What Doctors Wish You Knew About HIPAA and Data Security

A former Department of Homeland Security adviser and a doctor, Chris Pierson is CEO of BlackCloak, a company that specializes in personal digital protection from financial fraud, cybercrime, reputational damage, and identity theft. He believes vigilance is key for doctors and patients alike.

Protect Your Entire Family

“I don’t think people realize that once someone is able to get just one piece of information, that can lead to opening others’ private data,” Pierson says. “It’s no longer the original individual on their computer, but additional family members’ identity that can be compromised.”

He explains that even if one organization keeps your data safe, another associated one may not, and that’s where criminals will strike. 

“It’s not just medical offices. It’s your pharmacy, labs, insurance company, anyone who keeps personal information. That has real value, and selling it is the priority.”

Victims of identity theft can be revictimized when personal information gets into multiple hands. A street address and verified phone number can go far, especially if the phone contains many contacts, who then become vulnerable to attack themselves.

“If you get Mom’s info, you can get the child’s as well. An ID card, social security, all of it, and then they have the ability to collect false medical claims or just extortion. It’s a two for one.”

Two-Factor Authentication Is Worth the Effort

Pierson mentions how critically important it is to use a multistep authentication system. Your level of protection goes up considerably just by using secure passwords and one-time authentication codes.

Thankfully, setting all this up is easier than it sounds. Apps on your phone or tablet can help. Google Authenticator, when paired with a service that supports authenticator apps, provides a six-digit number that changes every few seconds and can keep people out of your data even if they have your username and password. Other companies ask users to enter an SMS code as the second authentication factor, in addition to a password, although SMS codes are less secure than authenticator apps. Either approach is better than none—unless a hacker is in physical possession of your phone, they are not getting access.

Social Media and Tracking

Social media is becoming a popular way for health care providers and entrepreneurs to connect with the public—and often to sell them treatments or advice. These Instagram or TikTok accounts may offer tips from someone in the medical industry, which can appeal to those facing rising health care costs and difficulties accessing care. But an internet doctor’s background or popularity does not ensure that they observe strong privacy guidelines or secure their transactions.

My Instagram is flooded with offers promising everything from better sleep to improved sexual health. It’s nice to have options, but that help and any information you receive from those accounts or send to them isn’t covered under HIPAA. Any time you pay out of your own pocket for health-related items or services, or on a direct-to-consumer health app, there is no recourse if someone steals your personal information or shares it.

Along with social media and direct-to-consumer health options comes large-scale data tracking. Outside of official medical practices, you should view surveillance as an expectation, rather than an exception.

Ask Questions

When you sign up for any service, whether through a new doctor’s patient portal or an online supplement shop, ask how your data is stored and where it goes. Read the privacy policies and settings, even briefly, to find out what options you have to restrict the sale or reuse of your data. Check the default settings to make sure you’re not giving away too much information. Find out if the service or platform offers two-factor authentication and set that up if it’s available. Know that it’s rare for anyone to need your social security number, no matter what a customer service agent says. A birth date and address are usually enough.

Pierson and others agree that we all need to consider security from several angles and do our best to protect ourselves and our loved ones. “The sophistication of identity attacks will always evolve and change. Remember, they only have to get it right once, but we have to guess right all of the time.”

How Threads’ Privacy Policy Compares to Twitter’s (and Its Rivals’)

Meta’s long-awaited Twitter alternative is here, and it’s called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk’s handling of Twitter’s user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. This could include your race, sexual orientation, pregnancy status, and religion, as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever you like, you must delete your Instagram account if you want to fully delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

Third-Party Advertising:

  • Purchases (Purchase History)
  • Financial Info (Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Photos or Videos, Gameplay Content, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

What to Do When Your Boss Is Spying on You

You’re not being paranoid. If you always feel like somebody’s watching you, as the song goes, you’re probably right. Especially if you’re at work.

Over the course of the Covid-19 pandemic, as labor shifted to work-from-home, a huge number of US employers ramped up the use of surveillance software to track employees. The research firm Gartner says 60 percent of large employers have deployed such monitoring software—it doubled during the pandemic—and will likely hit 70 percent in the next few years.

That’s right—even as we’ve shifted toward a hybrid model with many workers returning to offices, the various methods of employee surveillance (dubbed “bossware” by some) aren’t going away; they’re here to stay and could get much more invasive.

In the book Your Boss Is an Algorithm, authors Antonio Aloisi and Valerio de Stefano describe “expanded managerial powers” that companies have put into place over the pandemic. This includes the adoption of more tools, including software and hardware, to track worker productivity, their day-to-day activities and movements, computer and mobile phone keystrokes, and even their health statuses.

This can be called “datafication” or “informatisation,” according to the book, or “the practice by which every movement, either offline or online, is traced, revised and stored as necessary, for statistical, financial, commercial and electoral purposes.”

Ironically, experts point out that there’s not sufficient data to support the idea that all this data collection and employee monitoring actually increases productivity. But as the use of surveillance tech continues, workers should understand how they might be surveilled and what, if anything, they can do about it.

What Kind of Monitoring Is Happening?

