When Security Compliance Creates More Problems

None of us has been spared the incessant nagging website popups that force you to accept that the site is using cookies. You can thank the GDPR rules for this addition to life’s little annoyances. Whatever the merit of the privacy transparency these notices attempt, the real problem is that they open an additional security hole, which makes these cookie monster popups a net step backwards for web privacy and security.

Because surprise, surprise – web publishers who aren’t careful are allowing their users to get hit with malware:

https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html

After GDPR was enacted, many website owners were looking for an easy way to implement the changes to be GDPR compliant. Some webmasters turned to services that offered to display a cookie consent notice on their website through a simple JavaScript add-on.

Unfortunately, many website owners do not check the code they are adding to the website. This is a prime opportunity for hackers to trick website owners into adding the malicious code onto their own website. It’s possible that, initially, the code was benign and that the hackers were just waiting for a large number of websites to add it so they could modify the code and infect all of the websites at once.

So, in the attempt to give users control over their privacy, this compliance process actually opens users up to all sorts of privacy compromises through any sort of malware injection you can think of.
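Subresource Integrity (SRI) is one way a publisher can pin the third-party script it actually reviewed, so that a later, silent change on the vendor's server is refused by the browser instead of running on every site that embedded it. The following is an added example, not code from the original post or the Sucuri article; the script bytes are constructed samples and the vendor URL is a hypothetical placeholder.

```python
"""Pin a third-party (e.g. cookie-consent) script with SRI and detect drift.

If the vendor changes the file after review, browsers that support SRI refuse
to execute it, and a periodic re-fetch lets the publisher notice the change.
"""
import base64
import hashlib

# Constructed sample: the consent script as it looked when it was reviewed.
REVIEWED_SCRIPT = (
    b"document.body.insertAdjacentHTML('beforeend',"
    b" '<div id=cc>This site uses cookies</div>');\n"
)
# Constructed sample: the same script after an unreviewed change. Even a
# one-byte difference must fail the check; SRI is byte-exact by design.
MODIFIED_SCRIPT = REVIEWED_SCRIPT.replace(b"uses cookies", b"uses cookies.")


def sri_digest(script: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI token for the bytes, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    raw = hashlib.new(algorithm, script).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def script_tag(src: str, script: bytes) -> str:
    """Build the <script> tag that pins `script` to its reviewed digest.

    crossorigin="anonymous" is required for SRI on a cross-origin script;
    without it the browser cannot verify the response and will block it.
    """
    return (f'<script src="{src}" integrity="{sri_digest(script)}" '
            f'crossorigin="anonymous"></script>')


def matches_pin(pinned: str, fetched: bytes) -> bool:
    """Monitoring check: does the script currently served still match the pin?"""
    algorithm = pinned.split("-", 1)[0]
    return sri_digest(fetched, algorithm) == pinned


if __name__ == "__main__":
    # Hypothetical vendor URL (.example is reserved); use the real one.
    print(script_tag("https://consent-vendor.example/cc.js", REVIEWED_SCRIPT))
    pin = sri_digest(REVIEWED_SCRIPT)
    print("unchanged script matches pin:", matches_pin(pin, REVIEWED_SCRIPT))
    print("silently modified script matches pin:", matches_pin(pin, MODIFIED_SCRIPT))
```

A pinned tag also fails when the vendor ships a legitimate update, which is the intended trade-off: the publisher re-reviews the new file and re-pins it. SRI does not cover further scripts that the pinned script itself loads at runtime.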

Add Some HIPAA to This Mess

Or take the recent example of a very large insurance company’s new app, which allows users to scan documents and upload them into an online beneficiary portal. The problem is that the images must be saved locally and then uploaded back to the app. That means very sensitive PHI (social security numbers, signatures, etc.) now sits on the customer’s device, leaving them vulnerable not only to device theft but to any malware that can scan local image directories and (with a touch of AI, why not?) surreptitiously upload the sensitive PHI scans from the infected device to third-party servers.

Protect Your Business Against Its Protectors

Whatever side of the GDPR fence you sit on, making sure that only clean code goes on your site is important. Whether you love or loathe the idea of HIPAA, making sure your health practice’s HIPAA compliance efforts themselves aren’t creating PHI vulnerabilities is critical.

Small business owners obviously must navigate the currents in this ever-changing regulatory compliance environment. It would be wise to handle these compliance processes carefully. GDPR cookie popups can be managed properly if you take the time to see how they work on your site. Your practice can make sensitive PHI scanning work in a ‘best practice’ HIPAA compliant manner with a little foresight and planning.

SMBs should expect more regulatory compliance management issues in the next 12-24 months, as large government regulations roll out and aspects of them are amended. Additionally, a fast-changing cloud infrastructure means SMBs will have better authorization tools that, while requiring some initial investment, should allow them to steer productively through the currently churning seas of privacy and security business compliance.

 
