The CyberPHIx Roundup: Industry News & Trends, 12/9/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • A leading U.S. cybersecurity firm FireEye has been reportedly hacked by a nation state; implications for the healthcare industry are explored
  • A global phishing campaign is underway targeting the COVID-19 supply chain; we discuss the specific healthcare, pharmaceutical, IT, and other third-party organizations at risk
  • OCR issues their final penalty of the year
  • Kalispell Health proposes $4.2m legal settlement related to a 2019 hacking attack and breach
  • President-elect Biden names the new Secretary of Health and Human Services


Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, a quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. So let's dive into this episode, shall we?

Brian Selfridge: [00:00:42] A leading US cybersecurity firm, FireEye, has been reportedly hacked by a nation state this week. Early indications are that it's most likely Russia, given the high degree of sophistication of the attack, as well as some of the initial reports in from the investigators. The attack is believed to have been targeting high-profile U.S. government clients of FireEye as opposed to FireEye specifically, although the attackers did walk away with an acquisition of FireEye hacking toolkits, which are purported to be some of the most sophisticated hacking tools available in private industry at the moment. Now, if this is confirmed to be Russia, which I'll emphasize is not officially confirmed to be of Russian origin just yet, then this could have implications for health care entities, as the latest spate of coordinated ransomware attacks against US-based health care systems has been identified as originating in Russia from sophisticated organized crime units there, if you'll recall. Also, the WannaCry ransomware attack from 2017 has recently been officially attributed to the Russian government and their GRU attack unit. This acquisition of the FireEye toolkit, in particular its security attack and defense toolkit, could potentially bolster those attackers in Russia and other places with a new portfolio of top-end offensive and defensive security capabilities. The short version is that this is not a good development for healthcare, if you haven't surmised as much already. We'll need to continue to be aggressive in our build-out and testing of incident response capabilities as well as other security control measures.

Brian Selfridge: [00:02:14] We need to get our risk assessments done, especially pen tests. Make sure we can evaluate what would happen if our environment were to be attacked using these tools or other capabilities from sophisticated attackers or regular attackers. We need to pursue certifications, like HITRUST and SOC 2, and get more practice fine-tuning our incident response practices. There's a ton more to be done. Those are just some of the key areas. Check out our webinar that we did a few weeks back where we break down the latest ransomware attacks, including who's behind them, why and how they're doing the attacks, and how to protect your organization. It's available on our resource center as a quick replay, as well as a transcript if you want to check that out.

Brian Selfridge: [00:02:56] Now for FireEye's sake, they're actively working with the industry, the cybersecurity protection tools and capabilities out there, and the other peers in the market to develop and implement countermeasures and detection capabilities for their own toolset in this case. So we'll give you more to come on the story as it unfolds. This is not the first time government tools have been hacked. I want to note that the NSA, the federal government's NSA, was hacked several years ago and we're still seeing the use of those tools, specifically the EternalBlue vulnerability.

Brian Selfridge: [00:03:27] And the related tool that came out from the NSA several years ago is still in very active use against healthcare environments and is one of the more prominent ways to gain access across several industries, including healthcare. So patch your Windows systems, folks. EternalBlue and the NSA hack were in 2017. That's three, almost four years ago. We're still seeing it as an effective attack measure. So get those Windows systems and the supporting medical device middleware that all have these missing patches from three, four years ago up to speed. That's our best defense against some of these latest types of tools. No excuses on that one.

Brian Selfridge: [00:04:07] Our second major update today is that IBM has reported a global phishing campaign aimed at COVID-19 and specifically the COVID-19 supply chain. Attackers are going after biomedical and health care research organizations, according to IBM, and their supply chain, to attempt to gain access to their systems and networks, presumably to obtain intellectual property for vaccines and other capabilities. The supply chain companies targeted in this particular spearphishing attack include health care delivery organizations, research organizations working on treatments and therapies, as well as vaccine distribution channels. They're using classic spearphishing attacks, impersonating high-profile executives and IoT personnel in the organization. The messages also appear to come from an executive in the Chinese Haier Biomedical Organization, which is part of the World Health Organization. You may not have heard of this organization in particular, but they're the world's leading cold supply chain distribution firm.

Brian Selfridge: [00:05:04] And you might imagine that the "cold supply chain" and moving vaccines at cold temperatures is an important function right now. So they are going after that whole chain. They're also going after other companies in the supply chain, like the European Commission for Customs and Tax, energy sector targets that support solar energy for the COVID supply chain, and also IT organizations that support health care and pharmaceutical organizations.

