The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros. There is now an epilogue to report in the case. The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball. The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.
According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”
As I wrote in my piece about the case, there are several lessons to be learned. One lesson is that it is a myth that hacking and computer crime must be hi-tech. Here, Correa’s hacking was nothing sophisticated — he just used another person’s password. The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password. In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information. The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data. The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.
For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel. Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see. So click on the programs below to watch them — I’ll keep them up through the weekend. Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.
NOTE: These programs are now no longer publicly available. To see them, please contact us.
The first program is a short 2-minute awareness video about Data Retention.
The second program is an 8.5 minute program called Defining Personal Information. It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.
These programs were created for Intel with their collaboration. Intel graciously allowed me to add generic versions of these programs to my training course library. And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.
Here’s a cartoon on HIPAA and social media use to jump start your week. You can’t think enough about HIPAA these days. HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
HIPAA is famously impenetrable, with so many special terms and definitions. I wrote this cartoon to capture the wonderful world of HIPAA jargon, which I hope fellow lovers of HIPAA can appreciate.
For those who want an introduction to HIPAA and how the Privacy Rule and the Security Rule work, I produced a series of courses on HIPAA for the American Health Information Management Association (AHIMA). Each course is approximately 1 hour long. The courses are:
• HIPAA Privacy: The Pillars of a Privacy Program
• HIPAA Privacy: Rights and Responsibilities
• HIPAA Security: Safeguarding PHI
These AHIMA HIPAA courses are not for the entire workforce — the courses are for personnel who focus on HIPAA compliance and need to understand the basics of how HIPAA works. My HIPAA training for the workforce is shorter as well as more basic and general.
I have another HIPAA cartoon here.
Recently, HIPAA celebrated its 20th birthday. HHS issued a celebratory blog post. HIPAA is 20 years old if you start counting from the date the statute was passed (1996). If we measure HIPAA’s age from the date that the HIPAA Privacy Rule became effective (2003), then HIPAA is 13.
So HIPAA could be 20 years old, eager to become 21 and be able to drink (right now, it just makes people want to drink) or 13 years old and about to begin being an unruly teenager.
A few years ago, I published an article in the Journal of AHIMA to celebrate HIPAA’s 10th birthday (counting from when the Privacy Rule became effective). The article discusses HIPAA’s growth and impact, and is a quick read if you’re interested. You can download it for free here:
HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.
Here’s a cartoon I created to illustrate the importance of security awareness training. I hope you find it amusing.
I recently created a new resource page — How to Make Security Training Effective. The page contains my advice for how to make security training memorable and effective in changing behavior.
Training the workforce is an essential way to protect data security, but not all training endeavors are successful. Poor training is akin to shouting into the void. This resource page is designed to provide some tips and advice about training that I’ve learned from being an educator for more than 15 years. Continue Reading
What laws require security awareness training? What topics do the laws require to be covered? What should be covered? How frequently should training be given?
I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more. I discuss various legal and industry requirements for security awareness training. I also discuss best practices. I hope that you find this resource to be useful.
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.
Without further ado . . .
Don’t collect personal data.
There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training! And that’s no joke.
With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).
The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
Ransomware is on a rampage! Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.
Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.
Ransomware has the potential to attack the Internet of Things. In one instance, a researcher was able to infect a TV with ransomware.
Ransomware is now attacking smart phones.
Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system. The computer network was down for more than a week, and patients had to be transferred to other hospitals.
Back by popular demand, it’s time for another round of the funniest hacker stock photos. Because I create information security awareness training (and HIPAA security training too), I frequently find myself in need of a good hacker photo.
But good hacker photos are hard to find. I often browse through countless images, each one more ridiculous than the next.
I created a new poster about information security training, which is debuting at the RSA conference. This poster is based on the fact that the vast majority of information security incidents and data breaches occur because of human mistakes. Information security is only in small part a technology problem; it is largely a human problem.
If you’re at RSA and are interested in information security awareness training, please drop by the TeachPrivacy booth at Moscone North 4802.
You can pick up a copy of this poster. And you can also learn about our newest training, which includes a really neat Where’s Waldo style game where users spot privacy and security risks.
I’m pleased to announce a new training program: Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete. Trainees are asked to spot the risks in an office. Feedback is provided about each risk so trainees learn many of the most important best practices.
I created some new training programs last year, and here are some of the highlights:
The Ransomware Attack (~5 mins)
This short program (~5 minutes) consists of an interactive cartoon vignette about malware. The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware. The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.
The Life Cycle of Personal Data (~ 15 mins)
This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data. The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.
A new report by Verizon, the PHI Data Breach report, analyzes 1,931 data breaches of protected health information (PHI) under HIPAA, The incidents occurred between 1994 and 2014, with most occurring from 2004-2014. An article from Computer World sums up the findings of the report.
