"Is Privacy Obsolete" Study Group Page
Contents
- 1 Links
- 2 Study Group Mission and Scope
- 3 Deliverables
- 4 Reference Material
- 5 GDPR EU General Data Protection Regulations
- 6 Library
- 7 ISO Proposed Consumer Protection Standard for Privacy by Design of Consumer Goods and Services
- 7.1 From Chris Shawn, Security Cochair, VA
- 7.2 From Diana Proud-Madruga (Electrosoft) SOA Cochair
- 7.3 Devon Connor Green HL7 Norway, Privacy Attorney
- 7.4 Theresa Årdal Connor Privacy Attorney Norway
- 7.5 Suzanne Gonzales-Webb CBCP Cochair
- 7.6 Breach Investigations, Court Cases, Legislation, and Finds
- 7.7 ISTPA
- 7.8 Sharing with Protections - a New Paradigm
- 7.9 Facebook and Cambridge Analytica
- 7.10 International Breaches
- 7.11 International Hacks
- 7.12 Unwarranted Surveillance
- 7.13 Privacy Protective Policy and Technologies
- 7.14 Counter Points
- 7.15 Study Group Members
Links
- Work Space
- Gforge Library
- Is Privacy Obsolete? (IPO) Listserve: an open mailing list that anyone may join. One does not need to be a member of HL7 or the Security WG. You can find it on the HL7 Security WG mailing lists page: http://www.hl7.org/Special/committees/secure/listserv.cfm
Study Group Mission and Scope
- Study Group PSS - TBD
Deliverables
- Is Privacy Obsolete Jan 2018 WGM ppt by Mike Davis
- Breach Analysis Spreadsheet by Mike Davis
- BIOMETRICS: Balancing Privacy with Innovation by Devon Connor Green.
Reference Material
ONC: Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. This Report: 1) analyzes the scope of privacy and security protections of an individual’s health information for these new and emerging technology products that are not regulated by HIPAA; 2) identifies key gaps that exist between HIPAA regulated entities and those not regulated by HIPAA; and 3) recommends addressing those gaps in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA... This Report focuses on “mHealth technologies” and “health social media.” The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences. Taken together, these mHealth technologies and health social media that are outside the scope of HIPAA are referred to as “non-covered entities” or NCEs. This Report does not cover products, services, and data sources where health information is derived from other data (such as GPS reporting, where one can infer an individual’s physical activity, or air quality reporting data from which respiratory health might be inferred), or information casually disclosed by individuals, such as a personal Facebook post that one has the flu. Products that may meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), such as apps that can control the inflation and deflation of a blood pressure cuff or the delivery of insulin on an insulin pump, also are not discussed here, though these tools also may not be regulated by HIPAA.
GDPR EU General Data Protection Regulations
- Useful GDPR regulation text reference
- Standards support for key GDPR Policies - Rene Spronk
- Impact of the GDPR on the use of interoperability standards
- IHE Whitepaper on GDPR
- May Cologne Connectathon 201805 GDPR
Library
From Mike Davis, VHA Security Architect
- Breaches References
- Breaches Spreadsheet
- Is Privacy Obsolete? Report out presentation for January 2018 WGM.
- Is Privacy Obsolete White Paper January 2018
Big Data Privacy, Security, and Provenance
India Privacy Law Changes
Thanks to Adrian Gropper for bringing this up
- India Supreme Court rules privacy a 'fundamental right' in landmark case, August 24, 2017
- Privacy Laws in India and Privacy Rules and Regulations in India
- Privacy is not a right in India: What that means for the industry
ISO Proposed Consumer Protection Standard for Privacy by Design of Consumer Goods and Services
- Outline Description of Consumer Protection Privacy by Design
- Form 4 Consumer Protection Privacy By Design: ISO New Work Item Proposal
- List of potential sections in a consumer protection standard for privacy by design of consumer goods and services
- GDPR Guide referenced by this project
From Chris Shawn, Security Cochair, VA
Another article that may be relevant to the “Is privacy dead?” question:
“In practice, this means that we can no longer expect a meaningful difference between observability and identifiability — if we can be observed, we can be identified.”
https://www.nytimes.com/2017/10/05/opinion/privacy-rights-security-breaches.html?mwrsm=Email
From Diana Proud-Madruga (Electrosoft) SOA Cochair
- Privacy and Data Security Violations - What's the Harm?
- Privacy and Data Security Violations - What's the Harm?- by Solove - pdf
- Why Law often doesn't recognize Privacy and Data Security Harms
- Why Law often doesn't recognize Privacy and Data Security Harms by Solove - pdf
- Do Privacy Violations and Data Breaches Cause Harm?
