The CyberPHIx Roundup: Industry News & Trends, 11/18/21

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to The CyberPHIx Healthcare Security Roundup, a quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on Meditology Services (https://meditologyservices.com/resource-center/), which has CyberPHIx interviews with leading healthcare, security, privacy, and compliance leaders, along with blogs, webinars, articles, infographics, and lots of other educational material. We have some interesting updates today, quite a few to get through, actually, so let's dive into it, shall we? 

Brian Selfridge: [00:00:46] To start things off today, the U.S. Cybersecurity and Infrastructure Security Agency or the CISA released two new playbooks this week. The document is titled The Federal Government's Cybersecurity Incident and Vulnerability Response Playbooks. There are two playbooks and one document just to avoid any confusion there. And they were produced in accordance with President Biden's executive order earlier this year, titled Improving the Nation's Cybersecurity. We actually dedicated an entire episode of the podcast to these executive orders earlier this year. If you want to check those out and listen to them, you can get some more details on them from there. So the CISA says that the playbooks are intended to improve and standardize the approaches used by federal agencies and civilian enterprises to identify, remediate and recover from vulnerabilities and incidents affecting their systems. The incident response playbooks are designed to be engaged or used when a major incident has been declared or when a major incident cannot be entirely ruled out. So they're not for, you know, your low-level day today. It's an, you know, the stuff's really going down. Or it seems like it is, is when you want to pull out these playbooks and put them to use. 

Brian Selfridge: [00:01:48] So those two playbooks, as I mentioned one, is for incident response, the other is for vulnerability response. Both follow the classic incident response process flow of preparation, detection, containment, eradication, and recovery post-incident analysis and coordination. So if you don't already have an incident response plan or procedure for your organization with those exact titles or something very similar to them, then I would argue your incident response plan is not adequate and you want to go and go back and make sure you build that out. Also, if you only have an incident response policy and just, you know that says we shall have these steps and blah blah blah, you don't actually have a playbook and accompanying playbook or procedures. Then again, I think you have some work to do to immediately get up to speed and get those in place, as well as get the enterprise trained on their respective roles in that, in those plans and in those procedures and playbooks through tabletop exercises, training mechanisms and otherwise. Now these CISA documents could be great input documents for you to leverage. And if even if you do have an existing IRP Incident Response Plan, or if you're just sort of getting one off the ground, they're excellent resources to use as reference and make sure you've got everything covered. There are also some cool flow charts and graphics that I think can be easily repurposed for your own needs, and that's a bit of a rarity for four government-issued publications to have things like that. So we appreciate it. There's also some useful mapping to NIST MITRE and other security standards in there. So cool stuff. Check out those CISA playbooks for instant response and vulnerability response. 

Brian Selfridge: [00:03:15] Now, while we're on the subject of playbooks, the private industry consortium, the Cloud Security Alliance (CSA), released a really well-crafted playbook on medical device security this week. The document is called the Cloud Security Alliance Medical Device Incident Response Playbook. The playbook is written by Christopher Frenz, who is an assistant vice president of I.T. Security at Mt. Sinai South Nassau in New York, as well as Brian Russell, the head of the Cloud Security Alliance's Internet of Things or IoT Working Group. I really appreciate that this document gets specific about different medical device types and categories and approaches, since not all medical devices are created equal, that's for sure. There's a huge variance in the technologies that are used when we talk about medical devices or IoT or IoMT. Is it sometimes called Medical Internet of Things or Internet of Medical Things. And, you know, the impact of security events and the mitigations available depending on the type of device that's in use can really vary depending on their usage in different clinical settings. So to that end, the playbook includes some use cases on imaging device compromises, for example, personally implanted devices, as well as network infusion, pumps just to give a few examples. And those are very different scenarios, and I'm really pleased that they've gotten to that level of granularity to be able to articulate the difference of how you respond and react, depending on the type of device. 

Brian Selfridge: [00:04:35] Now, I'll give a quick summary of the major points covered in the playbook. And then you can check it out in more detail, you know, for your own program as you researched this one. So first off, it says they recommend you need to understand the scenarios, including inventory and devices, and classify devices and data for criticality and impact. There's even a section in the document that provides recommended classification levels and definitions toward the end of the document, which I think is an excellent resource. Again, just as a reference, if you're there starting from scratch with your own medical device security incident response, playbook, or program, you can probably dust those off and use large portions of them. If not, if not, the definitions, as is. The document also says you need to prepare your team by identifying and naming stakeholders, gathering tools, and training the team and other workforce stakeholders, which makes a lot of sense. And then they say you need to prepare the process, as they say, prepare the process meaning including communication procedures and vulnerability, handling, handling procedures and those types of things, making sure you have that all documented and figured out. 

Brian Selfridge: [00:05:35] And they also need to prepare the network via traditional network segmentation and network traffic monitoring, which of course, makes a lot of sense for these legacy devices that need to be cordoned off into their own environments for their protection of themselves and others. Then you need to have a threat detection and analysis function established, they say in the report. And finally, you need to define processes to contain, eradicate and recover from incidents. Remember those terms? Those are the same ones from the CISA incident response playbook. So you know the extent if you do create any, any sort of sub playbooks to your master incident response plan, like we often see organizations create one on ransomware, for example, medical device security and other sorts of specific asset types or threats, you want to make sure they're all sort of using consistent language and rolling up to an overall plan so that you know the bones of your incident response process are pretty typical, regardless of the type of incident. But then you can kind of break out these individual playbooks to make sure that you're following specific guidelines for the type of incident that you're dealing with. 

Brian Selfridge: [00:06:38] Now, the other reason I love this report so much is that it mirrors the guidance and experience that we've had here at Meditology and building and managing medical device security programs for many of the nation's leading healthcare systems. You know, the documents also, it's specific and prescriptive, much like the medical device, you know, strategic plans, playbooks, and procedures that our own team here has developed over the years for our clients. So I've just been watching this because we've been doing this for a long time and a lot of what I've seen come out in the market from the FDA and others. And I'm not throwing stones at anybody in particular, but it sort of stops at a very high-level analysis and documentation of the problem statement saying, Hey, we've got a lot of devices that are legacy devices. You've got to patch them. You have a segment as they'll stay at the high level. But we're, you know until you get down and actually build one of these programs out, you don't quite realize the degree of complexity that needs to go into the plan itself and the specificity that you need to have for all the different stakeholder's groups, your internal medical device security specialist, if you have them, your security team, your IoT team, the network folks, your biomedical clinical, engineering folks, you've got compliance. You get a lot of people that need to be in the mix, even procurement for working with the medical device manufacturers. 

Brian Selfridge: [00:07:47] So I like that this report is one of the first I've seen starting to get to that level of specificity that that, you know, consulting firms like us that specialize in this have been doing for some time now. But I think the larger market has not really gotten to that level. There are there's one thing I think that the report lacks, however, and I think that's a comprehensive playbook for patching and remediation of known security gaps in legacy devices in particular. You know, I think one of the most effective actual risk mitigation strategies for medical devices apart from, you know, getting them at procurement and making sure that we secure them upfront as we're were purchasing or renewing contracts and devices. That's obviously something we have to do. But with these devices lasting for decades at a time, often, you know, it's not enough to just focus on the sort of intake of devices. We've got to look at all the stuff that we have out there in the network already. 

Brian Selfridge: [00:08:39] A lot of the what we've seen and what I've seen has been the most effective risk mitigation strategies for these devices, in particular, is it's really some of the less glorious tasks of scheduling downtime, coordinating with the manufacturers for patches, coordinating with internal stakeholders and really patching and updating or segmenting these devices. And that's it's a lot of not super exciting work. It's almost like a project, a lot of project management work and a lot of ways, which I think is not usually where security leaders and teams focus their attention right off the bat for a lot of the common other types of common challenges that we face. You know, we usually look for a tool or a technology first that'll solve the problem or some sort of automated patching or, you know, or we try to treat medical devices like any other asset in the network and follow those kinds of playbooks and all of which are strategies that just fall short in one-way shape or form. 

Brian Selfridge: [00:09:32] So the reality is you're going to need to have these devices. Is on your network for a very long time, so you need a comprehensive playbook and program for security medical devices, and this Cloud Security Alliance report has a lot of the right ingredients to get started. And then, you know, of course, you could. You could talk to us if you want to learn about some of the other pieces or things that we've learned over the years to make sure you get a holistic program in place. So that's enough for medical devices right now that we could spend an hour on that, so we better move on to other matters. However, speaking of medical device vulnerabilities, the CISA issued a security advisory this week for critical vulnerabilities impacting thousands of Siemens medical devices. Specifically, 13 new vulnerabilities were discovered for the Siemens Nucleus TCP/IP stack, which is used in over two thousand two hundred and thirty-three device types. The nucleus device models were actually acquired by Siemens in twenty seventeen a few years ago, and apparently, they also acquired Siemens acquired some vulnerabilities in that transaction as well. Oops. So I guess I'm going to go back and clean these up. The 13 vulnerabilities have a varying range of severity, with the most severe one getting a nine-point eight out of 10 ranking for the CVSS score, which is the standard rating system for vulnerabilities across the industry. 

Brian Selfridge: [00:10:46] CNN, the news agency CNN, actually did a report on these vulnerabilities and did a proof of concept where researchers were able to turn off the lights and the HVAC system and some other things in a mock patient room resulting from these vulnerabilities. Now, there are no known public exploits at the moment for these 13 vulnerabilities, but you know how that goes, right? Once these become public, it's usually just a matter of time before they get written into exploit code and hacker tools and all that stuff. So recommendations for addressing the issues with these, these Siemens vulnerabilities are the usual medical device guidance, right? So make sure your inventorying impacted systems, see what you have, see which ones are affected, get patches in place and there are patches available from Siemens. They've issued them quickly to their credit, as well as segmenting networks on the devices segmenting devices in the network. You can segment your networks or your devices and whatever. Or do you choose to? Someday, I'll do a CyberPHIx blooper reel, but not today. We'll leave it at that since I just gave you the keys to the kingdom on medical device incident response playbooks earlier in our diatribe around the cloud security lines playbook discussion. So we shall move on while we are on the subject of attacks and exploits. 

Brian Selfridge: [00:11:59] I want to take a moment to highlight the emerging trends that we're seeing on the vulnerability around application programming interfaces or APIs otherwise known as APIs to most folks. So for some context here, the implementation of the healthcare the 21st Century Cures Act, for those that aren't familiar with that, we've done prior publications and blogs. You can go just search for that on our research center. But the 21st Century Cures Act has information blocking protection rules that they've created to allow patient information to flow between electronic health records and other applications, both owned or and not owned by the companies. So that's effectively opened the floodgates for the electronic exchange of fees into and out of the platforms. More specifically, the implementation of these new rules has led to the development of APIs to connect the EHR platforms with things like third-party smartphone apps and the like. So healthcare, you know, even more so than other industries in some respects has begun sort of the mass development of these APIs, which are largely flying under the radar for many cybersecurity and risk management programs. So this week, the reason why this is this is sort of timely. The security company Akamai released a report this week on the evolving threat landscape for APIs, which, according to Gartner, will be the most frequent online attack vector by 2022. 

Brian Selfridge: [00:13:23] I mean, you can always rank this stuff. What's the most frequent? What's the highest risk? APIs are definitely up there, and mostly that's because they're not getting as much attention as other threat vectors like your sort of ransomware focus and other areas. Now the vulnerability of APIs is by no means a new phenomenon, but the volume and accessibility of the APIs, driven in part by the 21st Century Cures Act and in part by just the trends in technology and the need to connect systems to systems and APIs are a great way to do that. That is definitely something that's new and we need to watch out for. 

Brian Selfridge: [00:13:57] So going back in history, just briefly here on this, I actually started early in my career as an ethical hacker and penetration tester specializing web applications in API pen testing and which at the time those were brand new capabilities to the market, right? So they were fairly new. Nobody was quite sure how to secure them when they were building them and they were increasingly easy to break into using a variety of techniques. And the techniques that we developed back then for hacking APIs are largely still in use today, as are the mitigation and protection mechanisms. 

Brian Selfridge: [00:14:28] I think there was always a sense in the developer community, you know, that APIs could adopt what some call security by obscurity type of protection, meaning that as long as API connection details were not published and it's really just a developer to developer type of toolset and they weren't advertised, then they largely wouldn't be attacked or targets for attacks. And I think we know at this stage in the game, I won't date myself, but some, some many years later that those of us that we're in the field back then knew that that cyber security biosecurity model just doesn't work, that that whole concept. Eventually, somebody's going to find it. Some tools are going to find it. Some attacker is going to find it and then it's game over. So many of the APIs were written with back then and again still today, poor authentication models, for example, weak passwords, simple passwords, no passwords in some cases. So they're easily able to be brute-forced for password guessing and broken into because they weren't even doing the checks for the sort of failed password attempts because they're like, Oh, it's a system account, nobody's going to be guessing at it or,  mistyping the password. So they just sort of let you try as many as you wanted. They often lacked end-to-end encryption of data and other common security protections like parameter management to protect against things like SQL injection and other types of injection attacks. 

Brian Selfridge: [00:15:45] I don't want to get too technical with the group, but if we go back to the Akamai report for a moment, the report notes a what they call a frustrating pattern of API vulnerabilities where security remains an afterthought for API development and APIs have not been following standard software development lifecycle or SDLC security standard practices. So I'll spare you all the nitty-gritty details of the report itself is it largely follows the pattern that I've been talking about here that we used to see and still see. But I will mention just to be more useful to you here, hopefully, some recommendations that I have for API security measures to take in general. So first, if you haven't done this yet, get an inventory together of known APIs, particularly any that you've developed in-house. I think that's a great place to start because very often you're going to have an opportunity to sort of educate and address those security developers or developers in your environments and sort of nip it in the bud right now. So a good place to get started there. And then you're going to want to conduct some form of penetration testing using, you know, qualified web application, pen-testing firms like Meditology, or others. And if you're going to run vulnerability scans as part of the penetration testing or otherwise, make sure you're running scans that leverage the OWASP top 10 list and specifically the API security top 10 list out of OWASP in particular. 

Brian Selfridge: [00:17:04] You want to run both authenticated and unauthenticated scans because very often with authenticated connections. So that's a valid account that you give to a partner or somebody you want to be able to access the API. When you do some manual testing around those, a lot of times you can find that you can do silly things like query the target database with an asterisk, which basically allows you to return the entire contents of the database, which I don't imagine is something that most APIs were developed or intended to be able to produce, like through a single query. Just give me everything in the database. And very often that's possible. So make sure you're doing that. Parameter management and some simple testing can really go a long way and even vulnerability scanning to find that stuff and make some quick development tweaks to keep that from being a problem. You're also going to want to build OWASP standards and other security standards into your system and software development lifecycles you want to test. You're going to want to test the applications of web apps in the APIs against those standards before they go into production, right? So don't follow it after the fact and train your developers and security teams on how to do all of the above, not only at this point but as the technologies evolve and just making sure you have that cadence and rinsing and repeating on this process versus, you know, waiting for it to become a problem. 

Brian Selfridge: [00:18:19] And then finally, you know, make sure to include questions and require penetration testing results from your vendors that you contract with, many of whom have some form of API or API development in place or underway. If you don't ask about it, I promise you they won't tell you about it. It's an area that does get overlooked. So, you know, put the pressure on the industry to bake in security by design rather than all this sort of breach catch up we keep doing. After all, the damage is unfortunately already been done. Ok, that's enough for API today. If you're interested in this topic, though, just reach out to me. I can connect you with our healthcare, ethical hacking, and penetration testing team that works on attacking and defending APIs day in and day out. And we can help you get some more specific answers to your own environment. Usually, they're pretty quick tests and worth running to help you sleep a little better at night. 

Brian Selfridge: [00:19:08] Okay, next we're going to talk a little bit about some big ransomware updates this week. The Southern Ohio Medical Center reported that they had to divert patients in ambulances this week due to a ransomware outage. They also had to cancel many appointments and outpatient services. The staff has had to reportedly revert to pen and paper charting. That sounds like fun. We got really good at that, you know, 12, 20, 15 years ago. Take your pick. But I think we've lost the skill set of paper charting, so I'm not sure how effective that is. 

Brian Selfridge: [00:19:37] Also, outpatient medical imaging, cancer care services, cardiovascular testing, cardiac cath, sleep lab, and outpatient surgery and rehab all experienced disruption at the Ohio facility here due to the lack of access to systems from the ransomware attack. So this is still a fresh situation and being resolved alongside law enforcement, as you might imagine. We see this impacts to patient safety, financial performance for health systems. It's very much a move away from being a hypothetical occurrence or them, and that's always squeezing things into everything. Standard healthcare systems are driven by the booming business models for cybercriminals in attacking vulnerable healthcare providers. So we'll keep you posted as we learn more about this specific southern Ohio Medical Center situation, as well as other ransomware outages that pop up over time. 

Brian Selfridge: [00:20:28] In related news, there have also been several international partnerships and agreements enacted within the U.S., EU, and Israel, in particular, this week to address cyberattacks with a focus on ransomware specifically. So first up, French President Emmanuel Macron first made a call to international parties generally almost three years ago to take action and coordinate efforts to combat ransomware. 

Brian Selfridge: [00:20:52] That sort of request, and that discussion is now being heeded by the international community and the vice president of the United States. Kamala Harris made the following comments in a peace process summit this week. So I'll run off a little bit of a long quote here, but I think it's a good one, she said. We talked extensively both in our bilateral but with others and again yesterday on the stage about what we as nations must do, who have similar values, whose nations were founded on similar principles to apply those principles and norms, and how we engage each other to interpret each other's actions as it relates to our use of technology and of course, cybersecurity being the most obvious point there, addressing what we've seen in the United States and around the world. Hackers that have compromised systems ransomware, not to mention the daily abuse of individuals. Privacy and manipulation and monetization of other people's data and personal information. 

Brian Selfridge: [00:21:42] So that was a lot. But I think it's really important that we have global leadership starting to make these types of not only comments but agreements. So just to give you some more examples of other action that's happening on the sort of international front in this sense. The U.S. Commerce Department also recently announced that the U.S. is joining other nations in the Wassenaar Arrangement, which sounds really interesting and that would start controlling the export of cybersecurity tools that could be used for both commercial and military purposes. And then, you know, just it's worth noting that China and Russia have surprisingly not signed onto the Paris cybersecurity agreements. And President Joe Biden is set to speak with the Chinese President Xi early next week, during which cybersecurity and alleged cyber-espionage and Chinese espionage attacks on U.S. companies will be on the agenda. So we'll see where that goes. 

Brian Selfridge: [00:22:39] The U.S. also separately announced a partnership this week with Israel to combat ransomware. The partnership will include work to develop a memorandum of understanding supporting the information sharing related to the financial sector in particular, such as cybersecurity threat intelligence staff training and study visits to promote cooperation in the area of cybersecurity. And they also mention cross-border cybersecurity exercises that will be developed to link to global financial institutions, financial and investment flows. So the U.S. Israel Partnership is largely focused on combating the threat against financial services and the financial fintech sector to combat money laundering and terror financing and those types of things. But I suspect the healthcare industries and other industries will benefit from any successful disruptions made to ransomware actors or groups resulting from this new partnership. So great to see all of that international collaboration on ransomware attacks. 

Brian Selfridge: [00:23:34] In other ransomware news, the U.S. has charged two major ransomware operators in their continued takedown of the REvil ransomware gang. You remember Revil? We talked about them at some length in our prior episodes and their massive attacks against U.S. companies and the supply chain with the IT vendor Kaseya. Write big deal and go back and listen to that if you haven't and check out our blogs on that one. 

Brian Selfridge: [00:23:57] So the U.S. Attorney General Merrick Garland announced charges against Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin, alleging them to be part of the REvil ransomware gang. Officials said Vasinskyi was recently arrested in Poland and that the U.S. government had recovered $6.1 million in ill-gotten funds from Polyanin, and the Treasury Department also announced sanctions against these ransomware operators as well. And what it said was a virtual currency exchange called Chatex, which the department reported was used by ransomware gangs to exchange funds.  

Brian Selfridge: [00:23:57] The European law enforcement authorities also announced Monday earlier this week that they had arrested two suspected ransomware operators with links to the Revil gang in Romania and then authorities in Kuwait arrested another accused hacker last week. And South Korean authorities have arrested three others since last February, and a seventh was arrested last month in Europe. These were all part of a law enforcement investigation called GoldDust, which is a cool name, that involved the United States and 16 other countries. 

Brian Selfridge: [00:25:02] The U.S. Justice Department in June seized two point three million dollars in cryptocurrency from a payment made by Colonial Pipeline following the ransomware attacks. So I thought it would be nice to close on these types of good news. Close on some good news here. 

Brian Selfridge: [00:25:16] It seems it's all hands on deck to stop these ransomware attacks. We have healthcare entities implementing playbooks. We talked about that today and prevention mechanisms and response programs. That's excellent. Got to keep doing that. You all need to keep doing that if you're not. We have law enforcement getting some big wins here, big arrests and disruptions, and taking some of the money back. That's excellent. We have international cooperation and diplomacy underway. So great stuff. Let's keep our foot on the gas pedal here and create some disruption to this business model for these cybercriminals to make it at least a little bit harder for them to knock us out, take our money in impact and put our patients at risk. 

Brian Selfridge: [00:25:52] So that's all for The CyberPHIx Healthcare Security Roundup. We hope this has been informative for you and we'd love to hear from you if you want to talk about any of this. Just reach out to us at CyberPHIx@Meditology Services.com. And that's all for this episode. So, so long. And thanks so much. Everything you do to keep our healthcare systems and organizations safe.