The CyberPHIx Roundup: Industry News & Trends, 4/21/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Healthcare Cybersecurity Act introduced in the U.S. Senate; details and analysis of the proposed regulation 
  • HHS and OCR seek feedback on new HITECH safe harbors for the adoption of cybersecurity best practices including NIST and HITRUST 
  • OCR requests feedback on how HIPAA civil monetary penalties should be shared with individuals that have been victims of breaches 
  • University of Pittsburgh Medical Center is required to make payments to 66,000 employees that were victims of a 2014 cyber breach as part of legal settlement 
  • Proposed PATCH Act that would see the FDA require cybersecurity measures for medical device manufacturers; details and analysis 
  • New NIST standards for enterprise patching management including NIST SP 800-40 and NIST SP 1800-31 
  • FDA releases updated guidance on medical device cybersecurity (in addition to the PATCH Act) 
  • Lapsus$ cyber threat group alerts from the Health Sector Cybersecurity Coordination Center (HC3) as well as prominent arrests of the Lapsus$ gang’s teenage leader  
  • Arrest of ransomware leader responsible for 13 ransomware attacks; details of attacks and sentencing 
  • Germany and the U.S. shut down the world’s largest illegal darknet marketplace 
  • CISA warns of Uninterruptible Power Supply (UPS) device cyberattacks 
  • Urgent security alert for Philips MRI monitoring software 
  • A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell' 
  • U.S. State Department announces Bureau of Cyberspace and Digital Policy (CDP) 


Brian Selfridge: [00:00:11] Good day and welcome to The CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading healthcare, security, privacy, and compliance leaders alongside blogs, webinars, articles, and lots of other educational material. We have a full agenda to cover today, so let's dive into it, shall we? 

Brian Selfridge: [00:00:47] I'm going to start off today with some new legislation introduced by a bipartisan group of senators around healthcare cybersecurity, which is our favorite topic, or hopefully it is if you're listening to this. So on March 23rd, US Senators Bill Cassidy out of Louisiana, a Republican, and Jacky Rosen, a Democrat out of Nevada, introduced the Healthcare Cybersecurity Act. The bill has been introduced amid warnings of potential Russian cyberattacks, which is cited as actually one of the primary motivators for this new legislation, and directs the Cybersecurity and Infrastructure Security Agency, or CISA, alongside the Department of Health and Human Services, to work together to collaborate around healthcare cybersecurity. Now, why they aren't collaborating already is a bit surprising to me. As you know, healthcare has been formally identified as a part of the US critical infrastructure. So hopefully they've been coordinating all along. But I guess this sort of puts the formalization around that. 

Brian Selfridge: [00:01:40] The second major piece that the legislation goes into is around authorizing cyber training or cybersecurity awareness training for healthcare and public sector organizations. Now, I'm not sure, when they say authorize training, if that means actually fund the training or provide resources. Certainly, organizations are already authorized, quote-unquote, to perform training and security awareness training via the HIPAA rule itself, the Security Rule itself. In fact, they're compelled to do so. It's not even authorized. So I'm hoping that this means that there's some actual funding and support involved in this other than just sort of reminding us that we need to do cybersecurity awareness training and reminding CISA and HHS that they have to collaborate together. So those were really the two major pieces. It also requires CISA to perform a study on healthcare cybersecurity, which is a very common starting place for legislation and for the federal government to begin initiatives around understanding a sector and what methods need to be taken. I've been involved in such studies for the Department of Health and Human Services previously around medical device security and hacking and things in healthcare. The challenge is, if that's all this is, if this is just a perform-a-study and then also authorize cybersecurity awareness training, which we said should already be authorized in a lot of ways, as well as requiring these organizations to collaborate together on the federal side. 

Brian Selfridge: [00:03:02] I think if that's all this bill covers, then I think it falls a bit short in my mind of identifying any concrete action or investment that can be taken by the federal government and really seems to be a bit more lip service. Again, I could be missing something around the intent or how they're going to do it. So creating another survey and study is useful and could be informative if it leads to more investment. But the industry is full of studies, and private organizations as well as federal agencies have been doing a lot of analysis of the problem. I think we have a pretty well-defined problem statement at this point. It's time to start putting laws and bills in place that actually provide concrete investment resources and/or requirements and some regulatory requirements for covered entities and business associates to do things like maybe providing more prescriptive security controls, like requiring multi-factor authentication, which is something we're seeing out of a lot of other regulations or industry certifications like NIST and HITRUST alignment, certifying around common standard frameworks. And I think that would have a lot more of an impact personally than these new bills that are kind of just reiterating things that we should be doing already. So it'll be interesting to see how this plays out. I mean, ultimately, the only impetus, the driving impetus for organizations to invest in security right now is cybersecurity breaches. 

Brian Selfridge: [00:04:28] I think HIPAA has done a decent job of doing enforcement, but it's not getting to the point where we're really driving a lot of those laggards, the organizations that just haven't invested in the last couple of decades in HIPAA requirements. If they haven't done that by now, I think a bill like this isn't really going to move those folks off the mark, and those are the ones we really need to focus on. So the good news is that this bill is yet another bipartisan proposal on cyber. So that's good. And it's clear that there is political will across the board to invest in this issue as a country. So I think we just need to get more effective tools in place and opportunities to make sure enforcement behind those are really driving the right behaviors for us. I'm not entirely convinced, if you haven't sensed it yet, that this is the bill that's going to do that. But I like that we're getting more stuff in front of them in the House, in the Senate to be considered on our special area of interest of healthcare cybersecurity. 

Brian Selfridge: [00:05:27] In other related news, the Department of Health and Human Services is actually seeking feedback on healthcare cybersecurity practices, specifically around the HITECH Act. So covered entities and BAs are being asked by, I'm sorry, business associates. That's my slang. I'm going to let you in on it. Business associates are being asked about information or clarifications of the newly drafted HITECH and OCR (Office for Civil Rights) provisions around implementing cyber best practices. So if you recall, this is a newly introduced draft requirement, or I should say kind of what we've been calling the HIPAA safe harbor. It's not exactly a safe harbor, but the idea is that OCR is supposed to take into consideration if organizations have implemented best practices, which they define as inclusive of adopting NIST Cybersecurity Framework controls or HITRUST Common Security Framework certifications or adoption of controls. And if organizations do that, OCR is supposed to take that into consideration and essentially sort of knock down and limit any enforcement and fines that might be related to HIPAA Security Rule violations and the like. 

Brian Selfridge: [00:06:33] So now OCR and HHS are asking us and asking the industry. They want to know, one, how are healthcare organizations adopting, adapting, and implementing these standards already? And how can they measure adoption of them to inform these safe harbors and sort of enforcement carrots, if you will, versus the sticks of true enforcement? And so that's kind of the open question, where organizations are also being asked for information about how civil monetary penalties should be shared with individuals that have been the victims of breaches. So that's a really interesting development. And I want to divert here and talk about that for a moment because there's another case that's percolated this week that I think is relevant to this idea of can you share civil monetary penalties and OCR fines with the people who were the victims of the breaches. 

Brian Selfridge: [00:07:22] So there was actually a settlement just recently that includes requirements to pay out the victims of a breach. Again, this is the private sector. So it's not the federal government in this particular instance. But I think the lawsuit is driving that same intent that OCR is asking about here around payment distribution. So the University of Pittsburgh Medical Center, or UPMC, is actually going to begin making payments to 66,000 employees that were the victims of a cyber breach in 2014. We've covered this case before on the podcast, so you may have followed that as this has gone along. If you haven't, don't worry. But basically, there was a hacker that stole and sold UPMC employee data on the dark web and was ultimately sentenced to seven years in prison. The data was actually used to file $1.7 million in false tax returns by the criminals that bought the data on the dark web. So the settlement in this case against UPMC requires UPMC to pay $1.6 million to an escrow account that will then be distributed to employees. Employees have been emailed that they can claim their compensation, which will range in, wait for it, it's a staggering number. 

Brian Selfridge: [00:08:34] Most employees will get between $10 and $20, but there's a provision that says it could be up to $5,000 for those individuals, employees whose information was specifically stolen and under whose names tax fraud was filed and paid out. So also, everyone in the company, at least at that time, 66,000 folks, gets three years of credit monitoring. So this brings us to the question that OCR is asking about. The typical settlement these days for a large-scale breach is somewhere around $3 or $4 million, plus or minus, for a decent-sized breach. So maybe these payouts could be increased a little bit if you took a $3 or $4 million settlement from OCR, and maybe that gets the average employee 40 or 50 bucks versus ten or 20. I don't know if that's more meaningful or not to individuals, but OCR is also going to need to use a chunk of these proceeds. We have to remember that they fund OCR itself and the many lawyers and individuals that are involved to execute these cases that sometimes can take years against covered entities that fight and protest the fines and end up in federal court. So we have two big chunks that are going to go into funding OCR itself. And then whatever's left over, I suppose, may be distributed to individuals that were impacted. It's unclear yet how exactly that's going to work, but that's why they're seeking input. 

Brian Selfridge: [00:10:00] Regardless, I think any multimillion-dollar settlement will be a sting for healthcare organizations. It'll sting, it'll hurt, whether it's, you know, a legal settlement or OCR enforcement. I like this idea of the principle of getting these funds to the victims versus going elsewhere and to just general government coffers and those types of things. I would love to see, you know, requirements in these settlements that have the covered entities. Business associates must maybe commit a percentage of their spend of their budget on cybersecurity protections and investments. I mean, I think that's where the investments are really getting shorted, right? There's underinvestment in cybersecurity. And I understand bad things happen to good people sometimes. I'm not talking about that. But there's absolutely the cases I've seen and been involved with over the years have been organizations just really weren't doing the basics, weren't at the time when it was appropriate encrypting laptops, for example, or modern-day just not doing basic patching and things that they need to be doing to make investments in cybersecurity. Then they get breached and they get the fines. So I think we need to find a way to somehow make sure the funds from these fines are going back into cybersecurity programs without letting the organizations off the hook for their underinvestment over time. So it's going to be tricky, but I do love the idea of finding a way to get a chunk of that, if not a bulk of it, to the victims for sure. 

Brian Selfridge: [00:11:24] So it's a really interesting question. Let us know what you think. You can send me an email at CyberPHIx at Meditology Services, and I'd love to get your input we can help get that information over to the Department of Health and Human Services and OCR for answering their question that's been put out to the field. 

Brian Selfridge: [00:11:40] While we're still talking about federal government activity around healthcare cybersecurity stuff, and I love that there are three or four updates this week on this topic, which means there's a lot of activity, we saw that there's actually new bipartisan legislation being done around the FDA for medical device security in particular. And it's being introduced. It's called the PATCH Act. So let me tell you a little bit more about that. So Senator Bill Cassidy out of Louisiana, if you'll recall his name, he's the same one that was involved in the prior bill, and Tammy Baldwin, a Democrat of Wisconsin, on Thursday introduced into the Senate the Protecting and Transforming Cyber Healthcare, or PATCH, Act, which contains the medical device proposals. So again, that's the same Bill Cassidy that we talked about before. I think I'm going to start calling him the cyber bill. I think that's the right name for this guy. So very pleased that he's putting all this stuff in there. 

Brian Selfridge: [00:12:37] Then there was also a companion piece to this. Representatives Michael Burgess, Republican of Texas, and Representative Angie Craig, a Democrat out of Minnesota, also introduced companion legislation in the House at around the same time this past week. It's a carbon copy of the same bill running through the Senate. They just use the same one. I'm not sure the logistics of why they do that, but hopefully, that means that there is some momentum in both the House and Senate around the same sort of themes. So the PATCH Act, if signed into law, would amend the Food, Drug, and Cosmetic Act so that the FDA may require medical device manufacturers to implement cybersecurity requirements when they apply for FDA premarket approval. So that's that whole FDA validation process that they have to go through anyway. And it's basically putting a hard requirement that if you want to sell and administer your medical device in the healthcare setting, you need to do everything that's in that FDA validation process, which would be inclusive of cybersecurity requirements, which would be really wonderful if you can find a way to make this happen. The PATCH Act would also require manufacturers to design, develop, and maintain processes and procedures to update and patch medical devices and related systems throughout the life cycle of the device. And that's a really important comment: throughout the life cycle means often these devices run 15 to 20 years in their lifetime in the healthcare system, and those are the ones that have been the most vulnerable. 

Brian Selfridge: [00:14:05] They're running outdated systems. The medical device manufacturers have in many cases, not in all cases, but on legacy devices, kind of washed their hands of that problem and said, look, we're not issuing another device. We're not going to take the time to patch it, and the money and the investment it would take for these old components would be a significant investment. So we're left with all these insecure devices, and I think everybody, at least that listens to this podcast, is well aware of the exposure that puts to patient safety and otherwise. So the PATCH Act would also require the establishment of a software bill of materials (SBOM) for the device, which includes components such as commercial, open-source, and off-the-shelf software, that would be submitted to the FDA and provided to users. SBOMs have been a really important tool going forward for managing third and fourth-party risks by being able to really map and locate which organizations and vendors are using vulnerable products or services in the supply chain. It would have been great to know exactly which devices and products used the Apache Log4j software, for example, a few months back. Right? SBOMs. And this legislation would make that information readily available, at least for medical devices. 

Brian Selfridge: [00:15:14] So we applaud that here at Meditology. And for myself, in particular, the PATCH Act would also require the development of a plan by the device manufacturer to monitor, identify and address post-market cybersecurity vulnerabilities and request a coordinated vulnerability disclosure to demonstrate the safety and effectiveness of a device. So again, that's all the post-deployment stuff where we're actually able to keep these devices secure over time versus just issuing it, and then 20 years later, leaving it up to healthcare delivery organizations to figure out how to secure this stuff. It's a regulatory action like the PATCH Act that is much needed, in my view, around medical device security. I think it's pretty clear from the last 20 plus years that medical device manufacturers, on the whole, are not really willing to make the capital investments necessary to invest in cybersecurity, particularly for legacy devices, the new devices that are getting a little bit better at it, but they still kind of half, half effort in some cases. It's also clear that healthcare providers are not willing or able, perhaps, to foot the bill for the tools, the people, and the processes to effectively mitigate medical device cybersecurity risks. Without the support of the manufacturers, it's really hard to go it alone as a healthcare delivery organization. A lot of times you get up against the big medical device manufacturers and they'll just tell you, you know, you're too small, you can't push us around, which is true. 

Brian Selfridge: [00:16:35] And that gets very frustrating. Speaking as a former healthcare CISO, it was very difficult to put together a program, although we did, and we did a lot to mitigate the risk, as I think are many of you. But we really need to get the manufacturers on board as they're the most critical stakeholder group for sure. Providers have bought tools and started to get more visibility. And we're getting better at sort of wrapping some controls around the risk for medical devices. But, you know, at best, I think if we're honest with ourselves, we're really just putting some Band-Aids on some really big gaping wounds of cybersecurity vulnerabilities for the medical device ecosystem. So we'll see if this bill makes it through the wringer of the House and Senate approval. Hopefully, you know, the bipartisan aspect of this bill, much like the prior ones we talked about, will give it some momentum. So fingers crossed on this one. I do really like this one, as much as I perhaps didn't get the vibe that I liked the first one that much. This one's definitely worthwhile in my view. Speaking of the federal government, there is also our favorite group, NIST, the standards body National Institute of Standards and Technology, which put together and released their final guidance for enterprise patch management. There's a lot of patch updates today, right? So this isn't just specific to medical devices. 

Brian Selfridge: [00:17:48] It's actually not just specific to healthcare either, although it's very, very important for healthcare. So the latest guidance is called, well, there's actually two particular standards, NIST SP, or Special Publication, 800-40 and NIST Special Publication 1800-31. Both of these new standards emphasize the need to prioritize patching and preventative maintenance in order to avoid data breaches and operational disruptions and all the bad things that are happening every day. Ransomware and everything else. Patching is just critical. So I'll read out the formal titles of these as I think that'll be sort of informative of what they are. So NIST SP 800-40 is the Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, and NIST SP 1800-31 is Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways. So pretty long titles and complex. I'm actually going to hold off on a full rundown of the standards because there's just so much involved in these, and they really do get into best practices. So regardless of what level of maturity your enterprise patch management program is in, I highly recommend you check these out and compare them against your current program. I guarantee you'll find some things in there that you can leverage that either you may not be doing today or maybe you haven't formalized or thought about or simplified in the way that they have it in place. 

Brian Selfridge: [00:19:10] So great resource for everybody involved across the spectrum of making sure that we patch our devices both in-house as well as working with our third-party vendors to do the same. Now stepping back just for a second to this whole FDA medical device conversation for a moment. I also wanted to note that the FDA, apart from that sort of regulatory side of things, has actually released new draft guidance for medical device manufacturers for pre-implementation of cybersecurity controls. So this is guidance versus the regulation. So we talked about the regulation. Guidance is different. This is actually not the first time that they've put out this guidance. They put the initial version out in 2014, and then FDA issued a subsequent update in 2018, and now another one in 2022. And it is called Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. So this is much more of the voluntary, "hey, this would be really nice if you did these things" type of guidance. The new guidance covers threat modeling and the requirement for a software bill of materials (SBOM), which we talked about earlier, for all third-party software components, security risk assessment, security risk management, the implementation of security controls, cybersecurity testing, vulnerability management planning, and the importance of cybersecurity transparency. So all the right stuff is built in there, in my view, in terms of guidance. Again, maybe it's a carrot and stick conversation. 

Brian Selfridge: [00:20:35] Can we find ways to incentivize medical device manufacturers to adopt these best practices now that we've defined them and are updating them? Can we have regulations, perhaps, if necessary, to enforce that implementation? I like the way these two things go hand in hand together. So the FDA's requested input on the new guidance in the comment period runs through July 7th of this year. If you want to get your two cents out there again, we can help you coordinate that if needed. 

Brian Selfridge: [00:21:01] Now, switching gears, I want to talk about some of the emerging threats and threat actors that have been targeting healthcare recently. As much as we talk about all this regulatory stuff, that's useful. But how about the real attacks that we're facing on the ground every day? So the Health Sector Cybersecurity Coordination Center, or HC3, if you're familiar with them, issued a threat brief outlining the tactics and targets of the Lapsus$ cyber threat group responsible for cyber attacks across many organizations, but inclusive of the Okta organization, that impacted many organizations, healthcare organizations, sort of as a third-party provider. So Lapsus$, if you haven't heard of these folks, they're pretty nasty. They've been targeting multiple high-profile organizations using bribery and non-ransomware extortion. So pretty classic, more classic financial extortion, although they're using their hacking techniques to facilitate that. 

Brian Selfridge: [00:21:54] Now, in a fascinating turn of events, these guys have only been around for a couple of years, but they've been really effective. And I say in a fascinating turn of events because the authorities in the United Kingdom actually announced just a couple of weeks ago that they arrested one of the leaders of the Lapsus$ gang, who turns out to be a 16-year-old in Oxford, England. The teenager had amassed $14 million in Bitcoin in about two years' worth of cyber attacks, it looks like, plus or minus. The London police also announced that they arrested seven other members of the Lapsus$ gang, all between the ages of 16 and 21. So I remember back in the day we used to joke that the hackers were all these script kiddies and people who just, you know, had too much time on their hands. And they were just sort of causing mischief. And that stopped for a long time as Russia got involved in cybercriminal groups and nation-states. And all of a sudden the attacks got really sophisticated, very serious, and very adult. So it's interesting to see a group like this having this kind of impact with a bunch of teenagers, essentially. So they talked to the boy's father, who was the ringleader, and his father, sorry, his father wasn't the ringleader. The kid was the ringleader. And he thought his son was just playing games. They had no idea what he was up to. 

Brian Selfridge: [00:23:04] He's like, well, he's really good at computers, but I thought he was playing games. And so look over their shoulder, professionals, make sure your kids aren't doing anything too nefarious. I'm sure. I'm sure they aren't. But anyway, this boy, the teenage cyber criminal, was outed by other cybercriminals after they had a falling out. The other hackers revealed his name, address, and social media pictures. And apparently, some cybersecurity researchers have claimed that they also had been tracking this individual's activities for a while before it was sort of officially released and outed by their criminal colleagues. But unfortunately, these arrests may not be the end of the story for Lapsus$ and their attacks, as we often see with these types of cybercriminal groups and gangs. The following guidance was issued by HC3 for healthcare organizations specifically to protect against Lapsus$, knowing full well that they had taken out a few of their key players, but also understanding there's still a whole infrastructure and others involved that are likely to continue the attacks. So this is some of the guidance they put out. They said when comparing Lapsus$'s motivations and tactics to healthcare sector operations, the healthcare sector is within their scope of targeting. So they steal data for extortion purposes, so that's the whole hack-and-extort thing, and they target service providers. They want to get that sort of scale of extortion, and their operations are global and they look for targets of opportunity on a global scale. 

Brian Selfridge: [00:24:31] So that allows them to sort of pick lower hanging fruit wherever they may be globally. While law enforcement has begun pressuring the group and even arresting some alleged members, which we just mentioned, they do expect operations to continue, it says, here in the HC3 guidance. Other members will likely continue to operate under the Lapsus$ banner, either legitimately as part of that group or just carrying the flag and claiming to be part of it. That happens a lot. The geographic diversity of the group will make them especially difficult to quash. It sounds like they're kind of all over the map in terms of their operators, and the diversity of their tactics, HC3 has said, and their lack of reliance on specific malware variants makes them very difficult to detect or stop. So they seem to be pretty agile with the tools that they're using and diversifying the ways in which they break in. In addition to learning about the group's tactics, healthcare organizations, they say, should implement multifactor authentication. We talk about that a lot. Virtual private networks, VPNs, zero-trust security policies, and network segmentation. So a lot of familiar recommendations there. But very interesting, this particular threat actor group. Now in some other cyber-criminal prosecution news. An Estonian man was sentenced today to more than, what I think is today or this week. 

Brian Selfridge: [00:25:45] I was a little thrown off by the exact timing of when these things get released. But recently he was sentenced to five years in a US prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. I imagine that's just in the ransoms themselves, not to mention the operational impacts. Prosecutors say that the accused individual, this Estonian guy, also enjoyed a lengthy career of cashing out access to hacked bank accounts worldwide. So his name is Maksim Berezan, 37 years old, out of Estonia. So he was actually apparently a long-time member of Direct Connection, which is a Russian cybercriminal forum that existed up until 2015 and I'm sure has taken on other iterations since then. And acting on information from US authorities, a little while ago, the Latvian police searched his residence and found a red Porsche, a black Porsche (they have the specific names, but really), a Ducati motorcycle, and an assortment of jewelry alongside $200,000 in currency and $1.7 million in Bitcoin. So he was effective, right? And he was spending that which he took in. So he was extradited to the United States, and they found even more involvement in ransomware activities. So this sort of has played out over the last several months. And the post-extradition investigation determined that he had participated in 13 ransomware attacks, seven of which were against US victims, and that approximately $11 million in ransom payments flowed into cryptocurrency that he controlled, according to the US Department of Justice. At his sentencing, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims. 

Brian Selfridge: [00:27:31] So score one for the good guys. Taking another bad guy off the map. Although we know well that there's plenty more behind him that are continuing to carry the banner. But let's stick to this theme. I like good news. I think we need more of that in our updates here. So in other good news, Germany has shut down the world's largest illegal marketplace on the darknet with help from the United States. The Hydra market was a Russian-language marketplace that had operated via the Tor network since at least 2015 and was known for extensive drug trafficking. Hydra's market sales were over €1 billion in 2020 alone, they say, and the market's 17 million known customers were also known to buy and sell forged documents and stolen credit cards. So you're talking about massive darknet fraud that's inclusive of cybersecurity stuff. Now, the German authorities seized Hydra's server infrastructure and about $25 million in Bitcoin last week, and numerous US agencies, including the Drug Enforcement Administration, the DEA, IRS Criminal Investigation, and others were involved in the operation. And in a statement the US Treasury Department said, and I'll quote this one: the global threat of cybercrime and ransomware that originates in Russia and the ability of cybercriminal leaders to operate with impunity is deeply concerning to the United States. 

Brian Selfridge: [00:28:52] Our actions send a message today to criminals that you cannot hide in the darknet or other forums, and you cannot hide in Russia or anywhere else in the world. So score another one for the good guys here. I think, kudos this week. We'll take all the wins we can get. Now, despite these wins, there are still plenty of threat actors out there, as I mentioned. So CISA has also warned of new UPS, or uninterruptible power supply (not the Postal Service), device cyberattacks. So for those familiar with UPS devices, they typically will provide the backup power if an electrical power outage happens to a hospital, for example. UPSs are critical to literally keeping the lights on and the systems running and everything going. So threat actors have deployed cyberattacks via UPS devices, which they say are Internet-connected devices. So to mention that, as much as they're sort of an electricity business continuity thing, they are Internet-connected and they do have default passwords, believe it or not, username and password. So it is not surprising that that's how these attacks are unfolding. It's a common issue with third-party provider devices, including medical devices, which we've talked about today to some length, and now apparently UPS devices, to use the manufacturer default admin username and password that's usually pretty well-published or easy to figure out if you have a UPS device or if you have Google. 

