The CyberPHIx Roundup: Industry News & Trends, 10/22/20


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • California’s Attorney General imposes a $250k settlement on healthcare app developer Glow, Inc. for privacy and security violations of the Confidentiality of Medical Information Act (CMIA)
  • British Airways GDPR fine of £20m; breach details, correlations to attacks on healthcare, and GDPR ramifications for healthcare organizations
  • FDA’s announcement of a new Medical Device Development Tools (MDDT) program that includes a rubric for applying CVSS vulnerability ratings to medical devices
  • Russians indicted in 2017 NotPetya ransomware attack
  • Rundown of the top 10 healthcare breaches this past month


Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this up. Be sure to check out our Resource Center on, which includes CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff. Now let's dive into this week's episode.

Brian Selfridge: [00:00:40] I am going to start with the California Attorney General announcing a settlement against Glow, Inc., a fertility app that captures women's personal and medical information. California imposed a two hundred and fifty thousand dollar penalty for privacy and security lapses in violation of California's Confidentiality of Medical Information Act, or CMIA. The specific allegations of the settlement were that the "partner connect" feature, which is a way to share your information with someone else, automatically generated links requesting certain sensitive information without obtaining authorization from the user. They also said that same "partner connect" feature failed to verify the legitimacy of the person with whom the information was being shared. There were some other issues cited, like the Glow app's password change functionality, which asked for old passwords without actually authenticating such passwords in the back end. So they asked for old passwords and kept them, and then didn't do anything with them. And then the last, I think most egregious part of it from my perspective, is they had a privacy policy and terms of use that made representations about the company's privacy and security practices they said were "contradicted by Glow's actual practices". So that's a problem, right. So in addition to the fine, Glow, Inc. is required to complete privacy risk assessments and security risk assessments for the next two years, as well as build out and report on their security and privacy program status. Arguably, they should have been doing this all along already. Right. And so should you. If you have an app or you're involved with an organization capturing patient information, even if you're not a HIPAA Covered Entity per se, you really should be getting privacy and security risk assessments and have a program together.

Brian Selfridge: [00:02:17] We still see a lot of organizations focusing exclusively on security and failing to get the privacy aspect and risk assessments done in a timely fashion. An assessment can unearth issues like the ones we saw Glow, Inc. faced here before they become front page news and fodder for regulators and everything else. We also know Silicon Valley is a global epicenter of app development, particularly in the healthcare space. So I think we're going to see more scrutiny of app developers as the 21st Century Cures Act takes effect and more apps will have access to APIs and electronic health records, sharing that information with app developers and app products. Again, they may not be Covered Entities per se, but are going to have to sort of deal with these California laws, the CMIA law, as well as GDPR, as well as all kinds of other issues and ultimately potentially HIPAA concerns as well, depending on the app and how it's used and where it gets the information, whether they're a business associate of the third party, electronic health record or the provider or whatever else. We're going to need to get a handle on that. If you're not sure about the 21st Century Cures Act, don't worry. Still folks getting caught up on that. We actually have a joint webinar next week with the ONC and some other folks to explain that and explain the security and privacy around that. So if you're listening to this the week that we release this episode, you can watch that webinar next week. If you're catching up, that webinar is archived and a recording is available if you want to listen to it in our Resource Center.

Brian Selfridge: [00:03:42] A couple other enforcement updates real quick. British Airways was fined twenty million pounds over a data breach that impacted over 400,000 customers, based on the GDPR regulation. There's nothing particularly new or surprising about the breach. A hacker broke in, stole data. British Airways was missing some basic protections like multifactor authentication. We've seen that before. Right. They also failed to detect the breach, and were only made aware of it when a security researcher notified the regulators at the Information Commissioner's Office, or ICO, and then it got back to British Airways. And so then the investigation ensued and yada, yada, yada. We see that happen all the time. Right. Nothing too crazy about that story. But obviously we have an industry problem with breaches. This is not healthcare specific, I recognize that. But it does follow that same similar trend for breaches that we're seeing and the regulatory enforcement activity in healthcare for US based entities, many of whom do have GDPR scope based on their business models serving global markets, particularly in the healthcare tech space. So if you aren't sure of your GDPR status, whether you're a provider or a business associate, an app developer or payer or whatever else, then I'd argue you're rolling the dice a bit there. A quick assessment for GDPR can validate your scope and also identify potential gaps that you have in compliance. Best to get ahead of those before they become available via researchers and the regulators.

