The Future of Microphones in Connected Devices

Future of Privacy Forum (FPF) released a new infographic: Microphones & the Internet of Things: Understanding Uses of Audio Sensors in Connected Devices (read the press release here). From Amazon Echos to smart TVs, we are seeing more home devices integrate microphones, often to provide a voice user interface powered by cloud-based speech recognition. Last year, we wrote about the “voice first revolution” in a paper entitled “Always On: Privacy Implications of Microphone-Enabled Devices.” That paper drew early distinctions between different types of consumer devices and provided initial best practices for companies to design their devices and policies in a way that builds trust and understanding. Since then, microphones in home devices — and increasingly, in city sensors and other out-of-home systems — have continued to generate privacy concerns. This has been particularly notable in the world of children’s toys, where the sensitivity of the underlying data invites heightened scrutiny (leading the Federal Trade Commission to update its guidance and clarify that the Children’s Online Privacy Protection Act applies to data collected from toys). Meanwhile, voice-first user interfaces are becoming more ubiquitous and may one day represent the “normal,” default method of interacting with many online services and connected devices, from our cars to our home security systems.

As policymakers consider the existing legal protections and future direction for the Internet of Things, it’s important to first understand the wide range of ways that these devices can operate. In this infographic, we propose that regulators and advocates thinking about microphone-enabled devices should be asking three questions: (1) how the device is activated; (2) what kind of data is transmitted; and, on the basis of those two questions, (3) what are the legal protections that may already be in place (or not yet in place).

#1 – ACTIVATION

In this section, we distinguish between Manual, Always Ready (i.e., speech-activated), and Always On devices. Always Ready devices often have familiar “wake phrases” (e.g., “Hey Siri”). Careful readers will notice that the term “Always Ready” applies broadly to devices that buffer and re-record locally (e.g., for Amazon Echo it is roughly every 1-3 seconds), and transmit data only when they detect a sound pattern. Sometimes that pattern is a specific phrase (“Alexa”), but it can sometimes be customizable (e.g., Moto Voice lets you record your own launch phrase), and sometimes it need not be a phrase at all — for example, a home security camera might begin recording when it detects any noise. Overall, Always Ready devices have serious benefits and (if designed with the right safeguards) can be more privacy protective than devices designed to be on and transmitting 100% of the time.

#2 – DATA TRANSMITTED

In this section, we demonstrate the variety of data that can be transmitted via microphones. If a device is designed to enable speech-to-text translation, for example, it will probably need to transmit data from within the normal range of human hearing — which, depending on the sensitivity, might include background noises like traffic or dogs barking. Other devices might be designed to detect sound in specialized ranges, and still others might not require audio to be transmitted at all. With the help of efficient local processing, we may begin to see more devices that operate 100% locally and only transmit data about what they detect. For example, a city sensor might alert law enforcement when a “gunshot” pattern is detected.
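To make the distinction in the two sections above concrete (Always On versus Always Ready in #1, and fully local detection that transmits only metadata in #2), here is a small simulation. It is an added example, not FPF's code or any vendor's firmware: the frame size, the buffer length, the amplitude-threshold stand-in for a wake-word or sound-pattern classifier, and the sample audio stream are all constructed assumptions. Manual devices are omitted because nothing is captured until the user acts.

```python
"""
Simulation of three microphone designs: Always On, Always Ready
(local ring buffer plus pattern trigger) and fully local detection.
Constructed example; the detector and the audio stream are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

FRAME_BYTES = 100      # bytes of audio per frame (constructed)
BUFFER_FRAMES = 8      # local ring buffer, standing in for the 1-3 s of buffering described above


@dataclass
class Frame:
    t: int             # frame index, standing in for a timestamp
    samples: bytes


@dataclass
class Uplink:
    """Everything that leaves the device: raw audio bytes and metadata events."""
    audio_bytes: int = 0
    events: list = field(default_factory=list)


def matches_pattern(frame: Frame, threshold: int = 128) -> bool:
    """Stand-in for a local wake-word or sound-pattern classifier.
    Fires when the mean amplitude exceeds the threshold (assumed heuristic)."""
    return sum(frame.samples) / len(frame.samples) > threshold


def always_on(stream, uplink: Uplink) -> None:
    """Always On: every frame is transmitted for cloud processing."""
    for f in stream:
        uplink.audio_bytes += len(f.samples)


def always_ready(stream, uplink: Uplink, follow_frames: int = 4) -> None:
    """Always Ready: frames are overwritten locally; only when the pattern fires
    does the buffered context plus a short follow-on window get transmitted."""
    buf = deque(maxlen=BUFFER_FRAMES)
    remaining = 0
    for f in stream:
        if remaining:                       # inside the window after a wake
            uplink.audio_bytes += len(f.samples)
            remaining -= 1
            continue
        buf.append(f)                       # the oldest frame is silently discarded
        if matches_pattern(f):
            uplink.events.append(("wake", f.t))
            uplink.audio_bytes += sum(len(x.samples) for x in buf)
            buf.clear()
            remaining = follow_frames


def local_only(stream, uplink: Uplink) -> None:
    """Fully local processing: audio never leaves the device, only a detection record does."""
    for f in stream:
        if matches_pattern(f):
            uplink.events.append(("pattern_detected", f.t))


def build_sample_stream(n: int = 40, loud: tuple = (20, 21)):
    """Constructed stream: quiet frames except for the indices listed in `loud`."""
    return [Frame(i, (b"\xff" if i in loud else b"\x10") * FRAME_BYTES) for i in range(n)]


def compare(stream) -> dict:
    """Per design, how many audio bytes left the device and which events were sent."""
    results = {}
    for name, policy in (("always_on", always_on),
                         ("always_ready", always_ready),
                         ("local_only", local_only)):
        up = Uplink()
        policy(stream, up)
        results[name] = (up.audio_bytes, list(up.events))
    return results


if __name__ == "__main__":
    for name, (nbytes, events) in compare(build_sample_stream()).items():
        print(f"{name:13s} audio bytes sent: {nbytes:5d}  events: {events}")
```

Running it shows the three outcomes side by side for the same 40-frame stream: Always On ships all 4,000 bytes, Always Ready ships the 800-byte buffer plus a 400-byte follow-on window and one wake event, and the local-only design ships no audio at all, only two detection records. The point of the comparison is that the privacy outcome is a property of the buffering and trigger design, not of the microphone being present.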

#3 – WHAT ARE THE EXISTING LEGAL PROTECTIONS?

In this section, we identify the federal and state laws in the United States that may be leveraged to protect consumers from unexpected or unfair collection of data using microphones. Although not all laws will apply in all cases, it’s important to note that certain sectoral laws (e.g. HIPAA) are likely to apply regardless of whether the same kind of data is collected through writing or through voice. In other instances, the broad terms of state anti-surveillance statutes and privacy torts may be broadly applicable. Finally, we outline a few considerations for companies seeking to innovate, noting that privacy safeguards must be two-fold: technical and policy-driven.

Download the full infographic here.

Source: FPF.org

Hacker ER Doctor Says Medical IoT Devices are a Security Disaster

Doctors — particularly the ones that work in emergency rooms — need to have strong stomachs and level heads, since they see illness and injury at their most serious. Violence, accidents and serious diseases are all a matter of routine in the ER.

Dr. Christian Dameff is a faculty member at UC San Diego’s medical school, has seen all of that and more, since he’s also a white-hat hacker and expert in medical IoT security. He warned the audience on Thursday at the Security of Things USA convention in San Diego that the state of that security is, frankly, alarming.

Technology is a central underpinning of all modern medical treatment, according to Dameff. Many younger doctors have never worked with paper charts, or written paper prescriptions, or looked at x-rays on a lightbox – it’s all digital.

“Software powers modern healthcare. It is as essential as antibiotics, x-rays and surgery combined,” he said. “Without our technical systems, doctors today are essentially helpless for taking care of strokes, heart attacks and traumas.”

There are two central issues, according to Dameff. Part of the problem is that security discussions in the medical field focus heavily on data security, mostly for regulatory reasons.

“When we talk about information security in healthcare, we talk about the HIPAA hammer,” he said, “because the fear of a HIPAA fine, and the fact that we have hundreds of data breaches every single year, has made this the focal point of your conversation.”

But a bigger issue is that the connected devices used to automate and speed up the tasks of care required by modern medicine are cripplingly, astonishingly vulnerable to compromise by outside agents.

The problem has existed for a long time, Dameff said, but the 2011 story of Jay Radcliffe, a diabetic security expert who discovered that a connected insulin pump he used was trivially easy to hack, helped bring the scale of the problem to the public’s attention.

“What surrounds the patient are dozens of wirelessly connected devices that are running legacy operating systems, that are unpatched, that have hard-coded credentials you can Google – that are controlling potent medications being infused into this patient that, if miscalculated or altered, can cause this patient to die. That is the state of modern healthcare IoT. We need to change it.”

Device makers need to work with doctors directly, Dameff argued, in order to usher in a newly holistic approach to the creation of medical IoT gear.

“Have them help you identify points of your product that, if it should fail, would result in patient harm, not just a compromise of their medical health information,” he said.

Hacked hospitals

Nor are connected devices the only way that poor security affects hospitals. Aging, unpatched IT systems are vulnerable to a huge array of known hacks, and notorious attacks like WannaCry can knock entire hospital systems, full of custom hardware, offline.

For the everyday user, this is a headache, but for a healthcare provider, it’s a much more serious issue. Ransomware and denial of service kill people, Dameff stated, by inches – when the hospital’s systems are down, it hinders urgent care, so patients suffering from heart attacks or strokes have their treatment delayed by crucial minutes or even hours. That can mean permanent disability or death.

“We can’t take care of stroke patients without functioning CT scanners. We just can’t,” he said.

3 Internet Scams Targeting Seniors and How to Avoid Them

Worried you or a loved one could be fooled by a scammer? Seniors are increasingly being targeted by online scams that drain their bank accounts and threaten their futures. Here’s what you need to know to protect your family.

Why Do Scams Target Senior Citizens?

Seniors are popular targets for con artists for several reasons. For one, seniors are more likely to have nest eggs than their younger counterparts, according to the FBI. Moreover, since today’s elderly didn’t grow up with the internet, they’re less web-savvy and may be more likely to trust people online. Some scams also prey on seniors’ love for family members, and since many older adults live separate from extended family, they may not immediately recognize scammers’ stories as false.

Internet Security Scams

According to a report by the U.S. Senate Committee on Aging, a common ploy is for fake tech support employees to contact seniors about virus-riddled computers. After gaining a senior’s trust, a scammer asks for remote access to their computer so they can fix the problem. The scammer may then demand money to fix the invented problem or install spyware, malware or ransomware onto the senior’s computer. This type of scam is so common that, in a survey, 15 percent of people reported receiving a similar call, and 80 percent of people who fell for the scam lost money.

A few simple rules can help protect seniors from this crime: If you need tech support, contact the company directly using information from the company website or product packaging. Don’t give credit card information if someone calls claiming to be from tech support. If someone pressures you to provide credit card information or computer access over the phone, hang up.

Romance Scams

Americans lost more than $230 million to romance scams in 2016 alone, making this growing scam a major threat to seniors’ financial security. This ploy typically victimizes older women who are widowed or divorced. Typically, a scammer poses as an eligible bachelor on dating sites or social networks and forges an intimate connection before asking for money. Since the request comes after a relationship has been formed and is accompanied by a sympathetic backstory, victims willingly give money with the belief they’re helping a loved one in need. Only after they’ve lost thousands, if not tens of thousands, of dollars do they realize they’ve been swindled. Unfortunately, by then the scammer and the money are long gone.

Avoiding this scam doesn’t have to mean swearing off online dating, but seniors should be cautious of people they meet online, especially if they can’t verify their existence in person. Reverse image search profile photos to see if they’re stolen, ask to meet in person before advancing a relationship and never send money to anyone you don’t know personally, no matter how strong of a connection you feel.

Counterfeit Check Scams

While counterfeit check scams don’t happen entirely online, they often start there. Seniors who buy or sell items online are most vulnerable to this tactic, but anyone with an email address or social media account can be targeted. In one version, seniors receive a message that they’ve won a foreign lottery. In the other, they receive a message from someone offering to buy something the senior is selling on Craigslist or another online marketplace. In both manifestations, the check received is worth more than it should be and the victim is told to remit taxes and fees or wire back the overpayment. By the time the cashier’s check is detected as fake, the senior has sent their own money to the scammer.

Stay away from this scam by never accepting overpayment for an item you’re selling and never sending money by wire transfer. When buying and selling goods online, online payment services like PayPal are a safer choice. Never pay for a prize or gift that is supposed to be free, and be suspicious of winning any lottery or drawing you don’t recall entering.

For young, tech-savvy adults, spotting scams may not be too challenging; however, seniors may have a harder time detecting predatory behavior online. Share this information with the seniors in your life so they can watch out for harmful scams.

6 Safety Tips to Protect Your Kids From Catfishing and Other Online Threats

There are several threats to children going online for the first time, supervised or otherwise. Before you let them loose, make sure they appreciate the risks by sharing this guide with them. Ensure that they are as capable as you of protecting your family from privacy and personal security risks online.

What Is Catfishing?

Named after a documentary (see video trailer below) in which the truth and lies of online dating are highlighted, “catfishing” is the insidious act of creating a fake online identity. But this isn’t (usually) a scam to squeeze money out of you. The purpose of catfishing is to fool an individual (typically someone with romantic intentions) and ultimately humiliate them.

https://youtu.be/1xp4M0IjzcQ

So, how is this done? In short, it’s all about digital fakery, with the perpetrator pretending to be someone they’re not. This is achieved by posting false personal information, specifically using someone else’s profile pictures, on social media sites. The aim is to trick someone into falling in love with the scammer.

Catfishing is typically aimed at children (mainly teenagers) and young adults, but not always. Regardless of age, you should be concerned about catfishing. Fortunately, there is plenty you can do to reduce (or completely negate) its impact.

1. Make Friends Offline

Before you go online, remember the importance of healthy relationships offline. Talking to people face to face, enjoying trips and games — these are far superior to digital exchanges. Although social networking is about communication, verbal, present discussion is far more important and valuable than anything done on a phone or computer.

The digital aspect is really just a gimmick, a shortcut. Keep it genuine. Expanding on this further, it’s not embarrassing or creepy to let your friends meet your parents, or vice versa. It’s useful to put a face to a name. And if a lift to the cinema or a party is ever required, it avoids unnecessary awkward moments.

2. Don’t “Friend” Strangers

Getting access to a social network for the first time is exciting. But like anything, you shouldn’t get overexcited. Stick to the same core group of friends that you have at school or college. If you know a person well in real life, then add them on Facebook (or your social network of choice).

When it comes to strangers, things change. Even if the person is cute/handsome/attractive or whatever, if you have yet to meet them in real life, don’t add. It’s a simple rule that guarantees safety.

Unfortunately, social networks don’t help, throwing up “people you may know”-style suggestions all the time. Incoming friend requests don’t help either. So just remember that rule: Don’t know them? Don’t add them!

3. Set Privacy Controls on Your Social Networks

Social networking services come with privacy controls. Typically, these are enabled, but often not to the full extent. As we don’t know which social network(s) you’re using, we can’t possibly go through every single option. However, as a general rule, you should set privacy settings to restrict anyone who isn’t a friend from seeing photos — including the profile pic.

In Facebook, open Settings > Privacy and ensure the options are set to Friends or Only Me. This way, your Facebook account will be protected from being viewed by strangers.

4. Don’t Put Personal Photos on Twitter

Access and privacy are a little more complicated on Twitter. Tweets and photos — including profile pics — can be quickly taken out of your control here, thanks to retweets. Within minutes, a photo can go viral, or it can be whisked away for catfishing, before you’ve had a chance to deal with privacy settings.

It’s worth, therefore, opening the Settings page for your Twitter account, going to Privacy and safety, then checking Protect your Tweets. Doing so blocks strangers from viewing your tweets. Anyone who wishes to follow you on Twitter must henceforth be approved. This tightens things up nicely.

Clearing the check against Tweet with a location will help maintain privacy with regards to your location. Meanwhile, you should also select Do not allow anyone to tag you in photos to maintain photo security.

Note that anyone who already follows you prior to protecting your account will still be able to view your tweets and photos. You can, of course, block any of these previous contacts by opening the Followers page, selecting the vertical ellipsis, and selecting Block @[username].

You should also disable the option to Receive Direct Messages from anyone, limiting this facility only to your friends.

5. Search Google Images

There are at least two victims in catfishing: the target, and the person whose photo is used as a fake profile. Often, these are just models, photos of random attractive people picked up from a Google search. Fortunately, this same tool can be used to track photos.

For instance, if you’re concerned that your profile photo has been misused, you can check. Simply open Google Images at images.google.com, and drag the profile pic from your computer into the browser window. All instances of the photo online will then be displayed.

You can use the same tool to check the photos of your contacts. Of course, you shouldn’t have any followers who aren’t already known to you in real life, but if you do, use Google Image Search to verify their honesty (or otherwise).

6. Delete Inactive Accounts

What if you already have a social media account that you’ve forgotten about? Older readers might have a dead MySpace account, leaking their secrets. If you’re younger, perhaps you have an Instagram account that you don’t really use. Either way, these accounts are ripe for farming by catfishing identity thieves.

It can take a while to regain access to old accounts, but it is worth doing so. You’ll often need access to older email accounts, but in some cases, simply being able to recall the setup information (like the name of the email account) will be enough to forward the credentials to your new account.

Once you’ve gained access, delete the photos on the social network profile, and then delete the account.

Beyond Catfishing

These tips will help shore up privacy holes in a more general way too, giving your child the opportunity to protect him or herself from other online threats.

Moving forward, this whole exercise is a good starting point to safe activity online. Underline the fact that an internet connection doesn’t just deliver the positives of social interaction into your home. The negatives are often included too. Taking steps to mitigate these risks will educate your child, and help to guarantee online safety in future.

No. 1 Patient Safety Threat? Ransomware, Cyberattacks

ECRI Institute Releases List of Top 10 Health Technology Hazards

While dirty hospital mattresses and the failure to properly disinfect medical gear are among top safety risks posed to patients, ransomware and other cyberattacks will pose even bigger threats to patients in 2018, according to the ECRI Institute. The non-profit patient safety research organization named ransomware and cybersecurity threats as the No. 1 health technology hazard for 2018.

"This is the first year ransomware has been included in the ECRI Institute's Top 10 Health Technology Hazards list," says Juuso Leinonen, senior project engineer at the health devices group of ECRI. "Cybersecurity topics have been covered in the past, but this is the first year a cybersecurity topic has been ranked No. 1 in the list."

During the past year, ransomware showed its potential to disrupt healthcare delivery, he says. "We saw several global ransomware attacks that impacted various organizations, including some hospitals. Ransomware has the potential to impact technologies crucial for patient care, such as patient information systems and medical devices," Leinonen says. "Lack of access to these systems and devices can result in compromise or delay to patient care, which can lead to patient harm. Ransomware can also result in financial losses due to disruption to hospital operations such as postponed appointments and elective surgeries."

ECRI's top 10 list of health technology hazards identifies the potential sources of danger involving medical devices and other health technologies that the research organization says warrant the greatest attention for the coming year.

Global Health Threat

Global attacks, including those involving WannaCry and NotPetya, have had a heavy impact on the healthcare sector across the globe so far this year, from the National Health System in the United Kingdom to medical device manufacturers including Bayer AG and pharmaceutical giant Merck.

During the WannaCry ransomware attacks back in May, at least two U.S. hospitals reported that their imaging systems from Bayer AG had been infected.

Numerous other hospitals and clinics in the U.S. have also been victims of ransomware attacks that have greatly disrupted the delivery of patient care.

For instance, just last month, Arkansas Oral & Facial Surgery Center acknowledged that a ransomware attack in July not only shut down access to some electronic patient data but also rendered imaging files, including X-rays, inaccessible for an undisclosed period of time.

One of the highest-profile cyberattacks in 2016, which was suspected of involving ransomware, greatly disrupted patient care for several days at MedStar Health. The 10-hospital system serving the Maryland and Washington area said it shut down many of its systems to avoid the spread of malware.

Ransomware and Medical Devices

The Food and Drug Administration recently called attention to the risks malware poses to medical devices. In an Oct. 31 blog post, Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, wrote: "A computer virus or hack resulting in the loss of or unauthorized use of data is one thing. A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device."

Schwartz, who'll be a speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 14-15, wrote that the FDA "encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner" to avoid having their products compromised by ransomware or other cybersecurity threats.

Taking Action

Managing cybersecurity in a healthcare environment is extremely difficult, ECRI's Leinonen says, because a hospital might have "thousands of devices from hundreds of vendors."

Healthcare facilities need to acknowledge that mitigating the risk of ransomware is not solely a problem for IT, he stresses.

"Collaboration within your organization is a key to success. Various departments, including IT, clinical engineering, information security, risk management, purchasing and clinicians all have a part to play," he says.

Susan Lucci, chief privacy officer and senior consultant at security consultancy Just Associates, says all healthcare entities can take two steps to better prepare and deal with emerging cyber issues that can pose a hazard to patient privacy and safety.

"Have a well-established privacy and security committee that meets to review subjects like this regularly, and have a clearly defined breach response plan and breach response team to quickly respond to immediate threats that may arise," she says.

Malware can pose risks to patients in several ways, says Curt Kwak, CIO of Proliance Surgeons in Washington state. "Ransomware will halt workflows, halt data processing and the [malware's] ongoing threat of data corruption could jeopardize the practitioner's trust in the data that they are utilizing to treat their patients," he says.

Nevertheless, some organizations fail to realize that ransomware poses a threat to patient safety, says Keith Fricke, principal consultant at tw-Security. For example, he notes, "those entities that have experienced ransomware events may have been inconvenienced by files getting encrypted that did not directly impact patient care." So they may not see ransomware as a patient safety issue.

Fricke says many organizations' data backup plans are insufficient, putting them at additional risk. "In addition, those with mature backup strategies have to be wary of ransomware-encrypted files getting replicated to their offsite backups," he points out.
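The caveat above, that encrypted files can be replicated into offsite backups, is one a backup pipeline can check for before it copies a staging set offsite. The following is an added example, not tw-Security's or any vendor's code. It assumes the previous good snapshot left a manifest of per-file entropy (path to bits per byte) and uses two signals: a file that was structured, low-entropy data last time now looking like random data, and a known file disappearing while a longer-named variant with random content appears in its place. The threshold, the policy ratio and the sample file sets are constructed assumptions.

```python
"""
Pre-replication check for a backup staging set: flag files that look like
they were encrypted since the last snapshot and refuse to replicate offsite
if too many are affected. Constructed example; thresholds are assumptions.
"""
import math
from collections import Counter

HIGH_ENTROPY = 7.5        # bits/byte; encrypted data sits close to 8.0 (assumed threshold)
MAX_SUSPECT_RATIO = 0.05  # block replication if more than 5% of files look encrypted (assumed policy)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the bytes, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_suspects(files: dict[str, bytes], previous: dict[str, float]) -> list[str]:
    """Return paths in the current set that look encrypted relative to the last snapshot."""
    suspects = set()
    for path, data in files.items():
        ent = shannon_entropy(data)
        prev_ent = previous.get(path)
        # Signal 1: a file seen before with low-entropy content is now near-random.
        if prev_ent is not None and prev_ent < HIGH_ENTROPY <= ent:
            suspects.add(path)
        # Signal 2: a new, near-random file whose name extends a known file that
        # has vanished (e.g. an extra extension appended after encryption).
        if prev_ent is None and ent >= HIGH_ENTROPY:
            for old in previous:
                if old not in files and path != old and path.startswith(old):
                    suspects.add(path)
                    break
    return sorted(suspects)


def should_replicate(files: dict[str, bytes], previous: dict[str, float]) -> tuple[bool, list[str]]:
    """Gate decision: (ok_to_replicate, suspect_paths)."""
    suspects = find_suspects(files, previous)
    ratio = len(suspects) / len(files) if files else 0.0
    return ratio <= MAX_SUSPECT_RATIO, suspects


def sample_previous_manifest() -> dict[str, float]:
    """Entropy recorded at the last good snapshot (constructed values)."""
    return {"notes.txt": 4.1, "patients.csv": 4.6, "scan-001.jpg": 7.9}


def sample_infected_set() -> dict[str, bytes]:
    """Constructed staging set after an encryption event."""
    return {
        "notes.txt": b"Patient intake notes, bed 4: stable overnight.\n",
        "patients.csv.locked": bytes(range(256)) * 4,   # every byte value equally often: 8.0 bits/byte
        "scan-001.jpg": bytes(range(256)) * 2,          # image data is legitimately high-entropy
    }


def sample_clean_set() -> dict[str, bytes]:
    """Constructed staging set with nothing unusual."""
    return {
        "notes.txt": b"Patient intake notes, bed 4: stable overnight.\n",
        "patients.csv": b"id,name,ward\n1,Doe,4\n2,Roe,2\n",
        "scan-001.jpg": bytes(range(256)) * 2,
    }


if __name__ == "__main__":
    manifest = sample_previous_manifest()
    for label, files in (("infected", sample_infected_set()), ("clean", sample_clean_set())):
        ok, suspects = should_replicate(files, manifest)
        print(f"{label:8s} replicate={ok} suspects={suspects}")
```

The comparison against the previous manifest is what keeps the check useful: high entropy alone would flag every JPEG and ZIP in a legitimate backup, so the scan only reacts to a change in a file's character or to a known file being replaced by a renamed, random-looking one. In practice the manifest would be written by the same job that took the last snapshot, and a blocked replication should page someone rather than silently retry.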

And because ransomware and other cyberattacks show no sign of abating, Kwak stresses that it's "critical for the organizations to continue to monitor and protect their data environment and educate their end users on the best cybersecurity practices."