A Trump administration decision to loosen privacy requirements for doctors treating patients over phone and video apps during the coronavirus pandemic raises the risk of hackers snooping on people’s highly personal medical information.
But even cybersecurity experts say it’s worth making this compromise on cybersecurity to protect public health during the rapidly worsening crisis.
“We’re in a different environment today with this pandemic … Putting a patient in front of a doctor is what’s important,” said Curtis Dukes, a former top National Security Agency official who’s now executive vice president of the Center for Internet Security. “Given where we are today … this is a prudent step.”
The Trump administration is expanding Medicare coverage for digital doctors visits and effectively removing privacy barriers that made it difficult for doctors to use popular video apps, including Apple’s FaceTime, Google Hangouts, Microsoft’s Skype and Facebook Messenger’s video chat feature. The decision should allow both doctors and patients more flexibility about how to connect – and use free services instead of paying for those that have gone through the rigorous process of guaranteeing they’re following Health Insurance Portability and Accountability Act (HIPAA) rules that govern patients’ health information.
But this raises the risk that doctors will use video services without full encryption protections or that companies will store data from the chats in insecure ways. Hackers, preparing for an influx of digital visits, could compromise doctors’ computers to snoop on and record medical consultations. The risk is especially high for top government officials and executives who probably are already being tracked by foreign intelligence services that know which doctors they visit and are eager to find information that they could use to blackmail or extort them.
Cybersecurity experts pointed to the relaxed requirements as just another way in which the government is accepting digital risks that would have seemed too dangerous just weeks ago – but that now look minor compared to the public health benefit of keeping people separated to prevent the virus’s spread.
“The most important thing now is diagnosing people and getting ahead of the virus,” Mick Baccio, a former cybersecurity official at the Obama White House and for the Pete Buttigieg presidential campaign, told me. “Ordinarily, I’d say, ‘No, don’t do this. It introduces too much risk.’ But, given what we all woke up to the last few weeks, it makes sense.”
President Trump described the goal of this and other measures during a news conference as “sav[ing] the maximum number of lives.”
“Everything else is going to come back. A life is never going to come back,” he said. The White House is also urging states to expand telemedicine options for their residents.
The shift applies to any doctor-patient consultation, whether it’s about diagnosing coronavirus infections or for a general medical problem, such as a sprained ankle, a dental consultation or a therapy visit. But it specifically bars doctors from using apps that default to broadcasting video publicly such as Facebook Live, Twitch and TikTok.
And this is just one example of government’s increased willingness to accept digital risk during the pandemic. Large numbers of federal employees, for example, are also now working remotely and relying on outdated virtual private network systems that could buckle under the load. They’re also likely dialing into government networks using personal laptops and other devices that haven’t been fully vetted by cybersecurity professionals and could be more vulnerable to hacking.
Even before the government order, custom-designed apps for online medical consultations were already seeing a spike in usage from people wary of visiting a doctor in person, Jon Pearce, CEO of the telemedicine firm Zipnosis, told Tonya.
“We’ve seen a 100-fold increase in utilization this past week [and] have not had cybersecurity incidents,” he said.
The administration also urged doctors to “notify patients that these third-party applications potentially introduce privacy risks” and notes that “providers should enable all available encryption and privacy modes.”
Cybersecurity experts, however, recommended that doctors focus on using apps such as Apple’s iMessage and Facebook’s WhatsApp that have superstrong encryption as a default rather than walking patients through how to enable the protections.
“I think about telling my elderly aunts how to enable encryption before a video chat and they’d say, ‘What does that mean?’ ” Tony Cole, chief technology officer at the cybersecurity firm Attivo Networks, told me. “It’s better to have very strong security built in.”
Apple, Google and Facebook didn’t respond to requests for comment about whether the White House consulted them before releasing the relaxed rules or whether they would be sharing any specific guidance or best practices with doctors.
PINGED, PATCHED, PWNED
PINGED: There will be “severe ramifications” if the United States finds that a foreign government was behind recent hacking and disinformation efforts to spread panic about the coronavirus, Attorney General William P. Barr told the Associated Press’s Michael Balsamo.
The Justice Department is investigating the spread of an SMS-based disinformation campaign claiming that Trump would implement a national quarantine as well as a possible attack meant to knock out computer networks at the Department of Health and Human Services.
“When you’re dealing with something like a denial of service attack on HHS during a pandemic, that’s a very grave action for another country to take,” Barr told Michael.
He did not speculate about which country was behind the attack.
The misinformation campaign appeared to be aimed at spurring shoppers to rush to stores, emptying shelves and disrupting the food supply. Both national security officials and Trump debunked the rapidly spreading conspiracy.
The attorney general also slammed efforts by scammers to profit off coronavirus concerns. Barr urged U.S. attorneys to prioritize prosecuting people for scams and cybercrimes related to the pandemic in a memo Monday.
PATCHED: Democratic National Committee Chairman Tom Perez is urging states to increase voting by mail and to expand polling hours to prevent more states from delaying their primaries, my colleagues Michael Scherer and Felicia Sonmez wrote in our live blog. The call came as three states held presidential primaries last night despite mounting public health concerns but Ohio delayed its contest.
Perez joins a chorus of Democratic lawmakers who have pushed for expanded vote-by-mail in light of public-health concerns stoked by the coronavirus pandemic — and despite concerns it would be difficult to make the shift securely before the November contest.
The calls come as election officials are scrambling to respond to the pandemic and as multiple states have rescheduled their primary elections amid public health concerns.
Meanwhile, the Election Assistance Commission, which oversees more than $800 million in federal election security grants for states, announced it will allow states to use some of those funds to protect poll workers and voters from the virus. States can use the grant funding to pay for disinfecting wipes, masks and other cleaning supplies, the EAC noted in a news release.
The announcement comes as many poll locations struggle to afford basic sanitation measures, my colleagues Elise Viebeck, Amy Gardner and Isaac Stanley-Becker report. For instance, Illinois election officials promised voters cleaning supplies and disinfectants for Tuesday’s primary that were missing when they arrived.
PWNED: The White House is looking to partner with Facebook, Google and other companies on technology to use phone data location to combat the coronavirus, my colleagues Tony Romm, Elizabeth Dwoskin and Craig Timberg report.
White House officials insist they do not intend to create a database of users’ locations, but the move is still sure to spark a debate over the use of invasive surveillance technologies during the global health pandemic, my colleagues note.
The government is particularly interested in understanding patterns of people’s movements through anonymized data and statistics. The officials could then use the technology to predict coronavirus hot spots and where to allocate resources, they say.
Other countries have already begun to experiment with location-tracking technology to aid prevention and detection efforts. The Israeli spyware firm NSO Group — which has come under intense fire for allegedly helping autocratic regimes spy on their citizens — developed a similar product that it says can map people’s users to track the coronavirus, Gwen Ackerman and Yaacov Benmeleh at Bloomberg report. About a dozen countries are testing the technology they report.
— The U.S. Election Assistance Commission is hiring Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy & Technology, as a senior policy adviser on cybersecurity, Sean Lyngaas at Cyberscoop reports.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
The world is vulnerable to a new type of trolling as people turn to Zoom video calls to feel connected amidst quarantines. Jerks are using Zoom’s screensharing feature to blast other viewers with the most awful videos from across the internet, from violence to shocking pornography.
THE NEW WILD WEST
— Cybersecurity news from abroad: