Verizon Protected Health Information Data Breach Report Concludes that Insiders Are Greatest Threat to Health Care Entities

Verizon recently issued its Protected Health Information (PHI) Data Breach Report, which is always an interesting read. Not surprisingly, Verizon’s report concludes that based upon analysis of 1,360 security incidents involving the health care sector, 58 percent of the incidents were caused by insiders and 42 percent were caused by external threats.

Insider threats include wrongdoers—those who steal patient records to sell them on the dark web, open credit cards, or commit tax fraud—but they also include employees who make unintentional errors. The Verizon report shows that unintentional errors accounted for 458 of the incidents in the analysis. The most common errors were misdelivery (information transmitted or mailed to the wrong person) and failure to dispose of sensitive information securely.

Further, the report confirms what we already know—that ransomware attacks continue to plague the health care industry.

Not surprisingly, the Report states “Basic security measures are still not being implemented. Lost and stolen laptops with unencrypted PHI continue to be the cause of breach notifications.”

Finally, the publishing of protected health information on public websites and the delivery of sensitive data via email to the wrong recipient continue to be a problem.

473,807 Patient Records Compromised in January, 2018—83 Percent Caused by Hacking Incidents

The recently released Protenus Healthcare Breach Barometer report notes that in January, 2018, at least 473,807 patient records were compromised in 37 breaches reported to the Office for Civil Rights. Twelve of the reported breaches were attributable to insiders, which was 32 percent of the data breaches reported in January. Seven of those incidents were caused by insider error and five were caused by wrongdoing. This shows how important employee education and monitoring continues to be in detecting and mitigating breaches caused by employees.

Eleven of the breaches reported in January were caused by hacking incidents, roughly one-third of the breaches reported that month. Although these incidents were one-third of the reported incidents by count, they accounted for 83 percent of the records compromised, so each one was, on average, far larger than the insider incidents. In total, 393,766 records were exposed by hacking incidents in January.

Just one of the hacking incidents exposed 279,865 records, which illustrates how many records a single intruder can compromise. Further, 11 of the incidents in January involved malware and ransomware attacks, which continue to be problematic in the health care industry.

Last Two States Considering Passage of Data Breach Notification Laws

The last two states that have not passed data breach notification laws are Alabama and South Dakota. We sometimes joke about these states because they are so late to the data breach notification table (California was the first state to pass a data breach notification law, in 2002) and seem not to care about consumer protection.

Not so anymore. Both Alabama and South Dakota are considering passing data breach notification laws. South Dakota Senate Bill 62 was approved by the Senate in late January by a vote of 30-2. The bill is winding its way to the House of Representatives.

Not to be left behind as the last one standing, Alabama’s breach notification law (Senate Bill 318) was passed unanimously by the Alabama Senate last week and is now heading to the Alabama House of Representatives. The Alabama bill would require companies to implement and maintain reasonable security measures to protect sensitive personal information, including performing a risk assessment.

It’s now a race to be dubbed the 50th (or last) state to pass a data breach notification law, a mere 16-year delay. Better late than never.

Flying with Your Data – ACLU sues the TSA Over Domestic Electronic Device Searches

If you’ve flown domestically in the last year, you know the drill. Take off your jacket, belt, and shoes and place them in a bin. Remove your quart-sized bag of 3.4 oz liquids and place them on top. Pull out your laptop, iPad, e-reader, gaming device, and any other electronic device larger than a cell phone, and place them in another bin. Shuffle through the full body scanner while keeping an eye on your belongings, then pack everything back up before heading to your flight. But what about all the data on your electronic devices—is that subject to a search?

While Customs and Border Protection (CBP) has publicly issued directives for its border searches of international travelers’ electronic devices, the ACLU alleges that the Transportation Security Administration (TSA) is now searching domestic travelers’ phones, computers, tablets, and other devices, and that its policy on searching those devices “remains shrouded in secrecy.” The ACLU previously filed a Freedom of Information Act (FOIA) request in December 2017 seeking records related to (1) the policies, procedures, or protocols regarding the search of passengers’ electronic devices; (2) the equipment, including SIM-card readers, used to search, examine, or extract data from passengers’ devices; and (3) the training of the TSA officers conducting the screenings, searches, and examinations of electronic devices. The ACLU says it received no records from TSA in response, and its new lawsuit, filed on March 12, is intended to compel the TSA to fully respond to that request.

As of yet, the TSA has not commented on this lawsuit, and it is unclear to what extent these electronic device searches are occurring. Travelers flying domestically with sensitive data should, however, be prepared for the possibility that their electronic devices could be searched.

Facebook Can’t Shake Illinois Biometric Proposed Class Action Case

We have previously reported on Facebook’s fight against a proposed class action case alleging violation of the Illinois Biometric Information Privacy Act (BIPA). Facebook continues to fight the allegation that its collection and storage of users’ and non-users’ facial scans through the use of facial recognition technology violates BIPA, and has filed a Motion to Dismiss the case which is pending in California (after it was successful in having the case transferred to California from Illinois). Plaintiffs allege that BIPA requires written consent before biometric information can be collected, stored or used and that Facebook refused to get Facebook users and non-users’ consent before collecting and storing facial scans.

The Judge recently denied Facebook’s Motion to Dismiss for lack of standing saying that whether Facebook does or does not store face templates for non-users is more appropriately determined during summary judgment or at trial.

Massive Adoption of Drones; Safety Still Top Concern for Officials

At the Unmanned Aerial Systems (UAS, or drones) Symposium co-hosted by the Association for Unmanned Vehicle Systems International (AUVSI) and the Federal Aviation Administration (FAA) in Baltimore, Maryland last week, all speakers agreed on one thing: safety is the primary concern. Michael Kratsios, Deputy Assistant to the President and Deputy U.S. Chief Technology Officer, said that while “we’ve never seen such a massive adoption of new vehicles taking to the sky at such a rapid pace,” safety is still an issue and is critical to the integration of drones into the national airspace. FAA Acting Administrator Dan Elwell spoke to the issue of safety, stating that “[i]f you want to fly in the [national airspace], you have to be identifiable, and you have to follow the rules.” Elwell put it simply: “one malicious act could put a hard stop on all the hard work [the FAA and the industry have] done on drone integration.” Deputy Associate Administrator for the FAA Angela Stubblefield agreed. She said, “With manned aircraft, you can see a tail number, but right now identifying a drone operator is more difficult. A drone flying over power infrastructure might cause concern, but if the FAA could tell that [the drone] was owned by a utility or a railroad, it would ease concerns.” For many FAA officials, drone identification is the key to drone safety in the skies. As regulations and guidance develop in this area, we will continue to monitor any new drone identification requirements and what they mean for both commercial operators and hobbyists.

FAA Plans to Bring LAANC to 500 More Airports by Next Month

On March 6, 2018, the Federal Aviation Administration (FAA) announced the nationwide expansion of its Low Altitude Authorization and Notification Capability (LAANC) to 500 more airports, covering 300 air traffic control facilities and opening up 78,000 miles of previously restricted airspace to commercial drone flights. Under the FAA’s Part 107 drone regulations, operators must secure FAA approval to operate in any airspace controlled by an air traffic facility. Last November, the FAA deployed LAANC to test the feasibility of a fully automated solution to this authorization (through data sharing in LAANC). LAANC reduces a drone flight authorization to five steps, and applications can be processed in a matter of seconds in most cases. Previously the waiver process was entirely manual, required 19 steps, and needed at least 90 days of lead time. Based on the success of last year’s test launch, the FAA will conduct this new, larger beta test this year, allowing greater participation across the country.

Airmap, Project Wing, Rockwell Collins and Skyward are currently the only service providers for LAANC. The FAA is considering new partners and applications for those providers interested in partnering with the FAA for LAANC must submit an application to the FAA by May 16, 2018. In conjunction with these service providers, LAANC uses airspace data provided through FAA UAS facility maps, which show the maximum altitude around airports where the FAA may authorize operations under Part 107 regulations. This is an important step towards unmanned air traffic management in our national airspace.

The expansion goes into effect on April 30, 2018, and final deployment (after the beta test that begins in April) is scheduled for September 13, 2018.

JHUISI Creates New Way to Protect Drones from Cyber-attacks

OnBoard Security, a Wilmington, Massachusetts-based security provider, announced last week that graduate students from the Johns Hopkins University Information Security Institute (JHUISI) have implemented a secured version of sense-and-avoid (SAA) technology for drones that prevents mid-air collisions while being less vulnerable to cyber-attacks than prior SAA approaches. The JHUISI team recognized that the way drones share their locations had to be hardened. They built on automatic dependent surveillance-broadcast (ADS-B), a surveillance technology in which an aircraft determines its position via satellite navigation and periodically broadcasts it so that it can be tracked; it is “dependent” because it relies on data from the aircraft’s own navigation system. Standard ADS-B broadcasts are neither encrypted nor authenticated, so a receiver has no way to tell a genuine position report from a spoofed or altered one. To close that gap, the JHUISI team developed a security-augmented ADS-B system using a cryptographic software library developed by OnBoard. With protection like this, drones are less susceptible to man-in-the-middle attacks and message modification. The approach is useful not only for drone operations but may also play a role in self-driving cars. The JHUISI team has published a full paper on the work.
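To show what “authenticating a position broadcast” looks like in practice, the following Go program is an added example written for this post; it is not the JHUISI team’s code and does not use OnBoard’s library. It uses the standard library’s Ed25519: the transmitter signs every report with a private key bound to its identifier, and the receiver rejects any message whose signature does not verify (forged or modified in transit) and any message whose sequence counter is not newer than the last one it accepted (a replayed capture). The 28-byte field layout, the transmitter address 0xA1B2C3 and the coordinates are constructed for the example; real ADS-B packs its fields into a 112-bit Mode S Extended Squitter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// PositionReport is a constructed, simplified stand-in for an ADS-B position broadcast.
type PositionReport struct {
	ICAO  uint32  // 24-bit transmitter address (assumed identifier)
	Lat   float64 // degrees
	Lon   float64 // degrees
	AltFt int32   // altitude in feet
	Seq   uint32  // per-transmitter counter; receivers reject non-increasing values
}

const reportLen = 4 + 8 + 8 + 4 + 4 // 28 bytes
const signedLen = reportLen + ed25519.SignatureSize

// Encode uses a fixed big-endian layout so sender and receiver sign and verify the same bytes.
func (p PositionReport) Encode() []byte {
	buf := make([]byte, reportLen)
	binary.BigEndian.PutUint32(buf[0:4], p.ICAO)
	binary.BigEndian.PutUint64(buf[4:12], math.Float64bits(p.Lat))
	binary.BigEndian.PutUint64(buf[12:20], math.Float64bits(p.Lon))
	binary.BigEndian.PutUint32(buf[20:24], uint32(p.AltFt))
	binary.BigEndian.PutUint32(buf[24:28], p.Seq)
	return buf
}

func decodeReport(buf []byte) PositionReport {
	return PositionReport{
		ICAO:  binary.BigEndian.Uint32(buf[0:4]),
		Lat:   math.Float64frombits(binary.BigEndian.Uint64(buf[4:12])),
		Lon:   math.Float64frombits(binary.BigEndian.Uint64(buf[12:20])),
		AltFt: int32(binary.BigEndian.Uint32(buf[20:24])),
		Seq:   binary.BigEndian.Uint32(buf[24:28]),
	}
}

// GenerateKeypair creates a transmitter identity; key distribution to receivers is assumed out of band.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport produces the on-air message: report bytes followed by a 64-byte Ed25519 signature.
func SignReport(priv ed25519.PrivateKey, p PositionReport) []byte {
	payload := p.Encode()
	return append(payload, ed25519.Sign(priv, payload)...)
}

var (
	ErrMalformed = errors.New("adsb: wrong message length")
	ErrBadSig    = errors.New("adsb: unknown transmitter or signature mismatch (forged/modified)")
	ErrReplay    = errors.New("adsb: sequence not newer than last accepted (replay)")
)

// Receiver holds trusted public keys and the last accepted sequence number per transmitter.
type Receiver struct {
	Keys    map[uint32]ed25519.PublicKey
	lastSeq map[uint32]uint32
}

func NewReceiver() *Receiver {
	return &Receiver{Keys: map[uint32]ed25519.PublicKey{}, lastSeq: map[uint32]uint32{}}
}

// Accept checks length, signature and freshness, in that order, then returns the decoded report.
func (r *Receiver) Accept(msg []byte) (PositionReport, error) {
	if len(msg) != signedLen {
		return PositionReport{}, ErrMalformed
	}
	payload, sig := msg[:reportLen], msg[reportLen:]
	rep := decodeReport(payload)
	pub, ok := r.Keys[rep.ICAO]
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return PositionReport{}, ErrBadSig
	}
	if last, seen := r.lastSeq[rep.ICAO]; seen && rep.Seq <= last {
		return PositionReport{}, ErrReplay
	}
	r.lastSeq[rep.ICAO] = rep.Seq
	return rep, nil
}

func main() {
	pub, priv, _ := GenerateKeypair()
	rx := NewReceiver()
	rx.Keys[0xA1B2C3] = pub
	msg := SignReport(priv, PositionReport{ICAO: 0xA1B2C3, Lat: 39.29, Lon: -76.61, AltFt: 350, Seq: 1})
	tampered := append([]byte(nil), msg...)
	binary.BigEndian.PutUint32(tampered[20:24], 3500) // man-in-the-middle rewrites altitude without the key
	for _, c := range []struct{ name string; m []byte }{{"genuine", msg}, {"modified", tampered}, {"replayed", msg}} {
		_, err := rx.Accept(c.m)
		fmt.Println(c.name, "->", err)
	}
}
```

The sequence counter matters as much as the signature: without it, an attacker who records a valid broadcast can rebroadcast it later to place a phantom aircraft, and every signature still verifies. A production design would also need to address key provisioning and revocation and the bandwidth cost of a 64-byte signature on a link originally sized for 112-bit squitters; those are outside what this example shows.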

Privacy Tip #130 – Smartphones Targeted by Dark Caracal Attack

A global malware campaign called Dark Caracal is targeting mobile devices across the world; researchers believe it operates out of Beirut and is linked to the Lebanese General Security Directorate. According to security researchers, attacks on mobile devices are on the rise because people use their smartphones more than laptops or desktop computers, and smartphones hold more information than other devices.

The malware is disguised as a messaging app such as Signal or WhatsApp. It asks the user for permission to take photos and to access the microphone and location services; the user, believing it is the real app, clicks “yes” to every pop-up the new app presents, which gives the intruders full access to the phone. According to the researchers, this app is not “exploiting a code’s vulnerabilities, it’s exploiting a person’s vulnerabilities.” We can be our own worst enemy.

The good news is that the Google and Apple app stores are working hard to keep these apps out of their stores, but the same is not true for third-party app stores. Dark Caracal spread through advertising on websites and group sites. The tip: do not download apps from third-party app stores.

Another tip is to apply any security patches issued by the manufacturer as soon as possible. According to a report the FTC issued late last month, individuals are not patching their smartphones quickly enough and are falling victim to already-disclosed vulnerabilities because they have not installed the manufacturer’s security updates.

So next time your phone asks you to update to the next operating system, don’t say “later.” Do it now.

Cybersecurity Task Force Launched in Arizona

Arizona Governor Doug Ducey launched the Arizona Cybersecurity Team (ACT) by Executive Order on March 1, 2018. The ACT comprises 22 members, including officials from the Executive Branch (among them the state’s Chief Information Officer and Chief Information Security Officer), representatives from public safety, homeland security, emergency and military affairs, and members of the legislature, higher education, local government, and the private sector.

In announcing the launch of the ACT, Governor Ducey stated that it was a “step we can take to enhance our cyberpreparedness.” The mission of the ACT is to “work together to protect Arizonans from a cyber-attack.” To do so, the ACT will “work together as one team throughout government and the private sector.”

The importance of working together to combat cyber-attacks cannot be emphasized enough, and any statewide effort to do so should be lauded.