Rethinking online privacy

The Enterprise — Elizabeth Floyd Mair 
Patient safety: Bertine McKenna, Ph.D., former chief operating officer of Bassett Healthcare Network, talks about the need for hospitals to insist to the manufacturers of electronic medical devices that they also have access to the software controlling the devices.

The largest-ever cyber-disaster — the theft of private information on nearly half the residents of the United States in this year’s data breach of the credit-reporting agency Equifax — got New York State Assemblywoman Patricia Fahy thinking about what could be done to better protect online privacy, she said last week.

She introduced a new bill this month, with State Senator David Carlucci, a Democrat from Clarkstown, that would expand the legal definition of “private information,” so that a breach exposing the newly covered data would require organizations to notify the affected customers.

Under current law, “private information” is limited to Social Security numbers; driver’s-license or state identification-card numbers; and credit-card, debit-card, or bank-account numbers. The law further specifies that a card or account number counts only when it is exposed together with the password that would allow access to the account.

Fahy and Carlucci’s bill would define birthdays, home addresses, and telephone numbers as private information so that, if companies were in possession of these and they were breached, the state protections would be triggered.

Those protections include: a requirement to notify affected consumers, and the state attorney general, within “a reasonable amount of time,” Carlucci said. The senator added that he has also drafted a separate bill that would require preliminary notification of consumers and the attorney general sooner; this second bill does not yet have a sponsor in the State Assembly.

Carlucci said that this second bill would apply only to data that is held by companies and organizations with the presumption of privacy.

Information like addresses, telephone numbers, and birth dates can also be used “maliciously,” Fahy said.

Bank-account and other passwords are not needed for identity theft, said Fahy. If someone manages to get a Social Security number and a birth date, “That’s all you need,” she said.

The Enterprise — Elizabeth Floyd Mair 
Cyber talk: Kurt Bratten, compliance attorney with O’Connell & Aronowitz of Albany, at left, discusses cybersecurity at a symposium in Albany on Oct. 11, as Special Agent Timothy Lambie of the FBI listens. Bratten said he expects that, in the future, consumers will have more options for the ways that they identify themselves, so, “If I really want to protect myself and am willing to pay for it, I can have any number of layers: biometric, multi-layer, and everything.” 

She knows firsthand what a “nightmare” it is to clean up the aftermath of an identity theft, she said, noting that her two experiences were not even full-on identity theft, but stemmed from confusion over a name.

“We’re going to see if there’s more we can do” in addition to the current bill, Fahy said. She added, “These are hard to pass, because there’s a lot of opposition to this kind of stuff, but we thought this was one we could actually get through.”

Fahy’s spokesman, Jacob Egloff, said this week that the opposition that the office would generally expect would be from larger finance-industry companies such as banks, brokerages, and credit agencies. He said, “We’re really focused on trying to get legislation through that can pass, and we think this is narrowly tailored enough that we can protect New Yorkers from future breaches and still have a hope of actually passing the bill.”

Cybersecurity symposium

The Equifax breach and how to prevent a repeat of it were hot topics at a cybersecurity symposium held in Albany on Oct. 11.

The symposium, offered by GreyCastle Security of Troy, opened with a panel moderated by Will Pelgrin, former president of the Center for Internet Security.

Pelgrin said the best thing he had ever done was freeze his credit 10 years ago.

Panelist Kris Cottom, chief information officer of The Healthcare Association of New York State, said that she intends to no longer give her Social Security number when asked for it, “unless legally necessary.” She intends to say to the person requesting the number, “‘You don’t need that. You need my name, address, and health-insurance card.’”

Cottom said, “We need a way to be able to identify people without compromising their security.”

A member of the audience asked if it might be possible to come up with a system of disposable identification.

Cottom said that that would be great, “if we had a five-minute password and could say, ‘Yeah, here’s my info; it’s good for five minutes.’”

Timothy Lambie, a special agent in the Federal Bureau of Investigation’s Albany office, said, “I don’t know of any technology that would allow us to do that. Maybe the first step would be to find a two-factor identification system to allow us to identify ourselves.”

In a two-factor authentication system, identity is verified with two independent factors, typically something the user knows (a password) and something the user has (a phone or hardware token). In the most common form, a short-lived one-time code is generated on, or sent to, the second device and must be entered before it expires.

The panelists also discussed possible cyber-disaster scenarios in the healthcare industry. Pelgrin asked Cottom, “What if you have a hit where the intent is not money [as with ransomware], but harming patients?”

Bertine McKenna, former chief operating officer of Bassett Healthcare Network, said, “We drill mass casualties all the time, but we never drill this. What if a patient’s pacemaker got hacked?”

Both McKenna and Cottom agreed that hospitals use devices containing software that can be accessed by the manufacturers, but not by the hospitals themselves, which often have little or no information about the software being used. Cottom said, “If there’s a mass casualty due to devices delivering twice as much insulin as they’re supposed to, or more radiation than they’re supposed to — the companies don’t want that on their plate.”

Cottom said that if she were the chief executive officer of a hospital, she would tell the manufacturers of such devices that she needed access to the software controlling them, and would say, “I’m not going to put that in my hospital unless you tell me how to use it.”
