Hacking Healthcare 5-28-19

TLP White: In this edition of Hacking Healthcare, we examine the Georgia Supreme Court’s recent refusal to hold a state government agency liable for a data breach.  We then discuss a United Kingdom (“UK”) Supreme Court decision allowing judicial review of government agency security choices.  Finally, we discuss new artificial intelligence standards developed by the Organisation for Economic Co-operation and Development (“OECD”). 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.

Welcome back to Hacking Healthcare.

 

Hot Links –

1. Georgia Supreme Court Declines to Hold State Agency Responsible for Data Breach.

Last week the Georgia Supreme Court decided that a group of plaintiffs failed to state a viable claim against the state’s Department of Labor (“DoL”) for failing to safeguard consumer personal information.[1]  The Georgia DoL accidentally disclosed a spreadsheet containing the names, Social Security Numbers, telephone numbers, email addresses, and ages of thousands of people who had applied for unemployment and other benefits offered by the state.  Some of the individuals whose information had been exposed alleged through a class action lawsuit that the state agency had been negligent, breached its fiduciary duty, and committed invasion of privacy as a result of the breach.  After a series of appeals, the Georgia Supreme Court heard the case and decided against the plaintiffs on all of the proffered legal theories, thereby declining to hold the DoL responsible for the data breach under state law.

This decision has taken many in the security industry by surprise, and some have even called it “bad precedent.”[2]  Consumers, the argument goes, have a reasonable expectation that a state agency will institute reasonable technical, administrative, and/or physical safeguards for protecting personal information.  The ever growing rate of cyberattacks and the damage that can result from them suggests that entities that collect and aggregate consumer personal information should maintain a certain level of responsibility for keeping that information secure.

2. UK Intelligence Agencies Must Answer for Security Decisions.

The UK Supreme Court has ruled that decisions by the investigatory powers tribunal (“IPT”), a UK spy agency adjudicatory body, are not entirely untouchable by British courts.  Pursuant to this recent Supreme Court decision, the security-related rulings of the IPT regarding activities of government entities such as MI5, MI6, Government Communications Headquarters (“GCHQ”), and police may be subject to judicial review.  Previously, the IPT’s decisions were not subject to challenge via appeal in the courts, but the UK Supreme Court’s ruling departs from that precedent.  Decisions surrounding spy agencies’ exercise of security and surveillance powers can now be appealed, challenged, and overruled in the country’s courts.[3]

The UK Supreme Court came to its conclusion thanks to a lawsuit filed by Privacy International.  Privacy International mounted a legal challenge against GCHQ for hacking and surreptitiously monitoring British citizens, which was adjudicated within the IPT.  As they currently stand, UK laws place few meaningful limits on spy agencies’ ability to gather information via surveillance.[4]  Consequently, the Supreme Court’s decision to review the IPT’s ruling represents a new approach and institutes an increased level of oversight on UK spy agencies’ surveillance choices.

3. Forty-Two Countries Agree to International Standards for Artificial Intelligence.

OECD has recently announced its publication of intergovernmental standards for artificial intelligence (“AI”) policies.[5]  The standards represent a concerted effort to support the continued growth and use of AI technologies while simultaneously encouraging their ethical and responsible use.[6]  In addition to the United States and thirty-five other OCED member nations, Argentina, Brazil, Colombia, Costa Rica, Peru, and Romania signed on and approved of the principles, resulting in a grand total of forty-two countries that have publicly expressed support for OCED’s voluntary AI standards.[7]

To develop the standards, OECD “set up a 50+ member expert group on AI… [which] consisted of representatives of 20 governments as well as leaders from the business, labour, civil society, academic and science communities.”[8]  The group’s aim was to create a set of principles that would assist national governments in designing appropriate legislation to govern the development and use of AI technology.  The published standards are separated into two sections, each of which is focused on trustworthiness of AI.  The first section sets forth value-based principles for the responsible stewardship of trustworthy AI, and the second is comprised of recommendations for national policies and international cooperation surrounding trustworthy AI.[9]

Congress –

 

Tuesday, May 28th:

-No relevant hearings

 

Wednesday, May 29th:

-No relevant hearings

 

 

Thursday, May 30th:

-No relevant hearings

 

 

International Hearings/Meetings –

 

            EU – No relevant hearings.

 

Conferences, Webinars, and Summits –

–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)

https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit
–H-ISAC RADIO discussion on Payer risk. (6/10-/19) Link is in Member Portal

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019-6/19/2019)

<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>

–Healthcare Cybersecurity Workshop – London, UK (7/10/19)

<https://h-isac.org/hisacevents/workshop-london/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)

<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

<https://h-isac.org/summits/european_summit/>

–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)

<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>

–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)

<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

 

 

Sundries –

 

—Lawmakers Propose $2.2 Billion to Advance AI Over the Next Five Years

<https://www.nextgov.com/emerging-tech/2019/05/lawmakers-propose-22-billion-advance-ai-over-next-five-years/157169/>

—Female-voice AI reinforces bias, says UN report

<https://www.bbc.com/news/technology-48349102>

—Legal Threats Make Powerful Phishing Lures

<https://krebsonsecurity.com/2019/05/legal-threats-make-powerful-phishing-lures/>

—Real-time bidding, a thriving ad targeting technique, is becoming a GDPR dilemma

<https://www.cyberscoop.com/real-time-bidding-gdpr-violation/>

—WannaCry? Hundreds of US schools still haven’t patched servers

<https://arstechnica.com/information-technology/2019/05/two-years-after-wannacry-us-schools-still-vulnerable-to-eternalblue/>

—The US DOC gives Huawei a 90-day window to support existing devices

<https://arstechnica.com/gadgets/2019/05/google-and-huawei-can-support-devices-for-90-days-thanks-to-us-ban-exemption/>

—Equifax is spending a ton of money on cybersecurity. Wall Street analysts don’t like it.

<https://www.cyberscoop.com/equifax-wall-street-downgrade-moodys-cybersecurity-spending/>

 

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] Georgia Dep’t of Labor v. McConnell, located at https://www.gasupreme.us/wp-content/uploads/s18g1316.pdf.

[2] https://www.securityweek.com/georgia-supreme-court-rules-state-has-no-obligation-protect-personal-information

[3] https://www.supremecourt.uk/cases/docs/uksc-2018-0004-judgment.pdf

[4] https://www.theregister.co.uk/2018/07/23/investigatory_powers_tribunal_gchq_15_years_illegal_surveillance_no_penalty/

[5] https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449

[6] https://www.oecd.org/going-digital/forty-two-countries-adopt-new-oecd-principles-on-artificial-intelligence.htm

[7] https://www.nextgov.com/emerging-tech/2019/05/42-countries-agree-international-principles-artificial-intelligence/157189/

[8] https://www.oecd.org/going-digital/ai/principles/.

[9] Id.