Fitness App, Equifax Lessons, Biometric Data

Posted by: Julia Annaloro      Date: July 17, 2018

TLP White: We start with the latest in exercise data shenanigans and then learn some lessons from the CISO of Equifax. We conclude today with a look at a law in Illinois dealing with biometric data and who owes whom what when it is collected. Welcome back to Hacking Healthcare:


Hot Links –

  1. Polar Fitness App Revelations. You might recall a story from earlier this year regarding a company called Strava, whose fitness tracking app was found to be revealing the location of its users, including those on sensitive military and government installations.[1] Now we find ourselves in a similar situation with Polar. This time, the information exposure might be more significant, since it appears to show every “exercise a person has performed since 2014 on a single map, allowing potential snoops to gather scores of valuable information on potentially high-ranking people.”[2]

In fact, a group of researchers looking into the matter were ultimately able to identify 6,460 unique users. Those users were shown to have performed over 650,000 exercises at their homes and more than 200 sensitive locations. Example users included “…a nuclear airbase officer, an intelligence officer at a U.S. Air Force base; Western military members in Afghanistan and Iraq; and employees at the NSA and FBI.” Yikes.


All very interesting and concerning, but we’ll let the good folks at Polar describe why we think this is an important issue: “It is important to understand that Polar has not leaked any data, and there has been no breach of private data.”[3] You may have noticed that we have been seeing more of this in recent history. While actual breaches are occurring (sensitive information is being taken without authorization), there is increasing awareness of how data that is simply available publicly, or with very little effort, is creating risk for individuals and organizations alike.

[1] https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

[2] https://www.scmagazine.com/polar-fitness-app-found-to-reveal-movements-of-military-personnel-government-agents/article/779853/

[3] https://www.polar.com/us-en/legal/faq/public_and_private_training_data_statement

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.17.2018 TLP White

Big Tech Healthcare, AI and Cyber Insurance

Posted by: Julia Annaloro      Date: July 11, 2018

TLP White: We look at some of the big technology companies and their goals for healthcare, particularly with artificial intelligence (AI), then continue the AI theme with a look at part of what the government is doing and why it may not be enough. We conclude with a recent court case that is bringing some clarity to the world of cybersecurity insurance.


As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.10.2018 TLP White

FTC on Google/Fb data consent, WPA3, Botnets

Posted by: Julia Annaloro      Date: July 10, 2018

TLP White: Consumer groups urging FTC to look into Google’s and Facebook’s data consent practices, the new California privacy law, new security coming to Wi-Fi networks and some of the recommendations from the government’s recently released Botnet Report for device manufacturers.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.3.2018 TLP White

Significance of Healthcare Delivery Organization & Medical Device Manufacturer Collaboration

Posted by: Julia Annaloro      Date: July 01, 2018

The number of companies that comprise the current healthcare system is staggering. They range in size from quite small to immensely large and they all are interconnected in one way or another. Their collaborative efforts stretch across the entire continuum of healthcare practices and are immensely efficient. One of the most notable of these efforts is the partnership between health delivery organizations (HDOs) and medical device manufacturers. Together, they provide their patients with the best of the best medical care in the world at a truly affordable cost. According to Senior Principal Cyber Security Engineer, Bill Hagestad, a noted expert on the subject, “the taxonomy of competitiveness has developed into a true collegial cyber cooperative. MDMs now share immense amounts of information with each other about the latest cybersecurity issues.”

Here are some of the areas where their interests overlap:

  • The free market reigns almost supreme – The medical device manufacturing (MDM) industry is incredibly competitive. As such, the various manufacturers – from the new ones to the established – are quite territorial in their development of new equipment. Obviously, no company would choose to share its proprietary information about a new piece of equipment with a competitor, yet manufacturers and delivery organizations do, in fact, cooperate. MDMs share whatever information is needed to help provide better safety for their patients.

Continue reading “Significance of Healthcare Delivery Organization & Medical Device Manufacturer Collaboration”

FDA, SaMD, IoT, Apple macOS, Data Breach

Posted by: Julia Annaloro      Date: June 27, 2018

TLP White: FDA’s precertification plans, next generation medical devices and IoT areas, a new Apple macOS discovery, and a recent judgement requiring a large hospital to pay $4.3 million as a result of incurring three data breaches.

Read full blog below:

Hacking Healthcare 6.26.2018 TLP White

MD Survey/Simulation, Facebook, HHS, FDA, PHI

Posted by: Julia Annaloro      Date: June 20, 2018

TLP White

Medical devices and patient safety, Facebook’s request for a federal breach notification law, HHS on an upcoming proposed rule and small businesses, FDA regarding vendors and the agency’s proposed fast-path program for premarket “software as medical device” approval, and survey findings regarding secure messaging for exchanging healthcare data.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 6.19.2018 TLP White

FTC, Apple, Transparency, VPNFilter, HCCIC

Posted by: Julia Annaloro      Date: June 12, 2018

TLP White
FTC’s data security authority, Apple’s WWDC, software transparency, VPNFilter and the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking-Healthcare-6.12.2018-TLP-White-1

AHA’s Ask of FDA, Encryption, DDoS, BotNets…

Posted by: Julia Annaloro      Date: June 05, 2018

TLP White


In this issue: American Hospital Association’s ask that the FDA create a single repository for medical device manufacturers to report cyber vulnerabilities, FBI’s claims about going-dark and end-to-end encryption, botnet and distributed threats report, a new device that would allow Autonomous Vehicles to monitor a passenger’s health and alert local healthcare officials of a medical emergency, and a new Maryland law that incentivizes companies to invest in cybersecurity controls.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 6.5.2018 TLP White

The Challenge of Data Security in a Large Enterprise Network – TLP White

Posted by: Julia Annaloro      Date: June 01, 2018

– TLP White

Globally, hundreds of thousands of companies employ “big data” in one way or another. With millions of devices connected to their respective enterprise servers, threat analysis and cyber security become a major challenge. In fact, most major companies have a team dedicated to the threat intelligence process. Here are a few insights into how these computer experts – in some instances more formally known as data scientists – do what they do with cyber threat intelligence.

Intelligence gathering – Identifying the risks associated with an enterprise level asset is the first step in a structured threat intelligence process. On a strategic level, this means producing a long-term overview of the enterprise’s cyber threat landscape. Secondly, on an operational level, it means proactively assessing potential threats associated with ongoing events, incidents and other activity. Lastly, on a tactical level,

Continue reading “The Challenge of Data Security in a Large Enterprise Network – TLP White”

Breach, Failure to Update, NIST AI, Ransomware

Posted by: Julia Annaloro      Date: May 29, 2018

TLP White


In this issue: LA nonprofit breach, a new study that found users are failing (surprised?) to update their devices with the necessary patches and updates, a new standards-setting process issued by NIST for biomedical imaging and artificial intelligence, another SamSam ransomware attack and a discussion about a recent report addressing the impact ransomware attacks continue to have on the healthcare industry.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 5.29.2018 TLP White