The CyberPHIx Roundup: Industry News & Trends, 1/13/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • The House passed an amendment to the HITECH Act that provides OCR enforcement safe harbors for adoption of security best practices including NIST and HITRUST
  • OCR guidance issued for HIEs and disclosures of PHI to public health authorities during the pandemic
  • NSA cybersecurity advisory about cloud attack techniques that are successfully bypassing standard access controls
  • A new FBI ransomware advisory for the DopplePaymer ransomware strain
  • NSA’s guidance for addressing attacks targeting outdated encryption protocols including SSL and TLS
  • NIST released a cybersecurity standard for PACS and radiology systems
  • The latest updates on the groundbreaking SolarWinds attack and related recommendations for healthcare entities

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, a quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. This is our first episode of 2021, and we're excited to catch you up on all of the healthcare cybersecurity and compliance activity that took place over the holiday break and the early part of this year. In addition to this roundup, be sure to check out our Resource Center on meditologyservices.com, which includes CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have a lot of ground to cover today, so let's dive in.

Brian Selfridge: [00:00:53] The House passed a bill that would amend the HITECH Act to provide safe harbors for health care entities that adopt industry security best practices and standards like NIST and HITRUST. The House Energy and Commerce Committee seeks to amend HITECH to require the Department of Health and Human Services to recognize whether or not cybersecurity best practices have been adopted by covered entities and business associates.

Brian Selfridge: [00:01:15] Now, this is really, really important for us. For a long time there's been discussion about, if you're doing the right things from a security perspective, will you have any sort of better standing with OCR in the event of a breach or regulatory enforcement activity? And for the longest time, that hasn't necessarily been the case. You're either compliant or you're not. And that is still certainly the situation with respect to the HIPAA Security Rule and HIPAA Privacy Rule. But if this bill gets passed, now, a reminder, it's in the House to start and got passed there, and it's been passed over to the Senate, but OCR would need to consider, if it gets passed, when they look at their financial penalties for organizations that have been non-compliant, if in the last 12 months that organization has been doing the right things from a security standpoint. So that would be inclusive of things like adopting and complying with the NIST Cybersecurity Framework (CSF) or the HITRUST Common Security Framework (CSF), both of which are named in the bill as relevant standards that would provide either safe harbor relative to the financial penalties or favorable termination of an audit or early termination of an audit if those things are in place and well orchestrated and run. Now, this is not finalized yet. As I mentioned, it went to the Senate on December 19th. So we have to wait to see if this gets passed in the agenda for the 2021 Senate, although precedent says there's a fairly high likelihood that it will pass given the bipartisan support for cybersecurity bills in recent months and years. Now, Meditology is also a HITRUST assessor organization. We do risk assessments based on the HITRUST and the NIST Cybersecurity Framework and help build programs based on the NIST Cybersecurity Framework and also provide the same for HITRUST CSF related initiatives, including HITRUST certification.

Brian Selfridge: [00:03:01] So if you want to get ahead of this and start building your safe harbor protection defensibility, you can reach out to us and we can help you get aligned with these standards and be able to demonstrate that you are doing the right thing and hopefully reduce those potential opportunities for financial penalties and other OCR related activity. It's not a cure all, but it certainly would help you position yourself very well in the event of a potential breach and regulatory follow up.

Brian Selfridge: [00:03:32] HHS and OCR have been busy otherwise this year. Toward the end of last year, OCR issued guidance for health information exchanges around disclosures of patient information, particularly to public health authorities during the Covid pandemic. So in normal circumstances, HIEs function as a business associate of covered entities, health systems and hospitals predominantly, as well as the payers, and they have to follow disclosure rules outlined in those business associate agreements consistent with the Privacy Rule. And so those, under regular circumstances, would be in play, and that would be sort of the guiding principles for how HIEs engage with disclosing information to public health entities. But during the pandemic, there's an initiative here to try to ease the red tape and challenges with getting Covid test results and other related materials to public health entities, and using the HIEs, health information exchanges, and regional health information organizations, or RHIOs, to get that data directly to public health authorities. So with this guidance, OCR is indicating that it will relax enforcement requirements for HIEs that do not report disclosures of PHI to public health authorities during the Covid pandemic period. And I say report disclosures to the covered entity and to the health systems in most cases here. Now, these requirements and these exceptions will at some point expire when the Covid pandemic is over. But, you know, we expect to see this easing things up.

Brian Selfridge: [00:05:03] So, for example, let me just run through a scenario. If a lab provided a test result directly to an HIE, so let's say a lab like LabCorp or one of the big Quest Diagnostics or one of these big companies, if they provided that result to the HIE, which usually they will then sort of send it back to the health care provider. But at the same time, the HIE is now able to provide that data directly to public health authorities without sort of disclosing and waiting for permission, or running through any hoops with the health system to make sure that that can go to public health authorities. And so those test results would be able to directly go to the public health entities and then become part of the Covid test reporting, just as one scenario. So this is not all that different from current practice. There are exceptions for public health. So that's not new, but they're just being very clear that in this case they're going to reduce and relax the enforcement around this during this period. I think that helps and should ease the flow of information during this crisis period. Now, of course, you still need to limit the data that they're sharing with public health authorities to minimum necessary data. It's not like they can just sort of provide the entire record and everything going on through the flow into the public health. It's going to be specific to Covid testing and areas that are most important during the pandemic activity. So I just want to make sure that that's clear. Minimum necessary, very much still in play.

Brian Selfridge: [00:06:31] Switching gears from the regulatory activity and into cyber attacks and breaches and all the bad guys and what they've been up to over the last couple of weeks, the NSA has issued a cybersecurity advisory for cloud attack techniques currently in use by malicious actors. So I want to break down these attacks for you a little bit, as I think they're a very specific flavor, and some recommendations on what you can do to mitigate the attacks, as they're becoming higher profile and more prevalent and big impact to many health care entities. So in order for the malicious actor to leverage these attacks, they must have already gained access to the target network. So they got on your internal network one way or another. That could be commonly done through phishing attacks or other low level attacks. It's fairly, I would say, fairly straightforward for a bad guy to get basic network level access, and then they escalate their access internally on the network. Again, a common path. And they use the trusted network that they're now currently on, so your network in this case, to bypass authentication controls, taking advantage of single sign on and SAML tokens, which I'll explain what that is in a minute. But basically the trust that your network has between other networks, and particularly cloud hosting providers, that say, OK, if you're on this trusted network of your health care entity, you're then allowed to sort of automatically pass through some tollgates as if you're not on the external Internet, as if you're already sort of this trusted entity.

Brian Selfridge: [00:07:56] So they're leveraging that to get into cloud providers, especially email access. So we'll talk about that in a second. They're also using the VMware Access and Identity Manager vulnerabilities that were widely reported in use by the Russian attackers late last year and are now being exploited more broadly, according to the NSA's information, which we can assume is valid and accurate. In another variation of the attack, attackers will compromise your global administrator account, which is basically the domain administrator account for those in a Microsoft Windows environment, and they'll get access to Microsoft Active Directory Federation Services, or ADFS, that allows cloud services and dictates which cloud services can automatically pass through access to which other cloud services. Think of single sign on there as sort of a parallel idea. And what they do is they get access to sort of the rules engine that controls what you can get to, and they'll then allow themselves to automatically gain access to your Microsoft Office 365 email, for example, if you already have access to other cloud resources or network access. So it kind of creates this automatic pass through. Whereas otherwise, if they're trying to break into Microsoft Office 365 directly, kind of through the front door, so to speak, there's a lot of other protections and monitoring and issues where they would get caught or blocked or otherwise. But by sort of coming in through the side channel, they can leverage that trusted access and then gain access to email that way. And, you know, that's particularly problematic because there isn't as much monitoring and things like that of trusted network to trusted network traffic. So it would be less likely that anybody would even see that this is suspicious or malicious activity. So it's kind of like instead of going in the front door to your secure location, they're kind of, you know, driving a car into the garage and then coming in through the garage door, if that's a fair analogy.

Brian Selfridge: [00:09:54] So what do we do about it? NSA recommends that you follow Microsoft's published Federation and SAML Guidance. Now, let's also not forget that the entry point for this may be multiple. It could be phishing attacks, but it could also be, for example, the SolarWinds attack that we saw late last year. I'm going to talk about that at the end of this session to catch you up on that if you're not up to speed. But there's many ways they could gain initial network access and then allow them to escalate into these attacks, a trusted network to trusted network activity. So generally, you should assume that a malicious actor can gain access to your internal network remotely. That's not a far fetched scenario. And for those of us that do penetration testing and network testing, it's fairly straightforward for us to get that initial level of access.

Brian Selfridge: [00:10:39] Some other recommendations provided by the NSA: they say harden your Microsoft Azure authentication and authorization configurations, review all tenant apps and credentials. So that's sort of that cloud to cloud access. What do those access rules look like? Are they overly broad, or are they locked down sufficiently? And then follow Microsoft guidance for ADFS, deploy multifactor authentication. Of course, we hear that over and over again for lots of reasons. They recommend hardening on premises servers and systems, which is pretty much standard guidance. Right. Patch, put in your endpoint protections, defense in depth, all that good stuff which we don't have time to go into. But you all know what to do there. And you should also be conducting routine penetration tests. This is my guidance, not the NSA's, to identify entry and escalation points in your network. So those phishing attacks and the SolarWinds. A test will help you figure out what those look like specifically for your environment and close them up. It's also a good idea to instruct your pen testing team, whether you do it internally or if you use a third party like Meditology, to ask them to specifically test these cloud access rules. How can you get to ADFS command and control? Can you change the rules, or what rules are in place? Can I leap from one cloud hosted environment over to my Microsoft Office 365 email, for example? And what do those federated identity scenarios look like? And have your testers test that out and find out if you do have any exposures.

