The CyberPHIx Roundup: Industry News & Trends, 1/13/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Microsoft issues updates on the critical Apache Log4j vulnerability and active exploits
  • HR and payroll giant Kronos experiences weeks-long ransomware outage
  • EHR vendor QRS has been sued for insufficient cybersecurity protections in the wake of a major breach
  • Healthcare provider settles for $425,000 cybersecurity enforcement from NJ state attorney general
  • OCR issues guidance on Extreme Risk Protection Orders
  • HIPAA Privacy Rule and OCR enforcement changes due to come into effect in 2022
  • EHR giant Cerner is acquired by Oracle; implications for healthcare organizations
  • NIST launches new international cybersecurity and privacy resources website
  • Norton antivirus discovered to be pre-loaded with crypto mining software


Brian Selfridge: [00:00:11] Happy New Year and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. In addition to this roundup, be sure to check out our Resource Center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, along with blogs, webinars, articles, and lots of other educational material. We have some great updates to cover. It's the New Year. Let's dive into it, shall we?

Brian Selfridge: [00:00:45] Ok, while we were away for the holiday break, yet another massive supply chain breach hit the scene and is causing organizations to scramble to patch a critical security vulnerability with the Log4j utility. For those unfamiliar with this one, Log4j is a Java-based utility deployed in many applications and implementations, including the popular Apache Web Application platform. More specifically, Log4j is a Java library that logs and keeps a record of application events that can be used for debugging, troubleshooting, security, and other purposes. The vulnerability is rated critical by the U.S. Cybersecurity and Infrastructure Agency, or CISA as we know it, due to the wide deployment of the popular open-source library, you know, coupled with the relative ease of use of exploitation of this particular vulnerability. Now, a specially crafted code string can be sent to a vulnerable server and can allow attackers to gain full control over the target device and applications.

Brian Selfridge: [00:01:40] That's not good, in translation. So Microsoft just this past week warned organizations, through a blog post, that continued active exploitation of Log4j is underway in the New Year. So Microsoft has observed both nation state actors and commodity actors taking advantage of vulnerabilities and expects expanded use of the vulnerabilities in the near future. Microsoft also found that many existing attackers added the Log4j vulnerability exploits into their existing malware kits and tactics and techniques, which isn't surprising. The majority of observed attacks so far have consisted of mass scanning, establishing remote shells, red team activity and coin mining, according to Microsoft. I like how the remote shell and red team activity is just kind of casually mentioned. That basically means that it's game over, right, for administrative access to one or more of your systems in the environment that take advantage of this exploitation, which we know from experience usually means that attackers can elevate to administrative access across the entire network from that point very often and launch ransomware and other types of data exfiltration attacks and the like. So Microsoft recommends that customers do additional reviews of devices where vulnerable installations are discovered. And at this point, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments; that's the quote from the Microsoft folks. Now, from my experience, patching on-premises systems for Log4j seems to have largely been addressed at this point over the last several weeks.

Brian Selfridge: [00:03:11] Certainly, if you haven't done that yet, get on it. But the major risk exposure still remains for third-party vendors, business associates, and their subcontracting vendors or fourth parties. You know, I think that's where we're going to still see a lot of the exposure, and it's really hard to quantify that. So, for example, at Meditology's sister company, CORL Technologies, we run vendor risk programs for hundreds of healthcare entities, and we've had to deploy our SWAT team processes to identify vendors and their products that are vulnerable with Log4j. Vendors are being required to respond and demonstrate that they have not only scanned their systems, but that they have a plan in place to remediate any Log4j versions that remain unpatched. So I highly recommend your vendor risk management team does the same thing or something similar if you haven't already done so, as this vulnerability is just so easy to deploy and exploit for the malware actors that they're going to continue to pound away at systems looking for this particular weakness for years to come, for sure. You know, it becomes a standard check, at least for the bad guys that are trying to break in. Much like the EternalBlue Microsoft vulnerability, if folks remember that one from several years back now, which allows administrative access for attackers, and that is a gift that keeps on giving year over year for malware actors.

Brian Selfridge: [00:04:29] And still, to this day, that Microsoft EternalBlue still contributes to ransomware and hacking infections that we see routinely, despite years of having a patch available from Microsoft to plug it up. So I think Log4j is unfortunately headed down that path. So you've got to keep diligent on this one now and over time. If you don't, you can expect to see breaches that, you know, may not surface even now. They may surface a year or two from now based on the sort of precedent we've seen with other similar vulnerabilities. So get yourself patched if you haven't and check out your third parties.

Brian Selfridge: [00:05:01] Another major third party vendor breach occurred around the same time as Log4j, but I think got a bit overshadowed in some ways just given the magnitude of the Apache language issue. So that is the major downtime for the HR application Kronos. Kronos is widely deployed at healthcare providers and other companies for things like time tracking and payroll. It's often used to manage hourly workers like pool nurses and other workforce members, and those types of things in healthcare providers, just as an example, and it also has that little, sort of not so important issue of payroll and benefits that are provided by Kronos, right? I'm being facetious, of course.

Brian Selfridge: [00:05:41] Kronos was hit with ransomware and experienced service outages for weeks on their cloud-based solution. This kind of harkens back to a theme that we've been covering for weeks about the impact of business associate breaches for healthcare operations and finances. You know, it can get wildly costly and disruptive to be missing a core HR capability, you know, for weeks and perhaps months on end, including the ability to issue payroll for some organizations and, of course, time tracking that reverts back to manual processes or paper processes, as we've heard from some organizations. So that is mightily disruptive. Kronos announced that solutions using the Kronos private cloud are unavailable due to the ransomware attack that happened initially on December 11th, and so this serves as another reminder that these sort of turnkey, ease-of-deployment cloud-based solutions can definitely come at a cost when events like this arrive. The Kronos Private Cloud is described as a secure storage and server facility hosted at a third party data center or data centers. So in other words, it's not really cloud technology in the way we think of, you know, AWS and Google and those types of cloud solutions. It's basically just Kronos hosting your information in someone else's data center or their own data center. So be sure to look into this Kronos outage and breach if you haven't, and particularly if you use them and missed out on maybe evaluating this risk while you were scrambling to put out Log4j. So definitely pay attention to this one, if you haven't already.

Brian Selfridge: [00:07:10] In the continued theme of third party breaches, electronic health records vendor QRS has been sued for an August 2021 cyberattack that impacted almost three hundred and twenty thousand current and former patients. An unauthorized third party accessed one of the QRS dedicated patient portal servers and potentially acquired sensitive information, including Social Security numbers, patient ID numbers, portal usernames, names, addresses, birth dates and medical treatment information. So basically everything. The lawsuit argues that by entering into a HIPAA Business Associate Agreement, or BAA, with its clients, QRS knew or should have known that it was responsible for keeping the plaintiff's information safe from cyber attacks. This comes from an individual that's suing in this case, as a class action on behalf of all of the 320,000 patients. Of course, the lawsuit cites several cybersecurity measures outlined by the Cybersecurity Infrastructure Security Agency, or CISA, and the Microsoft Threat Protection Intelligence Team and says that QRS should have implemented all of these measures in order to prevent the ransomware attack. The plaintiff also reasoned that, you know, QRS should have taken extra precautions to protect PHI given the number of cyber attacks targeting the healthcare sector in recent years. So that's an interesting sort of line of logic happening with these lawsuits that, you know, there's certainly the HIPAA regulations and enforcement around that.

Brian Selfridge: [00:08:33] But there's also this kind of common sense course being taken. Like if you didn't know that healthcare was under attack, then you've had your head under a rock, kind of thing. And that's no excuse for not implementing industry-standard security protections, which is the case that they're making here. So in this case, like many other cyber breach lawsuits in recent months, the plaintiff is going to have to prove that they suffered some measurable harm, and the lawsuit goes into detail on how they think that harmed the individual: identity theft, protection, and loss of all that stuff. You know, some cases that have gone through these sort of class action things have proven that point and others have not. So we'll have to wait and see how this one plays out. In the meantime, if you and your legal counsel teams have not yet discussed or pulled together a playbook for dealing with class-action lawsuits, then you may be in for quite a scramble, as these cases are surfacing all over the place in the last year or so. So make sure you get those conversations going. Maybe even do some simulations and get some plans of attack ready to go on how you would handle a class action lawsuit, because they're coming fast and often.

Brian Selfridge: [00:09:36] In related news, a New Jersey healthcare provider organization paid four hundred and twenty five thousand dollars to settle enforcement cases related to two cybersecurity breaches that exposed sensitive patient information. The New York, I'm sorry, the New Jersey Attorney General Division of Consumer Affairs investigated and ultimately achieved a settlement agreement with the Regional Cancer Care Associates, or RCCA, which is the organization, or it's just a group of healthcare providers, that were impacted and being targeted by the breach and the subsequent regulatory enforcement. Now I have to pause here for a quick shout-out to all my state attorneys general, consumer protection agencies out there, and teams who have been battling cybercrime for decades. We don't often talk about them, we don't often think about them, but they've been grinding away with their sleeves rolled up, tracking and prosecuting all kinds of cybercrime for a very, very long time. I know this firsthand because literally the first professional job I had in this space was serving at the Pennsylvania Office of Attorney General in their consumer protection division, many, many, many years ago, and we were specifically at the time tasked with tracking down spammers and unsolicited email providers and cybercriminals. And one of the cases that I worked on still makes me chuckle a bit. This was a well-publicized case, so I'm not divulging any state secrets here. But we had been tasked with tracking down spammers, and there was this group that was spamming out fake university degrees, like you could get your college degree, or a college degree that was fraudulent, for about 300 bucks, three hundred fifty bucks.

Brian Selfridge: [00:11:10] And you get a full transcript, you get whatever courses you wanted and all that good stuff. So we took it upon ourselves on behalf of the Pennsylvania Office of Attorney General to get a fake degree for my, my, our sort of prosecutor, the lead prosecutor's cat, whose name was Colby Nolan. You can look this up. It was the first feline to achieve a master's degree in, I forget what the degree was in, but something pretty, pretty prestigious. So regardless, for those types of cases, we did a lot of anti-spam work back then. It's just been going on in many states across the country, and we really appreciate that work that takes down, sort of one at a time, some of these attackers and cyber-criminal syndicates. So pretty cool stuff.

Brian Selfridge: [00:11:58] Ok. In the next few updates I will cover some guidance and changes underway for OCR, for HIPAA regulatory enforcement activities. First, OCR issued guidance on HIPAA and disclosures of PHI for extreme risk protection orders, or ERPOs. Extreme risk protection orders temporarily prevent a person in crisis who poses a danger to themselves or others from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths, according to OCR.

Brian Selfridge: [00:12:28] Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. In the event that you have these sorts of ERPO situations and healthcare providers are involved in those, then the HIPAA Privacy Rule applies and places restrictions on disclosures of PHI. So OCR has confirmed that healthcare providers are permitted to disclose information about an individual to support an application for an ERPO against the individual. And in such situations, it says that the individual will not be required to authorize a disclosure under certain conditions. Again, sort of if you have that situation where someone poses a danger to themselves or others related to their acquisition of firearms, and that subsequent request.

Brian Selfridge: [00:13:11] So for all those privacy officers and compliance and legal listeners out there, take a look at the new guidance and make sure you have an opportunity to update your privacy policies and procedures according to the new details of the guidance. I haven't covered it all here or gone into the nitty-gritty. I just wanted to sort of make you aware of it, so be sure to look up that ERPO guidance on the OCR website for more information.

Brian Selfridge: [00:13:33] Also, don't lose track of the second update around OCR, and that's the pending HIPAA Privacy Rule regulatory changes that are in draft and due to become effective later this year. So the Biden administration actually recently released the Fall Unified Regulatory Agenda, which is a listing of all the stuff they're going to do this year. It indicates that HHS will likely issue final rulemaking sometime toward the end of 2022. The Biden administration also notified the industry that it's planning to issue new draft rulemaking related to substance use disorder, or SUD, as a follow up to its related provisions in the Coronavirus Aid, Relief and Economic Security Act, or CARES, for those that follow snappy government acronyms.

Brian Selfridge: [00:14:18] Meditology issued blogs and podcasts on the OCR Privacy Rule changes previously, last year. So if you want to do a refresher on these changes, definitely check that out on the website. You can see we issued several blogs, we did a webinar on it, or you can just reach out to us at CyberPHIx @ and we can connect you with our privacy experts to help you prepare for those HIPAA Privacy Rule changes coming down the pipeline.

Brian Selfridge: [00:14:42] So we're running a bit short on time here, so I'm going to give you a quick update on a few other items before we wrap up this week's episode. One of those items is that the electronic health records (EHR) giant Cerner was acquired by the tech giant Oracle for a staggering twenty-three point eight billion dollars. The deal still has to be approved by federal regulators, though, as is always the case with these monster acquisitions.

Brian Selfridge: [00:15:07] The industry is still trying to analyze what this means and the shake-up to the vendor space, but it certainly means that Cerner is going to continue to give Epic a run for its money as the dominant EHR vendor in the space, and Oracle is doubling down on its investments and focus on healthcare in recent years. So we expect them to be taking a larger role, not just with this acquisition, but other related movements and investments. And for Oracle, it seems to be all about leveraging their data analytics and data management capabilities to drive innovation and better care in healthcare; that's sort of the premise of this deal and acquisition. And data is frankly the name of the game for the next decade, I think, on all tech fronts, healthcare being inclusive of that and cybersecurity as well. So we're going to keep an eye on this one for sure, and we'll keep you posted on how that plays out.

Brian Selfridge: [00:15:57] In other news, NIST has issued a new international cybersecurity and privacy resources website. It appears that NIST is attempting to promulgate their standards and guidance across the international community, including issuing translations of their popular risk management frameworks and control frameworks. And I suspect this is a recognition that, you know, no matter whether you're doing business securing U.S.-based systems from cyberattacks, we're ultimately dependent on and tied to kind of the lowest common denominator of vulnerable systems, whether they be hosted in the United States or internationally in other countries.

Brian Selfridge: [00:16:30] So I should note that, you know, the U.S. systems and companies have a very, very long way to go themselves, and ourselves, in securing our own shop. But there's a lot more work to be done across the board, both locally and internationally, and any steps we can take to get these types of standards in place across the board, I think, is going to be the rising tide that kind of secures all boats, lifts all boats.

Brian Selfridge: [00:16:53] The final update I'm going to mention today is a story from KrebsOnSecurity, the news outlet and investigative research entity, about crypto mining software that has been embedded into the popular Norton 360 consumer antivirus platform and product. This was not accomplished by hackers, believe it or not, but is actually a business ploy to monetize and arguably hijack the computing power of the end-user systems for financial benefit via bitcoin mining. It's not yet clear how much of the mining revenue goes to the customer on whose machine this software has been installed, or to Symantec, who owns Norton, and how much of a cut they're going to take. But given the fact that it's not particularly well-publicized and is sort of this add-on that, you know, nobody perhaps asked for and now has installed on their machine, it's a bit fishy.

Brian Selfridge: [00:17:47] One customer, I think, summed up the situation pretty well, saying "Norton should be detecting and killing off crypto mining hijacking software, not installing their own. I'm absolutely furious." That's what the quote was from one customer, and it's hard to disagree with that perspective. I apologize that I don't have time to go into a Bitcoin Mining 101 discussion. So if you have no idea what I'm talking about, definitely look that up, if you're curious about how it works and how you can use computing power to mine bitcoin and make money. Apparently, Norton is not the first software company to pull this little trick. There have been several others that were cited. So hopefully this kind of publicity from KrebsOnSecurity and others will help influence organizations to at least provide a lot more transparency about what they are up to here with their bitcoin mining software that is installed in other platforms, like antivirus, that we would not expect to be doing such functions. So we will keep an eye on this one. It's a bit worrisome.

Brian Selfridge: [00:18:46] All right, that's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you, and we want to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. So long, and thank you so much for everything you do to keep our healthcare systems and organizations safe.