The CyberPHIx Roundup: Industry News & Trends, 10/9/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Mega fines and legal costs totaling more than $270m related to two breaches for health insurers Premera and Anthem. We break down the details behind the OCR penalties, state fines, and class action lawsuits.
  • NIST releases the new NIST SP 800-53 Rev 5, the first overhaul of NIST 800-53 in over seven years. We discuss the major changes to the standard and its implications for healthcare entities.
  • The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) warns that it may begin to issue fines for organizations that facilitate payment to ransomware attackers. We discuss the difficult position healthcare providers face between patient safety and potential federal fines.
  • Highlights from the ransomware breach of Universal Health Services this week that may impact its over 400 locations.

Brian Selfridge: [00:00:11] Today, welcome to the CyberPHIx Healthcare Security Roundup, the source for keeping up with the latest cybersecurity news, trends and industry practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other education stuff. So let's dive into this episode.

Brian Selfridge: [00:00:38] Big breaches and big money this week. I want to start off with highlighting some monumental breach costs for two health care payers that came out earlier this week and into last week. The OCR and state attorneys general announced two settlements with Premera and Anthem that have capped some unprecedented regulatory costs for health care entities related to the breaches. I will warn you, this is a bit of a shock and awe to the way these costs are adding up for these organizations. The total breach costs related to OCR fines, enforcement from state attorneys general and class action lawsuits for these two breaches combined to a total of $270 million. Wow. That's not a typo. Two breaches. $270 million over the last several years. Let's break that down in a little bit more detail. Premera had a breach resulting from an attack in 2014 that was discovered in 2015. In May 2014 an advanced persistent threat group gained access to Premera's computer system, where they remained undetected for almost nine months. The hackers targeted the health plan with spear phishing attacks.

Brian Selfridge: [00:01:37] It's pretty typical that installed malware, and the malware then gave the bad guys access to names, addresses, dates of birth, email addresses, Social Security numbers, bank accounts, all the usual good stuff the bad guys go after, as well as health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015, and OCR was notified about the breach in March 2015. The OCR issued a civil monetary penalty last week for $6.8 million and cited HIPAA compliance gaps with multiple provisions of the HIPAA Security Rule. Specifically, there was a failure to conduct a comprehensive and accurate risk analysis, right? We've been talking about that all year. Risk assessments, risk assessments, risk assessments, do them, right? Get the right scope. We could talk about that all day. We'll come back to it. But they also cited their failure to reduce risks and vulnerabilities to a reasonable and appropriate level, failure to implement sufficient hardware, software and procedural mechanisms to record and analyze activity related to information systems containing prior to March 2015, when that breach occurred, and failure to prevent unauthorized access to. So pretty typical stuff in the OCR resolution. But $6.8 million is the second largest HIPAA fine to date.

Brian Selfridge: [00:02:48] So you may be thinking, OK, $6.8 million. Where do the other hundreds of millions come into play that I just mentioned at the outset of this discussion? So let's break it down and get there. It turns out the most costly aspect of these breaches is coming from state level enforcement, from state attorneys general, and class action lawsuits. Premera settled with the attorneys general of 30 states for $10 million in 2019, just last year, related to this same breach. They also settled a $74 million class action lawsuit, also in 2019, related to, again, this same breach. $74 million. $10 million. Now you can start seeing the numbers add up. So that's $90 million in breach costs paid out for federal and state legal and compliance purposes alone. That does not include the costs related to breach investigation, response, implementation and tracking of corrective action plans with OCR. All those things that they cited need to be tracked for multiple years. Implementation needs to be put in place. All kinds of costs associated with that. Legal costs, right. And so on. I won't venture a guess at those specific figures, but you can imagine that those costs would introduce additional material financial burden to the organization for paying for the breach over a five year period.

Brian Selfridge: [00:04:00] We've been talking on this podcast all year about emerging class action and other costs outside of HIPAA and OCR compliance. And frankly, I even surprised myself a little bit. I mean, we had seen these class actions cropping up. They started to have some serious numbers, but we saw the trend. But I had no idea that these types of staggering numbers would start coming out. So let's talk about the next one, because this is not just, OK, Premera had a bad situation and maybe it's an outlier. Let's talk about Anthem. So Anthem experienced a breach from an attack in 2014. Hackers had targeted them with phishing emails, which then gave them a foothold in the network. And then the attackers were able to explore Anthem's network for months, exfiltrating data from its customer databases. And if you recall, I've cited a stat previously on this where the average dwell time for a bad guy in a health care entity is over 300 days. It was 270 days and it's escalated up to, I think, 320 in the latest IBM report. So data stolen in this attack, same deal: dates of birth, health information, Social Security numbers, all the goodies. And the breach was announced by Anthem in February 2015.

Brian Selfridge: [00:05:04] So that's coming up on a year after detecting. It's similar to Premera. And then if you've been following the news, last year, a Chinese national and an unnamed accomplice were charged in connection with the cyber attack in May 2019. So this stuff's been being worked. But let's talk about the fines, because that's really what we led out with here. So OCR opened an investigation and the two parties settled on a $16 million resolution in October 2018. That was, and remains, the largest penalty to date. Monster number. $16 million compared to Premera, you know, just half that. Well, almost a third of that. This past week, though, is the reason why we're talking about this again: the results of a five year long battle with the state attorneys general over HIPAA and state regulation violations resulted in a $48.2 million financial penalty. Ouch. That is well above and beyond the $16 million from OCR. We got $48.2 million. But that's not all. So don't rest on that number, which is already a considerable number. In addition to that, there was a consolidated class action lawsuit that was settled in 2018 for $115 million.

Brian Selfridge: [00:06:09] So if you're keeping score at home, that's $179.2 million in hard legal fees and compliance costs related to this single cyber attack from 2014 for Anthem alone. So $179.2 million. What did we say for Premera? That was $90 million. So we get $90 million plus $179.2 million. And that's how we get to our $270 million for just two breaches. Now, as with Premera, the true costs of the data breach for Anthem are estimated well above these formal legal and compliance fees. Anthem entered into a multi-year corrective action plan with OCR and has had to incur substantive breach response and remediation costs, I'm sure.

Brian Selfridge: [00:06:47] So $270 million plus for two breaches. There are so many takeaways here for health care entities. It really starts up front with fundamental HIPAA compliance and investing sufficiently in your security and risk management programs. Prevention is the best medicine here to avoid the fines and also, by the way, greatly reduce the costs and risks of operational impacts from other breach events like ransomware, which we'll talk about again in a moment. We will talk about ransomware, so we'll leave it at that for now. Big money, big cost. This is not just the big insurers; those state level fines and the class action lawsuits, as we've seen in the trends in prior episodes (go back and listen to them), are hitting small, medium and large size organizations alike. So not necessarily in those numbers, but they're going to be painful, I think, for whichever organization size you happen to manage, run and be responsible for. So let's leave it at that for now and move on to our next topic.

Brian Selfridge: [00:07:41] The next one I want to cover is a pretty big update from NIST this week in the release of the NIST 800-53 Rev 5 update, the first of its kind in over seven years. We just released a blog about this yesterday. So check that out if you want to get all the nitty gritty details. Go to the Resource Center at MeditologyServices.com if you want to go into that depth. I'll just provide a quick summary here for the major points of this new revision to give you a sense of it, and a little bit of background. So NIST 800-53, for those that may be familiar with it or not super familiar, or just need a refresher: this is what I call the granddaddy of security controls frameworks.

Brian Selfridge: [00:08:13] It's been around, and health care has been utilizing it. It's really a predominantly federal-focused standard that has been used for US government entities and related facilities. But then over time it bled out into critical infrastructure like health care, and adoption of the 800-53 standard became pretty commonplace prior to the release of the NIST CSF framework. In what year was that? 2014. So a lot of health care organizations are using NIST CSF or NIST 800-53 or a combination of both, or HITRUST, which we'll talk about, which all include and sort of point back to NIST 800-53. So it's a pretty important standard in a lot of different ways, and it's been seven years since it's been updated. So it was getting a little bit long in the tooth, a little stale, a little outdated, a little antiquated. Choose your word. But let's talk about HITRUST for a second, because there are implications there. So a lot of health care organizations are using the HITRUST security framework, and they released their CSF in 2007, which heavily relied upon NIST 800-53 as well as ISO controls and HIPAA and some other stuff. So this update will also be for organizations that are aligned with HITRUST: NIST 800-53 Revision 5, which is the new version, is going to be applicable for those certifications or just your programs overall. So it's got a pretty broad ranging ripple effect here. So what's new between Revision 4 and Revision 5? NIST has said, and I think it's accurate, it's not just a minor update but a complete renovation of the standard. Rev 5 adds more than 45 new base controls, 150 new control extensions and 100 new parameters.

Brian Selfridge: [00:09:50] So a lot more stuff, a lot more control areas to worry about. And, you know, the major areas that they are focused on there would be different from before. I think the biggest one is integrating supply chain risk management into the framework as a whole new domain, the SR domain, if you're familiar with NIST and the little acronyms they give each family of controls. So there's this new one around supply chain risk management, which has become a dominant theme for health care security programs in 2020 and beyond. And that's going to continue to be the major focus. So I'm really pleased to see NIST 800-53 coming around to having some specific controls around that, which would be very helpful for all of us to make sure we're staying in coordination with that particular domain. And then some other updates where they made the controls more outcome based. So this movement to an outcome based focus is really pretty similar to the mindset that we at Meditology have been focused on the last several years and particularly this year, around moving away from this idea of just doing sort of tactical security work, almost like busy work of sorts, all important stuff, but really focusing on strategic outcomes of the activities that we're doing and how we measure risk and make sure we're actually reducing risk versus just sort of going through the motions. So I think that's a really important thing.