Brian Selfridge: [00:30:19] So CISA says that organizations can mitigate attacks against UPS devices by immediately removing management interfaces from the Internet. Right. There's no reason for you to manage it from internet-facing places, so keep that off the internet, guys. They also recommend reviewing the CISA and DOE published guidance on mitigating attacks against UPS devices for additional mitigations and information. So you can check that out if you want to shore up your UPS device, and for goodness sake, change the password on that thing if you do nothing else. In another CISA warning, the Government is alerting healthcare organizations to a security issue in the Philips MRI monitoring software, specifically Philips Healthcare's eAlert Magnetic Resonance Imaging monitoring software. So software version 2.7 and prior releases of Philips eAlert contain a security vulnerability that could potentially allow authorized users to remotely shut down systems. Now, Philips released its own warning on March 29, stating that it had received no reports of exploitation of this vulnerability and that their software does not pose a risk to patient safety because it is not a medical device. I am biting my tongue. It's not exactly the most politically correct answer in my view. I mean, MRIs are pretty darn important for patient care. So we wonder why we need laws to motivate medical device manufacturers to take action on cyber risks. 

Brian Selfridge: [00:31:43] Not particularly thrilled with the statement of "don't worry about it. It's just in an MRI machine. No problem." So Philips has not yet released a fix, and they said they plan to do so by July of this year, according to their statement. So they're not in a super hurry to address this one. So let's see if we can ask the questions and make sure we get some pressure on these types of issues to get them resolved a little bit sooner. There's also a new zero-day vulnerability that's unrelated to Philips, just in general, in the Spring Core Java framework, called Spring4Shell, that's been publicly disclosed. It allows unauthenticated remote code execution on applications, which basically means malware can run indiscriminately. Anyway, Spring4Shell is a very popular application that allows software developers to quickly and easily develop Java apps with enterprise-level features, so the applications can be deployed on servers like Apache Tomcat, standalone packages, and the like. This is very similar to the whole sort of Log4j craziness we just went through earlier this year, and some of us in organizations are still going through it to an extent. So the best we can do is get on top of patching these types of zero-day supply chain vulnerabilities. This one does impact Apache as well. So it's kind of similar in that sense. 

Brian Selfridge: [00:33:03] Then if we can get in front of them now, we can hopefully avoid them blowing up into larger issues as we saw with Log4j, SolarWinds, and these types of large-scale third-party breaches. So connect with your I.T. and web development folks at a minimum to see if they're using Spring4Shell, or the Spring Core Java framework, which is technically the term, and see if you can get that patched up. 

Brian Selfridge: [00:33:28] Our final update this week, the US State Department announced the creation of a new Bureau of Cyberspace and Digital Policy. And get ready for it. You get a new acronym, the CDP: Cyberspace and Digital Policy. The newly created organization will help shape norms and responsible government behavior in cyberspace and help U.S. allies bolster their own cybersecurity programs. So the CDP Bureau is designed to address the national security challenges, economic opportunities, and implications for US values associated with cyberspace, digital technologies, and digital policy. According to the announcements, the Bureau will focus on incorporating emerging technologies into policy decisions. So this is more coordination across geographical boundaries and governments and the like, which is much needed. The Bureau marks the return of a high-ranking cyber diplomat in the federal government after the Trump administration eliminated the cybersecurity role a few years ago. I'll close here with just a quote from the US Secretary of State, Antony Blinken, on this one, on the new CDP Bureau, where he says: on cyberspace and emerging technologies, we have a major stake in shaping the digital revolution that's happening around us and making sure that it serves our people, protects our interests, boosts our competitiveness, and upholds our values. 

Brian Selfridge: [00:34:42] We want to prevent cyberattacks that put our people, our networks, companies, and critical infrastructure at risk. We want the Internet to remain a transformative force for learning, for connection, for economic growth, and not a tool of repression. We want to shape the standards that govern new technologies so they ensure quality, protect consumer health and safety, facilitate trade, and respect people's rights. Can't argue with any of that. I'd love a bureau that can get that done. All behind the CDP. Let's go. All right. 

Brian Selfridge: [00:35:10] That's all for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you, and we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. So long, and thank you for everything you do to keep our healthcare systems and organizations safe.