The CyberPHIx Roundup: Industry News & Trends, 11/12/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • The FBI’s alert for an imminent ransomware attack on the US healthcare system; summary of the evolving attack and protection measures
  • The Maze ransomware group calls it quits; details of their related announcement
  • Hackers targeting psychotherapy notes for ransom and extortion
  • California election results: citizens approve the new California Privacy Rights Act of 2020 (CPRA), which touts the “strongest online privacy rights in the world”. Note: this is different from California’s related CCPA regulation.
  • Aetna hit with a $1m HIPAA fine from OCR related to three separate breaches
  • $350,000 class action lawsuit for St. Francis Healthcare related to ransomware attack


Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx health care security roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry-leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff.

Brian Selfridge: [00:00:36] So let's dive into this week's episode, shall we?

Brian Selfridge: [00:00:41] The FBI issued an alert on an imminent ransomware attack on the US health care system last week. To give you a sense of the alert and the attack generally, we'll keep it pretty quick here. We actually have an entire webinar dedicated to this that you can watch in recorded fashion at MeditologyServices.com. But basically there was a credible and imminent ransomware threat from a European criminal group called UNC1878, which the FBI and others have indicated is one of the most brazen, heartless and disruptive threat actors that they've seen. There was a planned, coordinated attack on over 400 health systems that would be leveraging a specific ransomware called Ryuk and another set of malware called Trickbot and BazarLoader as the entry points. Now, phishing emails were used to gain access in these attacks using a Google Drive PDF document, and the FBI provided resources and details on the attack.

Brian Selfridge: [00:01:40] Now, what makes this different than other ransomware attacks is just the scale of the attack: 400-plus health care systems, long-term planning, a sophisticated toolset. These actors are based out of Russia and Eastern Europe, and they have leveraged a toolset that allows them to gain entry well in advance of the attacks on these 400 health systems. It's not like they just loaded up the malware today and sort of blitzed the market. They've been thinking about this for a long time and putting the back doors in place with the Trickbot malware and other capabilities. So a lot of long-term planning, and also the malware that they're putting in, this new flavor of ransomware, is extremely persistent and sticky. So it's hard to get out of the environment once it's there.

Brian Selfridge: [00:02:24] And it's also hard to detect, as they put in some additional capabilities that delete shadow logs and other things that make it hard to sort of track where they are. And it is a classic advanced persistent threat, APT-type attack, where there are well-qualified human hackers involved in executing the attack. So the FBI issued this alert as they saw some back-channel communication that was indicating that this attack was imminent. And then there were somewhere between eight to 10 health systems that were affected and reported affected, inconsistently with what the attack messages were saying, within the first week. So I think that's why they went after the attack. So lots to learn more about this one. Again, watch the webinar on this. I think you're going to have some eye-opening revelations as you dig more into this particular attack and how it's played out over the last week. And it will continue to play out through 2020 and beyond with this specific attack and other types of attacks like it. On a related note, the Maze ransomware group have been operating since 2018 or 2019 with some pretty sophisticated attacks. These are the group, if you'll remember, that we've talked about in the podcast previously, where they were not only asking for ransom to release the encryption keys to give you your systems back, but they also said if you don't pay us, we are going to release your information to the black market on the dark web and put it out there as another reason for you to pay the ransom, even if you already had pretty good backups and everything else.

Brian Selfridge: [00:03:50] So that was a pretty substantial change in their game plan into 2020. But they announced this week that they are done. Now, you know, ransomware and other malicious actors, when they go into retirement, often resurface again later. So you always take this with a little bit of a grain of salt. But they issued an official press release and had kind of a whacky message, essentially saying, hey, you know, we were trying to warn you by these attacks that systems were unsafe and it was really just a public service effort on our part. I'm sort of paraphrasing. I don't want to read the sort of manifesto they put out there, but that's the gist of it. In all likelihood, either the heat was getting too high, they might have had authorities on their tracks, or there were other reasons why they didn't want to continue with this line of work for the near term. So it's kind of interesting to see that change, to hear a malware group sort of call it quits, although it's not unprecedented. I think, for ransomware, though, don't assume that ransomware is going to slow down by any means because of these guys sort of putting a halt on things a little bit. The actors out of Russia, pretty exclusively out of Russia, involved in the 2017 WannaCry attack were just indicted.

Brian Selfridge: [00:05:09] Agents of the GRU, the official Russian government entity, were indicted for that particular series of ransomware attacks. This other latest attack, from Ryuk, is also based out of a Russian criminal syndicate. So those folks are not going to let up anytime soon. We're not sure who these folks are, but we'll take it if they want to stop for a minute and give us a little bit of a breather to deal with the other bad guys out there. In other related news of bad guys doing bad things for ransom and extortion purposes, hackers have begun, or at least a group of hackers have begun, targeting psychotherapy notes and psychiatric notes and holding them for ransom and extortion. Given the sensitivity of that particular type of data, you can imagine why individuals would not want that information shared with the public or with people that they know. Of course, that applies, in my mind, to any patient information, but psychotherapy notes are especially sort of damaging. So this is a bit of a unique attack. It involved a psychotherapy clinic in Finland and its patients, where they were demanding 200 euros for each patient, or else they were going to publish their private conversations and put them online. So just another sort of flavor of ransomware attack that's happening out there as information becomes more digitized in the health space, sensitive information included, behavioral health and other stuff.