- How Should the Law handle Privacy and Security Harms
- Is privacy dead in an online world - BBC News.pdf
- Information Accountability (CACM) by Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, and Sussman
- Privacy as Business Opportunity - GDPR
- VA Data Breach
Devon Connor Green HL7 Norway, Privacy Attorney
- BIOMETRICS: Balancing Privacy with Innovation
- Why a right to explanation of automated decision-making does not exist in GDPR - Brief: Much was supposedly promised with respect to a consumer having prospective rights to an explanation of the decision-making logic of big data algorithms that might affect them, and retrospective rights to know exactly how the algorithm was used to make a decision about a consumer, e.g., a credit rating, as has been broadcast by government and media. Unfortunately, per this pretty detailed analysis, this GDPR safeguard is relatively toothless.
- Why is this company tracking where you are on Thanksgiving? A data collection service called SafeGraph collected 17 trillion location markers for 10 million smartphones during the holiday last year.
- The UK’s ICO Clarifies Myths Around GDPR Consent - Excerpt: Do you need consent to process personal data?
One of the most popular myths about the new European General Data Protection Regulations is that companies must have consent to process people’s personal data. According to the ICO: “Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.” But how can data only be processed if an organisation has explicit consent to do so? The answer to this is that the rules around consent only apply if you are relying on consent to process personal data, i.e. consent is only one way to comply with GDPR, there are others. For data processing to be lawful in the new General Data Protection Regulations, companies and organisations need to identify a lawful basis before starting. There are five other ways in the main (as well as consent):
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
This means that consent is not the only basis on which an organization can process personal data under the new European General Data Protection Regulations.
Theresa Årdal Connor Privacy Attorney Norway
Pertinent EU Links
- HIMSS - What Healthcare Organizations need to know about the GDPR and HIMSS Presentation recording
- Dutch referendum: Spy tapping powers 'rejected'
- Data retention legislation in Europe
- German Justice Minister demands Facebook explain data scandal
- Table of EU Data Retention Issues
- EU Data Breaches June 2017
- Google loses 'right to be forgotten' case
- The Paris Lawyer Who Gives Google Nightmares - Dan Shefet French attorney
- International Privacy Protection Law tool
- International Privacy Laws
- Norway Data Protection Laws and Regulations
Suzanne Gonzales-Webb CBCP Cochair
Nitasha Tiku, Wired, 6/4/17: A couple weeks ago, during an unassuming antitrust conference at Oxford University, a German bureaucrat uttered a few words that should send a chill through Silicon Valley. In front of a crowd of nearly 200 competition law experts—including enforcement agents, scholars, and economic policy-makers from the United States and Europe—Andreas Mundt, president of Germany’s antitrust agency, Bundeskartellamt, said he was “deeply convinced privacy is a competition issue.” It’s a conviction major tech platforms are listening to closely, especially since Mundt’s agency is in the midst of a high-profile investigation into whether Facebook abused its dominance as a social network by forcing customers to agree to unfair terms about the way the company uses their data. Mundt’s words may have sounded mundane, but his implication was anything but: the world’s foremost antitrust regulators were publicly discussing whether they should intervene if a transaction weakens consumer privacy protections, a pervasive concern in the era of big data.
- The Next Cold War Is Here, and It's All About Data Tom Pendergast Wired 03.28.18
Combatants in the new Cold War are fighting over the currency of the modern age: personal information. The battles are over who controls data. Vying against each other are those societies that believe that individuals have an absolute right to control their personal data—to exercise the same kind of dominion over data that they do over their bodies or their personal property—and those that believe that personal data is a good to be traded on the open market and thus subject to the same market forces at play elsewhere. May the most innovative, efficient company win.
Breach Investigations, Court Cases, Legislation, and Finds
- Data breach victims can sue Yahoo in the United States By Jonathan Stempel, Reuters 3/12/2018. Yahoo has been ordered by a federal judge to face much of a lawsuit in the United States claiming that the personal information of all 3 billion users was compromised in a series of data breaches. In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc., which bought Yahoo's Internet business last June, to dismiss many claims, including for negligence and breach of contract.
- 2017 Updated State Data Breach Laws Account for Medical Information By Elizabeth Snell Health IT Security December 29, 2017 State data breach laws can be critical for protecting sensitive data, and healthcare organizations must ensure they adhere to them along with federal regulations. The data breach notification process is a crucial aspect to state law, and can lead to settlements should entities fail to adhere to state requirements. With large-scale data breaches continuing to be a regular occurrence in numerous industries – including healthcare – more states are updating their data breach response process. More states are also beginning to account for medical information and data protected under HIPAA regulations. Nearly every state has its own state data breach notification law in place, and there has even been a push in 2017 for one standardized national notification law.
