- Details
- Category: Security News
Cyber attackers are not just more sophisticated and more persistent than ever before. They also are greedier, says IBM Security's Limor Kessem, who shares insight on the latest fraud threats to UK banking institutions.
Kessem, a globally-respected cybersecurity evangelist for IBM Security, details how this greediness manifests in the latest attacks.
"There's an intense focus on the highest-value accounts at the banks [being targeted]," Kessem says. "Hefty bank accounts are so interesting now to cyber criminals that they monitor them in their botnet control panels. They literally can pull balances from the accounts directly to their dashboards, and then they filter out the top targets, and then apply a more advanced attack scenario against those accounts."
And it's not only high-value customers, but also high-profile bank executives who are being targeted, Kessem says.
Banking Trojans such as Dridex and web injections created by the Neverquest development team are predominant, and at their peak these exploits can attain up to 5,000 infections per day in the UK alone.
How are attackers reaching their victims? Through multiple vectors, which include website redirection attacks, ransomware and social engineering - the latter of which fuels many of the most successful fraud schemes.
"The human factor is becoming increasingly important everywhere," Kessem says, discussing how institutions can improve their defenses. "Educate your top customers; make sure that businesses are very well aware of the risks, and recommend new processes that will make it much harder for criminals to trick employees with something like business email compromise."
In an interview about top fraud threats to UK banking institutions, Kessem discusses:
- The raw impact of malware-fueled fraud schemes;
- Specific observations of redirection attacks, ransomware and other schemes;
- What institutions can do to improve detection and response.

Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned speaker and a regular blogger on the cutting-edge IBM Security Intelligence blog. She comes to IBM from organizations such as RSA Security's research labs. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. She covers the full spectrum of digital crime trends affecting consumers, corporations and the financial industry as a whole.
Robert Schwentker, president, Blockchain University

Will the Federal Reserve support the use of cryptocurrency and related blockchain technology to push the movement to faster payments?
That was a hot topic at Information Security Media Group's Fraud and Data Breach Prevention Summit in San Francisco last week.
Summit speaker Robert Schwentker, co-founder and president of Blockchain University, raised eyebrows at the summit when he referred to a theoretical cryptocurrency called Fedcoin.
Proposed by David Andolfatto, vice president of the Federal Reserve Bank of St. Louis, Fedcoin would be a fixed-rate cryptocurrency issued by the Fed. Built on a bitcoin-like anonymous communal algorithm, Fedcoin could be used to facilitate faster payments in the U.S. via blockchain technology, the distributed database behind bitcoin and other cryptocurrencies.
"Fedcoin could offer a way for the Fed to move away from paper currency ... and there could be a real test of it in 2017," Schwentker said.
Next month, the Fed will accept proposals for technologies that can help the U.S. market implement faster, near real-time payments. And some of those proposals likely will leverage blockchain technology.
But naysayers contend that blockchain could never support the volume of payments we have in the United States and that it's far from a cure-all for the many payments woes we face (Could Blockchain Play Broader Role in Payments?).
The Fed's View
Nevertheless, Jon Jeswald, vice president and payments strategy executive at the Federal Reserve Bank of San Francisco, noted during his summit presentation that the Fed is taking blockchain technology seriously. And he acknowledged that the Fed expects several proposals coming from the private sector for faster payments to be blockchain-based.
But he stopped short of saying the Fed supports the use of blockchain in the move to faster payments. "I won't say that we are leaning toward blockchain," Jeswald told me.
The Fed's Faster Payments Task Force is asking the private sector to submit technology proposals for review between April 1 and 15. The Fed will review these proposals to identify shortcomings and potential technology gaps that could prevent the U.S. from migrating to faster payments, Jeswald explains.
"The Fed is not going to promote one solution over another," he says. "We just want to evaluate these solutions, so that we can identify gaps that we will publish in a report in March of next year."
I'll be covering all the latest developments in the move toward faster payments in the months to come.
EMV Shift and Chargebacks
EMV, not surprisingly, was another hot topic at our summit. The growth in chargebacks to merchants since the October 2015 EMV liability shift got quite a bit of attention.
David Matthews, general counsel of the National Restaurant Association, which represents more than 500,000 restaurants, grabbed attention when he contended that quick-serve restaurants have not yet been given realistic options for EMV deployment. That's because EMV chip transactions take too long and slow down the drive-thru line.
What's more, he said restaurants that don't yet accept EMV transactions have been getting hit with an exorbitant number of chargebacks for fraud since the October 2015 EMV liability shift date.
"Chargebacks started significantly increasing in October and November and they keep going up," Matthews said. "We don't feel like the banks are investigating these fraudulent charges [to determine if they are legitimately fraudulent or just consumers disputing charges] and instead are just putting everything back on the merchant."
Last year, Matthews said his association was not recommending that quick-serve restaurants and smaller restaurants and chains make the investment in EMV. That's because the association did not believe the expense associated with fraud would outweigh the expense of investing in EMV.
But given the number of chargebacks that are hitting the restaurant industry, Matthews said the NRA is second-guessing that recommendation. "These chargebacks were just much higher than what we ever expected."
I suspect the EMV transition will be an even hotter topic next month at our summit in Miami, where we are likely to learn more about how merchants plan to address the significant upticks in chargebacks they are seeing.
Breach Response, Cybersecurity, Data Breach

Attorney Chris Pierson on How FTC Probes May Spur More Regulatory Oversight

Cybersecurity attorney Chris Pierson says recent Federal Trade Commission actions linked to data security and breach response could influence other governmental agencies.
The FTC has been imposing steeper penalties against companies that expose sensitive consumer information, such as payment card data. Plus, the commission recently requested that several qualified security assessors, or QSAs, provide details about the ways they assess compliance with the Payment Card Industry Data Security Standard (see Could FTC Play Bigger Role in Card Security?).
"What they're [the FTC] really trying to do is keep up with where things are heading," Pierson says during this video interview at Information Security Media Group's recent Fraud and Data Breach Summit in San Francisco.
In the interview, Pierson discusses:
- How the FTC's actions could impact other government agencies, such as the FCC, which also has a keen interest in ensuring consumer privacy;
- Steps companies should take now to ensure they are prepared for FTC scrutiny.

