The CyberPHIx Roundup: Industry News & Trends, 10/27/21


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Highlights of 25+ Cyber Breaches to Payers, Providers, & Healthcare Vendors in the Last Two Weeks 
  • UPMC Hacker Gets 7 Years in Prison 
  • HITRUST Deploys a New Certification Option 
  • Google Launches AI Pilot with NJ Healthcare Provider 
  • Microsoft Launches New Privacy Management Framework for Office365 
  • Tips for Managing Remote and Hybrid Security Teams 
  • Russians Continue Aggressive Attacks Despite US Sanctions and Intervention 
  • State Department’s Plans for New Cybersecurity Office 
  • Ransomware Disclosure Act Bill Introduced with 48-hour Reporting Timeframe 


Brian Selfridge: [00:00:11] Good day, and welcome to the CyberPHIx Healthcare Security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, along with blogs, webinars, articles, and other educational material. So we've got some great updates to cover today. Quite a bit, actually, so let's dive into it.

Brian Selfridge: [00:00:46] Ok, I'm going to shake things up a little bit here today and start off with a rundown of the many, many healthcare breaches that occurred in the last two weeks alone. It's getting really hard to keep track of these. There are about twenty five or so that I'm going to pick on quickly and efficiently, I hope. I'm going to focus on a combination of vendors that were breached, so you can stay tuned in to any risk exposures for vendors, as well as other healthcare entities on the payer and provider side that I'll highlight as well, so you can see who else is getting hit out there and what's happening.

Brian Selfridge: [00:01:15] So let's start with the payers. We saw breaches with Aetna, who reported exposure of over one thousand eleven patient records. Humana also had a breach of approximately nine hundred and forty eight individuals' information. The details were light on those, just reported to HHS on the Wall of Shame, and Anthem also had a breach. I want to spend a second on the second set of Anthem and Humana breaches. Believe it or not, there is a second round of those, as their incident stems from a ransomware attack on one of their billing vendors; PracticeMax is the name of the vendor. The attack lasted from April 7th to May 15th, and a server containing PHI was accessed and files were stolen from PracticeMax. Humana and Anthem use this vendor to share information with another sort of provider called Village Health, which is a kidney care provider. So this is kind of a unique, perfect storm of supply chain risks, right? The fallout of the breach reporting is hitting the payers directly, so you get the sort of reputational damage at Anthem and Humana in this case, even though the vendors themselves are also taking a hit. Humana reported that this particular event impacted four thousand four hundred twenty four patients, and Anthem reported the breach to the California attorney general. But the volume of records was not disclosed, so we don't have that available.

Brian Selfridge: [00:02:35] So next, I'm going to rattle off a bunch of vendors that were breached here in the last few weeks. So pay attention. See if you recognize any names that you might be working with. The Epilepsy Foundation of Texas lost data from a phishing attack. CVS Pharmacy had eight hundred and twenty-six records stolen. This follows their massive breach of over one billion records earlier this summer, if you remember that one. Intuit QuickBooks was targeted with a fraud attack that asked their customers to make fake renewal payments to a phony site that pretended to be QuickBooks. So that's kind of a QuickBooks breach if you think about it, perhaps. Zenith American Solutions is a third party health plans administrator that exposed one thousand nine hundred and seven member records. OneDigital was another company that was hacked. The Georgia Department of Human Resources and the State of Alaska Department of Health had breaches as well. Navistar is another company that lost data on forty nine thousand individuals. The Council on Aging had email accounts hacked and PHI exposed. Cox and Cox Health was hit by a ransomware attack. Accenture, the consulting firm, disclosed a ransomware attack as well. The American Osteopathic Association had a cyber attack impacting over twenty seven thousand people. Microsoft stated that a new Iran-linked hacking group targeted more than two hundred and fifty Office 365 tenants and compromised accounts for about 20 of those. We don't know which ones. Independent Health Corporation suffered a breach, and Wiggin and Dana LLP had a hacking breach.

