Never enough.
https://www.databreaches.net/ransomware-resources-for-hipaa-regulated-entities/
Ransomware Resources for HIPAA Regulated Entities
The HHS Office for Civil Rights (OCR) is sharing the following information to ensure that HIPAA regulated entities are aware of the resources available to assist in preventing, detecting, and mitigating breaches of unsecured protected health information caused by hacking and ransomware.
HHS Health Sector Cybersecurity Coordination Center Threat Briefs:
HHS Resources on Section 405(d) of the Cybersecurity Act of 2015:
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
Cybersecurity Reports and Tools https://www.phe.gov/Preparedness/planning/405d/Pages/reportandtools.aspx
OCR Guidance:
Ransomware https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Cybersecurity
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
Risk Analysis
HHS Security Risk Assessment Tool:
CISA Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches:
CISA Ransomware Guide:
FBI Ransomware Resources:
OCR Cybersecurity Newsletters:
Making a List and Checking it Twice: HIPAA and IT Asset Inventories (Summer 2020 Cybersecurity newsletter): https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html
What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware (Fall 2019 Cybersecurity Newsletter): https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-fall-2019/index.html
Phishing (February 2018 Cybersecurity Newsletter): https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf
Plan A… B… Contingency Plan! (March 2018 Cybersecurity Newsletter): https://www.hhs.gov/sites/default/files/march-2018-ocr-cyber-newsletter-contingency-planning.pdf
Cybersecurity Incidents will happen… Remember to Plan, Respond, and Report! (May 2017 Cybersecurity newsletter): https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf
REMINDER: A ransomware attack may result in a breach of unsecured protected health information that triggers reporting requirements under the HIPAA Breach Notification Rule. HIPAA covered entities and business associates should review OCR’s ransomware guidance at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf for information regarding potential breach notification obligations following a ransomware attack.
Source: HHS
Interesting ethical questions. If you can decrypt my data but refuse, can I sue you for the costs of the hack? If you notify the hack that you have their decrypt key, won’t they immediately switch to a new one?
Yes, the FBI held back REvil ransomware keys
The ransomware keys might have been acquired by an ally, which would invoke the third-party doctrine where the decision to release was not the FBI's alone.
The Washington Post reports the FBI had secretly obtained the digital key to the Russia-based ransomware group, Revil, some three weeks prior to their distributing the key. When pressed at a recent congressional hearing, FBI Director, Christopher Wray noted that delay lays within the fact that the FBI was working jointly with other agencies and allies. He explained, “We make the decisions as a group, not unilaterally.” He continued, “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
What Wray may have really been saying, without saying it, is that the FBI did not own the information that they had in their possession, the keys were, as noted, “secretly obtained,” by which agency or which ally is not revealed. The doctrine of third-party rule is that one is permitted to use the information to advance their own intelligence operations—which sources told the Washington Post was to take down REvil.
9th Circuit: Police Violated Google Users’ Privacy Rights After Automated Email Scan Detected Child Pornography
Alaina Lancaster reports:
A federal appeals court found that law enforcement violated a Google user’s constitutional rights when it opened email attachments the platform flagged as child pornography through an automated system.
The ruling comes as Apple Inc. faced backlash from privacy advocates in August after announcing a feature that scans photos on its devices for child sexual abuse materials.
In an opinion Tuesday, the U.S. Court of Appeals for the Ninth Circuit turned back the government’s arguments that its search of the email attachments qualified for an exception under the Fourth Amendment.
Read more on Law.com (subscription required)
Interesting question: would you recognize all potential workplace risks? What if your AI was not trained to recognize what seems an obvious risk?
Computer vision-powered workplace safety systems could lead to bias and other harms
Increasingly, AI is being pitched as a way to prevent the estimated over 340 million workplace accidents that occur worldwide every day. Using machine learning, startups are analyzing camera feeds from industrial and manufacturing facilities to spot unsafe behaviors, alerting managers when employees make a dangerous mistake.
(Related)
https://spectrum.ieee.org/ai-failures
7 REVEALING WAYS AIS FAIL
Interesting article. Can AI do worse?
