TLP White: In this edition of Hacking Healthcare, we detail the outcome of a German competition agency’s recent investigation into Facebook’ data practices.  Then, we examine Canadian crypto giant QuadrigaCX’s loss of assets and access to its digital coins.  Finally, we discuss a bipartisan effort asking the Department of Homeland Security to recognize that VPN apps could pose a national security risk.

Welcome back to Hacking Healthcare.

Hot Links –
  1. German Antitrust Regulator Cracks Down on Facebook’s Ad Business. Last week Facebook’s data collection practices were cast into the spotlight, again, as Germany’s Federal Cartel Office (“FCO”) forbid the company from tracking users and collecting and combining their data without their consent.[1]  The German antitrust authority began its investigation into Facebook in 2016, and on Thursday it issued a decision condemning Facebook’s practices.  The FCO alleged that Facebook requires users to assent to data tracking and collection in order to use its service, so users’ agreement to the practice through click-wrap terms does not constitute voluntary consent.[2]  Facebook, which uses the data it collects to build user profiles to enhance and enable targeted advertising, has appealed the German regulator’s ruling.[3]

Some media outlets have reported that the FCO’s decision is especially impactful because it asserts privacy as an antitrust issue.[4]  Because Facebook is ubiquitous and serves a unique function, the argument goes, users’ only way to avoid data tracking and collection is to decline to use the social network all together.  This does not give users much of a choice, so the German competition authority has asserted it is anti-competitive in nature.  The FCO’s enforcement action signals that European regulators are not only looking to the General Data Protection Regulation (“GDPR”) as a way to challenge companies’ privacy practices.  Antitrust authorities across Europe could also become more active in the space, as legal theories of privacy as an antitrust matter continue to gain ground.

  1. Cryptocurrency Exchange Loses its Founder and $137 Million. QuadrigaCX, a Canadian cryptocurrency exchange, lost millions of its users’ assets after founder, sole director, and officer Gerald Cotton passed away at 30 years old in December.[5]  Cotton maintained the crypto exchange’s coins in a “cold wallet”—a digital storing device for cryptocurrency that is not connected to the Internet in order to avoid threats from hackers.[6]  When Cotton died, no one could access the exchange’s digital wallet, which the founder held on his encrypted personal laptop.  Experts have attempted to recover access to the laptop, digital wallet, and coins to no avail.

This instability would be enough on its own to threaten the Canadian crypto giant’s viability, but QuadrigaCX is even more vulnerable due to other liquidity issues: approximately $53 million of its assets are currently tied up with at least three of its third-party business partners.[7]  As a result, customers of the exchange are uncertain whether it will be able to pay out on their requested withdrawals once (and if) the dust settles.[8]

Cryptocurrency’s rise in popularity and regulators’ inability to keep up has allowed online coin exchanges to grow with relatively few legal restrictions.  However, investors in these financial vehicles do so at their own risk.  The volatility in the crypto market has been widely reported,[9] and it’s no secret that coin exchanges remain almost completely unregulated in many parts of the world, including Canada—QuadrigaCX’s home nation.[10]

  1. Are Foreign VPNs a National Security Risk? That was the question posed by Senator Marco Rubio (R-FL) and Senator Ron Wyden (D-OR) to Cybersecurity and Infrastructure Security Agency (“CISA”) Director Christopher Krebs in a letter late last week.[11]  The growing use of mobile virtual private network (“VPN”) apps as a way to augment online user privacy has led to an increase in VPN app products from companies throughout the world.  However, the pair of senators are concerned that some of these products route information through, or store information within, the infrastructure of nations who oppose U.S. interests and may use these VPN products illicitly to gather intelligence.

The letter made specific references to China’s Huawei and Russia’s Kaspersky Labs as examples of national security risks posed by foreign companies.  It also urged the Department of Homeland Security to conduct a threat assessment on the security risks associated with government employees’ use of VPN services that may be surveilled by foreign actors.  The senators have requested a “Binding Operational Directive prohibiting [such VPN apps’] use on federal government smartphones and computers” if the CISA Director assesses that their use constitutes a national security threat.[12]

Congress

 

Tuesday, February 12th:

 

–Hearings to examine managing pain during the opioid crisis.  (Senate Committee on Health, Education, Labor, and Pensions)

 

Wednesday, February 13th:

 

–“Strengthening Our Health Care System: Legislation to Reverse ACA Sabotage and Ensure Pre-Existing Conditions Protections.”  (House Committee on Energy and Commerce Subcommittee on Health)

–Long Term Healthcare Challenges and Long Term Care Hearing.  (House Committee on Appropriations Subcommittee on Military Construction, Veterans Affairs, and Related Agencies

 

Thursday, February 14th:

 

No relevant hearings.

