Report on Healthcare – Increase in Threats

IoT and Healthcare

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com


FTC Issues Report on Ways to Improve Mobile App Disclosures

The report, issued February 1st, provides recommendations for the mobile marketplace, including operating system providers such as Amazon, Apple, BlackBerry, Google and Microsoft. The report also addresses application developers, advertising networks, analytics companies and app developer trade associations. The report notes that in the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones. Given such widespread use of the technology, the FTC staff notes that unprecedented amounts of data are being collected. The FTC offers several suggestions for the “major participants” to improve mobile privacy disclosures. The report recommends that mobile platforms should:

-Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;

-Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;

-Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;

-Consider developing icons to depict the transmission of user data;

-Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;

-Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and

-Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

-Have a privacy policy and make sure it is easily accessible through the app stores;

-Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);

-Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.

-Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

-Communicate with app developers so that the developers can provide truthful disclosures to consumers;

-Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

-Develop short form disclosures for app developers;

-Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;

-Educate app developers on privacy issues.

The FTC also introduces Mobile App Developers: Start with Security, a new business guide that encourages developers to aim for reasonable data security, evaluate the app ecosystem before development, and includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The FTC also announced a settlement with the operator of the Path social networking app.  The FTC alleged that the app deceived users by collecting personal information from their mobile device address books without their knowledge or consent.  The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.  The company also agreed to pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

See update from NYT — loophole allows Path to share location data even when a user has turned off location: http://bits.blogs.nytimes.com/2013/02/01/path-photos-location-loophole/