Why are you getting this? You signed up to receive the Tips, asked to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive them. Please read our Privacy Note & Communication Info at the bottom of this message for more information.
Why Privacy Invasion is Heating Up This Summer
You may be traveling this summer (like I was...see the photos, below). That can make you especially vulnerable to surveillance and data breaches. Relax, but know your privacy facts.
The pandemic, the recent overturn of Roe v Wade, and our adoption of tracking devices to measure our personal health all raise a wide range of issues around surveillance and the use of our individual health data and behaviors.
On June 24th, the Dobbs ruling gave rise to many new federal and state-level bills that relate to women's right to privacy as it relates to abortion. The Supreme Court's statements also referenced the opinions in Griswold (the right to contraception and related privacy), Lawrence (the right to same-sex relationships and associated privacy), and Obergefell (the right to marriage equality and related privacy). These statements have raised the alarm that privacy protections in much broader areas of everyone's life may be targeted next.
Many consumers are more concerned than ever about their personal choices and health-related data.
So, who's really watching you this summer?
This issue of my Tips focuses on surveillance and how it can impact your personal and professional privacy. Get smarter, so you can enjoy a more relaxing and informed summer season.
Rebecca
We would love to hear from you!
Here's a glimpse of my travel to national parks with my son.
Remember to stay safe and aware throughout your own summer adventures!
Gooseneck State Park, Utah
With my son Heath at Valley of the Gods
August Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
August 7th through 13th is considered National Health Week, promoted by the National Association of Community Health Centers. This organization advocates for emergency community health centers and long-term funding for centers that serve all.
Ways we can build awareness of privacy and security during this week include:
- Educating individuals and communities (at a booth at a health center) about how to change settings on their health-tracking devices to strengthen privacy protection.
- Providing a list of the most secure and privacy-friendly health tracking devices and those that may be more unsafe.
- Asking local schools and companies what types of tracking devices they use in their buildings and buses. Then, find out how they secure and share that data.
What other engaging and educational activities do you suggest for that week?
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
August 2022
The June Supreme Court decision on Dobbs (see above) resulted in many questions from our readers about surveillance and health data.
Your wellness and personal health decisions are now more public than ever and extend way beyond HIPAA regulations. Please keep your questions coming.
Q: I use an Oura Ring. In the U.S., is the health data that's collected protected under HIPAA? Does GDPR protect it in the EU?
A: Oura rings and other smart IoT (Internet of Things) health and fitness gadgets provide deep insights into the wearer's health conditions, activities, and locations. They can be invaluable in helping your physician, personal trainer, or other health professionals monitor your health status.
But, in most cases, these direct-to-consumer health monitors are NOT protected under HIPAA.
How the data is used by healthcare providers is a complicated issue. Because most consumer health trackers are not approved by the U.S. Food and Drug Administration (FDA) as medical devices, they generally can't be prescribed.
The U.S. has not yet passed federal regulations specific to IoT security and privacy. In fact, the data your ring is collecting can usually be shared with or sold to third parties.
GDPR in the EU does provide data protections and other countries are adopting legislation as well.
If you have questions or insights into IoT health trackers, let us know!
Q: What types of apps collect my health data? Who gets access to it?
A: You may think of "health data" as only trackable through fitness devices. But other types of apps and technologies can also make smart assumptions about your health, based on your behaviors. This trend started at least a decade ago.
For example, Target used consumer buying data in 2011 to draw conclusions about whether women were pregnant, sometimes even before the women's families knew. In one case, a Minnesota father received baby-related discount coupons at home and only then discovered his teen daughter was expecting.
Today, Artificial Intelligence (AI), online quizzes, Google searches, and shopping trackers give brands even more information about your body and your health concerns.
Reproductive health is a real hot-button issue these days. Women should be wary of any app that tracks menstrual cycles and other reproductive health conditions. Here's how Wired ranks the privacy risks of these apps.
What can you do?
- Review all the apps on your phone, tablet, and other devices, and delete and completely uninstall the ones you don't use.
- Look at the privacy policies for every remaining app. If they don't indicate how they use and share your data, remove those apps.
I have only about 10-15 active apps on my phone. The average smartphone user has more than 50!
Q: When I receive care in a clinic, how can my data be accessed? What is a Log4j vulnerability?
A: Let's answer the second question first. Log4j is a piece of software code used in a great many products, and the Log4j vulnerability is a weakness in that code that allows attackers to execute arbitrary code on a vulnerable system or device, including those used by healthcare providers. Healthcare professionals have a responsibility to understand and correct these risks.
Because Log4j code is used widely in a number of different technology products (including those sold by VMware, IBM, Oracle, Cisco, and SolarWinds), finding and fixing the issues is complex and time-consuming.
The good news is that the number of data breaches attributed to it has been low. But the Log4j vulnerability remains a real issue that may expose the healthcare world to attacks for years to come, in every product where the fixes have not been applied.
If you work for an organization that hasn't yet assessed and fixed its vulnerabilities, use some of the readily-available tools to find and fix them.
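As an added example (not code from this newsletter or from any of the vendors named above), here is a small Python inventory script of the kind an IT team could run on a server to find log4j-core jars and flag those that still ship the JNDI lookup class; the jar names, paths and version strings in its sample input are constructed placeholders, not real Log4j releases.

```python
import os
import tempfile
import zipfile

# Class whose presence means a jar still ships the JNDI lookup feature;
# removing it from log4j-core was one widely published interim mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(path):
    """Inventory facts for one jar: declared version and whether JndiLookup is present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = "unknown"
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        return {"path": path, "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}

def find_log4j_core(root):
    """Walk a directory tree and inspect every jar named like log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed sample input: minimal jars with placeholder versions, not real releases."""
    samples = [("app1/lib/log4j-core-PLACEHOLDER-OLD.jar", "PLACEHOLDER-OLD", True),
               ("app2/lib/log4j-core-PLACEHOLDER-FIXED.jar", "PLACEHOLDER-FIXED", False),
               ("app2/lib/other-library.jar", "PLACEHOLDER", True)]  # not log4j: must be ignored
    for rel, version, ship_jndi in samples:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if ship_jndi:  # stub bytes stand in for the real class file
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")

def demo_findings():
    """Scan the constructed tree; a real run would pass the host's application roots instead."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_log4j_core(tmp)
```

On a real host, call `find_log4j_core()` on each directory where applications are installed and treat every reported jar, not only those with the class present, as something to check against the vendor's patch guidance.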
Q: Will upgrading my work computer from Windows 10 to Windows 11 improve security and privacy?
A: Some businesses may have policies requiring employees to use specific types of operating systems, so check with your IT or privacy department first. Make sure the upgrade won't have negative impacts on other applications you depend upon, such as non-compatibility with your word processing, spreadsheet, photo editing, and other applications. If you don't use your computer for business work, you should still consider upgrading to Windows 11 to strengthen your own security and privacy protections.
Summer health applies to your equipment as well as your body!
Q: When I'm using an anonymous browser, can sites still tell where I've visited and what I've viewed?
A: Anonymous browsers like Tor, Epic, SRWare Iron, and Comodo Dragon can limit the amount of data collected while you browse, but they don't prevent ALL data from being collected. Likewise, using Incognito mode in the Chrome browser limits some data collection, but a large amount of data about your visit to a website is still collected. (Most folks don't realize this.) Data is very valuable to brands and marketers and, although efforts are underway to create truly anonymous browsers, smart and shady people are constantly looking for workarounds.
For example, researchers from the New Jersey Institute of Technology warned this July that attackers are using a new type of technique to de-anonymize website visitors. The attackers use the visitor's cache as a side channel and then can access web visitors' identifiers, e-mail addresses, social media accounts, etc.
In summary, using an anonymous browser can limit the amount of personal data a business or hacker can gather. But always keep in mind that some information that may be associated with you is still collected and accessible.
Q: My neighbor recently got a drone and flies it over our privacy-fenced backyard. I asked them to stop but they told me I don't own the air space. This is all causing me and my family summer stress. What are the privacy laws for drones?
A: You need more neighborly neighbors! In the U.S., federal regulations and state and local laws exist that are specific to drones (also called unmanned aircraft systems or UAS).
People who fly drones must comply with FAA guidelines and regulations. Although they generally don't specifically address neighbors' properties, these guidelines cover registration requirements and other issues related to types of drones.
At least 44 states have enacted laws specific to drones and an additional three states have adopted resolutions, which are listed and described here.
Common issues addressed in the legislation include defining what a UAS is, how they can be used by law enforcement or other state agencies, how they can be used by the general public, and regulations for their use in hunting game.
To find local ordinances and laws you can check your City Council website or call local Council members. If your geography doesn't have restrictions, attend a Council meeting and make the case to have them established.
Data Security & Privacy Beacons*
People and places making a difference
- The US Cybersecurity and Infrastructure Security Agency (CISA) for providing their Vulnerability Summary of the Week newsletter. Sign up for it to stay up-to-date with the identified vulnerabilities within the tech you use. Your IT, cybersecurity, and privacy teams will find this very valuable.
- Dr. Mich Kabay's "Contemporary Issues in Information Assurance" and "Weekly Resources," which contain a huge number of great examples across a wide range of topics. Check out the "Overview" bar at the bottom of the page; each of those boxes has an index code that goes to a page for a different type of attack, threat, breach, etc., with many real-life examples.
- The FTC for providing a page describing "How To Report Spam Text Messages." It's very useful!
- HHS HC3 for publishing their Monthly Cybersecurity Vulnerability Bulletins, and many other publications, to help healthcare-covered entities and business associates better protect their patients' and insureds' health data.
- The AARP for their "7 Tips for Women Traveling Solo." These tips apply to everyone, so the title could actually leave out "Women." From a privacy and security perspective, particularly focus on #3.
- GoTo Meeting (also known as GoTo and LogMeIn) for providing information to their clients describing how online meeting hosts can secure their online meetings: "Tips for Staying Secure Using GoTo Meeting."
- Kim Komando for her useful article, "Privacy Tip: 5 ways you're being tracked you must stop right now."
- Lloyd's for providing their insightful, free report, "Shifting powers: Physical cyber risk in a changing geopolitical landscape." The report uses scenario-based analysis to help manage uncertainty around the interconnected threat of cyber and geopolitics, looking specifically at the perils of state-sponsored cyber-attacks.
- NIST for releasing the first four quantum-resistant cryptographic algorithms, the first group of winners announced from its six-year competition.
- Techradar for their new list, "Best secure smartphones of 2022," which describes the best secure smartphones with built-in security and privacy features.
- The Australian Cyber Security Centre for releasing an update to their "Security Tips for Social Media and Messaging Apps" guidance document.
- Computer scientist Amit Sahai, PhD, for his clear explanation of Zero Trust at 5 levels of difficulty.
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. A Beacon simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
PSB News pages contain articles grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.
Brand New Training Courses
Clearing up common confusion around HIPAA
Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”
Where to Find the Privacy Professor
We have added several new items.
real-world topics within the data security and privacy realm.
Latest Episode
First aired on Saturday, July 2, 2022
Dr. Joseph Turow
Dr. Joseph Turow wrote the book "The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet." He describes how your voice and video recordings are collected, analyzed, and used for marketing and many other decisions that impact your life, based upon AI algorithms that are often not accurate.
Next Episode
First airing on Saturday, August 6, 2022
Dr. Mich Kabay
Dr. Mich Kabay describes how some of the largest privacy breaches in history resulted from not using secure coding concepts. From women’s lingerie to allowing health data to be stolen, and more, Dr. Kabay will not only describe the real-life vulnerabilities, but also how each could have been prevented, including for CISA’s Top 25 Most Dangerous software weaknesses.
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the Safe Unsubscribe link below.