Why are you getting this? You signed up to receive the Tips, asked to stay in touch with Rebecca and/or  Privacy & Security Brainiacs (PSB), or consented to receive them. Please read our Privacy Note & Communication Info at the bottom of this message for more information.

Why Privacy Invasion is Heating Up This Summer You may be traveling this summer (like I was...see the photos, below). That can make you especially vulnerable to surveillance and data breaches. Relax, but know your privacy facts. The pandemic, the recent overturn of Roe v Wade, and our adoption of tracking devices to measure our personal health all raise a wide range of issues around surveillance and the use of our individual health data and behaviors. On June 24th, the Dobbs ruling gave rise to many new federal and state-level bills that relate to women's right to privacy as it relates to abortion. Among the Supreme Court's statements were opinions from Griswold (right to contraception and related privacy), Lawrence (right to same-sex relationships and associated privacy), and Obergefell (right to marriage equality and related privacy. These statements have raised the alarm for potential plans to cast the net to much broader areas of everyone’s life for privacy concerns. Many consumers are more concerned than ever about their personal choices and health-related data. So, who's really watching you this summer? This issue of my Tips focuses on surveillance and how it can impact your personal and professional privacy. Get smarter, so you can enjoy a more relaxing and informed summer season.

Rebecca We would love to hear from you! Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

Here's a glimpse of my travel to national parks with my son. Remember to stay safe and aware throughout your own summer adventures!

Valley of the Gods, Utah

Gooseneck State Park, Utah With my son Heath at Valley of the Gods

August Tips of the Month Monthly Awareness Activity Privacy & Security Questions and Tips Data Security & Privacy Beacons Privacy and Security News Where to Find the Privacy Professor

Monthly Awareness Activity

August 7th through 13th is considered National Health Week, promoted by the National Association of Community Health Centers. This organization advocates for emergency community health centers and long-term funding for centers that serve all. Ways we can build awareness of privacy and security during this week include: Educating individuals and communities (at a booth at a health center) about how to change settings on their health-tracking devices to strengthen privacy protection. Providing a list of the most secure and privacy-friendly health tracking devices and those that may be more unsafe. Asking local schools and companies what types of tracking devices they use in their buildings and buses. Then, find out how they secure and share that data. What other engaging and educational activities do you suggest for that week? Please share them!

Privacy & Security Questions and Tips Rebecca answers hot-topic questions from Tips readers August 2022

The June Supreme Court decision on Dobbs (see above) resulted in many questions from our readers about surveillance and health data.  Your wellness and personal health decisions are now more public than ever and extend way beyond HIPAA regulations. Please keep your questions coming.

Q: I use an Oura Ring. In the U.S., is the health data that's collected protected under HIPAA? Does GDPR protect it in the EU? A: Oura rings and other smart IoT (Internet of Things) health and fitness gadgets provide deep insights into the wearer's health conditions, activities, and locations. They can be invaluable in helping your physician, personal trainer, or other health professionals monitor your health status. But, in most cases, these direct-to-consumer health monitors are NOT protected under HIPAA. How the data is used by healthcare providers is a complicated issue. Because most consumer health trackers are not approved by the U.S. Food and Drug Administration (FDA) as medical devices, they generally can't be prescribed. The U.S. has not yet passed federal regulations specific to IoT security and privacy. In fact, the data your ring is collecting can usually be shared with or sold to third parties. An analysis of Oura ring security and privacy issues was published late last year. These issues do not relate just to this specific device. GDPR in the EU does provide data protections and other countries are adopting legislation as well.  If you have questions or insights into IoT health trackers, let us know!

Q: What types of apps collect my health data? Who gets access to it?  A: You may think of "health data" as only trackable through fitness devices. But other types of apps and technologies can also make smart assumptions about your health, based on your behaviors. This trend started at least a decade ago. For example, Target used consumer buying data in 2011 to draw conclusions about whether women were pregnant, sometimes even when the women and their families didn't even know. For example, A Minnesota father received discount coupons at home and discovered his teen daughter was expecting. Today, Artificial Intelligence (AI), online quizzes, Google searches, and shopping trackers give brands even more information about your body and your health concerns. Reproductive health is a real hot-button issue these days. Women should be wary of any app that tracks menstrual cycles and other reproductive health conditions. Here's how Wired ranks the privacy risks of these apps. What can you do? Review all the apps on your phone, tablet, and other devices and delete and completely uninstall the ones you don't use. Look at the privacy policies for every remaining app. If they don't indicate how they use and share your data, remove those apps. I have only about 10-15 active apps on my phone. The average smartphone user has more than 50!

Q: When I receive care in a clinic, how can my data be accessed? What is a Log4j vulnerability? A: Let's answer the second question first. A Log4j vulnerability is a weakness in a set of software code that allows attackers to execute arbitrary code on a compromised system or device, including those used by healthcare providers. Healthcare professionals have a responsibility to understand and correct these risks. Because Log4j code is used widely in a number of different technology products (including those sold by VMware, IBM, Oracle, Cisco, and SolarWinds), finding and fixing the issues is complex and time-consuming. The good news is that incidents of data breaches have been low. But Log4j vulnerability remains a real issue that may open the health care world to hacks for years to come for all products where the fixes have not been applied. If you work for an organization that hasn't yet assessed and fixed its vulnerabilities, use some of the readily-available tools to find and fix them. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) GitHub page is good for those who have experience with technology. They provide a “Read Me” page that will be useful.  Microsoft has Log4j scanning tools within Microsoft 365 Defender, including updates that provide a “consolidated view” of the organization’s exposure to the vulnerabilities on the device, software and vulnerable component level via automated and complementing capabilities.  CrowdStrike has a free Log4j scanning tool available, called the CrowdStrike Archive Scan Tool (CAST).  TrendMicro provides the Log4j Vulnerability Scanner and the Log4Shell Vulnerability Assessment Tool to help administrators secure their environment, and also provides a training video on how to use it.  Arctic Wolf also released a free scanner and accompanying training video.  Rezillion did research and provided tables comparing a variety of scanners.

Q: Will upgrading my work computer from Windows 10 to Windows 11 improve security and privacy? A : We’ve been impressed with the new security and privacy capabilities in Windows 11. Some great new privacy options, and privacy auditing, capabilities have been introduced as well.  Some businesses may have policies requiring employees to use specific types of operating systems, so check with your IT or privacy department first. Make sure the upgrade won't have negative impacts on other applications you depend upon, such as non-compatibility with your word processing, spreadsheet, photo editing, and other applications. If you don’t use your computer for business work, you should still consider upgrading to Windows 11 to strengthen your own security and privacy protections. Summer health applies to your equipment as well as your body!

Q: When I'm using an anonymous browser, can sites still tell where I've visited and what I've viewed? A: Anonymous browsers like Tor, Epic, SRWare Iron, and Comodo Dragon can limit the amount of data collected through searching but they don't prevent ALL data from being collected. Also, using the “incognito” setting in a Chrome browser limits some data from being collected, but a large amount of data about your visit to the website is still collected. (Most folks don’t realize this.) Data is very valuable to brands and marketers and, although efforts are underway to create truly anonymous browsers, smart and shady people are constantly looking for workarounds. For example, researchers from the New Jersey Institute of Technology warned this July that attackers are using a new type of technique to de-anonymize website visitors. The attackers use the visitor's cache as a side channel and then can access web visitors' identifiers, e-mail addresses, social media accounts, etc. In summary, using an anonymous browser can limit the amount of personal data a business or hacker can gather. But always keep in mind that some information that may be associated with you is still collected and accessible.

Q: My neighbor recently got a drone and flies it over our privacy-fenced backyard. I asked them to stop but they told me I don't own the air space. This is all causing me and my family summer stress. What are the privacy laws for drones? A: You need more neighborly neighbors! In the U.S. Federal regulations and state and local laws exist that are specific to drones (also called unmanned aircraft systems or UAS). People who fly drones must comply with FAA guidelines and regulations. Although they generally don't specifically address neighbors' properties, these guidelines cover registration requirements and other issues related to types of drones. At least 44 states have enacted laws specific to drones and an additional three states have adopted resolutions, which are listed and described here. Common issues addressed in the legislation include defining what a UAS is, how they can be used by law enforcement or other state agencies, how they can be used by the general public, and regulations for their use in hunting game.  To find local ordinances and laws you can check your City Council website or call local Council members. If your geography doesn't have restrictions, attend a Council meeting and make the case to have them established. A Congressional Research Service Report prepared for Congress a few years ago, “Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses,” is still applicable. It focuses primarily on law enforcement surveillance with drones, including in and around homes. Some of this Report may be relevant to your situation. Outside of the U.S., data protection regulations often encompass drone use. For example, The EU General Data Protection Regulation (GDPR) is applicable in multiple ways, and several other data protection regulations cover drones throughout the world.

Data Security & Privacy Beacons* People and places making a difference

The US Cybersecurity and Infrastructure Security Agency (CISA) for providing their Vulnerability Summary of the Week newsletter. Sign up for them to stay up-to-date with the identified vulnerabilities within the tech you use. Your IT, cybersecurity, and privacy teams will find this very valuable.   Dr. Mich Kabay’s ”Contemporary Issues in Information Assurance,” “Weekly Resources,” contains a huge amount of great examples of a wide range of topics. Check out the “Overview” bar at the bottom of the page; each of those boxes have an index code that goes to a different type of attack, threat, breach, etc., page with many real-life examples.   The FTC for providing a page describing, “How To Report Spam Text Messages.” It's very useful! HHS HC3 for publishing their Monthly Cybersecurity Vulnerability Bulletins, and many other publications, to help healthcare-covered entities and business associates better protect their patients' and insureds' health data. The AARP for their, “7 Tips for Women Traveling Solo.” However, these tips apply to everyone, so the title could actually leave out “Women.” From a privacy and security perspective, particularly focus on #3. GoTo Meeting (also known as GoTo and LogMeIn) provide information to their clients describing how online meeting hosts can secure their online meetings: “Tips for Staying Secure Using GoTo Meeting.” Kim Komando for her useful article, “Privacy Tip: 5 ways you’re being tracked you must stop right now.” Lloyd’s for providing their insightful, free report, “Shifting powers: Physical cyber risk in a changing geopolitical landscape.” The report uses scenario-based analysis to help manage uncertainty around the interconnected threat of cyber and geopolitics, looking specifically at the perils of state-sponsored cyber-attacks. NIST for releasing the first four Quantum-Resistant Cryptographic Algorithms in the first group of winners announced from its six-year competition. Techradar for their new list, “Best secure smartphones of 2022.” They describe the best secure smartphones with built-in security and privacy features. The Australian Cyber Security Centre for releasing an update to their "Security Tips for Social Media and Messaging Apps" guidance document. Computer scientist, Amit Sahai, PhD, and his clear explanation of Zero Trust in 5 levels of difficulty.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News Visit the PSB News Page often!

We continue to get great feedback on the Privacy & Security Brainiacs (PSB) News Page. Thank you! PSB News pages contain articles grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.

Brand New Training Courses Clearing up common confusion around HIPAA

We are excited and proud to announce our new online class! Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”  The course includes coverage of both temporary HIPAA requirements that are still in effect, as well as proposed permanent HIPAA rules. It also covers common BA misconceptions and HIPAA compliance errors. Ask us about our deeply discounted beta testing user pricing.

Where to Find the Privacy Professor

See our new Privacy & Security Brainiacs page for our business in the news! We have added several new items.

Rebecca's Radio Show If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.  Latest Episode First aired on Saturday, July 2, 2022 Dr. Joseph Turow IoT Data Creates Frankenstein Profiles Claiming to Be You Dr. Joseph Turow wrote the book, “The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet,” and describes how your voice, and video, recordings are collected, analyzed, and used to do marketing, and make many other decisions that impact your life based upon the associated AI algorithms…which are often not accurate. Next Episode First airing on Saturday, August 6, 2022 Dr. Mich Kabay Privacy Breaches Can Be Prevented with Secure Coding   Dr. Mich Kabay describes how some of the largest privacy breaches in history resulted from not using secure coding concepts. From women’s lingerie to allowing health data to be stolen, and more, Dr. Kabay will not only describe the real-life vulnerabilities, but also how each could have been prevented, including for CISA’s Top 25 Most Dangerous software weaknesses.

The Privacy Professor | Website Privacy & Security Brainiacs| Website

‌ ‌ ‌

Permission to Share If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution: Source: Rebecca Herold. August 2022 Privacy Professor Tips.  www.privacysecuritybrainiacs.com NOTE: Permission for excerpts does not extend to images. Privacy Notice & Communication Info You are receiving this Privacy Professor Tips message as a result of: 1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com; 2) making a request directly to Rebecca Herold; or 3) connecting with Rebecca Herold on LinkedIn. When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. If you wish to unsubscribe, just click the Safe Unsubscribe link below.