Privacy Tip #211 – WhatsApp Users: Update Your App to Patch Vulnerability

WhatsApp has announced that it has patched a vulnerability that would have allowed hackers to use malware to access users’ chat history. Devices running Android 8.1 and 9 could have been susceptible to the attack, but WhatsApp is urging all users to update their app.

Although WhatsApp says it has patched the vulnerability and does not believe that it was exploited by attackers, it is urging users to update their apps so that the patch can be applied to thwart any exploitation.

WhatsApp users—heed the recommendation and go to the Apple App Store or Google Play Store and tap the WhatsApp update button so the patch can be applied as soon as it is issued.

URGENT/11 Cybersecurity Vulnerabilities Could Affect Medical Devices and Hospital Networks

On the heels of an FDA committee report concerning cybersecurity issues with medical devices, the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks.

According to the FDA’s October 1st notice, the URGENT/11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. IPnet is used in several operating systems, so the vulnerabilities might affect certain medical devices connected to a communications network, such as Wi-Fi and public or home Internet, as well as other connected equipment such as routers, connected phones and critical infrastructure equipment. These cybersecurity vulnerabilities could allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws that could prevent a device from functioning properly, if at all.

At this time, although the FDA is unaware of any confirmed adverse events related to the URGENT/11 vulnerabilities, it notes that software to exploit the weaknesses is already publicly available. The FDA alert includes recommendations for manufacturers, health care providers, health care facility staff (including IT professionals), and patients to assess, communicate, and mitigate risks. Some medical device manufacturers are already actively determining which devices have operating systems affected by URGENT/11 and are identifying risk and remediation actions, including notification to health care providers and consumers as appropriate.

Devices found to be affected thus far include an imaging system, an infusion pump, and an anesthesia machine. However, the FDA expects that more medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.

The FDA encourages patients and their health care providers to report suspected problems with medical devices through the MedWatch Voluntary Reporting Form. Further, the FDA is working closely with other federal agencies, manufacturers, and security researchers to identify, communicate and prevent adverse events related to the URGENT/11 vulnerabilities. More information on URGENT/11 can be found in a corresponding advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.

Ransomware Attacks Double in 2019: Medical Providers Can’t Recover and Shut Down

Consistent with our experience, security firm McAfee has confirmed in a report that ransomware attacks have doubled in 2019. Medical providers have been hit hard this year, and one provider, Wood Ranch Medical, located in California, is permanently closing following a ransomware attack.

Wood Ranch was hit with a ransomware attack over the summer, and its electronic medical records (EMR) were encrypted. Wood Ranch did not pay the ransom, and then discovered that its back-up hard drives were also encrypted by the attackers. The damage was devastating, and because Wood Ranch was unable to recover its data, it is winding down and will cease operation on December 17, 2019.

This comes after Michigan Brookside ENT and Hearing Center was hit with a ransomware attack. The attackers requested payment of $6,500 to decrypt the provider’s system containing its patient records, which the provider refused to pay. In response, the hackers wiped the entire system, which forced Brookside to also shut its doors.

There is no indication that these attacks will stop, and they could force other medical providers to shut their doors because they are unable to recover from an attack. These examples show how important it is for providers to have a robust and tested back-up system for their systems, including the EMR (which is required by HIPAA), and an incident response program that can be implemented quickly to avoid the disastrous consequence of going out of business.

Cybersecurity and the Electric Grid – New GAO Report Identifies Actions Needed to Address Cybersecurity Risks

The United States Government Accounting Office (GAO) recently issued a report on the cybersecurity risks facing the electric grid. The GAO reviewed the cybersecurity of the electric grid to determine the risks and challenges facing the grid, to describe federal efforts to address those risks, to assess the extent to which the Department of Energy (DOE) has defined a strategy for evaluating grid cybersecurity risks and challenges, and to assess the extent to which Federal Energy Regulatory Commission (FERC)-approved cybersecurity standards address grid cybersecurity risks.

The report was commissioned at the request of Congress and made several recommendations aimed at implementing a federal cybersecurity strategy for the grid. The GAO made one recommendation to DOE and two recommendations to FERC, which regulates the interstate transmission of electricity. The GAO recommended that the DOE’s strategy for the grid address the key characteristics of a national strategy, including a full assessment of the cybersecurity risks. The GAO’s first recommendation to FERC was to consider adopting changes to its cybersecurity standards to more fully address the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The second recommendation was to evaluate the potential risk of a coordinated cyber-attack on geographically distributed targets and determine if changes are needed in the threshold for mandatory compliance with the requirements in the full set of cybersecurity standards.

