The CyberPHIx Roundup: Industry News & Trends, 11/7/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Deep dive into new CISA Cybersecurity Performance Goals (CPGs) for healthcare and critical infrastructure
  • NSA releases new “hacker’s playbook” for operational technology (OT) cyberattacks
  • American Hospital Association (AHA) endorses the Healthcare Cybersecurity Act draft bill
  • Gramm-Leach-Bliley Act (GLBA) amendments become effective this December that may bring healthcare into scope for GLBA security requirements and enforcement
  • Massive ransomware outage for CommonSpirit Health impacting over 142 hospitals and the Epic MyChart EHR platform
  • Advances in quantum computing for encryption and the potential for “Q-day” events that could expose all encrypted data to unauthorized decryption
  • HHS warns that attackers are abusing common security and system administration tools
  • CISA alert about Daixin Team ransomware gang targeting healthcare PACS environments via VPN and RDP attacks
  • New stats and guidance on public cloud security trends and recommendations

Brian Selfridge: [00:00:00] Good day and welcome to The CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. I am your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders as well as blogs, webinars, articles, and lots of other educational material. We have a unique agenda to cover today, so let's dive into it, shall we?

Brian Selfridge: [00:00:45] We'll start off this roundup in the industry regulation, standards and frameworks domain because there was a big new announcement from CISA, which is our favorite new acronym of the decade, I think: Cybersecurity and Infrastructure Security Agency. At the end of October, they made this announcement. So we're beginning to see some of the fruits of the labor mandated by President Biden's 2021 emphasis on cybersecurity. Most of you probably recall the May executive order on improving the nation's cybersecurity, which we covered in detail on this show. Go back and listen to that if you want to get the gist of it. But there was also a July 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems, which we also covered previously if you want to dig into it. So this stemmed directly from the Colonial Pipeline ransomware attack, if you'll recall, back in May of last year, that shut down a major flow of gasoline to a huge portion of the eastern and southern part of the US, which is a problem, right? I know it may seem like these roundup podcast episodes are an array of random and unconnected happenings in the industry as we sort of rattle them off each time. But I think if we look back at the last several years of coverage that we've done here, all this stuff kind of connects. It's like one of those mystery movies or shows you watch where the detective has a big corkboard with photos and thumbtacks and connects events and pictures and people with different colored strings.

Brian Selfridge: [00:02:06] You know what I'm talking about; if you don't, I'm sorry, that sounds like a crazy thing. But if you do, it's kind of like that. We have all these stories that are floating around and they connect even over the course of multiple years. So, but anyway, at the end of October, CISA produced these Cross-Sector Cybersecurity Performance Goals, or CPGs, and I'm going to use that acronym. It's our new favorite acronym, I guess, after CISA, as I'm going to refer to it hereafter, because this is a pretty important document that was put out and I think really useful. So I'm going to spend a little more time covering it than usual, than the average sort of story that I'll do here, because I think there's a lot of import for our industry. So these CPGs were developed in response to that July memo from President Biden. The memo required CISA, in coordination with NIST and the interagency community, to develop baseline cybersecurity performance goals, again, CPGs, that are consistent across all infrastructure sectors. And now, if you remember the last couple of episodes we were talking about, Jen Easterly, the CISA director, was kind of hinting that there's going to be these big announcements across critical infrastructure. Healthcare is going to be one of the ones that we're focused on.

Brian Selfridge: [00:03:14] And I think this is what we were expecting to see. I mean, we didn't know exactly what we were going to get, but this is in line with that, where they're trying to take more of a critical industry focus and lumping healthcare into that, which is great because it means we're getting more attention from the federal government, more resources, more documentation, support like this one. So I'm excited to kind of go through this with you. So quoting directly from CISA on this, the CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance (they don't say it, but they mean NIST) as well as the real-world threats and adversary tactics, techniques, and procedures, which they call TTPs. Just bear with me and don't blame me for the acronyms: we have CPGs, cybersecurity practices, and the TTPs, the adversary tactics, techniques, and procedures. So what are the bad guys doing, as observed by CISA and its government and industry partners? They say by implementing these goals, owners and operators will not only reduce risks to critical infrastructure operation, but also to the American people. All right. We are finally servicing the American people. You know, actually, we have been this whole time; we call them patients, but they're people, too, we'll allow that. The CPGs are intended to be, according to CISA, four things, and I'll run through them with you.