Brian Selfridge: [00:11:05] We put some publications out on that as well. If you want to check out the resource center, which I keep plugging today, there's a lot of good stuff out there. Some other updates: they consolidated the control catalog to make more logical sense or to combine some things. And I think that sort of care and feeding is really important. There are, you know, some challenges when you start shuffling the deck around controls and control numbering and names. I mean, if you have a program where you have to trend compliance over time, with how you are maturing the program and how we are doing today compared to yesterday, compare apples to apples, sometimes these big changes can be difficult for doing that mapping and staying on top of the controls, as well as just overhauling your security controls program with the latest and greatest updates. But I think it's very necessary, right? We can't continue to rely on decades old security controls when the world has fundamentally changed in health care business models, the threats have changed, all that stuff. So there are other updates in the NIST framework I mentioned. You can check out the blog for all the details there. There's a bunch of other changes. I'm not going to claim that that's all of them. But those are a couple that are a pretty big deal.

Brian Selfridge: [00:12:07] And I'm looking forward to seeing sort of how that plays out over the course of time as organizations sort of move from four to five, update their programs and strategies, see how HITRUST plays out with certifications, and lots of implications. Talk to us or reach out to us if you want to talk about that some more; we can certainly go through that with you. The last item I want to touch on today is some pretty big news from the US Treasury Department's Office of Foreign Assets Control, or OFAC. The Treasury Department warned that companies that facilitate ransomware payments to cyber criminals on behalf of victims of the attack could face sanctions for violations of OFAC regulations. So this is tricky, right? Their concern is very valid. They're concerned that ransomware payments can at times be going to state sponsored actors. And, you know, they're not good people, I don't know how you put it, that are issuing these attacks. We had the Lazarus Group in North Korea, for example, that was behind the WannaCry ransomware in 2017. And a lot of these bad actors are sort of having international implications when these large dollars start going overseas to different parties. But this puts health care organizations, particularly health care providers, in a really, really tough position. So health care providers' top commitment, typically, in mission is to protect patient safety, deliver safe and effective care, protect their communities, all that stuff.

Brian Selfridge: [00:13:27] And then everything else sort of falls after that. Right, our regulatory compliance, and to do it in a compliant way, to do it in a safe way and an operational, cost effective way too. For large scale ransomware attacks, this often means making some really tough decisions to pay ransoms in some cases where it may have the opportunity to avoid patient harm, including death. I mean, if you saw our update from last week when we did this podcast, we talked about the German ransomware attack last month that verifiably resulted in at least one patient death, where the patient had to get diverted from this facility while their systems were down. They were trying to get the ransomware key and they even paid the amount, but paid it a little bit too late, didn't get the keys and get them deployed in time. And then somebody passed away as a result. So, you know, check that out if you're not familiar with that case. But those types of decisions, of do we allow that to happen versus worry about pressure from the Treasury Department and other regulators that are going to issue fines for issuing ransomware payments, is a really tough rock and a hard place to be between. So, I mean, I think that the direction that the decision will take for many health care organizations will still be toward patient safety.

Brian Selfridge: [00:14:35] I think we're going to lean that way. But heaping additional financial burden on health systems that are in the midst of a pandemic is perhaps a bit of insult to injury and really, really tough to manage, although, you know, I very much understand the pressures on all fronts. And I think that we need to avoid paying ransoms wherever possible. And some organizations just haven't got the systems and the backups and haven't done their prep work to be able to minimize these attacks. So it leads to a ransomware payment being a very viable and sometimes necessary option, again, not an ideal one and one that should be avoided at all costs. So ultimately, the best way to avoid such a conundrum is to have an effective security program and controls in place, right, so we can avoid the ransomware infection in the first place, limit the spread if it does happen, make sure we have proper backups and well rehearsed incident response planning. If we do all that stuff, it won't be as likely that we're in the place of having to choose between paying a ransom, patient safety and financial burden from regulators and otherwise. So tricky position. A lot of balancing going on, I think. The Treasury Department's announcement is going to cause quite a bit of debate. I've weighed in on my initial reactions here and I'll stand by them, but we'll work with the industry to see how this plays out and what's the best outcome for everybody.

Brian Selfridge: [00:15:46] It may be on a case by case basis for each organization, as we've seen play out with our own clients and customers. So I'll close with mentioning that this is not a hypothetical discussion. This is not a what-if, you know, sort of an "if we have ransomware, what are we going to do?" We just saw Universal Health Services, a very, very large health system with over 400 locations, hit with a large scale ransomware attack this week. And this one is really fresh. So it remains to be seen if a ransom will be paid or if subsequent fines will be issued by the Treasury Department or otherwise. I mean, this stuff takes a little while to play out. And very often the organizations keep the details close to the vest during an active breach, which makes sense. So we'll see how this works. But we have enough cases from 2016, 2017 through to this year to show that these ransomware attacks are happening, the ransoms are getting paid, and it's causing major, major impacts to organizations, including patient safety type issues like the one we just mentioned. So lots more for us to figure out and to pay attention to on that front. And we'll keep you posted in these updates every few weeks. And hopefully you can follow the drama along with us and make some decisions for your own organizations.

Brian Selfridge: [00:16:54] So that's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this is informative for you and we'd love to hear from you if there's a topic you want to talk about, or if you want to talk about any of these issues or challenges directly and get with our experts to figure out how to handle them. So just reach out to us at [email protected], CyberPHIx. So long and thank you for everything you do to keep our health care systems and organizations safe.