The GAO report identified the threat actors to the grid as nations, criminal groups and terrorists, and recognized that the electric grid of the U.S. is becoming more vulnerable to cyberattacks against supply chains for industrial control systems, consumer Internet of Things (IoT) devices connected to the grid’s distribution network, and global positioning systems (GPS). It’s no secret that a serious cyberattack on the nation’s electric grid would be devastating. The report contains many details of the different attack strategies, but more importantly, it recognizes that identifying resource needs and coordinating efforts through public/private partnerships will be critical in implementing a cybersecurity strategy to protect the grid.

Google Sued Under Illinois Biometric Information Privacy Act

Another day, another suit against a brand name for allegations of violation of the Illinois Biometric Information Privacy Act (BIPA). Plaintiffs’ attorneys are having a field day filing class action lawsuits based on BIPA.

Late last week, Google was sued in Cook County, Illinois in a proposed class action, alleging that it violated BIPA by “collecting, storing and using Plaintiffs’ and other similarly situated individuals’…biometrics without informed written consent, in direct violation of BIPA.”

The suit alleges that Google is violating BIPA because it is “actively collecting, storing, and using—without providing notice, obtaining informed written consent or publishing data retention policies—the biometrics of millions of unwitting individuals whose faces appear in photographs uploaded to Google Photos in Illinois.”

The suit alleges that when an individual uses the cloud-based service Google Photos, “face templates” or “face prints” are created using facial recognition software to identify individuals. Google then groups individuals based upon the faces that appear in the photos, and also stores each group as a template in its database.

The allegations are very similar to the case against Vimeo which we reported on last week.

We will continue to see these cases filed and will watch them carefully and report on them as they wind through the court system. In the meantime, companies should be familiar with the requirements of BIPA as they develop and roll out products and services that collect or use biometric information.

Important Tool in Your Box: Spam Filter

I have been hanging out a lot with Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) these days at speaking engagements and conferences, as October – National Cybersecurity Month – is always busy. The topic that keeps coming up in these conversations is phishing and how most ransomware attacks start because an employee clicks a malicious link or attachment. Although we continue to discuss how important employee engagement and education are in avoiding these campaigns, another cyber-hygiene tool for your company is a robust spam filter.

A spam filter is crucial to block malicious emails from ever reaching your users. Although not perfect, it reduces the chance that malicious emails find their way into your users’ inboxes and are clicked on by an employee who may not be able to recognize them as malicious, or who is working a bit too fast.

There is a constant balance between putting strong data security measures in place and your users being able to get their jobs done quickly and efficiently. I have heard from many CISOs that their company will not turn the spam filter on at the strongest level, which would keep out as many malicious emails as possible, because users will then have to go into their spam filter to release some of the messages, and users get up in arms when having to take that extra step.

We have to get to the point where users are as invested in cybersecurity hygiene as we are. We have to change the discussion so that users feel engaged in helping to secure the company’s data and WANT to take the extra step to protect the data and the company as vigilant data stewards and militia.

Employees really don’t want to be the one who clicks on the link that puts the company into a devastating tailspin. We just haven’t done enough to explain the risks and consequences of their digital actions and why they are one of the most important pieces in the data protection program. Once we adequately explain their role in data protection, as data stewards and the data militia for the company, they will complain less about the extra steps that have been put in place to protect the company. They will want to help. They will want to do the right thing. It is really no different than requiring employees to swipe a badge to get onto the elevator or into the office every day. We all know why it is important and we are willing to do it to protect ourselves and our company. It becomes a natural thing. The same should be true for protecting data.

Change the conversation with your employees and users so they are engaged in data protection and it becomes a natural and easy thing to do.

Another Delay in Issuance of UAS Remote Identification Regulations

The U.S. Department of Transportation (DOT) announced that the Notice of Proposed Rulemaking for remote identification of unmanned aircraft systems (UAS or drones) has been delayed – again. The Notice of Proposed Rulemaking is now scheduled for release in December 2019. These rules will address remote identification, which is the ability of a drone to transmit identifying information to other parties on the ground while operating in the national airspace. Those parties would include the Federal Aviation Administration (FAA), federal security agencies, and law enforcement officials.

Currently, UAS regulations do not provide a way for authorities to identify the owner of the drone except by physical inspection of a self-labeled registration number. Therefore, many drone operations can be conducted anonymously, even those that violate FAA regulations. The FAA aims to enhance the ability of state and federal authorities to respond to reports of a drone operating in an unsafe or unlawful manner (e.g., operation in a no-fly zone). The reason for this latest delay in releasing these remote identification requirements has not been expressed by lawmakers. However, the FAA will certainly be under pressure to act promptly and to try to meet this third deadline for release of these rules.

