Friday Five: 2/14 Edition
A voting app ignites a security debate, the US brings new charges against Huawei, and how the DPO and CISO complement each other - catch up on the week's news with the Friday Five!
1. Hamlin woman accused of unlawfully accessing medical records hundreds of times by Charles Molineaux
Interesting healthcare data security story with an insider threat angle: A former healthcare worker at ACM Global Laboratory faces 215 counts of felony computer trespass and 215 counts of misdemeanor unauthorized use of a computer, according to a story from Rochester, NY's NBC affiliate. The ex-employee accessed medical records belonging to several patients for more than two years, between March 2017 and August 2019, purportedly to glean data for use in a custody dispute. While there's no mention of a HIPAA violation or of HHS' Office for Civil Rights looking into the case, it's probably safe to assume that's imminent. State attorneys general can traditionally issue fines up to a maximum of $25,000 per violation category, per calendar year.
2. US brings new charges against Chinese tech giant Huawei by Eric Tucker
Thursday saw the latest in what feels like a lengthy list of criminal charges filed against Huawei, China's embattled telecom. This week's charges add racketeering and IP theft allegations against the company and its CFO, Wanzhou Meng. According to the indictment, the United States Department of Justice claims it found "decades-long" efforts by the company and its subsidiaries to misappropriate intellectual property from six US technology companies to boost its business. According to the court filing, some of the stolen information includes trade secrets, copyrighted works like source code, and user manuals for internet routers, antenna technology, and robot testing technology. Some of the charges - like the allegation that the company rewarded employees for stealing information from competitors - previously surfaced in indictments in January 2019.
3. Voting on Your Phone: New Elections App Ignites Security Debate by Matthew Rosenberg
Expect more and more stories about voting security as we inch closer to 2020's presidential election. This one, via the New York Times, on some Massachusetts Institute of Technology research, seemed to really engage information security Twitter on Thursday. The research identified vulnerabilities in Voatz, a blockchain-based voting app that's already been used in some state elections. According to the paper – linked here (.PDF) – the app could "let attackers monitor votes being cast — and might even allow them to change ballots or block them without users' knowledge." While this New York Times article drives the point home ("... the app is so riddled with security issues that no one should be using it."), some tweets from J. Alex Halderman, a renowned voting security expert, corroborate MIT's findings too:
In my view, based on MIT's findings, no responsible jurisdiction should use Voatz in real elections any time soon. It will take major advances in security technology before Internet voting is safe enough. 11/11
— J. Alex Halderman (@jhalderm) February 13, 2020
4. China's Hacking Spree Will Have a Decades-Long Fallout by Garrett M. Graff
We reported on the DOJ's indictment of Chinese hackers for the Equifax hack on Tuesday, but this article, by Garrett M. Graff in Wired, does a great job going beyond that news, examining what the repercussions of the hack could mean when combined with other hacks also connected to China, like those of the US Office of Personnel Management, Marriott hotels, and Anthem. Graff gets to the crux of these hacks: the reality that Chinese intelligence has amassed a slew of data on Americans, data that will make identifying US intelligence officers even easier. With information like their health records, credit scores, personnel records, and so on, China's government and its Communist Party appear to have a cache of data valuable enough to feed off for years to come.
5. GDPR Compliance: Should CISO Serve as DPO? by Suparna Goswami
A quick primer via Bank Info Security on the roles of the CISO and the DPO as they relate to the General Data Protection Regulation. There are differing viewpoints here; some of those interviewed say the DPO needs to be independent, separate from the CISO. Others say that the DPO and CISO should work in tandem, as they're both working towards protecting the organization. One of the best takes, in our opinion, comes from Cathal Ryan, the assistant commissioner at Ireland's DPC: "DPO must be a strong, influential individual that sticks to their guns regardless of how the organization reacts to the issues raised... Perhaps uniformity throughout sectors is the most appropriate way to approach the role of a DPO, as each sector deals with data protection differently."