The CyberPHIx Roundup: Industry News & Trends, 12/2/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • FTC Final Rule released: mandatory penetration testing, MFA, vendor risk management, risk assessments, and more implications for healthcare entities
  • New report on healthcare IoT security operations from CrowdStrike and Medigate
  • CHIME report on the state of cybersecurity for ambulatory and long-term care facilities
  • CISA issues a critical cybersecurity alert related to the holiday season
  • US warning of Iranian government-sponsored attacks underway leveraging Microsoft and Fortinet vulnerabilities
  • HHS issues alert and guidance on uptick of zero-day attacks for healthcare
  • 2022 trends in advanced persistent threats from Kaspersky


Brian Selfridge: [00:00:01] Good day, and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, along with blogs, webinars, articles, infographics, and lots of other educational material. So, great updates today as we head toward the end of the year, so let's dive into it. 

Brian Selfridge: [00:00:32] In a big news item this week, the FTC issued their final rule for 16 CFR Part one point thirty four, Standards for Safeguarding Customer Information, otherwise known as the Safeguards Rule. And that's what I'm going to call it from here on out because that's a little easier. As we reported in previous episodes here, the FTC also finalized their healthcare breach notification rule earlier this year, which, for those that are into formal citations, is 16 CFR Part 318. The healthcare breach rule is focused on healthcare vendors and apps that store and manage consumer patient information, so that's a little bit different from this latest rule. The new rule, the Safeguards Rule from the FTC, applies predominantly to financial institutions that maintain customer information for over 5,000 individuals. 

Brian Selfridge: [00:01:18] The FTC rule is important for healthcare entities, in a sense, for a few reasons. One, the FTC previously waded into enforcement of healthcare entities for failure to safeguard patient information with their enforcement action against LabCorp some years ago. For those that remember that, this generated a bunch of debate in the healthcare industry about, you know, do we need to be subject to both HIPAA and FTC enforcement for cybersecurity? And where is that going to go, and where's that headed? Well, the FTC has not given up that attempt to enforce in healthcare. So we have to kind of keep an eye on that. However, the fact is that the FTC has enforced in healthcare before, and they may enforce again. So there's that thing to keep in mind. 

Brian Selfridge: [00:01:59] Secondly, the recent regulations, these FTC regs, are a great way to get a look into what the next healthcare-specific federal regulations may look like. So I'm kind of watching every single state regulation that comes out, but the federal ones always give me more cause for attention because of the fact that they may make their way into similar regulations focused on healthcare. So there are some very specific requirements in this one, and we'll get to them, around pen testing, penetration testing, vendor risk management, multifactor authentication, and some other areas that we should all be paying attention to. So with that said, I want to actually give a rundown, in a little bit more detail, of what's in the new FTC final Safeguards Rule.  

Brian Selfridge: [00:02:45] So first off, it says that organizations must designate a qualified individual to oversee the organization's information security program. The individual doesn't need to be an executive or a CISO per se. And I think that's a good thing. I think that's really a step in the right direction, because this provides some wiggle room for entities to hire, like, a virtual CISO or some sort of part-time support, which is a role that we're seeing crop up a lot in healthcare organizations this last year for a couple of reasons. One, just a cost factor. Also, the fact that more and more organizations are being open to CISOs working remotely and from other geographies, and supporting that model. So we see that a lot, especially in small and mid-sized organizations, and it's a service that we do ourselves as well for that reason, just based on that demand. So the FTC Safeguards Rule says that individual, whomever is designated as the information security overseer (I don't think that's exactly what they call it), 

Brian Selfridge: [00:03:41] the Qualified Individual, must submit written reports to executive leadership at least once a year. The final rule also requires companies to conduct routine security risk assessments, so that's just like every other reg that's out there. But they include that those risk assessments must include testing for vulnerabilities and penetration testing explicitly. Penetration testing specifically needs to be conducted annually. And vulnerability scanning must be conducted at least every six months. 