Pierson is general counsel and CISO for invoicing and electronic payments provider Viewpost. He also serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee. Before joining Viewpost, Pierson served as the first chief privacy officer for the Royal Bank of Scotland's U.S. banking operations, where he oversaw RBS's privacy and data protection program. He also formerly served as a corporate attorney at the law firm Lewis and Roca, where he established the firm's cybersecurity practice.
Breach Notification, Data Breach, HIPAA/HITECH
Congressman Considering Legislation to Clarify Reporting Requirements
Rep. Ted Lieu, D-Calif.

The recent surge in ransomware attacks on hospitals has at least one member of Congress contemplating whether HIPAA's breach notification requirements need to be clarified or updated to reflect the trend.
A cyberattack this week on 10-hospital MedStar Health, which may have involved ransomware, follows ransomware attacks that targeted Methodist Hospital in Kentucky, two California hospitals and Ottawa Hospital in Canada (see Hospital Ransomware Attacks Surge; So Now What?). Plus, Hollywood Presbyterian Medical Center in California grabbed headlines in February when it announced it paid extortionists a $17,000 bitcoin ransom to unlock its data.
"New cyber threats require Congress to vigilantly review and update the laws already on the books," says Rep. Ted Lieu, D-Calif., in a statement provided to Information Security Media Group. "As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem. I am actively exploring legislation to achieve that transparency."
Lieu also told news outlet Bloomberg on March 23, "Right now under federal law, there's no requirement that a hospital has to report they've suffered a ransomware attack."
HIPAA Provisions
But a spokesman for the Department of Health and Human Services' Office for Civil Rights says in a statement provided to ISMG that some such attacks already are reportable under HIPAA.
"Because it is considered to be a 'disclosure' if access has been provided, without regard to whether or not the information actually was accessed or viewed - and hackers using ransomware do have access to the data - an impermissible disclosure has occurred, and notification is presumably required unless a 'low probability of compromise' has been demonstrated," according to the statement. "And 'whether the [PHI] was actually acquired or viewed' is only one of the factors."
The spokesman added: "OCR investigates all reported breaches affecting 500 or more individuals, and may also initiate investigations based on news reports. These investigations may include situations involving ransomware. Further, OCR coordinates with the [HHS] internal cyber breach working group on cyber issues including ransomware, and on specific breaches due to ransomware attacks."
Ransomware was the subject of an OCR "cyber bulletin" in February, he notes (see OCR Cyber Awareness Effort: Will it Have an Impact?).
Impact on Patients?
Attorney Kirk Nahra of the law firm Wiley Rein LLP contends ransomware attacks don't merit having new regulations for breach notification.
"These attacks really are directed at different kinds of issues - in most situations - than those where [breach] notice makes sense," he says.
"Something like ransomware is a real problem for a hospital, because it makes their records inaccessible and unusable, but I'm not sure there's any particular purpose to notifying every patient who was ever at the hospital about that kind of incident," he says. "There's always a question of what the purpose of notice is. The original purpose of notice laws was in situations where an individual could reasonably take some action - like checking credit reports in the event of a breach involving Social Security numbers where there was a risk of identity theft. For these kinds of attacks, there's nothing for the individual to do, so it's not clear what the purpose of notice would be."
Surging Threat
The uptick in ransomware attacks affecting the healthcare sector started about two years ago, says David Finn, health IT officer at security vendor Symantec.
"We've certainly been seeing a huge resurgence of ransomware, particularly in healthcare," says Finn, who was recently named a member of HHS' new healthcare industry cybersecurity task force that is examining security challenges facing the sector.
"We see ransomware in countries that have stronger economies. Surprisingly, I've seen numbers that up to 40 percent of victims are paying ransoms," he says. "The fact that one hospital in a dire situation paid [a ransom] is sad, but it's indicative of a much larger problem, and I don't think it's going away as long as people can make money."
As for the types of ransomware infecting hospitals lately, "there are a number that are in the wild today, such as Cryptowall, CryptoLocker and Locky," says James Carder, CISO of security services vendor LogRhythm.
"Ransomware is freely available or can be purchased, making it even easier for criminals to access," he notes. "Outside of ransomware, you see other crime packs, exploit kits and tools used by various threat groups. Some of these are customized and others are basically 'off the shelf' or 'over the counter.' It depends on who the threat actor is and what that person wants to do to the healthcare organization - for example, maintain long-term presence or just hit the organization once."
Call to Action
Meanwhile, Sen. Lamar Alexander, R-Tenn., chairman of the Senate Committee on Health, Education, Labor and Pensions, said the attack on MedStar Health shows the need for the Department of Health and Human Services to immediately implement provisions of the Cybersecurity Information Sharing Act of 2015.
In a March 29 statement, the senator said: "The consequences of cyberattacks like yesterday's hacking at MedStar Health can be catastrophic for America's patients. Imagine an attack leaving doctors unable to access crucial information in a patient's health history or delaying a surgery for hours on end."
The cyber legislation, the senator notes, calls for HHS to "give hospitals and doctors clear information on the best ways to prevent a hack in the first place ... Yesterday's attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve."