Thought Leaders series: Interview with FTC Commissioner McSweeny

#DataInsecurity Digest Interview with FTC Commissioner Terrell McSweeny

National Consumers League: What is the state of data security in America? Should consumers be concerned about what companies, the government and other organizations are doing (or not doing) to safeguard the data that companies hold about them?

Commissioner McSweeny: The good news is many firms have taken the idea of security by design to heart and have integrated security into the product design process from the start. Many companies do have robust defense in depth security architectures to protect consumer data. On the other hand, there is a wide spectrum of data security practices in the marketplace, and it can be difficult for consumers to know what is going on behind the scenes at the companies that hold their data. I’m particularly concerned about the security of so-called “Internet of Things” products – connected appliances, wearables, cars, televisions etc. The FTC’s enforcement and business education efforts are raising awareness among businesses that they must put data security front and center. But the fact remains that in our increasingly interconnected world vulnerabilities remain and, I fear, will continue to plague consumers.

Consumers should think about what types of data companies are asking for and whether it makes sense to provide the requested data in connection with whatever products or services consumers want to use.

NCL: Congratulations on another successful Start with Security event in Chicago! What other steps or events is the FTC planning to help companies, governments and consumers protect and secure their data online?

Commissioner McSweeny: In addition to law enforcement – which is the cornerstone of our data security efforts – outreach to businesses and consumers is a critical part of the FTC’s consumer protection mission, including when it comes to privacy and data security. We strive to keep our educational materials recent and relevant, and I hope that we will produce updated versions of our Start with Security Guide. We are always refreshing our educational materials, and we communicate the relevance of current law enforcement actions on our consumer blog and business blog.

In addition, we use our convening power to bring together industry members, researchers, and consumer advocates to discuss consumer protection aspects of developing technology. For instance, this fall we’re having a series of seminars on technology issues including ransomware, drones, and Smart TVs. And in January 2017, we’re having our second annual PrivacyCon to discuss the latest research in privacy and data security. Through events such as these, the FTC can stay on top of technological trends, identify where potential data security problems may arise for consumers, and start to look at possible solutions.

NCL: Recently, we’ve learned about some pretty huge breaches involving hundreds of millions of account credentials at places like MySpace, LinkedIn and Tumblr. We’re seeing those credentials being re-used in other attacks. What role does the FTC have in preventing password re-use?

Commissioner McSweeny: Besides educating consumers about using unique strong passwords and how to identify and avoid phishing attacks, we also advise consumers to turn on two-factor authentication at sites where it’s offered. And on the business side, we tell companies that they should require strong passwords, guard against brute force attacks, and not store passwords in clear text.

NCL: You’ve become something of a regular at some of the more popular hacker conferences like Black Hat and DEFCON in recent years. What are you hearing at these conferences that has influenced how you’re doing your job at the FTC?

Commissioner McSweeny: I think it is important to understand as much as possible about how technology works. I always learn a lot from security researchers I meet at these kinds of conferences and from the presentations of research at them. Some of our cases even come to our attention thanks to the work of hackers. I think it is important for the FTC to continue to build relationships with researchers who can be important partners in our work to protect consumer data security and privacy.

NCL: In March, the Federal Trade Commission’s Consumer Sentinel Network Data Book reported a 47 percent year on year increase in identity theft complaints. We also learned recently that the FTC’s Chief Technologist, Lorrie Cranor, was herself a victim of identity fraud. What is the FTC working on to help fight the ID theft problem and what can consumers do to help protect themselves? Should consumers be concerned about the security of two-factor authentication?

Commissioner McSweeny: Lorrie Cranor blogged about her experience and explained that someone used a fake ID with Lorrie’s name and the thief’s photo, and went to a retail store to acquire new iPhones that were charged to Lorrie’s account. This type of mobile phone theft – where someone goes through the time and trouble to create a fake ID with someone else’s name on it in order to steal a mobile account – appears to be on the rise, but is still relatively rare.

The reason Lorrie wrote about the experience was to educate consumers about the problem and let them know that they can take proactive steps – such as establishing a PIN or password that must be provided before making changes to a mobile account – to reduce the risk of having it happen to them. In addition, she highlighted that mobile carriers are in a better position to help prevent identity theft and should implement a multi-level approach to authenticating both new and existing customers.

We continue to educate consumers about ID theft and emerging data security risks, such as mobile phone account hijacking, to help them protect themselves as they navigate through the connected world. And for consumers who unfortunately do become victims, our website idtheft.gov offers a one-stop shop where consumers can get a personalized plan to report and help recover from ID theft.

NCL: There has been a lot of discussion recently around the issue of encryption, backdoors, and iPhone passcodes. Earlier this year, you wrote about concerns that businesses may be implementing encryption in insecure ways. Has your view about encryption technology evolved given all of the debate around the issue? How does the FTC help consumers take advantage of the security protections that encryption provides? 

Commissioner McSweeny: I personally have highlighted encryption as a vital practice that can allow firms to store and transmit personal information securely. I’m concerned that mandating back doors to break encryption would weaken security protections for consumers and make them worse off. As we connect more things in our daily lives – such as our TVs, watches, appliances, cars – we will increasingly need tools like encryption to make sure that they remain secure. The FTC advises consumers that encryption is key to keeping their information secure, whether it’s transmitted to a website, to a mobile app, or through a wi-fi hotspot.

NCL: Back in 2005, the FTC released a staff report on the threat of spyware, adware and other unwanted software. In 2008, the Commission testified about the threat of spyware and the principles it relies on in enforcement actions against spyware operators. We recently sent an alert about the related issue of unwanted software (UwS). What are your thoughts on the growing phenomenon of UwS and the threats it may pose to consumers’ online security? Can the FTC do more to protect consumers from UwS?

Commissioner McSweeny: Unwanted software remains a problem, and we have put out some consumer education on how to avoid it and remove it, including telling consumers to obtain well-known software only directly from manufacturers’ websites, and to be alert when installing new software. This is the type of problem that really needs a broad technological solution, and I know that industry members – such as browser manufacturers – are working diligently to fight the problem, including issuing alerts that will warn consumers about potentially harmful websites. In the same vein, app stores are working hard to police the app marketplaces to reduce the number of malicious apps. Depending upon the specific facts of the case, we could also potentially bring an FTC enforcement action relating to the installation of unwanted software.  

NCL: In the news recently there has been a rise in coverage of so-called “ransomware” attacks, especially in the healthcare space. What is the FTC doing on the issue? Do you believe this is a distinct issue or is it a symptom of the larger data security problems facing the country? What can consumers do to protect themselves from ransomware?

Commissioner McSweeny: One of our fall tech seminars in September will be devoted to the topic of ransomware, precisely because it is such an important issue that is affecting more and more consumers. This seminar should help us learn more about the scope of the problem and help consumers understand how they can reduce their risk of a ransomware attack and how they should respond to one if they do become a victim. While ransomware is a distinct problem from the type of security breach that leads to wider-spread compromise of personal information held by a third party, it’s a problem that hits affected consumers closer to home, since consumers whose files are held for ransom see the immediate concrete and negative effects of an attack. I’m concerned ransomware could become an even greater problem as more of the things in our daily lives are connected to the Internet. We continue to provide consumers with information about how to protect themselves, including not clicking on unknown links in emails, checking the security settings on their browsers, and backing up their files.

###

Published by National Consumers League’s #DataInsecurity Digest
August 3, 2016 

The #DataInsecurity Digest | Issue 25

Issue 25 | July 20, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: The FDIC is in Congress’ crosshairs after the agency covered up a significant breach perpetrated by Chinese hackers in 2012 to avoid derailing FDIC Chairman Martin Gruenberg’s confirmation hearing. Gruenberg claimed ignorance of such efforts in House testimony last week, but this is one breach whose impact is likely to linger given the super-charged election year atmosphere. In addition to the FDIC news, we also learned that the Wendy’s breach is significantly larger than originally reported, and Omni Hotels is the latest hotel chain to have been breached. In light of these and other numerous breaches, it’s not surprising that new data shows consumers are losing confidence that businesses can protect their data, according to Brunswick Insights. On a more exciting note, make sure to mark your calendars for the next issue of the #DataInsecurity Digest, which will feature an exclusive interview with FTC Commissioner Terrell McSweeny!

And now, on to the clips!

—————–

FDIC “Breachgate?” The House Committee on Science, Space and Technology released a report that found that not only did Chinese hackers install malware on 12 workstations and 10 servers (including those belonging to the general counsel, chief of staff, and chairman) at the Federal Deposit Insurance Corporation (FDIC), the FDIC also engaged in a cover-up of the breach. News of the breach came to light due to a separate investigation involving an October 2015 breach where 44,000 individuals had their personally identifiable information compromised by the FDIC (which the FDIC also neglected to inform Congress about). @CNNMoney reports that the FDIC’s Chief Information Officer Russ Pittman worked to directly mislead investigators: “One whistleblower, whose identity is not revealed in the report, claimed that Pittman ‘instructed employees not to discuss… this foreign government penetration of the FDIC’s network’ to avoid ruining [FDIC Chairman Martin] Gruenberg’s confirmation by the U.S. Senate in March 2012.” (Source: CNN Money and Ars Technica)

Gruenberg: “I can’t speak to the accuracy” of breach cover-up allegations. Grab your popcorn folks, this one is going to linger. In testimony before a House committee, FDIC Chairman Gruenberg claimed ignorance of efforts to cover up significant data breaches at the agency. Responding to questions about cover-up allegations from Rep. Don Beyer (D-VA), Gruenberg said, “I was certainly unaware, Congressman,” and that, “There hasn’t been a review of what actually occurred here. I would be cautious about the accuracy of the representation.” (Source: Wall Street Journal)

COMING SOON: #DataInsecurity Thought Leaders Series. As we mark the 25th edition of the #DataInsecurity Digest, we’re excited to announce that you’ll soon be seeing original content in the newsletter. From time to time, we’ll feature interviews with data security thought leaders and policymakers from Washington and beyond to get their insights on breaches and other data security threats and what’s being done to better secure our data. First up for our Aug. 3 Digest: FTC Commissioner Terrell McSweeny. Don’t miss it!