Brian Selfridge: [00:04:42] Number one, a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk reduction value. So I would read that to say stuff that we know works, which is good. Number two, a benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity. So I love the ability to kind of compare apples to apples: how are we doing? Are we keeping up? Because a lot of this, you look at a lot of the ways security programs are rolled out, there's this idea, well, we're doing the best we can. We have limited resources, but we're still getting hacked. And it's not if but when we're going to get attacked, and those types of things. But I think there's real benchmarks to say whether you're doing a good or better job than your peers. So that's pretty cool, the benchmarks. Number three, the goals of the CPGs are to create a combination of recommended practices for IT and OT owners, including a prioritized set of security practices, and number four, unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation. I mean, I love this big language. It sounds so important. And it is. I'm not dismissing it, but we just, you know, we've been buried, right? Security teams have been buried in the basement of the hospitals and looked over and yelled at for making people use passwords and stuff.

Brian Selfridge: [00:05:56] Hey, we're protecting the nation, folks. Don't you forget it. All right. CISA also comments upfront that the CPGs are voluntary, which is an important distinction. Now, Biden's memo did not compel organizations to adopt the CPGs or provide reporting on them to any government agency. Obviously, it wouldn't be surprising to see something change there in the coming years, but for now, they're voluntary. That's kind of how this works, right? You get up adoption of something that makes sense, and then as legislators and law writers get involved in trying to figure out, like, how are we going to measure this and how can we hold them accountable, they look to existing standards. So there's always, HIPAA references NIST, and you see that a lot. I think we'll see these new laws referencing these CPGs and, if not requiring them, at least sort of creating them as the standard. But that's a digression. We'll see how it plays out. CISA also comments that these CPGs are not comprehensive and don't identify all cybersecurity practices needed to fully manage the cybersecurity program. But they do capture a core set of practices that are a great starting point. I think that's an important distinction, right? We have NIST, we have 800-53, we have CSF, and we have HITRUST; those do a fantastic job with the comprehensiveness part.

Brian Selfridge: [00:07:05] But at some point, if you're looking to start somewhere, it's almost like that SANS Critical Top 20 Controls, which has now been changed to the CIS, I think, Top 20 Critical Controls. It's the idea that, look, if you're going to do anything, do these handful of things and then deploy the full framework. So it's not dismissive of the rest. It's just a way to start. So let's look into some of the, I mentioned we're going to spend some more time on this one because I think these are pretty cool, some of the organizational constructs of these CPGs. So first of all, you should know that this does build on top of the NIST CSF. Everything the federal government has put out in recent memory has been aligned with the CSF. And I think that's a strategic decision, and rightfully so. So the CPGs are not a new framework and actually use the CSF as their core, and even recommend an abridged set of actions that CISA itself calls a kind of quick start guide, quote unquote, for the CSF. CISA still recommends adopting the CSF as a way to build a comprehensive cybersecurity program. Of course, of course. But CPGs are a way to start. So that's all stuff that they say about it. And CISA explains its selection criteria for how it chose these particular ones, right? Because that's always a debate, like what's most important.

Brian Selfridge: [00:08:17] And we can have lots of discussions as security officers and leaders and team members about what's more important. So they provided a little bit of insight into how they chose these in particular. So there were three reasons. One, these are goals, these are controls, that significantly and directly reduce the risk or impact caused by commonly observed cross-sector threats and adversary TTPs. Remember TTPs? Right. Let me scroll back up. Threats and adversary tactics and procedures. I wish I could tell you I remember that one already. I don't. But it'll get there, right? We'll just repeat it. What's the rule, if you say something like seven times, you remember it? So maybe by the end of this we'll know that acronym. At least I will. You guys are going to have to speak out loud to yourselves quietly. The second reason, so that was the first, and the second reason the CPGs were developed: they provide clear, actionable and easily definable goals. So they're not, for those that have ever done like NIST 800-53 control frameworks, where they have these really highfalutin security control technobabble controls that are kind of vague and kind of weird. I think they're trying to fix the errors of the past and make them easily definable, so no one has to do a lot of interpretation. I think that's super helpful.

Brian Selfridge: [00:09:32] The third criterion that they used for selecting these, I should say, is reasonably straightforward and not cost-prohibitive for even small and medium-sized entities to successfully implement. And this is something that is just a constant debate, right? Like how do you create a cybersecurity set of rules of the road that's applicable to the small or large, the complex, the simple, different types of healthcare organizations out there? And HIPAA is still grappling with this, right? I mean, I still get involved as an OCR expert witness, testifying on cases of HIPAA compliance. I still get brought in to help describe what is reasonable and appropriate for an organization of this size or that size. And there's lawsuits and fines that sort of hinge on that. So I like that these CPGs are saying, look, these are ones that it's reasonable and appropriate for everybody to do. You can't say, well, woe is me, I'm too small, or even for large organizations saying, well, it's not really reasonable for me to do that because it's hard. And that's just what these cases kind of end up feeling like sometimes. Anyway, these CPGs, I love that they're taking that sort of discussion or debate out of the equation, hopefully. That's their intent there. So each CPG, each goal, follows the same basic model that includes 6 to 8 elements. Got a lot of lists today.

Brian Selfridge: [00:10:50] I hope you're keeping track, taking notes. The first data element is the security outcome the CPGs will enable. The second is the TTP or risk addressed by the CPG. I can't handle these acronyms. This is going to be really hard to get through. Anyway, the TTP or risk addressed by the goal is important because we want to know how these are mapping to current attacks. Because the attacks keep changing, the attackers change, and the methods change. We've talked about that. So what they did, CISA did here, is they mapped every control to either the MITRE ATT&CK TTPs (if you're familiar with the MITRE framework, it's just an awesome kind of tracking of the attack vectors and methods) or they mapped it to a common language set of organizational risks that CISA developed themselves. So they put some thought into this one in order to keep aligned with the attack vectors out there. The third principle or data element, they say, is the scope of the security practice. So this mostly refers to IT or OT or both, but there are some more specific examples like Windows-based IT assets or departing employees and those types of situations and threats. The fourth area is recommended actions, which are practical tips and examples of how an org can implement the CPG. So that helps. It's not just have the control and the goal, but how can we actually get this done, which is always why consultants and advisors and folks like myself in our organization are brought in to say, how do we make sense of this? Well, hopefully CISA is helping us out with that.

Brian Selfridge: [00:12:24] And finally, they map NIST CSF subcategory references that really relate most closely to the security practice. So again, that mapping back to the CPG. So, you know, the stuff the government puts out is still a little kind of wonky to read through, all the acronyms and stuff, but I think they're getting much better, much, much better. The CPGs also include some really handy and practical materials to try to solve the "where do I begin?" problem. How do we get started? Which is a lot of what I think security practitioners struggle with, especially if they're taking on a new organization or a new framework. How do we just get off the ground with these behemoths? So the CPGs themselves serve as that quick start guide to get organizations, particularly ones that lack depth in cybersecurity experience, resources or structure, just on the road to getting towards CSF adoption. So you don't need some brilliant CISO or team. Now, granted, you need talent, but maybe some folks that don't have 30 years in the field can figure this out. I think that's kind of the goal. It also contains a worksheet with some components that would really come in handy for a lower maturity organization. I hope this doesn't come across as being kind of derogatory to anybody.

Brian Selfridge: [00:13:35] It's just the reality. Some organizations just don't have that strong of a cybersecurity program. So the worksheet contains tables that include all the data elements we covered earlier, but it also includes a high, medium, and low impact rating for the control. So that's good. High, medium, low complexity rating in terms of implementation. So how hard is this thing to actually get off the ground? They include specific verbiage on recommended actions relative to the scope of the control. So again, specific advice for OT versus IT and so on. It even includes an assessment checklist for current state and one-year-later state, so you can get started. And then, by the way, you should be maturing to this one-year-later point. So if you don't have a system you already use to perform risk assessments, this can serve as kind of a starting point there. So finally there is the complete CPG matrix in Excel form that they provide, that you can download and see every single data element that we've discussed all mapped together. All told, the product covers eight domains. This is the CPG sort of PDF, if you will, and you can check it out. There's eight total domains and 37 individual security practices, which sounds like a lot, but if you look at comprehensive frameworks like HITRUST, 37 controls is lighter than light, and that's great.

Brian Selfridge: [00:14:50] That means it's specific. The domains include account security, device security, governance and training, vulnerability management, supply chain or third party (they call them both and I call them both, too), response and recovery, and the glorious catchall domain at the end of "other," which, as you read into it, includes network segmentation, detecting threats and TTPs (there it is again; did we get to seven yet? I don't know, it's pretty close) and email security. So a lot of ground covered, and all the important areas that you would expect. But again, if you look through this thing, it's pretty cool. It's got a really simple kind of table structure. It's not just a puked-out narrative of security controls, which some of these documents are or feel like; it's got nice, crisp little tables that lay it all out there. So in my opinion, I think there's a lot of really, really good stuff in here. It's practical, it's implementable, and it's a stepping stone in a bridge to larger, more comprehensive frameworks rather than being yet another framework to worry about. It is kind of the way onto the path. I think that's great. So if you're a smaller healthcare provider in particular, or a vendor working in the healthcare space, which may be sort of on the less, not having a grandiose, huge security team side, and I've been there and involved in working with organizations of all those types. So if you're one of those and trying to figure out where do I get started, how can I get the most bang for my buck, how can I get things going in a defensible way that just doesn't rely on my own gut sense of what's important? This is a great companion and starting place.

Brian Selfridge: [00:16:24] So that said, if you're a larger company with a more mature program, this is a good step to include in your risk assessment approach and make sure you're doing the most important things right, especially when you get to that prioritization and those corrective action type of discussions. We assessed everything in the CSF or HITRUST world or whatever you want to look at it, and you have this big list of gaps potentially, or potential risk exposures, and everybody has them. Don't feel shy. We all do. You know, perhaps using these CPGs as a way to say, all right, if we're going to focus on anything, maybe it should be these eight domains and these 37 controls, if any of them have been identified as gaps. So that's pretty useful for larger organizations as well. So I'm really excited to see how CISA continues to produce useful and practical work products like this. And this might be some of their best work yet, I think. I think we're really trending in the right direction, for all of my quips about prior government support. I think they're doing a fantastic job, and we also get to support the nation and the American people, which is great.

Brian Selfridge: [00:17:25] Continuing with some more good work by the folks at CISA, we're going to just heap praise on them today. In late September, CISA and NSA partnered to write a short document called Control System Defense: Know the Opponent that provides some quick-hitter guidance on securing against OT and ICS attacks, ICS being industrial control systems. So another acronym. It briefly explains some of the specific challenges in securing ICS and OT, namely being difficult to secure due to the design for maximum availability and safety, coupled with their use of decades-old systems that often lack any recent security updates. So, boy, that captures it pretty accurately, doesn't it? So the publication, the Playbook, walks through specific actions that attackers use when targeting these systems, the industrial control systems and OT systems, in five different steps. Here comes the list for you guys. One: establish intended effect and select a target, so your bad guys are looking for who to get next. Two: collect intelligence about the target system. That makes sense. Three: develop techniques and tools to navigate and manipulate the system. Four: gain initial access to the system. And five: execute techniques and tools to create the intended effect. Now I have to say, as a pen tester and a hacker on the good side of things, at least that's how I see it.

Brian Selfridge: [00:18:47] That's a really dry description of the process. It's a lot more fun than that. I joke; the bad guys should not be having fun. They're doing jobs, stealing, and hurting us all, so I don't like them. But you know, creating the intended effect is a little light way of saying getting all this stuff, getting their money. So the document, the Playbook, provides some outstanding details about each of these steps and then offers five mitigations that map directly to the steps. So you're just trying to keep in line with the attacker's methodology and make sure that you're doing the steps you can along the way to stop them. They used to call that the kill chain, where you can kind of identify the attacks earlier as the bad guys are doing their thing and sort of cut it off and kick them out before they get to that step five where they get to create the intended effect, if you can do that. So those steps that they say the offensive folks, or I guess, defense, I'm sorry, defensive folks, ourselves, can do to address this are: limit the exposure of system information in public forums to disrupt the early intelligence gathering phase of the cyber kill chain. So no more message boards with all the great how-tos on how to secure and run your industrial control system. Let's just kind of keep that stuff a little bit closely guarded.

Brian Selfridge: [00:20:07] They say identify insecure remote access points to reduce the attack surface. Remote access is everything these days because everybody's remote. Limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. So I'll interpret that as, like when we're doing pen testing and hacking, you can run these shell-script-powered, PowerShell and all these different tools that will let you do a whole lot of really cool and terribly destructive administrative things if in the wrong hands. And so they're saying, look, just make sure that's only in the hands of a few of your system admins and people that should be doing that type of work. That's automation that they need to do their job and do it well, but don't give the attackers the ability to do that. And as, again, faux attackers in our pen testing world, we do that a lot and it's tremendously helpful and useful in that capacity, as it is to the bad guys. So they say conduct regular independent security audits, especially of third-party vendor access points and systems, and finally implement a dynamic network environment to limit the opportunities for intelligence gathering, long-term access, and bespoke tool development that static networks afford. I don't know if I can translate that to English, but basically, you're just trying to grapple with the fact that we have a lot of flat networks that just don't change that much in healthcare for a long time, and that allows attackers to get involved, gather intelligence, build their game plan before they actually really launch the attack or the exploit.

Brian Selfridge: [00:21:42] They're kind of just poking around there in your environment for a long time, weeks, months, years, in some cases. So just trying to get a way to have more dynamic network environments that aren't so predictable and static. So that's the way I read that. But that's a tricky one. All right, that's enough. That was a big, a lot to cover around this stuff. So thanks for sticking with us. But I think that was really, really cool stuff they're putting out there and very helpful. So definitely check those out if you haven't already and look for ways to apply them in your organization. Now, in other federal news, the American Hospital Association (AHA) went public this week with its support for the Healthcare Cybersecurity Act. Now, I'm not sure if you recall, but we've covered the many teases around the Healthcare Cybersecurity Act that has been proposed over the last several months; we've covered it on the show here. So I'm not going to kind of rehash that because I don't want to bore you with stuff we've talked about already. But the proposed bill would require CISA to collaborate with HHS, the Department of Health and Human Services, to improve healthcare cybersecurity by making resources available and providing cybersecurity training to healthcare asset owners.

Brian Selfridge: [00:22:45] We mention this because any time, I think, the AHA or the American Hospital Association throws its support behind legislation, it tends to carry some weight. And cybersecurity professionals, I think, need to know that. Now, the AHA has done that with this particular bill. Again, a lot of my peers and our clients and customers, there's a lot of just wait and see with these draft regulations and bills, of saying, well, let's see if this really gets legs before I start spinning up resources and processes. So seeing the AHA get behind this, I think, can give you a little sense that, hey, you might want to pay a little closer attention to the Healthcare Cybersecurity Act just in the event that that may become a real thing. Although the act has a lot to do with how federal agencies interact with each other and provide support to the industry. So, you know, there may not be that much that changes your day-to-day life anyway, but we'll see how it plays out. And of course, we'll keep you updated as it continues to evolve and as we put more pins on the map and put more ropes connecting those pins. Is that analogy still working? I've lost everybody twice now. All right, let's move on. So one more, this is not it for today's podcast, but one more in the regulatory domain. Just didn't want to get you too excited there.

Brian Selfridge: [00:23:58] We got lots more to cover. Around regulations, this one is down a slightly different path than most healthcare or cybersecurity pros may be used to, and that is because it's related to the Gramm-Leach-Bliley Act, or GLBA, if you like to say it that way. But I like GLBA because why wouldn't you? So GLBA is being amended as of December 9th, 2022, and it may affect your organization. So let's talk about it. Historically I've thought of this rule as only really applying predominantly to financial institutions and not really having much of a play in the healthcare space. But under this amended rule, that quote-unquote "financial institutions" includes a wide array of businesses, including those that engage in the following: one, traditional banking functions; two, making, brokering or servicing extensions of credit; three, property appraising; four, collection services; five, credit reporting; six, asset management; seven, leasing property; eight, real estate settlements; and finally nine, bringing together buyers and sellers of any product or service that the parties negotiate and consummate. So I have to think that some of our listeners might fall into the category of making, brokering or servicing extensions of credit, or collection services. Obviously, healthcare collections are a big thing. You get those things in the mail they send out, and collection agencies, or they may be part of healthcare, and these may be part of bringing together buyers and sellers of any product or service that parties negotiate and consummate.

Brian Selfridge: [00:25:29] I mean, jeez, can you get any more broad than that? So each of you should probably consider reviewing this expansion to see if your business has GLBA in scope, or just wait and we'll help you figure that out as this plays out. But if you do, or you think you might have GLBA in play, then the Safeguards Rule is the one that impacts cybersecurity, the GLBA Safeguards Rule. Here's a quick rundown of some of the things it requires, in case you're thinking like, okay, if this is in scope, so what? It requires a qualified individual appointment as a security leader. And that's the trend we're seeing with a lot of the regulations and standards, and especially around the third-party stuff. You've got to have a CISO or equivalent named and mapped and dedicated. They also require a risk assessment with some specific criteria that must be met. So that shouldn't be new to healthcare, risk assessments. We nailed it, except for all of those OCR cases we do where they don't nail it. I'm kidding. There's still a lot of healthcare organizations not doing risk assessments properly. Please, please, please do those and do them right. Accurate and thorough. The GLBA rule also requires some specific criteria on safeguards that should be implemented, including access controls, data inventory, data disposal, and change management.

Brian Selfridge: [00:26:45] They require information system monitoring and pen testing. That's a big one. Again, we see that, like some of the state laws and some of the emerging things are outright requiring penetration testing now, which I think is the right thing to do. This new rule requires training for security personnel, and requires assessments of service providers, meaning third-party risk management, basically. Right. Of course, our sister company, CORL Technologies, specializes in third-party risk management. If you need help getting that started, wink, wink, plug, plug. I don't plug too much on here, but there's one for you. It requires written incident response plans and reporting to the board of directors by the qualified individual, the appointed security leader, that first one we talked about. If you don't have that person, you can't report to the board in a qualified way. So you get two strikes against you if you don't have a security leader. So get those security leaders in place. Now, if you already have an operational security program, hopefully none of these things should be a bridge too far. But you may need to evaluate whether or not you can prove that you're doing them in the event of a GLBA audit or legal concerns. So if you have a well-kept control inventory with effectiveness ratings, you probably already have this, but not everybody does. So go back and take a look if you don't. Of course, now that I've plugged one thing, I'll plug another thing.

Brian Selfridge: [00:28:03] Meditology can help you out with all that stuff, so feel free to reach out if you need any help. All right, let's move on to the fun stuff. Some breach news, right? Just when you were wondering, hey, have there been any breaches in the last couple of weeks? You betcha. I'm not going to cover them all, but I'm sure many of you may have seen some headlines on the CommonSpirit Health ransomware event. This was a pretty big one. It's another one of those kind of nightmare scenarios with extended outages. So I want to get into some of the details on it, because I think cases like this are so useful for us to learn from, and we wouldn't have time to go through every incident. There have been just so many, but we'll try to pick out the cool ones for you to learn from. The timeline of the attack, as we know it at least, right? It's always sort of incomplete information. On October 3rd, portions of the country's second largest non-profit health system remain without full access to IT systems as of this week. I can't tell you, like, today or yesterday whether they fixed it, but they've been out this whole week. CommonSpirit Health operates 142 hospitals with over 2,200 sites of care within 21 states. So this is a massive health system, right? And it's made up of several subsidiary brands across those states. 

Brian Selfridge: [00:29:16] This attack apparently only affected a subset of those subsidiaries, the most prominent of which is CHI Health. Now, I'll take a quick moment to just point you back to another ransomware case that we talked about in the UK. We did a whole kind of episode really focused on that, if you want to go back and listen to that, as another monster health system attack. At the time we said, hey, you know, we know this is the UK, it's not the US. If you listeners are US based, you're probably, like, checking out of the conversation. But I said, look, this could come up, this could hit us in the States. We've got to learn from this. And here we are a couple of months later, it really hasn't been that long, when we have this CommonSpirit Health incident. So the known outages for the incident were related to Epic MyChart, the electronic health record. Right. This is not your minor outage. That is hugely damaging for the organization. So of course it's the patient portal, it's the provider portal. You guys know Epic, right? You know MyChart. It's everything. It's a full electronic health record. We still don't know many details on the attack. They're keeping that pretty close to the vest. But CommonSpirit has publicly said that they are in the process of conducting a forensics investigation to pinpoint the nature and entry point of the attack. 

Brian Selfridge: [00:30:31] It's probably all the same stuff we've been talking about, but we don't know for sure yet. Given the size of CommonSpirit, I imagine that, you know, when these details do emerge, there will be a lot written about it and all the sort of post-mortem things that we saw with that UK-based ransomware a little while back. So of course we'll give you the full details when that becomes public. We don't know if they paid the ransom or what kinds of backups or disaster recovery practices they had in place. But we do know it was a major outage, and whatever processes they had in place haven't gotten them back online quickly. That we can say with confidence, because here we are and they're still out, gosh, almost a month later now if we tally it up. So, you know, as you all know, having those backups and disaster recovery plans doesn't always mean that it's going to go exactly as you planned when the worst case happens. So remember to do those tabletop exercises, do those scenarios. I think they're very eye-opening when we do those with our clients, to see what could happen and how these scenarios can shift, even if you think you're ready. Sometimes the little curve balls are enough to leave your systems offline for a long time. 

Brian Selfridge: [00:31:38] So we're going to keep an eye on this one. But I think ultimately this brings into stark relief some of the regulatory topics we've touched on the podcast every month, really some of the different activities going on that will help the healthcare industry through more collaboration, through federal government assistance, through just simply implementing implementable security frameworks, and getting third parties and medical device manufacturers to take their portion of accountability here. And there's a lot that sort of leads into these breaches getting as far as they do. And so we'll see over and over again that smaller entities are more targeted now due to their lack of resources and security maturity. But even these really super large behemoth organizations like CommonSpirit are not immune to these types of attacks. And, you know, Epic and these big electronic health record systems, where you say, like, oh, well, it couldn't happen there, it couldn't happen to this big a system. They've got all these teams and processes. Guess what? It's here, it happens, it's everybody. So let's do everything we can to get prepared, folks. And I know you all are doing your best, but we'll keep serving up the resources for you to do even better. Switching gears to the threat landscape, let's talk more about what those malicious folks are up to. I saw an interesting article a few weeks ago, but I'll bring it forward, about quantum computing. And I know it sounds futuristic, it sounds crazy, but just bear with me. 

Brian Selfridge: [00:32:59] A Deloitte study of 400 cybersecurity professionals revealed that 50% of respondents said that their organization is at risk of harvest now, decrypt later attacks, whereby cybercriminals extract encrypted data in anticipation of the time when quantum computers are able to break existing cryptographic algorithms. And this is really super important, right? If you are just collecting the garbled crypto text, if you will, ciphertext or whatever they call it, I'd have to dig back into my CISSP training to remember the proper terms. But you guys know what I'm talking about. You collect the gobbledygook. And at some point every encryption algorithm gets broken, and you just collect that, you keep it in the background, and then when it's broken, all of a sudden you have this treasure trove. You've got the secret key. I'm thinking of my kids and their little black light pens and their invisible ink things. Once you get that little pen, you can read everything. Oh boy, does the world become a much more interesting place. So apparently this tactic, technique, is called Q-Day, which is not a term I had heard before, but maybe you haven't either. So you've heard it here. But it's a growing concern that in the next 5 to 10 years, this attack capability could potentially leave all digital information vulnerable to threat actors unless we're able to develop some sort of quantum secure encryption solution, in which case we could do that before the bad guys can decrypt. 

