Thursday, September 17, 2020

Oops! We didn’t mean to kill you, sorry.

https://www.databreaches.net/did-ransomware-threat-actors-hit-a-german-medical-clinic-by-mistake-either-way-someone-died-as-a-result/

Did ransomware threat actors hit a German medical clinic by mistake? Either way, someone died as a result.

It was our nightmare realized: a medical center was completely paralyzed by a ransomware attack and someone died as a result.

As of last week, the University Clinic in Düsseldorf reported that it was in a state of emergency. Operations had been canceled, and ambulances had to be redirected to other clinics. On September 10, the clinic had posted an announcement:

A Google translation reads, in part:

There is currently an extensive IT failure at the University Hospital Düsseldorf (UKD). This means, among other things, that the clinic can only be reached to a limited extent – both by telephone and by email.

The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made.

Days later, the clinic remained paralyzed and unable to function normally, even as of yesterday.

And now we read that the threat actors’ attack has resulted in a death. Associated Press reports:

German authorities say a hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.

Did the threat actors intend to hit the hospital? They may not have. According to the AP, citing German authorities, the extortion note appeared intended for the affiliated university, not the hospital. And when “police told hackers the hospital was affected, they provided a decryption key. The hackers are no longer reachable, they said.”

Does it matter that the threat actors may not have intended to hit the hospital and just hit it in error? Their criminal actions resulted in the death of someone, and they should be held accountable for that.

So far, I can find no mention of what type of ransomware this was or who the threat actors were.





I’m sure that EU police would share this software with US police if they were asked. And I bet they will be asked if it can be tweaked to work on other phones.

https://www.vice.com/en_us/article/k7qjkn/encrochat-hack-gps-messages-passwords-data?&web_view=true

European Police Malware Could Harvest GPS, Messages, Passwords, More

The malware that French law enforcement deployed en masse onto Encrochat devices, a large encrypted phone network using Android phones, had the capability to harvest "all data stored within the device," and was expected to include chat messages, geolocation data, usernames, passwords, and more, according to a document obtained by Motherboard.





Worth a listen?

https://www.insideprivacy.com/data-security/inside-privacy-audiocast-episode-4-a-look-into-the-aclu-of-californias-position-on-the-cpra/

Inside Privacy Audiocast: Episode 4 – A Look into the ACLU of California’s Position on the CPRA

On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California.





We’re willing to protect your privacy, except when it become inconvenient.

COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic

A snippet from the Executive Summary of a new report written by Robert Gellman and Pam Dixon:

This report offers an analysis of existing laws and practices regarding both types of HIPAA COVID-19 waivers. The report recommends that, when the current emergency subsides, the Secretary of HHS review in a systematic way the privacy, security, and legal questions about all HIPAA waivers. The report further recommends that HHS prepare for future health emergencies with advance planning for HIPAA waiver practices. The report recommends that the National Committee on Vital and Health Statistics be tasked with the fact-finding and policy work needed to develop legislative and administrative recommendations for HIPAA waivers. Discussions about HIPAA waivers should involve all relevant stakeholders. Finally, once the Secretary completes a review of waiver authority, the report recommends that the US Congress reform the statutory HIPAA waiver rules.

You can download their analysis and full report here.





For the pandemic and beyond.

https://www.cpomagazine.com/data-protection/adapting-data-governance-to-wfh-reality/

Adapting Data Governance to WFH Reality

Even if the pandemic subsides, the work from home movement is here to stay. Numerous companies have pushed out plans to return workers to offices and, even then, remote work will likely be more possible for more workers. Twitter, for one, has said WFH is a permanent option.

This all means that companies, many of whom shifted to remote workforces almost overnight earlier this year, should double check that data privacy and security policies are in place to enable a secure and efficient WFH workforce—while protecting consumer and corporate data.

This is no small task. Even before the pandemic and WFH rush, companies were having trouble complying with the European Union’s General Data Protection Regulation, passed in 2018, says consulting firm, McKinsey & Company.

Yet the goal for stepping up WFH data governance isn’t simply compliance. The ultimate aim is to go forward with policies and procedures that enable better results and build brand trust with consumers, business partners and others.

Here are four strategic steps to help enterprises update data governance and the WFH reality:





Could every company or industry do this?

https://www.bespacific.com/encyclopedia-of-ethical-failure/

Encyclopedia of Ethical Failure

U.S Department of Defense Standards of Conduct Office – Encyclopedia of Ethical Failure1Revised October 2019

The Standards of Conduct Office of the Department of Defense General Counsel’s Office has assembled the following selection of cases of ethical failure for use as a training tool. Our goal is to provide DoD personnel with real examples of Federal employees who have intentionally or unwittingly violated the standards of conduct. Some cases are humorous, some sad, and all are real. Some will anger you as a Federal employee and some will anger you as an American taxpayer…”



No comments: