The SecuriTea News - Issue #16
Each week The SecuriTea Report brings you the past week's most interesting cybersecurity news. Here's what's new for this week:
Google Under Healthcare Fire Over Privacy Concerns.
Google is under community and regulatory fire over a project that might be violating healthcare patient laws. The technology giant has partnered with a non-profit health organization, Ascension, to provide cloud infrastructure services, as well as artificial intelligence services, that involve “piloting tools that could help Ascension’s doctors and nurses more quickly and easily access relevant patient information, in a consolidated view.” The partnership project, named 'Project Nightingale', is raising concerns over a part of the project that involves Google gathering complete health histories and personal contact information for patients spread across 2,600 hospitals, doctors' offices, and other facilities. Google hopes to apply AI to this data in the hopes of recommending better treatment plans, cross-referencing relevant medical events, recommending replacement of doctors and much more. The issue that arises from this project is that Google is reportedly doing this without the patients being aware that their information is being shared with Google in the first place, as well as the possibility of an employee going rogue and selling this data. Google attempted to address these issues in a blog post after The Wall Street Journal first released the project details, stressing that the law it is alleged to be violating, HIPAA (the Health Insurance Portability and Accountability Act of 1996), does allow medical providers to share protected health information (also known as PHI) with business partners without explicit consent from the consumer. Roger Severino, director of the Office for Civil Rights in the Department of Health and Human Services, told the WSJ in a statement that the division has opened an inquiry that “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented.”
Beware Of Using USB Charging Stations.
The Los Angeles County district attorney's office issued a new warning against those popular public charging stations over a concern called "juice jacking." The D.A. urged people to avoid using public USB charging stations at airports and other public locations because they could be susceptible to tampering. Criminals can load malware onto the convenient charging stations or onto the cables left at the kiosk, and once a device is plugged in, it becomes infected. The malware could send a full backup of the phone plugged into the affected kiosk directly to the criminal. Cyber experts and D.A. officials shared a few tips to keep devices and data safe:
1) Use an AC power outlet, not a USB charging station.
2) Take AC and car chargers for devices when traveling.
3) Consider buying portable chargers for emergencies.
The Time To Save A Life Increases After Health Breaches, Study Shows.
A study by three researchers at Vanderbilt's Owen Graduate School of Management found that IT security measures implemented following data breaches at hospitals may cost valuable time in delivering life-saving care. The paper dives into the discussion about who bears the cost of data breaches, individuals or firms, and how the implications for patients are much higher when their data is stolen. Hospitals are required by law to report data breaches to federal authorities, who then may open an investigation and oversee corrective action. This could mean enhanced authentication processes, longer passwords, quicker logout times for idle computers, and so forth. The research highlights how these new processes and additional security steps are delaying care at crucial moments by impeding quick access to computerized systems. Using breach data and quality data on more than 3,000 hospitals from 2012-2016, they found that following a breach, time-to-EKG and mortality rates both rose, and continued to rise, for about three years before tapering off. Specifically, the average time-to-EKG increased by as much as 2.7 minutes, and an increase in the 30-day mortality rate for heart attacks translated to as many as 36 additional deaths per 10,000 heart attacks per year. The researchers stated that “this long timeframe tells us that in breached hospitals, it’s the remediation efforts—not the breach itself, but the post-breach remediation efforts—that are impacting these time-sensitive processes and patient outcome measures.” They also cautioned that they were not able to determine exactly what was causing the change after the breach, or which security measures in particular may be associated with the delay, but said these findings suggest that federal authorities and hospitals need to carefully consider usability when recommending and implementing changes.
Microsoft to Apply California’s Privacy Law to All U.S. Users.
Microsoft is extending a California law aimed at protecting user privacy to all of its users in the United States, an unexpected move supporting tougher requirements to disclose exactly how the company uses the consumer data it collects. The California Consumer Privacy Act, known as CCPA, is scheduled to go into effect on Jan. 1. It demands more transparency from companies about how user data is being used and disseminated and requires them to give consumers a way to opt out of these actions. In a blog post about the move, Julie Brill, Microsoft’s chief privacy officer, praised the law and the “robust control” it gives people over their data. “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents,” she wrote in the blog post. “Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.” Though the specifics of CCPA and how companies must comply are still being ironed out, Brill said Microsoft will stay up to date on these policies and ensure it is compliant with them for all of its users when the law goes into effect. “Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.,” she wrote. The company also will work with its enterprise customers to help them comply with CCPA and provide them with any tools and guidance they need, Brill added. Not everyone is so enthusiastic about CCPA, however, not least Microsoft's competitors. Rather than opposing data privacy outright, technology leaders have instead taken the position that they would prefer a national law providing consistent guidelines over a patchwork of individual state laws, which would require more investment on their part.
Amazon Fixed Flaw in Ring Devices That Could Leak Wi-Fi Credentials.
Amazon has patched a vulnerability (meaning it has fixed a flaw) in its Ring smart doorbell device that could allow attackers to access the owner’s Wi-Fi network credentials and potentially reconfigure the device to launch an attack on the home network. Researchers discovered the problem in Amazon’s Ring Video Doorbell Pro IoT device, a smart doorbell that combines security cameras with motion detection to help protect people’s homes against intrusion. If exploited (that is, taken advantage of), the problem, outlined in a whitepaper published online, would allow an attacker physically near the device to intercept Wi-Fi network credentials, according to Bitdefender, the security company that discovered the flaw. The issue with this device lies in how users first configure it: if you have a smart device, for example an Alexa, when you enter setup mode the device creates a separate Wi-Fi access point for you to connect to in order to complete the setup. The Ring device setup has this same type of configuration step, but requires you to send your regular Wi-Fi credentials over this separate connection. This separate Wi-Fi connection is insecure, unprotected by a password, and transmits (or sends) the credentials in plaintext. (Plaintext means the data is not encrypted or otherwise protected, so it can be read by anyone eavesdropping on the connection.) Now, while your neighbor using your Wi-Fi may not seem like the end of the world, the other issue is that if a malicious neighbor or an attacker in the neighborhood happened to be eavesdropping on this setup connection and obtained these credentials, they could go on to access and attack the rest of the smart devices connected to your Wi-Fi, possibly taking the network down altogether. No Amazon Ring users appear to have been affected by the flaw at this point.
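To make the setup weakness concrete, here is an added illustration (not Ring's or Bitdefender's code, and not Ring's actual protocol): a hypothetical doorbell provisioning request in the weak form the article describes, plaintext JSON sent over an open setup network, beside a hardened form that seals the credentials under a key derived from a hypothetical per-device secret (for example, one printed on a label inside the device), so that a listener on the setup network recovers nothing usable. The SSID, passphrase, device secret, endpoint path and host name are constructed sample values; the encrypt-then-MAC construction built from hashlib and hmac is illustrative, standing in for TLS or a vetted AEAD.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample input: the home network the doorbell is being told to join.
HOME_SSID = "HomeNet-EXAMPLE"
HOME_PSK = "correct horse battery staple"
# Hypothetical per-device secret, e.g. printed on a label or QR code inside the
# device, so only someone holding the device can read the setup payload.
DEVICE_SECRET = "EXAMPLE-DEVICE-SECRET-0000"

NONCE_LEN = 16
TAG_LEN = 32


def build_plaintext_setup_request(ssid: str, psk: str) -> bytes:
    """Weak design: the phone app posts the home Wi-Fi credentials as
    plaintext JSON over plain HTTP on an open (no password) setup network."""
    body = json.dumps({"ssid": ssid, "password": psk}).encode()
    return (b"POST /setup HTTP/1.1\r\nHost: device.local\r\n"
            b"Content-Type: application/json\r\n\r\n" + body)


def passive_listener_view(frame: bytes) -> Optional[dict]:
    """What anyone within radio range of an open setup network gets from a
    captured request: if the body is readable JSON carrying a password field,
    the home network credentials have leaked. Returns None otherwise."""
    _, _, body = frame.partition(b"\r\n\r\n")
    try:
        data = json.loads(body)
    except ValueError:  # not text, or not JSON: nothing readable here
        return None
    if isinstance(data, dict) and "password" in data:
        return {"ssid": data.get("ssid"), "password": data["password"]}
    return None


def _derive_keys(device_secret: str, nonce: bytes) -> Tuple[bytes, bytes]:
    """Illustrative KDF: stretch the per-device secret with a fresh nonce and
    split the output into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", device_secret.encode(), nonce,
                                   50_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as an illustrative stream
    cipher; production code would use TLS or an AEAD from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_setup_payload(ssid: str, psk: str, device_secret: str) -> bytes:
    """Hardened design: encrypt-then-MAC the credentials under keys derived
    from the per-device secret. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(device_secret, nonce)
    plaintext = json.dumps({"ssid": ssid, "password": psk}).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_setup_payload(blob: bytes, device_secret: str) -> dict:
    """Device side: verify the tag before decrypting, so a payload that was
    tampered with or sealed under the wrong secret is rejected outright."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("setup payload too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(device_secret, nonce)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("setup payload failed authentication")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def build_sealed_setup_request(ssid: str, psk: str, device_secret: str) -> bytes:
    """Same request shape as the weak design, but the body is the sealed blob,
    so a listener on the setup network sees only random-looking bytes."""
    body = seal_setup_payload(ssid, psk, device_secret)
    return (b"POST /setup HTTP/1.1\r\nHost: device.local\r\n"
            b"Content-Type: application/octet-stream\r\n\r\n" + body)


if __name__ == "__main__":
    leaked = passive_listener_view(build_plaintext_setup_request(HOME_SSID, HOME_PSK))
    print("open setup network + plaintext JSON, listener recovers:", leaked)
    sealed = build_sealed_setup_request(HOME_SSID, HOME_PSK, DEVICE_SECRET)
    print("sealed payload, listener recovers:", passive_listener_view(sealed))
    _, _, blob = sealed.partition(b"\r\n\r\n")
    print("device holding the secret decodes:", open_setup_payload(blob, DEVICE_SECRET))
```

Run as a script, the listener recovers the SSID and passphrase from the plaintext request and nothing from the sealed one, while the device side verifies the tag before decrypting, so a payload from someone without the device secret, or one altered in transit, is rejected. A password-protected setup network or a TLS connection to the device provides the same protection one layer down; the point the article makes is that an open network carrying plaintext credentials provides neither.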
And that's a wrap for your weekly SecuriTea Report. Be sure to check back every week for the latest in information security news. Follow us on social media for daily news.