Can you solve this riddle?

A man turned off the light and went to bed. Because of this, several people died. Why?

To get the answer, read on through this month's data security and privacy tips below. (I promise it's easy to find.) In the meantime, enjoy the sizable clue I've included in the images, which come from my family's recent trip to Lake Superior, one of the Great Lakes of the U.S. 


Whitefish Point Lighthouse and the Great Lakes Shipwreck Museum. Visitors engage with a huge amount of information about the 1975 wreck of the Edmund Fitzgerald (the one the 1976 hit song is about).
wireAre You Being Wire Tapped?

Malware turns Google Home, Amazon Alexa into undercover spies

Lighthouse in Marquette, MI, in Lake Superior's Marquette Bay
Voice-activated devices like Google Home and Amazon Alexa are recording everyone in their vicinity and sending those digital voice recordings to the cloud. The resulting data is then used in any number of undisclosed ways.

Of the device owners who are aware of this, some may rationalize the recordings with thoughts like, "I'm just one of millions. No one really cares what I, or anyone else who's speaking with me, have to say."

For starters, that's not even remotely true. You may be one of millions, but your data helps build a profile of you... and of people like you. These profiles are used by marketers, insurers, law enforcement and plenty of others to make assumptions and predictions about our behaviors, as well as things that can trigger those behaviors.

Second, a recently discovered vulnerability means your voice recordings could be exploited in a much more targeted way. Security researchers found it's possible to install malware on these devices that is capable of using on-board microphones to spy on the devices' owners. (Thanks to Clarinette Tara for this pointer!)

Don't think anyone wants to spy on you? Consider these examples from writer Graham Cluley:'s conceivable that a jealous partner might implant malware on your Amazon Echo to keep tabs on you after you have kicked them out of your life. It would also perhaps to be wise to consider that there is also a risk if you purchase a second-hand Amazon Echo.

A WORD OF CAUTION: While malware like this is only a possibility and no real-life incidents of targeted wire-tapping via Google Home or Amazon Alexa have yet occurred, it doesn't take long for theory to become reality. Truth be told, if the good guys are thinking about it, the bad guys probably thought about it six years ago.

wirelessWireless Crime on the Rise
Remote connections make stealing even easier
You've likely heard of card skimmers. The devices come in all kinds of shapes and sizes and are built to mimic the look and feel of ATM, checkout and gas pump card swipers. Crooks attach the malicious skimmers to a legitimate device, leave it on long enough to gather lots of valuable data from debit and credit cards, and then come back to retrieve it.

But that's the old-school way of skimming.

Now, fraudsters don't even have to return to the scene. With the help of burner phones and text messaging, skimming artists can now text the stolen data right to themselves. (Thanks to Scott Schober for this pointer!)

Skimming is a huge problem for credit card companies and the banks and credit unions that issue these cards. That's why they have implemented chip-based credit cards, which heavily encrypt the personal and account data typically held on the plastic card. 

But, until the day these cards (and the retailers accepting them) become ubiquitous, the vulnerable mag stripe is still on almost every chip-based card in circulation in the U.S. Skimmers love this, and they are getting better at exploiting them... now without even having to be physically present!

A WORD OF WARNING: Avoid using debit cards, especially, at gas station pay-at-the-pumps. ( Credit card companies offer greater fraud protections than their debit counterparts.)  Many of these gas terminals are still mag-stripe based, so you have to swipe your card, leaving your data vulnerable to skimming.  Fraudsters know this and are targeting gas stations heavily as a result. 
One of several lighthouses in Munising, MI
googleThe Next Google Glass
Snapchat gives smart glasses a whirl... and there goes your privacy!

Called Spectacles, the new camera-enabled smart glasses are capable of recording you anywhere and everywhere you are, which is not totally unlike Snapchat itself. (I have plenty of parent friends who have been "caught" in the background of their children's social posts doing or saying things they'd rather not have exposed to a community of adolescents.)

Unlike Google Glass, which raised all kinds of privacy concerns themselves, Spectacles are pretty accessible. Whereas Google Glass was only available to certain consumers, Spectacles are easily purchased on Amazon. And at less than $130, they are essentially affordable.

The privacy implications are obvious, but consider some of the lesser-discussed aspects of wearable recording devices (as pointed out by IdentityGuard):
  • Unintentional recording of a credit or debit card number could lead to identity theft.
  • Snapchat data shows where videos / images were captured, which could help stalkers pinpoint the real-time location of their victims.
  • Voice and face recordings could be used to spoof biometric authentication solutions.
  • Worries about what you look like in a swimsuit could follow you even while underwater, thanks to waterproof Spectacles!
A WORD OF WARNING: Don't be afraid to ask a Spectacles wearer to remove the devices in your home, at work or in other non-public places. If you are a user, make sure you are aware not only of what you may be unintentionally recording, but how Snapchat may be recording your recordings. (And with whom they are sharing them!)
healthHealth Care Spotlight

Should Doctors, Nurses Be Punished for Falling Victim to Hackers?

One of the lighthouses on Grand Island, in Lake Superior.

A journalist recently posed the above question to me, and I struggled with it a bit. Here is how I answered her. I'd love to hear from the employers who read this message to see how you handle such circumstances.

Hacking and IT incidents are now the leading cause of compromised medical records, and one of the main points of entry these bad actors have is the email system.  

Thirty-seven percent of attacks on SMBs in the U.S. were reported as coming from a malicious email attachment; 27 percent were from a malicious link in an email. And 97 percent of employees may not be able to spot the traps hidden in these emails.

When unaware doctors, nurses and other health care workers click on nasty links, open infected attachments or hover over malicious icons, their practices and all of the patients they serve can be exposed to cybercriminals.

But should the employees who fall for these phishing attempts be held personally responsible? Should they lose their jobs?

