HHS Issues Guidance on Processor Vulnerabilities

In a follow up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” they explain that their teams and other analysts and academics discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years. Recently, the patches also have come under scrutiny as Intel reports reboot problems and slowdowns following implementation.  Microsoft then reported new updates for Windows 10 to resolve such issues.

The fault arises from features built into chips that are supposed to help them run faster.  There is no evidence that the flaws have been exploited but reportedly such exploits may be difficult to detect.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), which is processed on these chips.  HHS warns that entities should employee risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS list the major concerns as:

  • Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
  • Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
  • Web browsers: Possible PHI/PII data leakage
  • Patches: Potential for service degradation and/or interruption from patches

 

Searching medical

Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics.  The alert includes links to various references, support pages and press reports.  Technical Report on Widespread Processor Vulnerabilities

For more information on the vulnerabilities: The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting  briefing on the vulnerabilities and the companies’ handling of them.  Congressman Requests Briefing

 

Class Action Filed Against Chrysler Following “Hack” of Jeep Cherokee

 Connected Cars Present Safety, Security and Privacy Challenges

The Connected Car
The Connected Car

On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harmon International following a recent story in Wired Magazine that detailed how researchers were able to take control of a Jeep Cherokee via the vehicle’s uConnect system.  The suit essentially argues that there is a design defect in these vehicles as programs are pre-loaded onto the vehicle, which have been shown to be insecure and create security and safety vulnerabilities to owners and passengers.  Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855).  The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act.  Plaintiffs allege that because the uConnect system is always connected to the Internet (via 3G cellular data), even if a vehicle owner chooses not to use any Internet related services, there is no way to disable the cellular connectivity.  Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system.  Plaintiffs allege “malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously.”  The system allegedly is also accessible through the vehicles’ USB port, allowing anyone with access to the vehicle to load malicious software onto the system, which would spread to critical functions.  Plaintiffs argue that the uConnect system should be segregated from the other critical systems.  Plaintiffs argue that software updates are only remedial fixes as now that the capability to affect powertrain and safety functionality has been shown, hackers will find new vulnerabilities to exploit.  Plaintiffs argue that a recall is deficient as the vehicles designed this way will never be safe or secure.

The plaintiffs have not alleged that any of them have actually experienced a “system” failure or intercept.  The plaintiffs seek damages, of course, but not tied specifically to any statutory violation.  Also, plaintiffs seek a court order to monitor any recall program or remedial measure.

Plaintiffs appear to be trying to get out in front of potential arguments that a particular car manufacturer may make and that Tesla, for instance, is trying to address.  In Tesla’s case, it would likely argue that because Tesla is so “wired,” to borrow a phrase, the over-the-air updates are meant to identify and patch any vulnerabilities. Every three months every Tesla car receives automated software upgrades.

[See story at:

http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news ]

However, Congress is likely to cast another critical eye on these issues.  Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (“SPY Act”) which would require automobile manufacturers to build IT security standards into connected cars.  Blumenthal has commented that the “same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security.”  If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks.  Part of the effort, as illustrated by the Flynn allegations above, is to require that critical navigation systems would need to be isolated from access points and attempt to stop hacking incidents in “real-time.”  Another feature of the proposed legislation, which is not something the Flynn plaintiffs highlighted or alleged, are the privacy issues.  The legislators are focusing on the collection of data associated with these systems.  The legislation would prevent driving data from being used for advertising or marketing purposes (unless the owner “opts-in” for such use).

connected car 2

Bitcoin – “The Second Age” and Other News

Idea, solution, money
Idea, solution, money

For an update on the state of the online payment exchange landscape see Techcrunch article:

The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin

Looking to move on from Bitcoin is the Winklevoss exchange, Gemini.  There is a dedicated website, which notes that their exchange operates (will operate) fully in the U.S., exclusively with American banks and the dollars never leave the country.  Although not yet operational, the twins filed an application with the New York State Department of Financial Services in July 2015 seeking approval to operate as a trust company.  The approval process may take months.  

http://moneymorning.com/2015/07/27/gemini-bitcoin-exchange-from-the-winklevoss-twins-is-one-step-closer-to-launch/

Back to hacking cars and now guns – what could possible go wrong? It seems like every week there is a new attempt to call out car companies by attempts to hack into remote services  …

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

…and now there are high tech firearms that reportedly can be altered.

Husband and wife hackers claim that high-tech sniper rifles can be hacked. The duo will present their findings at the Black Hat annual conference starting in early August.

