Friday Five: 5/25 Edition
PHI data security worries, the Army's approach to risk management, and how GDPR will affect supply chains - catch up on the week's infosec news with this roundup!
1. Facebook is beefing up its two-factor authentication by Louise Matsakis
More modes of two-factor authentication can't be a bad thing, right? Facebook announced this week that its users are no longer bound to its code generator - previously the only 2FA option it accepted. According to Wired, users can now use apps like Duo and Google Authenticator as an added layer of security when accessing the social media site. 2FA isn't perfect, but it's certainly better than nothing; users who haven't already done so would be well served to deploy at least one form, even if it's only SMS two-factor verification.
2. Army looks to retool risk management by Lauren C. Williams
FCW offered a good idea this week of how the Army is adapting the Department of Defense's risk management framework. It's not a long read by any means, really more of an anecdote from Col. Donald Bray, the Army's acting cyber director, while at a conference held by AFCEA. It sounds as if the Army is flexible when it comes to the guidance, flexing it to fit their needs. “We're just at that point where we’re really looking at how to optimize, how to select which controls really apply to us, how to…not redo work, and how to tie that into operations so that we can continue monitoring that,” Bray told the publication.
3. Public Server Exposure Creates PHI Data Security Worries for 200K by Fred Donovan
MedEvolve, a firm that makes specialty practice management (PM) and EHR software with outsourced revenue cycle management (RCM) services, is in hot water this week after reportedly leaving the information of over 200,000 patients online for anyone to see. HealthITSecurity recapped the news, which was originally reported by databreaches.net on Thursday. The information - which included some records containing Social Security numbers - was left on a public FTP server with no login required. It's unclear how long the data was exposed, who accessed the files, or whether anyone, patients or the HHS, is being informed of the breach. Scary news regardless, but given that PHI and SSNs were exposed, one would assume the HHS would be notified soon.
4. Supply chains brace for new data standards by Craig Guillot
GDPR finally arrived, mercifully we might add, this week. The hot takes around the law showed no sign of slowing down throughout the week, however. One interesting angle that global commerce firms have hopefully already taken note of is the fact that their data and the data of any organization they do business with is also subject to GDPR. SupplyChainDive pointed out this week that unstructured data, meaning data that doesn't reside in a database and that can be text heavy and contain dates, numbers, and facts, could especially be subject to the law. “Many organizations don’t always know what kind of data they have. Companies may have ‘unstructured data’ where people have entered information about someone, filled out an application, or taken and stored images…” Craig Guillot, a journalist with the site, wrote this week.
5. Amazon Pushes Facial Recognition to Police. Critics See Surveillance Risk. by Nick Wingfield
Fairly chilling news if you're a privacy advocate this week: Amazon has apparently developed a new facial recognition system and is helping governments deploy it. The New York Times reported on the news, which was gleaned via paperwork obtained by the American Civil Liberties Union, on Tuesday. The system, Rekognition, was first introduced back in 2016, and Amazon doesn't deny marketing the software - it even hyped it in a blog post last year - but privacy advocates are concerned that a company as big as Amazon is marketing it to governments. The ACLU says the technology is ripe for abuse, especially if it’s used in real-time surveillance scenarios.