The CyberPHIx Roundup: Industry News & Trends, 10/13/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Key takeaways from The Annual Cybersecurity Attitudes and Behaviors Report 2021
  • US Securities and Exchange Commission (SEC) fines for breaches and related news on the focus of third-party risk in stock exchange investments
  • Analysis of a new report from RiskRecon and Cyentia on measuring the ongoing impact of multi-party breaches
  • Discussion of Mandiant’s detailed report on the FIN12 criminal gang that is actively targeting the healthcare industry
  • The latest FBI and CISA alerts on the Conti ransomware attacks and recommendations for protecting healthcare organizations
Brian Selfridge: [00:00:11] Good day, and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading health care security, privacy, and compliance leaders, as well as blogs, webinars, infographics, and lots of other educational material. We have some great updates to cover today, so let's get into it.

Brian Selfridge: [00:00:46] Well, we've made it to October, which, as you may or may not be aware, is officially Cybersecurity Awareness Month, so I expect you all to be feverishly preparing your cybersecurity-related Halloween costumes. I hope to see some hooded hackers out there, maybe some little young ones dressed up as little bitcoins or some ransom notes or something like that. I'm still deciding on my costume myself. So if you have any suggestions, let me know. Maybe we can get a thread going on LinkedIn in the comment section of this episode with some ideas. Maybe I'll be a scary doctor going around giving everyone SQL injections or something like that. I've got to think through it, but I welcome your suggestions. So as part of Cybersecurity Awareness Month, the National Cybersecurity Alliance put out a new report that has some interesting perspectives on how cybersecurity is perceived and adopted by the masses, the regular people.

Brian Selfridge: [00:01:32] So the report is called Oh Behave: The Annual Cybersecurity Attitudes and Behaviors Report 2021. It's an Austin Powers reference. I'm not sure what his position was on cybersecurity. I guess we'll find out now. It's a great report, and a long report, but I'm just going to pick out some nuggets here today that I thought were particularly interesting. So the report spent some time highlighting the generational differences in reporting behaviors for breaches and cybercrimes. It seems like, at least from the data here, that the older you are, the more likely you are to report cybercrime and identity theft. Baby Boomers, in particular, come in at the top of the charts at sixty-four percent most likely to report cybercrime, followed by Gen Xers at forty-three percent, millennials at thirty-two percent, and Gen Z at twenty-one percent. The main reason given for not reporting cybercrime is that people didn't know whom to contact or how to report it. And I have to admit, I'm not entirely sure I know the answer to that either. If it were something on a personal basis, you know who we're going to go to. I'll use my FBI connections and let them know about the sort of personal cybercrime that they don't care about. I'm sure they care, but they have bigger fish to fry.

Brian Selfridge: [00:02:43] So the report doesn't speculate why the younger generations, in particular, don't report cybercrimes. But I think it's a good piece of intel in general as you roll out your own security awareness programs to spend some energy on educating the workforce, young and old, on where and how to report suspicious behaviors or events. I think that's always a good thing to do. But this data shows us that the message isn't always getting through, particularly even in corporate settings. Other findings in the report noted that nearly half of all survey participants have never heard of multifactor authentication, or MFA for short. Of those that have heard of it, 90 percent are using MFA for online access of some sort or another. So once again, I think we have an awareness and education issue here, potentially. I'm hoping that for some of that fifty-two percent of folks that have never heard of MFA, maybe it's just because we're using our techie jargon, "multifactor authentication," and perhaps that could be part of the confusion. But I think it's frequently the case that unless your job provides or requires MFA, folks don't necessarily know or take the time or the initiative to set up multifactor authentication for personal use when it's given just as an option, or maybe something you have to click and drill into or find on your own. And I've been watching the trends in legislation and standards bodies this past year.

Brian Selfridge: [00:04:01] And we've talked about this somewhat on this show, but I expect MFA, in particular, to become a regulatory requirement, and certainly it's getting baked into standards like the new PCI 4.0 framework and other things along those lines. So hopefully that will increase our adoption and knowledge and awareness of what MFA is to the broader public. But let's get out there and start paving the way with some education of our own workforces to make sure they know what it's all about and why it's really, really important for ransomware and everything else that we're grappling with. Now, another interesting tidbit from this report is the perception of survey respondents about who is responsible for cybersecurity. Forty percent of the respondents perceive themselves to be least culpable and least responsible for cybersecurity when matched up against other choices like the company's security department, the IT department, internet service providers, the tech industry generally, or governments. The second and third highest categories in terms of who were perceived responsible for security were internet service providers and the government, as well as the security department. Both the government and the security department were at twenty-five percent, sort of head to head. So we made it on: the security team is responsible in the eyes of folks, but it's a little further buried down than you would think. And we actually dug much deeper into this topic.

Brian Selfridge: [00:05:15] On a recent CyberPHIx interview earlier this year with TJ Mann, who is the CEO of a children's health care organization, TJ gives a fantastic rundown of roles and responsibilities for cybersecurity across the organization, at each staff level, at each function level. Really great stuff. Give that a listen, and I think that's a very informed perspective on where accountability lies. The last point I'll note on this particular report is its commentary on password management, which we know is still one of the top weaknesses in cyberattacks overall for the industry. So password reuse specifically was identified as still a problem, with forty-six percent of participants saying they use different passwords for important online accounts either very often or always. So that's, again, about half the people very often or always using a different password. The rest of the group, the majority, unfortunately only use different passwords sometimes, rarely, or never. So in terms of password management generally, the highest volume of folks, thirty-one percent, write down their passwords in a notebook. So that's how they sort of keep their passwords covered. Twenty-six percent just remember them themselves, so kudos to those savants who can actually remember their passwords. I know I've got so many, and I am big on the complexity and different-password thing, so there's no way I could remember them all, but good for you. Twenty-six percent of people can do that, and 12 percent use a password manager now.

Brian Selfridge: [00:06:37] Others store them on their phone or in the internet browser or in a file on their computer or in their email. Let me just take a quick moment to make a short public service announcement. Do not store or send your passwords in email, please, or store them locally in a file like a Word or Excel document. Please, ever. Just as a pentester and a hacker, you're making it way too easy for us, and let's make the bad guys and ransomware actors and others kind of work for it a little bit. So keep it out of your email and files if you can, just as a starting point. Ok, that's enough for the awareness and behaviors report. Let's move on to other updates.

Brian Selfridge: [00:07:15] So moving on to our next update, there has been another market-shifting move taken to attempt to combat third-party vendor and supply chain risks. The U.S. Securities and Exchange Commission, or SEC, has begun issuing fines related to inadequate disclosure of cybersecurity breaches. The SEC issued fines against two companies over inadequate disclosures, so the British publishing company Pearson PLC and First American Financial Group were the victims, or the culpable culprits, however you want to look at it. The first fine was $1 million and the second one was for half a million dollars. Now, the second fine specifically was related to a failure to disclose a vulnerability that exposed eight hundred million image files that include Social Security numbers and other financial information.

Brian Selfridge: [00:08:03] Now, under SEC rules, businesses are required to properly disclose, quote-unquote, risk factors in SEC filings to inform the investing public about the risks associated with stock purchases. Now, for health care organizations, even if you aren't a publicly-traded company, many of your third-party vendors are. So if your vendors experience a breach, then you have a direct impact on your own business, and if they fail to notify the SEC, they have the potential for fines. And then OCR is also in the mix, right, for these sort of business associate breaches and vendor breaches. So, you know, our vendor risk management data here shows that most vendors servicing health care are small or very small organizations. So for many of these breaches and enforcement activities, when you talk about a million dollars, half a million dollars, you may think we can absorb that, but a lot of those small third-party vendors cannot. And what happens is they end up going out of business and folding under either the contractual pressure and loss of business or the fines or the combination of both. And that ends up making critical systems and capabilities that you rely on become unavailable, and often the sort of covered entity,

Brian Selfridge: [00:09:15] however you want to think about this, this sort of parent organization, the customer, is left with the fallout from the breach, the reputational damage, the issues, and the vendor folds. You're sort of left there holding the bag, so to speak. And there's a number of incidents where that's happened in recent history. In a related story, just to this whole SEC fine situation, we also saw the credit and debt behemoth company Moody's make a large investment in supply chain risk these past few weeks. So it's clear that the SEC and others in that universe of investment in stocks and vetting are now seeing third-party supply chain risk as a serious existential threat to the business, and to the vendors in particular. And we've spoken quite a bit here about the trends at the government level that are trying to get a handle on supply chain risks through executive orders, presidential executive orders. There are bills in the House, there are state regulations, there are federal regulations in the works, all that stuff. So now we are seeing private industry really start to put more hard money and investment toward trying to stem the escalation of third-party risks and cyber breaches overall. So that's really interesting. We can expect to see, I think, regulations in this space going forward, and expect to see more of the market-level corrections and investments that we're seeing here from the SEC, Moody's, and others to absorb the impact of what really is historical underinvestment in cybersecurity and the supply chain.

Brian Selfridge: [00:10:39] So I contend that this is just the beginning and we will see more activity around third-party risk from all angles. Now for your own programs, I think now's the time to start getting caught up on looming third-party risks and start making investments to address the existing risk to the business, as well as stay ahead of the likely regulations that might be coming down the line on supply chain.

Brian Selfridge: [00:11:04] Moving on to other updates this week, the cyber risk scoring company RiskRecon released an update to their 2019 report called Ripples Across the Surface, which looks at the impacts of breaches and their effect on multiple parties or, in other words, third- and fourth-party impacts. So think SolarWinds and Microsoft breaches, those types of scaled attacks that impact not only those organizations themselves but many others down the line. So some interesting takeaways for me from this particular report include the statistic that breaches impacting multiple parties cause 10 times the financial damage of a single-party breach, with the worst events (SolarWinds, for example, would be a case study for that) causing twenty-six times the financial damage of an individual breach.

Brian Selfridge: [00:11:52] So the report notes that the damages take time to manifest downstream. It's not like an instant, you know, 10 times, boom, there's the financial impact, but it's sort of this cascading, rolling effect. And in fact, according to the report, it takes three hundred and seventy-nine days for a typical ripple event, as they call it, to impact seventy-five percent of its downstream victims. So we're looking at a year plus until really the impact of these things is felt. So the clock's ticking on SolarWinds, as are the dollar signs, and on other breaches of the third-party supply chain in particular. Now the report is a cross-industry report, but it did have some healthcare-specific data that I think is worth mentioning. For instance, over a 10 year period, health care was seventh on the list for industries where the breach originated, so sort of the originating source of the breach. However, health care is fourth on the list of industries that are impacted by breaches that have originated across all industry sectors. So in other words, we are taking a larger hit in downstream impact from breaches that happen in other industry segments like technology and the supply chain of things that we rely on, and health care is sort of getting the downstream impact. Now, since this report cuts across 10 years, I would suspect that the last three years in health care should and would show a much higher placement on the directly breached industries.

Brian Selfridge: [00:13:13] And I think we've seen a big uptick there as well as, you know, higher up on the list of impacted industries. I think we certainly at least would still be fourth place, maybe higher, but that's just an assumption on my part. The report doesn't necessarily go into that level of detail. Now, one interesting point to note is that the professional services and financial sectors were the source of 70. No, not 70. Forty-seven percent of all ripple-generating events. I like this word ripple. So make sure you evaluate your professional services vendors when you look at your third-party risk programs. I think they're ones that often fall under the radar, and our own data from the CORL Technologies vendor risk assessments that we do actually backs up this stat pretty well. So, you know, CORL data also says pay attention to your revenue cycle vendors and law firms and some other categories as well that often fly under the radar and introduce high risk, but are often overlooked for assessments and remediation activity. All right, back to the report. So one other reference to health care in the RiskRecon report was around the time it takes for each industry to feel the impact of a multi-party incident.

Brian Selfridge: [00:14:25] Health care is number two on the list behind the public sector to identify and report breaches. I think that's probably largely due to our breach notification laws. It's not that we're that great at detecting it, better than others. I think we just have to make more noise about it and let folks know due to the breach notification laws. Other industries don't have those, and they're waiting a year or half a year or more in some cases before anybody finds out about it. And that's, I would argue, a problem. All right.

Brian Selfridge: [00:14:51] Well, we're certainly on a roll with all these new reports. So let's keep that going. There was another one released this week. Maybe it's that whole Cybersecurity Awareness Month thing. Everybody's got to get their report out. But this next update to cover is a deep dive analysis conducted by the security firm Mandiant on the prolific ransomware group FIN12 that has aggressively pursued health care targets this last year and prior. If you recall the big imminent threat FBI alert from earlier this year in late 2020, that's the one that we're talking about. That's the same FIN12 group. Now, as we would expect from Mandiant, the report is very technical and does go into some impressive detail on attacker- or technology-specific indicators of compromise, all that good stuff, but I'm just going to highlight some of the big themes here for brevity's sake.

