? Here are four actions for organizations, and individuals, to take this month to significantly improve upon the security of computing devices, along with the personal information used with them.


  1. Get rid of apps you don’t need.

Most people have many more apps loaded on their mobile computing devices than they actually use. There is a tendency to download apps and then never delete them, even if the apps are never used. A recent study revealed that most smartphone owners use only three of the many apps they’ve downloaded. A different recent study reported that over half of smartphone owners have 40 to 70 apps on their phone, but over 70 percent of them use just one to six of those apps a day.

I think the number loaded is actually much higher. In my experience, when I’ve asked friends and others how many apps they think are loaded on their phones, and then had them check the actual number, the actual number was always much higher. In one case a person said she thought she had around 25 apps, but when she checked she actually had over 150. She had downloaded a lot of free apps, never used them, and then forgotten about them. Those unused apps are not just sitting there in storage; many of them are sending data from the phone out to potentially many parties the phone owner doesn’t even know about. For example, a health tracking app approved by the National Health Service in England was discovered to be sending personal and health data to others in clear text. Each unused app on a smartphone is a potential data siphon.

TO DO FOR NCSAM: Review all the apps on your smartphones and completely remove those that are not used.

 


  2. Use effective authentication, including two-factor authentication and strong passwords.

Many websites, products and organizations now offer two-factor authentication, which is good, because single-factor authentication has repeatedly been shown to be weak and a significant vulnerability. Unfortunately, too many organizations and individuals still do not use two-factor authentication when it is available.

And when was the last time you changed your passwords? A recent study showed that over half of passwords had not been changed in over five years. And when you choose a new password, do you choose a strong one, with at least eight characters (longer is better) mixing letters, numbers and symbols? Most people still choose horribly bad passwords. For example, in the Ashley Madison breach the top five most commonly used passwords were:

  • 123456
  • 12345
  • Password
  • DEFAULT
  • 123456789

Another problem is that far too many businesses and individuals are still using the default passwords that came with their devices; change those now!

TO DO FOR NCSAM: Enable two-factor authentication wherever possible, require strong passwords, and ALWAYS change the default passwords.
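In practice the second factor offered by most websites is a time-based one-time password (TOTP, RFC 6238) that an authenticator app derives from a shared secret. The following Python is an added example, not code from the original post: it implements HOTP/TOTP with only the standard library and checks itself against the published RFC test vectors (secret “12345678901234567890”, 8 digits, time 59 gives 94287082). The drift window in `verify_totp`, the `otpauth://` enrolment URI format, and the account and issuer names in the demo are assumptions modelled on how authenticator apps and servers behave; the constant-time comparison matters because the submitted code is itself a secret.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`
    second intervals since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check.  Accepts the code for the current step and for
    `window` steps either side to tolerate clock drift (the window size is
    an assumption; real servers also remember used codes so one code cannot
    be replayed inside the window).  Comparison is constant-time because
    the code is a secret."""
    if len(code) != digits or any(c not in "0123456789" for c in code):
        return False
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    matched = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        # no early return: timing stays independent of which step matched
        matched |= hmac.compare_digest(expected, code)
    return matched


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI of the kind authenticator apps read from a QR code
    at enrolment; the secret travels base32-encoded."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "digits": digits, "period": step}
    )
    return "otpauth://totp/%s?%s" % (label, query)


# Test vectors from RFC 4226 (HOTP) and RFC 6238 (TOTP, SHA-1, 8 digits).
RFC_SECRET = b"12345678901234567890"
RFC_HOTP = ["755224", "287082", "359152", "969429", "338314"]
RFC_TOTP = {59: "94287082", 1111111109: "07081804", 1234567890: "89005924"}


def self_check():
    """Return True if this implementation reproduces the RFC vectors."""
    ok = all(hotp(RFC_SECRET, i) == v for i, v in enumerate(RFC_HOTP))
    return ok and all(totp(RFC_SECRET, t, digits=8) == v for t, v in RFC_TOTP.items())


if __name__ == "__main__":
    print("RFC vectors reproduced:", self_check())
    print("current 6-digit code for the RFC secret:", totp(RFC_SECRET))
    # assumed account and issuer names for the enrolment example
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleClinic"))
```

The point for the reader of this post is that the second factor is only as strong as the secret’s handling: it must be generated randomly per account, stored as carefully as a password hash on the server, and never sent by the same channel an attacker who has the password could already read.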


  3. Apply security updates to all your systems and applications.

Recently I asked a group of executives at a large client of mine whether all their computing systems were kept updated with the most recent security patches. Most said they assumed so. Then I asked whether their personally owned computing devices were kept updated. They all looked around at each other. Then one said, “I would assume so.” I asked, “Do you ever see any update messages on your device? Do you have the settings to automatically download updates?” Most shrugged. If you don’t know whether your computer systems are getting regularly updated, then chances are they are not.

Cyber crooks look for systems that still have old, unpatched vulnerabilities. Those vulnerabilities can also let bad things happen through ordinary mistakes and interactions with other applications and systems. You are a digital sitting duck if you don’t stay on top of security updates. Case in point: have you updated your OpenSSL to remove the Heartbleed vulnerability? Do it now!

 

TO DO FOR NCSAM: Check that all your personal and business computing devices are running the most recent versions, apply all available security patches, and set your devices to install new security updates automatically.
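Taking the Heartbleed case as the worked check, here is an added example that is not from the original post. Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g fixed it. The Python below parses an `openssl version` banner, classifies it, and reports the OpenSSL this Python interpreter is linked against. The caveat a practitioner needs: distributions such as Debian and Red Hat backported the fix without changing the version string, so an old-looking banner on a patched system is a false positive and the package manager’s changelog, not the banner, is authoritative. The banners in the self-checks are constructed examples.

```python
import re
import ssl

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160):
# 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release.  1.0.1g fixed it.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def parse_openssl_banner(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', '')."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta or ""


def upstream_heartbleed_vulnerable(banner):
    """True if the upstream release named in `banner` shipped with the bug.

    Heuristic only: distributions backported the fix without bumping the
    version (e.g. RHEL 6 kept '1.0.1e-fips'), so a True here on a patched
    system is a false positive; confirm with the package manager.
    """
    major, minor, fix, letter, beta = parse_openssl_banner(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"        # '' (plain 1.0.1) .. 'f' affected, 'g'+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"     # fixed in 1.0.2-beta2
    return False


def local_python_openssl():
    """Banner of the OpenSSL this interpreter is linked against, with the
    verdict (None when it is not OpenSSL at all, e.g. LibreSSL)."""
    banner = ssl.OPENSSL_VERSION
    try:
        return banner, upstream_heartbleed_vulnerable(banner)
    except ValueError:
        return banner, None


if __name__ == "__main__":
    banner, verdict = local_python_openssl()
    print("this Python links against:", banner)
    print("upstream release affected by Heartbleed:", verdict)
```

Run it on every host, not just the one you are sitting at: the interpreter’s bundled library and the system library can differ, and a patched system binary says nothing about a statically linked application.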


  4. Learn about the latest security threats and vulnerabilities.

People are not born with an innate sense of how to secure information. Organizations must provide effective training, along with ongoing awareness communications, so that people know how to incorporate effective information protection practices into their daily job activities. Just consider this: one recent study found that 57% of privacy breaches are caused by insiders, most of whom simply made mistakes, or did things without knowing they would put information at risk. Those could have been prevented with good education.

Every individual using computing devices of any kind also needs to know and practice security and privacy protection. At the very least, subscribe to my free monthly Privacy Professor Tips to get a monthly dose of news and advice on how best to protect your devices and data.

 

TO DO FOR NCSAM: Give good, effective information security and privacy training to ALL your employees, and send them ongoing reminders and other types of awareness communications. Follow information security and privacy news regularly for your own benefit.

 


 

 

Bottom line for organizations of all sizes…

These four things to do for National Cyber Security Awareness Month are just the start of building, or improving, an information security and privacy program that is effective, comprehensive and up-to-date. Every organization, of every size, in every location and every industry, needs such a program in place. And every person who uses computing devices needs to practice strong security and know how to protect privacy. Every month should really be Cyber Security Awareness Month for all organizations and all individuals.


 

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
