Fitness App, Equifax Lessons, Biometric Data

Posted by: Julia Annaloro      Date: July 17, 2018

TLP White: We start with the latest in exercise data shenanigans and then learn some lessons from the CISO of Equifax. We conclude today with a look at a law in Illinois dealing with biometric data and who owes whom what when it is collected. Welcome back to Hacking Healthcare:


Hot Links –

  1. Polar Fitness App Revelations. You might recall a story from earlier this year regarding a company called Strava, whose fitness tracking app was found to be revealing the location of its users, including those on sensitive military and government installations.[1] Now we find ourselves in a similar situation with Polar. This time, the information exposure might be more significant, since it appears to show every “exercise a person has performed since 2014 on a single map, allowing potential snoops to gather scores of valuable information on potentially high-ranking people.”[2]

In fact, a group of researchers looking into the matter were ultimately able to identify 6,460 unique users. Those users were shown to have performed over 650,000 exercises at their homes and more than 200 sensitive locations. Example users included “…a nuclear airbase officer, an intelligence officer at a U.S. Air Force base; Western military members in Afghanistan and Iraq; and employees at the NSA and FBI.” Yikes.


All very interesting and concerning, but we’ll let the good folks at Polar describe why we think this is an important issue: “It is important to understand that Polar has not leaked any data, and there has been no breach of private data.”[3] You may have noticed that we have been seeing more of this in recent history. While actual breaches are occurring (sensitive information is being taken without authorization), there is increasing awareness of how data that is simply available publicly, or with very little effort, is creating risk for individuals and organizations alike.

[1] https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

[2] https://www.scmagazine.com/polar-fitness-app-found-to-reveal-movements-of-military-personnel-government-agents/article/779853/

[3] https://www.polar.com/us-en/legal/faq/public_and_private_training_data_statement
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.17.2018 TLP White

Big Tech Healthcare, AI and Cyber Insurance

Posted by: Julia Annaloro      Date: July 11, 2018

TLP White: We look at some of the big technology companies and their goals for healthcare, particularly with artificial intelligence (AI), and then continue the AI theme with a look at part of what the government is doing, and why it may not be enough. We conclude with a recent court case that is bringing some clarity to the world of cybersecurity insurance.


As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.10.2018 TLP White

FTC on Google/Fb data consent, WPA3, Botnets

Posted by: Julia Annaloro      Date: July 10, 2018

TLP White: Consumer groups urging FTC to look into Google’s and Facebook’s data consent practices, the new California privacy law, new security coming to Wi-Fi networks and some of the recommendations from the government’s recently released Botnet Report for device manufacturers.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC. Read full blog below:

Hacking Healthcare 7.3.2018 TLP White

FDA, SaMD, IoT, Apple macOS, Data Breach

Posted by: Julia Annaloro      Date: June 27, 2018

TLP White: FDA’s precertification plans, next generation medical devices and IoT areas, a new Apple macOS discovery, and a recent judgement requiring a large hospital to pay $4.3 million as a result of incurring three data breaches.

Read full blog below:

Hacking Healthcare 6.26.2018 TLP White

MD Survey/Simulation, Facebook, HHS, FDA, PHI

Posted by: Julia Annaloro      Date: June 20, 2018

TLP White

Medical devices and patient safety, Facebook’s request for a federal breach notification law, HHS on an upcoming proposed rule and small businesses, FDA regarding vendors and the agency’s proposed fast-path program for premarket “software as medical device” approval, and survey findings regarding secure messaging for exchanging healthcare data.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:
Hacking Healthcare 6.19.2018 TLP White

FTC, Apple, Transparency, VPNFilter, HCCIC

Posted by: Julia Annaloro      Date: June 12, 2018

TLP White
FTC’s data security authority, Apple’s WWDC, software transparency, VPNFilter and the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 6.12.2018 TLP White

AHA’s Ask of FDA, Encryption, DDoS, BotNets…

Posted by: Julia Annaloro      Date: June 05, 2018

TLP White


In this issue: American Hospital Association’s ask that the FDA create a single repository for medical device manufacturers to report cyber vulnerabilities, FBI’s claims about going-dark and end-to-end encryption, botnet and distributed threats report, a new device that would allow Autonomous Vehicles to monitor a passenger’s health and alert local healthcare officials of a medical emergency, and a new Maryland law that incentivizes companies to invest in cybersecurity controls.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 6.5.2018 TLP White

Breach, Failure to Update, NIST AI, Ransomware

Posted by: Julia Annaloro      Date: May 29, 2018

TLP White


In this issue: LA nonprofit breach, a new study that found users are failing (surprised?) to update their devices with the necessary patches and updates, a new standards-setting process issued by NIST for biomedical imaging and artificial intelligence, another SamSam ransomware attack and a discussion about a recent report addressing the impact ransomware attacks continue to have on the healthcare industry. 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 5.29.2018 TLP White

State Breach Notification Laws, Info Sharing…

Posted by: Julia Annaloro      Date: May 22, 2018

TLP White


In this issue: a roundup of state breach notification laws and related federal proposals, MyFitnessPal breach, a new approach to improving information sharing between the private sector and the government and one last GDPR reminder before the highly anticipated EU regulation goes into effect on the 25th.  Welcome back to Hacking Healthcare:
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 5.22.2018 TLP White

Hack-Back Veto, NIST, DHS Cyber, MS 365, Vendor Bans

Posted by: Julia Annaloro      Date: May 15, 2018

TLP White

In this issue: A Governor’s veto of a bill that would have criminalized unauthorized computer access and permitted companies to engage in hack-back activity, a recently issued NIST request for input on improving the cybersecurity of healthcare imaging systems, a new report that claims the DHS plans to take on new initiatives to curb systemic cyber risk and supply chain threats; a new zero-day vulnerability discovered in Microsoft Office 365; and the effect a US government ban on vendors would have on businesses.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking Healthcare 5.15.2018 TLP White