The CyberPHIx Roundup: Industry News & Trends, 3/17/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Microsoft’s Exchange email critical exposure for healthcare entities
  • New ransomware report cites $20b in losses for healthcare in 2020 alone; details and analysis are provided
  • A major hack of over 150,000 security cameras allows external parties to view ICU rooms and other hospital locations
  • HIPAA Privacy Rule comment period extensions
  • COVID-19 vaccine registration websites getting hit by malware bots


Brian Selfridge: [00:00:10] Good day. Welcome to the CyberPHIx healthcare security roundup, the quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have some intriguing updates for you today, so let's dive into it.

Brian Selfridge: [00:00:45] Microsoft has reported a widespread critical exposure of their Microsoft Exchange email server environments. Over 30,000 organizations, including health care entities, have been infiltrated by what's reported as a Chinese-affiliated espionage group via a zero day vulnerability in the Microsoft Exchange email server environments. This attack has wide ranging impacts for health care. The majority of organizations in health care use Microsoft to provide email services, either on prem, on premises servers, or in the cloud in the Office 365 environment. The Microsoft Exchange breach is the second massive scale supply chain breach involving a third party business associate, following the SolarWinds breach discovered late last year. If you want to read more about the SolarWinds attack, there's a lot of similarities here. You can check out Meditology Services dot com. We have a lot of material on this: blogs, articles, webinars, podcasts and all that good stuff. Check it out. Like the SolarWinds attack, this Microsoft attack is not necessarily thwarted by installing security patches alone, although you certainly need to do that, because many of the systems remain infected by back doors that have been configured by attackers even after the security patches have been applied, and those can allow them back in. Now, on March 2nd of this year, Microsoft released patches that address the four security vulnerabilities in the Exchange email server environment that were being exploited. The hacking group is called Hafnium, and they're relatively new. We haven't heard much from them, if at all. So they've sort of popped onto the scene. They appear to be an espionage group associated with China, as we mentioned, targeting those vulnerabilities. Now that the attack has been identified, it appears Hafnium is stepping up their efforts to widely disseminate this exploit and take advantage of the compromised systems before organizations go and clean everything up, as is certainly underway in full force.

Brian Selfridge: [00:02:28] The attack's immediate effect is to allow the attackers access to emails, of course. Now, our own ethical hacking service group, we've done many of these tests, and when we do get into Microsoft Exchange email environments, it's very common to find plain text logins and passwords that have been shared via email that can allow access to ancillary systems and other clinical systems, back end systems and sensitive environments. So it's not just about the email environment; it's that it often leads to other access. Another downstream impact, as we mentioned, is sort of the remote access and the web shells that Hafnium has put in here to create back doors and allow them to move laterally within the environments. And that's going to mean that they'll have the ability to potentially use that access for further espionage, for ransomware attacks, as we've seen with some of the SolarWinds things. You know, once they have that back door, there's a lot of things they can do with it to pull information or cause harm. So some of the recommendations: you know, certainly immediately patch all Exchange servers with the relevant patch. Do that like yesterday, or as soon as you hear this; prioritize those patches as critical, as you might expect. We'd also recommend doing a targeted risk assessment to identify potential exposures to the attack, including looking at the implementation of Microsoft Exchange. So that includes the network architecture. So specifically, if you have Exchange servers that may be Internet facing, or that maybe, not even by design, might have sort of holes punched through the firewall that allow some Internet facing capabilities, look at your patch levels. Look at the specific indicators of compromise for this particular attack.

Brian Selfridge: [00:03:59] So a targeted risk assessment, and then an internal/external pentest, a penetration test associated with that, to see if those vulnerabilities are actually exploitable, is highly recommended, as this is just an unprecedented level of access for a platform used by the majority of health care entities. Microsoft has also put out a script that was created to run a check for Hafnium indicators of compromise, or IOCs, to address performance and memory concerns. So you can check out that script and all of this information, as well as the updates from the CSA and Microsoft on this. Go to Meditology Services dot com. We just put out a blog yesterday with all those links and some more information around that. Also, make sure to update your risk tracking information, your risk registers, whatever you use to track ongoing risk beyond and outside of your formal annual risk assessments. Make sure you're documenting this risk, what you're doing about it, how you're prioritizing remediation. That's a big sticking point with OCR and HIPAA compliance, so make sure you're getting your documentation together on that front.

