The CyberPHIx Roundup: Industry News & Trends, 10/5/22


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
  • New Ponemon study that links increased mortality rates and poorer patient outcomes following cyber attacks
  • Massive third-party breach cripples Britain’s National Health Service (NHS) via ransomware breach that takes down 111 services (akin to 911 services in the US)
  • FBI warning and increased reporting of financial processing attacks against healthcare providers via phishing and social engineering
  • Ambry Genetics settles class action lawsuit for $12.25m following 2020 breach of over 230,000 patient records
  • OCR announces $300k settlement related to improper disposal of specimen containers with PHI on labels
  • New FBI report on medical device security vulnerabilities and recommendations for healthcare organizations
  • Updates on cyberwarfare trends stemming from the Russia/Ukraine conflict; Ukraine issues warning to allies of potential new cyberattacks from Russia
  • President Biden signs new cybersecurity guidelines following CISA recommendations
  • New federal cybersecurity requirements from the Office of Management and Budget (OMB) and NIST accreditation for third-party vendor risk management
  • Healthcare sector leads all industries in fixing software security flaws; report highlights and analysis

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to The CyberPHIx Healthcare Security Roundup, a quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare cybersecurity, privacy, risk, and compliance leaders, alongside blogs, webinars, articles, and much more educational material. We have a lot of fun stuff to cover today, so let's dive into it, shall we? 

Brian Selfridge: [00:00:48] Okay, starting things off today, I do have to be fully transparent. I have a cold, as do the other five members of my family, all of our children. So sorry for the Lego Batman voice or whatever this is going to come out as. But I'll do my best to get through it. The first story we're going to talk about today is a study that confirmed the increase in mortality rates and poorer patient outcomes after cyber attacks, something we've always sort of surmised might be happening. Right. But it's always neat to see some studies coming out that confirm our greatest fears. So a new report issued by Ponemon and Proofpoint puts some real data behind something that a lot of us security professionals have suspected but have been hesitant, really, to talk about out loud for fear of crying wolf or making things seem like they are worse than they are. 

Brian Selfridge: [00:01:33] But this report is titled "Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care." And it found that 89% of the surveyed organizations experienced an average of 43 attacks in the past 12 months. Those are pretty overwhelming numbers. But the real headline here, I think, is that 20% of the organizations surveyed that suffered these attacks experienced increased patient mortality rates. Yikes. It goes on to state that 57% of the organizations experienced poorer patient outcomes due to delays in procedures and tests. And that's understandable. Ransomware was specifically cited as the attack type most likely to have a negative impact on patient care, leading to procedure or test delays in 64% and longer patient stays in 59% of the organizations surveyed. So I want to highlight a few other key findings from the survey. I thought it was a pretty good report. Most of them won't surprise you, but still worth highlighting that the data backs these points up. First is Internet of Medical Things, or IoMT. The average organization has more than 26,000 network-connected devices and they are concerned about security. But only half of the organizations included IoMT in their cybersecurity strategy. So that's a problem. The second point is around cloud security: organizations feel most vulnerable when it comes to cloud compromise, averaging 22 such compromises over the past 24 months. At the time of this report, ransomware was, as we mentioned, by far the type of attack that concerns survey participants the most, and supply chain attacks were the other attacks most prominently mentioned. 

Brian Selfridge: [00:03:05] So obviously, there's a lot in this report that I don't usually go line by line through every piece of it, but I think we've always been hesitant to lean too heavily into the life-and-death sort of patient safety aspects of healthcare cybersecurity. It's easy to get hyperbolic with that and to lose credibility. I think it's still really important for us to keep our eye on that, as it should be a major business driver for us in our programs. So when you're talking to healthcare leaders and clinicians who truly deal with life and death as a daily part of their jobs, I think you have to tread lightly on this a little bit and make sure we're not overstating the case. However, this is one of the first times I've seen some real data to back up the suspected increase in patient outcomes and mortality. So good report. Good that we're starting to quantify this problem a little bit. So you can take a look at the stats in this report or use it to maybe back up some of your own business case for your security programs or things that you're trying to do in your own program. But again, be careful about the hyperbole and the exaggeration there. I want to make sure we're keeping it all in due context. All right. We mentioned third-party risk in that last report.  