Brian Selfridge: [00:04:11] So this is a really big change and one that I think makes a lot of sense for a lot of reasons. So many healthcare entities do perform some degree of annual penetration testing, but there's still a high volume of organizations that either don't conduct any pen tests, ethical hacking, or penetration tests at all, or they limit themselves to really periodic vulnerability scans. And, you know, I think the six-month window is actually being really generous. From a regulatory perspective, perhaps, but I think best practice, we'd see it's really being kind of a monthly scanning cadence, if not quarterly at the outset. Six months is sort of leaving it a little bit long in the tooth for your vulnerabilities to be hanging out there, especially with all those zero days we talked about earlier. Some organizations are doing neither. They're not doing pen tests. They're not doing vulnerability scanning very well. And I can tell you those organizations are sitting ducks for ransomware and now potentially enforcement from laws like the FTC Safeguards Rule. So if you're not sure about what is required for penetration testing or vulnerability scanning, or if you're sort of on that earlier curve of maturity and want to get caught up, you can check out a blog post we published just recently on Meditology Services, where we provide answers to frequently asked questions about ethical hacking and pen testing in healthcare, and that can hopefully get you started off on the right foot. 

Brian Selfridge: [00:05:27] So the FTC final rule imposes greater security controls as well on covered businesses, as they call them. So here are some of the more significant ones imposed by the rule, just to give you a quick rundown. One is encryption, both in transit and at rest. No surprise there. Multifactor authentication is now required to be implemented for all remote connections. So that's, again, somewhere the industry has been headed. Kind of pleased to see the regulations pushing that. I think that'll take a lot of those organizations that just haven't brought themselves to make the investment and actually go and get this done. The rule requires that audit trails must be in place, and continuous monitoring to detect and log unauthorized access. There are also requirements around change management, which is not something that's always sort of called out in that terminology, though certainly it is part of every standard security framework in place; it's just called a bunch of different things. So, you know, that talks about how any change within the technical infrastructure of the organization could introduce new vulnerabilities. So the rule requires covered businesses to implement formal change management procedures to be able to track and identify and approve those changes and hopefully reduce the likelihood of vulnerabilities sort of seeping in in the process. There are also requirements around secure disposal, so you have to dispose of customer information when it's no longer needed. This applies to both digital and paper records. 

Brian Selfridge: [00:06:51] And I think a lot of times we still think about disposal as being paper records or removable media or those types of things, or even hard drives. But I think at some point we're going to start talking about how we actually get to dispose of data that's no longer in use, but is just, you know, cheap to store and keep around and ends up getting breached. The rule doesn't quite go that far, but I think that's maybe where we're headed eventually. 

Brian Selfridge: [00:07:13] And then finally, the last piece is around secure development practices, which is, you know, in other words, SDLC or system/software development lifecycle security, which is an area that absolutely needs a ton of attention. So it says any applications that use or access customer information, whether developed in-house or by a vendor, have to implement secure development practices. So if you're looking at these regulations, or looking at your third-party risk management program regardless, you definitely want to look at the software development and security development lifecycle for your vendors as part of that vendor assessment process that you hopefully are doing already for your supply chain vendors. Now, in one of the more important rule additions, in my view, the FTC has also created mandates for vendor risk management security controls overall, beyond just the SDLC part. This is a much-needed focal area for organizations. As you know, these cyber attacks on the supply chain just keep getting out of control. 

Brian Selfridge: [00:08:09] So covered businesses will be required to take reasonable steps in selecting service providers, which includes ensuring service providers implement and maintain appropriate safeguards for customer information. The oversight requirement is not just during the selection of vendors, but includes periodic assessments as well. And covered businesses may no longer simply rely on a vendor's security certification or attestation, so those last two pieces are really big changes. I think a lot of third-party risk programs out there are still doing the process of assessing the vendor at the time of procurement, and that's sort of the main checkpoint and checkbox that they'll do and say, OK, well, we bought it. This idea of including periodic assessments, especially for your top-tier vendors, I think, is something we've been talking about for a long time and implementing with our customers. And I think one that really is critical now, as the technology that your vendors use keeps evolving. And then the last part, about certifications or attestations: you do want to request those, in my view. Still request and require organizations and vendors to get certifications like SOC 2 Type II or HITRUST certifications, which are the two dominant ones. But you can't just rely on that and say, OK, just because you've got a security certification, then everything is fine. You still have some follow-up to do to make sure that the implementation of your specific product in your environment is still covered. 

Brian Selfridge: [00:09:29] So the final thing on the FTC rule, and I know we spent a lot of time on it here, is that the rule will take effect 30 days after the date of its publication, which was earlier this week. So get ready for those, anybody that has, you know, it's more financial institution focused at this point. But again, I think you can expect to see quite a bit more from the FTC, and from other federal regulators, using these types of requirements. I think this is a very no-surprise type of regulation, but it also will be tough to implement for a lot of organizations, I think. So we'll see how that plays out. All right. 

Brian Selfridge: [00:10:05] In other updates this week, a new report was released from two security firms that specialize in healthcare cybersecurity threats and IoT (Internet of Things) security operations, namely CrowdStrike and Medigate. The report indicates that eighty-two percent of health systems experienced some form of IoT cyber attack in twenty twenty. And they also cite several other external resources in the report. But they indicate that health systems experienced a forty-five percent uptick in ransomware during that same time period, with thirty-three percent of organizations paying the ransom. It's not clear to me whether or not this report is attempting to link the two circumstances of IoT attacks and ransomware attacks. I suspect they're not necessarily correlated. Nonetheless, the report cites some other interesting external sources that quantify the average ransomware payment by healthcare entities as just shy of $1 million per event, like nine hundred-something thousand per event for payouts. I hadn't seen that particular figure before, so I think that's useful intel to have handy when you're looking at the return on investment of security protection investments. Now, that's just for the payment itself, right? So the actual cost of ransomware events is much higher. But that's just the payment, the average payment that goes out to the bad guys. 

Brian Selfridge: [00:11:19] This report also emphasizes the importance of endpoint security and visibility into asset vulnerabilities in particular, which is not an entirely surprising recommendation from two firms that specialize in doing that. They do, however, note that the three most common vulnerabilities that both firms saw on IoT devices are DejaBlue, BlueKeep, and Netlogon, so you can look those up if you're not familiar with them. So you may want to get your vulnerability scans in place to look for these specific vulnerabilities and talk to your medical device manufacturers and your IoT vendors about patches for those specific areas. Again, DejaBlue, BlueKeep, and Netlogon are the big ones to look out for. 

Brian Selfridge: [00:12:00] So finally, for this one, the report also discusses the importance of segmenting and segregating IoT devices on the network. They indicate that thirty-eight percent of their clients are engaging in network access control and segmentation projects. Frankly, this has been the most dominant and most effective control measure for the last decade-plus, that is, network segmentation. 

Brian Selfridge: [00:12:20] You know, despite all these tools and technology solutions that have cropped up in the IoT and Internet of Medical Things space, which all have their role, and I'm not dissing them, it still sounds like network segmentation is a huge part of the puzzle. And although it can be a daunting task, I've been through several implementations of these. It's probably time for you to start that network segmentation project for your IoT and medical devices if you haven't already done so. It's an area that works, and it's not a silver bullet, but it has a huge risk reduction factor, and it's something that does take time to build. But this problem isn't going away anytime soon, and it's pretty clear that the tech that's coming out isn't enough to solve it alone. So get your network segmentation projects underway. All right, so that's it for this particular report for now.  

Brian Selfridge: [00:12:20] Another report was released this past week from the College of Healthcare Information Management Executives, or CHIME, as it's more commonly known for those that are familiar with this group. The CHIME report focuses on a subset of the healthcare provider space and delves specifically into the security posture for ambulatory and long-term post-acute care facilities. So the headline grabber from this report is that only 32 percent of ambulatory care organizations have a comprehensive security program in place, and only twenty-six percent, or about a quarter, of long-term 

Brian Selfridge: [00:13:38] acute care organizations have a comprehensive program in place. The measurement of what constitutes a comprehensive program is based on CHIME's own defined standards, which include requirements like having a formal CISO defined (sounds like the FTC rule), having a formal training module and program in place, having a dedicated cybersecurity committee, and annual risk assessments. They also say that organizations have to conduct routine incident response tabletop exercises. They need to update their inventories of business associates, and other similar requirements, in order to make the grade for this sort of CHIME standard that would constitute a comprehensive security program. What I find interesting is that many of the ambulatory practices that we've observed, or I've observed, in the industry are often affiliated with larger health systems. 

Brian Selfridge: [00:14:25] So this report doesn't necessarily say, for the ambulatory practices here in scope for this survey, whether they get credited if they have support from the mothership, so to speak, on their cybersecurity program elements like the dedicated CISO, compliance committees, and all that stuff. That said, many of the standalone ambulatory and long-term care organizations that we work with here at Meditology have often assigned their security role to someone like a CTO, chief technology officer, or chief information officer that plays a dual role and wears multiple hats. We mentioned, you know, that whole virtual CISO model earlier, and I find that these types of smaller organizations, ambulatory practices, those types of things, are perfect for that virtual CISO or partial CISO model. 

Brian Selfridge: [00:15:10] You still get that independence and expertise of a veteran CISO without having to source an expensive, full-time security leader for the role, which sometimes can be really difficult to maintain for smaller entities. So the CHIME report notes that ambulatory organizations have a much heavier reliance on security tools and technology and an underinvestment in people and process. So for all those people-process-and-technology cheerleaders like myself, that's not a good equation that's being played out in these settings. You know, it's clear these organizations, you know, have not invested in the people part. I think that's probably the root cause issue, because it makes the generation, design, and execution of process almost impossible if you don't have the right skill sets in-house. 

Brian Selfridge: [00:15:10] In short, for this report, ambulatory organizations are going to be soft targets, I think, for some time to come if investments aren't shifted somehow into the cybersecurity arena, either by having these ambulatory organizations partner up with larger health systems for the cybersecurity piece, or a larger business function that has the capability of investing in FTEs or managed services to get the job done. So if you're not able to partner up with a third-party health system, you know, it might be a matter of having to start to increase the spend to get some support in this arena, either partially or from a managed service perspective. 

Brian Selfridge: [00:16:32] All right, for our next set of updates today, I'm going to rattle off a few alerts that were issued by the federal government this week. First up is an update from the US CISA, who issued a critical cybersecurity alert about some emerging threats heading into the holiday season. The alert says that recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways, big and small, to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure. Now, the alert didn't note specific threats, but it does harp on a persistent trend that overseas attackers use holidays and long weekends in the U.S. to attack healthcare entities when they're minimally staffed, for example. The CISA recommendations include identifying IT security employees who would be available to work during the weekends and holidays in the event of cyber attacks. For all of you that are in that category, I'm sorry that the recommendation is killing your holiday. But they also advise implementing multi-factor authentication for remote access and administrative accounts, mandating strong passwords and ensuring that they aren't reused across multiple accounts, which is pretty standard guidance, and ensuring that potentially risky services like Remote Desktop Protocol, or RDP, are secured and monitored. So I think all of that is excellent guidance to put a little bit of extra Band-Aids around the environment over the holidays. 

Brian Selfridge: [00:18:00] The next critical security alert comes from the H-ISAC public-private partnership, which used to be the healthcare ISAC, now high tech, for healthcare threat monitoring and alerting. This alert indicates that the Iranian government has sponsored attacks and hackers targeting key U.S. infrastructure, including healthcare, in somewhat of a surprising turn. The alert notes that Iranian attackers are using ransomware as part of their attack portfolio, which is really rare for state-sponsored actors; using ransomware is usually limited to cyber criminal syndicates who want to get the return on the investment, whereas the state really isn't usually in it for the money. But the alert says that, more specifically, the Iranian hackers are exploiting known flaws in software made by Microsoft and the California-based vendor Fortinet, which, if you've listened to the last couple of updates, we talked about some Fortinet breaches. Those are the VPNs for the most part, and they are allowing access to systems to try to lock them up with ransomware and other techniques. So the alert says that these Iranian government-sponsored actors can leverage that initial access for follow-on operations such as data exfiltration or encryption, or ransomware and extortion. So get your systems patched, get Fortinet updated if you have that in place, and get your monitoring on high alert for the next few months for those types of attacks. 