The answers are ultimately up to each practice. That said, every employer should have a written policy for how it will both educate and hold responsible employees for cyber security incidents. There are numerous ways to raise awareness among employees, including required training and fake phishing tests.

HHS Waives Sanctions and Penalties in Response to Hurricane Harvey

Did you know the U.S. Department of Health and Human Services (HHS) occasionally suspends the compliance burden for care givers during public health emergencies? It's rare, but it happens, and now is one of those times. 

Yesterday, the HHS Secretary Tom Price  instituted the temporary policy stating that Texas and Louisiana hospitals that do not comply with certain HIPAA provisions will not be punished

Read more about HIPAA privacy and disclosures in emergency situations on the HHS site.

We are keeping the victims of Hurricane Harvey in our thoughts, and invite everyone, if they can, to offer any assistance possible.
readerReader Question
'Help! I Photographed My Driver's License'
I want to ask you about the data security and privacy implications of something I did with my phone. I took a picture of my driver's license because my headshot was one of the best pictures I'd ever taken, and I wanted to save it. 

I didn't send it to anyone. In fact, I started worrying about having it on my phone so I deleted it. The picture I took was of the entire license. Can anybody use that picture even though I haven't sent it anywhere? 

To understand if you're safe, check on these items:
  1. Does your phone automatically upload a copy of your photos to a cloud service? If so, that photo may still live in the cloud, including in the cloud service's own backups and archives.

  2. Do you have any apps on your phone to which you've given permission to access your photos? Such apps may take copies of any photos you've taken and/or stored on your phone.
There are a couple of things you can do to lessen your vulnerability. First, log in to the cloud service and remove the photo if it's still there. Second, turn off auto-backup or auto-save features that send your images to the cloud without your approval.
The risk of apps making copies of your photos is typically low (depending on the apps you have), but one of which you should be aware. If you are concerned, contact the app developer directly to ask how you can remove your photos from their systems.
Here are some best practices going forward:
  1. Delete all apps you don't use.
  2. Don't download apps that require access to all your photos and other files.
  3. Don't automatically sync/upload your photos and other files to the cloud by default. 

The Marquette Harbor Light in Lake Superior
riddleDid You Solve the Riddle? 
The man is a lighthouse keeper.  
The light he turned off was the lighthouse beacon. Doing so stopped a ship's captain from seeing the rocks, and he crashed his vessel, killing everyone on board. 

Protecting against physical risks, such as keeping ships from hitting the hidden rocks in the waters where they sail, has been considered for centuries. The hidden digital dangers of collecting and sharing data, through online apps, social media and other sites, have only been considered for just a comparatively few decades. 

Breaches and misuse of data can sink a person's livelihood, reputation and friendships just as quickly as a ship hitting jagged rocks in a dark, stormy night.
It's up to all types of organizations to protect the personal data they collect and to share and use it only as necessary. It's also up to every person to make sure those organizations who collect their data are doing their best to protect it, and avoid sinking their privacy.

ppPrivacy Professor On The Road & In the News  

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

September 13, 2017:   Giving keynote address on preventing medical device nightmares in the Internet of Medical Things and facilitating a roundtable discussion at SecureWorld Detroit 
September 21, 2017:  Giving webinar, " Don't Let Third Parties Bring Down Your Business: Effective Vendor Management," hosted by AHIA    
September 28, 2017:  Giving webinar, "Using the ISACA Privacy Principles to Perform a GDPR PIA,"   hosted by ISACA.   

October 11, 2017 : Providing private executive briefing on healthcare security and privacy in the Internet of Medical Things in northern Rhode Island.

October 24, 2017: Giving webinar, "Risk Management - Third Party Vendors," hosted by ASAE

January 12, 2018: Panel discussion session, "HIPAA Protections for Cannabis Patients and Dispensary Profits," at The Medical Cannabis Business Executive Convention 

Surprising News at Internet of Medical Things Conference

Big  Bay  Point  Lighthouse in Lake Superior
We had a large amount of positive feedback for the July 27 Internet of Medical Things Conference.  Aside from the interesting (and alarming) insights from our panelists, we also got some long-awaited news from Deven McGraw, Deputy Director of Health Information Privacy at the HHS Office for Civil Rights (OCR).

Asked when we could expect finalization of the (very old) 2011 accounting of disclosures notice of proposed rulemaking (NPRM), McGraw said,

"We do not have plans to finalize that NPRM. However, it remains a requirement that we have to fulfill...we have to find some way of enabling individuals to receive accounting of disclosures [for when specific individuals get access to their patient data for treatment, payment and operations purposes] from an electronic health record as defined in HITECH... [The OCR is] going to need some additional public input on how we can implement this, given that what we had initially proposed was not feasible."

A full recording of the conference sessions is available on the Bio Pharma Research Council website

Privacy Professor In the news...

Healthcare Info Security

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio in August, during which we talked about celebrity privacy, as well as the implication of using connected cameras everyday on our smartphones. I also shared tips on how to better monitor your credit cards in this breach-ridden society in which we live. 

On my August 1 visit to the studio, I spoke about new risks with USB drives, along with privacy risks and what you can do about them for your personal assistants, such as Amazon Alexa and Google Home. 

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

I hope you enjoyed the riddle (and the lighthouse photo clues, as well!). I've been a long-time fan of lighthouses, from as early as I can remember.

As my family and I were exploring these beautiful tributes to the history of maritime communities, I couldn't help but appreciate the symbolism. Privacy awareness, to me, is a lot like the beacons atop these structures. Without it, we simply can't see some of the dangers ahead.

Keep the awareness beacon shining bright. Consider sharing this tips message with friends, family and colleagues!

Here's to an excellent fall!


Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor┬«,,,, 

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter