Never enough.
https://www.databreaches.net/ransomware-resources-for-hipaa-regulated-entities/
Ransomware Resources for HIPAA Regulated Entities
The HHS Office for Civil Rights (OCR) is sharing the following information to ensure that HIPAA regulated entities are aware of the resources available to assist in preventing, detecting, and mitigating breaches of unsecured protected health information caused by hacking and ransomware.
HHS Health Sector Cybersecurity Coordination Center Threat Briefs:
January 28, 2021 – ATTACK for Emotet
March 12, 2021 – New Ryuk Variant Analyst Note
April 8, 2021 – Ryuk Variants
May 25, 2021 – Conti Ransomware Analyst Note
June 3, 2021 – Ransomware Trends 2021
July 8, 2021 – Conti Ransomware
July 8, 2021 – Phobos Ransomware Analyst Note
August 5, 2021 – Qbot/QakBot Ransomware
August 6, 2021 – Lazio Ransomware Attack Analyst Note
August 19, 2021 – REvil Update
August 24, 2021 – OnePercent Group Ransomware Alert
August 25, 2021 – IOCs Associated with Hive Ransomware Alert
September 2, 2021 – Demystifying BlackMatter
HHS Resources on Section 405(d) of the Cybersecurity Act of 2015:
OCR Guidance:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
HHS Security Risk Assessment Tool:
CISA Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches:
CISA Ransomware Guide:
FBI Ransomware Resources:
OCR Cybersecurity Newsletters:
REMINDER: A ransomware attack may result in a breach of unsecured protected health information that triggers reporting requirements under the HIPAA Breach Notification Rule. HIPAA covered entities and business associates should review OCR’s ransomware guidance at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf for information regarding potential breach notification obligations following a ransomware attack.
Source: HHS
Interesting ethical questions. If you can decrypt my data but refuse, can I sue you for the costs of the hack? If you notify the hackers that you have their decryption key, won’t they immediately switch to a new one?
https://www.csoonline.com/article/3633667/yes-the-fbi-held-back-revil-ransomware-keys.html#tk.rss_all
Yes, the FBI held back REvil ransomware keys
The ransomware keys might have been acquired by an ally, which would invoke the third-party doctrine where the decision to release was not the FBI's alone.
The Washington Post reports the FBI had secretly obtained the digital key to the Russia-based ransomware group, REvil, some three weeks prior to their distributing the key. When pressed at a recent congressional hearing, FBI Director Christopher Wray noted that the delay lay in the fact that the FBI was working jointly with other agencies and allies. He explained, “We make the decisions as a group, not unilaterally.” He continued, “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
What Wray may have really been saying, without saying it, is that the FBI did not own the information that they had in their possession; the keys were, as noted, “secretly obtained,” by which agency or which ally is not revealed. The doctrine of third-party rule is that one is permitted to use the information to advance their own intelligence operations—which sources told the Washington Post was to take down REvil.
https://www.pogowasright.org/9th-circuit-police-violated-google-users-privacy-rights-after-automated-email-scan-detected-child-pornography/
9th Circuit: Police Violated Google Users’ Privacy Rights After Automated Email Scan Detected Child Pornography
Alaina Lancaster reports:
A federal appeals court found that law enforcement violated a Google user’s constitutional rights when it opened email attachments the platform flagged as child pornography through an automated system.
The ruling comes as Apple Inc. faced backlash from privacy advocates in August after announcing a feature that scans photos on its devices for child sexual abuse materials.
In an opinion Tuesday, the U.S. Court of Appeals for the Ninth Circuit turned back the government’s arguments that its search of the email attachments qualified for an exception under the Fourth Amendment.
Read more on Law.com (subscription required)
Interesting question: would you recognize all potential workplace risks? What if your AI was not trained to recognize what seems an obvious risk?
https://venturebeat.com/2021/09/21/computer-vision-powered-workplace-safety-systems-could-lead-to-bias-and-other-harms/
Computer vision-powered workplace safety systems could lead to bias and other harms
Increasingly, AI is being pitched as a way to prevent the estimated over 340 million workplace accidents that occur worldwide every day. Using machine learning, startups are analyzing camera feeds from industrial and manufacturing facilities to spot unsafe behaviors, alerting managers when employees make a dangerous mistake.