Brian Selfridge: [00:04:07] I want to make a quick reminder here to remember that revenue cycle debt collecting agencies and law firms are two of the highest risk and most likely vendors to experience a cyber breach, according to our data out of our sister company, CORL Technologies. So I think we saw a couple of breaches in there for both law firms and rev cycle companies, so definitely make sure you're assessing those in your vendor risk management process. If you aren't doing that already, they are a high likelihood. Finally, in terms of breaches on the provider side, UNC Health Care had seven hundred patient records breached. Phoenix Children's made an error and sent an identified email to three hundred and seventy employees, listing them as exempt from the hospital's COVID vaccine mandate; you sort of need that in the BCC and not in the CC. EMI Health launched an investigation into unauthorized access to their systems. Orange County HCA reported a breach to HHS. OSF Health Care had a breach, and Springhill Medical Center experienced a ransomware infection, which is most notable for the subsequent lawsuit that came out recently, brought by a parent of a patient who alleges that their baby's death was related to and the result of the ransomware-generated outage. So if you can believe it, that is not the full list of breaches in the last two weeks, but it should give you a sense of what we are dealing with across the industry.

Brian Selfridge: [00:05:30] In other news, in case you thought there may be no justice or accountability for cyber attacks, we're going to highlight a case this week where we saw at least a little sliver of justice in our space. I guess we'll take anything we can get at this point, right? So the hacker who stole personally identifiable information and W-2 details from sixty five thousand University of Pittsburgh Medical Center, or UPMC, employees was sentenced to seven years in prison this week, which is the maximum penalty allowed. Shawn Johnson, who's the individual that was sentenced in Detroit, initially hacked into UPMC systems back in twenty thirteen and twenty fourteen and later again in twenty seventeen. He sold the information on the dark web, and scammers then used the information to file two point two million dollars in fraudulent tax returns, of which $1.7 million of that two point two was paid out by the IRS. That one point seven million was converted into Amazon gift cards and high value products that were sent to Venezuela. So Johnson, this individual, had three other co-conspirators. One was extradited to the U.S. from Cuba and served six months. Another was a staff sergeant positioned in Washington state and got three years probation because he had actually not yet received the funds from the scam that he was part of orchestrating. The last co-conspirator was a Venezuelan national named Maritza Maxima Soler Nadarse, who received a 16-month term, and then she was deported to Venezuela.

Brian Selfridge: [00:06:58] So interesting to see some females involved in cyber fraud and hacking. I'm sure that happens all the time, but we don't always hear about it; it seems to be a very male-dominated fraud area from what we see in general. But overall, accountability like this takes time to process, but we're glad to see some of the action in this case. I hope to see some more prosecutions like this as these hacks and breaches continue and escalate. We've got to catch some of these folks, right? So it takes a couple of years, but we're getting there, and we'll take what we can get.

Brian Selfridge: [00:07:25] Moving on to some other interesting news in the healthcare cybersecurity certification space. The two dominant enterprise cybersecurity certifications in healthcare are the HITRUST CSF Certification and SOC 2 Type II reports or certifications. The HITRUST Alliance, who issues the HITRUST Certification, has announced that they're adding a new third certification option into the mix. The new certification is called i1 and is designed to be a lighter and more achievable certification than the traditional HITRUST CSF validated report. The certification targets smaller organizations and business associates that are really having trouble investing in the spend and the time required to get fully HITRUST certified. So the i1 has a subset of security controls required for certification based on the NIST 171 framework, and it can be used as a stepping stone toward full HITRUST certification for organizations that want to get on the certification path without committing to full-blown HITRUST CSF certification.

Brian Selfridge: [00:08:24] The HITRUST i1 certification is also good for a one-year term, whereas the HITRUST CSF is a two-year term with an interim assessment. So those that have been down that path know that; this is a more traditional annual assessment, much more like SOC 2, if you think of it that way. And statistics from our sister company, CORL Technologies, show that still less than twenty five percent of healthcare vendors and business associates have achieved and maintain a cybersecurity certification. That number is creeping up month over month, year over year, but hopefully this new lighter weight option with the i1 will help us get some of those industry adoption numbers up for certifications. And as we heard earlier in that whole vendor breach rundown, our vendors definitely need some help getting accountability to protect against these breaches. Of course, Meditology is a certified HITRUST assessor organization, so we'll keep an eye on this new certification and let you know how organizations are faring with its adoption and the whole new certification approach out of HITRUST. We'll keep you posted in other updates.

Brian Selfridge: [00:09:22] This week, there was an interesting development in Google's endeavors to innovate in the healthcare provider delivery space. Google announced a partnership with Hackensack Meridian Health in New Jersey. The health system will transition its systems to Google Workspace and Chrome OS throughout, to deploy more artificial intelligence and decision support capabilities for the organization. Some of the first use cases they're looking to deploy will be applied to newborn health screenings and a few other areas like mammography and prostate cancer screenings. You know what I say if you have to add new untested technology in healthcare: best to start testing it on newborns and babies first, right? Just kidding. Hopefully, though, this accelerates the screening processes in general that they've identified and maybe overall healthcare. Of course, being the paranoid security person that I am, I think that comes with the territory, right? If you have the CISO hat or any kind of hat in this field, you get worried. So I'm a little wary right off the bat of Big Tech taking patient records into their super clouds for AI or any other purposes. Big Tech does not have a great privacy and security track record, or at least security better than privacy. But putting the whole hospital on the Google infrastructure could pose some privacy and security concerns, so, you know, we'll keep an eye out for that, but so far, the focus of the initiative has been on clinical use cases. Hopefully, security and privacy are being considered and baked into the process and the investments being made along the way.

Brian Selfridge: [00:10:45] We can certainly hope so, although I wish I could say this is usually the case. But unfortunately, security and privacy can often be an afterthought, with all the pressures to deploy a new launch and technology like this. So we'll keep an eye on it and let you know how that one works out, and whether there are any broader implications for the industry.

Brian Selfridge: [00:11:03] In other Big Tech news, while we're talking about Google and such, Microsoft launched a new privacy management framework that is built into the Office 365 platform. The AI-based solution is designed to help enterprises manage data privacy risks and automate responses to privacy incidents and privacy information requests from workforce members and patients and the like. So the solution includes dashboards and workflow tools to manage and report privacy incidents. It also scours the network for where sensitive privacy information may be stored, and it kind of maps it out. This is all sort of stuff it claims to do; I haven't played with it yet. But there's also some AI and logic that helps triage privacy incidents and legal conflicts, and other capabilities on the privacy front. So the software says it can actually intervene with employee actions and can alert and/or even sort of halt some activities and block activities. I don't think we want to do much of that in healthcare, but it can require action before allowing some of the transactions to take place, almost like a break-the-glass functionality.

Brian Selfridge: [00:12:04] Our privacy experts here at Meditology are digging into the new platform in more detail, so I'll let you know what we learn about its deployment and sort of how it's being used in healthcare and some of the benefits for those that are already Office 365 tenants. Hopefully, it's an additional add-on that can be a really big help to both the privacy and the security departments in terms of incident management and privacy compliance overall. So glad to see that update. All right, next up, I want to give you a sneak peek into some of the takeaways from an upcoming webinar that we're hosting on the topic of managing remote and hybrid security teams. So in the post-pandemic, post-COVID world, everybody is hybrid or at home. Still, I like to get out from time to time, but some other people are still stuck in their dining rooms and stuff too, doing work. So the webinar is titled Architecting Virtual Security Teams: Lessons from Virtual CISO Programs. You can register now if you want to go check that out, or you can watch the replay if you happen to be listening to this after November 2021, so I'll share with you some highlights.

Brian Selfridge: [00:13:03] So I think, big picture, healthcare has gone historically from its on-site culture, healthcare providers in particular, like "you have to be here, we need to lock you in the basement and have you do your stuff." That is starting to shift, and we've got this explosion of the new virtual workforce. Organizations, healthcare organizations anyway, seem to be much more open to hiring cybersecurity leadership and staff that live outside their primary geographies, which again is just a whole, whole new opportunity for us. Now, some roles are better suited to remote work than others, which has led to these kinds of hybrid teams. So in terms of some of the best practices that we've seen, you know, focusing internal and on-site staff on areas that require institutional knowledge makes a lot of sense. So if you're going to have people in-house that know the business, have them there, have them local, have them be really plugged into what's going on with the rest of the business, to the extent you can, on site. You can leverage partners for managed services for key commodity functions, so they might be your managed service providers for your SOC, NOC, network type stuff or for other capabilities. And that sort of lends itself to kind of a more remote and hybrid function. You don't need those people sitting down looking through logs all day in your facility.

Brian Selfridge: [00:14:16] Specifically, look to hire part-time or staff augmentation resources to provide niche skill sets or support during peak cycles, right? So you don't always have to have an on-site full-time person that does x y z, you know, again sitting in the office all the time when you may not need that skill set all the time. So having some part-time folks that might be able to swoop in and out as needed, and they can be remote for sure. And you know, I think the key is providing flexibility, but also requiring some degree of routine in-office face time, whether it's once a week, once every few weeks, once a month, whatever may work for you. We're learning that the teams do need some face time to sort of grease the skids on the program overall in relationships and communication, and just keep those bonds tight. And then, you know, in terms of managing remote teams, I know a lot of folks that are listening will have direct reports or have to manage individuals that might be remote. So some of the best practices there are around scheduling daily check-ins with the team, whether that's one on one or with the sort of broader remote team, looking to really make sure that you have the videos on, so to speak, more often than not.