Brian Selfridge: [00:06:27] I think we'll continue to see these types of attacks, not only on availability from a ransomware perspective, but also on the sensitive, confidential nature of these notes. In other news, the California election results. We were all very focused on the presidential election, I think. But there were other things being voted on and put into place. One of them is the new California Privacy Rights Act of 2020, which was approved by the California citizens. And it touts the strongest online privacy rights in the world. So just a side note: this is different from the California CCPA regulations. The California Privacy Rights Act is the new one. The prior version was the CCPA. So the new one builds on the CCPA requirements and provides additional protections for California-based consumers. Think of this as very, very similar to GDPR in a lot of ways in its intent and scope: any information of California residents that is handled online has additional privacy rights and requirements associated with it, and, of course, penalties. This was instituted and issued by Andrew Yang, who some might remember as a former US presidential candidate. He's the chair of the Board of Advisors for Californians for Consumer Privacy. He was sort of a big voice behind this particular regulation. So like other related privacy regulations that are coming out, it adds more teeth and more enforcement activity in addition to more sort of prescriptive requirements for organizations to enact privacy protections.

Brian Selfridge: [00:08:12] So it's a fairly long regulation, fifty-two pages long, so I won't attempt to get into it in detail here. We'll put out some blogs and some other information on it. But I think as a global trend, we see GDPR and California leading the way on privacy protections. It's very likely, in my view, that the next iteration of federal laws in the US will include many of the similar privacy protections that have been built out in regulations like CPRA and CCPA. Just add a new acronym to your life. So it's probably a good idea to start getting ahead of these requirements whether or not you have patients or constituents in California. Good idea to take a look at this either way and get ahead of it. Of course, if you do have those situations, if you are involved in California and data that might flow to or from residents of California, then you definitely want to get a handle on this, get an assessment done, figure out where you stand and start putting policies and procedures in place to address it.

Brian Selfridge: [00:09:11] Another update this week relates to some HIPAA and OCR fines to catch you up on. The major payer group Aetna was hit with a one million dollar HIPAA fine from OCR related to three separate breaches. The first breach was reported in June of 2017 and had PHI exposed over the Internet. A couple of web services were used to display patient information, and they didn't require login credentials. So pretty classic situation there. If it's put on the Internet with no login credentials or poor login credentials, that's certainly going to be something that gets the attention of the regulators and others, and in most scenarios a breach is most likely imminent. The second two breaches involved the impermissible disclosure of highly sensitive information with two mailings to plan members. So these are those window envelopes. If you've been involved in the Covered Entity payer side of the house for the last 15, 20 years, you know that this is an issue that crops up over time, where you have these physical mailing envelopes and they have that little plastic window in the front, and you're not allowed to have any sensitive information exposed in those windows or allow it to slide around. There are protections you have to put in place to make sure that somebody can't just pick up the letter in front of somebody's house and say, oh, you know, you've got this particular condition, treatment or other related activities. So they missed that one. The words "HIV medication" could be seen through the window of the envelope.

Brian Selfridge: [00:11:11] And this is also in addition to $2.7 million in related settlements for HIPAA violations brought by the state attorneys general of California, Connecticut, New Jersey and others related to the HIV medication situation. They also settled a class action lawsuit for $17 million for that one. So 17 plus three plus one, right? We're getting up into those double-digit millions of dollars of fines. And if you follow our update, last week we talked about $270 million in cumulative fines related to breaches at two entities earlier this year. So the numbers are getting very, very real, very, very big. And the class action lawsuits are really the game changer in a lot of ways. And OCR is still doing its thing. So, you know, pay attention to those fines that are coming out and be aware of that. But if you're only focused on OCR and those penalties and the HIPAA Security Rule and the audit protocol and all that stuff, that's definitely worth paying attention to, but remember that when you have the breach, ransomware, hacker, exposed Internet, mailers, whatever it is, these class action lawsuits are really where the dollars come up big and can have a major impact on covered entities. The last class action lawsuit that I mentioned, this is a smaller one, but related to a health care provider called St. Francis Health Care, as they were hit with a $350,000 class action lawsuit related to a ransomware attack. So this was a ransomware attack from September 2019 on the Ferguson Medical Group, which is an owner of St. Francis health care system.

Brian Selfridge: [00:12:54] And like any ransomware attack, it rendered the data inaccessible and unusable and all the things that ransomware does. And some information was actually permanently lost for some patients based on the outage. So, you know, they did all the usual stuff, credit monitoring and, you know, an oops-we-had-a-breach kind of situation. But this proposed settlement was to cover the related cost and impact to the patients and the community. And St. Francis had to agree to make multiple improvements to their security: their firewall, their patches, other sort of technical security access points and stuff, remote desktop, all those good things. So, again, a reminder that it's not just about the class action lawsuit. $350,000 is what it is, but these requirements to actually build out your security program, you're going to have to do them one way or the other. You can either wait for a breach, then pay the OCR fines and the class actions and then go build your security program. Or you can build them up front, get your risk assessments done, get your pen tests done and be a little bit more proactive about that, and then avoid these types of fines and financial penalties, or certainly reduce the likelihood and impact of them if they are to happen.

Brian Selfridge: [00:14:10] That's all for this session of the CyberPHIx health care security roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long, and thanks for everything you do to keep our health care systems and organizations safe.