Brian Selfridge: [00:05:31] Attribution for the attack is unknown, and there are many potential attacker candidates. The vaccine details likely have a wildly high value in the black market, as you might expect for many nations and states and individuals that would want to have access to this information. The recently terminated Department of Homeland Security cybersecurity leader Chris Krebs has advised this week that Russia, China, Iran and North Korea are all targeting the vaccine supply chain. Now, this is very credible intel from a very credible resource with recent access to the situation on the ground with respect to cyber attacks. For those that haven't been following the story in particular, Krebs was relieved of duty for political reasons a few weeks ago and has a strong track record in our industry as a reliable and capable cybersecurity professional. So I think we can rely on the intel coming out of Chris this week.

Brian Selfridge: [00:06:22] So what are some recommendations here? First off, incident response, like we've been talking about in relation to recommendations for ransomware response: upgrade your incident response plans, test them, test them often, rinse and repeat, and make sure that you are as resilient as possible for any type of attack, whether it be related to research for COVID vaccines, ransomware, or the many other reasons that these breaches are happening.

Brian Selfridge: [00:06:49] Also, pay close attention to your third-party vendor risk and supply chain function. There's a big reason why NIST added this whole domain around supply chain to the latest release of the 800-53 Rev 5 standard. There's a big reason why third-party risk is one of the top areas in our top 10 health care security focus areas for 2021 that we just put out recently in our publication. You can check that out on as well. And supply chain is just the most extensive and vulnerable part of the data security picture heading into 2021. It's right up there. At least it's certainly in the top one or two.

Brian Selfridge: [00:07:24] IBM recommends other controls like multifactor authentication, phishing awareness training and controls. And we would certainly agree with those recommendations. We would also add to that: make sure you're building a comprehensive cybersecurity program aligned with and validated against frameworks like NIST CSF or HITRUST CSF. So it's not just about fixing one piece of the puzzle. Make sure you've got that comprehensive program, that you're assessing risks against those security frameworks, and that you're doing your penetration tests, so you can see how the bad guys might be able to get access to your specific network, close those holes up as soon as you can, and get better at responding to the incidents when folks do break through with valid phishing attempts or other malicious attacks.

Brian Selfridge: [00:08:09] The third area we'll cover today is a collection of a few different updates for you around OCR fines, some more legal settlements related to breaches, and the appointment of the new Health and Human Services secretary. So OCR's final penalty of the year goes to the University of Cincinnati Medical Center, stemming from the organization's delay in providing patients with requested patient records under the HIPAA right of access. The provisions require that patient records be supplied within 30 days of the request. But in this case, the patient, still not having received the records after 13 weeks, filed a complaint with the OCR. OCR intervened and the patient was granted access to their records through the legal channels related to that intervention after five months. And that federal government intervention is not good, right? It shouldn't take that much effort and activity just to get the patient their records. The organization was fined sixty-five thousand dollars and also required to adopt a corrective action plan to put policies and procedures in place for patient right of access processes. And OCR, of course, will continue to audit this over time, as they always do. And of course, they will also be paying attention to other HIPAA security and privacy compliance areas for the University of Cincinnati Medical Center, I would suspect.

Brian Selfridge: [00:09:29] Another update is that the Kalispell Regional Health Care System in Montana has proposed a $4.2 million settlement to resolve a lawsuit related to the impermissible disclosure of the health records of over 130,000 patients. Attackers gained access to Kalispell systems in May of 2019, so not that long ago. Sense a theme here? Hacks, breaches, OCR involvement, lawsuits. Right? We've been talking about these for months, for weeks on this show and in other publications. So we really need to be ready for these attacks and the downstream ramifications of them, regardless of where we are in the country, the size of our health system, or whether we are payers, business associates, providers or otherwise. The data is there. It's valuable and the bad guys are going after it.

Brian Selfridge: [00:10:18] The final update for this week's CyberPHIx roundup is that President-elect Biden has named Xavier Becerra as the new secretary of Health and Human Services. Becerra will need to be confirmed by the Senate, of course, alongside other cabinet appointments in the new administration next month. So we will wait to see how that plays out and are interested to see how the new organization takes shape. And we would expect to see a continuation of trends around OCR's activity around HIPAA privacy and HIPAA security enforcement, as well as just ongoing evolution of that whole world and universe as we've been talking about. That's another one that's on our top 10 list for 2021 to check out, if you want to look at that on the website.

Brian Selfridge: [00:11:04] That's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long, and thanks for everything you do to keep our healthcare systems and organizations safe.