The CyberPHIx Roundup: Industry News & Trends, 2/11/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
  • Overview of a $931m telehealth fraud case and how patient information becomes monetized
  • Patient records from two health systems posted to the dark web from an extortion attempt
  • Nationwide Children’s research data stolen and sold to China
  • A breach at UPMC attributable to a third-party legal vendor; analysis of top breach vendor categories
  • Class action lawsuit against third-party vendor U.S. Fertility from ransomware attack in 2020
  • FTC settles with a fertility app called Flo for selling patient information & class action against another fertility app for selling data to China
  • Water treatment plant hack and related hacking techniques explained that apply to healthcare entities
  • Summary of Virginia’s new Consumer Data Protection Act
  • FDA appoints a newly created leadership position for medical device security
  • Summary of the proposed Public Health Emergency Privacy Act for protecting COVID-19 patient data

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, as well as blogs, webinars, articles and lots of other educational materials. We have a lot of ground to cover today, so let's dive into it.

Brian Selfridge: [00:00:46] The U.S. Department of Justice announced Monday that four people pleaded guilty in a telemedicine pharmacy fraud case that lasted for many years. A pharmacy owner faces 10 years in prison for a $931m fraud conspiracy. So the quote from the case says, "After improperly soliciting patient information, these marketing companies obtained approvals through contracted telemedicine prescribers and sold these costly prescriptions in pharmacies in exchange for kickbacks." One company involved in this was HealthRite, which solicited insurance information and prescriptions from consumers across the country from 2015 through 2018. They then billed those insurance companies and the payers back for those prescription drugs and even marked them up quite a bit.

Brian Selfridge: [00:01:33] Now I'm often asked about how this information, patient information, gets monetized. Why are people stealing this information? What do they do with it? Well, there are nine hundred and thirty-one million reasons why they would acquire information. In this case, they collected information for three years, 2015 to 2018, very big money involved. Now it's not clear how HealthRite got this insurance information or how they collected it from patients. I think that was a little murky in that story. But a hacking campaign would have been just as effective, if not more effective, in terms of the time to acquire patient information that could be monetized in this very same way for, in this case, telehealth fraud, or it could be any kind of claims fraud. So the attackers could hack in, get the insurance information, get the prescription details and submit fraudulent claims. This happens way more often than you may think. And this will not be the first or last fraud case related to stolen or acquired patient information, especially prescription drug information.

Brian Selfridge: [00:02:29] In other news, thousands of medical records were posted to the dark web coming out of the Leon Medical Centers in Miami and the Nocona General Hospital in Texas. This is yet another example of malicious actors monetizing stolen information. In this case, they were trying to extort money from these two hospitals and hospital systems with the threat of posting the records to the dark web. Now, the hospitals didn't pay up in this case, and the information got posted to the dark web and sold for, again, similar sort of fraudulent purposes, we assume, from here on out. Now, the health systems have been pretty tight-lipped about their responses and the details of the attack and the extortion, which is pretty typical. We don't usually get a lot of the ins and outs coming out of organizations that have been breached, but they are saying that they are updating their security policies and putting training in place. Maybe that's a little too little too late, perhaps, but hopefully they are making some improvements that will make a difference down the line.

Brian Selfridge: [00:03:34] I've got another fraud case for you. A researcher at a medical lab at Nationwide Children's Hospital was arrested for stealing research data, including patients' genetic data, and selling it to China. This woman and her husband set up a company in China and stole at least five trade secrets and provided them to China in exchange for money and other support. The couple faces or has received some jail time and also has to pay $2.6m in restitution, along with giving up a bunch of the stock they hold in other companies that was acquired as a result of this fraud. And reports are that China has been going after Americans' health care data and DNA record sets as well, according to the National Counterintelligence and Security Center (NCSC). So China is very active. We know Russia is active from our prior updates and ransomware activities. So if anybody after these updates doesn't think that healthcare is a target for our information and that it can be used for lots of purposes, financial fraud, espionage, trade secrets, you know, be sure to take a look at these recent stories. They are certainly painting a consistent picture for us. Another consistent picture that we've been seeing over the last several, really several years, but heating up in the last six to eight months, is around breaches in health care that are attributable to third party vendors.

Brian Selfridge: [00:04:57] UPMC had a breach this week, or at least reported a breach this week, attributable to a billing and legal services provider. The legal provider is Charles J. Hilton and Associates. And it's important to note that our sister company, CORL Technologies (https://corltech.com), which does third party risk management for health care and has a data clearinghouse on the security posture of over 79,000 vendors in the health care space, issued a report last year that did an analysis of all that risk data across the portfolio of vendors and noted that legal and billing companies are actually in the top tier, the top three or four vendor types that have the highest likelihood and impact for breach events. We got a lot of questions about that. And so, it's not really on my radar. I'm focused on electronic health records, financial apps, other things. You know, legal services. That doesn't seem like a big deal. But our data and our numbers told us that. And it's really interesting to see these cases start to pop out where you see the breaches associated with these types of organizations.