Brian Selfridge: [00:19:21] The third and final alert that I'll highlight today is a warning from the U.S. Department of Health and Human Services, or HHS, about an uptick in the threat of zero-day attacks. So zero-day attacks are those attacks that leverage previously unknown security vulnerabilities to launch large-scale attacks. These can be particularly difficult to defend against and respond to, as there's often no patch or solution readily available at the moment of the incident, or the time of the incident. I actually lived through one of these major zero-day events as a healthcare CISO years ago, and I can tell you it's a harrowing experience. So there's really little or nothing you can do right at the outset, because your anti-malware vendors, your security technology partners, besides, like, the forensics folks and those that can sort of get geared up, can't do much for you up front on the tech side, because there's just no patch, there's no signature. There's nothing you can do to get these zero days under control. So you have to do a lot of the investigation, the diagnosis, the triaging of the situation very quickly on your own in the opening hours and sometimes days after the initial attacks. So they're very, very damaging. HHS, the Department of Health and Human Services, reports that 80 percent of attacks leveraging zero days are successful breaches. So while successful from the attacker perspective, anyway, if it's a zero day, they're eight times out of 10 going to get in. I'm surprised at the two percent that don't get in, but we'll have to dig into that. 

Brian Selfridge: [00:20:44] The advice from HHS is to patch early, patch often, and patch completely. They also recommend implementing a web application firewall to review incoming traffic and filter out malicious input, which can prevent threat actors from reaching security vulnerabilities. Finally, they discuss implementing runtime application self-protection, or RASP, agents that can sit inside your application's runtime to detect anomalous behavior and prevent threat actors from executing zero days. So that's a great extra technological wrapper to put in place around zero days, and zero days are not going away any time soon. They're just constantly being researched and developed, especially by nation-states that have the resources to really spend on the R&D to identify those. 

Brian Selfridge: [00:21:27] All right, the last update for today. It's not an alert, but this is a report from the Russian security firm Kaspersky, who released their predictions for key trends in advanced persistent threats heading into twenty twenty-two. Kaspersky predicts that there will be a continued rise in the development and adoption of commercial surveillance software used by cybercriminals and state actors. Some of the other predictions include that mobile devices will be exposed to wide, sophisticated attacks targeting personal devices with zero-day attacks. There are zero days again, on Apple iOS in particular, that they're sort of expecting to see. Kaspersky also anticipates an increase in supply chain attacks, as well as continued exploitation of work-from-home networks and models as a means to enter corporate networks. They also expect an explosion of attacks, they say, which is quite a visceral kind of term to use, but an explosion of attacks against cloud computing and software architectures. 

Brian Selfridge: [00:22:22] The report also indicates that low-level attacks using bootkits are hot again, as they say. So for those that don't know bootkits, bootkits are, like, a malware variant type that modifies the boot sector of a hard drive, including the master boot record. So basically, you get your malware built right into the device at its boot time, rather than having the bad guys hack their way in from the outside in. 

Brian Selfridge: [00:22:47] Speaking of end-of-year predictions, I plan to have some fun in our next episode and recap my own previous New Year predictions for healthcare cybersecurity trends over the last several years, and we'll see how I fared with predicting the future. I'm not going to give away the answer to that. You'll have to tune in to find out. I'm then going to provide my predictions for 2022 and see if we can get ourselves as prepared as possible heading into the new year. 

Brian Selfridge: [00:23:10] That's all for this session of the CyberPHIx Healthcare Security Roundup. I hope this has been informative for you, and I'd love to hear from you if you want to talk about any of this. Just reach out to us at CyberPHIx at Meditology Services. So that's all for this week, and so long, and thanks for everything you do to keep our healthcare systems and organizations safe.