Not long ago, phishing attacks were easy to spot.

They’d be rife with misspellings or link to suspicious-looking login pages. That’s changing, writes internet security expert Brian Krebs.

Hackers are getting more sophisticated, sending potential victims to legitimate-looking web pages that are increasingly served over HTTPS, so the browser shows the same padlock a genuine login page would. Web security firm PhishLabs recently reported that the number of phishing sites hosted on HTTPS has doubled in the past year. The padlock only means the connection is encrypted and the certificate matches the domain in the address bar; it says nothing about whether that domain belongs to the company the page imitates.

That means companies and individuals need to keep on their toes. Krebs’ article offers some useful tips on how to thwart these new techniques.
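Because the scheme carries no trust signal, a first-pass check of a suspicious link has to look at the structure of the URL instead. The following Python is an added example, not code from Krebs' article or the PhishLabs report: it records whether a URL uses HTTPS but deliberately ignores that when scoring, and flags the structural tricks that hide a lookalike host. The brand list, the allowed domains, the nesting threshold and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example only: the domains a brand really uses.
LEGIT_DOMAINS = {"paypal.com", "microsoft.com"}
PROTECTED_BRANDS = {"paypal", "microsoft"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (enough for the .com cases here).

    A production check should consult the Public Suffix List, otherwise
    'bank.co.uk'-style names are cut in the wrong place.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    """Score a URL on its structure alone; the scheme is recorded but never used."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if reg not in LEGIT_DOMAINS:
        # Brand name inside a host or path the brand does not own, e.g.
        # paypal.com.secure-login.example/paypal/signin
        haystack = parts.netloc.lower() + parts.path.lower()
        for brand in sorted(PROTECTED_BRANDS):
            if brand in haystack:
                findings.append(f"brand '{brand}' used outside its own domain ({reg})")
        # https://paypal.com@evil.example/ : everything before '@' is userinfo;
        # the browser actually connects to evil.example
        if "@" in parts.netloc:
            findings.append("userinfo before '@' disguises the real host")
        # Punycode labels can render as look-alike Unicode characters (IDN homoglyphs)
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode (xn--) label, possible homoglyph domain")
        # Long chains of subdomains are a cheap way to pad a lookalike name
        if host.count(".") >= 3:
            findings.append("deeply nested subdomain")

    return {
        "url": url,
        "registrable_domain": reg,
        "https": parts.scheme == "https",  # shown so the reader sees it is not evidence
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any report.
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.secure-login.example/paypal/signin",
              "https://paypal.com@evil.example/",
              "https://xn--pypal-4ve.com/"):
        print(triage_url(u))
```

All four sample URLs except the first come back suspicious, and three of them use HTTPS; the `https` field is returned only so that a reader can see it never changes the verdict.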

On our HIPAA & Health Information Technology Blog, associate Ankita Patel discusses how Millennials’ embrace of newer forms of social media such as Snapchat and Instagram poses HIPAA challenges for health care organizations.

“With just a few taps and swipes, an employee can post a seemingly innocuous disclosure of PHI. Interns and residents of the younger generation may innocently upload a short-term post (be it a picture for two seconds or an eight-second long video) of a busy hospital room or even an innocent ‘selfie’ without realizing that there is visible and identifiable PHI in the corner,” Ankita writes.

It’s an intriguing read exploring the intersection of health care and privacy law, social sharing and the rapid pace of technological change. Read the full post here.

Cybersecurity professionals must work diligently to help business leaders understand that their work is more than just technology implementation, says Greg Touhill, the federal government’s first Chief Information Security Officer. It’s risk management.

“I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff,” rather than focusing on risk management, Touhill said in a speech to a gathering of cybersecurity pros this week in Washington DC. Instead of buying the hottest new cybersecurity tools, companies should focus on remaining current and understanding the true value of their data.

Touhill made the remarks November 29 during a presentation to attendees of the INSecurity conference, a cybersecurity gathering sponsored by industry publication Dark Reading, which reported on his speech.


The Financial Times reports that many nonprofits are vulnerable to cyberattacks.

Many charities simply don’t want to invest time and money defending against hackers. A 2016 study found about half of nonprofits had not conducted a cyber risk assessment, and two thirds had no plans to increase spending on data security. But hackers don’t give nonprofits a pass. The article tells the story of a small cancer charity based in Indianapolis, Indiana, that lost all its client data in a ransomware attack.

“While it is not surprising that charities want to spend scarce resources on housing the homeless or feeding the hungry, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices,” according to The Financial Times report.

Industry publication Data Breach Today reports hackers are increasingly exploiting weak Remote Desktop Protocol (RDP) credentials to launch ransomware attacks.

“Many enterprises use remote desktop protocol to remotely administer their PCs and mobile devices,” reports Executive Editor Mathew J. Schwartz. “But security experts warn that weak RDP credentials are in wide circulation on darknet marketplaces and increasingly used by ransomware attackers.” RDP credentials have long been used to launch distributed denial of service (DDoS) and malware attacks. Investigators recently found RDP credentials for sale for as little as $3.

To thwart hackers, experts told Data Breach Today, companies should use strong RDP passwords to defeat brute-force guessing, watch for unusual network behavior, and audit exposed ports so that RDP (TCP 3389) and SSH are not left open and unprotected on the internet. Strong passwords stop guessing but do nothing against credentials that have already been stolen and put up for sale, so monitoring for logons from unexpected sources matters as much as the password policy.
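The “unusual network behavior” advice can be made concrete on the Windows side, where a brute-force attempt against RDP leaves a burst of failed-logon events from one source. The following Python is an added example, not code from the Data Breach Today article: it scans Security log events for that burst and records whether a successful logon from the same source followed, which is the sign that a guess landed. Event IDs 4625/4624 and logon type 10 (RemoteInteractive) are real Windows Security log semantics; the event dictionary layout, the window and threshold, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are commonly recorded as type 3 (Network), so
# both are counted; type 2 (console) and the rest are ignored here.
RDP_LOGON_TYPES = {10, 3}

WINDOW = timedelta(minutes=5)   # assumed tuning values, not from the article
THRESHOLD = 10


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP logons inside any `window`, plus the first later success from that IP."""
    recent = defaultdict(list)   # src_ip -> failure timestamps inside the window
    total = defaultdict(int)     # src_ip -> all failures seen
    users = defaultdict(set)     # src_ip -> account names tried
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, t = e["src_ip"], e["time"]
        if e["event_id"] == FAILED_LOGON:
            total[ip] += 1
            users[ip].add(e["user"].lower())
            bucket = recent[ip]
            bucket.append(t)
            while t - bucket[0] > window:      # slide the window forward
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in alerts:
                alerts[ip] = {"src_ip": ip, "window_start": bucket[0],
                              "triggered_at": t, "success_after_burst": None}
        elif (e["event_id"] == SUCCESS_LOGON and ip in alerts
              and alerts[ip]["success_after_burst"] is None):
            # A success right after a burst of failures usually means the guess landed.
            alerts[ip]["success_after_burst"] = {"user": e["user"], "time": t}
    for ip, alert in alerts.items():
        alert["failed_attempts"] = total[ip]
        alert["users_tried"] = sorted(users[ip])
    return sorted(alerts.values(), key=lambda a: a["triggered_at"])


T0 = datetime(2017, 12, 1, 3, 15, 0)


def _ev(event_id, logon_type, src_ip, user, seconds):
    """Build one constructed event record (assumed field names, e.g. from a SIEM export)."""
    return {"event_id": event_id, "logon_type": logon_type, "src_ip": src_ip,
            "user": user, "time": T0 + timedelta(seconds=seconds)}


# Constructed sample events (not real logs): one source sprays four account
# names over RDP and then gets in; a console brute force and a handful of
# network failures are included to show what the filter leaves alone.
SAMPLE_EVENTS = (
    [_ev(FAILED_LOGON, 10, "203.0.113.7", u, 4 * i)
     for i, u in enumerate(["Administrator", "admin", "backup", "scanner"] * 3)]
    + [_ev(SUCCESS_LOGON, 10, "203.0.113.7", "Administrator", 60)]
    + [_ev(SUCCESS_LOGON, 10, "198.51.100.20", "jsmith", 90)]
    + [_ev(FAILED_LOGON, 2, "10.0.0.5", "Administrator", 5 + 4 * i) for i in range(12)]
    + [_ev(FAILED_LOGON, 3, "192.0.2.33", "svc_sql", 100 + 30 * i) for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only 203.0.113.7 is reported: the alert fires on its tenth failure, lists the four account names tried, and records the Administrator logon that followed. The 12 console failures from 10.0.0.5 are ignored because they are not RDP, and the three network failures from 192.0.2.33 stay under the threshold. A real deployment would feed the alert into a lockout or firewall block and treat any `success_after_burst` as an incident, not just an alert.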

Cloud computing offers greater flexibility, speed, and convenience, but some businesses have hesitated to take advantage of the technology due to fears of increasing vulnerability to cyberattacks.

But a recent study reveals a marked increase in moving sensitive data to the cloud as a result of increased confidence in security – and despite continuing struggles to monitor and manage the data once it’s there.

In a post on the Dark Reading blog, Kelly Sheridan reports that fewer than 25 percent of businesses had their applications, data, and infrastructure in the cloud two years ago, but that 44 percent are cloud-based today, and 65 percent are expected to be two years from now.

Read more:

https://www.darkreading.com/cloud/security-forecast-cloudy-with-low-data-visibility/d/d-id/1330239


Physicians have their hands full on the best of days. It’s not difficult to imagine why using a voice assistant such as Amazon’s Alexa or Apple’s Siri might be attractive.

In fact, a recent survey showed nearly one in four physicians uses the assistants for work-related purposes, such as researching prescription drug dosing. It’s likely many are unaware of the information security dangers they pose.

In an interview with SCG Health Blog, Fox Rothschild attorneys Elizabeth Litten and Michael Kline explain that the labor-saving devices pose a bevy of data privacy and security risks, and offer doctors six helpful tips for protecting their practices.

A number of employers in Illinois are involved in pending class action litigation regarding violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (the “BIPA”). The BIPA, which was enacted in 2008, addresses the collection, use and retention of biometric information by private entities. Any information that is captured, stored, or shared based on a person’s biometric identifiers, such as fingerprints, retina or iris scans, voiceprints, or scans of hand or face geometry, is considered “biometric information.” The Illinois Legislature enacted the BIPA because biometric information is unlike any other unique identifier in that it can never be changed, even once it has been compromised.

The BIPA requires that, before a private entity can obtain and/or possess an individual’s biometric information, it must first inform the individual, or the individual’s legally authorized representative, in writing of the following: (1) that biometric information is being collected or stored; (2) the specific purpose for the collection, storage, and use of the biometric information; and (3) the length of time for the collection, storage, and use of the biometric information. Furthermore, before collecting any biometric information, the private entity must receive a written release for the collection of the biometric information from the individual or the individual’s legally authorized representative after the above notice has been given.

The BIPA additionally requires the private entity to develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. That policy must be made available to the public. The collected information must be destroyed once “the initial purpose for collecting or obtaining such information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15. In the pending cases, the private entity employers failed to obtain informed written consent prior to the collection, storage, and use of fingerprints and other biometric information. The employers also failed to publish any data retention and deletion policies for the biometric information.

The BIPA also restricts a private entity’s right to sell, lease, trade or otherwise profit from a person’s biometric identifier or biometric information. An employer who adheres to the requirements of the BIPA substantially reduces its exposure to class action litigation on this issue and maintains compliance with industry standards.

The Federal Trade Commission is investing nearly $3 million in technology to support an increasing need for e-discovery driven by massive data breaches such as the one disclosed recently by Equifax.

The news comes from the National Law Journal, which reports that the FTC awarded a one-year contract to Innovative Discovery LLC of Arlington, Virginia for a secure litigation support service. The agency awarded the contract without competitive bids because it “faces unusual and compelling circumstances that require the immediate initiation of this pilot,” the Law Journal reported.

“The FTC is entering into an unprecedented year of investigations and litigation, including its investigation into the Equifax data breach and an unusually high number of forensic data acquisitions in fraud cases,” agency officials wrote. The contract, they added, “is essential to enabling the FTC to successfully conduct investigations and litigation to stop consumer harm, thus enabling the agency to accomplish its mission.”

On Tuesday, November 7th from 2:00 to 6:30, Fox Rothschild and Kroll will be presenting the CLE: Staying One Step Ahead: Developments in Privacy and Data.  The CLE will take place at Fox Rothschild’s offices at 353 N. Clark Street in Chicago.  The speakers are Bill Dixon from Kroll, and Dan Farris and Mark McCreary from Fox Rothschild.  Cocktails and networking will follow the presentations.

If you are in the Chicago area on November 7th, I hope you will join us. Click here to register for this free event.