Brian Selfridge: [00:12:09] If you don't, great, you sleep better at night, but if you do, you can close those up pretty quickly and take advantage of addressing this attack that the NSA is now saying is in the wild and happening frequently. The NSA has also released a free tool called Sparrow, which is, while it's released by the CIA technically, for detecting unusual and potentially malicious activity in Microsoft Azure and Office 365 environments. So if you want to get a handle on that tool, contact me or our team here at Meditology and we can get that over to you and get you the link and make sure you have those free tools from the federal government. I say use them, take them. Why not?

Brian Selfridge: [00:12:46] Now, on the heels of the FBI's large imminent threat alerts at the end of last year for ransomware, they issued another ransomware alert for a specific strain called DopplePaymer. And this is a different ransomware group than the Russian based attackers in the November imminent threat situation, where they were sort of going after 400 plus health systems all at once and all that good stuff. This is a different group of folks that are doing this particular ransomware. And I think it's important just to keep reminding ourselves that ransomware is not one actor.

Brian Selfridge: [00:13:18] Granted, the Russians have been very active, but it's not one group or one actor or one piece of malware. It's a whole series of bad actors, so to speak, that are using a wide variety of attacks and techniques and motives, although motives are predominantly financial, pretty much for everybody. So it's important just to keep that in mind as we look at these threats. Now, this particular threat, DopplePaymer, is being used by a group called Evil Corp, and I'm not making that up, Evil Corp, that was behind the Locky ransomware, if you remember that one from a little while back. And these are one of the first groups to actually start cold calling their victims with phone calls to pressure them into paying the ransom. And this is a tactic that then has been adopted by other groups since. They've even been as bold as to call individuals at home and call their relatives demanding payment. So these are really, really nasty and persistent folks that are looking to get their payment one way or another. Now, we've published extensive updates and guidance on preventing and dealing with ransomware attacks in the health care sector. So check out our webinar replay on this in particular from December, November of last year. We put out blogs. We've got other CyberPHIx podcasts, including the one that I have with the CEO of Children's Healthcare of Atlanta, where we really go through ransomware from top to bottom for health care entities and what to do about it.

Brian Selfridge: [00:14:31] So check all that out if you want to dive deeper into that topic. And that's all accessible from our Resource Center on meditologyservices.com. In other federal government advisory news, the NSA has also released guidance on addressing weak encryption across entities, inclusive of health care. Now, we still see, meaning Meditology still sees, many cases of health care entities maintaining outdated policies and implementations of old encryption standards. Now, it's not the majority of organizations that have these old encryption standards, but there's enough that it's causing us to pay attention and the NSA to pay attention. So it's always been technically possible for attackers to bypass encryption. Right. If you have really strong encryption standards and algorithms and you're using the latest stuff, that can take months or even years for high powered, expensive supercomputers to unscramble that data and break into it. And so it's much less likely that that's going to be feasible for most use cases. But attackers can easily bypass encryption that employs outdated algorithms, often in a matter of seconds or minutes. So it's essential for organizations to make sure their policies and their technologies are up to date. So this particular alert from the NSA references weak encryption for TLS and SSL encryption for encrypting data in transit over the network. So they note that outdated TLS and SSL provides a false sense of security because it looks like you are encrypting, right?

Brian Selfridge: [00:16:00] You put that little padlock and https at the top of your browser window and everything looks like it's secure. But if it's using an old algorithm, again, it's relatively trivial to bypass that encryption and decrypt it and gain access to that information in transit. So specifically, the NSA recommends transmissions use TLS 1.2 or 1.3 only. That's it. Anything else, all of the rest of the SSL versions, all other TLS versions, are recommended to be deprecated and upgraded to the latest TLS 1.2 and 1.3 standards. So it's probably a good idea to do an inventory of your SSL certs and your various places where you're using certificate based encryption and TLS and SSL, and get everything up to speed and see where you have gaps, based on the NSA calling this out. You should be doing this anyway, frankly. But now's as good a time as ever to give it a quick look, given this particular alert that this is being exploited in the wild.

