The CyberPHIx Roundup Special Edition: Russia/Ukraine Cyberwar Preparation & Response for Healthcare

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. 

Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyberattacks stemming from the ongoing conflict between Russia and Ukraine. 

Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches.  

This special edition of The CyberPHIx provides guidance for US-based healthcare entities for preparing and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict. We also cover a few other news items trending in healthcare cybersecurity and compliance. 

In this episode, our host Brian Selfridge highlights the following topics:

  • Russia-Ukraine cyberwar overview
  • Russia’s cyberwar capabilities & attack methods
  • Analysis of darknet cyberwar activity
  • Guidance from the CISA, FBI, & NSA on the Russia/Ukraine cyberattacks
  • Recommendations for healthcare cybersecurity leaders to prepare and respond to cyberwar activities
  • Upcoming deadline for HIPAA breach reporting to HHS
  • Details on a new bill introduced to modernize HIPAA
  • Analysis of the HHS report on securing Electronic Health Records (EHR)


Brian Selfridge: [00:00:11] Good day. Welcome to the CyberPHIx Healthcare Security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, along with blogs, webinars, articles, and lots of other educational material. We have a unique agenda to cover today, so let's dive into it, shall we? 

[00:00:45] Ok, we're going to focus the bulk of our session today on the emerging cyber crisis resulting from the physical and cyberwar underway currently as Russia attacks and invades Ukraine. Before we do that, I want to extend my support for the Ukrainian people during this terrible situation. I've actually spent a good amount of time in Ukraine and cities up and down the Dnieper River and on the Black Sea, and I've had the privilege of making great friends in Ukraine who are now struggling to protect their children and their families. So our thoughts and support are with you, and we hope everyone is able to stay safe or find a way to get to safety either inside or outside of the country. 

Brian Selfridge: [00:01:24] Now, as it relates to the matter at hand in terms of healthcare cybersecurity, healthcare organizations have been scrambling this week to adjust their cybersecurity preparation and response capabilities in the wake of potential cyber attacks stemming from this ongoing conflict between Russia and Ukraine. 

Brian Selfridge: [00:01:40] The U.S. Cybersecurity Infrastructure and Security Agency, or the CISA, has summed up the situation as follows "Russia's unprovoked attack on Ukraine, which has involved cyberattacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our allies. Every organization, large and small, must be prepared to respond to disruptive cyber activity". 

Brian Selfridge: [00:02:13] So Meditology and I have been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches to this situation. So we're going to cover updates today, including guidance for U.S.-based healthcare entities for prepping and responding to cyberattacks and cyberwar tactics deployed specifically as part of this ongoing conflict. So we're going to start off by talking a little bit about an overview of the Russia Ukraine cyberwar in general and then get into specifics of the actual threat vectors and attacks. So Russia's attack on Ukraine thus far has included a barrage of cyberattacks that could potentially introduce targeted or collateral damage to many industries, including healthcare. Cyberattacks stemming from this conflict are likely to impact organizations, as well as the software supply chain or the vendor supply chain, in our case, both within and outside of Eastern Europe. Healthcare entities in the U.S. are already facing a barrage of ransomware attacks, right? So it's not like this is entirely news to us, you know, stemming from these same Russian and eastern European sources that have specifically targeted healthcare organizations over the last couple of years. 

Brian Selfridge: [00:03:19] And we've had no shortage of coverage on that. So you can go back and listen to and check out our resources on those ransomware attacks sourcing from this region. Now, in addition to direct attacks, you know, many of the healthcare's third and fourth-party vendors have assets in Ukraine, assets in Russia, assets in Belarus, Eastern Europe, and these other related countries that could be impacted by the escalation of cyberattacks. So it would be nice for us to say that's a problem that's happening over there, that won't impact us. But I think that's pretty unlikely given the connected nature of our services and our industry with respect to vendors in particular. We've also seen counterattacks from hacktivists and other entities that are contributing to the situation that could either escalate the situation or create collateral damage in some cases on the cyber front. So the infamous group Anonymous has been very active in targeting and defending Ukrainian cyber assets, as well as conducting offensive attacks against Russian assets. And then another hacktivist group, for example, called the cyberpartisians. I don't know if I'm pronouncing that correctly. I never quite am. But they've also been active in Ukraine cyber defense. So we have a lot of folks getting into the mix. 