Brian Selfridge: [00:03:05] Moving on to our next story. The next one is actually happening in the United Kingdom, in England. So it's a bit over the pond, but I think it's worth examining because it's such a stark example of one of these kind of worst-case scenarios when it comes to third-party risk management and incident management. I thought it was worth sort of mentioning to you all. So back in August, the United Kingdom's National Health Service, or NHS, experienced a major disruption via one of its third-party software suppliers. A company called Advanced, which produces software for many British companies, experienced a ransomware incident that impacted seven of its core product offerings. Advanced is the technology provider that powers several aspects of NHS operations, including NHS 111, a non-emergency call service to seek medical help, book appointments, call in prescriptions, etc., which is kind of cool. I think we need that anyway. It also affected Carenotes, an EMR used by NHS mental health facilities, so that's super important. And another system that NHS 111 uses to dispatch ambulances and manage patients for emergency care. So similar to 911 on our side on that last piece. So all very, very critical functions, as you might expect. Advanced has stood up a public-facing website to keep customers informed of their restoration progress. 

Brian Selfridge: [00:05:24] And it's frankly a bit of a scary read if you dig into it. It appears that most of their environment for almost every product had to be rebuilt from scratch. Just wrap your head around that for a second. There are multiple updates a week from early August through late September with different status updates on rebuilds, how customers can access data manually in the meantime. So all that sort of continuity stuff was put out there on the site they had. Progress on reconfiguring customer-specific access environments. I'm sure everybody is trying to do this rebuild together. It's not like you can just rebuild the infrastructure and the core app. Everyone has custom configurations, every hospital has their own thing. For those of you working in the healthcare provider sector, you know that well. We customize, well, sometimes to a fault, and most of the products at the time of this recording are still not fully restored. This is two months after the incident, and at least one is projecting an all-clear timeline into late November or early December. Obviously, any of us that have been involved in an incident response situation feel terribly for the Advanced staff and the team and the hospitals that are connected with this situation and handling the crisis. This is no fun, to say the least. I've been through several of these myself, and "no fun" is an understatement. 

Brian Selfridge: [00:06:34] I wouldn't wish it on my worst enemies, but I'm also not here to conjecture too much about Advanced's cybersecurity practices. We don't really know before the incident. And I think, you know, be careful about victim blaming with these things. But we do want to include this story and just point to the fact that regardless of the readiness of the third-party platform or the hospitals, when these things happen, incident response gets kicked into play. Pretty much every healthcare organization needs to be ready for these scenarios and be able to react and adjust. So you really can't under-prepare, and the stronger your security control environment, the more likely you are to be able to limit the impact of these types of things. So as the technology explosion continues in healthcare, we're depending more and more on third parties for critical business operations. In this case, we're talking about 911-type stuff, just to translate it to our environment, and other clinical care. And that's just absolutely essential. So we've got to keep our eye on these third-party vendors. So I think continuing to move the healthcare vendor industry toward third-party assurances, like making sure they're getting HITRUST certifications, SOC 2 certifications, other sort of avenues where you can have reliance that third independent validation of the security posture has been done, is really important. And our own internal third-party risk management teams can't scale to assess every single vendor in our portfolio to the degree we need. 

Brian Selfridge: [00:07:57] It's clear, sort of, this may not have had the oversight, perhaps, again, conjecture there a bit, but we've got to make sure that our programs are strong enough to keep oversight and keep these vendors honest on their security practices. Even with that, there's no magic cure to prevent a cyber attack. So cyber risk leaders need to continue to work with their executive and clinical leaders to ensure business resilience activities: getting these incident response plans in place, practicing them, getting ready for the big event, trying to avoid these multi-month downtimes, which is, I think, really where the most pain is done, both from a business operations perspective as well as regulatory risk and data loss, theft, and all those things. So we do cover NHS stories from time to time. I think this is a good one. There was the other one we did a few weeks or months back. I'm going to date myself here a little bit, but when there was the big ransomware attack on NHS that hit something like 88 hospitals, now my memory's failing me, but it's really important to use these use cases, these worst-case scenarios, to try to get ourselves prepared. So hopefully you can take something useful from that story and get yourself ready for the eventuality of these types of situations involving third-party vendors in particular. 

Brian Selfridge: [00:09:07] All right. Continuing in this third-party risk vein and topic. Now, look, I'm not picking these stories just to shove third-party risk in your faces here. It's just the news stories that are popping here. So don't blame me. Blame the third parties. But the FBI sent out a warning in mid-September that threat actors are specifically targeting healthcare payment processors. This is hot on the heels of two notable breaches affecting Practice Resources LLC out of Syracuse, New York, and Professional Finance Company of Greeley, Colorado. The FBI points out that the attacks use social engineering, which is not surprising, most specifically phishing emails targeting financial departments of healthcare payment processors. They're often attempting to access internal files and payment portals and use requests for employees to reset both passwords and two-factor authentication phone numbers within a short time frame. Once compromised, employees are reporting they're locked out of payment processor accounts due to failed password recovery attempts. And as you know, we've discussed a lot on the podcast the growing frequency of class action lawsuits. And predictably, class action lawsuits have been announced against both of these companies that we mentioned here. So I noticed the FBI put this alert out there. But I'll tell you, just anecdotally, I have several clients that have also had situations with high-profile targeted phishing attacks, particularly spear phishing of senior resources and attempting to obtain financial information. 

Brian Selfridge: [00:10:27] So, you know, this is not an isolated situation. So make sure you are paying attention to your phishing training, social engineering training, get those monitoring and logging and log correlation controls in place so we can see across systems when this stuff is happening and be able to react as quickly as possible to shut these folks out of there before they get access to the payment processing information. So keep an eye out for that. Alert your folks and make sure everybody's paying attention. All right. A couple other items for you. A few quick hitters in the breach settlement domain for you all. Speaking of class action lawsuits, Ambry Genetics settled a two-year class action lawsuit for $12.25 million in September. This stemmed from a breach of over 230,000 patient records in January of 2020. I think we covered that in the podcast back in the day, and here we are two years later with the repercussions. So yet another example of this, but this is a pretty big settlement. So I wanted to mention it, and another double-digit millions settlement tends to get your attention. Hopefully, if it doesn't, then you're rolling in cash and maybe you're not to worry about this stuff, but I don't think that's most of us. So in the spirit of what's old is new again, here's another one that I had to mention because of the relative novelty of it. 

Brian Selfridge: [00:11:42] In today's age of advanced persistent threats and nation-state actors compromising huge technology firms and cloud environments, OCR just settled a case with New England Dermatology and Laser Center over an improper disposition of specimen containers. The labels on them included patient names, date of birth, date of sample collection, and provider name. The containers were placed in a dumpster on the property, and a third-party security guard found one of the containers in the parking lot outside the dumpster. The clinic stated they disposed of containers this way from February 4th through March 31st of 2021 and identified 58,000 patients impacted by the issue. The settlement includes a $300,000 penalty and CAP from OCR, requiring them to create new policies and procedures for disposing of PHI and training and sanctioning of employees. Obviously, we don't see these kinds of cases much anymore with cyber kind of taking much of the airspace, but it's a good reminder to recheck that you're handling disposition of physical property and disposal. Many of you may have put these controls in place years ago, right? I mean, remember, big focus, we used to do walkthroughs of facilities 15-plus years ago, and that was an area we'd just constantly be finding in the trash cans and things like this, like these containers. And it slowed down for a while and became less of a focus after laptop encryption became kind of the big breach issue. Well, it's easy to lose track of these things in the face of the onslaught of the more pressing digital threats we face. 

Brian Selfridge: [00:13:07] So make sure you're keeping the fundamentals in mind. Get these paper records under control. And if you recall, CVS had a big issue, right, a couple of years ago where they threw out a bunch of records in the dumpsters in the back of the CVS. And that was a pervasive practice and something that they had to clean up. So it's not all IT stuff. Let's keep that in mind. And OCR is certainly helping us keep that front and center as well. Picking up on some more FBI news, let's go into a recent report that the Bureau sent out on addressing cybersecurity vulnerabilities in active medical devices. So we talked about IoMT a moment ago and it's coming back again. The report highlights that medical devices tend to stay active for up to 30 years, long outliving their underlying software life cycles, along with other known problems like default configurations, difficulty patching and upgrading, and a general lack of design with security in mind. Now, I'm not sure I need the FBI to tell us that, but that's good that they're summarizing it. The FBI cites that 53% of connected medical devices and IoT, Internet of Things, have known critical vulnerabilities. And in 2021, each medical device had an average of 6.2 unremediated vulnerabilities. It concludes with some practical security recommendations around endpoint protection, identity and access management, asset management, vulnerability management, and training for employees. 

