H-ISAC Hacking Healthcare 7-21-2020 -

TLP White: This week, Hacking Healthcare explores the recent Schrems II decision that invalidated the US-EU Privacy Shield Framework and all of the uncertainty that comes with it. Next, we brief you on how the UK’s rush to implement contact tracing has run afoul of privacy regulations and ponder the effect of regulation on emergency response. Finally, wrapping up our European coverage, we break down the UK’s decision to remove Huawei from its telecommunications networks and what effects that may have on their cybersecurity.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. US-EU Privacy Shield Struck Down.

The Court of Justice of the European Union (“CJEU”) made a significant, if not an altogether unexpected, decision last Thursday when it struck down the US-EU Privacy Shield Framework (“Privacy Shield”). The invalidation of the Privacy Shield continues a trend of EU legal decisions that highlight how the divergent approaches of the EU and US regarding data privacy and protection are causing difficulties for those attempting to operate in both markets.

The Privacy Shield, which was created in 2016, was designed to “provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data.”[1] It came together in the wake of the invalidation of its predecessor, Safe Harbor, the year prior.[2] However, even before its adoption, critics believed that the Privacy Shield was flawed and was unlikely to survive legal scrutiny. Last Thursday, that prediction was confirmed in a case brought by the same individual who invalidated Safe Harbor, Max Schrems.

The reason for the ruling essentially comes down to the interpretation by the CJEU that data privacy and protection standards within the United States do not meet the legal requirements of the European Union, and the Privacy Shield does not effectively mitigate the difference.[3] In effect, CJEU noted that the surveillance laws within the United States are considered to be too overbearing and in direct conflict with EU law. The United States government voiced its disappointment in the ruling, which could affect a large portion of the 5,000-plus organizations that were Privacy Shield certified.

Action & Analysis

*H-ISAC Membership Required*

2. NHS Test-and-Trace vs. GDPR and Privacy Groups.

In a new admission by England’s Department of Health and Social Care (“DHSC”), it appears that in their rush to develop a COVID-19 contact tracing initiative, they may have strayed into violation of the General Data Protection Regulation (“GDPR”).

The recent admission comes months after the privacy focused Open Rights Group (“ORG”) initially threatened legal action over how much data would be collected through the department’s test-and-trace program and how long that data would be stored for potential use. Part of ORG’s complaint included an accusation that a data protection impact assessment had not been completed at the time of the initiative’s launch, which is a requirement under GDPR.[4]^, [5]

The UK government has been defensive about the admission, stating that they are confident that the data collected is secure, there is no evidence that the data is being used unlawfully, and the need to get a contact tracing initiative up and running to combat COVID-19 contributed to the decision to proceed without completing an impact assessment.[6] However, that last point has been rebutted by ORG, who has stated that such actions undermine trust in the government, which is sorely needed during a pandemic.[7] In an effort to mitigate concerns, DHSC announced they have been working with the Information Commissioner’s Office to ensure proper data processing, and that the outstanding data protection impact assessment is being “finalized.”[8]

This is just the latest of several issues that have plagued the UK’s contact tracing efforts. The government’s decision to launch its own contact tracing application has led to a series of missed launch dates stemming from concerns over privacy, effectiveness, and related technical aspects. Current estimates suggest a contact tracing application won’t see a nation-wide rollout until this winter.[9] More concerning are allegations from last week, when The Times reported that UK contract tracing staff had been found sharing details of COVID-19 patient data on social media and other messaging applications.[10]

Action & Analysis

*H-ISAC Membership Required*

3. The UK Bans Huawei.

On July 14^th, the UK government announced that it will ban Huawei from its network infrastructure. The decision likely comes as a major relief to the US government, which has spent considerable time and resources persuading its allies, especially its European ones, that Huawei’s involvement in next generation networks represents a significant national security threat.

The UK government’s press release states that the “decision follows a technical review by the National Cyber Security Centre in response to US sanctions.”[11] The press release goes on to outline that:

Buying new Huawei 5G equipment is banned after 31 December 2020
All Huawei equipment is to be removed from 5G networks by the end of 2027
The existing ban on Huawei from the most sensitive ‘core’ parts of 5G network remains

There was little clarity that the UK would make the decision to ban Huawei in the weeks leading up to the announcement, especially because it differs from the UK’s initial plan to allow limited use of Huawei components in non-core or critical segments of the country’s telecommunications infrastructure.[12] Huawei and China have already voiced their disappointment, with the latter alluding to potential consequences.[13] The UK may find that its newly acquired freedom post-Brexit comes at the cost of having less bargaining power when navigating the geopolitical tensions between the US and China–two of its major trading partners.

Action & Analysis

*H-ISAC Membership Required*

Congress –

Tuesday, July 21st:

– Senate – Committee on Commerce, Science, and Transportation – Subcommittee on Manufacturing, Trade, and Consumer Protection: Hearings to examine protecting Americans from COVID-19 scams.

-House – Committee on Energy and Commerce: Hearing: “Pathway to a Vaccine: Efforts to Develop a Safe, Effective and Accessible COVID-19 Vaccine”

Wednesday, July 22nd:

– Senate – Committee on Commerce, Science, and Transportation: Business meeting to consider bills relating to healthcare and broadband, AI Federal Advisory Committee, and AI standards

– Senate – Committee on Homeland Security and Governmental Affairs: Business meeting to consider bills relating to pandemic response and cybersecurity

Thursday, July 23rd:

– No relevant hearings

International Hearings/Meetings –

EU –

– No relevant hearings