smartphone

September 20, 2017

Apps That Wreak Havoc On HIPAA

This is the era of multiple devices and millions of apps. Phones, tablets, and smartwatches are filled with apps intended to make our lives easier. And it seems almost daily we read about how some – or all – of those apps are spying on our lives.

Many people don’t care. To some extent, I am one of those. “I don’t do anything so special in life that anyone will want to hack me” is how I feel about most of my internet presence. I happily share photos of my family, my dogs, and my travels.

But, I do worry about money and health issues; the things that I feel need to be secure. So when my iPhone asked for access to my health information I was hesitant to share.

The iPhone comes standard with the “Health” app (Fitbit and other devices also take, store, and share health information). In the app, you can enter your health record data and share it with other health related apps on your device. It can also pull such data from your other apps too.

You can enter vitals, lab test results, and even track your reproductive health – where it asks for everything from your menstruation history, to sexual activity.

Wow. To say I was surprised to see this information on an app is an understatement.

Maybe I am old fashioned, but I cannot imagine grabbing my iPhone after sex and entering the event in; it’s akin to grabbing a cigarette in the old movies. And if you did enter it, if you ask Siri about the last time you had sex… would she answer? I will leave that alone for now.

Is your phone secure?

Naturally, I thought that if my phone wanted to hold my very private health information, it must be secure. So to play off the old movie reference, it’s For Your Eyes Only. But the app is not secured by any authentication. Well, once your phone is unlocked that is.

So, if anyone gains access to your phone, guess what…they would quickly be able to learn your sexual activity, recent blood alcohol content, and anything else you happened to trust your handy-dandy iPhone with.

Of course, if that information is on your phone…. guess who else has it? Apple, Google, Amazon, or whomever you have your back-up account with.

As I look at my phone, I realize that I have access to all my information but so does Apple. Certainly the type of information Apple Health is seeking from me is my private health information; HIPAA calls it Protected Health Information (PHI).

Thus, it could be subject to HIPAA regulations. If so it’s safe and secure under federal law. But, is Apple is an entity that would be subject to the privacy and security rules of HIPAA? Are they a Covered Entity (CE)? The answer is no.

HIPAA applies to doctors, hospitals, medical insurers, and other health care providers. They are what’s classified as CEs under HIPAA. So the people that normally treat you and deal with your medical records and billings have to comply with HIPAA. But, just having medical records does not create a HIPAA obligation.

Further, other companies which support CE’s can be subject to HIPAA as well – they are the Business Associates (BAs). An example might be a medical device manufacturer; a hospital’s cleaning service or vendor that supports medical care in some way.

Tech companies aren’t restricted by HIPAA

Apple is none of these things. So Apple has no requirement of privacy or security over my medical data. Likewise Fitbit, Sprint, or whoever is similarly NOT restricted by HIPAA. But they will have all my PHI… which is a scary thought.

As I read more and more about the medical profession and IT, it occurs to me that doctors and patients are using their smartphones to communicate. And we should ALL encourage more communication. But what if I use an app to share with my physician?

In that case the data gathered by the physician would likely come under the purview of HIPAA. But what if the app we are using, itself, is not secure (e.g. the Health App, or simply iMessage)?

Does the doctor need to comply with HIPAA privacy and security standards, even though we all know the data is already compromised by the patient’s method of delivery? I don’t know the answer to this one.

It would appear similar to a waiver of the attorney-client privilege when the information is shared in the presence of a third party. But, HIPAA has express provisions for when HIPAA can be waived; not a single word exists about an unintentional waiver.

Thus it would seem that a doctor would have to abide by HIPAA, even knowing that the patient has exposed the very records to others. Certainly you don’t want your doctor to send your records to anyone willy-nilly and have the defense be that you texted them to him/her. Once the doctor has the PHI, it’s protected.

But I have not seen anyone litigate this question.

HIPAA and the emerging tech world

Do we have HIPAA issues with our new-fangled “wearables”? The answer is… maybe. HIPAA does not apply to everyone. You can give your health records to whomever you want; after all HIPAA was created to protect “you” from unauthorized acts of “others”.

But HIPAA also has clear limiting applications to what they call Covered Entities and Business Associates of those entities.