80 percent of North American Omni Hotels and Resorts breached. Last week, Omni Hotels announced that hackers stole payment-card information from their point-of-sale systems at 49 of their 60 North American hotels and bar locations between December 23, 2015 and June 14, 2016. Andrei Barysevich, director of cybercrime research at Flashpoint, a cybercrime research organization, found that, since the breach, “more than 50,000 payment-card numbers related to the breach have been sold on criminal online forums by a hacker calling himself JokerStash.” Barysevich believes that the hackers utilized the same technique that was used in the previous attacks against Hyatt, Starwood, and Hilton. (Source: Wall Street Journal)

Wendy’s breach much meatier than initially thought. When news of a breach at Wendy’s first broke last fall, the company claimed that point-of-sale systems at fewer than 300 locations had been affected. This month, however, Wendy’s announced that the breach was much larger, actually affecting more than 1,025 store locations. The compromised payment data includes customer names, credit and debit card numbers, expiration dates, cardholder verification values (CVV), and service codes. @briankrebs points out that this breach was particularly hard on banks and credit unions. “Not long after a new card is shipped, these customers turn around and unwittingly re-compromise their cards, prompting institutions to weigh the costs of continuously re-issuing versus the chances that the cards will be sold in the underground and used for fraud.” (Source: Krebs on Security)

Library of Congress hacked, Congress.gov downed. The recently confirmed Librarian of Congress, Carla Hayden, is already having a tough start at her new job. On Sunday, just a few days after her Senate confirmation, the Library of Congress’ systems were hit with a massive denial-of-service attack that has knocked sites maintained by the agency offline, including Congress.gov, the U.S. Copyright Office website, the Library’s internal websites, and employee email. This attack comes in spite of the U.S. Government Accountability Office flagging numerous cybersecurity areas in need of improvement in a June 2015 report on the agency. (Source: FCW)

50,000 Baton Rouge police records “hacked” and dumped in retaliation for Baton Rouge police shooting. Days after the shooting of Alton Sterling, police records including names, addresses, emails, and phone numbers appeared online. Although this is a significant data dump, investigators believe that the breach was a result more of user error than hacking skills, or as The Daily Dot put it, the “breach—for lack of a better term—appears to have simply been a case of unauthorized access through the use of discovered login credentials rather than through any kind of technical attack.” The hacker @0x2Taylor explained his reasoning for the leak by stating to @HowellOneill of The Daily Dot through a private Twitter message that, “The reason i did it is because of what that officer did to alton sterling…i’m sick of seeing police abuse their power and all the killings.” (Source: The Daily Dot)

Update your Pokémon Go app. Pokémon Go has taken the nation by storm, but as you were hunting down Dragonite, the game developer Niantic had, under the app’s terms of service, full access to iOS users’ Google accounts. This, according to Google, allowed Niantic to “see and modify nearly all information in your Google Account.” Not surprisingly, this created a huge backlash that led Niantic to create an update to Pokémon Go’s terms of service that would prevent them from having full access to your Google account. However, in order to be covered by new terms of service, you must update the app. (Source: Wired)

Stagefright flashback: 85 million Android phones infected with HummingBad malware. The malware was first discovered in February and has reportedly generated $300,000 a month in fraudulent ad revenue for its creators. @businessinsider reports that it goes undetected by secretly installing fraudulent apps and “setting up a permanent rootkit—a set of software tools that enable an unauthorized user to gain control of a computer system.” HummingBad’s success is yet another example of the impact of fragmentation on the overall security of the Android ecosystem, writes @BIIntelligence. However, it is clear from the report that only a small fraction of HummingBad infections (approximately 286,000) are affecting users in the U.S., with those using older versions of Android (particularly Jelly Bean and KitKat) most at risk. (Source: Business Insider)

Oregon Health & Science University pays $2.7 million in fines for data breaches. In 2013, Oregon Health & Science University was the subject of two breaches that compromised more than 7,000 patient records. @LynnePDX reports that, “The two breaches occurred within three months of each other. One occurred after a surgeon’s laptop was stolen from a Hawaii vacation rental. The computer, which had information on 4,022 patients, was not encrypted. The other case involved newly minted physicians in residency programs for plastic surgery, urology, and kidney transplants who used an Internet-based storage device, or cloud service, to maintain a spreadsheet of patients. The spreadsheet had information on 3,044 people.” In addition to the cash settlement, Oregon Health & Science University will undergo a “rigorous three-year corrective action plan” overseen by the U.S. Department of Health and Human Services Office for Civil Rights. (Source: The Oregonian)

Ranscam: Probably more amateur hour than real threat. The so-called “Ranscam” may look like typical ransomware to an infected user, but instead of encrypting files, it deletes them, even if you pay. @thepacketrat explains that, “Ranscam is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for ‘encrypted’ files that were actually just plain deleted by a batch command.” The Bitcoin wallet associated with the scam has seen no activity since June, so it appears that this scam may be more hoax than threat. Still, it’s never a bad idea to take steps to defend yourself against ransomware. For tips on spotting and avoiding ransomware, read Fraud.org’s Fraud Alert on the scam. (Source: Ars Technica)

OurMine Strikes again: This week’s victim—Twitter CEO Jack Dorsey. Jack Dorsey proved to us that no one is immune to hacking when he joined Google’s Sundar Pichai and Facebook’s Mark Zuckerberg as the latest prominent tech luminary to have his Twitter account hacked. The hacker, OurMine, tweeted their standard “We are testing your security” message. The Verge’s @colinlecher reports that it’s not yet known how Dorsey’s account was hacked. Last month, Twitter took the step of locking down some accounts on the service after several million passwords—apparently thanks to breaches at non-Twitter services—were leaked. (Source: The Verge)

Brunswick: 43 percent of consumers trust companies less with their data today than a year ago. Brunswick Insights, an advisory firm specializing in critical issues for business, is out with some interesting new research. According to a survey of 7,000 consumers in seven countries (including the U.S.), the rash of data breaches is affecting consumers’ confidence in the ability of businesses to protect consumer data. Another interesting nugget from the survey revealed that when a breach hits a business, affected consumers blame the breached company itself more than the hackers by a nearly 2:1 margin (69 percent vs. 39 percent). (Source: Brunswick Group)

Brits: Cybercriminals’ capability “currently outpaces the U.K.’s collective response to cybercrime.” In light of data breaches becoming an everyday occurrence—affecting everyone from the FDIC, to the House of Representatives, to large hospitals—it is perhaps not surprising that law enforcement is having difficulty keeping up. Nonetheless, our friends across the pond have reiterated a familiar call to action for organizations to take proactive steps. The British National Crime Agency’s most recent cybercrime assessment states, “It is critical that businesses not only implement and maintain the latest good practices but also actively test how well they are prepared for criminal attacks… This testing should encompass both their resistance to threats, and their ability to minimize and mitigate the damage caused by successful attacks.” (Source: National Crime Agency)

Students agree to give up first-born, share data with NSA. If the Pokémon Go app’s terms of service didn’t prove that few actually read these agreements, then perhaps this will. Researchers Jonathan Obar and Anne Oeldorf-Hirsch studied just how closely we read terms of service agreements. As @dmkravets reports, “The study said that students were intentionally deceived and told that the university was working with NameDrop (a fictitious social networking site) and that they would be ‘contributing to a pre-launch evaluation,’ and they needed to sign up for the site to perform their analysis. The agreements included so-called ‘gotcha clauses’—such as agreeing to give up first-born children and sharing social networking data with the NSA—which were added to assess ‘ignoring behavior.’” Unsurprisingly, only 26 percent of users actually clicked on the TOS agreement, spending an average of about a minute reading it. (Source: Ars Technica)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published July 20, 2016

The #DataInsecurity Digest | Issue 24

Issue 24 | July 7, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Ransomware continues to make news and not in a good way. More than 650,000 patient records are being sold on the dark web thanks to data breaches in three states. The hacks underscore HHS Secretary Burwell’s urgent call on the healthcare industry to treat ransomware as a “major threat to all aspects of your business.” In a new Morning Consult piece, I take a look at this issue in depth and argue that Congress should do more to take on data security reform. Another hack of the Hillary Clinton campaign led to leaks of sensitive information, including an email discussion of how staffers can run interference on reporters. And while companies have for the most part been able to fend off lawsuits when their breaches affect consumers, that could be changing soon according to the Wall Street Journal. Alternatively, perhaps we hold consumers liable for their own lack of cyber hygiene, says a professor at the Rochester Institute of Technology. Finally, proof that not all hacks have to end badly—a NASCAR team netted a new sponsorship deal when they fell victim to a ransomware attack.

And now, on to the clips!

—————–

HHS Secretary Burwell: ransomware a “major threat to all aspects of your business.” The recent spate of ransomware attacks targeting hospitals is drawing the attention of HHS. Last week, HHS Secretary Sylvia Burwell weighed in on the data security discussion when she released guidance to healthcare providers on how to handle ransomware attacks. In addition to highlighting the importance of data security, Secretary Burwell called for “team member education, proper cyber hygiene, comprehensive backup and recovery procedures, and continuity planning,” also stating that, “Just like health care professionals wash their hands before procedures, we need to develop the habit of keeping our systems and data healthy, secure and recoverable.” (Source: Department of Health and Human Services)

Tooting my own horn: Ransomware attacks highlight need for Congressional action. Ransomware attacks at hospitals like DC’s MedStar Health are having real consequences for patient health, I write in Morning Consult this morning. The FBI reported this spring that more than $209 million in ransoms were paid in the first quarter of 2016 alone. In the MedStar hack, the hospitals actually had to turn away patients. “Hoping for the best—or worse, paying ransoms—is not an effective way to combat ransomware attacks,” I argue. The Senate took a good first step in convening a hearing in May, and the FTC will examine the issue in September, but more can and should be done by Congress. Head over to Morning Consult to read the full story.