Brian Selfridge: [00:14:24] They do a pretty good job of giving some practical tips that take into account the challenges. And I think you've all probably seen some medical device advice that comes from folks that don't understand the problem and the practicalities of some of the more classic security mechanisms that don't quite work for a realistic medical device provisioned environment. So none of the info in this report is particularly groundbreaking. Maybe that's just because we work in this space. Maybe it'll be more insightful for you. But it always helps to have the FBI kind of backing up our messaging and your messaging, and to read practical security tips on the problem of medical device security never hurts to get a different viewpoint or perspective. So well worth your quick skim of this. It's a five-page report, probably worth checking out. And we've put out just a ton of material on medical device security. You can go to Meditology Services and our resource center, where we've got blogs and webinars and articles and a lot about really building the people, process, and technology, that whole strategic planning around medical device security, because there's so many cooks in the kitchen between biomed, clinical engineering, network, IT, legal, procurement, medical device manufacturers, like I haven't even finished the list, but there are so many people that need to be involved to get this fixed and manage it actively. 

Brian Selfridge: [00:15:35] So you really do need a strategy. And while some of these quick-hit recommendations from the FBI are great, you really need a comprehensive program, much similar to your overall cybersecurity program, kind of a microcosm of it in some ways, that is specific to medical devices because these are very unique. Our next story is a follow-up. We did a lot of coverage of this story earlier in the year around the Russia-Ukraine war and this sort of following cyber war that came along with it. So I think many of us were pleasantly surprised, I guess, by the lack of cyber attacks that spawned out of the Russia-Ukraine conflict. There was a lot of hype about it and there was sort of a lot of discussion out of Russia saying, hey, we're going to ramp things up. Everybody's kind of ready for it. But I think Russia got distracted by the realities of the physical war and perhaps took their eye off the ball and the cyber stuff just by lack of manpower, focus, and attention. Now, there's still a ton of sort of independent cybercriminal gangs and those types of folks operating out of Russia and out of Eastern Europe. So I think that's where you still see a lot of the ransomware attacks and those types of things that haven't slowed down and arguably have kind of escalated since then. So there's this difference between the state-sponsored stuff and the cybercriminals, and they do overlap and they do have relationships. 

Brian Selfridge: [00:16:50] So I want to be clear about that, but just interesting to see how this plays out. So the update that we're looking at is Ukraine's military intelligence agency warned last week that Russia could soon again ramp up its cyber attacks against both Ukraine and its allies. And I quote, "The Defense Intelligence of Ukraine said it expects the Kremlin to carry out massive cyber attacks against critical infrastructure facilities in Ukraine and allied countries. These cyber attacks will be paired with increased missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. Russia will also increase the intensity of the distributed denial of service, or DDoS, attacks, which overwhelm a site with bot traffic to make it inaccessible, against organizations in Poland, the Baltic States, and other allied countries," end quote. The article points out that low-level DDoS attacks have been the go-to tactic, really, thus far during the conflict and that we've not seen the major attacks and sophisticated attacks at scale that we thought we might see before the war began. But it's definitely within the capability arsenal of Russia to escalate if they choose to invest and focus and get themselves organized enough. I don't know quite what the root cause is, but it's certainly not off the table yet. So it remains to be seen where we go from here. 

Brian Selfridge: [00:18:02] But I'm just going to keep you apprised of how things are playing out, and this latest update from Ukraine's military intelligence, I think, should be taken with a degree of seriousness, as they don't often put out updates like this and they must have some intelligence to back that up. So we'll keep an eye out for you and let you know how it will impact the healthcare industry in the US and more broadly, as we learn more as it unfolds. Now back to our own continental US cybersecurity situations. President Biden signed a new cybersecurity guideline, or a set of guidelines, after the CISA Advisory Committee advised him to do so. So this is really some major news stemming from the executive order on improving the nation's cybersecurity that was issued by President Biden in May of 2021. We did a whole episode about that. If you want to go back and listen again to May 2021, you'll hear what that executive order is all about. But a quick refresher if you've forgotten: the order directed organizations like NIST and CISA to develop capabilities around several key areas of improvement. These include threat info sharing between the private sector and government, modernizing federal government cybersecurity standards, improving software supply chain security. That's a big one. Establishing a cyber review board to perform post-mortems on major incidents, similar to how the National Transportation Safety Board, the NTSB, conducts investigations and improvement suggestions after airplane accidents. 