So you may want to think twice about entering any personal heath data into your new device; it’s not secure as it sits on your device and your cloud provider has no obligations to make it secure.

But if you provide any of that information to your health care provider, they will have an obligation to meet HIPAA’s requirements for privacy and security for the data they receive.

September 14, 2017

Your Unlocked Phone In A Stranger’s Hand? It Might Happen When You Fly Internationally

Belts off, shoes off, keys, and pocket change in the bin.

Most of us know the routine by heart. Before we even get to the front of the line we have a security bin in our hands. It’s all become so routine it’s second nature.

On the one hand, we know it’s a complete pain but on the other hand most of us have adopted an “it’s better to be safe than sorry” stance on this matter.

When does it go too far?

When does security cross the line from vigilance to invasion of privacy?

Is it when the TSA agents are giving you the kind of pat-down that your doctor wouldn’t do? Is it when they’re grilling you about every minute detail of your trip? Is it when an agent is rifling through the unmentionables in your luggage?…

…Or, maybe, it’s when they’re asking you to unlock your smartphone?

You read that correctly. There is a staggering increase in the amount of searches where a traveler’s phone is being accessed by agents. Does that make you feel secure or violated?

Your smartphone is an extension of your life

Do you go around handing photos of your kids to complete strangers? How about confidential company documents? What about your personal medical documents?

Now think about what you keep on your phone. There is so much personal data on our phones. Data that we want to keep private. After all, that’s why we put passcodes and use thumbprint IDs to unlock our phones.

Our phones are more than just a device to make calls. It’s the one thing most of us use every day and carry with us wherever we go.

Think about your pictures, your emails, your documents, and even your message chats.

To say that our phones hold all the information about our lives wouldn’t be an exaggeration. Spend 30 minutes looking at someone’s unlocked phone and you will gain a lot of insight into that person.

So ask yourself, how comfortable would you feel with a stranger taking your unlocked phone into a private room for 30 minutes or more?

That’s the question many travelers are asking themselves lately.

The rules that you think are protecting you aren’t

Some of you may be tempted to dismiss this as a serious concern. After all it seems like it’s an illegal action being taken by overzealous border agents. And that’s what the constitution is for.

If there’s one thing most Americans are familiar with, it’s the constitution.

The Fourth Amendment prevents illegal search and seizure.

The Fifth Amendment prevents self-incrimination.

These are some of the bedrocks of the constitution and it protects the privacy rights for Americans. It also doesn’t protect you in this case.

Yes, that’s correct. The constitution doesn’t protect you when it comes to your phone being searched when you’re flying.

How is this possible? Well, the same way most questionable actions are legitimized…by a loophole.

Decades ago the Supreme Court created an exception for border agents with regards to the Fourth Amendment. So technically they can search whatever they want and there’s nothing to stop them.

So while it would be illegal for a police officer to stop you and ask you to unlock your phone, it’s perfectly legal for a border agent to do so.

What, me worry?

As you read about this issue another temptation might be to come up with reasons why you don’t think you should worry about this.

You might say to yourself “I’m a US citizen, this only applies to non-Americans”. But unfortunately you’d be wrong about that. American-born citizens have had to turn in their phones at the border already.

As a matter of fact, according to a recent lawsuit, NASA engineers, journalists, and even military veterans (all of whom are American citizens) have recently had to unlock their phones when entering the country.

Even phones that were government-issued and might contain confidential data were subject to being searched at the border.

So no one is immune from this scrutiny.

Another thing many people might say (wrongly) to themselves is the belief that “I’ve done nothing wrong so I’ve got nothing to hide”. But it’s never that simple.

Again, think about all the information that you have on your phone. Is it possible that a friend of a friend on Facebook is a criminal? What about the people you follow on Twitter? Guilty by association, perhaps?

Have you ever made a comment, seriously or in jest, about the government or the President? What if you’re reading a fictional book about a government revolution or terrorist attack?

It might seem extreme but it doesn’t take much for something innocent to lead to further scrutiny. Suddenly your phone isn’t just taken for 30 minutes but for 10 hours.

Different story now isn’t it?