Brian Selfridge: [00:15:40] So Mandiant observed that the FIN12 group remained active in targeting and infiltrating healthcare organizations both before and after the FBI imminent threat alerts earlier this year. So I guess they weren't particularly deterred by the FBI's outing them and their activities. The report notes that other cybercrime groups state at least an intention to avoid healthcare, although they're not always doing that. But there's a sort of honor among thieves kind of thing that is purported by some of these groups, and they said, you know, we're not going to bother with healthcare. We know it's a pandemic. We'll give you guys a break. However, our FIN12 goofballs here and friends have no such moral compass, and they are actively going after healthcare. And that is not something that bothers them, apparently. So most of the victims of the FIN12 group are in North America, though there's some evidence that they're looking to expand operations in other geographies. Mandiant believes that the FIN12 group's targeting calculus is based on annual revenue, as the vast majority of its health care victims have over $300 million in annual revenue. There was also evidence that the makers of the Ryuk ransomware, which was used for these attacks, also have a minimum threshold for revenue. So there are, you know, different pockets of these cybercrime businesses that target different industry segments.

Brian Selfridge: [00:16:58] And so these are clearly kind of an upmarket targeting group. Now, while we're talking about the malware part of this, I mentioned that Ryuk malware. In addition to that piece, FIN12 also takes advantage of the TrickBot and BazarLoader malware platforms that are offered by separate criminal gangs. So you can kind of think of this like the criminal gangs have their own third-party criminal supply chain, right? They get their malware from one source, they get their initial entry from another place, they get their ransomware software from even a third party, and they pull it all together and pull off the heist. Citrix access is also noted as a big component in their entry tactics, just so you have that on your radar as well. So FIN12 is noted as being one of the fastest-acting ransomware groups, you know, from the time they gain initial access. They apparently prioritize speed as their sort of differentiator, speed to compromise, rather than waiting the standard weeks and months of a classic attack that we see from other groups before they are in the environment and off to actually introducing the ransomware or the malware or whatever attack they're undertaking. So FIN12 averages just two point five days from when they gain initial access to when they actually deploy the ransomware. So that's pretty frightening, right? You can read the full Mandiant report on FIN12 in the article they published recently on their website, if you want to check that out, or get to me and I'll send it over to you.

Brian Selfridge: [00:18:19] In a related story, the FBI released an alert this week on the ramp-up of the Conti ransomware attacks. The FBI and CISA have observed that the Conti ransomware has been used in more than four hundred cyber attacks in the U.S. and globally. Now, Conti is one of those ransomware groups that also steals the data and holds it for multipronged extortion, in addition to the ransomware itself. So you remember, we've talked about that phenomenon. Conti ransomware actors deploy a variety of techniques to gain access, including phishing and spear phishing with malicious email attachments that have exploits in them. They also do some brute force attacks on Microsoft Remote Desktop Protocol, or RDP. And oh, by the way, they also use the TrickBot malware, so they're using the same supplier as the FIN12 folks. The TrickBot folks must be doing pretty well. So some of the recommendations from the FBI to defend yourself against the Conti ransomware attacks include, and I'll sort of rattle them off here: use multifactor authentication, if you know what that means. Apparently, fifty-two percent of folks don't. I'm hoping you all do, knowing the field that we're in, so there's multifactor again. Implement network segmentation and filter traffic, scan for vulnerabilities, and keep software updated.

Brian Selfridge: [00:19:34] It's pretty bread and butter stuff there. Remove unnecessary applications and apply controls. Removing unnecessary applications in health care is not likely to happen anytime soon, but a great idea, I think. Implement endpoint detection and response tools. Limit access to resources over the network, especially RDP. Ok, that's a good one. Do take a look at inventory. Why do you need RDP anyway? Honestly, besides your network people, who are going to be doing internal RDP traffic and those types of things. Even there, you've got to have a better way. Let's try to get RDP out of our lives, certainly on the externally facing front. No excuses for that one. Secure user accounts is another recommendation. That's pretty general. Sounds like a good idea. And ensure critical data are backed up, with backups stored offline and tested to ensure file recovery is possible. Agree with that wholeheartedly.

Brian Selfridge: [00:20:22] Well, that's all for this session of the CyberPHIx Health Care Security Roundup. We hope this has been informative for you. We'd love to hear from you. If you want to talk about any of this or give us any Halloween costume suggestions, just reach out to us at [email protected]. That's all for this week. So long, and thanks for everything you do to keep our health care systems and organizations safe.