Brian Selfridge: [00:34:25] It's going to be a race, like it always is with encryption. Now, the good news is that this is not happening completely in the dark. NIST is in the process of selecting the encryption algorithms to become part of its planned post-quantum cryptography (PQC) standard. Back in July, it announced four encryption tools that can withstand quantum computing attacks, and it has a two-year timeline to officially publish them. And for those that were around, I mean, this kind of mirrors the AES, the Advanced Encryption Standard, where they had the big bake-off for encryption protocols with Blowfish and all these different ones that got to compete to see who was going to become the Advanced Encryption Standard. And then that became the law of the land. So this is kind of similar, trying to stay ahead, get the competition, and get a standard in place before it's too late. I'll confess I'd seen the NIST news on these algorithms, but I hadn't really gone deep into them. But it might be time for us to kind of dig our heads a little bit more into quantum computing just because it could be such a game changer. It's one of those: what is the likelihood of quantum computing decryption happening ahead of quantum computing encryption? I think it's less likely. 

Brian Selfridge: [00:35:41] But you know what, boy, if it does happen, we are in a world of hurt, an absolute world of hurt. So I think it's worth us paying attention to this as an industry and as security leaders and practitioners, just, you know, taking stock of our organization's ability to rapidly switch cryptographic algorithms if we needed to. Obviously everyone would be in the same situation, so we'd all be scrambling. But the question is, can you do that without upending your entire infrastructure? And there's a term emerging for that that they're calling crypto agile. I didn't make that up, but I think it's just something to keep on your radar, so I won't go too far into it. It's all kind of a bit, I don't want to say science fiction, but it's sort of ahead of where we are right now, and maybe that's fun to think about, but also kind of scary. In other news, an October 6 white paper from the Department of Health and Human Services Health Sector Cybersecurity Coordination Center, HC3, or "HC-cubed" is a more fun way to say it. They put out this white paper that warned about a handful of legitimate security tools that are most often abused by hackers. I don't think any of these will come as a surprise to a lot of our listeners, but I think it's worth noting. The tools specifically mentioned include Cobalt Strike and PowerShell. 

Brian Selfridge: [00:36:49] That's what we were talking about, the shell tools, earlier. Mimikatz, Sysinternals, AnyDesk, and Brute Ratel. HC3 is not advising organizations to stop using these tools. In fact, in some cases, like PowerShell, I mean, that's an impossible ask, to stop using PowerShell. It's just such, it's like the Batman utility belt for sysadmins. You just need it. But it is simply alerting that those are commonly used for real attacks. So I'd advise working with your internal SOC, Security Operations Center, or managed security operations center provider just to understand the use cases of, hey, where are we using these tools? How are we using them? Who has access? And kind of doing some of that minimum necessary type of work to make sure it's limited to not only the people that should be able to use these tools, but the IPs, the ports and the protocols, and the network segments and those types of things that can really do a lot to take those very powerful tools out of the hands of adversaries that are using them routinely. And as HC3 tells us that that is happening, I can tell you from real-world experience that's happening all the time as well. Much easier said than done on all of this, of course, but a worthwhile undertaking to do those assessments, spend some time figuring it out, and definitely limit the likelihood and impact of big ransomware events like the one we saw with CommonSpirit that we talked about a moment ago. 

Brian Selfridge: [00:38:13] All right. We can't leave without giving one more shout out to CISA. They just keep putting out such good stuff. So one more mention for them. They issued an advisory Friday that outlined how a new ransomware crew known as Daixin, I'm sure I said it wrong, but who cares? They don't deserve to be pronounced correctly. That's the insult I have for the ransomware crew. But they've been infecting and extorting healthcare and public health providers. The intel was credited to the FBI and CrowdStrike and notes that Daixin, Daixin, how do you want to say it? I don't know. Send me an email and let me know how you say it. So these hackers are specifically targeting healthcare companies and have taken a particular interest in accessing database, imaging, and diagnostic systems within the network, so that's your PACS systems. Get some alerting put on those PACS environments as a result, if you don't already have that. Their primary method of initial access is through VPN servers. The alert specifically cites exploiting an unpatched VPN server in one instance, and using compromised credentials obtained through phishing to access a VPN server that didn't require MFA in another instance. Then they use SSH and RDP, Remote Desktop Protocol, to move laterally and try to gain privileged account access through credential dumping and pass the hash. 

Brian Selfridge: [00:39:35] I mean, basically that's anybody that's ever done an attack. That's how you do it. You get a foothold through phishing or through some other method. You then move laterally, you do the RDP stuff, you poke around until you get something juicy, you dump out the hashes, crack those, and break them. You use the passwords you find, you hope one of them's an administrator, and usually it is. If you do enough of them, you'll find somebody with elevated privileges. So that's what the bad guys are doing. It's the most common way of attacking and moving laterally and getting domain administrative level access in order to conduct their attacks. So you can see the alert that CISA put out for specific indicators of compromise, IP addresses, and all that good stuff. They've got all that in there. The alert will tell more about what volumes the malware encrypts, so you can kind of keep an eye out for the file extension names and the ransomware message itself and all that good stuff. So you can kind of put your feelers out there to see if any of that's going on in your environment. If you're not already, you should also subscribe to the CISA alerts for sure, as a way to pass this kind of info to your defenders on the front lines. Okay, now for our final update for today. 

Brian Selfridge: [00:40:43] Thanks for hanging in with us this far. A new report, or article, put out by SC Magazine around public cloud security, which is one we all just need to be kind of on top of. They shared some statistics that I think will confirm what a lot of us thought, perhaps. But these stats help us to just kind of make sure we're steering in the right direction and prioritizing the right things. And certainly cloud security, and public cloud security, is a big one right now. So here are some of the stats. The average company storing data in the cloud is estimated to have about 157,000 sensitive records exposed to anyone on the Internet due to insecure software as a service apps, which amounts to roughly $28 million in data breach risk, if you kind of tally it up as they have here. They also say 26% of cloud compromises are the result of attackers exploiting unpatched vulnerabilities. So that's pretty classic: get your patch management done. Now, I know a lot of the prior publications that have been put out, which I think are probably a little more comprehensive than this particular report, like the IBM Ponemon Institute report, for example, talk about not just the attackers exploiting unpatched vulnerabilities, but also the misconfigurations and just the accidental sort of wrong configs that end up getting put out there, that really are the bulk of cloud risks these days. Although again, this stat says 26% are unpatched vulnerabilities. 

Brian Selfridge: [00:42:06] But I think the other, like, 74%, right, are misconfiguration. So don't lose sight of that even with a stat like this. They also say even though two out of every three organizations are known to host sensitive data or workloads in the public cloud, just under a third of respondents, 31%, were either not confident or only slightly confident about their ability to protect sensitive data in the cloud. They also said 37% of respondents surveyed in this report said that their organizations experienced a cloud-based attack or breach in the last two years alone, amounting to an average of four attacks per victim since 2020. The report cites five common challenges in public cloud security. So I'll rattle those off, because that's useful. They say poor visibility; understanding and prioritizing risk in the public cloud; insecure APIs, application programming interfaces; misconfigured settings; and resourcing and expertise. So they're saying, I mean, that's really it, right? There just aren't enough cloud security experts out there. And that's why you get misconfigurations, that's why you get insecure APIs. And I'm not surprised by that. That's going to be a challenge we're going to live with for a while. So if you don't have a cloud security program going, if you haven't built expertise in-house, you know, you've got to bring in folks like, again, this is going to sound like a plug, but you don't have to just do Meditology. Meditology has got a whole team that does nothing but this and are experts in it. You've got to bring in somebody like that to make sure you've got your configuration settings right, make sure you've implemented the Azure and the public cloud, the Google Cloud environments correctly, even Office 365 and all this stuff, just validate that it's done right. 

Brian Selfridge: [00:43:44] It's no disrespect to your folks that are doing the best they can. It's just super, super complicated. There are a lot of options, there are a lot of variables. There are a lot of flags that you need to set the right way. And of course, there are missing patches and stuff too that we've got to keep on top of, so definitely really pay attention to this stuff. There's so much more that we could dig into, but make sure that you get that support to assess and pen test your cloud environments, make sure you've got the right implementation in place. Please, please, please do that if you haven't already. If you can hire a cloud security expert in-house, by all means, do that. They are few and far between. They're super expensive, but they're worth it if you can really deploy them correctly and keep tabs on your environment overall. All right. 

Brian Selfridge: [00:44:28] That's all for this session of The CyberPHIx Healthcare Security Roundup. We hope this has been informative for you, and we'd love to hear from you. If you want to talk about this, just reach out to us at [email protected]. That's all for this session. It's been a true pleasure. So long, and thank you for everything you do to keep our healthcare systems and organizations safe.