And for those of you that aren’t American and are shaking their heads and thinking “this would never happen in my country”, you might want to rethink that position. Similar scenarios have already happened in Canada and there are reports of it occurring in the UK and Australia as well.

They have the power, you have the control

This situation sucks. The bad (and obvious) news is that you’re left without a choice. Border agents have all the power in this situation and if you want to get back into the country you need to comply.

The good news is that you do have a choice in how much information they get. As we’ve been known to say around here, awareness about an issue is the first step. So now that you’re aware, you can prepare yourself.

Here are some options that you can take before your next flight:

Don’t take your devices with you: This might be easier said than done. But for many people going on vacation, is it really necessary to bring your phone with you?If you need to take pictures you can bring a digital camera, if you want to connect to the Internet then you can take something like an iPod that has Wi-Fi capabilities. There are alternatives to having to take your smartphone with you.
Restore your phone to factory settings: Just backup all the data on your phone so it’s saved securely, and once it is you can restore your phone to its factory setting for your trip. All your files and apps will be off your phone and anyone who looks at it will be looking at essentially a blank device. When you return you can restore your backup so your phone is back to the way it was before your trip.
Buy/rent a temporary phone: If you really need a phone on your trip you can leave your main phone back at home and grab a rental or prepaid phone in your new destination.You’ll get a number for people who need to contact you and many of them come with a data plan as well. You just use it for the duration of the trip and then return it once you’re done, or simply save it for your next trip.

Doors locked, oven turned off, private phone data secured

These solutions might seem a bit extreme but keeping your data private is not a joke. It’s just a fact of life that this is something you may encounter when it comes to flying.

It’s always important to be prepared and aware whenever there’s a situation where your private data might get accessed by someone you wouldn’t want. Unfortunately this is where we’re at in society.

For better or worse security has taken us here, so it’s up to us to determine how much information we want to give up.

Ultimately it’ll be up to each individual to decide if they’re comfortable handing an unlocked phone to a complete stranger or not.

If this is something you aren’t comfortable with then at least you know what you’re up against and you can take whatever steps you need.

Traveling comes with enough stress and anxiety, and the last thing you need to worry about is an invasion of privacy. By taking these steps you’ll be ensured that your vacation is smooth sailing all the way.

August 10, 2017

You Don’t Own Your Data… Here’s Who Does

Do you own your photos?

How many photos will you upload to an online service this year? How many have you uploaded in the past?

Because of smartphones, a camera is always handy when we need it. All of the photos and videos that we take have to be stored somewhere, and increasingly the cloud is where we look for a solution to this problem.

But, when you upload your photos to the cloud, did you consider the fact that you may be giving your photos to someone else to store on their computer? Who will have access to them? More importantly, who owns those pictures?

Data ownership is a complex subject with few clear answers. You created the photo, but once you put it on someone else’s computer, is it still yours?

What rights do we have?

The rights that we retain to our data all boils down to what is in the terms and conditions of the service that we are using. Every service provider has an End User License Agreement, or EULA, of some sort. It could be called Terms of Use, or Terms of Service, or Terms and Conditions, or a Privacy Policy, or they may all be lumped together, or the documents may be separate but incorporated by reference.

There are a ton of service providers out there. Reviewing all of them is impossible. So let’s take a look at some of the biggest data storage providers out there. Chances are that you have something personal stored on one of their servers anyway.

The terms.

One company outlines the rights that you have to your content in their Terms of Service.

The terms start out by stating: You keep ownership of intellectual property rights held in that material. What is yours is yours.

Awesome, right? My stuff is still my stuff. Thank you very much!

Okay, let’s keep reading…

When you upload, store, or do other stuff with files using our Services,

Yup, my pictures are uploaded and stored through their services, so I guess my pictures qualify.

You grant us a worldwide license to use your material at our discretion.

Wait, what? First of all, what is a worldwide license? A license is a right that you grant in your property to do something. A license can be limited in time and geographic scope, among other things. So, I’m giving them a license to do stuff to my stuff anywhere in the world. I’m sure they will modify those terms when space travel becomes a reality.

So, what can they do with my stuff? Sounds like they can do a lot. The license is to use your material at our discretion. That’s pretty broad. I guess the easier question to answer is what can’t they do? I think they pretty much covered it.

The rights granted are intended to be used in the management, operation, and promotion of our Services.

Thanks for limiting your rights in the license that I gave you for my uploaded stuff.

This license continues in perpetuity.

So they can do what they want to my stuff forever? That’s a long time!

Some of our Services may provide methods to access and remove material that you have uploaded.

Some, not all? Looks like additional research might be necessary. How many services does this provider have anyway? It is a lot, but don’t worry, they are always developing new ones.

What does all this mean for you?

So, what does all this mean for the average consumer? I mean, you don’t have a way to negotiate with the big guys, right? They provide a free service, after all, and they are a big corporation trying to make a buck.

What it means is that your stuff really isn’t yours anymore when you store it using some services. With some freely provided services, a consumer essentially has no rights. A company can say “take it or leave it”. You are free to use the service, but you must agree to their terms and conditions. It would be nice if you could keep all of the rights to your data, but that just isn’t possible.

What can you do? If you want to keep all of the rights to your data and still use a freely available service, you’re going to have to choose your service provider more carefully. There are services out there that don’t make you upload a file to someone else’s server. You can use one of those. You can also transfer your photos via USB connection. Or just don’t take any photos. If you don’t take any photos, you don’t have to worry about losing them or giving them away.

July 13, 2017

The Future of Digital Storage

As we rush out to the store to grab the latest and greatest smartphones and bask in the glory that is our never ending thirst for all things media, a thought occurs . . . ”where are we going to store all of this stuff?”

I mean, sure, we proudly flex the muscle of our portable devices, capable of producing 12 megapixel images or shooting full motion video and effortlessly streaming it to our 4k-capable retina display . . . but where is all this data going to be kept?

A cursory glance at the storage market tells us that any portable devices with any real storage capacity come at a premium. Ok, we get that, so we begin to seek other avenues to store our wealth of media that will still give us instant access.

Naturally cloud storage is the first and most viable option. So we immediately enter our email address, create a quick password, and hop onto the internet to store our digital world. Initially it’s great! We can get our stuff from anywhere, and many of the services give us a couple of GBs of space in the cloud for free . . . but at what cost?

The cost equation for the storage of your digital world comes down to “ease of access” versus “control of content”. Anyone who has read the terms and conditions of the typical cloud companies can tell you that you’re virtually giving up all license and all control of your content once you enter it into a public server.

The cost of your “free 5 GB account” is that your content is no longer in your direct control. Sadly, the only real alternative seems to be spending a significant amount of up-front cash on devices that have more built-in storage, or going to the store and buying one of those cloud boxes that you put on your desk at home and try to configure for remote access. It’s clunky and costly, but it’s safer. So how do you decide?

The plot thickens when you realize that every smartphone that is introduced is capable of generating even larger files, videos, images, and media content, yet the storage spaces on these devices continue to remain the same.

So what can be done to enable us to take advantage of all the powerful features of our smart devices without giving up ownership and control of our digital content?

Technology will continue its furious pace towards integration of content and expansion of storage components. How will that future look and who will win that race? Smart money says that the folks developing smartphone, laptop, and tablet technology will continue to lead. Why? The answer is simple really. These devices are not meant to be kept forever.

Look at the typical release cycle for new smartphones and tablets. Just when you get comfortable with your new device, a bigger-better-faster-smarter alternative hits the market.

And how long do you typically keep your tech devices? 1 year? 2 years? Longer? Are you the type that has to be on the train to the latest-and-greatest device available? Or are you still carrying around your series one Motorola flip phone? Don’t worry, there is no wrong answer. But, the fact remains that technology will continue to steamroll ahead whether we’re ready for the “next big thing” or not.

So where does that leave us with our original question about storage and ownership of our content? Will storage manufacturers be able to keep up with the ever-growing needs of the social media networks?

What will the online cloud providers do when they see a market where people still want privacy and control over their digital lives? Will companies like Amazon and Google own your content in an endless sea of server farms? Or will your network evolve into one that you and you alone control?

As it stands today, we’ve got far more questions than we have answers. Once thing is certain in all of this commotion . . . technology won’t stop, so keep your eyes on the horizon and together we’ll see how the innovators answer these growing concerns.