Cybersecurity Hot Topics
California Takes on Consumer Privacy in a Bold New Way
Just adopted, and effective January 1, 2020, the new California Consumer Privacy Act makes unprecedented and significant changes to the rights of California residents, particularly with respect to the privacy of their online activity. In addition to rights of access and deletion, businesses subject to the Act must disclose in detail what personal information they collect, whether the consumer provides it directly or it is gathered automatically, how it is used, and how it is sold or disclosed to third parties. Businesses that sell personal information will also need to display a clear “Do Not Sell My Personal Information” link on their homepage. The Act also permits businesses to offer consumers financial and other incentives in exchange for the use of their personal data, provided the terms are disclosed and the consumer opts in.
Breaches & Vulnerabilities in Healthcare
Failure to encrypt some portable devices resulted in the fourth largest economic penalty that has been imposed by the HHS Office of Civil Rights for violations of HIPAA. MD Anderson Cancer Center must pay a $4.3 million judgment because private patient data was stored in unencrypted devices. “The investigation found that MD Anderson had established encryption policies since 2006, and that MD Anderson’s own risk analyses had found that lack of device-level encryption posed a high risk for the receipt of information,” says the Office of Civil Rights.
The American Hospital Association has highlighted legacy devices in the healthcare system as a key vulnerability and has asked manufacturers to improve the security of their older devices. “This support should include wrapping security precautions around these devices, adding security tools and auditing capabilities where possible, conducting regular updates and patching all software, and communicating security vulnerabilities quickly through consistent channels,” noted the AHA in its letter to the House Energy and Commerce Committee. A representative for device manufacturers, the Advanced Medical Technology Association (AdvaMed), argued that device security is a “shared responsibility” among stakeholders: manufacturers, hospitals, physicians, IT professionals, healthcare providers, regulators and patients.
Hackers Aren't Afraid
Finance ministers and central bankers around the world share one overriding fear: that sometime soon the North Koreans or the Russians will improve on the two huge cyberattacks they pulled off last year. The United States offers so many targets that some worry it may be impossible to understand all of the vulnerabilities. Worse, most of those targets (banks, power grids, hospitals, cars) do not belong to the government, and there is a cloud of confusion over who is responsible for defending them and who may retaliate.
Right now, the agency charged with overseeing cybersecurity for U.S. pipelines is the Transportation Security Administration (TSA), but the Federal Energy Regulatory Commission (FERC) wants to change that. Two FERC commissioners have argued that the TSA is not equipped to do the job and cannot keep the pipeline network secure, and they want the role moved to the Energy Department.

The Children's Online Privacy Protection Act (COPPA) requires that companies covered by COPPA obtain parental consent up front before collecting personal information from children under 13. Parents must also be given the option to review and delete their child's data. In certain situations, such as a subscription service that has not been renewed, COPPA also requires a business to delete a child's personal information even if the parents do not request it.
Visit Buchanan BreachCoach®, your one-stop portal for cybersecurity information and updates.
The California Consumer Privacy Act initiative was approved for the November ballot last week, which left two ways it could become law: it could go to the voters for approval, or the initiative’s sponsor could demand that the California legislature pass a similar law before the deadline to withdraw the initiative from the November ballot. That deadline was yesterday, June 28, 2018. As a result, new privacy legislation, now known as the California Consumer Privacy Act of 2018, was passed quickly yesterday because, for the legislature and the internet companies lobbying it, the alternative was worse: the initiative would have gone to the voters, and there was a high risk that voters would approve it because it is so consumer-friendly (and public sentiment toward internet companies both large and small right now is not good).
HIPAA Breaches Penalties Up to 4.3 Million, Information Security Newspaper
The MD Anderson Cancer Center has been cited for keeping its devices unencrypted. The lack of device encryption will cost the Texas-based cancer treatment center $4.3 million in penalties imposed by the Department of Health and Human Services (HHS). In a statement, the HHS Office for Civil Rights said it had obtained a summary judgment from an HHS administrative law judge, who ruled that the University of Texas MD Anderson Cancer Center violated the information security standards established under HIPAA. The International Institute of Cyber Security notes that HIPAA obligates hospital organizations to keep patient information private.
Healthcare Orgs, Device Makers Debate Cybersecurity Vulnerabilities, Health IT Security
A number of medical organizations have submitted recommendations to the House Energy and Commerce Committee on how to reduce cybersecurity vulnerabilities in aging healthcare IT systems and medical devices under the committee’s Supported Lifetimes initiative. In April, the committee asked for input from various stakeholders about the problem of cybersecurity vulnerabilities in these systems and devices in response to the WannaCry ransomware campaign that caused widespread disruption in the healthcare sector last year. The American Hospital Association noted that legacy devices are a key vulnerability to the healthcare system and called on manufacturers to provide better support to improve the security of their devices.
Is Your Healthcare Organization Prepared to Withstand a Data Security Breach?, SecurityIntelligence
The healthcare industry has long been a top target for cybercriminals. According to a 2016 study from the Ponemon Institute, 89 percent of healthcare organizations have experienced a data security breach resulting in the loss or theft of patient information. More importantly, the cost of a data breach in healthcare is higher than in any other vertical, and the volume of breaches is expected to increase. For example, the rate of ransomware attacks against healthcare organizations is projected to quadruple between 2017 and 2020.
Under COPPA, Data Deletion Isn't Just a Good Idea. It's the Law., Federal Trade Commission
Buckling up in the car is a precaution parents take to protect themselves and their children. When it comes to the Children’s Online Privacy Protection Act, navigating the rules of the COPPA Road helps protect your business and the kids who visit your website or use your online service. Most companies are familiar with COPPA’s mandate to get parental consent up front before collecting personal information from children under 13. But there’s another requirement farther down the COPPA Road that some businesses may not know about. As the FTC’s Six-Step Compliance Plan for Your Business explains, if you’re covered by the Children’s Online Privacy Protection Rule, you must provide parents the right to review and delete their children’s information. But did you know that, under certain circumstances, COPPA also requires you to delete children’s personal information, even if parents don’t ask you to?
U.S. Regulators Urge Better Oversight for Pipeline Cybersecurity, Bloomberg News
The federal agency now charged with overseeing cybersecurity for U.S. pipelines is ill equipped to do the job, say two top regulators who want the role given to the Energy Department. The Federal Energy Regulatory Commission’s Neil Chatterjee, a Republican, and Richard Glick, a Democrat, wrote in an online article that the Transportation Security Administration can’t keep the pipeline network secure. The two FERC commissioners noted that the TSA has only six full-time workers overseeing more than 2.7 million miles of pipeline, and depends on voluntary cybersecurity standards rather than mandatory ones. Instead, Congress should give the job to “an agency that fully comprehends the energy sector and has sufficient resources to address this growing threat,” the commissioners wrote.
Why Hackers Aren't Afraid of Us, New York Times
Ask finance ministers and central bankers around the world about their worst nightmare and the answer is almost always the same: Sometime soon the North Koreans or the Russians will improve on the two huge cyberattacks they pulled off last year. One temporarily crippled the British health care system and the other devastated Ukraine before rippling across the world, disrupting shipping and shutting factories — a billion-dollar cyberattack the White House called “the most destructive and costly in history.” The fact that no intelligence agency saw either attack coming — and that countries were so fumbling in their responses — led a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.