Brian Selfridge: [00:06:06] Now, the UPMC breach, just to be clear: hackers logged into a number of its employee email accounts between April 1, 2020 and June 25, 2020 last year. And the organization is alerting more than 36,000 patients that their data was involved, including Social Security numbers, birthdates, bank and financial account numbers, medical record numbers, diagnosis details, all the usual stuff. So as we look at prioritizing which vendors to focus on, definitely make sure you're getting legal services in the mix there. And some of the other top vendor risk categories that came out of that CORL report I mentioned were medical devices, health care consulting firms and clinical pharmacy providers. So those are in addition to the other vendors that you may be looking at. Those are the top tier of highest likelihood and highest impact.

Brian Selfridge: [00:06:53] We'd be remiss if we didn't have an update in our CyberPHIx podcast about class action lawsuits; they are piling up. This one comes out this week against U.S. Fertility, it's called, from a ransomware attack that they received last year. Eight hundred and seventy-eight thousand individuals are impacted, and U.S. Fertility is a third party. Here's that theme again, right? A third party business associate to healthcare providers that provides IT, administrative, clinical and business services to infertility clinics. And the big question about these class action lawsuits as a whole is whether or not the plaintiffs can prove that there's been harm from the breach.

Brian Selfridge: [00:07:33] In this case, an individual whose information was used to file fraudulent unemployment benefits was cited in the plaintiff's case here. So they have sort of a real connection: the data was lost, and it was used for unemployment benefits fraud. And that's a big theme we've seen this year as well, following the COVID protocols and unemployment changes. There's been a lot of unemployment fraud, especially leveraging this personal information that's been stolen over the years or more recently to get those unemployment benefits fraudulently. Now, part of the challenge of these lawsuits is proving whether or not there's been harm. And that becomes especially difficult, as it's pretty complex to trace back when there's been a breach or a ransomware event to actual patient harm or financial impacts or other impacts to specific individuals, like we know which individuals were included in those lists. We know that certain medical systems are impacted whenever there's a ransomware event, but it becomes difficult because there's no group or individual typically that's looking at a post-mortem of the event from an external perspective and saying, OK, let's look at what happened over the last several ransomware events and what information was released. And then let's look at these cases where we're seeing information on the dark web and trace it back.

Brian Selfridge: [00:08:53] It's hard to concretely trace back the harm, which could put some of these class action lawsuits at risk. In fact, Brandywine Urology, for example, this week had a case dismissed against them for that very reason, due to lack of proven harm. Connecting the dots can be tricky. The information that comes out about these attacks is very limited to the public. So it's hard to even know what happened and how it happened, to be able to tie it all together. But we do know that when ransomware impacts systems, it has adverse impacts that can include death, like the case in Germany that we saw. You have impacts to delays in care and stroke situations where delays and time delays really matter, as well as financial impact. So rest assured, in my view, there is certainly harm being done, both patient safety harm as well as financial, data privacy and other issues. I think these stories will continue to unfold as attacks continue. We see more class action lawsuits and there are more efforts to kind of tie back that harm. I think we're going to see those stories coming out more clearly over time, as data gets misused and systems get misused for malicious purposes.

Brian Selfridge: [00:10:04] The FTC settled with another fertility app in a privacy settlement this week. So we had previously covered this story. There's a fertility app called Flo that said in their terms and services, when you sign up for the app, that they would keep your information private. It's not going to be user disclosing, all the boilerplate privacy policy stuff. But then they sold the information to marketing firms, including Facebook groups and many others. So Flo has been held accountable by the FTC and must now obtain independent review of their privacy practices on an ongoing basis, as well as get consent before taking data. All of which, in my view, should have been happening all along to begin with. What's also interesting is the FTC issued consumer guidance along with this to help organizations reduce privacy risks. However, I think this guidance may be a little too little too late, right? So if the Flo app had terms and services that said we're going to keep your information private and then they didn't, I'm not sure what else an end user can do from a due diligence standpoint to say, OK, am I really reading the terms and services? If you were, you would have felt pretty good about it. Right. And then they turned around and sold the information anyway.

Brian Selfridge: [00:11:20] Surprisingly, another fertility app (this is a pretty wild theme that we're seeing this week) called Premom has a lawsuit filed against them this week for selling data to China. That's also a theme, and connecting some dots here. So similar type of story. Information got out, selling the data, unauthorized use of the information. So if you're tying all these stories together, we're seeing a lot of attacks, targeted fraud. We're seeing misuse of privacy policies and information that's collected, particularly by third party vendors and applications, and then those third party vendors are either having breaches, unplanned breaches, of course, or selling that information to legitimate companies like Facebook, Google and others in one case, or two other companies like China. So it's getting dicey out there. And what's up with these fertility apps? Time to do some research and figure out why it's such a particularly fraudulent area these days.

Brian Selfridge: [00:12:23] Another big news item this week is not particularly related to healthcare, but it does have some corollaries, and that is a water treatment facility was hacked, actively hacked, this week. And the attacker leveraged remote access software called TeamViewer that was compromised. And the attacker used that access. It's kind of like if you want to do help desk support, you use TeamViewer or VNC or remote desktop, as other types of tools that let you sort of log on to somebody else's session. The attacker was able to get onto an admin's session and increase the dosage of sodium hydroxide, which is a sanitation agent in the water, from 100 million to over 1000 parts per million.

Brian Selfridge: [00:13:05] Now, thankfully, a very alert and astute administrator recognized this change right away; he thought it was his boss making a change. And he took action right away to reset it back to normal levels, and nobody was hurt. And I think it's worth pointing out that these heroics from this admin are really worth praising as an industry and as a society, in that you can have all the cybersecurity controls you want and cybersecurity professionals, but those policies and those processes and those tools and the like can only be as effective when the entire workforce is on the alert and paying attention. You know, whether that's regular end users not clicking on those email links or watching for suspicious activity, as this alert administrator did, and acting and reporting on the matter. So kudos to this administrator, the alert administrator that made this change. And I think there's a lot of praise and a lot of support in the industry.

Brian Selfridge: [00:14:07] Now, this type of attack, you may think, OK, is this a far-fetched, unlikely thing? Somebody can take over remote access? It's actually really not, and particularly in healthcare. So when we do our white hat hacking and penetration testing work, I've actually done this myself several times, where we've taken over the remote work session of a technician, a tech admin. I remember one where we waited to see if the tech admin was on there anymore. It seemed like he had gone to lunch. And so we went on and started taking over a session, moving his mouse around and essentially creating an administrative account for ourselves. And then we saw that he came back and he was a little freaked out about it and put up a notepad and said, hey, who is this? Who's doing this? And we just closed the notepad and continued creating our administrative access for ourselves, closed everything out and moved on.

Brian Selfridge: [00:14:53] And what was really interesting for me is that, contrary to the case with the water treatment facility, this administrator didn't tell anybody about it. And our report eventually was, of course, including that we were able to bypass this remote access technology and get in there. And that's a relatively easy fix and was closed up pretty quickly. But our bigger finding was that the administrator didn't report this to anybody. You know, we don't know if he was afraid of getting in trouble or wasn't sure what happened or thought somebody was goofing on him with his peers or something. But that became one of the bigger findings: that alertness and that awareness and that training and education that then followed for that organization is really, really important. So these pen tests really do help to simulate real world attacks and identify not only the technical aspects that may be problematic, but also the more sort of social engineering and awareness capabilities of the organization that can come into play and be resolved as a result.

Brian Selfridge: [00:15:49] A few more small updates for you as we wrap up the session. The Virginia Consumer Data Protection Act was signed this week, and it's very similar to CCPA in California and GDPR out of the EU, and has continued the trend of states moving in the direction of stronger privacy regulations that really all look and feel a lot like GDPR and CCPA in general. The scope of the Virginia Consumer Data Protection Act is inclusive of individuals and persons that conduct business in Virginia, so similar to the Massachusetts law, similar to the California law. And they have a pretty broad definition of personal data and sensitive data. And the law also requires you to do data protection assessments, very similar, again, to CCPA, GDPR, all of that stuff in there. However, one very important thing is the law actually exempts health care organizations that are governed by HIPAA, which is all health care organizations. So that's a carve out that's been in place in some cases in some of these state laws. But this is probably the strongest one that says that health care, you've got your own law. You worry about that for now. However, I'll point everyone to the fact that these state laws are really gaining traction. And there is, in my view, an imminent federal law coming in the next several years that's going to look and feel a lot like these laws. So I would advise getting ahead of it: getting your privacy data protection plans together, getting those assessments done, assigning your chief privacy officer officially and data privacy officer, all the things that these laws require. Get ahead of that now to make it a lot less painful as you get into more state laws and federal laws as this ramps up.

Brian Selfridge: [00:17:27] Another update: the FDA appointed our friend Kevin Fu as the first director of medical device security for the government. Now, this is a big step forward for a couple of reasons. One, medical device security has really needed a bigger push from the federal government and the FDA. And Kevin is a great resource to make that happen. Kevin's out of the University of Michigan and has been working in this field for a long time. And those of us that have been in the medical device security space for a long time, as we have here at Meditology, know that Kevin's going to be a great asset to help move the program forward in the right way and get some support from the federal government, in addition to private industry, to get some traction on medical device security.

Brian Selfridge: [00:18:05] The last update for today is that Democratic senators introduced a Public Health Emergency Privacy Act to apply protections to patient information that had been collected during COVID-19 vaccination processes. It still remains to be seen if this is going to pass or whether it's going to be applied. But certainly it's good news that we're thinking about, as we amass all this information for the purposes of this acute COVID-19 situation, that that information stays in use for those purposes only and doesn't become sold for fraud and all kinds of other issues and leaked out the way that we see in these other cases that we talked about today. So we'll keep you posted on how this plays out going forward and whether or not that actually becomes law.

Brian Selfridge: [00:18:46] That's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this is informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at CyberPHIx@meditologyservices.com. So long. And thanks for everything you do to keep our health care systems and organizations safe.