Brian Selfridge: [00:04:32] I think that's going to continue to escalate as this situation evolves. So healthcare entities need to be vigilant in preparing and responding to these attacks one way or the other. So we're going to talk some more in the content here about the details of what to be prepared for and how to best respond. So I want to begin, I guess, I suppose I'm not beginning, but I want to talk about Russia's cyberwar capabilities and attack methods. I think that's probably first and foremost for folks to get a handle on to understand, you know, what you're going to do to protect against them. So Russia has launched a wide range of cyberattacks targeting Ukraine, including destructive malware, and we'll talk about that in some detail. Distributed denial of service or DDoS attacks, phishing attacks, brute force attacks, website and web-facing defacement, as well as, of course, ransomware attacks, right? No surprise there. So when I mentioned the destructive malware, I do want to dig into that quite a bit. So the Microsoft Threat Intelligence Center, or MSTIC, and other threat intelligence sources have disclosed that the WhisperGate destructive malware is actively being used to target organizations in Ukraine and beyond. There's also the HermeticWiper malware, which is actively in use and results in a boot failure and renders systems inoperable. Both are considered destructive malware, and the Department of Health and Human Services Health Sector Cybersecurity Coordination Center, or HHS, has urged healthcare organizations to remain on high alert due to the destructive nature of the HermeticWiper and the WhisperGate malware. 

Brian Selfridge: [00:06:12] Recent CISA and FBI advisories have put out more information around this destructive malware and have noted that destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities in systems for quiet and easy access. The advisories from CISA and the FBI further say that the malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it's important for organizations to assess their environment for atypical channels for malware delivery and/or propagation through their systems. That's sort of the end quote from those advisories. 

Brian Selfridge: [00:06:59] Now we've also been watching some updates from other cyber threat intelligence agencies and private sector organizations, and one of them is the cybersecurity firm Mandiant, as they've completed an extensive and ongoing analysis of Russia's cyberattack groups and capabilities. So cyberattack groups linked to the Kremlin are designed to serve multiple functions for Russia, including general espionage activity, as you might expect, as well as offensive cyberattack capabilities, which we're seeing being deployed in this conflict. Mandiant notes that there are three Russian teams in particular, of many, and there's a whole sort of hierarchy. 

Brian Selfridge: [00:07:38] If you want to sort of learn about that, we can catch up with you offline. But there are three teams in particular that are focused on cyberattacks and that sort of offensive capability. And those attack groups are called Sandworm, which is probably the most prominent one, TEMP.Isotope, and TEMP.Veles. I may be pronouncing those correctly or not. I don't really mind defending them if I am pronouncing it incorrectly; they're not good actors. So targeting from these Russian cyberattack groups focuses on the software supply chain, which we saw with SolarWinds last year, so you know, they want to make it as easy as possible to scale their attacks. That's been a big theme. We've talked about it here in the podcast over the last couple of years and months that that's really where these attack groups are headed, Russia in particular. So those supply chain attacks are a great way to sort of breach once, spread your malware many times. They also look at strategic web compromises to kind of effect the same result, as well as direct targeting of organizations when they want to go sort of one on one with certain organizations to go after them for ransomware or for other attacks historically. And now, obviously, as part of this Ukrainian conflict, there are several types of attacks employed by these groups that range from gaining initial access and then waiting for future exploitation of assets. 

Brian Selfridge: [00:08:58] So that's more of the sort of let's just get in, get a foothold, wait until there's a reason why we need to exploit it, and sort of build up an inventory of breached organizations that then can be used later. Apart from that type of attack, they're also going after wiping or destroying of target systems, as we saw with that HermeticWiper and the other one that I mentioned earlier. So that's a known target and threat approach that they're using now, as well as their other favorite flavor, which is deploying ransomware or fake ransomware attacks. And I'm still trying to figure out exactly what fake ransomware does. It looks and feels a lot like ransomware. Your system's been infected. It gives you a warning notice, but they're not following up for actual ransom payments. I don't know if they're just using the templated malware as a way to get in, and they don't really want to customize it. They just want to get in and do what they're going to do. Still trying to figure that one out, but they do ransomware attacks and fake ransomware attacks. CISA has also released details about a different new malware called CyclopsBlink that targets network devices and is being used by the Russian Sandworm group, that one that I mentioned earlier. The CyclopsBlink malware, brand new, collects device information, sends it to a command and control server, and is capable of downloading and executing files, as well as pulling down more code or exploits at a later time. 

Brian Selfridge: [00:10:25] So, you know, you can see that being like just a utility tool for them to launch whatever types of payload they would like to, depending on the attack, depending on the situation. So that's something that's been used actively as part of this Ukrainian attack over the last several weeks. Now, some other independent researchers have located web services hosting cloned copies of a number of Ukrainian government websites as part of this whole cyberwar. For example, the main web page of Ukraine's Office of the President is reportedly booby-trapped with malware. The cloned version of this website was modified to contain a clickable "Support the President" campaign that, once clicked, downloads a package of malware to the user's computer. So they're using all kinds of methods to achieve the aim of gaining access, wiping systems, causing disruption, defacing, and all those things that we mentioned. Now we've also taken a look at some additional insights from a leading threat intelligence provider called DarkOwl, who we've partnered with, who's provided insights and analysis into dark web discussions and data exchanges on the dark web related to the Russian attack on Ukraine. So DarkOwl compiled and reviewed Ukraine-related data on popular deep web forums. 

Brian Selfridge: [00:11:46] I want to share with you quite a few insights that they're seeing in those dark forums on information related to these attacks. So, according to DarkOwl, several Ukrainian government networks were compromised during a series of cyberattacks in January of this year. So that's before the sort of full-on invasion. The WhisperGate destructive malware that we mentioned earlier was deployed in these particular instances. And then, within hours of Russia's initial cyberattacks against Ukraine in January, data described as originating from the Ukrainian government appeared on forums across the darknet and the deep web, and many of the leaked archives were created within just a few hours of the attacks. So that was interesting. And the DarkOwl folks say there's no indication that they were directly obtained as a result of the January attacks, or they're trying to figure out if this is data that was out there and just hit. They sort of posted it all to the dark web and made it available now that there was this formal conflict, or we're not quite sure what the history of events is, but we're definitely seeing those. And then multiple Ukrainian government, nonprofit, and information technology organizations experienced cyberattacks and website defacements as part of this January situation. Attackers used a ransomware-style malware, as they're calling it, as the primary attack vector, and they posted these ominous messages in the Ukrainian language, Polish language, and Russian, and I'll read you the language. 

Brian Selfridge: [00:13:13] You can decide if they're ominous or not. It says, Ukrainians: "All your personal data was uploaded to the internet. All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst." Ok, so I guess that's ominous. That sounds ominous to me. One of the leaked databases that was discovered on the dark web was actually a healthcare database called Medstar.SQL. So MedStar is a commercial cloud-based, they say, digital medicine provider with telemedicine, prescription, medical imaging, and laboratory medical services servicing Ukrainian locations and organizations and health systems. So that's a tie to us and our healthcare side of things. Another database that was leaked or put on the dark web as part of this attack was mobile app information that contained official documents of citizens like passports and those types of documents, although it only contained information on 77 individuals that was made public. Although sometimes these dark web releases will just provide a sample and say, Hey, here's the data I have, and they want to sell it and they'll tell you they have a lot more data behind it. So it's unclear whether there's a larger database sort of available there. It's important to note that DarkOwl, the organization, stated that there's no evidence to conclude that any of the recently shared data was sourced during the mid-January cyberattack. 

Brian Selfridge: [00:14:42] So again, was it just posted or was it sourced during these attacks? It's not clear. They also noted that the mid-January website defacement appeared to be a Russian-sourced false flag operation intended to incriminate Poland, in particular, in the Ukrainian hacks. The way they figured this out was the Polish translation used in the attack was determined to be from a non-native speaker, and as they stated in their analysis, it was very likely generated with Google Translate. So you know that that sort of leads it to being a non-Polish-sourced attack. It should be noted that Ukraine has officially attributed these defacement attacks to a certain cybercriminal group operating out of Belarus. So, you know, attribution of these attacks is always a bit murky. So we're seeing different sources saying kind of different things. But regardless, the attacks happened and there's data out on the dark web, as referenced here. Now I want to change gears a little bit here and talk about, OK, so those are some of the techniques, some of the malware being used, some of the approaches by the Russian cyberattackers. But now I want to talk a little bit about what are some recommendations for healthcare CISOs and healthcare leaders of all types, CEOs inclusive of that. So the American Hospital Association, or the AHA, issued guidance recently for healthcare organizations about, as they say, the growing cyber threat from rising geopolitical tensions. 

Brian Selfridge: [00:16:15] HHS said that hospitals and health systems may become incidental victims or collateral damage to Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. healthcare entities. So basically, as a result, you know, healthcare organizations, in my view and I think in many others', need to heighten their alerts and preparations for attacks on the infrastructure and supporting IT systems and applications. You know, healthcare entities need to also defend against risks associated with third-party vendors. I mentioned that a little bit earlier, and the software chain. So approaches for protecting the supply chain include identifying potential targets in the vendor portfolio, identifying which vendors are susceptible to these types of attacks, and also which vendors have assets or data or services and capabilities in Eastern Europe in particular, and obviously in Ukraine or Belarus. These types of areas, we want to know that more particularly and sort of look at your inventory, do some analysis, do some reach-outs and assessments to vendors to just identify how to do that. And there's a bunch of tools and capabilities that can do that. Our sister company here to Meditology, Corl Technologies, has run some analysis on those vendors. You can reach out to me separately for that. If you'd like to know which vendors in healthcare are more susceptible and at risk to these locations and attacks, we can catch you up on those. 

Brian Selfridge: [00:17:38] And I may put something out on that later when we have a chance to compile all that for you. But so, and then also, you know, monitoring these vendors and their resilience capabilities to see if they're able to withstand these ongoing cyberattacks, not only the ones that are geolocated in these areas but others that may become collateral damage, just as our own organizations may, maybe ourselves. So CISA, the FBI, the NSA and other federal agencies in the United States have put out guidance in the last several days and several weeks on how to deal with this emerging cyberwar crisis, if you will. So the guidance is aimed at reducing the likelihood of a damaging cyber intrusion, as they call it. So specific recommendations for healthcare entities include: one, validate multifactor authentication is in place for remote and privileged access. So you don't necessarily need multifactor for every single interaction you have internally on the network, but certainly any remote access. And for those keys to the kingdom, privileged users, you want to make sure MFA is in place for those because that's where a lot of the attackers will spend their time going after those elevated accounts, those domain admins, those application admins, those types of things. They also say to make sure your software is up to date, no surprises there. That's classic patching stuff. And as was mentioned earlier, the Russians in these attacks are using known exploits and known vulnerabilities to gain an easy and sort of silent, quiet way in, so patching is everything. 

Brian Selfridge: [00:19:09] If you're not doing that well now, it's a good time to ramp up on that. They say disable unnecessary ports and protocols, as well as validate cloud security configurations and make sure they're aligned with industry best practices. I thought that was pretty interesting for them to call out cloud-hosted and cloud security in particular. Again, that's a whole separate sort of can of worms that we can talk about, and our Meditology cloud security folks are all over this and you can reach out to us if you want to know specifically what to do there. CISA also recommends taking steps to quickly detect a potential intrusion, including enabling logging. And they're saying, you know, go above and beyond on your logging capabilities, right? You should be not just doing the standard day-to-day looking for anomalous activity or the standard alerts you set up. But really, make sure logging is enabled, even at a heightened level, on key systems, network devices, key applications, and that obviously somebody is looking at those logs and their systems are analyzing those logs for anomalous behavior. They also recommend, CISA does, focusing cybersecurity and IT personnel on monitoring activities. So kind of ramping up your standard monitoring, whether you have one or two folks or a SOC/NOC type of environment, really sort of tuning that up and turning the dial up a bit on that, adding more personnel where appropriate to make sure that you're monitoring in every way you can. 

Brian Selfridge: [00:20:32] Also confirming that anti-malware software is applied across all systems. So that's been a big gap; we see this with assessments of organizations as well, where there's an assumption that, well, we have this AV tool or anti-malware solution, and it's deployed everywhere, but very often there are gaps and there's some issue where certain systems aren't getting updates or don't have it applied for some reason. So really making sure you do that scope analysis and make sure that you have consistently applied anti-malware, and sometimes that requires just doing walkthroughs and sampling of your environments and making sure that stuff's up to date and validating that assumption that everything's deployed centrally and effectively, because very often it's not. And those are the systems that get hit, and then it starts spreading from there. They also recommend monitoring and inspecting any traffic coming from Russia or Ukraine. No surprises there, and then reviewing access controls related to any of that traffic. So even if it's legit or pseudo-legit, looking at, you know, what access the individuals on either end of that transmission have to other assets in your organization. So that's that whole kind of lateral movement concern. The guidance also includes ensuring that your organization is prepared to respond if an intrusion occurs, including designating a crisis response team, identifying points of contact for technology, communications, legal and business continuity resources, ensuring availability of staff for incident response, as well as, they say, providing and preparing for a means to handle surge support for incident response. 

Brian Selfridge: [00:22:03] So those, as you know, when the big incident happens, you have retainers, somebody on contract, some additional arms and legs and resources to help you get through it. And then, of course, they recommend conducting tabletop exercises about this particular cyberwar situation as well as just routinely in general. Now, CISA is also weighing in on ways that healthcare entities can maximize the organization's resilience to a destructive cyber incident, including testing backup procedures for critical data and systems and isolating backups from network connections. That's often a step that's missed; if they're on the network, they can be hit just as well and knocked out. The U.S. federal government urges CEOs in particular and leaders to empower chief information security officers during this crisis, so I hope that's music to all of your ears over there. It's time for the CISO to get the resources they need and become empowered, even more so. So hopefully you can send those advisories on to your leadership and say, See, we're important. Please give us money, time, and resources to help fix this or prepare. So organizations are advised to lower reporting thresholds to identify, capture, and respond to attacks or abnormal network activity. 

Brian Selfridge: [00:23:13] So that's that whole idea of sort of increasing your monitoring capability. And healthcare organizations are further advised to focus on business continuity processes and capabilities and to, quote-unquote, plan for the worst. So don't just assume it's unlikely you'll get hit or there won't be any collateral damage. Plan for the worst. Be ready to go. Do those tabletop exercises, and Meditology has issued all kinds of guidance on business continuity and incident response planning. Again, you can check out our resource center and filter a little drop-down on incident response if you want to see our podcasts and blogs and infographics and webinars and all that good stuff on how to do that well in a healthcare setting. So CISA has also issued an alert to specifically protect against destructive malware like the WhisperGate and the HermeticWiper malware that I mentioned earlier, used in Russia's latest attacks against Ukrainian assets. So recommendations from CISA's alert, and if you want to look this up, it's Alert AA22-057A, Destructive Malware Targeting Organizations in Ukraine, include recommendations that I'll summarize for you here if you don't want to look that up. They say, you know, make sure to establish network segmentation and access control lists. So that's to prevent or reduce the spread of the malware or the malicious actor across the entire kind of flat network, as a lot of healthcare networks are flat and open, and that's good for connecting and getting health information to the right places. 

Brian Selfridge: [00:24:43] But it also is bad news for these types of attacks. They recommend putting network and storage devices on separate, restricted VLANs, as a lot of organizations don't take that step, but that's a big one. Those are your crown jewels. Requiring multifactor authentication, we already talked about that. They also recommend restricting the Everyone, Domain Users, and Authenticated Users groups in Active Directory in particular, making sure that those can't access every workstation in the environment, every server in the environment, shares and all those types of things. They also talk about service accounts in particular, so those machine-to-machine administrative accounts, and recommend denying access to network shares for the service accounts and prohibiting local and interactive logons from service accounts. And that's a big one. From the hacking and pen testing that we do, very often you get a service account with elevated privileges, either a domain admin or similar, and then all of a sudden you can get to everything and log in to devices directly. There's really no good reason for a machine-to-machine service account to be able to log in locally to a workstation or a server. Well, maybe some servers, but it just doesn't make sense. And it's fairly easy to turn that off. Well, nothing's easy, right, at scale, but fairly straightforward, at least. So they recommend also logging and monitoring network flow, detecting port scanning and detecting network configuration changes. 

Brian Selfridge: [00:26:06] That's another big one, as well as staggering automated patching schedules. And this is because there's an issue where a lot of times these attackers will first focus on hijacking your automated patch deployment software so that they can just push out the malware in one shot. So the recommendation is, you know, have your patch deployment software deploy to just a subset of systems each day and, you know, through the course of a week or whatever, everyone is staggered so that you can sooner detect if something malicious has been put out, and then at least only a subset of your environment has been impacted, as opposed to it just getting blown out to the whole system within hours, right? So we talked about their desire to scale their attacks, and that's one of the methods that they use. So I thought that was an interesting recommendation. They also recommend hardening systems with patching, scanning and best-practice operating system configurations. There's lots of examples of that. The CIS benchmarks are great for your operating system configurations if you want to look at hardening those. And then the last thing they recommend is performing a business impact analysis. So that comes back to that whole business continuity preparation stuff. So just wrapping up, we've spent a ton of time on this, but hopefully this is a topic you want to know about. 

Brian Selfridge: [00:27:22] I hope I did want to know about this and have enjoyed the process of staying on top of it. But ultimately, these cyberattacks stemming from the Russian invasion of Ukraine are likely to continue for some time as the conflict escalates and evolves into the summer and beyond. So we just have to continue to make proactive investments in cybersecurity, defense and response capabilities, and keep that heightened state of readiness to combat the growing threats of ransomware by itself, sort of independent of all this, as well as obviously this cyber warfare activity in the months ahead. So we'll keep monitoring the situation for you and we'll keep updating you in these sessions and otherwise as the crisis evolves. All right, moving on from the Russia Ukraine situation, I want to provide a few HIPAA-related updates quickly here. First and foremost, there's actually a deadline this week to report HIPAA breaches impacting fewer than five hundred people. It's actually March 2nd, which is, I think, exactly when we're dropping this episode. So if you're listening to it on the day of, you've got it; if you're listening to it after that, get on it. Don't be too late with submitting this. Of course, any breaches impacting more than five hundred individuals need to be reported in more real time in alignment with breach notification and breach reporting rules. But we can't forget about this annual checkpoint where we need to report all of the other stuff, all the other low-flying breaches that most healthcare organizations experience some form of throughout the course of the year. 

Brian Selfridge: [00:28:48] So stay compliant, folks. Make sure you get your information into HHS; we wouldn't want to see you end up on an investigation audit list by not getting your intel in there. Now, in other HIPAA news, U.S. Senators Tammy Baldwin and Bill Cassidy have introduced the Health Data Use and Privacy Commission Act, which is intended to modernize health data privacy laws and reflect the current tech landscape. So this is basically a new bill to modernize HIPAA and bring it up to speed. You know, we're coming up. 1996 was quite a while ago, when HIPAA was originally created, and the privacy and security rules in the early 2000s. It's time for this to update, whether or not this bill becomes the actual one that gets through. We've been talking about how this is going to continue to evolve, and a lot of these early attempts at it, I think, are going to lay the groundwork for what we can expect to see in larger HIPAA overhauls. But this is very specific. So highlights of this bill include: the act would establish a commission to review existing health data protections and assess current practices for health data use. So there's kind of an assessment component of this up front. 

Brian Selfridge: [00:30:04] So the commission would also provide recommendations on whether federal legislation is necessary. Again, that's the sort of HIPAA overhaul, and if so, they're going to provide specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations related to individual health privacy. So it's got that whole privacy feel, and there's going to be a security feel to it. The potential reforms to existing laws would consider, as they say in their announcement here in the draft bill, enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices. So the senators stated that the impetus for this change is that HIPAA must be updated for the modern day, which I would agree with. The proposed legislation has also already garnered support from organizations like Athenahealth, Epic, IBM, Teladoc, the Federation of American Hospitals, the American College of Cardiology, and the Association for Behavioral Health and Wellness, among others. So we'll keep an eye on this one and let you know if this becomes law or if it moves forward and how this plays out over time, but that's a pretty interesting one. 

Brian Selfridge: [00:31:31] All right. In other news, the HHS, the Department of Health and Human Services, has issued some really solid guidance on securing electronic medical records. I'll share some of the key takeaways with you. I thought this was a really interesting artifact that they put out in the last couple of weeks. So in 2021, HHS received reports of data breaches from 578 healthcare organizations, impacting more than 41.45 million individuals. And there's that whole reporting process we just reminded you to do. So that's in just the last year alone. That's a pretty staggering number of individuals affected, 41 million. So the following list here is organizations with the most individuals affected last year. So I'll just rattle them off. It's kind of interesting: a Florida pediatric health organization (it says pediatric twice for some reason) at 3.5 million individuals affected; a Florida vision care provider at 3.25 million patients; a Wisconsin dermatologist, 2.41 million patients; a Texas health network with 1.6 million; an Indiana general health provider, 1.52 million individuals affected; an Ohio pharmacy network, 1.4 million; a Georgia health network, 1.4 million; also a Nevada university health center, 1.3 million; New York anesthesiologists, 1.27 million; a New York medical management solutions provider at 1.21 million. So those are all sort of a million and above, obviously all over the country, a lot of East Coast there, for sure, but quite a mess to deal with. 

Brian Selfridge: [00:33:05] Now, some of the top threats that the HHS notes against electronic medical records in particular and health records are phishing attacks, malware and ransomware, encryption blind spots (and I'll tell you what they mean by that in a second), and cloud threats, as well as just employees and insider threats in general. So what they were talking about with this sort of encryption blind spot is the idea that you have these spots within your networks. Obviously anything coming from the external network to your internal network is very often, pretty typically, encrypted using all the usual stuff, SSL and the like. But what happens is a lot of times you'll have this sort of boundary zone where information then gets internally into the network and then gets translated to other environments in the network. And sometimes even internally, there are systems that get encrypted; once it gets into your electronic health record sort of ecosystem or network, it sort of becomes encrypted again. But there are these gaps where it's getting transferred between different network segments, basically across unencrypted channels, and those are the ones that they're worried about, and those are the ones that they're seeing issues with in terms of those blind spots. So that's about as technical as I want to get with it right now, just in the interest of time and our focus here. 

Brian Selfridge: [00:34:23] But the report also takes notice of strategies that healthcare leaders should consider to strengthen their organization's cyber posture, so they talk about evaluating risks before an attack. So that's your whole security risk assessments, your HIPAA risk assessments, all that stuff. Getting that done, pen tests, using VPN with multifactor is really big, they recommend, and I'd agree with that; developing an endpoint hardening strategy; developing endpoint detection and response capability; protecting emails and patient records in general; engaging cyber threat hunters, another one they mentioned; and then conducting red team/blue team penetration testing exercises as well. So leaders in the healthcare industry should consider developing a strategy to combat ransomware that specifically targets Remote Desktop Protocol, they say, so RDP and other applications that are internet facing. So I found that to be pretty interesting. Now, that whole thing around cyber threat hunters, they elaborate on that a little bit, and I want to sort of mention what that means. So threat hunting is a proactive practice that finds threat actors or hackers who have infiltrated a network's initial endpoint security defenses. And this type of human threat detection capability operates as an extension of the organization's cyber team so they can track and prevent or even stop potential cyberattacks. So very often that sort of threat hunting then feeds into red and blue team exercises, or purple team exercises as another flavor of those, which basically create that sort of face-off between the two teams of highly trained cybersecurity professionals. 

Brian Selfridge: [00:36:00] So an organization like Meditology is often the red team that's attacking, simulating the bad actors and using real-world techniques to do so. And then the blue team will be incident responders and defenders just trying to detect and respond and address that. So I'm sure a lot of you have done those types of exercises, but HHS is really calling that out as being a very important thing to focus on and spend some energy on. If you want to learn more about that, feel free to reach out to us. We can tell you all about how those work and help you out with them, if necessary. So alas, we've spent an above-average amount of time on this update, and we've got several more updates for you for next time. We're going to cue those up because we want to keep you engaged and not falling asleep from my ranting and rambling on all of these things. 

Brian Selfridge: [00:36:50] That's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you, and we'd love to hear from you if you want to talk about any of this. Just reach out to us at CyberPHIx@Meditology. And that's all for this week, and so long, and thank you for everything you do to keep our healthcare systems and organizations safe.