- $2.3M OCR Settlement Reached for 21st Century Oncology Data Breach. OCR found in its investigation that 21CO impermissibly disclosed the PHI of 2,213,597 of its patients and “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI.” 21CO also failed to implement security measures to reduce risks and vulnerabilities and failed to implement procedures to regularly review information system activity. This included having audit logs, access reports, and security incident reports. The organization also disclosed PHI to its business associates without having a proper business associate agreement in place, according to OCR.
- What Should Entities Expect with OCR HIPAA Enforcement? By Elizabeth Snell November 02, 2017 - There have been nine OCR HIPAA enforcement settlements so far in 2017, highlighting the need for covered entities and business associates to focus on audit controls, risk management, and business associate agreements. While there has been a new administration leading the way, healthcare data privacy and security experts do not expect an exceedingly different approach when it comes to ensuring entities remain compliant. Under the current administration, OCR is taking a “back-to-basics” approach in terms of enforcement, Meisinger told HealthITSecurity.com. Rather than making policy statements, the agency is interested in enforcement.
- Single National Data Breach Notification Standard Proposed By Elizabeth Snell HealthData Management October 13, 2017 “This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin stated. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure.”
- New York Reaches $1.15M Settlement over Aetna Data Breach By Elizabeth Snell HealthData Management January 26, 2018 - New York Attorney General Eric Schneiderman announced that a $1.15 million settlement has been reached following the Aetna data breach that occurred in 2017. Aetna sent letters to patients in the mail back in July 2017. Information about ordering prescription HIV drugs was clearly visible through the envelope's clear window, with approximately 12,000 individuals total being impacted by the incident. The HIV status of 2,460 New Yorkers was exposed, according to Schneiderman. Aetna will need to pay the civil penalty and develop and maintain enhanced operating procedures with regard to protecting PHI and personally identifiable information (PII) in mailings. The organization will also be required to hire an independent consultant to monitor and report on the settlement’s injunctive provisions. “Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” Schneiderman said in a statement. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”
- Dutch referendum: Spy tapping powers 'rejected' BBC March 22, 2018. Voters in the Netherlands appear to have narrowly rejected new online data collection powers for intelligence agencies in a referendum. The Netherlands put to a referendum new legislation, officially the Intelligence and Security Law. The bill gives new powers to the Netherlands' intelligence services. They would be able to install wire taps on whole areas, rather than just individuals, store information for up to three years and share this data with other spy agencies.
ISTPA
International Security, Trust and Privacy Alliance
- ISTPA Privacy Tools & Technology FAQ January 20, 2003
- ISTPA Privacy Framework FAQ
- Managing Information Privacy Developing a Context for Security and Privacy Standards Convergence (ISTPA Privacy Framework ISO 20886) Robbins & Sabo
- Analysis of Privacy Principles: Making Privacy Operational v.2 2007
- ISTPA Privacy Framework v.1.1 2002
- Managing Privacy and Information by Sabo
- OASIS Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/ISTPA/OASIS-Sabo-102207.ppt
- HHS Kolodner Privacy and Security Framework
Sharing with Protections - a New Paradigm
- Moving beyond Protection from Sharing in the age of Big Data, Learning Health System, and Health IOT
Balancing Clinician Need to Know (N2K) and Patient Privacy Expectations
- Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA
- Care Teams Consent Attributes and Security Labels
- Care Team Provisioning for LHS.pptx Care Team ABAC Provisioning
- Care Team ABAC Provisioning Table Example
- Healthcare Team Model Glossary
- Cambridge_Health_Alliance_Team-Based_Care_Toolkit
Facebook and Cambridge Analytica
- Facebook under pressure as U.S., EU urge probes of data practices By Dustin Volz and Munsif Vengattil 3/19/2018 (Reuters) - Facebook Inc Chief Executive Mark Zuckerberg faced calls on Monday from U.S. and European lawmakers to explain how a consultancy that worked on President Donald Trump's election campaign gained improper access to data on 50 million Facebook users.
- Cambridge Analytica researcher touted data-mining in Russia speech (https://www.fidelity.com/news/article/default/201803201101CNN_____MONEY____-2018-03-20-technology-aleksandr-kogan-video-facebook-cambridge-analytica-index_html?srcIndex=2) by Marshall Cohen, CNNMoney.com 3/20/2018. The researcher at the center of the Cambridge Analytica data-mining scandal touted controversial techniques at a lecture four years ago in Russia, despite downplaying the methods in an email to colleagues after his work attracted international scrutiny.
- Cambridge Analytica CEO suspended after taking credit for Trump campaign on video
- 'Utterly horrifying': ex-Facebook insider says covert data harvesting was routine by Paul Lewis The Guardian March 20, 2018. Sandy Parakilas in San Francisco. ‘It has been painful watching. Because I know that they could have prevented it.’ Hundreds of millions of Facebook users are likely to have had their private information harvested by companies that exploited the same terms as the firm that collected data and passed it on to Cambridge Analytica, according to a new whistleblower.