For sale: 665,000 patient records, mostly unencrypted. This week, hundreds of thousands of records from three different poorly secured medical databases appeared on the dark web for sale—the largest of which has a price tag of 607 bitcoin. @josephfcox reports, “The breaches supposedly comes from three different healthcare organizations: one in Farmington, Missouri with 48,000 records; another in Atlanta, Georgia with 397,000 entries, and the third in the Central/Midwest US with 210,000 records.” @jdebunt observes, “All of this paints a very worrisome picture for hospital IT security in general. Storing confidential information in plain text is not acceptable. Moreover, using horrible security measures through common usernames and passwords is one of the worst ideas. Something has to change sooner rather than later, as this may only be the tip of the iceberg of what is to come.” (Source: Motherboard and The Merkle)

Could this be just the tip of the iceberg? 665,000 records is a daunting amount of personal information to be sold on the dark web, but reports are now surfacing that the same hacker selling the data could also be selling a database in excess of 9 million medical records. The database was discovered by @owlcyber and “was stolen using a zero-day exploit—otherwise known as an undisclosed software vulnerability—in Microsoft’s Remote Desktop Protocol.” (Source: Fed Scoop)

Phishing attack leads to embarrassment for Clinton campaign. News recently surfaced that the Hillary for America campaign suffered a spear phishing attack that ensnared a volunteer through a spoofed login page in March. The attacker targeted both senior and junior “individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy,” reported @SecureWorks. @tsgnews obtained some of the stolen information from the campaign, which “provided hackers with a glimpse at the inner workings of a massive presidential campaign—from schedules and talking points to briefing books and assorted logistics.” @tsgnews also provided readers with an email chain from the breach where Clinton staffers coordinated interference efforts to keep certain reporters from getting close enough to ask Secretary Clinton a question at campaign events. (Source: The Smoking Gun and SecureWorks)

Hacks take Democratic House offices offline. On the heels of the DNC’s opposition research breach, one might assume that Democrats would be extra careful about their cybersecurity. Nonetheless, the official websites of 17 members were recently downed by hackers for more than a week. With this embarrassing and lengthy hack, Democrats are looking for who is to blame, and that role appears to be falling on tech company DCS. Politico’s @ericgeller reports, “With the exception of (Representative) Perlmutter, all of the affected lawmakers have contracts with a company called DCS to manage their websites. DCS builds websites using Joomla, a content management system that has suffered from serious security flaws.” Despite the fix DCS was able to provide on Friday, Politico reports that aides are still unable to update and post new information to their websites through their admin accounts due to a new security feature. (Source: Politico)

Could your security software be your biggest vulnerability? Installing anti-virus software and keeping it updated is one of the basics of cyber hygiene. But, what can consumers do when the antivirus programs themselves have serious security vulnerabilities? That’s the question Google security researcher @taviso is asking after his research discovered critical flaws in Symantec’s entire suite of antivirus tools. Such vulnerabilities may be symptomatic of the security industry overall, writes @KimZetter. “This isn’t the way it’s supposed to be. Security software tasked with protecting our critical systems and data shouldn’t also be the biggest vulnerability and liability present in those systems. … In many cases, the same software can be running on every desktop or laptop machine on an organization’s network, exposing a large attack surface to compromise if the software contains vulnerabilities.” (Source: WIRED)

FTC opens inquiry into Ashley Madison hack. The massive breach at the dating website Ashley Madison last year cost the CEO his job, resulted in blackmail attacks, and at least one suicide among the 30 million affected users. Now the company is in the crosshairs of the FTC, according to @mmcphate. In an effort to rehabilitate itself, the site intends to now focus on more than just facilitating extramarital affairs. According to parent company Avid Life Media’s president James Millership, the new goal is “to build the world’s most open-minded dating community[.]” (Source: New York Times)

Personal information of nearly 2,500 U.S. military officers hacked and leaked. Ghost Squad, a hacking group that previously attacked the KKK and the Black Lives Matter Movement and has been associated with the Anonymous collective, recently published U.S. military personnel data as a protest against U.S. policies in the Middle East. @BatBlue confirmed the breach stating, “The leaked database is in the format of .txt file and contains nearly 5,000 lines of data on almost 2,500 United States Army officials. The leaked data includes military officials’ full names, phone numbers, email addresses, dates of birth, home addresses and credit card information.” (Source: Bat Blue)

Dating site Muslim Match hacked: Nearly 150,000 dating profiles and 790,000 private messages dumped online. Sensitive information such as users’ occupation, living situation, marital status, and whether they would consider polygamy was included in the data dump. The dump also contained the private messages of users discussing everything from religious debates to marriage proposals. @josephfcox provides us with a teachable moment in the wake of this poorly secured website breach (the site did not use HTTPS) by stating that, “Users should scope out a service they intend to use beforehand: Does it use encryption on login screens? Is it a forum based on a vulnerable piece of software like IP.Board? These checks could come in especially handy with services that deal with as much sensitive information as dating sites.” (Source: Motherboard)

Hackers slurp up card data at Noodles & Company. Consumers looking to get their pasta fix at the Noodles & Company chain of restaurants may have gotten more than just an excellent mac and cheese. Last week, the company announced that between January 31 and June 2, 2016, hackers installed malware on their systems, which collected customer names, card numbers, expiration dates, and CVV information. It’s unknown how many cards were affected, but the malware infected restaurants in 27 states and the District of Columbia, according to the company. The breach has been resolved, but Noodles & Company is recommending that you monitor your credit for fraudulent activity. (Source: Consumerist and Noodles & Company)

One tenth of OPM breach victims still not notified. It’s been over one year since the OPM breach that compromised the background files and Social Security numbers of 21.5 million people. Yet, upwards of 2 million victims have not yet been notified that their data was compromised. Typically, victims receive a formal letter informing them of their victimization and that, “They are eligible for identity restoration services and insurance for costs related to identity theft. While those benefits are automatic, affected persons have to enroll to gain additional free identity monitoring and credit monitoring services,” reports @EricYoderWP. OPM Acting Director Beth Cobert explained the extensive delay by stating, “About 10 percent of the letters intended to reach those impacted by the background investigation incident were returned because people had moved, the letters were incorrectly addressed, or other factors.” (Source: Washington Post)

Judges grappling with how companies should compensate consumers for breached personal data. As data breaches become increasingly common, more and more lawsuits are being filed on behalf of consumers demanding compensation for the breach of their personal and financial information. @nicole_hong reports that this has set up an interesting legal debate with plaintiffs arguing, “That [consumers] pay for a company’s services with expectations their privacy will be protected, and when that privacy is breached, it means they overpaid and should be reimbursed.” Companies on the other hand argue, “Having personal data compromised doesn’t necessarily equate to an injury that merits compensation.” (Source: Wall Street Journal)

Celebgate hacker pleads guilty. Edward Majerczyk, the man believed to be behind the 2014 “Celebgate” incident, in which nude photos of more than 100 celebrities, including Rihanna and Jennifer Lawrence, were leaked on the web, now faces up to 5 years in prison for his actions. Majerczyk recently pleaded guilty to running a phishing campaign designed to trick celebrities into visiting malicious “security” websites in order to steal login names and passwords for more than 300 iCloud and Gmail accounts. Deirdre Fike, assistant director of the FBI’s Los Angeles office, condemned Majerczyk’s actions: “This defendant not only hacked into email accounts, he hacked into his victims’ private lives, causing embarrassment and lasting harm.” (Source: BBC)

Google CEO’s Quora account gets hacked. OurMine, the same hacker outfit that hacked Mark Zuckerberg’s Twitter account, just hacked Google CEO Sundar Pichai’s Quora account. Pichai’s hack gained notice when his Twitter account, which was linked to his Quora account, began posting updates such as “Hey, it’s OurMine, we are just testing your security please visit OurMine to update it.” (Source: The Verge)

Buy it now: Personal data still on used eBay hard drives. Security firm @BlanccoTech recently purchased 200 used hard drives on eBay and found that 67 percent contained personally identifiable data and that 11 percent contained sensitive corporate data such as emails, sales projections, and spreadsheets. @philmuncaster reports that Blancco Technology Group (BTG) purchased the “solid state drives from eBay and Craigslist in Q1 and then analyzed them to see if any data had been left behind by their previous owners. BTG warned firms that failure to properly wipe drives before putting them up for resale could result in a data breach which ultimately hits the bottom line as well as customer loyalty and the reputation of the brand.” (Source: Info Security)

Should we punish the victims of hacking? Josephine Wolff, a professor at the Rochester Institute of Technology, has raised several interesting questions with regard to whether or not data breach victims themselves should be punished. Wolff ponders, “For the most part, discussion of these careless mistakes and oversights on the part of people with poor computer hygiene centers on the need for better education and awareness-raising. Very rarely do we grapple with the question of whether, perhaps, the only way to get individuals to take this seriously and actually change their behavior – to be more attentive to issues of security – is if there are concrete penalties and consequences associated with participating in bots, falling for phishing attacks, failing to install security updates, and other basics of computer hygiene.” (Source: The Atlantic)

Dessert: NASCAR revs up the fight against ransomware. Driver Michael McDowell’s newest sponsor is not the typical NASCAR sponsor. Malwarebytes, a digital security company, recently agreed to sponsor McDowell after his team’s entire computer system was the subject of a ransomware attack. Team Vice President Jeremy Lange was pleased that this sponsorship would enable them to spread the word about the risks of ransomware, stating that McDowell’s experience of being hacked proved that ransomware attacks can really happen to anyone. “It’s really to build awareness among the NASCAR community and elsewhere by talking to people … let them know about the story. [That] was really what drove us to reach out to Malwarebytes because it’s a real, live case study of sorts.” (Source: NASCAR and InfoSecurity)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published July 7, 2016

NCL health policy updates | Health Advisory Council Newsletter | 2016 Q2

NCL joins campaign to educate seniors about buying drugs safely online – In June, NCL joined with the Alliance for Safe Online Pharmacies and the Center for Safe Internet Pharmacies in launching XtheRisk.com to educate seniors and their caregivers about how to protect themselves against counterfeit drugs and safely buy drugs online. A recent review of more than 11,000 websites selling prescription medications online to U.S. consumers found approximately 96 percent do not comply with U.S. laws and 50 percent of medicines sold online are fake or counterfeit. In conjunction with its partners, NCL is providing tips to help consumers stay safe and encouraging them to buy from websites ending in .pharmacy, which are verified by the National Association of Boards of Pharmacy (NABP). In addition, online pharmacies that display the VIPPS (Verified Internet Pharmacy Practice Sites) seal have successfully undergone NABP’s rigorous screening process. 

OTC monograph user fees – On June 10, Sally Greenberg, NCL executive director, testified before the FDA in support of user fees for over-the-counter (OTC) drugs. OTC drugs play a vital role in keeping consumers healthy and helping them to feel better when they’re sick. The FDA OTC Division is seriously under-resourced. Additional funding for this division would enable the agency to finalize review of OTC ingredients and address safety issues faster and more efficiently. In addition, a user fee program could benefit both consumers and industry by allowing for more timely review of innovations and new ingredients, ultimately leading to the availability of new and improved OTC options. NCL offered two notes of caution: we asked the FDA to ensure that the program not squeeze out smaller companies who might not have the resources for high user fees and that strong scientific evidence accompany any approval and that a company’s ability or willingness to pay into the fund must not provide easier access to approval.