The report notes that 3 types of incident account for 86% of the data breaches:
(1) Lost or stolen portable electronic devices
(2) Sending records to the wrong individual
(3) Improper access to PHI by employees
What do these things have in common?
These are problems that deal with the human factor. The problems are preventable, and the risk of them can be significantly reduced through training.
To train on these things, organizations must do more then merely say: “Be careful” or “Do not do.” The training must have an impact on people. And education is most effective with repetition. People must be repeatedly educated, over and over again.
By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.
In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action (leaving a laptop with clear text files of 55,000 patients in an unsecured car).
Training needs to be more than once a year, and as soon as, or prior to, the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.
Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, it’s also a requirement in most data protection laws and regulations to provide such education.
To this, all I can say is: Amen.
Rebecca is the author of several great resources on HIPAA, including The Practical Guide to HIPAA Privacy and Security Compliance.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts about security:
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Ransomware is one of the most frightening scourges to hit the Internet. Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them. If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.
Ransomware began to emerge in 2009, and it has been rapidly on the rise. Recently, it was ranked as the number one threat involving mobile malware. According to one estimate, “at least $5 million is extorted from ransomware victims each year.”
Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.
CryptoLocker was eventually defeated. But new variants of ransomware started popping up more frequently.
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce. Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.
Think about the data that you gather about employee performance on simulated phishing. It can be easy to overlook the implications of maintaining and using this data. I look at it through the lens of its privacy risks. This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences. How long will the data be kept? What will be done with it? How securely will it be kept? What if it were compromised and publicized online?
The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.
A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.
According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”
I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.
After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.
A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face. Phishing is an enormous problem, and it is getting worse.
In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.
by Daniel J. Solove
One of the most well-known classic privacy books is George Orwell’s 1984, and it has been published in countless editions around the world. I enjoy collecting things, and I’ve gathered up more than 50 book covers of various editions of the novel. I find it interesting how various artists and designers try to capture the novel’s themes. I thought I’d share the covers with you.
Orwell’s 1984 chronicles a harrowing totalitarian society, one that engages in massive surveillance of its citizenry. Everywhere are posters that say “
NSA Big Brother Is Watching You.” From the novel:
by Daniel J. Solove
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC). SEMC agreed to pay $218,000.
The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken. OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”
by Daniel J. Solove
Here is a brief synopsis of the webinar:
For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security. What are the standards that the FTC is developing for privacy and data security? What sources does the FTC use for the standards it develops?
A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.
My webinar was written up at the Wall Street Journal. If you’re interested in seeing it, it’s free and available here. Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.
by Daniel J. Solove
Recently, I wrote about the challenges in accessing health information about family members. In this post, I will explore patients’ access to their own medical records.
HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.
Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.
by Daniel J. Solove
Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.
The doctor thinks that you can only have the information with a signed written authorization. Is this correct?
No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.
So has the doctor violated HIPAA by refusing to disclose the PHI?
by Daniel J. Solove
I’ve really been enjoying the new TV series Mr. Robot on USA. Network. It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security geeks.
The protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City. The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person. Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone. But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.
Elliot is very smart and clever, and he sees many around him as idiots. He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people. He lives most of his life inside his head. The show presents the stark contrast between what he says to others and what he is thinking. In one scene, we see him speaking to his psychiatrist, telling her hardly anything. But we hear his thoughts and know that he is pondering quite a lot.
by Daniel J. Solove
There are certainly many hackers with sophisticated technical skills and potent malicious technologies. These threats can seem akin to Leviathan — all powerful and insurmountable.
It can be easy to get caught up focusing on the Leviathan and miss the low-hanging fruit of cybersecurity. This low-hanging fruit consists of rather simple and easy-to-fix vulnerabilities and bad practices.
by Daniel J. Solove
There is a great quote in this article from HealthcareInfoSecurity: that expresses very well the importance and goals of HIPAA training programs:
Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, [Ann Patterson of the Medical Identity Fraud Alliance] says. “Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the ‘red flags’ detection systems are keeping pace with changing technologies and workplace practices.”
by Daniel J. Solove
I recently created a new resource page for the TeachPrivacy website: Text of HIPAA’s Training Requirements. This page provides excerpts of the training provisions in the HIPAA Privacy Rule and the HIPAA Security Rule.
This page is designed to be a useful companion page to our resource page, HIPAA Training Requirements: FAQ. The FAQ discuss my interpretation of the HIPAA training provisions, but the full text of those provisions is located on the separate new resource page above.
By Daniel J. Solove
Privacy and cybersecurity have become issues that should be addressed at the board level. No longer minor risks, privacy and cybersecurity have become existential issues. The costs and reputational harm of privacy and security incidents can be devastating.
Yet not enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cyber security. But only 14% of them stated that they were actively involved.