The CyberPHIx Roundup: Industry News & Trends, 3/4/21

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:10] Good day. Welcome to the CyberPHIx healthcare security roundup, the quick source for keeping up with the latest cybersecurity news trends and industry lending practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup. Be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare, security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have some intriguing updates for you today, so let's dive into it.

Brian Selfridge: [00:00:45] United Health Services suffered a high profile ransomware breach in September of twenty twenty last year that impacted there many hospitals across the country. UHS announced that it cost more than 67 million dollars due to lost revenue and diverted patients as well as restoration costs. It's important to note that the company did not pay the ransom in this case. But these costs mount really quickly when systems become interrupted for extended periods of time. So the latest news I saw is that your house is still cleaning up in some respects and getting systems fully back and operational. Even now, months after the attack we've been talking about for some time here, the patient safety impacts when patients get diverted from hospitals and systems become unavailable. So this is not a new trend for us. But seeing that big revenue cost 67 million quantified, I think is a bit of a slap in the face and a shock value factor that, you know, these costs are much more than just those types of revenue costs. We also have the patient safety impact, as we've been talking about week over week here, and also potential regulatory action. I think the door is always open when you have large scale breaches like that and experience multiple breaches. We've seen OCR coming on the tails of that in many cases.

Brian Selfridge: [00:01:56] We have a long way to go and defending against these attacks and have become big business for international crime syndicates. And I think that's going to continue, unfortunately, for some years to come, if not decades to make sure you get your incident response tabletop simulations done, get the highest levels of leadership there at the table, double down on your phishing awareness and testing and perform routine penetration testing and give yourself a fighting chance against these attacks.

Brian Selfridge: [00:02:21] Our next update is providing a little bit of an overview of the enforcement activity from 2021 so far for OCR. And I'll be brief, since we've talked about some of these cases, but we have really four or five cases this year that are worth pointing out. We had the Excellus health plan settlement for five point one million dollars where they had a breach way back in September 2015. And Excel has filed that report that hackers can gain access to their systems for the breach that extended from 2013 through 2015. More than 9.3 Million people involved, classic case malware installed led to Social Security numbers, bank accounts and other information being taken out.

Brian Selfridge: [00:02:59] And, of course, yet another OCR settlement with failure to conduct a risk analysis or proper risk analysis. We talk about that theme a lot. And this includes corrective action, including a two year monitoring of OCR, which is also typical. Another case enforcement case this year in twenty twenty one is the seventy thousand dollar settlement with Sharp Healthcare in San Diego, where they announced this earlier this year related to the HIPAA Right of Access initiative. And there was a complaint in twenty nineteen for this one. The patients were able to get access to their electronic copies of their records that led to a serious investigation and the seventy thousand dollar settlement. And you'll sense the same theme here with the with the next couple updates from OCR this year.

Brian Selfridge: [00:03:45] We had Renown Healthcare, agreed to pay seventy five thousand dollars for another right of access violation. So a similar situation here. OCR launched the investigation, found that the organization was not providing timely access to requested records, including billing records. And they also have to do a two year corrective action monitoring plan by OCR.

Brian Selfridge: [00:04:06] And the last one Banner Health is a two hundred thousand dollars settlement. Also HIPAA Right of Access privacy rule violation, where we had a claimant request their access. Couldn't get access to it in December twenty seventeen didn't get it till over a year later, almost a year later. And then a second complaint where the patient requested access, couldn't get it. And then there had to be this whole investigation before or release the records. So, you know, you sense a theme here. Another two year monitoring by OCR, big focus on privacy, right to access violations, similar updates on lack of appropriate risk analysis. So many themes that continue. But hopefully you can take those to your own shop and see how you can prioritize your own program initiatives accordingly to anticipate some of those activities.

Brian Selfridge: [00:04:57] Another update this week. Accellion file transfer application and company had a significant breach. And this is yet another major breach associated with high profile attacks on the technology supply chain, not only for health care, but across multiple industries are getting hits from the supply chain attacks. So as you might expect, file transfer technology in particular shuffles around a lot of sensitive information and its large files, large sensitive files, stuff that can't fit an email and gets get sent around that way. It's like your box file transfers and everything else. But this one is a little bit different in the sense that it resulted from a classic SQL injection attack against the almost 20 year old software product in code. And this doesn't surprise me in the least. I mean, I was doing SQL injection attacks twenty years ago. As a protester and a hacker, and that was all the rage for software vulnerabilities, it's still out there a little bit, but this particular software hasn't been updated in 20 years. So I'm kind of not surprised that there's still SQL injection vulnerabilities on it. And so the key here is that the vulnerability has been here all along. Right. And like the solar winds attack that we've been talking about and we're still seeing that play out, the malicious actors here are starting to recognize and exploit the weaknesses of the supply chain and recognize there's this a lot of old legacy stuff out there. Folks haven't been paying attention to securing the supply chain quite that well. And so this stuff is just ripe for the picking for for the malicious actors.

Brian Selfridge: [00:06:21] In this particular attack with Accellion allowed the malicious actors to gain access to about a third of accelerants client base, or almost 100 hundred organizations, of which about twenty five received ransom threats over the data they had stolen through the platform. Now, these weren't traditional ransomware. It wasn't ransomware. They didn't install malware that's are locked up the systems. They took the data and threatened ransom for that information from the attack. If you want more information on these supply chain attacks, check out a webinar I just delivered last week with CORL Technologies on these attacks and their impact specifically on health care. It's posted on vendorsecurity.com if you want to check it out.

Brian Selfridge: [00:06:58] Speaking of solar winds and supply chain attacks. There are some news worth mentioning this week on that front as well. This massive third party breach is still playing out with SolarWinds. And we're learning more about the attack as as it unfolds. And as we look through investigations of the many organizations that were impacted, the attackers exploited a hardcoded password in the platform, which was the actual password was solarwinds123. Don't laugh. I hear you chuckling. This in and of itself is not terribly surprising. I hate to say we do penetration test of health care systems. We've been doing it for a long time and know that many such accounts exist in both hardcoded settings like this one and even more alarming cases where we see these generic administrator accounts that are used for remote access, even over traditional cloud access platforms and remote access technologies across the entire customer by customer base, using a simple password easily guessable that's shared across the entire ecosystem.

Brian Selfridge: [00:07:55] That's a problem and absolutely needs to be addressed across the supply chain in our assessment and implementations. And we've got to hold our vendors accountable for these absolutely unacceptable and negligent practices. But what's a bit more alarming this week with the solar wind's attack and response is that the SolarWinds CEO, Kevin Thompson, testified to the House Oversight and Homeland Security Committee this week and blamed the issue on an intern, which is kind of wildly absurd in my view. And I'll explain why. So this hardcoded password, easily guessable password, was created by Mr. Thompson's firm by SolarWinds well before this intern ever existed in their ecosystem. It's been deployed to thousands of clients for years and allowed to persist. So the intern did make a mistake and posted the code to a public GitHub code repository, which which does happen. That's not entirely uncommon. It does happen. I'm not saying it's a good thing, but the questions and finger pointing should not be about what the intern released, but in terms of blame and root cause. But why did this ridiculous password exist in the first place for access to the core update platform of this this critical system? And also, why did an intern even have access to it in the first place, let alone be able to post it?

Brian Selfridge: [00:09:11] Those of us that work regularly in the space know that several fundamental security control gaps were missed here and if caught and if emplace, would have mitigated either prevented this attack or mitigated it to a large degree. And we're talking about just industry standard frameworks like NIST, HITRUST, SDLC system development lifecycle standards that that absolutely should not allow this stuff to happen if you're assessing and building your program around those. So we have breakdowns here and configuration management and vulnerability management and the SDLC security checks and product quality assurance access controls for sure. Right. What's our intern doing with this access? Why is it that simple? Why isn't there privileged access control around important passwords, some pretty fundamental stuff. So those those are systematic and systemic fundamental issues.

Brian Selfridge: [00:09:58] And up until now, I've been viewing solar winds as a as a bit of a victim here and had a high degree of sympathy for them. This is a large scale, sophisticated attack from a nation state using lots of resources. I mean, you know, no one's going to really point the blame at SolarWinds on that account. I think up until this point, however,  taking the position, the CEO to stand up in front of the House and say, you know, the cause for this as an intern is just absurd to me and shirk the responsibility that organizations have to fundamental security protections.

Brian Selfridge: [00:10:31] It's also more clear to me now why that password was never changed and other controls were not put in place in the first place. If you've got leadership as CEO on down, that demonstrates this kind of shirking of responsibility and perhaps a lack. Of understanding of their security obligations and control environment, then it's no wonder we kind of ended up here. So I'm far less sympathetic at this point. You know, it's kind of like use an analogy. It's kind of like giving the keys to your car, to your teenager. But before before he heads out for for his first ride, you  remove the brakes, take those out. You don't need those. Let's move fast. Let's let's not replace those burnt out headlights. Let's take off his glasses while we're at it. You know, make it a bit easier. Then let's send him home driving down a dark, windy road and then blame him for getting into an accident. Right. I mean, it's like it's not about the teenager's fault at that point. I think that's the case here by I kind of pointing this in an intern. But we've seen this with other breaches where, you know, sometimes the cover up and the deflection of blame does more damage than the attack itself, although it's hard to do more damage than the solarwinds attacking in particular, given the scope and scale of it. But the solarwinds folks appear to be headed that way with their position here in the case of doing more damage than help, in my view.

Brian Selfridge: [00:11:45] A closing commentary today is around some reaction to some comments that were made by Mandiant CEO, different CEO with a different perspective on this stuff and one that I think resonates a little bit better with me than the prior story we just covered. So I'm going to stay firmly mounted on my soapbox here at the end of this session for the rest of this update.

Brian Selfridge: [00:12:05] When we look at the future of cyber warfare in particular, was highlighted by comments from Kevin Mandia, who for those who don't know, Kevin is the CEO of Mandiant, which is now FireEye, which is arguably the world's leading branch response and forensics firm, just an impressive group of folks. Kevin made the bold and I believe accurate claim this week that the next global conflict or warfare between major powers will result in direct impact to everyday Americans. He says "apps wont work, appliances may not work. And people don't even know all these things that they depend on. And all of a sudden the supply chain starts getting disrupted because computers don't work."

Brian Selfridge: [00:12:45] I've been contemplating this phenomenon myself for some time as well. And in my years of watching these trends and seeing these security vulnerabilities play out, that we continue to live with these vulnerabilities, that in many cases we're actively building them into our latest systems and applications and software. So I believe these attacks against healthcare entities in particular and the supply chain are just the tip of the iceberg. You have, as we've seen with traditional warfare over history, when the rules of engagement change and anything goes, we start to see the real weapons and tactics of warfare come out to the surface that have been laying in wait all along. And we see the collateral damage start to start to happen and targeting of civilians and their networks and supporting infrastructure and systems.

Brian Selfridge: [00:13:29] I believe hospitals and health care entities will be one of the hardest hit sectors if and when our I.T. systems become interrupted by global scale cyber war attacks. What we're seeing so far is, I think, barely weapons range testing. This is just, again, the tip of the iceberg. Our opportunity to fortify our defenses and resilience capabilities is right here and right now, however, and we may not get another shot at it. So when the time comes, I think we can't say we weren't warned, at least by this spate of attacks that we're seeing that are really just just the beginning.

Brian Selfridge: [00:14:01] So sorry to end it all doom and gloom there. But but we do have an opportunity to get this right and hopefully will be those of you that are taking the time to pay attention to these type of updates, I'm sure are doing the right things to go take them back into your environments and start building more resilient and protected health care ecosystem.

Brian Selfridge: [00:14:18] That's all for this episode of the CyberPHIx Health Care Security Roundup. We hope this has been informative for you and love to hear from you if you want to talk about any of this. So just reach out to us at [email protected]. And thank you for everything you do to keep our health care systems and organizations safe.