Hot Links –
- Google gets Aggressive: I’m a fan of simple and intuitive security disclosures that can inform (or nudge) the market to reward good security practices. Google Chrome’s move towards more intuitive and visible markings for unencrypted web traffic is a good step in the right direction. Tinder had better catch up!
- Olympic Destroyer: It looks like the Olympic organizers dodged a bullet ahead of the opening ceremony. Talos says that the purpose of the attack was disruption and destruction – rather than any attempt at theft. “The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment.”
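The Talos description above names three behaviours worth hunting for in endpoint telemetry: deletion of shadow copies, clearing of event logs, and the use of PsExec or WMI to move to other machines. As an added example (not part of the newsletter, and not Talos's code or detection content), the Python script below runs a simple triage rule over constructed process-creation events: it classifies each command line into one of those three behaviours and flags a host only when more than one behaviour appears, since a lone shadow-copy deletion can be a legitimate administrative action. The command-line patterns (`vssadmin delete shadows`, `wbadmin delete catalog`, `wevtutil cl`, `psexec`, `wmic /node: ... process call create`) are my assumption about how these behaviours commonly surface in Sysmon or Security 4688 records; host names and events are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (simplified Sysmon Event ID 1 /
# Security 4688 records). Illustrative only; not real Olympic Destroyer
# telemetry. Host names and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe C:\\Users\\a\\report.docx"},
    {"host": "WS01", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "parent": "cmd.exe", "image": "wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "WS01", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl System"},
    {"host": "WS01", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "parent": "svchost.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},          # query only, benign
    {"host": "WS01", "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": "psexec.exe \\\\WS02 -s cmd.exe /c hostname"},
    {"host": "WS01", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:WS03 process call create "cmd.exe /c hostname"'},
    {"host": "WS04", "parent": "backupagent.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                  # benign
    {"host": "WS05", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Setup"},                      # one behaviour only
]

# Each behaviour from the Talos description maps to command-line patterns.
# The utilities are standard Windows tools; the patterns are an assumption
# about how the behaviour typically appears in process telemetry.
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I),
    ],
    "remote_execution": [
        re.compile(r"\bpsexec(\.exe)?\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I),
    ],
}


def classify(event):
    """Return the set of behaviour names whose patterns match the event's command line."""
    cmd = event["cmdline"]
    return {name for name, patterns in BEHAVIOUR_PATTERNS.items()
            if any(p.search(cmd) for p in patterns)}


def analyze(events):
    """Group matches per host: {host: {"categories": set, "hits": [(category, parent, cmdline)]}}.
    Hosts with no matching events do not appear in the result."""
    per_host = defaultdict(lambda: {"categories": set(), "hits": []})
    for ev in events:
        for cat in classify(ev):
            per_host[ev["host"]]["categories"].add(cat)
            per_host[ev["host"]]["hits"].append((cat, ev["parent"], ev["cmdline"]))
    return dict(per_host)


def flagged_hosts(events, min_categories=2):
    """Hosts showing at least `min_categories` distinct behaviours.
    A single shadow-copy deletion or log clear may be routine administration;
    the combination of recovery destruction, log wiping and remote execution
    on one host is the pattern the description above warns about."""
    return sorted(host for host, info in analyze(events).items()
                  if len(info["categories"]) >= min_categories)


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(host, sorted(info["categories"]))
        for cat, parent, cmd in info["hits"]:
            print(f"  [{cat}] parent={parent}: {cmd}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Running it prints the per-host hits and flags only WS01, which shows all three behaviours; WS04 (a backup agent merely listing shadow copies) produces no hit, and WS05 (a single log clear) is recorded but stays below the threshold. The parent process is kept in each hit because it is usually the quickest way to tell an administrator's console session from a malicious parent when triaging.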
- Budgets: Last Friday, the President signed a two-year spending bill into law.
This week, the White House released a proposal for its next budget. While the proposal included big spending cuts across the board, security spending got some bumps. The budget proposes a significant increase for the DHS office that handles critical infrastructure security and federal network security.
That being said, Treasury, Education, Energy, and Interior all had proposals to increase their ability to support the cybersecurity of key critical infrastructure. HHS didn’t get any of the same attention. What gives?
No one believes this proposal will be adopted by Congress. But it does serve an important role in signaling the Administration’s priorities. The new HHS Secretary is due to defend the proposal in a hearing on Wednesday morning. Let’s see if he talks cyber.
- GDPR: As we started to discuss last week, GDPR is the new General Data Protection Regulation that comes into effect on May 25. GDPR establishes the rights of European residents in relation to their personal data. It is designed to protect the privacy of European citizens and residents – and in doing so impacts all organizations that are located in Europe or that collect or store the information of European residents.
GDPR pertains not only to how an organization must protect information and notify impacted parties in the event of a breach, but also when and how it is permissible for an entity to collect, store, and process personal data.
Personal data is the broad term under GDPR for “any information relating to an identified or identifiable natural person (data subject).” This is a more inclusive definition than PII in the U.S. – a name or even an IP address can constitute personal data under the GDPR.
Health data is given special consideration under the GDPR. Under the regulation there is a default prohibition against processing health data – which includes “data concerning health,” biometric data, and genetic data. To process health data certain conditions must be met. One condition is for the data subject to provide “explicit consent.” This is the strongest grounds for an organization to stand on – and is somewhat like the provisions requiring disclosure and affirmative consent within HIPAA. There are further conditions where health data can be processed – most notably when “processing is necessary for the purposes of preventive or occupational medicine.”
GDPR sets an expectation that organizations will report any breaches very quickly – “without undue delay and, where feasible, not later than 72 hours after becoming aware of it” – to the relevant national supervisory authority. There is a further obligation to notify the data subject without undue delay.
Similar to OCR’s view, ransomware may constitute a data breach that requires reporting under GDPR unless an organization can demonstrate that the ransomware attack “is unlikely to result in a risk to the rights and freedoms of natural persons.”
Notes –
- “Data concerning health” is defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
- Article 9, Paragraph 2.8
- Definitions, from Article 4, paragraph 12: “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.
Read full blog below: Newsletter_NH-ISAC_Public_021318