Brian Selfridge: [00:05:01] Another update this week: a new ransomware report cites over 20 billion dollars in losses for health care in 2020 related to ransomware. The new study, released this week by Comparitech, took a look back at ransomware costs for 2020 on US health care organizations and estimated a staggering 21 billion dollar cost in 2020 alone. The study reports six hundred distinct clinics, hospitals and organizations that were hit with ransomware last year. The report importantly noted that infections impacting less than 500 patients often fly under the radar, as this is the threshold for OCR reporting to the public, meaning, if your ransomware attack results in more than five hundred records being compromised, you have to alert the media.

Brian Selfridge: [00:05:41] It's that old HITECH breach notification stuff. But if it's under that threshold, you still have to report those to OCR, and those go on their sort of list of breaches and the like. But we see a lot of organizations are really reluctant to go shouting to the hills that they have ransomware and they've been infected, absent a requirement to report like the OCR and HHS requirements. So it's very likely, and we've always felt, that the numbers of reported ransomware attacks and impacts have been a lot lower than reality. I think this report is really helping us to elucidate that. Now, some pretty useful stats cited in the report, and I'll rattle off a few of them, which I think are pretty cool. I mean, they're not good, but they're interesting. There were 92 individual ransomware attacks on health care organizations, which is a 60 percent increase from 2019 year over year. There were over 600 separate hospitals, clinics and organizations potentially affected and 18 million plus individual patient records, which is a 470 percent increase from 2019. The ransomware amounts, in terms of the actual payments or costs, ranged between $300,000 and $1.14 million in terms of the actual amount they wanted paid.

Brian Selfridge: [00:06:53] And the downtime varied pretty significantly between organizations, from weeks to months of moving to paper only systems, and health care organizations sort of having various degrees of struggling with dealing with the attack and recovering accordingly. And we'll talk about some of the cost of that in a second. So the average ransomware demand is around $169,000, if you just average all that together. And hackers demanded an estimated $15.6 million in ransoms on the overall net aggregate, although we'll talk about the overall costs; $15.6 million is not really the prevailing cost here. So I think that's pretty interesting. Overall, the cost of the attacks is estimated at around $20.8 billion. And the way they calculate that is they look at the cost of downtime, estimated at $8,000 per minute, which comes from a study they cited from 2017 that cites that stat.

Brian Selfridge: [00:07:46] Then they looked at the downtime, they looked at the cost, and they came up with that $20.8 billion number. They also point out some big ticket events like this, having a $67 million loss this year, reporting that, and a Florida orthopedic organization facing a $99 million lawsuit. So those that have been following this Roundup podcast are well aware of those particular incidents and those numbers being something that is continuing to play out in class action lawsuits, as well as actual reported downtime costs. So that's where the big numbers are, versus the $15.7 million in actual ransoms. You have a single incident costing $67 million in downtime. That's where the real hit comes. They also broke down ransomware by state. California and Florida are leading the way with ransomware breaches, for whatever reason. So there's some other great insights in this report. You can check it out. It's published on comparitech.com, and you can reach out to us. We can get you access to it as well. We don't have any affiliation with them. We just have the link and I can send it to you.