 

International Hearings/Meetings

 

            EU – No relevant hearings.

 

 

Conferences, Webinars, and Summits

–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)

<https://nhisac.org/events/nhisac-events/first-symposium-2019/>

–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)

<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>

–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)

<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>

–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>

–H-ISAC Israel Showcase & Innovation – Tel Aviv, Israel (4/8/19-4/13/19)

<https://www.regonline.com/registration/Checkin.aspx?EventID=2551847>

–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)

<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>

–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)

<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>

–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)

<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>

–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

 

 

Sundries –

 

–Apple patches FaceTime flaw and two exploited zero-days in new security update

<https://www.cyberscoop.com/iphone-update-facetime-flaw/>

–U.S. busts Romanian cybercrime ring that phished Americans, laundered millions of dollars

<https://www.cyberscoop.com/cybercrime-ring-romania-busted/>

–Indecent disclosure: Gay dating app left “private” images, data exposed to Web

<https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/>

–LibreOffice and Apache OpenOffice vulnerable to same bug; only one is fixed

<https://arstechnica.com/information-technology/2019/02/path-traversal-bug-is-fixed-in-libreoffice-but-not-in-apache-openoffice/>

–TWITTER STILL CAN’T KEEP UP WITH ITS FLOOD OF JUNK ACCOUNTS, STUDY FINDS

<https://www.wired.com/story/twitter-abusive-apps-machine-learning/>

–SENATORS GRILL FACEBOOK, GOOGLE, AND APPLE OVER INVASIVE APPS

<https://www.wired.com/story/senators-project-atlas-facebook-google-apple/>

–GOOGLE’S MAKING IT EASIER TO ENCRYPT EVEN CHEAP ANDROID PHONES

https://www.wired.com/story/android-encryption-cheap-smartphones/

–Intelligence heads warn of more aggressive election meddling in 2020

<https://www.politico.com/story/2019/01/29/dan-coats-2020-election-foreign-interference-1126077>

–Trump likely to sign executive order banning Chinese telecom equipment next week

<https://www.politico.com/story/2019/02/07/trump-ban-chinese-telecom-1157090>

 

Contact us: follow @HealthISAC, and email at contact@h-isac.o

[1] https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook

.html?nn=3591568

[2] https://techcrunch.com/2019/02/07/german-antitrust-office-limits-facebooks-data-gathering/

[3] https://newsroom.fb.com/news/2019/02/bundeskartellamt-order/

[4] https://www.wired.com/story/germany-facebook-antitrust-ruling/

[5] https://www.npr.org/2019/02/04/691296170/cryptocurrency-exchange-says-it-cant-access-millions-after-founder-s-unexpected

[6] https://arstechnica.com/information-technology/2019/02/digital-exchange-loses-137-million-as-founder-takes-passwords-to-the-grave/

[7] Ibid.

[8] https://www.cbc.ca/news/canada/british-columbia/quadrigo-cryptocurrency-bitcoin-exchange-gerald-cotten-death-india-1.5002955

[9] https://www.cbc.ca/news/canada/british-columbia/quadrigo-cryptocurrency-bitcoin-exchange-gerald-cotten-death-india-1.5002955

[10] https://www.reuters.com/article/us-quadrigacx-crypto-canada/canada-securities-watchdog-says-crypto-firm-quadriga-beyond-its-purview-idUSKCN1PW2MR

[11] https://www.cyberscoop.com/vpn-foreign-apps-dhs-rubio-wyden/

[12] https://www.wyden.senate.gov/imo/media/doc/020719%20Wyden%20Rubio%20VPN%20Letter%20to%20DHS. pdf; https://www.rubio.senate.gov/public/_cache/files/114510c9-e893-433c-a0df-f7980edb3753/368AAFFB6E7F458CC886AB96EBCC2606.020719-wyden-rubio-vpn-letter-to-dhs.pdf