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/

iStock_000054011980_Small

Illinois AG Proposes Updates to Breach Law

HiResIllinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2105 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and log in credentials); require entities to notify the AGs office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

Happy Data Privacy Day

dataprivacyiStock_000019536561XSmallThe Ponemon Institute has released its list of Most Trusted Companies for Privacy.  Spoiler alert, they include:

Amazon
American Express
PayPal
Hewlett Packard
IBM

http://www.ponemon.org/blog/ponemon-institute-announces-results-of-2014-most-trusted-companies-for-privacy-study

You might also celebrate by joining IAPP and getting access to the Prudence the Privacy Pro comic strip.

https://privacyassociation.org/news/a/guess-what-its-data-privacy-day/

In related news, the FTC has released a Report on the Internet of Things.  The report includes the following recommendations for companies developing Internet of Things devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

And, finally, a move to update ECPA;

• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.

“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”

An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.

http://www.siliconbeat.com/2015/01/28/data-privacy-day-canada-spying-ecpa-reform-ubers-god-view-protecting-info/

President Proposes Federal Breach Notification Law

ftc_logo_430-centennialIn advance of the State of the Union, President Obama appeared at the Federal Trade Commission today to preview a couple of administration proposals, which will be addressed in the upcoming speech to the nation.  The President addressed a potential federal breach notification statute:

…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans —- even when they do it overseas.

So, the proposal is to standardize breach notification to 30 days (Personal Data Notification & Protection Act; Florida is 30 days; some states say as soon as practicable).

Some express the concern (which is typically voiced by state Attorneys General) that a federal statute would dilute the effectiveness of the consumer protections in place. http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/12/privacy-advocates-a-national-data-breach-notification-standard-might-actually-make-things-worse/

The political pundits comment that it is not clear whether such legislation would make it through Congress.  This is due to certain industry resistance to tackling a new federal statute having absorbed the various state rules; and then there are consumer groups, who worry about preemption on the issue. See comments at:

https://privacyassociation.org/news/a/obama-announces-legislation-on-student-id-consumer-privacy/

Another new proposal is the Student Digital Privacy Act.  This legislation would require that data gathered about students through educational programs can be used only in an educational context, not sold to third parties (similar to the recent California law).

The Administration is also going to revive its 2012 Consumer Privacy Bill of Rights, which lays out principles for online data collection (revised proposal to come out in 45 days).

sotu2015_logo_blog_0

UPDATE:

The President also took up the challenge of “precision medicine:”

I want the country that eliminated polio and mapped the human genome to lead a new era of medicine — one that delivers the right treatment at the right time. In some patients with cystic fibrosis, this approach has reversed a disease once thought unstoppable. Tonight, I’m launching a new Precision Medicine Initiative to bring us closer to curing diseases like cancer and diabetes — and to give all of us access to the personalized information we need to keep ourselves and our families healthier.

This is part of the movement toward tailored therapies and treatments for diseases and chronic conditions.  The example referenced in administration materials was that of a cystic fibrosis patient, given the medicine Kalydeco (developed by a company called Vertex).  Reportedly this is the first drug designed to counter the genetic cause of the life-threatening chronic lung disease.  The medicine targets the underlying cause of the disease for a small subset of patients.

Providing such targeted treatments likewise requires collection of more personalized medical information from patients.  Costs of collecting data and personalizing treatment is noted in reaction to such initiatives but its promoters also hope that “[m]ore research will allow clinicians to make more-precise diagnoses, which in turn drive better treatments.” http://www.modernhealthcare.com/

See also, The Patient-And Her Data-Will See You Now,

http://www.rwjf.org/en/blogs/

“Personalized medicine has the potential to transform our health care system, which consumes almost $3 trillion a year, 80 percent of it for preventable diseases,” Dr. Snyderman said.

Although the new tests and treatments are often expensive, he added, personalized medicine can save money while producing better results. “It focuses therapy on individuals in whom it will work,” he said. “You can avoid wasting money on people who won’t respond or will have an adverse reaction.”

California Updates and Tries to Strengthen Some Privacy Protections

California’s Updates on Breach and Security

Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.

The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state from helping federal intelligence agencies collect telephone records without warrants:

  • SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
  • AB 928 – Requires each state agency and department to conspicuously post its privacy policy on its website
  • AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (type of activity protected from unwarranted capturing of images or photographs; establishes zones of privacy around schools and medical facilities; eliminating the existing physical trespass requirement for invasion of privacy; renders illegal the use of drones and other electronic devices to capture images of individuals in their homes)
  • AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
  • AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
  • SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
  • SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress