The CyberPHIx Roundup: Industry News & Trends, 4/21/21


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Analysis of Mandiant’s M-Trends 2021 Cyber Attacks and Trends Report and implications for healthcare
  • Shifts in threat vectors due to remote work, ransomware focus, and adversary techniques. Teaser: phishing is no longer the top threat vector
  • FBI / CISA Alert: Top 5 “favorite” attack methods of the Russian SVR ransomware group targeting healthcare (e.g. Citrix, VMWare, and other specific exploits)
  • President Biden’s sanctions and diplomatic pressure on Russia for healthcare cyberattacks
  • Breach update: the latest healthcare supply chain breaches and trends with high-risk vendor “categories” like revenue cycle management; CareFirst healthcare payer breach analysis
  • $1.5m penalty for the New York DFS cybersecurity regulation and its impact for healthcare entities
  • 21st Century Cures Act updates


Brian Selfridge: [00:00:10] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. There's a great update today, quite a bit to cover, in fact. So let's dive into it.

Brian Selfridge: [00:00:45] Mandiant, a.k.a. FireEye, released their annual security report recently, and this is always one of the better reports of the year, so I wanted to take some time to go through some of the more material updates and highlights and takeaways that I found from this report and share those with you. More organizations than ever before are detecting security incidents and attacks themselves as opposed to finding out from a public breach or from the FBI or other sources. Fifty-nine percent, in fact, almost 60 percent, have discovered the attacks on their own, and that's up 12 percent from the prior year. This is good news overall and a step in the right direction. Although I have to point out many of these attacks this year have shifted to ransomware, which isn't exactly the most difficult thing to detect, since ransomware is designed to make itself known in a very public and very forward-facing way as it takes over the screens and lets everybody know that things are locked up. However, I think we can take some positives from the situation in that our monitoring capabilities are getting better, and hope that this is translating into improved incident response and processes and catching these attacks earlier in the kill chain, so to speak, so we can detect them sooner and react to them sooner.

Brian Selfridge: [00:01:50] The dwell time overall is down for attacks as well, which is important. But again, that also might be in large part due to the noisy ransomware that happens, that gets detected fairly quickly and then dealt with pretty quickly as machines get locked up, versus these more stealth attacks. I think the prior dwell time for several years running in health care was like three hundred some days. Versus these more stealth attacks, I think the dwell time, according to the FBI, for several years running now for health care entities of these attacks was something like three hundred some days. And that, you know, that in and of itself is a problem, as bad actors were operating sort of behind the scenes. And if we detected them at all, it was like a year later before we found out. So it's much quicker to detect now. Part of that is it's a much quicker turnaround for revenue for the bad guys. As they get detected, the ransomware pops up, they get paid sooner. They don't have to wait a year to exfiltrate the data slowly and painfully and sell it somewhere. It's sort of a longer sales cycle for them, so to speak, or time to revenue. Now, I'm not sure anyone sort of misses the blissful ignorance we were in of prior attacks where the bad guys would spend a year in our environment stealing everything without us detecting them. I'm not sure we want to go back to that mode, but certainly these more in-your-face attacks are getting all of our attention and allowing us to detect things earlier on in the process.

Brian Selfridge: [00:03:15] The Mandiant report also notes that ransomware is now using multifaceted extortion techniques to get paid. This is a phenomenon we've been reporting here for some time on this podcast, so I'm not going to go into it in great detail other than what they mentioned. The methods to get paid include extortion, a couple of different flavors of extortion. The ransom itself, which we've talked about. Payment card theft was noted as one of the top areas, as well as illicit bank transfers. So those that are CISOs in the field that I've spoken with were getting a lot of those bank transfer notices, hacking in, changing the routing numbers and all that good stuff that's not so good, but a very common attack. So I think one takeaway there is don't forget about the PCI stuff, especially for the health care audience here. You know, I've often seen this not getting enough attention for health care entities. We've got a lot of things to worry about with other compliance requirements. But PCI is a big motivator for the attackers. And it's in the top three ways that the bad guys are getting paid and actually monetizing their attacks. So as long as it's in that category, they're going to keep going after PCI and credit card data, so let's make sure we have that all locked up tightly from a PCI perspective as well as just an overall risk perspective.

Brian Selfridge: [00:04:28] Now, health care made it to the top five industries targeted this year alongside professional services, retail and hospitality, financial services and high technology. Health care rose to third on the list of targeted entities compared with last year's report in 2019 where we were 8th. So not a good trend. We're working our way up the priority list for the bad guys. And this report validates that. I think we've known that, but I think this report validates that quite a bit. Now, Mandiant notes some new threat groups are popping up that have been conducting large scale phishing campaigns this year for financially motivated attacks.

Brian Selfridge: [00:05:04] However, I think the bombshell takeaway in this report, in my view, is that phishing is no longer the dominant attack vector, as it has been for a while now. Adversaries are now using exploits of vulnerabilities more than phishing for the first time in a long time. So twenty-nine percent of breaches used exploits of known vulnerabilities and missing patches, configurations, those types of things. That's twenty-nine percent. Twenty-three percent leveraged phishing. So phishing is still a big player and a big entry point, but it's now number two. And that's an interesting trend.

Brian Selfridge: [00:05:34] And then the third trend is stolen credentials and brute force attacks, or password attacks in general, are right on their heels with 19 percent of the attacks. So those are the three areas we need to pay attention to. But very interesting, the phishing is starting to fall back a little bit due to these remote exploits that are being used more prominently. The report notes that threat actors did take advantage of remote work from home models this year in 2020 and targeted their focus in vulnerability exploitation. So that can explain a little bit of why that number jumped up there. The whole remote work, vulnerable systems, more footprint, all that stuff that's happened with COVID and the pandemic workforce moving remotely. So if you do nothing else in the work from home arena, be sure to double down on your vulnerability management and patch management capabilities. Of course, in addition to business continuity, disaster recovery and incident response, all those classic ransomware, you know, prevention and detection and management type of things, if you haven't done those already.

Brian Selfridge: [00:06:34] And here's a scary stat for you from the report. Twenty-nine percent, almost a third of all breach victims, had more than one threat group in their environments upon breach. That's double from last year. So that's interesting to analyze. How is it that multiple attackers are ending up in there? This could be a couple of things. It may be just that these common vulnerabilities that the victim entities have in place, missing patches, easily hackable stuff, that several bad guys are just getting on it and happen to be fighting over the turf. That's certainly one possibility. You know, you think of the analogy of an open window in your house or the door's open, like several people are going to come in. You might get some animals in too, in the open window, open door analogy, but basically anyone can come in. But also, I think in some cases, the bad guys are talking and selling the exploits and access to multiple parties and allowing several individuals in. So this isn't good news, right. One third of the breaches have multiple groups in the environment. So that's something we need to really be paying attention to. Not just one bad actor and one bad day; it could be much worse. So where are the bad guys?

Brian Selfridge: [00:07:42] The report indicates that the top APT advanced persistent threat groups are coming from China, Iran and Vietnam. Now, unclassified threat groups are all over the world with top sources in China, Iran, Nigeria, North Korea, Russia and a handful of other nations. Of course, we know that health care is specifically being targeted by Russia. And we'll provide some more information on that in a few moments. So hang tight on that piece.

Brian Selfridge: [00:08:10] The Mandiant report indicates that back doors are the go-to malware for the bad guys. So more than half of the attacks that we see involved backdoor installations. This is certainly not surprising given what we know about the large scale supply chain attacks on SolarWinds and Microsoft Exchange that we saw this year, for example, as we saw back doors being a big part of that model. But it is concerning that, you know, a backdoor means a much more difficult adversary to uproot once they're in. So it's not just a matter of you patched up your systems and it's all fixed up. You know, if they've installed those back doors, they're going to be coming back, and they may do it now, they may do it later. And very often they'll install multiple avenues back into the environments once they've established those back doors. So that's something that the report is indicating we're seeing and something we really have to pay attention to. So what should we do?

Brian Selfridge: [00:09:01] The Mandiant report lays out some top recommendations to thwart the specific attacks that we saw this year. And these recommendations are definitely aligned with our own experience here at Meditology, our own penetration testing and hacking observations and recommendations. So that's good to see that alignment with that. But the indicators and recommendations in the report include reducing the number of highly privileged accounts in your environment, particularly in Active Directory. So this would be your domain administrators or domain admins, in other words. They also note machine-to-machine service accounts, so privileged accounts that are used to log in behind the scenes from multiple systems having elevated privileges or domain admin privileges are also a big problem. And again, we see that with our hacking exercises all the time as well.

Brian Selfridge: [00:09:48] They also recommend minimizing privileged account access across domains and devices. So not just limiting the volume of administrator accounts you have out there, but also whether or not those accounts can be sort of "God level" access across all of your networks and all of your domains, and really trying to figure out ways to segment that out a little bit better from an access perspective. And lastly, they mention modifications to group policy objects (GPOs), or those in Microsoft that allow scheduled tasks to run and domain accounts and machines to be enumerated, are a big attack vector for the bad guys, so we want to make sure we get those locked down and do all the security hardening. There are some guides put out, like the CIS benchmarks and things, on your GPOs and your Windows server environments depending on the operating system. Definitely check those out, get those environments hardened. And again, these are the same types of attacks we've seen from tests. We've been successful with them in health care environments all year as well. And so the attackers are doing the same stuff.

Brian Selfridge: [00:10:50] The report provides some more technical configuration guidance around these different areas if you want to really dig in deep. It also goes into detail about backup and recovery processes, common technical missteps and issues that are definitely worth checking out. So you can look at the full report: FireEye, Mandiant, search for those things and you will find it, or you can hit me up and we'll get it to you.

Brian Selfridge: [00:11:13] Now, I mentioned we were going to talk about the Russians some more, so let's go there. So we know at this point that the Russians have been behind some of the more prominent large scale attacks on health care late last year into this year. And like any attacker, the Russian SVR group, as they're specifically called, has their favorite go-to attack methods and techniques. And again, as pen testers ourselves, and myself, we do the same thing. There's a certain comfort level you get with certain techniques that you know are going to work every time or most of the time. And you use them year over year, attack over attack, until they stop working. And just personally, I have techniques that I've used for almost 20 years, a handful of them, that still work and are still just as effective. And that's a problem and something we are working to advise and counsel the industry on.

Brian Selfridge: [00:11:56] But the bad guys follow the same sort of methodology. What's the easiest way in? If I've got a trick that works, I'm going to use it every time. And so in that context, the NSA, CIA and FBI released the Russian SVR group's favorite attack methods. And it's definitely a good idea for you to look into these specifically in your environment and see if you can lock them down and get these specific instances and applications and vulnerabilities patched up. So there's five of them. And I want to give you a rundown, because I think this is worth the time. The first one is Citrix Application Delivery and Citrix Gateway, or the CAG for those of my network and IT engineer friends, as we always fondly call the Citrix Access Gateway. Older versions of the Gateway and the Citrix environment allow directory traversal, which lets the bad guys run hacking code on the system at elevated levels, running as Citrix. And I promise you that most of you, if not many of you, are using Citrix in one way, shape or form. So it's a good idea to go back to your teams and just make sure those back end servers are updated right away and do some investigation and make sure things are sort of cleaned up there.

Brian Selfridge: [00:13:05] The next one is Fortinet FortiGate; the bad guys, Russian SVR, are using this platform to download system files via resource requests. So I won't get into a ton of detail about that. But you can check the FBI alert if you want to go into the nitty gritty. The third one is VMware Workspace ONE Access, it's called. This has a command injection that allows lower level user accounts to run code at a system administrator privilege level. So basically, it only takes one user password, a general end user password. So think of phishing, right? How easy it is to get that, to use the VMware Workspace to escalate privilege to an administrative level, and then it's game over, right? For the attackers. So that's often a question like, well, they just get access to some end user. What's the big deal? That's the big deal. Take these exploits like VMware Workspace, all of a sudden you're admin level and off you go to taking over the environment, building back doors and everything else that we've talked about.

Brian Selfridge: [00:14:02] The fourth one is Synacor Zimbra Collaboration Suite, and I will admit I have no idea what this is, but if you have it, check it out. There is an XML escalation vulnerability that apparently is very easy to use, and they're very happy to come back to it. And it may not be on the top list of things that we're all worried about, since that is not exactly a household name. The final one is Pulse Secure VPN, and there's an issue with these that grants read access to files without authentication. So you can imagine that's a problem. If we can get access to files and read and find passwords and configs and all kinds of stuff that we're not supposed to see through the VPN, that's a problem.

Brian Selfridge: [00:14:44] So the CISA alert goes further to suggest that just patching these systems does not mean that you're in the clear. If you're using those outdated versions, the versions they mentioned in the alert, then the likelihood of prior compromise is pretty high, that somebody's already been in there, at least one or more attackers has been in and leveraging that. So they recommend investigating further activity to look for back doors, you know, reset your passwords, least privilege and all the usual sort of recommendations that are in there. And they mention some other best practices that are fairly standard but rarely adopted effectively, like network segmentation, for example. So check out the full alert for the details there. I think there's a lot of important focus areas there that, if we want to get caught up to the Russians in particular in a lot of these ransomware attacks, it'll be good to put some energy around.

Brian Selfridge: [00:15:34] In separate but related news, the US government named the official source of the SolarWinds supply chain attack as, drum roll, please, the Russians. So I guess I gave that away with the earlier thread here. So for those that are watching the global stage, we saw President Biden formally attribute the SolarWinds cyber attacks to the Russians this week. This is, of course, no surprise to those of us that are here and are faithful CyberPHIx podcast listeners. However, President Biden has established sanctions and set up a summit with Vladimir Putin to address cybersecurity attacks on health care. And we're named in there, as well as the attacks in the supply chain, so think SolarWinds and Microsoft Exchange, as well as the election interference stuff. So, for the longest time these attacks were happening, there wasn't really even any lip service or action taken. You know, it remains to be seen if this is going to have tangible action. But I think at a minimum, it's going to put some public and hopefully financial pressure on the Russians and other attackers when we start taking diplomatic and sanctions and those types of measures to hopefully slow down some of this activity, if not stop it altogether. In some cases, that's been running unchecked for several years now. So I'll take it as a positive and let's keep cranking in that direction.

Brian Selfridge: [00:16:53] You can check out our last CyberPHIx Roundup episode for more actions happening on cyber accountability on the global stage, the U.N. and the US and all that good stuff. Check out our last episode for some details on that.

Brian Selfridge: [00:17:11] Now SolarWinds was not the first or the last supply chain attack that we're going to see. In fact, we had a breach announced this month where a revenue cycle management vendor called Med-data had a former employee of the organization save it offline and then upload it to a public website. And the breach, as this is a supply chain issue and a vendor issue, impacted five health care entities, including University Health in San Antonio, Memorial Hermann in Houston (and those folks have been in the OCR hot water area for several years now, so this is not good news for them), University of Chicago Medicine, Aspirus in Wisconsin, and OSF HealthCare in Illinois.

Brian Selfridge: [00:17:55] I want to point out that when you see revenue cycle management, you know, that's a surprise. It's actually particularly not surprising to me. And the reason is our sister company to Meditology, Corl Technologies, has vendor assessment data on over 79,000 supply chain vendors servicing health care and has done assessments on them. And we've been tracking the different categories of which vendors pose the highest risk. And it's interesting that revenue cycle management companies have been up in the top three for several years running now, and it's always sort of a surprise and eye opener. People go, oh, you know, it's not the EHRs, it's not whatever else. It's revenue cycle management companies. And so I think it's really useful to dig into that data. And there's other categories that I think are often off the radar, like legal services, another one that's right up there, like, OK, my lawyers, you know, what's the big deal? But they are some of the highest likelihood and highest impact vendors out there from a vendor risk perspective, along with medical devices and other things that may be a little bit more intuitive.

Brian Selfridge: [00:18:51] So if you want to check that out, we've actually published a lot of that data on  You can go to that resource center where we've got webinars, where we run down the full list of categories of which vendors pose the highest risk and help you prioritize your program accordingly. So that's worth checking out.

Brian Selfridge: [00:19:09] In other breach news, we saw CareFirst community health plan out of D.C. was targeted by a foreign cyber criminal group that was able to exfiltrate over 200,000 patient records, according to their forensics analysis and subsequent report to OCR and HHS. I think the confirmation of data exfiltration in this case is worthy of note. You know, I often hear that, well, we had a breach and there's no evidence that the attackers acquired the data. They got in, but we don't think they took anything.

Brian Selfridge: [00:19:37] And sometimes that is because we just haven't done enough due diligence and forensics, to spend the effort and the money to find out exactly what happened with the breach. I recommend assuming that data was actually taken rather than the other way around. And this is a good example with CareFirst where, you know, you do the diligence and dig into it. And I guess they took the data and we can validate that. And then it's, you know, it's anyone's guess as to their plans with that, although we know the different ways that it's often monetized. CareFirst seems to have handled the response pretty effectively from what we can tell at a high level here, don't have insider intel, but they performed the forensics work here, a deep-dive forensics initiative, and they were transparent about the results. I think, you know, they also provided some intel on their response activities around password changes and monitoring. So it's worth highlighting some of these, quote unquote, victim organizations that respond in a responsible way to these attacks, because often it's not just the attack itself, but it's how does the organization handle it? I think we need to sort of hold up some of these entities that seem to be doing the right thing post breach and recognize them for that as something that we all need to be working on to improve as an industry, versus, you know, the cover ups and sweep it under the rug or ignoring it or all the things that just do further damage and add insult to injury.

Brian Selfridge: [00:20:55] Now, this doesn't let CareFirst off the hook for OCR enforcement or other risk areas that they need to shore up in the program. But I think it's a step in the right direction of responding effectively, at least, which is, I think, useful for everyone.

Brian Selfridge: [00:21:10] In other news, the New York Department of Financial Services, or DFS, regulation has had some enforcement activity recently. So let me give you a little bit of context as to why that matters. About four years ago, New York State put out a new cybersecurity regulation that caused a big stir. It was fairly prescriptive, and particularly for New York based entities, including health care organizations in that region. It was notable at the time because it required multifactor authentication as a hard requirement in the regulation. And that's something that I believe was the first regulation to say that you actually have to do this, not just recommended. It's not, you know, it's not a risk management thing. It's like you actually have to do multifactor. So if we fast forward to this year, there really hasn't been much enforcement action since the law's introduction, the DFS regulation, in 2017. But that changed last month when New York State fined Residential Mortgage Services, or RMS, with a $1.5 million penalty related to an email breach that went unreported.

Brian Selfridge: [00:22:11] And they also lacked a cybersecurity risk assessment and some other violations of the DFS law. While this specific enforcement action is not health care specific, I think it does put our New York based colleagues and health care entities on notice for compliance that, you know, it might be a good time now to revisit that action plan that you drew up in 2017 and see if it's gotten stale and make sure you've got compliance going on. And certainly, if you haven't done multifactor yet, there's another reason to do it right away.

Brian Selfridge: [00:22:40] The final update for this week is a follow up from prior episodes of the CyberPHIx Roundup, where we reported on the developments of the 21st Century Cures Act and information blocking rules. Those rules are now officially in effect. Congratulations. So it's a good time to get your program together. We will give you some more information on how this plays out in adoption and all that. But if you're not caught up on what all that is, the 21st Century Cures and information blocking, listen back to some prior episodes of the CyberPHIx here. And you can search in the resource center for 21st Century or blocking and it'll come up, and you can either listen to those or look at the transcript notes just to get caught up on what all that is and what some of the implications are. And now you know that it's officially in effect. So if you hadn't heard any of that prior to now, it's a good time to do some research, and feel free to reach out to us if you want help figuring any of that out.

Brian Selfridge: [00:23:31] So that's all for this session of the CyberPHIx health care security roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at cyberphix@meditologyservices.com. So long, and thank you for everything you do to keep our health care organizations and systems safe. And we'll see you next time.