Script Your Future Medication Adherence Team Challenge – In May, NCL announced the winners of the 5th Annual Medication Adherence Team Challenge, a competition that encourages health profession students and faculty across the nation to develop creative ideas, events, and initiatives to raise public awareness about the importance of medication adherence.

This year’s winners are the University of Charleston School of Pharmacy, pictured at right, (National Challenge Award), University of Pittsburgh School of Pharmacy (National Challenge Award), Northeast Ohio Medical University (NEOMED) (Health Disparities/Under-represented Community Outreach Award), University of North Carolina at Chapel Hill (UNC-Chapel Hill) (Communication and Media Outreach Award), and the University of Maryland School of Pharmacy (Creative Inter-Professional Team Event Award).

Hundreds of future health care professionals from 75 participating educational institutions held more than 320 events in 19 states, counseled more than 12,000 patients, and reached more than 2.3 million consumers nationwide. Since the Challenge began in 2011, more than 9,500 future health care professionals have directly counseled more than 34,000 patients and reached more than 11 million consumers.

21st Century Cures/Innovation for Healthier Americans – NCL is continuing to work with colleagues in the patient, consumer, and health advocacy communities to monitor legislation that is part of the Senate’s Innovation for Healthier Americans initiative. While we fully support innovation and approval of safe and effective medications, NCL joins with other consumer and patient groups in wanting to ensure that speeding approval of new medical products does not come at the expense of patient safety. Finding that happy medium is critically important.

Health Advisory Council Newsletter | 2016 Q2 | Member Q and A

2016 | Q2 Newsletter | Q & A with Health Advisory Council Members


Dorothy Siemon, Esq.

Vice President, AARP Office of Policy Development and Integration

Q. Tell us about AARP’s mission.

A. AARP is a nonprofit, nonpartisan, social welfare organization with a membership of nearly 38 million whose mission is to help people turn their goals and dreams into real possibilities, strengthen communities, and fight for the issues that matter most to families — such as health care, employment and income security, and protection from financial abuse.

AARP leads positive social change and delivers value to members through advocacy, service, and information to make things better for society and play a positive role in communities of all kinds. AARP’s public policies serve as the foundation of our work to fight for people 50-plus and help equip them to live their best lives.

Q. What do you love about your job?

A. I have been at AARP for a long time but in different roles. Prior to joining the Office of Policy Development and Integration in 2007, I was a senior litigation attorney for more than 10 years for the AARP Foundation, writing amicus briefs in federal and state courts, including the U.S. Supreme Court. In addition, I served as counsel in class action cases involving Medicare, Medicaid, and long-term care facilities. In 2007, I came to my current department as the director for health and long term care issues, and in 2014 I became vice president of the department.

Working as a litigation attorney is very different from working on policy development. I really enjoyed both functions. The litigation work is often about narrowing the issues to resolve the dispute about the law in that particular case; while policy development allows for much more expansive thinking about what is possible, not just what is legally required. It is a different mindset but both are very interesting and challenging.

Q. What are the biggest challenges and opportunities facing AARP today?

A. AARP’s membership represents nearly 38 million Americans age 50 and over. Our members span four generations and reflect a wide range of attitudes, cultures, and lifestyles. A growing number of them work full- or part-time because they want to or must. They are business owners, entrepreneurs, teachers, caregivers, and community leaders. Some are at the peak of their earning years with comfortable standards of living, and others are living alone and struggling with minimal resources. AARP members have many of the same concerns as younger members of our society—particularly around financial security, health care, and the neighborhoods in which they live.

Our challenge is to reimagine the traditional model of aging and take advantage of the wisdom, experience, interests, and contributions that older Americans make to the social capital of the nation. We want an America where people 50-plus have access to the care, information, and services they need to lead healthier lives; have the financial resources and opportunities to match their longer life expectancy; and are seen as an integral and inspirational asset to society. We envision an America where bedrock programs like Social Security and Medicare remain strong for all older Americans, as well as their children and grandchildren.

Q. What AARP initiatives would you like to share with the Council?

A. The executive director of AARP, Jo Ann Jenkins, is taking on the challenge of reimagining the traditional model of aging. In her national bestselling book, Disrupt Aging, she suggests it’s time to redefine what it means to get older. She encourages us to re-think the negative stories we tell ourselves and each other about aging. The book chronicles Jo Ann’s journey as well as those of other fearless individuals working to change what it means to age in America. Disrupt Aging shows us how to embrace opportunity and change the way society looks at getting older.

In addition, AARP has a major campaign pressing the presidential candidates to Take A Stand – and lay out their plan to update Social Security so it’s financially sound with adequate benefits.

Relating to the Council’s work, AARP is extremely concerned by high and growing prescription drug costs. Older Americans use more prescription drugs than any other segment of the population—nearly two-thirds use three or more on a regular basis. AARP continues to advocate at the state and federal level to help reduce prescription drug spending while still maintaining appropriate patient access, and recently joined the Campaign for Sustainable Drug Pricing, a broad coalition working to lower drug costs. In addition, AARP’s Public Policy Institute produces an Rx Price Watch Report that tracks price changes among over 600 widely used prescription drugs. One recent report found that the average annual cost for one widely used specialty drug reached more than $53,000 per year in 2013.

Q. What does AARP value about membership in NCL’s Health Advisory Council?

A. Bringing the consumer perspective of individuals who are 50 and older to the Council.

For example, AARP is active in promoting and supporting consumers to play a more active role in their health and health care decision-making. Greater consumer involvement can be an important component to achieving a health care system aimed at better care, better health, and lower costs (referred to as the Triple Aim). The Health Advisory Council, bringing together a wide range of organizations, experts, and stakeholders, provides an excellent opportunity to highlight new ideas and approaches and stimulate thinking around new solutions in this area.


Hilary Hansen

Director of Alliance Development, Merck

Q. What is your role at Merck?

A. I am the director of alliance development at Merck in our Federal Policy and Government Relations office. In this role, I serve as the Merck liaison to patient groups and third party stakeholders on federal policy-related issues.

Q. What would you like Council members to know about Merck?

A. Merck is an innovative, global health care leader that is committed to improving health and well-being around the world. Our core product categories include diabetes, cancer, vaccines, and infectious disease. We continue to focus our research on conditions that represent some of today’s most significant health challenges – like cancer, Hepatitis C, cardio-metabolic disease, antibiotic-resistant infections, and Alzheimer’s disease, and we are on the front lines in the fight against emerging global pandemics, such as Ebola. We also devote extensive time and energy to increasing access to medicines and vaccines through far-reaching programs that donate and deliver our products to the people who need them around the world.

Q. Tell us about some of your current initiatives.

A. Merck has a long tradition of discovering, developing, and delivering treatments to address the most urgent medical needs of patients around the globe. For example, in response to the Ebola crisis that started in 2014, Merck joined with the international health community in efforts to eliminate the Ebola outbreak and put necessary steps in place to help prevent another. In late 2014, Merck licensed from NewLink Genetics Corporation a promising vaccine candidate to prevent Ebola Zaire virus. Merck is now collaborating with others to advance this vaccine candidate to licensure as quickly as possible. It is currently being evaluated in Phase 1, 2, and 3 clinical studies in sites across the world, including three ongoing large-scale Phase 2/3 studies. If the vaccine candidate is licensed, Merck will use our manufacturing capacity and considerable experience with the technology to work with stakeholders to make it available rapidly and effectively to the population at risk. In December 2015, Merck announced that the application for Emergency Use Assessment and Listing (EUAL) for the investigational vaccine has been accepted for review by the World Health Organization (WHO).

Q. What is Merck doing to change the way people think about and approach health care?

A. Merck collaborates with leading health care organizations to develop innovative health solutions and support for patients and their caregivers. Our consumer website, MerckEngage.com, offers ideas and tools to help people make healthy choices, have better conversations with their health care providers, and stay on track with treatments. We have joined with multiple stakeholder organizations to address the serious public health problem of medication non-adherence, and we support the development of improved evidence-based interventions that can lead to improved adherence. For example, Merck’s outcomes research led to the development of the Adherence Estimator®, a one-minute, evidence-based assessment tool that can help health care providers identify patients at risk for non-adherence.

Q. What do you value about membership in NCL’s Health Advisory Council?

A. The Health Advisory Council is a wonderful opportunity for Merck to engage and partner with a diverse group of organizations on important issues relating to health policy. We look forward to continuing our participation in the Council to help create better consumer education and empowerment and on health-related policy.

Q. Tell us about some of your partnerships.

A. Merck has been a long-standing supporter of NCL’s Script Your Future campaign. We have been very pleased with the collaboration, as we believe in the power of community-based education and awareness-building of the importance of medication adherence. Merck is also collaborating with the National Council on Patient Information and Education (NCPIE) to develop American Medical Association-approved training for medical students and residents around communication and adherence intervention strategies that meet the new Liaison Committee on Medical Education guidelines for communications training.

Health Advisory Council Newsletter | 2016 Q2


In case you missed it!

On May 24, NCL hosted the Second Annual Health Advisory Council Spring Membership Meeting, featuring Dr. Kathy Hudson, Deputy Director for Science, Outreach, and Policy at the National Institutes of Health. The meeting minutes are available here.

In Q2 2016, NCL and Council members have been active on many fronts. Please read on for NCL policy updates, Q&A’s with two members, updates, and more.

NCL Health Policy at Work


Click here for more NCL health policy updates. 

Member spotlight

Get to know two Health Advisory Council members – AARP and Merck – with new Q&A’s

Updates on member programs

Consumer Healthcare Products Association 
In June, the Know Your Dose campaign will celebrate its fifth anniversary. The campaign is recognizing this milestone by a) highlighting the progress that has been made over the past five years in increasing acetaminophen awareness and b) by recognizing the Acetaminophen Awareness Coalition, advisors, partners, and industry leaders for their hard work and leadership on this issue. Take a moment to view a celebratory video recognizing campaign efforts, and don’t forget to follow @KnowYourDose on Twitter.

