HHS Issues Guidance on Processor Vulnerabilities

In a follow-up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” the company explains that its teams, together with other analysts and academics, discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years.  Recently, the patches also have come under scrutiny, as Intel reports reboot problems and slowdowns following implementation.  Microsoft then released new updates for Windows 10 to resolve such issues.

The fault arises from features built into chips that are supposed to help them run faster.  There is no evidence that the flaws have been exploited, but reportedly such exploits may be difficult to detect.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), that is processed on these chips.  HHS warns that entities should employ risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS lists the major concerns as:

  • Medical devices: challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use;
  • Cloud computing: potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments;
  • Web browsers: possible PHI/PII data leakage;
  • Patches: potential for service degradation and/or interruption from patches.

Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics, and includes links to various references, support pages and press reports: Technical Report on Widespread Processor Vulnerabilities.

For more information on the vulnerabilities, see The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting a briefing on the vulnerabilities and the companies’ handling of them: Congressman Requests Briefing.

Bitcoin – “The Second Age” and Other News

For an update on the state of the online payment exchange landscape see Techcrunch article:

The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin

Looking to move on from Bitcoin is the Winklevoss exchange, Gemini.  There is a dedicated website, which notes that their exchange operates (will operate) fully in the U.S., exclusively with American banks and the dollars never leave the country.  Although not yet operational, the twins filed an application with the New York State Department of Financial Services in July 2015 seeking approval to operate as a trust company.  The approval process may take months.  

http://moneymorning.com/2015/07/27/gemini-bitcoin-exchange-from-the-winklevoss-twins-is-one-step-closer-to-launch/

Back to hacking cars and now guns – what could possibly go wrong?  It seems like every week there is a new attempt to call out car companies by hacking into their remote services …

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

…and now there are high tech firearms that reportedly can be altered.

Husband and wife hackers claim that high-tech sniper rifles can be hacked. The duo will present their findings at the Black Hat annual conference starting in early August.

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/

Illinois AG Proposes Updates to Breach Law

Illinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2015 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical and health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and login credentials); require entities to notify the AG’s office and create a database of breaches affecting Illinois; and enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

Tracking the Injury in Personal Injury

A Canadian law firm is using wearable technology to provide information for assessing a personal injury client’s loss and potential damages.  McLeod Law in Calgary states on its website that “Vivametrica’s Functional Activity Assessment tool provides a method for the early assessment of the strength of a client’s case. The Functional Activity Assessment closes the gap between what a client perceives and what is objectively verifiable.”  Vivametrica states that it analyzes data from wearable sensor devices for the assessment of health and wellness.  While not using Fitbit data directly, the technology reportedly “uses public research to compare a person’s activity data with that of the general population.”  As noted on the Vivametrica website, this technology also allows caregivers to engage on a more specific level with the wearers.  In the Canadian case, reportedly this is the first time such technology will be used directly in a court case.

This will be an interesting test case, not only in terms of presenting the plaintiff’s case for damages, but also in how defendants and juries respond to the introduction of such evidence and whether it sets a new standard for such cases.

http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

https://www.mcleod-law.com/news/vivametricas-analytics-platform-supports-personal-injury-claims

Brazil’s SPI: 45.2…Whatever That Means

Nate Silver’s FiveThirtyEight blog is featuring an algorithm versus the marketplace bracket mechanism.  While Brazil is heavily favored to win the World Cup, FiveThirtyEight favors them even more than the betting shops — based on “real math.”  Nate describes the system as follows:

Today we’re launching an interactive that calculates every team’s chances of advancing past the group stage and eventually winning the tournament. The forecasts are based on the Soccer Power Index (SPI), an algorithm I developed in conjunction with ESPN in 2010. SPI has Brazil as the heavy favorite, with a 45 percent chance of winning the World Cup, well ahead of Argentina (13 percent), Germany (11 percent) and Spain (8 percent).

The overwhelming factor in this scoring is Brazil’s dominance at home.

Also, relatively good news for Team USA — the betting line has them at a 0.3% chance of winning the World Cup, while FiveThirtyEight’s SPI has them at 0.4%.

Good luck #USMNT – indeed!

Go to:

http://fivethirtyeight.com/features/its-brazils-world-cup-to-lose/

And:

http://www.ussoccer.com/stories/2014/06/09/19/44/140609-mnt-travel-to-brazil-feature

And, just in time, Symantec releases its 96-page report: “Latin American + Caribbean Cyber Security Trends.”  The report includes individual country reports, which provide details on government capabilities for dealing with cyber security and cybercrime, including any relevant statistics released by the governing authorities regarding sectors affected by cybercrime.  Symantec likewise provides some quick country stats, for example:

Brazil:

Population: 201,033,000

Internet Penetration: 49.8%

Fixed Broadband Subscribers: 9.2%

And, Symantec, along with its co-sponsor, Organization of American States, sounds the alarm bell for scams and potential vulnerabilities in relation to the World Cup.  From the report:

The 2014 FIFA World Cup in Brazil is expected to be one of the largest sporting events of this century.  While the world comes together to celebrate and compete in sport, cybercriminals have unfortunately identified vulnerabilities and may be plotting attacks against critical infrastructure.  In fact, members of international hacking groups such as Anonymous have recently made threats against official websites operated by FIFA, the Brazilian Government and corporate sponsors of the games.

Several malware operations, phishing attacks, and email scams linked to the World Cup have already been discovered.

See the report at:

http://www.symantec.com/content/en/us/enterprise/other_resources/b-cyber-security-trends-report-lamc.pdf

UPDATE:

US defeats Ghana in opening match (despite cramping and a bash to the nose).

Back to FiveThirtyEight – chances of a team advancing: U.S. at 63% (I think).  And, significantly, Brazil SPI now at 91.3.  (The commenters suggest the model does not favor a tie.)

And now, Belgium:

Belgium is dangerous, but not as dangerous as tournament favorites Brazil, Germany and Argentina. Meanwhile, the Netherlands, France, Chile and Colombia also look more threatening than Belgium based on the things SPI looks at: pre-tournament resumes, form so far in the World Cup and, in the case of Chile and Colombia, games closer to home.

Our match-prediction algorithm gives the U.S. about a 42 percent chance of winning a knockout-stage game against Belgium based on each team’s SPI rating as of Thursday morning.

http://fivethirtyeight.com/datalab/the-u-s-s-odds-of-beating-belgium-and-every-other-world-cup-opponent/


UPDATE:

So, by now, we know the real SPI belongs to Germany.  Cool graphic re: Twitter traffic during World Cup Final:

http://cartodb.com/v/worldcup/match/?TC=x&vis=30acae6a-0a51-11e4-8918-0e73339ffa50&h=t&t=Germany,B40903%7CArgentina,5CA2D1&m=7%2F13%2F2014%2016:00:00%20GMT,7%2F12%2F2014%2018:35:00GMT&g=147%7C#/2/-11.7/-8.4/0

FiveThirtyEight’s revised analysis:

Germany didn’t begin the World Cup as the favorite. That honor belonged to (ahem) Brazil. But that’s a slightly deceptive measure. This was a top-heavy World Cup; not only Brazil but also Germany, Argentina and Spain would have been the front-runners in many past editions of the tournament.

By the end of the World Cup, Germany left little doubt it is the best team in the world. In fact, it may be the best national soccer team ever assembled.

http://fivethirtyeight.com/datalab/germany-may-be-the-best-national-soccer-team-ever/

Data and Security – Balancing Use and Oversight

Using Anonymous Patient Data

The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute.  This was part of the move to get better information, i.e. usable data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act.  The anonymized or de-identified data is supposed to help clinicians draw meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry.  The PCORI network is supposed to identify patients who could be invited to join clinical trials.  The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations.  Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html


The FTC Can Seek to Enjoin

In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers.  In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents.  The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”  The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices.  Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court.  The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.”  Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco).  Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim.  The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access.  The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices.  Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception.  The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches.  The injunction route can be fraught with technical issues and questions about how best to tailor oversight of an entity’s practices and promises.  However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions.  More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf

Report on Healthcare – Increase in Threats

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable devices/applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com

Yahoo! Hacked

In a blog post, Yahoo reports that attackers now hold an undisclosed number of usernames and passwords to Yahoo Mail accounts.  Usernames and passwords are attractive on the premise that consumers reuse the same name-password combination across multiple platforms, including for financial accounts.

http://www.pcworld.com/article/2092198/yahoo-acknowledges-yahoo-mail-hack.html

http://www.latimes.com/business/technology/la-fi-tn-yahoo-mail-breach-number-users-not-disclosed-20140130,0,3294421.story#axzz2ryl2Z3RX

Cases and Classes: Updates on Litigation, Decisions Relating to Data Breaches

Sony

In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony’s Motion to Dismiss class action litigation, which arose out of the April 2011 breach of Sony’s PlayStation Network.  Sony sought dismissal of plaintiffs’ First Amended Complaint on several grounds, including standing.  Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes Named Plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York – fifty-one claims in the consolidated action, including negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith).  The court dismissed without leave to amend the Ohio and FCRA claims.

In addition, Sony sought to dismiss on the basis of Article III standing – that plaintiffs’ allegations failed to allege an “injury-in-fact” as a result of the intrusion.  Essentially, Sony sought another ruling on the issue in light of the Supreme Court’s ruling in Clapper v. Amnesty International.  In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act (“FISA”) because their work requires them to communicate with international subjects.  The Clapper plaintiffs argued that they would be targeted under the Act and had already undertaken costly and burdensome measures to protect the confidentiality of international sources.  The Supreme Court found that the claimants failed to show that the “threatened injury” was “certainly impending.”  The Supreme Court stated that a “speculative chain of possibilities … based on potential future surveillance” was not enough.  The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.

Sony argued that the Clapper ruling resulted in a more “tightened ‘injury-in-fact’ analysis” than the standard relied upon by the trial court (under Krottner v. Starbucks).  Judge Battaglia in the Sony Gaming decision refused to acknowledge a distinction between the analysis he previously made based on Krottner and the Supreme Court’s standards outlined in Clapper.  Judge Battaglia stated that courts in the Ninth Circuit “have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…”  Judge Battaglia said that although Sony argued that plaintiffs’ allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, nonetheless, plaintiffs “plausibly alleged a ‘credible threat’ of impending harm…”

So, another test of the injury-in-fact issue relating to so-called fear of identity theft.  The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google).  The distinctions in the cases regarding whether a plaintiff can allege some kind of injury, for now, appear to turn on whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information.  As more and more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.

Kaiser

In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of unfair business codes because of Kaiser’s alleged delay in disclosing a breach of its security systems.  The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz.  Included in the data were employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (data going back to 2009).  Kaiser secured the data and conducted an examination revealing over 30,000 SSNs and other sensitive information; the examination was completed by December 28, 2011.  Kaiser continued the inventory, and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012.  Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012.  The AG also alleges that Kaiser violated CA code by publicly posting or displaying SSNs of 20,000-plus residents.  The AG seeks $2,500 for each violation.

Horizon

On January 28, 2014, a putative nationwide class action suit was filed against Horizon Healthcare Services (d/b/a Horizon Blue Cross Blue Shield of New Jersey) alleging that Horizon failed to secure PII and PHI including names, DOBs, SSNs, addresses, demographic information, medical histories, lab results, insurance information and other data collected by Horizon.  The allegations deal with an incident in November 2013 when two unencrypted laptops were stolen from Horizon’s headquarters in Newark, New Jersey.  Plaintiffs allege violations of the Horizon privacy policy; that Horizon did not undertake encryption measures even though it suffered a similar breach in 2008; and that Horizon ignored government and industry warnings regarding encryption.  The counts include violations of FCRA, negligence, breach of contract (the members’ health insurance contracts or handbook include privacy representations/safeguards), and violations of NJ consumer fraud statutes (misrepresentations/omissions re: privacy policies and encryption; failure to destroy unneeded records; failure to expediently notify following a breach).

Yet another example of how the healthcare and health insurer industry will continue to remain a target given the wealth of member information it manages.  As with the recent Target data breaches, predictably, legislators took the opportunity to investigate and interrogate company officials.  See article at:

http://www.nj.com/politics/index.ssf/2014/01/nj_senate_health_panel_grills_horizon_about_two_stolen_laptops.html