(Related)
https://spectrum.ieee.org/ai-failures
7 REVEALING WAYS AIS FAIL
Interesting article. Can AI do worse?
https://thehill.com/opinion/technology/573252-government-by-algorithm-can-ai-improve-human-decisionmaking
Government by algorithm: Can AI improve human decisionmaking?
Regulatory bodies around the world increasingly recognize that they need to regulate how governments use machine learning algorithms when making high-stakes decisions. This is a welcome development, but current approaches fall short.
As regulators develop policies, they must consider how human decisionmakers interact with algorithms. If they do not, regulations will provide a false sense of security in governments adopting algorithms.
“AIs ain’t peoples! How dare they pretend to think!”
https://www.theregister.com/2021/09/22/court_of_appeal_ai_patent_inventor/
Court of Appeal says AI software cannot be listed as patent inventor
'A patent is a statutory right and it can only be granted to a person'
… Thaler has applied for multiple patents for these designs, each time naming DABUS as the inventor, in countries including the United States, UK, Australia, Israel, and South Africa.
When patent-granting agencies denied his requests, Thaler took legal action seeking to overturn those decisions. In the UK, the Intellectual Property Office rejected his applications, saying only a person or persons can be recognized as an inventor as per the nation's Patents Act. Thaler appealed to the High Court in London and lost.
…
In July, he took his case to the Court of Appeal, arguing that he truly believed DABUS was the inventor, which ought to be enough to satisfy section 13(2) of the act. That section of the law calls for a patent applicant to identify the person or persons they believe to be the inventor.
On Tuesday, he was shot down by judges who upheld those previous decisions in a 2-1 judgment.
Lord Justice Birss, who wished to allow the appeal, noted that if Thaler had a "genuine belief" that DABUS was the inventor, and if the Intellectual Property Office had decided to record no such person on the forms, there would have been no reason to deny the patent.
"In my judgment Dr Thaler has complied with his legal obligations under s13(2)(a)," the judge said, referring to the section in the Patents Act.
"The fact that no inventor, properly so called, can be identified simply means that there is no name which the Comptroller has to mention on the patent as the inventor. The Comptroller in these circumstances is not obliged to name anyone (or anything). The absence of a named inventor when it is clear why no name has been given and it cannot be said the applicant is not giving their genuine belief, is no basis on which to find that s13(2) has not been complied with."
Perspective. Imagine this in the context of organizational data mining. We look for your data so machine learning can understand your business, but you don’t know where your data is?
https://www.bespacific.com/a-generation-that-grew-up-with-google-is-forcing-professors-to-rethink-their-lesson-plans/
A generation that grew up with Google is forcing professors to rethink their lesson plans
The Verge – File Not Found
“Catherine Garland, an astrophysicist, started seeing the problem in 2017. She was teaching an engineering course, and her students were using simulation software to model turbines for jet engines. She’d laid out the assignment clearly, but student after student was calling her over for help. They were all getting the same error message: The program couldn’t find their files. Garland thought it would be an easy fix. She asked each student where they’d saved their project. Could they be on the desktop? Perhaps in the shared drive? But over and over, she was met with confusion. “What are you talking about?” multiple students inquired. Not only did they not know where their files were saved — they didn’t understand the question.
Gradually, Garland came to the same realization that many of her fellow educators have reached in the past four years: the concept of file folders and directories, essential to previous generations’ understanding of computers, is gibberish to many modern students…”
Perspective.
https://knowledge.wharton.upenn.edu/article/whats-the-future-of-the-office/
What’s the Future of the Office?
Wharton management professor Peter Cappelli is the author of the new book, The Future of the Office: Work from Home, Remote Work, and the Hard Choices We All Face. Cappelli, who has for decades studied the forces shaping and changing the workplace, says the choices employees and employers must make about the future of work could be among the most important they face.
Brett LoGiurato: Could you share your overall message about what you believe is at stake for the future of the office?
Peter Cappelli: I don’t think it’s going to surprise many people to get the sense of how big an issue this is, about whether we go back to the office or not. If you think about the value of commercial real estate, what happens if we don’t need offices and all the supporting services and the little businesses and restaurants that support offices? And commuting? All those sorts of things matter. In addition to whether this might be better for employees, one of the things we know is that not everybody agrees that they want to work from home. There is the issue of whether it’s actually going to work for the employers, and that’s not completely clear.