The Up and Away Campaign is recognizing National Safety Month in June. As part of this national educational rally, the campaign has developed a digital toolkit that campaign partners will disseminate to their constituencies. In addition, the campaign has partnered with the National Safety Council on an audio news release featuring both Deborah Hersman, CEO of the National Safety Council, and Dr. Dan Budnitz, director of the Medication Safety Program at the Centers for Disease Control and Prevention.

Next month the foundation will be presenting its poster “Consumers see the importance of medication disposal but don’t know or seek information about proper methods” at the One Health Conference on Pharmaceuticals & Personal Care Products in Alabama. The poster details how self-care and the use of over-the-counter (OTC) medicines is an indispensable element of healthcare in America. It also outlines how disposing of medicines from the home is an important consideration for those whose medications have expired, or for those who no longer need the medications they have previously acquired.

Bradi Granger, Duke University – Medication Adherence Alliance
The Medication Adherence Alliance is composed of key experts in the field of medication adherence including representatives from consumer advocacy groups, providers, the academic community, government officials, and industry representatives. Key goals and activities of the Alliance include setting and implementing a coordinated medication adherence research agenda, as well as evaluating current and novel interventions that aim to improve medication adherence. Visit our website for more information. 

National Association of Nurse Practitioners in Women’s Health
The National Association of Nurse Practitioners in Women’s Health (NPWH) is pleased to announce that we are partnering with the American College of Obstetricians and Gynecologists (ACOG), the American Academy of Family Physicians (AAFP), and the American College of Physicians (ACP) to update the Women’s Preventive Services Guidelines and to develop new recommendations to enhance women’s overall healthcare. NPWH is proud to be a partner with ACOG, AAFP, and ACP for the purpose of reviewing and updating the HRSA-supported Women’s Preventive Services Guidelines. Please read the complete press release here.

NPWH is also hosting its annual Women’s Sexual Health Course for NPs in San Diego, CA, June 23-26, 2016 and the 19th Annual Premier Women’s Healthcare Conference in New Orleans, LA, September 28-October 1, 2016. NPWH will also hold its first Summit on Women’s Health After 50 on October 26, 2016. The goal is to make healthy aging for women over 50 top-of-mind for health care advocates and policy makers.

National Council on Patient Information and Education (NCPIE)
The National Council on Patient Information and Education (NCPIE) created the Adherence Action Agenda (also known as the A3 Project) in 2013. NCPIE organized a diverse stakeholder group known as the project advisory team to assist with development of the A3 Project. The home page of the A3 site features a short video about the A3 project and NCPIE’s focus on patients with multiple chronic conditions (MCCs) and the downloadable referenced report: “Accelerating Progress in Prescription Medicine Adherence: The Adherence Action Agenda – A National Action Plan,” with key Priorities for Action that NCPIE continues to address individually and collaboratively. Most recently, this includes:

  • Advocating for and securing approval from the Liaison Committee for Medical Education (LCME) for the inclusion of medicine adherence as a measure for the accreditation process for medical education programs effective as of the 2015-2016 academic year.
  • In collaboration with the American Medical Association (AMA), NCPIE is developing content for a training module focused on Medication Adherence for residents under the AMA educational program, Introduction to the Practice of Medicine (IPM). The adherence module will be disseminated by IPM/AMA to more than 5,000 institutions with a reach of 20,000 medical residents in time for inclusion in the residency training library for the 2016-2017 academic year. 

NCPIE’s Talk Before You Take program continues to reach consumers and healthcare providers with news articles and by participating in healthcare provider national conference exhibit programs during the spring and summer, including the American Pharmacists Association (APhA), American Association of Nurse Practitioners (AANP), and the American Association of Colleges of Pharmacy (AACP). This national education campaign and its foundational research were developed through a multi-year grant provided by the FDA’s Center for Drug Evaluation and Research to encourage and improve communications between healthcare providers (HCPs) and patients about their medicines. Through the completion of a quantitative web-based survey, Knowledge, Attitudes & Behaviors Concerning Risk & Safety Information of Medicines: A Survey of Patients and HCPs in the U.S., NCPIE assessed patients’ reported receipt, understanding, use, and preferences for information about their medicines – with a parallel assessment of HCPs – to ascertain gaps/disconnects and opportunities to stimulate and improve patient-healthcare provider communication to maximize the benefits and minimize potential risks of prescribed medications. Here is a link to a recent NewsUSA MAT article: 10 Questions to Ask About the Medicines You Take. NCPIE has other articles and downloads suitable for both healthcare professionals and consumer audiences. Please contact Deborah Davidson at ddavidson@ncpie.info for more information.

National Partnership for Women and Families
Supporting Informed Decision-Making in the Health Insurance Marketplace: A Progress Report for 2016 – The new study looks at the tools that were available during the third open enrollment period to consumers who were window shopping on HealthCare.gov, which is used in 38 states, and on the 13 state-based marketplace websites. It found encouraging improvements in the consumer-friendliness of marketplace websites and offers specific recommendations for administrators as they work to further improve the health plan shopping experience and help individuals and families find the plan that is right for them.

Consumer MACRA Materials. The National Partnership is leading efforts to ensure that the implementation of MACRA reflects consumer priorities in key aspects of the law, including in how alternative payment models are defined, criteria for patient-centered medical homes, the robust use of health information technology, and patient and family engagement throughout health system transformation. Check out this webpage for National Partnership resources related to MACRA implementation: www.nationalpartnership.org/macra

Save the Date! NCL’s 2016 Trumpeter Awards

We hope you will join us on September 21 for NCL’s Trumpeter Awards Dinner, recognizing leaders in consumer and worker rights. This year, NCL is pleased to present the Trumpeter Award to Illinois Attorney General Lisa Madigan. NCL will also present the Florence Kelley Consumer Leadership Award to Karen Peltz Strauss, Deputy Bureau Chief, Consumer and Governmental Affairs Bureau, FCC, and California State Senator Dr. Richard Pan. Dr. Pan has promoted transparency and accountability in health programs and has worked to abolish the discriminatory medical history and pre-existing condition clause. Last September, he participated in NCL’s Script Your Future conference in Sacramento, where he spoke about the challenges and barriers to medication adherence. Dr. Pan was instrumental in the passage of Senate Bill 277, which eliminated the personal belief exemption for parents who choose to opt their child out of school vaccine requirements. NCL has long supported vaccinations because of the extremely safe and effective protection they provide to children and adults. NCL also works to fight misinformation about vaccines.

Join us in honoring the work of Dr. Pan and this year’s other awardees! Learn more about the 2016 Trumpeter Awards Dinner and how to participate this year here or contact Amy Sonderman at amys@nclnet.org or (202) 207-2829. 

We want to hear from you!

Online members-only discussion board – We encourage you to take advantage of the online members-only communications portal, where members may share news, suggestions, and ideas directly with each other. We will be sending additional information/engagement opportunities about the portal in coming weeks.

To log on:

  1. Go to https://nclnet.org/hac_forum
  2. Follow the instructions for creating an account under the “Create an Account” option.
  3. Once you are logged in, you may view the discussion page and submit new discussions or respond to others. The members-only forum is only visible to people who have been given access privileges.

Fall Policy Forum – NCL is planning a Fall Forum on Access to Healthcare, and we welcome your ideas or suggestions! Please feel free to contact Karin Bolte (karinb@nclnet.org) or Amy Sonderman (amys@nclnet.org).

_______________

National Consumers League
Published June 22, 2016

The #DataInsecurity Digest | Issue 23

Issue 23 | June 22, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Data security woes have reached the C-suite at the FTC and the heart of the presidential campaign. FTC Chief Technologist Lorrie Cranor became a victim of identity theft when her mobile phone account got hijacked. Cranor’s ID fraud problems are putting the spotlight on “SIM switch” scams, one way that hackers are looking to defeat increasingly common two-factor authentication technology. In other news, the Democratic National Committee’s opposition research file on Donald Trump was stolen, reportedly by Russian hackers, possibly an explanation for Clinton’s recent tough talk on cybersecurity. Meanwhile, it appears that web publishing platform VerticalScope may be the victim of a breach resulting in 40 million passwords from 1,100+ websites getting dumped onto the dark web, which occurred while the Internet is still reeling from the aftershocks of the record-setting breaches at MySpace, LinkedIn, and Tumblr. Hackers have wasted no time in using those compromised credentials and consumers’ tendency to re-use passwords to attack accounts at sites like GitHub. The news isn’t all bad, however. Two of the biggest spammers out there, including Sanford “Spam King” Wallace, are facing the music thanks to law enforcement crackdowns.

And now, on to the clips!

—————–

FTC Chief Technologist’s identity stolen through phone hijacking. When you’re in charge of advising the FTC Chairwoman about technology policy, the assumption is that you’re going to be better protected against identity fraud than the average person. Unfortunately, as FTC Chief Technologist Lorrie Cranor recently found out, no one is immune. Her description of how her mobile phone account was hijacked is riveting for data security geeks. Writes @lorrietweet, “[A] few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.” Fortunately for us, Cranor used the opportunity as a teachable moment on how industry can work to help users avoid this form of identity fraud. She writes, “[T]he security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.”

Cranor also warns that “SIM switch” attacks are gaining popularity. Another way that fraudsters are getting around carrier security measures is with the “SIM switch” scam. Cranor used her phone hijacking story to warn about this as well. “Thieves first purchase the victim’s bank account info or acquire it through a phishing attack,” wrote Cranor. “They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.” (Source: FTC and Ars Technica)

Will hackers beat two-factor authentication with “SIM reset?” Any data security geek worth their salt (including yours truly) will tell you that turning on two-factor authentication is one of the best ways to protect your accounts. However, as racial justice activist DeRay Mckesson found out, it’s not foolproof. Writes @kateconger, “…Mckesson became the most recent example of a high-profile account breach this morning, when his Twitter account suddenly began tweeting endorsements for Donald Trump. … After regaining control of his Twitter account, Mckesson explained that the hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.” (Source: TechCrunch)

Clinton says she’ll be “absolutely focused” on cybersecurity after DNC breach. Data security has increasingly made headlines in the presidential race, but not in the way one might think. Back in December, there was the kerfuffle over “Datagate” for the Bernie Sanders campaign. Then there are ongoing questions about the security of Secretary Clinton’s private email server. Those two instances could be trumped (pardon the pun) by the developing news about Russian hackers’ breach of the Democratic National Committee. Records compromised reportedly included the DNC’s opposition file on Donald Trump. @nakashimae reports, “[T]he depth of the penetration reflects the skill and determination of the United States’ top cyber-adversary as Russia goes after strategic targets, from the White House and State Department to political campaign organizations. This episode seems to have attracted the attention of Democratic nominee Hillary Clinton who stated in response to the hack that, ‘cybersecurity will be an issue that I will be absolutely focused on as president.’” (Source: New York Times)

Ohlhausen urges developers to put security ahead of rush to market. Last week, FTC Commissioner Ohlhausen kicked off the latest edition of the FTC’s “Start With Security” event series in Chicago with strong advice for developers more interested in shipping code than securing it: “Test your software and ensure you don’t leave consumers vulnerable to attack.” The event brought together experts from across the field to provide businesses with practical tips and strategies for implementing effective data security. (Source: FTC)

Ponemon: Average breach cost up to $4 million; even more for healthcare providers. Rising breach costs are nothing new, but for industries like healthcare, the news is much worse. In the last year, the average cost of a data breach rose from $3.74 million to $4 million, according to a new report from IBM Security and the Ponemon Institute. @noyesk reports, “This year’s data uncovered a 64 percent increase in reported security incidents between 2014 and 2015. … In highly regulated industries like healthcare, the damage is even worse, reaching $355 per record.” The report faulted poor preparation for breaches as a major avoidable source of the high cost and highlighted that 70 percent of security executives do not have an incident response plan in place. (Source: CSO and IBM)

LexisNexis study finds that U.S. card issuers lose $10.9 billion a year to fraud. The study also found that fraudulent credit cards were the primary culprit behind 71 percent of all card fraud. The author of the study, Michael C. Smith, cautioned that although the financial industry is continuing to roll out EMV chip technology that makes card fraud more difficult, other types, such as application fraud, may proliferate. “With the window closing on easily replicable magstripe cards, we forecast a shift and bump in identity schemes—characterized by the use of synthetic identities and the misuse of true identities.” (Source: Payment Source)

Morgan Stanley pays $1 million for failing to protect consumer information. The banking giant is just the latest in a string of financial service providers that have been in hot water over their data security (or lack thereof). Earlier this month, the U.S. Securities and Exchange Commission (SEC) settled with Morgan Stanley for an incident where 730,000 accounts were hacked and put up for sale online. “[G]iven the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” said Andrew Ceresney, director of the SEC’s Enforcement Division. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.” (Source: SEC)

Breach du jour: 40 million passwords from 1,100 different sites. Motherboard’s @lorenzoFB reports that 1,100 websites, ranging from Autoguide.com to Techsupportforum.com, are the latest victims of breaches that may have resulted in 40 million passwords being compromised. If the initial numbers are correct, it would be one of the largest password dumps yet. Speculation about the source of the breach points to a possible vulnerability in VerticalScope, a digital platform that all 1,100 compromised sites apparently relied on. “Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” wrote LeakedSource. (Source: Motherboard)

Compromised passwords used to target GitHub accounts. When 642 million passwords from sites like Myspace, LinkedIn, and Tumblr get dumped, there is bound to be some fallout at other websites amongst users who are guilty of reusing their passwords. This week, the repository hosting service GitHub became the latest victim of password dumping fallout. @thepacketrat reports, “On June 14, someone using what appears to have been a list of email addresses and passwords obtained from the breach of ‘other online services’ made a massive number of login attempts to GitHub’s repository service. A review of logins by GitHub’s administrators found that the attacker had gained access to a number of accounts.” (Source: Ars Technica)

Krebs: Number of Wendy’s restaurants affected by breach “significantly higher” than originally thought. Shortly after Wendy’s acknowledged a credit card breach that allegedly affected fewer than 300 of the fast food chain’s 5,800 locations, a number of fraud experts began complaining to @briankrebs: “…There was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.” Krebs also received complaints that Wendy’s credit card fraud problems continued well after the five percent estimate came out, suggesting that the breach may not be contained. (Source: KrebsonSecurity)

Think Facebook Messenger is secure? Think again. A vulnerability recently uncovered in Facebook’s chat function and its popular Messenger app could allow hackers to alter old messages previously sent by Facebook users. As @wirelesswench reports, the vulnerability could allow attackers to “manipulate message history as part of fraud campaigns, changing the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms … the vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it.” (Source: Infosecurity)

“Spam King” sentenced to 2.5 years in prison. Sanford Wallace, infamous for sending more than 700,000 spam messages through MySpace and 27 million through Facebook, has been ordered to pay $310,000 in restitution and has been sentenced to 2.5 years in prison. When he gets out, he’ll still be on the hook for $1 billion in damages levied against him in civil suits by MySpace and Facebook, reports @cfarivar. (Source: Ars Technica)

In other spam news, FBI raids spammer’s house. It appears that infamous spam artist Michael A. Persaud’s time as a free man may be coming to an end. @briankrebs explains that although no charges in relation to this investigation have yet been brought, the “FBI asked for and was granted a warrant to search Persaud’s iCloud account, which investigators believe contained ‘evidence of illegal spamming’ and wire fraud to further [Persaud’s] spamming activities.” (Source: KrebsonSecurity)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

The #DataInsecurity Digest | Issue 22

Issue 22 | June 8, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: In this era of #DataInsecurity, it is perhaps not a surprise that SEC Chair Mary Jo White recently described cybersecurity as the greatest threat to our finance system. White’s comments are especially prescient given the record-setting mega-breach at Myspace, which reportedly resulted in 360 million account credentials being put up for sale on the dark web. Another big breach this week occurred at the popular dating site Badoo, resulting in 127 million passwords being compromised. To make matters worse, mega-breaches are apparently causing breach “aftershocks,” as hackers take advantage of password reuse to hack other sites. For example, significant numbers of Teamviewer and Dropbox accounts were hacked using compromised login information from previous breaches. Both Mark Zuckerberg’s and Katy Perry’s Twitter accounts were briefly hacked, most likely with previously breached passwords.

And now, on to the clips!

—————– 

SEC: Cybersecurity is the biggest risk to the financial system. U.S. Securities and Exchange Commission (SEC) Chair Mary Jo White described the finance industry as unprepared for the great risks it faces. White recently told @reuters that the SEC has “found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced.” White also stated that, “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks.” (Source: Reuters)

Hacker Peace strikes again: 360 million Myspace records for sale on the dark web. Remember that Myspace account you tended to religiously back in 2006? If you never got around to deleting it (or even if you did), your old account’s credentials could be coming back to bite you. Peace, the same hacker that sold 167 million LinkedIn records on the web last week, is behind possibly the largest password and username breach in history. Users who created their Myspace accounts prior to the website’s 2013 relaunch are believed to have had their usernames, passwords, and email addresses compromised. Writes @lorenzofb, “The passwords were originally ‘hashed’ with the SHA1 algorithm, which is known to be weak and easy to crack. … LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month.” In response to the breach, Myspace has invalidated all user passwords that have been affected. Affected users will be required to authenticate their account and change their password upon logging in. (Source: Motherboard and Myspace)

Check out Fraud.org for official info on the Myspace breach. When big breaches make news, phishing attacks that seek to capitalize on public fear about the breach are never far behind. These phishing attacks often take the form of fake data breach notification emails. To help fight back, NCL’s Fraud.org is offering a new “Latest Breaches” resource about specific breaches, including links to official info, when available, from the breached entities. Check it out here.

Badoo hacked? 127 million dating site accounts may be compromised. @Josephfcox reports that many sources are claiming that Badoo, a popular British dating site with 300 million users, has had 127 million users’ info – including email addresses, dates of birth, and passwords – compromised. Details of the breach are still murky. Badoo has denied that such a breach took place, stating that “Badoo has not been hacked and our user records/accounts are secure. We monitor our security constantly, and take extreme measures to protect our user base. We were made aware of an alleged data breach, which upon a thorough investigation into our system, we can confirm did not take place.” However, writes @Josephfcox, “[U]sers can’t rely on waiting for a hack to go public, or for a company to acknowledge it. With that in mind, users should be thinking proactively, and taking steps to protect all their online accounts, even if one site they use does happen to be breached. One way of doing that is with a password manager, which generates strong, unique passwords and stores them either locally or online.” (Source: Motherboard)

Grindr hack reveals user’s exact location. Three researchers at @KyotoU_News have found a way to determine a user’s exact location in the popular gay social networking app, Grindr, even when the privacy setting that hides a user’s location is turned on. The researchers warned that their hacking tactic could be replicated on similar dating sites such as Hornet, Jack’d, and Tinder. Notes @a_greenberg, “Grindr and Jack’d both fail to encrypt data that reveals the user is running the app by name, leaving that sensitive data open to any snoop on the same Wi-Fi network. Grindr, according to their paper, fails to even encrypt the photos it transmits to and from phones.” One researcher, Nguyen Phong Hoang, cited the possible safety ramifications such a breach could have in the LGBTQ community stating that, “In Islamic countries or in Russia, it can be very serious that their information is leaked like that.” (Source: Wired)

EU data protection chief advocates for “right to encrypt.” @wirelesswench reports on European Data Protection Supervisor Giovanni Buttarelli’s recent condemnation of backdoors and his call for stronger cybersecurity infrastructure: “‘Backdoors are not the solution to cybersecurity; they would be a new and dangerous part of the problem,’ said Buttarelli. ‘What we need instead is to reinforce the global infrastructure, not to weaken it, to ensure that not only citizens but governments also are secure against attacks. … A trojan horse or built-in vulnerability in all smartphones, tablets and PCs would allow collection and retention of personal information on a much greater scale than ever before. It would set a precedent for the emerging Internet of Things where a whole range of everyday devices and objects will be connected.’” (Source: Infosecurity)

On a related note… Apple doubles down on encryption fight. In the wake of Apple’s high-profile clash with the FBI over encryption, the tech giant appears to be doubling down on its encryption stance with its recent rehire of renowned encryption expert Jon Callas. Apple would not comment on what role Callas would play at the organization, but if his previous projects at Apple are any indication (he designed Apple’s encryption systems), it will most likely be to strengthen Apple’s defenses against backdoors. (Source: Reuters)

Twelve percent of Bank CEOs are not sure whether they have been hacked. In the midst of news about the epic $81 million Bank of Bangladesh cyber heist and the call by world finance leaders for financial entities to beef up their cybersecurity, a new and disturbing @KPMG survey found that 12 percent of banking CEOs were not sure if they were hacked in the last two years. Perhaps more disturbing, the survey also found that, “The lack of awareness only grows when compared to the next level of executives. Approximately 47 percent of banking executive vice presidents and managing directors reported that they didn’t know if their bank had been hacked, and 72 percent of senior vice presidents and directors stated that they didn’t know.” (Source: PR Newswire)

Majority of Americans would choose improved security over better Internet speed. In light of the numerous record-setting breaches, the findings of a @SecureAuth survey are perhaps not that surprising. It is, however, concerning that the same survey found that 15 percent of Americans gave their Social Security numbers out over public Wi-Fi, suggesting that more educational efforts are needed. (Source: Secure Auth)

Dropbox: The breach that never was. Earlier this week, reports surfaced that Dropbox, the Internet file sharing/storing service, was the latest victim of a breach. This, however, turned out not to be the case; reports now suggest that this breach was the result of hackers using stolen Tumblr passwords (Tumblr was the subject of an earlier breach) to gain access to Dropbox. @briankrebs took this opportunity to remind us that, in the era of mega-breaches, aftershocks may occur as hackers use breached information to gain access to other sites and that “re-using passwords across multiple sites that may hold personal information about you is an extremely bad idea. If you’re guilty of this apparently common practice, please change that.” (Source: KrebsonSecurity)

TeamViewer “hacked,” not “breached.” This week, reports surfaced that TeamViewer, the service that allows IT workers and consumers to control their computers from remote locations, was hacked as several users reported having their computers taken over and their PayPal and bank accounts drained. In an interview with @dangoodin001, TeamViewer denied that a breach occurred: “The vast majority of the cases that we see have to do with there being a lot of data breaches lately, and whenever we’re pointed to potential TeamViewer account abuses, we check internally to determine what we can see. And in virtually every case we see that the passwords and account credentials have been used elsewhere.” (Source: Ars Technica)

More LinkedIn fallout: Zuckerberg’s Twitter and Pinterest accounts hacked. The hacker “OurMine Team” briefly took over Facebook chief Mark Zuckerberg’s dormant accounts, apparently using information garnered from the LinkedIn password dump. The password, “dadada,” lacked the security features one would expect from the co-founder of Facebook. (Source: Ars Technica)

Katy Perry’s Twitter gets hacked, used to troll Taylor Swift. Pop star @katyperry, owner of the largest following on Twitter, was hacked last week. The hacker appeared anxious to mend the famous rift between @taylorswift13 and Katy Perry by tweeting “Miss u baby @TaylorSwift13,” before launching into a diatribe of ethnic and homophobic slurs. It may be a safe bet that in the future, Perry will turn on multi-factor authentication for her social media accounts. (Source: Telegraph and NBCNews)

Thousands of NFL player medical records stolen. A laptop containing the unencrypted medical records of thousands of NFL players and combine participants – 13 years’ worth – was recently stolen from an NFL employee. @barryap1 predicted that this breach will most likely open the NFL up to long and costly litigation, which the U.S. Department of Health and Human Services has vigorously pursued (particularly when data was stored on an unencrypted laptop) in the past. (Source: Deadspin)

Upcoming events

June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published June 8, 2016

Health Advisory Council May 24, 2016 meeting minutes

Welcome and overview
Sally Greenberg, NCL executive director

Sally Greenberg welcomed the attendees to the Second Annual Spring Membership meeting of the Health Advisory Council. Sally thanked the members of the Council for their support, engagement, and enthusiasm. She then had the pleasure of introducing distinguished speaker Dr. Kathy Hudson, deputy director for science, outreach, and policy at the National Institutes of Health. 

Special guest speaker
Kathy Hudson, Ph.D., deputy director for science, outreach, and policy, National Institutes of Health

Dr. Kathy Hudson provided overviews of both the Precision Medicine and National Cancer Moonshot Initiatives and answered questions from Council members.

The Precision Medicine Initiative (PMI) Cohort Program will be the largest longitudinal study ever conducted in the United States and will unlock the door to a wealth of scientific opportunities. The PMI shifts away from the “one-size-fits-all” approach to treating disease and integrates environmental exposures and genetic factors into the development of 21st Century solutions.

The National Cancer Moonshot Initiative is a program established by President Obama to accelerate cancer research. Led by Vice President Biden, the Initiative aims to make more therapies available to more patients, while also improving our ability to prevent cancer and detect it at an early stage. Immediately following the Health Advisory Council meeting, Vice President Biden announced the National Cancer Moonshot Summit, which will take place on June 29 at Howard University. The Summit will bring together scientists, oncologists, donors, and patients and will be the first cancer conference to focus on the broad spectrum of cancers, rather than on one particular form of the disease.

National Consumers League’s health program priorities
Karin Bolte, NCL health policy director

Karin Bolte gave an overview of NCL’s health programs and policy priorities. NCL carries out its health policy work through research, education, advocacy, and convening. NCL’s key priorities are:

  • Safe and appropriate use of medicines, including medication adherence, vaccines, counterfeit drugs, and 21st Century Cures/Innovation for Healthier Americans
  • Helping consumers to navigate the health care system, including improving healthcare provider-patient communication, promoting health literacy, and improving healthcare transparency—on price, quality, and safety.  
  • Quality of care, including ensuring that consumer-friendly quality measures are developed, and that there is subsequent reporting by healthcare providers and institutions on compliance with measures and standards, and that patient-centered outcomes are emphasized. 

Information sharing from Health Advisory Council Members

Following the overview of NCL’s health programs, Health Advisory Council Members had the opportunity to share updates on their programs, priorities, and initiatives. Below is a brief summary of member updates.

Kimberly Rawlings, Center for Drug Evaluation and Research, Food and Drug Administration (FDA) — Kimberly Rawlings reported that CDER’s priorities include reducing abuse of opioid painkillers, drafting pharmacy compounding guidance documents, and the reauthorization of PDUFA, GDUFA, and the Biosimilar User Fee Act (BsUFA). Kim also encouraged Council members to listen to CDER Director Dr. Janet Woodcock’s Director’s Corner quarterly podcasts on a number of topics.   

Kimberly Thomas, Office of Women’s Health, Food and Drug Administration (FDA) — The Office of Women’s Health is continuing its consumer outreach and research to help women make informed health choices. This past January, in conjunction with the NIH, the FDA launched the Diverse Women in Clinical Trials Initiative to raise awareness about the importance of diverse women of different ages, races, ethnic backgrounds, and health conditions participating in clinical trials. The OWH is also working to educate women about safe medication use during pregnancy.   

Alicia Subasinghe, Pharmaceutical Research and Manufacturers of America (PhRMA) — Alicia Subasinghe highlighted a number of PhRMA’s priorities, including PDUFA and GDUFA reauthorization. PhRMA is also encouraging the use of biomarkers and patient engagement as a whole and continues to be active in the conversation on value and patient-centeredness. Alicia explicitly mentioned a desire to reduce regulatory barriers that may prevent patients from getting the best care possible. Consumer education and empowerment, particularly regarding health coverage and health plans, is also a priority for PhRMA.

Dorothy Siemon, AARP — Dorothy Siemon identified cost and access, transparency, and consumer engagement as priorities of AARP. As older people tend to take more drugs, promoting comparative effectiveness and figuring out ways to help older populations better understand the healthcare system is of high importance.

Nelufar Mohajeri, U.S. Pharmacopeia (USP) — Nelufar Mohajeri discussed USP’s Verified Program for dietary supplements, as well as a recent roundtable on gummy dietary supplements. USP is also assessing the feasibility of a standard for medical marijuana, developing sterile compounding and handling of hazardous materials standards, and addressing medication labeling and nomenclature issues. USP is engaged in efforts to combat counterfeit drugs and is modernizing 1,600 monographs through public comment.

Jeffrey Ekoma, American Association of Colleges of Pharmacy (AACP) — Jeffrey discussed AACP’s continued dedication to professional and graduate education and identified the reauthorization of the Higher Education Act and creating pipelines for middle and high school students who have an interest in pharmacy as AACP priorities. Interprofessional education is also a priority of AACP, as well as innovations in health.

Rob Nauman, North Carolina Alliance for Healthy Communities — Rob Nauman explained the expansion of the Script Your Future campaign from a pilot city in Raleigh-Durham to a North Carolina-statewide coalition. He also touched on the importance of leveraging the wealth of information from HAC member organizations and disseminating it to communities.

Gay Johnson/Lilly Pinto, National Association of Nurse Practitioners in Women’s Health (NPWH) — NPWH is currently working to address the lack of women’s health providers in military facilities, as well as addressing the lack of services for rape, sexual assault, and harassment victims on college campuses and in the military. Gay also announced that NPWH will be hosting a Women’s Health Summit in the fall to raise awareness about older women and their access to care.

Jillanne Schulte, American Society of Health-System Pharmacists (ASHP) — One of ASHP’s main priorities is working to have pharmacists recognized as medical providers. ASHP is also working on opioids, substance abuse and misuse, antimicrobial and antibiotic resistance, and compounding. Jillanne also announced ASHP’s summer meeting, which will be held in Baltimore, and their Midyear Clinical Meeting, which will be held in December in Las Vegas.

Bri Morris, National Community Pharmacists Association (NCPA) — Bri Morris reported that there are currently 1.6 million people enrolled in Simplify My Meds, NCPA’s medication adherence program. NCPA will continue to help community pharmacists provide quality care to their patients, and work towards achieving provider status for pharmacists. 

Colleen Creighton, Consumer Healthcare Products Association (CHPA) — CHPA continues to promote the safe use, storage, and disposal of drugs through the Know Your Dose and Up and Away campaigns. Both campaigns have had a significant impact on consumers, with 22 million impressions for the Up and Away campaign in this year alone. CHPA continues to utilize the messaging toolkits sent by the CDC and recently did a materials and messaging push during Poison Prevention Week. The next safe storage push will be in June, which is National Safety Month.

Katie Allen, Horizon Government Affairs — Katie Allen highlighted the various coalitions that Horizon runs, including the Council for Affordable Health Coverage, Prescriptions for a Healthy America, and Clear Choices. Katie announced that Horizon will launch a new campaign, Prescriptions for Value on Drug Pricing, this summer. The purpose of this coalition is to convene all stakeholders to participate in the discussion about drug pricing. The pharmaceutical industry is particularly encouraged to participate as an integral part of the conversation.

Lee Lynch, Lynch Advocacy Solutions, LLC — Lee Lynch discussed effective care coordination and medication adherence through the Medicare Advantage Care Coordination (MACC) Task Force. She also discussed the importance of innovations in Medicaid and bringing awareness to specific issues including preterm labor and behavioral health.

Karl Uhlendorf, Astellas — Karl Uhlendorf highlighted a few of Astellas’ priorities, including PDUFA, MACRA, the Part D Demonstration Project, 21st Century Cures, and continuing the value-based framework discussion. This April, Astellas hosted its second annual Patient Advocacy Summit, which focused on patient-centeredness, quality measures, how to incorporate the patient voice in the value discussion, and best practices for the patient advocacy community. Karl also announced the launch of Astellas’ new interactive, patient-focused website, Changing Tomorrow Together, as well as their Patient Advocacy Advisory Committee, which currently has 13 members.

Aimee Gallagher, Society for Women’s Health Research (SWHR) — Aimee Gallagher announced that the SWHR will release a report in August on the top 10 topics relevant to women living with diabetes. In October at the University of Colorado, SWHR will sponsor a conference focused on women’s health, diabetes, and cardiovascular disease. Aimee also mentioned a few of SWHR’s upcoming projects that will tackle issues such as perinatal health, oral health, and ingredient safety.

Erin Mackay, National Partnership for Women and Families (NPWF) — NPWF is currently focused on MACRA and the shift from volume-based to value-based care. Erin also discussed NPWF’s Get My Health Data campaign, which promotes patient access and supports patients in asking for and receiving their digital health data. 

Mara Gandal-Powers, National Women’s Law Center (NWLC) — Mara identified reproductive rights and access to coverage of abortion and birth control as priorities of the National Women’s Law Center. Mara also called attention to coverher.org, which is a NWLC resource for women who may still be paying out-of-pocket for their preventive services.

Lindsay Clarke, Alliance for Aging Research (AAR) — Lindsay Clarke announced that the Alliance for Aging Research will be celebrating its 30th anniversary this September. The AAR will continue to work on issues that impact older populations, including safe medication selection, use, storage, and disposal, vaccine education, and stroke prevention.

Deborah Davidson, National Council on Patient Information and Education (NCPIE) — NCPIE will continue to work with SAMHSA on prescription drug abuse prevention and awareness, and with the FDA on the Talk Before You Take campaign. NCPIE also completed a consumer health project with Pfizer last year on self-care. Deborah discussed the campus dialogues NCPIE sponsored at colleges across the country. Each dialogue focused on a particular student population, such as Asian or Native American students. The reports from these dialogues will be released soon. 

Michele Oshman, Eli Lilly and Company — Michele Oshman said that exploring the burden of care and determining the challenges facing everyday people across the healthcare spectrum is of particular interest to Lilly. Lilly also hosts quarterly Dialogues on Discovery events, and recently hosted one on value models.

Grace Whiting, National Alliance for Caregiving — Grace Whiting announced that the National Alliance for Caregiving will release a White Paper on cancer caregiving on June 20.

Closing remarks
Karin Bolte

Karin Bolte thanked the Health Advisory Council Members for attending and for their continued support of NCL. She asked members to send her topic and speaker recommendations for NCL’s Fall Policy Forum on Access to Healthcare.


The #DataInsecurity Digest | Issue 21

Issue 21 | May 25, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: LinkedIn’s data breach woes won’t die. The company’s 2012 breach was apparently much worse than previously thought: 167 million account credentials worse. Former FDIC Chair Sheila Bair was apparently among the dozen or so senior officials at the banking agency whose personal information was disclosed, thanks to an “advanced persistent threat” that attacked 90 workstations at the FDIC.

Staffers on the Hill may have a harder time checking their personal email after the House IT department cut off access to Yahoo! Mail in response to a widespread ransomware attack on Congressional computers. If there’s a ransomware problem on the Senate side of Congress, Senators Graham and Whitehouse are on the case. Their hearing last week was intended to highlight the harm that ransomware causes to businesses and consumers, and to highlight efforts to beef up law enforcement’s anti-ransomware abilities. The FTC will also be taking up the ransomware fight on September 7, when it focuses on the problem as part of its Fall Technology Series.

With all this persistent bad news on the data security front, is it any surprise that the NTIA found that one in two Internet users admitted they changed their online activity out of concerns for their privacy and security?

And now, on to the clips!

—————– 

The plot thickens: 167 million LinkedIn records for sale on the dark web. LinkedIn has announced that the 2012 breach that compromised 6.5 million login credentials is now much more extensive than they originally believed. The hacked information actually includes 167 million LinkedIn account credentials, 117 million of which contain both user emails and passwords. It is not clear whether the 167 million LinkedIn accounts include or are in addition to the original 6.5 million login credentials that were compromised by the same hack in 2012. News of the breach surfaced when the hacker Peace began selling the 167 million accounts for 5 bitcoins, or somewhere in the neighborhood of $2,300. (Source: Motherboard and PCWorld)

Check out Fraud.org for official info on the LinkedIn breach. When big breaches make news, phishing attacks that seek to capitalize on public fear about the breach are never far behind. These phishing attacks often take the form of fake data breach notification emails. To help fight back, NCL’s Fraud.org campaign’s “Latest Breaches” website is where you can find dependable information about particular breaches, including links to official info, when available, from the breached entities. Check it out here.

One in two consumers changing the way they use the Internet due to privacy and security concerns. @kansasalps has the scoop on a new 41,000-household survey from the National Telecommunications and Information Administration (NTIA), which shows that half of Americans report withholding from “doing basic things online—such as posting to social networks, expressing opinions in forums or even buying things from websites due to privacy and security concerns.” The disheartening report gives voice to the many who have been stating that #DataInsecurity is harming consumer confidence, and that action must be taken to protect individuals’ privacy and digital commerce. (Source: Washington Post)

Former FDIC head’s computer hacked. Former FDIC Chair Sheila Bair is believed to be a victim, along with 11 other FDIC executives, of a cyber attack that infiltrated more than 90 FDIC servers and computers, writes @JoeDavidsonWP. According to a recently disclosed 2013 report from the FDIC Office of Inspector General, cyber attacks in 2010 and 2011 penetrated the FDIC and “ultimately allowed the creation of valid administrator accounts providing full access.” The breach constituted an “advanced persistent threat … penetrated over 90 workstations or servers” according to the report. (Source: Washington Post)

Senate hearing takes aim at ransomware. It is “hard to overstate” the impact of ransomware on victims, said Department of Justice (DOJ) Acting Deputy Assistant Attorney General Richard Downing at last week’s Senate Judiciary Crime and Terrorism Subcommittee’s hearing on ransomware. The hearing brought together victims of ransomware attacks and industry to discuss threats and potential solutions—primarily Senator Lindsey Graham (R-SC), Senator Sheldon Whitehouse (D-RI), and Senator Richard Blumenthal’s (D-CT) new bill, the Botnet Prevention Act of 2016, which aims to hinder cyber criminal ransomware operations by granting law enforcement expanded powers. (Source: SC Magazine)

House of Representatives’ ransomware attack causes Yahoo! Mail to be banned from House computers. Last week, reports surfaced that a ransomware attack occurred on a House computer via an email received through a third-party email application such as Yahoo! Mail. House IT was able to contain the ransomware’s spread; however, as a result of the attack, the House Information Security Office announced that it “will be blocking access to Yahoo! Mail on the House Network until further notice.” Writes @kateconger: “if a representative’s data was ransomed, it’s not clear whether the ransom would be paid[.]” (Source: TechCrunch)

Teen dating site’s private messages not so private. Up until recently, the predominantly underage users of the popular teen dating site OurTeenNetwork had much of their private data viewable to the public due to an easily exploitable programming error, writes @lorenzoofb. The data included private messages, real names, and email addresses. The site’s administrator, Mora Lopez, explained that such an obvious flaw existed in the system by writing that she “built the site in haste[.]” (Source: Motherboard)

Private information of China’s most prominent leaders posted on Twitter to protest China’s lack of privacy protections. The Twitter user @shenfenzheng, a gray hat hacker who clearly has qualms with China’s anti-privacy policies, has released the personal information of dozens of China’s richest and most powerful citizens, including Jack Ma of Alibaba, in protest of the country’s lack of personal privacy protections. The breached data includes addresses, marital status, educational level, and national identification numbers (which contain citizens’ birthdates and hometowns). Writes @pekingmike, “[T]he goal of @shenfenzheng appears to be to draw attention to the illegal selling of personal information in China, a widespread practice. Private investigators can buy troves of personal data to obtain information on companies or individuals.” (Source: New York Times)

89 percent of healthcare organizations experienced data breaches last year. More depressing news in the healthcare data security space as The Ponemon Institute released its Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. The study found that cyber attacks on healthcare organizations were again the leading cause of data breaches and that 50 percent of data breaches were the result of criminal activity. The report cited user error and stolen computers as the primary culprit for the other half of data breaches, and ransomware as the newest threat of 2016. (Source: PRNewswire)

“We can neither confirm nor deny…” whether the government is listening to your conversations through your Amazon Echo. That is the unsettling response that Gizmodo writer @paleofuture received from the FBI in response to a Freedom of Information Act request filed to determine whether the FBI has ever used an Amazon Echo in its wiretapping operations. (Source: Gizmodo)

Leaked account information used to steal $12.7 million from ATMs across Japan. On the morning of May 15, counterfeit credit cards that utilized account information from a previous South African bank data breach were used to steal 1.4 billion yen from roughly 14,000 ATMs across Japan. The theft took place over a timespan of less than two hours, and Japanese authorities believe that 100+ individuals participated in the coordinated withdrawals. Preliminary evidence suggests that 1,600 credit cards were compromised. (Source: The Mainichi)

Employees viewed as not being knowledgeable about their company’s security risks. Only 35 percent of employees say that understanding how security risks and breaches affect their company is a priority for senior management, according to a new survey, which also found that 60 percent of companies believe their employees are not knowledgeable enough about the security threats they face. It appears that there is some miscommunication occurring between management and labor, one that must be fixed if we want to see the #1 cause of data breaches, employee error, decline. (Source: PR Newswire)

Sticks and stones may break our bones, but data breaches hurt us most. When given the choice, 18 percent of Americans would prefer to have their bones broken than have their payment information stolen. According to the same survey, conducted by Harris Poll, 12 percent would also prefer to be cheated on by their significant other than have their financial information compromised. (Source: icrunchdataNews)

Upcoming events

June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published May 25, 2016