Brian Selfridge: [00:08:45] In other news this week, a major hack of security cameras allows external parties to view ICU rooms and access other health care organization security cameras. Big problem. A hacking group called Verkada Inc, or INC, has gained unauthorized access to over one hundred and fifty thousand security cameras, including hospitals like Halifax Health in Daytona, Florida, and Wadley Regional in Texas, I am probably mispronouncing that. The hackers were able to view cameras in ICU rooms in the hospitals as well as other organizations. And the one hundred fifty thousand is not just health care; that's across organizations. It's important to note that this hacking group claims to be on the white hat hacking side and is attacking in order to raise awareness on these issues. And I just want to take a moment to note that all true white hats and white hat hackers agree to ethical terms when we get our CISSP certifications or ethical hacker certifications, that we will abide within legal and ethical boundaries. And that's the whole ethical part of our Meditology ethical hacking service line, for example. Now, accessing any systems in hospitals or otherwise, including security cameras, without permission or a contract is certainly outside of those boundaries. So I think they're misusing the white hat term here. That said, this breach does underscore the growing vulnerability in IoT devices that are deployed in health care. We've been talking about this for a long time. Meditology has a dedicated team focused on IoT and medical device security. So we've got folks out in the field that have been helping organizations identify these issues and resolve them for a long time.

Brian Selfridge: [00:10:14] And this has been really percolating for almost a decade now, with these IoT devices becoming a single point of failure. And it looks like a reckoning for IoT is coming soon, especially as we couple these vulnerabilities with increased attacks on third party supply chains, think SolarWinds, think Microsoft, as a means to gain entry into health care entities, either for espionage, ransomware deployment, whatever it is. This stuff is all interrelated and certainly not happening in a silo. On the regulatory front, the HIPAA privacy rule review period deadline has been extended, which is pretty welcome news to most privacy folks in the industry. HHS is overhauling the HIPAA privacy rule, if you haven't seen that already. Another plug for our website: we put out a webinar a couple of weeks ago in which we ran down the full updates to the privacy rule. There are many. And we give you a full rundown. You can go to the webinar that we delivered on Meditology Services dot com in our resource center. We put out some related blogs and stuff that say way more than I can cover here. And I think I may have covered them in prior roundup podcasts as well. So you can go there if you just want to do the listening part, or listen to the webinar. The pertinent update this week is that the comment period on the proposed privacy rule changes has been extended by 45 days.

Brian Selfridge: [00:11:26] So it was originally set to expire on March 22, or next week, and has been extended for 45 days to May 6 of this year. Acting OCR Director Robinsue Frohboese said, I quote, "The 45 day extension of the comment period to May 6, 2021 will give the public a full opportunity to consider the proposals and submit comments to inform future policy," end quote. Which is all very true. So watch our webinar, check out the updates and react to them, have those visceral reactions, and then get your comments in to OCR and HHS. You've got a few more weeks to do it, I guess about a month or so, so get on it.

Brian Selfridge: [00:12:07] Our last update for this week is around COVID-19 vaccine registration websites that are getting hit by malware bots. Yikes. So many of these registration websites are getting set up very quickly, which is great, because we want to get those vaccines out to everybody as quickly as possible. And OCR even bypassed enforcement on these websites in order to encourage organizations to get them up faster, get them working. However, a poorly coded website is still a poorly coded website, regardless of the purpose of it. And it's still susceptible to automated malware bot attacks, which could acquire patient information.

Brian Selfridge: [00:12:41] Sometimes they just inject garbage data into the web forms and the databases and screw up the registration process. And other times they're impacting the website availability and accessibility for folks to be able to sign up. So this is a pretty important deal. So our recommendation is: don't, you know, slow down deployment of these. Get those sites up, get them working functionally as fast as you can, but you still want to make sure you do some security due diligence and technical risk assessment, even if it's after the site has gone live. So many of our clients have been asking us to do these web application penetration tests: usually quick, fairly low cost, low effort; get a sense of where the gaps are and close them up before the bots get to your site. So reach out to us if that's something you want to check out.

Brian Selfridge: [00:13:24] So that's all for this session of the CyberPHIx health care security roundup. We hope this has been informative for you. We'd love to hear from you if you want to talk about any of this, so reach out to us at CyberPHIx at Meditology Services dot com. So long, and thanks for everything you do to keep our health care systems and organizations safe.