Brian Selfridge: [00:16:57] In other federal government news, NIST has released a PACS standard, NIST SP 1800-24. For those that aren't familiar with that acronym, it's picture archiving and communication system. In other words, sort of radiology systems. Now, this has long been a problem for health care, where PACS environments are largely sort of a shadow type of function, where you have medical imaging systems that have their own sort of server ecosystem and structure, and they have their own endpoints for radiology reading rooms and other purposes.

Brian Selfridge: [00:17:32] And everything sort of comes from the vendor, sort of purpose built and installed on the health system's network in a way that is managed and configured differently than sort of every other standard workstation and server in the environment. And that sort of shadow environment, a sort of separate IT environment, creates its own challenges making sure those are secure. So this NIST PACS standard on the security aspect of this is really welcome. And very often I think organizations don't quite realize how much patient information is in those PACS images. So when we do penetration tests and other sort of assessments for health care entities, very often we find these large PACS images. So your X-rays and your other sort of imaging data, and you can use tools, the same tools that are used to read the images for the clinical care folks, to look at the metadata behind each of those images. And very often that metadata will have the patient information, their name, Social Security number, the medical record number, specific treatment and care information, all kinds of sensitive information that are embedded in those documents. So it's very important to pay attention to securing that data. And also with these PACS environments, they're often sort of built for ease of use for clinical purposes.

Brian Selfridge: [00:18:43] So I mentioned the reading rooms, other places where a lot of times you'll have a generic login to these workstations that's always on, the timeouts are disabled, so that clinicians and radiologists can just sort of walk in, load up the images and do what they have to do. So that can create sort of security lapses, as you might expect. And often, based on the nature of the PACS environment, they need to be on the organization's sort of flat network to communicate to many other systems in the environment, so they're not segmented or isolated or in their own sort of environment. So they sort of pose a risk to the larger environment generally. So the NIST publication is great. They issued draft guidance actually in late 2019 for PACS following some high profile breach activity, and the guidance is now final and includes standards for asset management, access controls, data security, monitoring, and incident response, planning and recovery. The standard also touches on cloud storage and risk management approaches for PACS environments specifically. So I think it's a good idea to run a quick assessment of your PACS environment against the new standard, given that you have this very sort of specific guidance, and you can do sort of a line by line review of where you may have risk exposures to the standard, identify low hanging fruit and other adjustments to make. And you can work with your PACS vendor or your internal team, wherever appropriate, to actually implement some upgrades to harden and tighten up the security around your PACS environments. So you can conduct an assessment in-house, or you can leverage a third party like Meditology, we do this stuff, or you can even tee this up for your internal audit teams as a topic for 2021, for those auditors that are still kind of building your audit plans out. This would be a good topic to throw in there.

Brian Selfridge: [00:20:27] Now, the last update for today is the last, but certainly not least, and we're going to keep it relatively short here, as this has been a longer than usual episode to catch up from the new year. But I want to talk about the SolarWinds attack. This is a groundbreaking cyberattack against the Texas based SolarWinds network solutions provider. This is well documented. We have a large blog post that goes line by line on what happened here. But I realized that we hadn't covered it in the CyberPHIx, so I just wanted to make sure this was on your radar. This is a very sophisticated supply chain attack where the Russian entities, which have been confirmed recently, that this is a Russian based attack, leveraged the third party SolarWinds and their network monitoring solution to gain access to the back end of that software, which is deployed in arguably a majority of health systems and health care entities in the country, as well as other entities like governments and other targets, where they gained the sort of command and control of that environment and then pushed out malware through the upgrade platform of SolarWinds to create a back door into the environment.

Brian Selfridge: [00:21:34] So remember, we talked a moment ago about, you know, what it takes to get an initial entry point to the network? This is a classic case where it just drops them on your network and allows them to then escalate privileges and go and attack other parts of the organization once they're on the network. Now, this is a very sophisticated attack and one that has taken a long time in planning and execution and has resulted in some major breaches of big companies, Microsoft, the federal government, FireEye, VMware, just to name a few. And the list goes on. Hundreds of entities have been impacted, probably the biggest cybersecurity breach events in recent memory. And so there's guidance that we've put out on what health care entities can do to respond to this, including sort of upgrading and patching or decommissioning their SolarWinds platform, the Orion software in particular it's called, setting up monitoring around this, addressing access controls and administrative stuff. So, again, I don't really have time to go into the line by line, so check out our blog on this in addressing your near-term objectives with securing this SolarWinds attack, but also your overall third party risk and supply chain risk management practices. We have lots of guidance on that through Meditology Services, as well as our sister company, CORL Technologies (CORL - vendorsecurityrm.com), that specializes in this.

Brian Selfridge: [00:22:58] That's all for this session of the CyberPHIx healthcare security roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long and thanks for everything you do to keep our health care systems and organizations safe.