The CyberPHIx Roundup: Industry News & Trends, 3/24/22

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day. Welcome to the CyberPHIx Healthcare Security Roundup. Your quick source for keeping up with the latest cybersecurity news trends and industry-leading practices, specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare, security, privacy, and compliance leaders alongside blogs, webinars, articles, and lots of other educational material. We have a great agenda to cover today quite a bit since it's been a little while. So let's dive into it, shall we? 

[00:00:46] First off is an announcement from President Biden literally just hours prior to recording this session. President Biden is reacting to the cybersecurity attacks relative to the Russia, Ukraine, cyberwar and beyond. So I'll read you a couple of snippets of the announcement. As it appears things are truly heating up on the cyber warfare front in addition obviously to the physical war currently underway. So President Biden says this is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience, he said. He's previously warned us, which he has, about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we've imposed on Russia alongside our allies and partners. It's part of Russia's playbook, he says. Today, my administration is reiterating those warnings based on evolving threat intelligence that the Russian government is exploring options for potential cyber attacks. 

Brian Selfridge: [00:01:41] So this is very interesting. So it goes on to say that the federal government can't defend against this threat alone. And most of America's critical infrastructure is owned and operated by the private sector and critical infrastructure, much like you all in healthcare, as I'll add in here. And operators must accelerate efforts to lock their digital doors. So he urges all private sector partners to harden our cyber defenses immediately by implementing best practices. He says, we have the power, the capacity and responsibility to strengthen the cyber security and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time, he says. Your vigilance and urgency today can prevent or mitigate attacks tomorrow. So I think this is a read between the lines kind of warning, right? It's rare to have an ad hoc presidential statement issued unless there's very imminent and credible threats along these lines. And so we'll get into later in the update here some of these specific threats that we're seeing, that that may be part of what's leading the US federal government to provide these kind of warnings and announcements and requirements for critical infrastructure including healthcare. 

Brian Selfridge: [00:02:57] One of the other major updates coming out of the federal government this just past week is a new requirement that organizations have to report hacking activity or hacking successful hacking activity or incidents to the Department of Homeland Security within 72 hours. So this was bundled into a $1.5 trillion government funding package that President Biden signed this past Tuesday, which includes a whole set of cybersecurity legislation that will require critical infrastructure operators. Again, healthcare is sort of clearly in that critical infrastructure category to quickly report data breaches and ransomware payments in particular. So it says critical infrastructure is still officially being defined. So we can say healthcare generally, certainly providers, healthcare providers are going to be included in that. Other entities are going to be sort of it's going to be interesting determination to figure out whether or not if you're in healthcare if you're a critical infrastructure or not, and that we have to wait for further definition to come out. But entities and their business associates covered under HIPAA would still need to have to report breaches on the 60 day reporting obligations under HIPAA / HITECH requirements. So that doesn't change particularly for breaches of PHI affecting 500 or more individuals need to be reported to the wall of shame and all that good stuff. So that doesn't change. But now we have this additional 72-hour requirement which is just really aggressive. The CISA director Jan Easterly praised the Senate's passage of this bill and subsequent signing of the bill, saying it gives her agency the data and visibility that we need to better protect critical infrastructure and businesses across the country from the devastating effects of cyber attacks. 

Brian Selfridge: [00:04:32] She goes on and says every organization, large and small, must be prepared to respond to disruptive cyber activity. So that kind of is similar to what President Biden is saying as well just a couple of days later from Jen, Italy's announcement there. So for me, just looking at the analysis, that's a little bit 72 hours is a really tough mark I think for healthcare. So to hit and to navigate, you know, it often takes that long just to assess the situation and begin putting in place containment strategies to limit the impact of attacks when they start hitting your front lines. It's likely that I think reporting is going to increase as a result. Obviously, you're asking 72 hours, but there may be a ton of false positives in there or incomplete reports of attacks and impacts. As you know, speaking just as a former healthcare CISO myself, I know early in this sort of as these incidents play out, you're kind of trying to validate, is this a false positive? Is it real? How far extending is it? Can we I used to call it Whack-A-Mole, right? Can we go get it, knock it out, isolate it, and it becomes a non-issue if you can do that within hours and minutes. Very often there's no real incident to speak of. 

Brian Selfridge: [00:05:37] You've just addressed it. And so it's interesting that things sometimes can push a couple of days out while you're still investigating, figuring out if this is a true incident or a problem, a compromise or just some abnormal anomalous activity that may be part of everyday business. So I have a feeling we're going to see a lot of those types of gray area, quote unquote, incidents being reported based on 72 hours, just not enough time. We also have to figure out when does the clock start on the reporting time frame? Is it that when we first see some specific suspicious activity occurring, is it when we have some actual evidence of malware that's penetrated the environment? Is it after we've done forensics that have confirmed and validated that we have a true incidence and unauthorized accents, you know, where does that start? I suspect if it starts on the earlier side of that, that lens, then the CISA could end up quite frankly, getting overloaded with thousands of tens of thousands of reports a day, quite possibly, which I don't think will be productive for anybody. But I suspect they're starting somewhere and it will be a learning curve here as it goes. So 72 hours, quite tricky. That's a pretty big update. So you might want to start updating your incident response playbooks, your processes, your policies to make sure you address that time frame, which is, again, pretty aggressive. 

Brian Selfridge: [00:06:51] Now, there's another update on, I guess we'll supposedly call it the regulatory side, although it's not entirely accurate to say that. But the Securities and Exchange Commission, the SEC, proposed new rules and amendments this week or actually a couple of weeks ago, March 9th. When was that? A couple of weeks ago, around cybersecurity, risk management, strategy, governance and incident reporting. So the changes apply to public companies. Obviously, the SEC only sort of governs public entities, which includes some but not all of the healthcare entities. And very often these regulatory changes, you know, the reason we watch the SEC, of course, some of you this will apply directly to others. We watch these types of changes to see the ripple effects that can happen when these new requirements come out. And then other regulatory regulations that are evolved and adapted over time, we'll start actually adopting these types of requirements. So the SEC new rule requires well, it's still a proposed rule. So we'll the proposed new rule requires companies to disclose information about any material cybersecurity incident within four business days of determining that such an incident has a. So if you look at the scale here, we've got 72 hours coming out of the new day requirement, four days from the SEC, 60 days from of high tech. So one way or the other, you're going to have to disclose this stuff. So getting really, really good at being able to identify, document weed out false positives is going to become a pretty critical skill set. 

Brian Selfridge: [00:08:15] Otherwise, you get to report everything under the sun. And that's not great. Some of the other requirements of this SEC rule are that you have to disclose information about incidents, including when the incident was discovered and whether it's ongoing, which most likely it will be ongoing within four days. A brief description in nature and scope of the incident. You have to indicate whether any data was stolen, altered, accessed or used for any other unauthorized purpose. You need to document the effect of the incident on the company's operations and then whether or not the company has remedied or is currently remedying. I'm not sure I'm saying remediating remedying one of those words. Fixing the incident provided that the companies plan response to the incident is not required to be disclosed. That's sort of the official requirement. They also say you have to disclose any previously disclosed cybersecurity incidents that maybe weren't that could be related and whether or not any of the company's board of directors has cybersecurity expertise and if so, the nature of such expertise. And then the last piece says that a company's policies and procedures, if any, for identifying and managing cybersecurity risks must be reported along with the cybersecurity governance, including a board of directors oversight role regarding cybersecurity risks, as well as the management role and relevant experience in assessing and managing cybersecurity-related risks and implementing related policies, procedures and strategies. 

Brian Selfridge: [00:09:36] So quite a bit there that needs to be reported. So if you're a publicly traded company, got to get on this right away. It's not a final rule. It actually they just have comments out right now. And the proposed rule is to become public on May 9th or within 30 days after the publication in the Federal Register. So we've got a couple of months to comply with this. If you're in scope, if not, again, probably a good idea to start doing some of this and getting prepared as other regulations begin to come into play that look and feel and smell like this one. All right. I mention we would talk some more about Russia before we were through here. Of course, very, very difficult not to on these updates these days. So we did see a specific alert from the FBI and the CISA related to what they call mitigating threats posed by Russian state-sponsored cyber actors and their exploitation of default, multifactor authentication protocol and what they call the print nightmare vulnerability. So these are very specific technical weaknesses, vulnerabilities that are being exploited by Russian state-sponsored folks. So they go on to give some more details about that, including basically a vulnerability in the Windows print spoiler called print nightmare alongside a multifactor authentication issue. So going back as far as May 2021, so that a year ago, thereabouts, the Russian state-sponsored cyber actors took advantage of misconfigured accounts to set default multifactor authentication protocols at non-government organizations, allowing them to enroll a new device for MFA and access the victim's network. 

Brian Selfridge: [00:11:16] So this is a long play, right? They're gaining multifactor credentials and then waiting for the right place and time to use them. The actors have then exploited a critical vulnerability called print nightmare to run arbitrary code with system privileges and then access cloud and email accounts for document. Exfiltration is sort of the attack. The FBI and CISA urge all organizations, healthcare included, to take immediate action to protect against this malicious activity, including such mitigations as enforcing multifactor authentication for all users without exception, and ensure that it's properly configured to protect against the fail open and re enrollment scenarios. So if you're not sure what those are, so basically some configurations of multifactor say, hey, if our multifactor server stops working and we can't issue out the text messages or whatever we need for you to gain that second factor, we're just going to allow everybody to log in with just a password, which obviously helps business continuity when you have some issues with your multifactor solution. But that what's called a fail open strategy becomes a real problem when the attackers get to disrupt or shut down your MFA. And then all of a sudden they can get access to every account for a period, even if it's for a period of time. 

Brian Selfridge: [00:12:29] They do it very intently or they will re-enroll and create new enrollment to their own cell phones numbers and then be able to gain access going forward. Other recommendations from the FBI and CISA are to implement timeout and lockout features, which you should be doing anyway to disable an active accounts uniformly and Active Directory multifactor and other sources updating software and prioritizing known exploited vulnerabilities which there wink wink are talking about this PrintNightmare vulnerability from windows, I'm sure, along with other commonly used exploits by the Russian folks. If you're not sure what those are, we've done some podcast episodes the last couple of weeks and months that'll go into more detail on those. But they say monitor your network logs for suspicious activity and implement security alerting policies. So nothing too surprising there in terms of recommendations, but definitely interesting to see the focused focus on multifactor authentication in particular. All right. Now, it's not Russia's not the only one engaged in cyberwar at this moment. We saw a barrage of hacktivist activity that are targeting Russian assets as part of the global reaction to Russia's invasion of Ukraine. And as a follow up to Ukrainian President Zelensky's request for such support from the global hacking communities. So we'll be releasing actually a special episode of the podcast in the coming days that recaps this activity in depth. And we actually look at some of the dark Web activity and cybersecurity recommendations related to the cyber war. 

Brian Selfridge: [00:13:57] So we'll get into the nitty gritty in that session. So so pay attention for that one. As we couldn't we couldn't cover it all here. There's just so much going on. But that said, some of the key hacktivist, what I'll call successes, you can decide which side of the cyber war you're on. Was this a success or whether it's an achievement or not? But they included some major breakthroughs in the last weeks. One is around hacked databases, so over 100 databases and one particular string of attacks were hacked, including the Russian Internet service providers and inter-governmental websites, including the Commonwealth of Independent States, or CIS, which is an organization made up of Russia and other former Soviet nations that was created in 1991 following the fall of the Soviet Union. So many of these CIS files were erased. Hundreds of folders were renamed to, and I quote 'Putin_stop_this_war'. So they just blew away the files and named them that. So another hacked database contained more than 270,000 names and email addresses. And other databases contain security information, internal passwords, and large numbers of secret keys which unlock encrypted data. Other, quote-unquote, successes from the hacktivist, like Anonymous and these other types of groups. Attackers were able to take over Russian television and broadcasted pictures of the Ukrainian war, along with a declaration of Anonymous, the group's responsibility for the attack, and then appeal directly to the Russian people to resist the war efforts. 

Brian Selfridge: [00:15:26] It's unclear how long this takeover lasted, but it was sufficient enough that I've seen some clips of it, that it was at least a couple of minutes long at a minimum and a pretty impactful type of hack when you think about it. To be able to hack live TV is certainly novel. Again, we keep talking about Anonymous with the International Hacking Collective. Anonymous just this past week announced that it's hacked the Russian censorship agency known as, I'm not going to say it right at all, Roskomnadzor. That was close. Probably not. Anyway, this group is basically the Putin's censorship group that's been shutting down the media, closing down all the non-state-owned television companies, media outlets, as well as anybody else that's not sort of forwarding the propaganda. So Anonymous hacked that particular group and released 364,000 files that it shows that it says shows intensified censorship around the perception of the Ukraine invasion, which is no surprise there. Russia's been very public about their censorship. That's not a not a secret. And President Putin actually signed into law on March 4th, a law making it illegal to express any kind of dissent against Moscow's war and campaign. And then after that, we had all kinds of global media organizations leaving Russia, including CNN and other basically everybody, as well as the privately owned Russian media organizations. 

Brian Selfridge: [00:16:48] Anonymous also declared a full cyberwar on Russia late last month, and almost immediately the group claimed to have hacked websites connected to the Russian government. State media, banks. The decentralized, decentralized collective, which is anonymous, also hit the government website for Chechnya, a Russian republic that has vowed military support for Russia. And they also targeted and leaked 200 gigabytes of emails from the Belarussian weapons manufacturer Tetra Der, and claimed credit for hacking Russia's Internet service provider. So there is a full on war, cyberwar going on. The Russians have been very aggressive over the years. If you've been a loyal listener of this podcast, you've known that the vast majority of the ransomware attacks, for example, are coming out of Eastern Europe and Russia in particular. And they've been doing a lot of espionage and a lot of other sort of disruptive attacks against the West. So and we've talked about President Biden's had these summits even prior to the war. And so this has been escalating for some time. But now the gloves are off right as this is officially a cyberwar activity. And there's a lot of folks jumping into the fray on the hacktivist side of things, as well as I imagine, state sponsored sort of retaliation and defense activities on the cyber front. So this is only going to heat up and we'll keep you posted on how it plays out. 

Brian Selfridge: [00:18:07] Now, it also has had some side effects around things like Russia has had to not had to, but it's chosen to create its own TLS certificate authority to bypass sanctions. So for those that may not be familiar with the nitty-gritty of what a cyber. I'm sorry. Certificate authority does. Basically, any time you have these SSL certificate certificates or TLS, which is the little lock in your web browser that encrypts the data and controls, makes a trusted communication between you, the end user and your browser and the and the server that hosts the website that you were trying to get information from. There needs to be a third party certificate authority that kind of makes sure that there is trust that you're actually getting the information from the right place and there's no spoofing or anybody trying to pretend to be somebody else or listening in or sticking in their heads in the middle of the conversation. So the tricky thing is with all these sanctions and cyber attacks that Russia has had to rely on, US based certificate authorities, which are the dominant cert authorities out there, has to renew their certificates and continue providing websites and services to their visitors. Now, before it's invasion of Ukraine, websites based in Russia would pay international certificate authorities for the renewal of their certificates. However, since the invasion resulted in heavy sanctions, these signing authorities can no longer accept the payments. 

Brian Selfridge: [00:19:31] So once those certificates expire, which is typically they typically range about a year or two years on average, then you have to pay to renew them. And so if you can't pay, you don't get new certificates and that shuts down your website. So if that happens, the browser displays a message. You may have seen this sometime before when you've when you browse to some sites that if the user wants to visit the site, it's insecure and to work around the problem. Russian authorities have come up with their own certificate authority. The problem is right now, only two web browsers recognize the new Russian certificate authority, and those browsers are Yandex and Atom, both of which I have never heard of prior to this. I don't know what their deployment is in Russia specifically, but I don't think it's that they are particularly high adoption level browsers. So this the other issue with this and challenge is that this could become a way for Russia also to spy on its citizens and communications even further than ever before, because one of the roles that the certificate authority does is issues the encryption, so that unless you're the certificate authority and you have the encryption key, somebody from the outside, whether it's a government entity or otherwise, can't intercept that traffic, can't decrypt the data. 

Brian Selfridge: [00:20:53] It's gobbledygook as it goes across the wire, so to speak. But if you are the certificate authority and you have control of that, you can basically decrypt all the traffic coming between the Web browsers and the servers that things are going to that are hosted by those certificate authorities. So that's a major issue. I mean, it would be nice to say, oh, you know, they probably won't do that. They really just want to stand up a certificate authority knowing Russia and their tactics and behavior, it's very likely they will serve as that kind of man in the middle attack and unencrypted traffic and sniff it and spy on it and obviously take action where they deem it appropriate. So Anonymous and other cyber attackers are actually likely to go after this new Russian certificate authority. So that's kind of interesting, right? Because now it's become a single point of failure for all Russian Internet access and taking it offline could create a situation where you actually can take Russian Internet access down across the board if they're able to attack this. So very, very interesting, these sort of changes have to happen when we stop being able to have international payments and rely on the Internet connectivity and infrastructure that makes all this stuff run on a global basis. So we'll see how that one plays out. In other pseudo-related news, I suppose this is quite related. 

Brian Selfridge: [00:22:07] The FBI has also issued more alerts on ransomware and a particular ransomware group targeting US organizations. So the alert and guidance is around the Ragnar Locker ransomware. So as of January of this year, 2022, the FBI's identified at least 52 entities across ten critical infrastructure sectors that are affected by this new RagnarLocker ransomware. There's a ton of technical analysis in the FBI alert, including indicators of compromise. And I would go into that detail here, but it'll take us forever and you'll fall asleep if we get into IP addresses and stuff. But I will highlight some of what I think are the more interesting points, including the way in which this ransomware malware flavor encrypts files. So RagnarLocker encrypts all available files of interest. So instead of choosing which files to encrypt, the Ragnar locker actually chooses which folders it will not encrypt. So it's kind of like the inverse where what this allows them to do is they say, okay, we're not going to encrypt the files that we know we need for the computer to run and operate our own malware. Right. So they'll they will let the operating system run normally while encrypting basically everything else. So, for instance, if it's a Windows machine, it avoids encrypting the C drive, it avoids encrypting some folders like Windows, Windows, old Mozilla, Mozilla, Firefox, Tor browser, Internet Explorer, Recycle Bin, Google Opera. So all the browser stuff it wants you to still be able to get to transfer information that way. 

Brian Selfridge: [00:23:40] So very interesting. Otherwise it locks up everything under the sun with the ransomware. Now, some of the recommended mitigations from the FBI are to backup critical data offline to ensure copies of critical data in the cloud are backed up to the cloud or an external hard drive or storage device that is air gapped from the network or otherwise segmented. It says this information should not be accessible from the compromised network. Secure your backups. All this is pretty standard stuff, right? Use multifactor authentication. Keep computer devices and applications patched and up to date. Monitor Cyber threat reporting regarding publication of compromised VPN login credentials and change your password settings. It says Consider an email banner to emails received from outside your organization. So that's a lot of office. 365 users will be familiar with that functionality. Disable unused remote access, remote desktop protocol. That's a huge one. There's just so many attacks. I saw a stat separately from the FBI and a big report they put out, so I'll just comment on this quickly that showed the different types of attacks, like a little line graph of like what? What are the most prevalent entry points for ransomware and remote desktop protocol was by far the top and then there's phishing was like right underneath that. So, you know, there's no valid technical reason why remote desktop should be used for your external access. 

Brian Selfridge: [00:24:58] You get Citrix, get something else, get some other remote access capability, but don't use Windows remote desktop protocol. It's insecure has been for a long time and it's easy pickings for this ransomware. So other recommendations are pretty standard monitor and audit administrator, privileged accounts, configure access controls with least privilege, and implement network segmentation. So all very standard recommendations on the ransomware front. But an interesting alert and flavor of ransomware from the Ragnar Locker ransomware this week. Now another sort of international cybersecurity news. You know, I think the US is taking a pretty clear stance and echoed by Biden's comments just this week about the need for the private sector, public sector and international communities to collaborate and cooperate to deal with these cyber attacks, the cyber war activities and everything else. It's really about banding together. This is kind of like a pretty classic good guy, bad guy thing, right? Like the good guys in the world are banding together to defend critical infrastructure, defend organizations, defend countries. And you've got these cyber criminals out to shut everything down, steal money. I mean, it's like a superhero novel, isn't it? Anyway, so there is a new cybersecurity collaboration between the United States and Israel that's designed to combat threats and bolster research and development cybersecurity. So the areas of cyber security cooperation between the Israel US collaboration is around combating terrorist financing, which is a big part of the puzzle, and creating an institutional vehicle to enable cyber-specific research and development and collaborating on transportation, cybersecurity. 

Brian Selfridge: [00:26:35] Those are the big areas. Israel is phenomenal with research and development if you're familiar with their high tech sector out of Haifa, out of Tel Aviv, just amazing companies doing stuff there. So it's exciting to get access to that talent and those capabilities. And the Israel National Cyber Directorate said that the purpose of the agreement was to promote advanced technologies for cyber protection and strengthen information sharing on the ground and expert exchanges in fields like artificial intelligence. Quantum computing. Homomorphic encryption and navigation technology now. Let me just pause there, because let's all pretend that let's not pretend that we know what Homomorphic encryption is. Right? I certainly don't. But I looked it up for you, so let's talk about it. Homomorphic encryption basically allows for applications to perform mathematical calculations on encrypted data in a way that's never been possible before. So what they mean by mathematical calculations is, you know, a lot of times once data is encrypted, you can't do anything with it. It's just it's just gobbledygook. You can't really run any pattern recognition. You can't do anything useful with it. You need to decrypt it and then do data analytics and things. And that's a problem for things like healthcare organizations and large data sets that have protected health information, for example. 

Brian Selfridge: [00:27:44] So there's actually some cool use cases with homomorphic encryption where you can actually do some predictive data and analysis with this new mathematical capability on large data sets without having to decrypt or de-identified the data, which is really amazing. So you can figure out some things about the data, about the patients, about the populations while still protecting and encrypting the data, which is really, really neat and not being able to re identify it to specific individuals. So that's just one of the promise of this technology. So that's the type of research and development that they'll be the US and Israel will be working on together as well as other activities. So pretty cool stuff there. We look excited to see what comes out of that relationship. Now in terms of alerts, there was a series of vulnerabilities released this month around Iot and medical devices that I think is very much worth mentioning, particularly for any healthcare provider listeners here or those with involved in the medical device sector or even third and fourth party risk management to a large extent. So anyway, there were seven vulnerabilities that were called Access seven and its Access Colon seven, if you're trying to Google it, that have been identified in web-based technologies, PTC, Axeda, and Axeda desktop server, which are used to allow one or more people to securely view and operate the same remote desktop via the internet. 

Brian Selfridge: [00:29:05] So if exploited attackers can gain full system access. The vulnerabilities were first identified by researchers at Forescout, Video Labs and CyberMDX is one of these medical device security conglomerate groups. The vulnerabilities are known to affect more than 150 device types from over 100 different vendors, which ultimately amounts to hundreds of thousands of devices globally. So take a look at that. If you have a medical device security population program, any supporting tools and automation where you can scan for these and make sure you get your devices patched or segmented or otherwise protected. All right. Some other updates. The Office for Civil Rights has issued its quarter one newsletter for the year. So Health and Human Services, HHS and OCR providing tips for defending against some of the most common healthcare cyber attacks. So I want to kind of run down some of the key takeaways from this. It's a pretty big newsletter, actually, but it's worth highlighting some of the areas that could be. They say cyber attacks could be prevented if organizations implemented these HIPAA security rule related requirements to address common attack types, including phishing exploitation of known vulnerabilities and weak authentication protocols. So here are some of the five key areas that they point out in this Q one newsletter. So they say healthcare organizations are frequently targeted by phishing attacks. So this year, 2022 organizations should continue to test phishing programs and train employees on how to combat and identify phishing attacks. 

Brian Selfridge: [00:30:29] Again, back to my ransomware comment. Phishing still number two, right below remote desktop protocol as the common attack vector. So make sure you get that under control. The second area, HHS and OCR recommend is that remote access technology such as VPNs, virtual private networks or technologies using remote desktop protocol. Ding, ding. Right. You're sensing the themes here should be used sparingly. So that's a good comment too, that not only just shutting down remote desktop and providing an alternative, but like making sure that your remote access technologies are truly necessary. Do you need to have every single user have access to every single system for remote access? No, probably not. Like so. So limiting that down as much as possible. The third area out of five that they mentioned is analyzing how your healthcare organization can be compromised by suppliers, vendors, business partners, customers, and service providers. That is the understatement of the year. Yeah. Take care of your third party risk program. That is just a huge, huge whole domain of energy. And that's we have our sister company, CORL Technologies, that does nothing but that third party supply risk for healthcare entities. And it's just there's a whole ton of work to do there. So if you're not investing in your third party risk program, got to get on that right away. Way behind the times. Continue to invest. They're number four out of five is be aware of new threats or new cyber criminals who may pose a threat to your organization. 

Brian Selfridge: [00:31:53] So that's just listening to updates like this and paying attention to the evolving threats. And last the fifth item is to utilize government resources designed to help. Healthcare organizations from cybersecurity threats. So this is I do have to applaud the work that the federal government has done with putting out new resources this year, even in the last 6 to 8 months, things like the shields up advisory over the Russia Ukraine cyber cyberwar activity was tremendously helpful. All the FBI and CISA alerts around specific cybersecurity ransomware attacks in particular have been awesome. They've been putting out these case studies. They put out a case study around the Ireland health system, the 54 hospitals that are infected, 80% infected with ransomware. I did a podcast episode on that a couple of weeks ago. You can you can dig into that. But all that that guidance is just awesome. And I'm actually going to cover some more of it in these updates as we go, but really appreciative of the work that they're putting in to share that Intel and provide actionable guidance for us. Now, it's up to us to actually go and do it right. It's not easy as no silver bullet. All right. So the next update I want to talk about is actually the organization HIMSS, the Health Information Management Systems Society. 

Brian Selfridge: [00:33:05] That's probably close enough. Someone will yell at me if I didn't get that quite right. But HIMSS is obviously the dominant healthcare industry resource group, it also has some cybersecurity activity. They just put out a survey that's called the HIMSS Healthcare Cybersecurity Survey. Well, clever name provides insights into the state of healthcare cybersecurity based on feedback from 167 healthcare cybersecurity professionals. So it's not you know, it's not everybody and it's not it's not all executives. It's a swath of sort of analyst level folks all the way up to senior type resources and leaders. But I think it's a statistically relevant sample to get some themes. So some of the things that the survey came away with is that healthcare organizations still continue to be slow to patch. Many organizations are just taking way too long to get these patches out there. However, patching is quicker in response to an active security incident. So if you have an actual threat or somebody is, you know, the ransomware is in the front doors and exploiting a patch, then things get patched immediately. But that's not a good place for us to be as an industry. We've got to get better at sort of getting in those 24 to 48 hour patching windows with these levels of tax we're seeing. That's why ransomware is just being so darn effective as we just we can't get the patching figured out. And when we say slow, I mean, it's not even just like, oh, instead of 48 hours, take 72, there's organizations haven't patched for six, eight, nine months a year, in some cases several years. 

Brian Selfridge: [00:34:28] There's still Microsoft Eternalblue vulnerabilities out there. And on medical devices and other assets that that's a good five, six, seven year old vulnerability that still provides keys to the kingdom. So kind of get better patching. And I think when I think about the patching, it's like we're basically healthcare gets really good at being firefighters, right? We're still geared at like going and putting out the incidents, but we should actually start moving toward being more home inspectors than firefighters. Right. Reactionary models are necessary. Certainly, we need to have that gear to be able to respond quickly, but still leaves a whole lot of burning cyber buildings if we're still just firefighters. So let's try to get this stuff ahead of time. So other updates from the survey are phishing and ransomware are the most common significant security incidents reported. No surprises there, but phishing dominates with 45% of these significant cybersecurity incidents, ransomware has 17% and the rest are all around 5% or less. Phishing is also noted as the primary entrance vector for significant attacks, including ransomware. So that's according to this survey. So that's a perception of cybersecurity people. But honestly, I trust the FBI numbers a little bit better. And they say RDP is actually a slightly, slightly bigger deal, although phishing is still very, very important. 

Brian Selfridge: [00:35:41] The survey also covers the threat. Actors are mostly targeting financial information directly from the attacks, with 52% of the attacks, while employee and patient information are targeted 43% of the time. And so remember that it's not all about I keep an eye on financial crown jewels and information, as that is definitely what's being targeted. Healthcare is spending, according to the survey, spending 6% or less of I.T. budget on cybersecurity. And a whopping 24% of respondents said that no specific carve out is allocated for cybersecurity within the IT budget, which is just bonkers to me. Absolutely nuts. You know, I understand when security rolls up through I.T., there's sort of an understanding that it's going to get a part of that budget. But you've got to start getting a little more specific these days and have a dedicated cybersecurity budget that is defended and doesn't get gobbled up the next time there's a major need for it applications, cloud infrastructure or whatever else that that can gobble up those budgets. We just can't keep stealing from cybersecurity assets. Now, presumably those organizations are still spending on cybersecurity, but we just have to get better at allocating that and getting more I.T. cybersecurity-centric budgets. Now, 40% of respondents also said that cybersecurity budgets did not substantially change year over year from 22 to 2021, which is also kind of crazy, I think, given the massive escalations. 

Brian Selfridge: [00:37:02] We've had ransomware just go crazy over that same time period. And budgets are still static. That's showing an industry that's while they may be more aware of threats and before or is not reacting quickly enough to actually translate that awareness into actionable investment in cybersecurity protections. Now, in terms of budget spend, most organizations are spending more on cybersecurity tools and staffing than they ever have before. So 31% of respondents spent more on penetration testing as well, as well as tools and staffing. So we're seeing when they do spend more that these are the areas that they're putting the money into. Now, legacy operation legacy operating systems, I should say, remain a thorn in the side for healthcare organizations. We still have so many disparate systems applications, and it's just a perpetual challenge to keep them all up to speed on the latest operating systems patch levels, which again comes back to that slow patching thing. It's just the volume of systems we have to worry about and the typical legacy operating systems that are outdated and need to be replaced or upgraded are in healthcare. Windows Server 2008, which 35% of organizations having those Windows seven, 34% of organizations still running Windows seven. That's crazy. And then led legacy medical device operating systems, which is 25%. Now, that's a really interesting survey. I bet you there's way higher than 25% have medical device operating systems. 

Brian Selfridge: [00:38:25] They just don't know whoever's responding to these surveys doesn't isn't paying attention or isn't the visibility. I think it's way higher than 27, 25% personally. But there's the stat and you can decide for yourself. There's also some industrial control systems, operating systems in healthcare, 21%, Windows XP, 20%. Oh, boy. There's no excuses for Windows XP, folks. 20% of you still have it out there. Get an emergency. Talk about firefighters. Get out there and get those patched, get them upgrade and get them removed. And the last is Windows Servers 2003 and 2003 are too with 19% of entities still having those around. So does not paint a good picture for us. That's why we're getting hit with ransomware. It's not a surprise in terms of implemented security controls. The report notes that less than half of health organizations, mobile device management controls, are in place for most of their organizations. So it means like that we're just not getting full coverage of MDM mobile device controls, which is kind of surprising to me in some ways. They also say that only 23% of organizations have MDM fully 100% deployed. So they say single sign on is also spotty on implementation, with half of the organizations only having single sign on deployed for the majority of systems. So gosh, the way these stats read is really difficult to dissect. It's like more than half of organizations have less than half deployment. 

Brian Selfridge: [00:39:46] So I'm sorry to confuse you, but that's the way these things read. It's been really, really hard to digest. They also talk about multifactor authentication as being moderately implemented for healthcare organizations. So when we look at these HHS updates, Biden's advisories, the Russian attacks, multifactor is such a critical layer and healthcare is only moderately implementing it. So get on that if you haven't already. All right. 

Brian Selfridge: [00:40:10] The last update for today and we've covered quite a bit, so thanks for hanging with us. If you've made it this far is around Microsoft teams and hackers using Microsoft teams as a launchpad for malware. And that's this is emerging. So we're still trying to figure out exactly how this is working. But hackers are starting to realize that Microsoft Teams is actually a pretty efficient means of spreading malware and tentacles throughout organizations. Network-specific attacks around teams involve attaching files to team's chats. The name of the file is something like UserCentric.exe, but that can easily be changed to another generic and innocuous-sounding label. So there are these attackers are kind of just plopping these into random teams meetings and teams chats. And then once downloaded, somebody clicks on that executable. It writes data to the Windows Registry, installs DLL files, and creates shortcut links that allow the program to self administer, self propagate, and basically allows the attacker to take control over the victim's computer. 

Brian Selfridge: [00:41:07] So but to be able to use this avenue attack, hackers need to take control of a Microsoft team's account. So it's not like you can just send it from an unauthorized location. But that's where we have our phishing. We have our other compromises. So once an attacker gets access to just a regular end-users, Microsoft Office 365 accounts, that's when they can start launching against teams and sending these malicious files or other attacks. So this is a new attack vector. So we're going to keep an eye on it. Awareness is probably likely the best method of protection right now. Obviously, your endpoint protection stuff will maybe kick up pick up some of this. But we'll see if Microsoft gets on this trend and is able to do any other kind of checks and balances for executables in particular, again, in teams. I don't think the average user needs to be swapping around executables in general, so hopefully, they can do something about that. So get some awareness in place for your program and hopefully. Keep an eye out for anybody reporting such activity. All right. 

Brian Selfridge: [00:42:06] That's all for the session of CyberPHIx Health Security Roundup. We hope this has been informative for you. We'd like to hear from you. Can we talk about any of this? Just reach out to us at [email protected]. Now, that's all for this week. So, so long. And thank you for everything you do to keep our healthcare systems and organizations safe.