Using surveillance tools to monitor employees is not new. Many workplaces continue to deploy low-tech tools like security cameras, as well as more intrusive ones, like content filters that flag content in emails and voicemails or unusual activity on work computers and devices. The workplace maxim has long been that if you’re in the office and/or using office phones or laptops, then you should never assume any activity or conversation you have is private.

But the newer generation of tools goes beyond that kind of surveillance to include monitoring through wearables, office furniture, cameras that track body and eye movement, AI-driven software that can hire as well as issue work assignments and reprimands automatically, and even biometric data collection through health apps or microchips implanted inside the body of employees.

Some of these methods can be used to track where employees are, what they’re doing at any given moment, what their body temperature is, and what they’re viewing online. Employers can collect data and use it to score workers on their individual productivity or to track data trends across an entire workforce.

These tools aren’t being rolled out only in office spaces, but in work-from-home spaces and on the road to mobile workers such as long-haul truck drivers and Amazon warehouse workers.

Is This Legal?

As you might imagine, the laws of the land have had a hard time keeping up with the quick pace of these new tools. In most countries, there are no laws specifically forbidding employers from, say, video-monitoring their workforce, except in places where employees should have a “reasonable expectation of privacy,” such as bathrooms or locker rooms.

In the US, the 1986 Electronic Communications Privacy Act laid out the rule that employers should not intercept employee communication, but its exceptions—that communications can be intercepted to protect the privacy and rights of the employer or if business duties require it, or if the employee granted prior permission—make the law toothless and easy to get around.

LastPass Data Breach: It’s Time to Ditch This Password Manager

You’ve heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service’s 25.6 million users, though, the company made a worrying announcement on December 22: A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data. 

The details LastPass provided about the situation a week ago were worrying enough that security professionals quickly started calling for users to switch to other services. Now, nearly a week since the disclosure, the company has not provided additional information to confused and worried customers. LastPass has not returned WIRED’s multiple requests for comment about how many password vaults were compromised in the breach and how many users were affected. 

The company hasn’t even clarified when the breach occurred. It seems to have been sometime after August 2022, but the timing is significant, because a big question is how long it will take attackers to start “cracking,” or guessing, the keys used to encrypt the stolen password vaults. If attackers have had three or four months with the stolen data, the situation is even more urgent for impacted LastPass users than if hackers have had only a few weeks. The company also did not respond to WIRED’s questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. In characterizing the scale of the situation, the company said in its announcement that hackers were “able to copy a backup of customer vault data from the encrypted storage container.”

“In my opinion, they are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. “I’d be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team.”

The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, is not. In this situation, the plaintext URLs in a vault could give attackers an idea of what’s inside and help them prioritize which vaults to work on cracking first. The vaults, which are protected by a user-selected master password, pose a particular problem for users seeking to protect themselves in the wake of the breach, because changing that primary password now with LastPass won’t do anything to protect the vault data that’s already been stolen.

Or, as Johnson puts it, “with vaults recovered, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover specific users’ master keys.”

5 Best Password Managers (2022): Features, Pricing, and Tips

There are apps for Android, iOS, Windows, MacOS, and Linux, as well as extensions for all major web browsers. Bitwarden also has support for Windows Hello and Touch ID on its desktop apps for Windows and MacOS, giving you the added security of those biometric authentication systems.

Another thing I like is Bitwarden’s semiautomated password fill-in tool. If you visit a site that you’ve saved credentials for, Bitwarden’s browser icon shows the number of saved credentials from that site. Click the icon and it will ask which account you want to use and then automatically fill in the login form. This makes it easy to switch between usernames and avoids the pitfalls of autofill that we mention at the bottom of this guide. If you simply must have your fully automated form-filling, Bitwarden supports that as well.

Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

After signing up, download the app for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for Firefox, Chrome, Safari, Edge, Vivaldi, and Brave.

Best Full-Featured Manager

Dashlane app (Courtesy of Dashlane)

I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company did discontinue its desktop app earlier this year, moving to a web-based user interface, which is a little different from 1Password and Bitwarden. (The desktop apps officially shut down on January 10, 2022.) I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.

Best DIY Option (Self-Hosted)

KeePassXC app displayed on Microsoft Windows (Courtesy of KeePassXC)

Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores all your passwords in an encrypted digital vault that is protected by a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended service, SpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

Why do it yourself? In a word: transparency. Like Bitwarden, KeePassXC is open source, which means its code can be and has been inspected for critical flaws.

Download the desktop app for Windows, MacOS, or Linux and create your vault. There are also extensions for Firefox, Edge, and Chrome. It does not have official apps for your phone. Instead, the project recommends KeePass2Android or Strongbox for iPhone.

Another Option

NordPass app shown on Mac laptop (Courtesy of NordPass)

NordPass is a relatively new kid on the password manager block, but it comes from a company with significant pedigree. NordVPN is a well-known VPN provider, and the company brings to its password manager much of the ease of use and simplicity that made its VPN offering popular. The installation and setup process is a breeze. There are apps for every major platform (including Linux), browser, and device.

The free version of NordPass is limited to one device, and there’s no syncing available. There is a seven-day free trial of the premium version, which lets you test device syncing. But to get that for good, you’ll have to upgrade to the $36-a-year plan. (Like its VPN service, NordPass accepts payment in cryptocurrencies.)