Brian Selfridge: [00:19:26] So it's kind of that post-mortem thing. Creating standardized playbooks for responding to cybersecurity vulnerabilities and incidents, and finally improving investigative and remediation capabilities for federal government organizations. All right. So now we're refreshed on what that executive order was all about. And there's been some updates. The first is the Office of Management and Budget, or OMB, is going to require federal agencies to use third-party software that complies with the National Institute of Standards and Technology, or NIST, guidelines on secure software development. Federal agencies are required now to obtain a self-attestation from the software producer before using the software. A third-party assessment can be substituted by the software producer rather than an attestation. Right. So we've already done a lot of assessments as an industry against these third parties, and so you don't have to do an attestation as well, it sounds like, either/or. Very interesting to see that. I wonder if that will sort of roll over into other industries or if we can benefit from any of these attestations that are being done. Although, you know, I'm a big fan of trust but verify. Right. And attestation is just trust and no verify. So we'll come back to that at some point. But anyway, it's a step in the right direction. The second update is related to federal agencies that are purchasing third-party software: they may obtain from software producers artifacts that demonstrate conformance to secure software development practices, or SDLC 

Brian Selfridge: [00:20:45] security practices, as needed. This portion is really interesting to me in that it says they "may" rather than "must." So anytime you get this sort of soft suggestion, I think it's problematic. Four of the six sub-points in the order are about software bill of materials (SBOM). And again, if you're not familiar with that, that's requiring organizations to maintain a list of the different components and third and fourth parties that go into their software. And that's something that is getting a lot of attention. And they say in this report that SBOMs, or software bills of materials, may be required. I think we really need some harder action going on. I realize it puts some regulatory burden on organizations and there's a lot of debate about that. But we need some better way to do third-party risk, and software bill of materials is a big part of it. Third- and fourth-party risk, for that matter. 

Brian Selfridge: [00:21:35] Finally, this report goes on to state that agencies must ensure that they've inventoried all of their software in 90 days and that private vendors hoping to sell to federal agencies must have accreditation for critical and non-critical software furnished within 270 and 365 days respectively. That's obviously an incredibly tight time frame for an undertaking of this size. I think the skeptics among us may say, okay, that's a pretty aggressive timeline, but I like the idea of keeping the foot to the gas pedal here so that we can really start pushing vendors to get these accreditations and things that can independently validate security postures, because the way we're doing things now just isn't working. 

Brian Selfridge: [00:22:16] I think that's clear enough. So, you know, there's some lack of clarity, I think, in some of these guidelines. Depending on which news sources you read, you'll find self-attestation that a vendor is following NIST guidance, or you'll find NIST is actually responsible for accrediting software producers. It's not really clear. I saw a couple colleagues saying, whoa, watch out, NIST is now doing accreditation and they're going to get overloaded by the volume of third parties that need to go through this process. I don't think it's been figured out yet, frankly. I think the guidelines are there and then it's, let's go figure out how to execute. So any time you have those situations, you're going to have quite a bit of time before that gets figured out. So between 270 and 365 days, again, that's pretty aggressive. But I like where this is heading and the general intent of it. So let's see if we can figure it out together as an industry. But regardless of the potentially realistic or unrealistic nature of this sort of hurried implementation, I think it's a positive thing. And this is directed, remember, at federal government entities and those selling software to them right now. 

Brian Selfridge: [00:23:17] So it's not applicable to healthcare organizations as a hard requirement, but these things often trickle down into the mainstream, especially if your industry is considered critical infrastructure, which healthcare is, and especially with the inclusion of NIST in so much of this effort. That's going to be really interesting to see how the industry evolves to support this and in what ways healthcare can advance its own third-party risk capabilities with tools and processes and guidelines and, frankly, precedents like this in place. And we can maybe jump on the back of it and make it even bigger and better in our own environments. And finally, for our last story today, how about a little happy news to send you out with, since we covered so many heavy topics today? Veracode recently issued a report that the healthcare sector takes first place for the proportion of software security flaws that are fixed. We passed financial services, which is good, as the top-performing industry in 2022. This is the 12th issue of the report, and it was created by analyzing 20 million scans across 500,000 applications in the healthcare, financial, technology, manufacturing, retail, and government sectors. I don't want to pump us up too much here, but, you know, all it took to get first place was hitting the 27% mark. But we're still in first and we will take it. And you can take solace in knowing that we're doing the right things in healthcare and the industry is moving the needle, at least in one measure, in the right way. 

Brian Selfridge: [00:24:32] So while we top the list on IBM's breach cost report at $10.1 million, well exceeding the financial sector by almost a third, I'm glad to see us winning in some of these more positive control report areas, so we will take it. So, about to wrap up here, just a quick shout out and thanks to my sick daughter and her little stuffed toy puppy who joined us for the recording of this session and didn't cough too much. If you did hear her, I apologize for that. 

Brian Selfridge: [00:24:59] So that's all for this session of The CyberPHIx Healthcare Security Roundup. We hope this has been informative for you. We'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So that's all for this session. So long, and thank you for everything you do to keep our healthcare systems and organizations safe.