Brian Selfridge: [00:05:05] Right. Another update is around the FDA's announcement of a new Medical Device Development Tools program, MDDT, another acronym for you. The FDA said this is a way for them to qualify tools that medical device sponsors can use in the development and evaluation of medical devices. As part of the tool, there's a rubric for applying CVSS vulnerability ratings to medical devices based on a series of questions at various decision points to determine vulnerability ratings. This framework is designed to help manufacturers prioritize remediation for weaknesses, security weaknesses, that may pose a threat to patient safety. In particular, the framework recommends a multidisciplinary team to work on assigning the CVSS scores, including cybersecurity and privacy folks, of course, device engineering, design and architecture teams, and patient health impact from resulting hazards. So making sure you've got some patient health advocates and business level folks there. Health care delivery organization device usage scenarios should be considered along with clinical workflow impact, they say, and information technology integration and interoperability. So all things they want you to consider as you're designing these CVSS scores, using the tool. Now, while this particular tool doesn't solve many of the people, process and technology issues that health care delivery organizations face when they're trying to tackle the medical device security risk management problem, it is another, what I'll say, micro step in a positive direction to getting vulnerabilities identified and prioritized and remediated at the manufacturer level. So we'll take any wins we can get.

Brian Selfridge: [00:06:41] Still a long way to go with medical devices and the FDA and health care delivery organizations generally. So we have a whole team of folks that specialize in medical device security. If you actually want to get a handle on how to build your program, take advantage of proven processes and strategies that have been built out in health care delivery organizations and want to get a step ahead of those, feel free to reach out to us. We can talk through that and give you sort of the more holistic view of what practical steps to take to actually reduce risk in this area.

Brian Selfridge: [00:07:11] Some other quick updates. Six Russians were indicted for their role in the NotPetya ransomware attacks in 2017. If you guys remember these, the six individuals are suspected members of the group within Russia's main intelligence directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years. And we've talked about that outbreak quite a bit, the NotPetya one. I'm not going to revisit it in great detail, but basically it was a pretty large scale infection, an attack that took out organizations like Merck in the pharma space, many, many hospitals in the EU and Eastern Europe, and had some limited but impactful impacts on US based health care organizations. One of the more notable ones being Nuance transcriptions, which was down for an extended period of time from the ransomware and actually ended up introducing ransomware through the report into the US based healthcare organization.

Brian Selfridge: [00:08:08] So transcription services were impacted for a long time, impacted for quite a while. And, you know, that's something that we've looked at. And actually, if you want to check it out, this is a quick plug for my interview on our CyberPHIx podcast that will be released next week with Stoddard Manikin, who directs security for the Children's Health Care of Atlanta organization, where we're discussing this use case as well as several others, diving deep into ransomware and health care and sort of looking at that 360 degrees around. So check that interview out. That'll give you more intel on that particular attack. But in terms of this announcement that six Russians were indicted and the groups involved, I think anyone that's surprised by Russian involvement in the NotPetya attack hasn't really been paying attention. So do keep your ear to the ground on these ones and we'll keep you posted. But not a ton of surprising activity. Glad to see some action. Not sure if that's going to translate into any meaningful outcomes there, but important, we chased it to ground of where it came from. All right.

Brian Selfridge: [00:09:06] The last update I've got to provide this week is just a quick rundown of some of the top breaches from this past month in healthcare. Just to give you a sense of how things are trending, nothing, again, too different here, but making sure you're aware of them. So we had Trinity Health, a business associate, had three million people affected by an IT hacking incident. Network servers were targeted. We had Inova Health System where one million people were affected by another hacking incident. North Shore University Health System had a breach of three hundred forty eight thousand individuals affected, also by a hacking incident. SCL Health, three hundred forty three thousand. Same story. Nuvance Health on behalf of its Covered Entities, a health care provider, three hundred and fourteen thousand, hacking incident. Right? I think actually, let me look at all these. Everything was a hacking incident, so I'll stop saying that. But you get the trend, right? This is not lost and stolen devices breaches anymore, attacking, hacking, hacking. Baton Rouge Clinic, three hundred eight thousand. Virginia Mason Medical Center, two hundred forty four thousand. University of Tennessee Medical Center, two hundred thirty four thousand records breached, people impacted. A line of health, one hundred ninety nine thousand, and University of Missouri Health Care, one hundred eighty nine thousand affected by an IT hacking incident. Emails were targeted, et cetera, et cetera. So nothing super new there. But that is all just in the past month. So if you are thinking that this stuff isn't prevalent or not likely or whatever, pay attention to the trends there. They are moving fast and furious.

Brian Selfridge: [00:10:46] So that's all for our session of the CyberPHIx health care security roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long and thanks for everything you do to keep our health care systems and organizations safe.