- Facebook must be restructured. The FTC should take these nine steps now By Barry Lynn and Matt Stoller The Guardian, Thu 22 Mar 2018. ‘Rather than simply carve away some of Facebook’s huge profits, the FTC should immediately move to restructure the corporation.’
- Facebook asked hospitals to share patient data. Facebook asked hospitals for anonymized data about their patients for a proposed research project (CNBC 4/6/2018). The social media platform reportedly intended to compare the data, which included prescription information and illnesses, with its own data that it collected from users, in order to flag users that may need hospital care. The social media company discussed its plan with organizations including Stanford Medical School and American College of Cardiology. The data the company would have collected would have been completely anonymous and only available for medical research, according to the report. Cathleen Gates, the interim CEO of the American College of Cardiology, said in a statement provided to CNBC that Facebook’s proposed data project could help medical research. “As part of its mission to transform cardiovascular care and improve heart health, the American College of Cardiology has been engaged in discussions with Facebook around the use of anonymized Facebook data, coupled with anonymized ACC data, to further scientific research on the ways social media can aid in the prevention and treatment of heart disease — the #1 cause of death in the world,” she said.
International Breaches
- Aadhaar: 'Leak' in world's biggest database worries Indians Indian officials in charge of a controversial biometric identity scheme have filed a police complaint after a report that citizens' personal details were being sold for as little as 500 rupees ($7.8;£5.8) online.
- 10 Largest Healthcare Data Breaches covered by HealthData Management 2017 affecting nearly 1.9 million individuals.
- German Justice Minister demands Facebook explain data scandal news@thelocal.de @thelocalgermany 22 March 2018. Germany is the latest country to demand answers from Facebook after it emerged data from 50 million users was used to inform targeted election campaigns. German Justice Minister Katharina Barley on Thursday called such methods "a danger to democracy." It's unacceptable that data is used "against users' will in order to bombard them with election advertising or hate against political opponents," she continued. "Such campaigning methods are a danger to democracy."
International Hacks
- US Reports North Korea Caused WannaCry Ransomware Attack By Elizabeth Snell Health IT Security January 02, 2018. The WannaCry ransomware attack that affected numerous sectors around the world, including healthcare organizations, was caused by North Korea, according to Tom Bossert, assistant to the president for homeland security and counterterrorism. Bossert explained in a Wall Street Journal op-ed that North Korea was directly responsible for the cyber attack that “encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes.”
- 10 largest breaches that HealthData Management covered in 2017 affecting nearly 1.9 million individuals.
- Hackers halt plant operations in watershed cyber attack Dec 14 (Reuters) - Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.
Unwarranted Surveillance
- The House That Spied on Me By Kashmir Hill and Surya Mattu. This story was produced with support from the Mozilla Foundation as part of its mission to educate individuals about their security and privacy on the internet. "I thought the house would take care of me but instead everything in it now had the power to ask me to do things. Ultimately, I’m not going to warn you against making everything in your home smart because of the privacy risks, although there are quite a few. I’m going to warn you against a smart home because living in it is annoying as hell."
- Chinese police spot suspects with surveillance sunglasses. Police in China have begun using sunglasses equipped with facial recognition technology to identify suspected criminals. The glasses are connected to an internal database of suspects, meaning officers can quickly scan crowds while looking for fugitives. But critics fear the technology will give even more power to the government. The sunglasses have already helped police capture seven suspects, according to Chinese state media. Police used the new equipment at a busy train station in the central city of Zhengzhou to identify the suspects. The seven people who were apprehended are accused of crimes ranging from hit-and-runs to human trafficking.
Privacy Protective Policy and Technologies
- Special Report: The policies, processes and technologies to guard the IoT for healthcare By Bill Siwicki HealthcareIT News March 15, 2018. Experts are anticipating the wrath of cybercriminals targeting the hundreds of thousands of IoT devices already deployed in 2018 and beyond. While medical equipment has long presented thorny security problems, Internet of Things devices in hospitals bring entirely new, and often daunting, cyberthreats.
Counter Points
Study Group Members
x | Member Name | x | Member Name | x | Member Name | x | Member Name |
---|---|---|---|---|---|---|---|
x | Mike Davis - Study Group Lead | x | Christopher Shawn, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Trish Williams, Security Co-chair |
x | John Moehrke, Security Co-chair | x | Suzanne Gonzales-Webb | x | David Staggs | x | Diana Proud-Madruga |
. | Mohammed Jafari | . | Beth Pumo | . | [1] | x | [2] |
x | [3] | . | [4] | x | [5] | . | [6] |