NIST announces project to develop new Privacy Framework

Jon WashburnBy Jon Washburn on Posted in Announcements, ePrivacy

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced recently that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. According to NIST Director Walter G. Copan, “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections.”

With a wide variety of privacy laws both nationally (many states have specific privacy laws, and all 50 states have breach notification laws) and internationally, an effective solution will need to be comprehensive enough to meet as many diverse privacy requirements as possible without being so onerous that it limits innovation and product development. It will also need to be flexible enough to respond over time to individuals’ changing expectations, and the continued expansion of the Internet of Things (IoT.)

NIST will be kicking off their first workshop for this conference on October 16th at the IAPP Privacy. Security. Risk. 2018 Conference in Austin, Texas, and will be posting a recording of this event on their Privacy Framework website, so stay tuned …

When was the last time you looked at RDP access?

Jon WashburnBy Jon Washburn on Posted in Cyber Attack, Cyber Crime, Data Breach, Security

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down.

In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible over the internet using Remote Desktop Protocol (RDP). Searching for devices using a tool such as Shodan will reveal thousands of IP addresses accessible over the Internet on port 3389, the default RDP port. While many devices using RDP may be secure, large numbers likely are not.  The combination of efficient search and readily-available brute-force hacking tools allows bad actors to more easily exploit RDP vulnerabilities.

If you’re not using RDP, consider blocking port 3389 at your firewall.

If you are using it, or you don’t know, we recommend taking these steps to help protect your organization from RDP attacks:

–          Review your RDP configuration to ensure that it is as secure as possible (patching, updated software, etc.)

–          Limit RDP access to only those users and devices that need it.

–          Consider enhancing remote desktop security by installing a Remote Desktop gateway.

–          Have an “account lockout policy” that will lock out user accounts after a certain number of failed login attempts, which will help thwart brute-force hacking attacks.

–      Have a strong password policy.

–      Implement two-factor authentication to ensure that a compromised password alone can’t let a bad actor onto your systems.

New threat targeting old medical imaging equipment

Jon WashburnBy Jon Washburn on Posted in Cyber Attack, Cyber Crime, HIPAA, Industrial Control Systems, Security

Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use:

https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/

While this group seems to be limiting their actions to reconnaissance and compromising systems vs. patient information, that doesn’t mean they couldn’t pivot to some other form of mischief on the systems they’ve compromised.

While some people might find it shocking to learn that their medical provider is still using Windows XP, it can be tough to get budget approval to replace a $2M MRI machine that still makes perfectly good images just because you can’t upgrade the Windows OS. Eventually these outdated devices will have to be replaced – but until then, in addition to updating them as much as possible, here are some compensating measures owners of these systems should put in place to help reduce the chance of, or spread of, an infection:

  • Isolate the equipment on the network: don’t allow the old MRI machine to talk to anything on the network it doesn’t absolutely have to talk to, especially the Internet
  • Limit elevated access to the device: no one should have “administrator” access other than the people who maintain the equipment. Why would your physicians need to (or even want to) install updates?
  • Limit the use of mapped drives and file shares: ensure the output of your devices is securely transferred to a system that manages your medical imaging output, vs. just dropping the output on open file shares. If you can see a file share, whatever’s on the file share can also see you…
  • Control removable media ports: reduce the chance that an infected USB drive could compromise the device by limiting how they are used, or disabling them altogether
  • Monitor the equipment closely: knowing about a potential compromise as soon as possible could limit the potential impact
  • Subscribe to ICS-CERT:  the Industrial Control Systems Cyber Emergency Readiness Team sends out alerts on a wide variety of industrial control vulnerabilities, including medical devices

Visiting With SKW Schwarz at IAPP’s Global Privacy Summit

Amy CarlsonBy Amy Carlson on Posted in EU, Events

Hunter Ferguson and I were joined by Dr. Matthias Orthwein and Dr. Volker Wodianka at IAPP’s Global Privacy Summit 2018.  We had many interesting discussions about GDPR, German data privacy law and DPO services. Our firms, Stoel Rives LLP and SKW Schwarz Rechtsanwalte are members of TerraLex ®, an international network of 155 leading independent law firms serving the business needs of clients around the globe. You might find SKW Schwarz’s Introduction to the German Federal Data Protection Act to be useful if you are doing business in Germany!