Brian Selfridge: [00:15:30] Some cultures are sort of video on all the time, and that can actually be too stressful. You've got to let folks be able to turn it off from time to time based on the role or their participation rate. But generally speaking, for those that are going to be truly remote, you've got to see their face, build that rapport, try to get that culture going for both in-office staff and remote people. Like, don't just make the remote people turn their videos on, but have everybody on their laptops have their videos on as well. And, you know, focusing on outcomes and objectives versus kind of micromanagement and tactical oversight of day-to-day activity. If you're trying to do that at scale with a large remote or hybrid team, you're going to run out of cycles to kind of keep an eye on what everybody's doing. So, you know, getting those KPIs, metrics, outcomes defined, and you either hit the target or you don't; the more work you put into that, the better outcomes you can have with the remote team, and really leave that leash a little bit longer for them to get the job done, you know, with a little bit more autonomy. The other trick is being available: setting, you know, rules of engagement around chat, email, availability times, almost like, I think of, professors' office hours in college, right? Like make yourself available and make sure that folks know how to reach you versus just stacking back-to-back meetings.

Brian Selfridge: [00:16:44] Also, things like town halls and remote team socially oriented sessions can really work to keep people connected. I think we learned a lot about that over COVID, but if this becomes a normal thing, you know, having that stuff routinely really makes a big difference. And then getting people in the office from time to time as a group, whether it's happy hours or some other lunch or celebration or just for the heck of it, really makes a big difference. So those are just some ideas. Check out that webinar, Architecting Virtual Security Teams, and we're going to get into a lot more detail on how to build and maintain hybrid teams. So hopefully that's helpful for you, some aspect of that.

Brian Selfridge: [00:17:19] I'm going to round things out today with a few federal updates on cyber activity. First, Russia launched another huge cyber attack on the U.S. from the same group that was responsible for the SolarWinds supply chain attack earlier this year. The group, referred to as Cozy Bear, had previously been linked to Russian intelligence services. This new attack targeted providers of cloud software services, including Microsoft and others. And this Cozy Bear group is reportedly working to piggyback on access to cloud providers to then attack other private industry targets. So another, you know, classic supply chain attack here.

Brian Selfridge: [00:17:55] Taking a page out of their SolarWinds playbook: attack once and gain entry once, and then be able to leverage that many times across the industry. So this activity all comes after some much-documented diplomacy and sanctions from President Biden in the U.S. that stemmed from the SolarWinds attack in particular. Biden and Putin had a summit on the topic earlier this year. If you listen to the podcast, you've sort of been following that along. It looks like those efforts, at least thus far, may not be yielding as much return on our investment at this stage. But I guess they've got to keep that pressure going either way. But it appears that the Russian folks have not slowed down in the least on the supply chain attacks and/or their methods. So we'll keep an eye on this, too.

Brian Selfridge: [00:18:40] In related news, the U.S. continues its march toward building new cybersecurity defensive and offensive operational capabilities, and the U.S. State Department has announced plans to create a new Bureau of Cyberspace and Digital Policy. Cool name. Details are limited right now, and we'll let you know what this looks like once more information becomes available. They didn't announce it yet. They announced that they're going to announce it. And then, you know, we'll let you know when they announce it and what that cybersecurity defensive position looks like: the Bureau of Cyberspace and Digital Policy.

Brian Selfridge: [00:19:12] One last update on the federal front: a new Ransomware Disclosure Act bill was also introduced into the House that includes a 48-hour requirement to report ransomware payments. Now I understand the motivation behind this one, but I don't expect this requirement to stick necessarily, you know, particularly for healthcare. The idea of increased visibility and breach reporting is not our problem at this stage. We have plenty of breach reporting mandates at this point. I do think we need some more legislation aimed at improving protection, response, and enforcement against cybercriminal activity, and certainly lots more, lots more help. And the things that we're seeing out of standards and other regulatory work are much needed, especially around the supply chain. So I do think we need to keep pushing down that path. Requiring us to report in 48 hours or 28 hours or 24 hours or whatever, I'm not sure how much that's going to help move the needle at this moment in time, but that's just my two cents.

Brian Selfridge: [00:20:07] Well, that's all for this session of the CyberPHIx healthcare security roundup. We hope this has been informative for you, and we'd love to hear from you if you want to talk about any of this. Reach out to us at [email protected], and that's all for this week. So, so long. And thank you for everything you do to keep our healthcare systems and organizations safe.