Government by algorithm: Can AI improve human decisionmaking?
Regulatory bodies around the world increasingly recognize that they need to regulate how governments use machine learning algorithms when making high-stakes decisions. This is a welcome development, but current approaches fall short.
As regulators develop policies, they must consider how human decisionmakers interact with algorithms. If they do not, regulations will provide a false sense of security in governments adopting algorithms.
“AIs ain’t peoples! How dare they pretend to think!”
https://www.theregister.com/2021/09/22/court_of_appeal_ai_patent_inventor/
Court of Appeal says AI software cannot be listed as patent inventor
'A patent is a statutory right and it can only be granted to a person'
… Thaler has applied for multiple patents for these designs, each time naming DABUS as the inventor, in countries including the United States, UK, Australia, Israel, and South Africa.
When patent-granting agencies denied his requests, Thaler took legal action seeking to overturn those decisions. In the UK, the Intellectual Property Office rejected his applications, saying only a person or persons can be recognized as an inventor as per the nation's Patents Act. Thaler appealed to the High Court in London and lost.
… In July, he took his case to the Court of Appeal, arguing that he truly believed DABUS was the inventor, which ought to be enough to satisfy section 13(2) of the act. That section of the law calls for a patent applicant to identify the person or persons they believe to be the inventor.
On Tuesday, he was shot down by judges who upheld those previous decisions in a 2-1 judgment.
Lord Justice Birss, who wished to allow the appeal, noted that if Thaler had a "genuine belief" that DABUS was the inventor, and if the Intellectual Property Office had decided to record no such person on the forms, there would have been no reason to deny the patent.
"In my judgment Dr Thaler has complied with his legal obligations under s13(2)(a)," the judge said, referring to the section in the Patents Act.
"The fact that no inventor, properly so called, can be identified simply means that there is no name which the Comptroller has to mention on the patent as the inventor. The Comptroller in these circumstances is not obliged to name anyone (or anything). The absence of a named inventor when it is clear why no name has been given and it cannot be said the applicant is not giving their genuine belief, is no basis on which to find that s13(2) has not been complied with."
Perspective. Imagine this in the context of organizational data mining. We look for your data so machine learning can understand your business, but you don’t know where your data is?
A generation that grew up with Google is forcing professors to rethink their lesson plans
The Verge – File Not Found “Catherine Garland, an astrophysicist, started seeing the problem in 2017. She was teaching an engineering course, and her students were using simulation software to model turbines for jet engines. She’d laid out the assignment clearly, but student after student was calling her over for help. They were all getting the same error message: The program couldn’t find their files. Garland thought it would be an easy fix. She asked each student where they’d saved their project. Could they be on the desktop? Perhaps in the shared drive? But over and over, she was met with confusion. “What are you talking about?” multiple students inquired. Not only did they not know where their files were saved — they didn’t understand the question. Gradually, Garland came to the same realization that many of her fellow educators have reached in the past four years: the concept of file folders and directories, essential to previous generations’ understanding of computers, is gibberish to many modern students…”
Perspective.
https://knowledge.wharton.upenn.edu/article/whats-the-future-of-the-office/
What’s the Future of the Office?
Wharton management professor Peter Cappelli is the author of the new book, The Future of the Office: Work from Home, Remote Work, and the Hard Choices We All Face. Cappelli, who has for decades studied the forces shaping and changing the workplace, says the choices employees and employers must make about the future of work could be among the most important they face.
Brett LoGiurato: Could you share your overall message about what you believe is at stake for the future of the office?
Peter Cappelli: I don’t think it’s going to surprise many people to get the sense of how big an issue this is, about whether we go back to the office or not. If you think about the value of commercial real estate, what happens if we don’t need offices and all the supporting services and the little businesses and restaurants that support offices? And commuting? All those sorts of things matter. In addition to whether this might be better for employees, one of the things we know is that not everybody agrees that they want to work from home. There is the issue of whether it’s actually going to work for the employers, and that’s not completely clear.
No comments:
Post a Comment