Some cybersecurity experts are asking if new types of federal oversight are needed to prevent the growing number of HIPAA violations due to hacking. In 2020, Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 “with user privacy and security central to the design,” according to Google.1 The company’s COVID-19 contact tracing app, however, reportedly had a significant security flaw, and individuals who used the app are suing Google for violating their privacy.
Google and Apple launched the Exposure Notifications System (ENS) to help combat the spread of the coronavirus. With this system, the Bluetooth function alerts nearby individuals to potential exposure to COVID-19. It was unveiled on April 10, 2020, and became available on May 20, 2020. It was added to Android devices via a Google Play Services update. The ENS has been adopted in more than half the states and has millions of users.
Individuals who used California’s public health COVID-19 contact tracing app have filed a lawsuit against Google claiming the app exposed their data and violated privacy laws. “Google is not the only tech giant to face court action for perceived violations of privacy laws and exposing data of their users,” said Maya Levine, a technical marketing engineer for cloud security at Check Point Software. The real cost for these companies, according to Levine, is not just money or loss of public trust but mounting evidence calling for a shift in regulation.
Many devices are Bluetooth enabled, so companies and individuals need to be aware that Bluetooth functionality can be compromised because of what has been dubbed “BlueBorne” vulnerabilities, Levine said. It is widely and wrongly believed that Bluetooth cannot be intercepted and that a hack always requires some sort of user interaction. “The BlueBorne vulnerabilities proved both assumptions wrong, as merely having Bluetooth on a device switched on renders it vulnerable to an attack,” Levine said.
Most people leave Bluetooth switched on constantly, but they should shift to enabling it only when needed. This is easier said than done, however, and unlikely to be widely adopted. “For example, many headphones nowadays are Bluetooth enabled. Are people willing to not listen to music at all in high risk zones such as airports or public transit centers? I think what is important here is to educate both individuals and companies of the risks and allow them to make informed decisions,” Levine said.
European countries have changed laws to place responsibility for users’ data on the tech companies and to levy heavy fines for irresponsible practices, she said. “These tech companies have operated largely unregulated for a length of time,” Levine said. “I believe that this free rein is quickly coming to an end. Hopefully, more regulations and a more watchful eye over this industry will lead these companies to increase their investments in security.”
This article originally appeared on Renal and Urology News