Privacy Tip #210 – HHS Office of Inspector General Issues Fraud Alert for Genetic Testing Scam Targeting Seniors

Everyone knows how I feel about those home genetic testing kits—most people don’t understand that when they send their DNA to a private company, it is not protected by HIPAA or any other law, and the company can legally use and disclose it, including selling it to other companies. Understand what companies are doing with your genetic data and DNA before you just pop it to them in the mail.

With that said, this week the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a warning (Alert) to the public about a fraud scheme involving genetic testing.

According to the Alert, “Scammers are offering Medicare beneficiaries ‘free’ screening or cheek swabs for genetic testing to obtain their Medicare information for identity theft or fraudulent billing purposes. Fraudsters are targeting beneficiaries through telemarketing calls, booths at public events, health fairs, and door-to-door visits.”

It is disturbing that fraudsters continue to prey on our seniors, and this is just another scam targeting them.

The Alert says that if a person agrees to genetic testing, that individual is asked to confirm his or her Medicare information, and receives a cheek swab, an in-person test, or a testing kit in the mail. These tests have not been ordered by a physician and have not been determined to be medically necessary.

The fraudsters then submit a claim to Medicare for reimbursement, and when it is denied, the beneficiary is responsible for paying for the test, “which could be thousands of dollars.”

The Alert gives ways you can protect yourself, including:

  • If a genetic testing kit is mailed to you, don’t accept it unless it was ordered by your physician. Refuse the delivery or return it to the sender. Keep a record of the sender’s name and the date you returned the items.
  • Be suspicious of anyone who offers you “free” genetic testing and then requests your Medicare number. If your personal information is compromised, it may be used in other fraud schemes.
  • A physician that you know and trust should assess your condition and approve any requests for genetic testing.
  • Medicare beneficiaries should be cautious of unsolicited requests for their Medicare numbers. If anyone other than your physician’s office requests your Medicare information, do not provide it.
  • If you suspect Medicare fraud, contact the HHS OIG Hotline.

Please pass this along to the seniors in your life to help protect them from this fraud.

Click2Gov Portal Compromised in Eight Cities

Many cities in the United States utilize a self-pay portal for residents to pay bills online, known as Click2Gov. Click2Gov was compromised in 2017 and 2018, when hackers were able to access over 300,000 payment cards and reportedly made more than $2 million in the heist.

It is being reported this week by security researchers that starting sometime in August, Click2Gov systems have been attacked again, compromising the systems in eight cities so far. Six of those cities – Deerfield Beach, Florida, Palm Bay, Florida, Milton, Florida, Bakersfield, California, Coral Springs, Florida, and Ames, Iowa – also were hit in the previous attack.

According to the researchers, over 20,000 records have been compromised in the new attack, and payment card information obtained in the attack is being sold on online crime forums. The researchers say that not only is the payment card information of residents in the listed cities compromised, but payment cards belonging to individuals living in all 50 states may also have been compromised in the attack.

Security experts are recommending that individuals who have paid any bills through Click2Gov check their payment card statements closely to detect any fraudulent transactions.

Vimeo Hit with Class Action for Alleged Violations of Biometric Law

Vimeo, Inc. was sued last week in a class action case alleging that it violated the Illinois Biometric Information Privacy Act by “collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information…without informed written consent.”

According to the Complaint, Vimeo “has created, collected and stored, in conjunction with its cloud-based Magisto service, thousands of ‘face templates’ (or ‘face prints’)—highly detailed geometric maps of the face—from thousands of Magisto users.” The suit alleges that Vimeo creates these templates using facial recognition technology and “[E]ach face template that Vimeo extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.” The plaintiffs are trying to liken an image captured by facial recognition technology to a fingerprint by calling it a “faceprint.” Very creative in the wake of mixed reactions to the use of facial recognition technology in the Facebook and Shutterfly cases.

The suit alleges “users of Magisto upload millions of videos and/or photos per day, making videos and photographs a vital part of the Magisto experience….Users can download and connect any mobile device to Magisto to upload and access videos and photos to produce and edit their own videos….Unbeknownst to the average consumer, and in direct violation of…BIPA, Plaintiff…believes that Magisto’s facial recognition technology scans each and every video and photo uploaded to Magisto for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face—all without ever informing anyone of this practice.”

The suit further alleges that when a user uploads a photo, the Magisto service creates a template for each face depicted in the photo and compares that face with others in its face database to see if there is a match. According to the Complaint, the templates are also able to recognize gender, age and location, and biometric information is collected from non-users as well. All of this is allegedly done without the consent of the individuals, in violation of BIPA.

Although we previously have seen some facial recognition cases alleging violation of BIPA, and there are numerous cases alleging violation of BIPA for collection of fingerprints in the employment setting, this case is a little different from those, and it will be interesting to watch.