France – CNIL

Amy CarlsonBy Amy Carlson on Posted in EU, Regulators

France’s Commission Nationale de l’Informatique et des Libertés (“CNIL”) provides great tools and resources as well.

Germany – BfDI

Amy CarlsonBy Amy Carlson on Posted in EU, Regulators

Germany’s Bundesbeauftragte für den Datenschutz und die Informationsfreiheit published the Federal Data Protection Act to adapt GDPR. Germany provided some extensive guidance on GDPR here. Germany also publishes the standard data protection model, SDPM, in English on its site. Also available from the site are guidance materials about GDPR from the German Data Protection Conference, Datenschutzkonferenz or DSK:

  1. List Of Processing Activities
  2. Supervisory Powers / Sanctions
  3. Data Processing Of Personal Data For Advertising:
  4. Data Transmission To Third Countries:
  5. Privacy Impact Assessment:
  6. Right To Information Of Data Subjects, Article 15 DS-GVO
  7. Market Place Principle: Regulations For Non-European Companies
  8. Action Plan “DS-GVO” For Companies
  9. Certification According To Art. 42 DS-GVO
  10. Duty To Provide Information In Third-Party And Direct Collection
  11. Right To Cancellation / “Right To Be Forgotten”
  12. Data Protection Officer For Responsible Persons And Order Processors
  13. Employee Data Protection
  14. Video Surveillance
  15. Order Processing, Art. 28 GDPR
  16. Joint Data Controller, Art. 26 GDPR
  17. Special Categories Of Personal Data

UK ICO

Amy CarlsonBy Amy Carlson on Posted in EU, Regulators

The United Kingdom’s Information Commissioner’s Office (“ICO”) is a great resource for companies looking for clear DPA guidance. The ICO has provided a Guide to the GDPR which is very targeted and comprehensive as well as resources for organizations including several guides. Getting Ready For GDPR Resources is a nice package of information prepared by the ICO to assist smaller companies. Companies can also quickly report breaches when necessary. The ICO also provides a search capability of the Register Of Data Controllers.

Article 29 Working Party

Amy CarlsonBy Amy Carlson on Posted in EU, Regulators

The European Commission – Data Protection links to the Article 29 Working Party Guidelines which supplement our understanding of GDPR:

Additional “News” from the Art. 29 WP may be found here. Despite prominence on the Commission’s website, the Commission stated on December 12th, 2017 that the Art. 29 WP does not speak for the Commission (see here). Guidance, opinions and other statements of the Art. 29 WP are generally given a great deal of attention by those affected by GDPR because it is composed of the following:

  • A representative of the supervisory authority(ies) designated by each EU country;
  • A representative of the authority(ies) established for the EU institutions and bodies;
  • A representative of the European Commission.

On March 27, 2018, the Commission posted a new link to the Article 29WP archives from 1997 to November 2016.

European Commission – Data Protection

Amy CarlsonBy Amy Carlson on Posted in EU, Regulators

The European Commission – Data Protection provides links to EC data protection policies, information and services.  The Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, provides detailed guidance and resources on data transfers outside the EU, and some focused discussion of the changes to the EU data protection rules as a result of GDPR, including:

 

 

The Commission provides an interactive infographic with a countdown clock that is a glossy overview that could be useful for a very high level overview of GDPR and its implications to companies. Recently, on March 7, 2018, the Commission updated their  Overview of the National Data Protection Authorities where you can find links to each DPA. Note that many of the DPAs provide their resources in their county’s language, and not in English.

LexBlog