The CyberPHIx Roundup: Industry News & Trends, 4/7/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • President Biden’s executive order on supply chain risk that calls out healthcare specifically
  • Analysis of a claims fraud case in Texas with a troubling scope including intentionally hastening patient deaths
  • Highlights from a recent study on increased patient awareness and impact over ransomware and telemedicine breaches
  • New UN standards for nation state online behavior and implications for enforcement and deterrents for cyberattacks targeting healthcare
  • Macro trends on the momentum of cyberattacks, patient awareness, and countermeasures in national and global theaters
Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx health care security roundup, your source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on which includes our CyberPHIx interviews with leading healthcare, security, privacy and compliance leaders, as well as blogs, webinars, articles and much more educational material. We have some intriguing updates to cover today, so let's dive into it.

Brian Selfridge: [00:00:46] President Biden issued a supply chain executive order last month. The order says that United States needs resilient, diverse and secure supply chains to ensure economic prosperity and national security. So if you've been listening to this podcast, we know all about supply chain issues, phones, Microsoft and the rest of the executive order highlights cyber attacks in particular and calls for renewing the National Security Council system, also for conducting a supply chain risk assessment in the next hundred days across several departments, including Commerce, Energy, Defense, Agriculture and our favorite Health and Human Services. The HHS assessment in particular is to focus on the risks to the pharmaceutical supply chain, in particular, as you might expect, given the vaccine development and distribution criticality that's going on at present. The order also requires a risk assessment of the supply chains reliance on digital products, it says, and those that may be vulnerable to failures or exploitation. So some of my thoughts on this one:

Brian Selfridge: [00:01:42] I think this is a long overdue response from the federal level to the inundation of attacks of a supply chain that we've seen from cyber criminals and nation states like Russia, China, that we saw mentioned including SolarWinds, Microsoft Exchange, and the coordinated ransomware attacks, of course, in the late 2020. So I think this assessment, corrective action plan, coupled with some increased governance and oversight that they're setting up here with that Security Council is going to be a first step in the part of a larger response that will include, you know, other diplomatic and economic pressures on those attacking our critical infrastructure, including health care. I wouldn't be surprised if we see some legislation and regulation on third party risk and supply chain risks soon, given the momentum that we're seeing of these attacks and the bipartisan support over the issue more broadly. So we'll stay tuned for that.

Brian Selfridge: [00:02:36] Another update this week in other news, there was a pretty prominent case in the health care fraud arena that saw a CEO of a hospice company convicted of defrauding tens of millions of dollars in health care claims. This gentleman, Bradley Harris, and gentleman is a loose term here, out of Texas and his companies called Novus and Optimum Health Services. They cooked up a scheme, he and two other co-conspirators to submit claims for prescription drugs that were issued without physician approval and routinely signed off that patients were terminally ill and end of life when they were not.

Brian Selfridge: [00:03:12] Harris and two others negotiated a deal with another company called Express Medical to grant them access to even more patient information to grow the scale of the fraud. Now, what's interesting is that HHS was actually on to them. At one point there were a number of fraud complaints. Somebody had sniffed this out and they shut down the Novus company. But these guys just transferred their patients on paper to the hospice company that they owned and continued the fraud from there as if nothing had happened. And this is so troubling. It's a bit more than just financial fraud. You know, tens of millions of dollars is no small change. But the case is a bit bigger than that, as they were actually acquiring high doses and administering high doses of illegitimately obtained controlled substances and giving them to patients to hasten their deaths without physician involvement or approval. So there's some moral and ethical problems going on with these folks. And I'm often asked why is patient information valuable to attackers? Why do we have to worry about it getting into the hands of somebody that could do something wrong with it? And fraud is a major source and a major part of that story, in addition to all the things we talk about, breaches and ransomware and nation states, but just regular old fraudsters looking to make some money. And there's lots of ways you can do it when you have the eye and the information, as evidenced by these folks out of Texas.

Brian Selfridge: [00:04:38] In other updates, to provide an overview of a recent report that came out that was titled Consumer Health Care Cybersecurity Threat Index, from a company called Morphisec, the report found that one in five Americans had a health care provider affected by cyber attacks in 2020. And that's twenty percent of patients in 2020 who felt or were aware of a cyber attack on their own health care providers, and that's up from six percent in 2019. So it's almost triple the amount of folks that are aware of a breach of their health care providers in just a year's time. The report also notes that sixty one percent of patients are worried about ransomware attacks. And twenty one of those sixty one percent said they would consider switching to a new provider from their current provider if they experienced a ransomware attack. 57 percent of those folks said they would consider switching providers depending on how their provider handled the breach. So there's a couple of things there. You know, patients are becoming more aware. They're more willing to select different providers. I think that's an aggregate trend that, you know, for a long time you had your doctor and that was it. I think people are willing to shop around, especially with telemedicine, the ability to kind of see different providers.

Brian Selfridge: [00:05:43] And if your telemedicine provider, which is all based on technology, gets breached, I think there's going to be an increased likelihood that you get a little bit squirrelly about continuing to share your information over those electronic capabilities and areas. So it seems that awareness of these attacks is finally moving into the public sector after bouncing around for so long in the information security departments, where for the longest time we were really the only ones, not the only ones, but the dominant folks that were paying attention to these types of issues. And now health care boards and executives have gotten aware of these types of impacts over the last several years. But now we're really seeing this report highlight the patient level awareness and, you know, awareness is important, but we need to translate that awareness into concrete investments and development of robust cybersecurity and risk management programs in our industry. I think we could all agree we've got a long way to go on that front. Now, interestingly enough, the report notes that patients are more concerned about the security of their patient data now that telemedicine is rolled out, where 50 percent of telemedicine patients surveyed had increased concerns over security versus in-person encounters. I find this to be particularly telling that patients and the general public are not aware of the risks of the troves of PHI that are used by the health care system and business associates and stored and managed.

Brian Selfridge: [00:06:59] So it's almost like once they see the technology in front of them, they're like, oh jeez, this stuff could be attacked, when in reality the data has been attacked, it's been stored and all that's been going on kind of behind the scenes. And this is just interesting to see that awareness level raise up. And, you know, in reality, the introduction of telemedicine does very little to raise the overall threat and attack thresholds, in my view. And we've been living with these risks behind the scenes, hidden from patient views, for a very long time now. So, but we will accept awareness, and it can only help us. This kind of harkens back to our first story here, the presidential order, and all these potential looming regulations that may come out of this. This kind of awareness at the citizenry level may create some pressure to make some big moves in cyber protections in the coming months and years from the federal level as people become more aware, more concerned and all those things.

Brian Selfridge: [00:07:55] In related news, the U.N. has taken action on cyber attacks as well by establishing and agreeing upon accepted standards for nation state online behavior. While the rules alone will not stop nation states from attacking, they could still lay the groundwork for some enforcement and deterrence for large scale attacks like we saw against SolarWinds and Microsoft that have been attributed to nation states, Russia and China, respectively.

Brian Selfridge: [00:08:18] In those cases, the UN rules specifically set requirements to protect the information communications technology, or ICT, supply chain, as they call it. It's important to note that this isn't a knee jerk reaction from the UN. These particular rules have been in the works for over two years by the UN's Open Ended Working Group on cybersecurity, and they were updated five years ago as well. So this is an ongoing conversation, but one that's getting increased attention. The rules specifically recognize the need to protect health care from cyber attacks. So we were called out specifically, and it's important to note the US is not the only victim of such attacks, as the new provisions cite attacks on hospitals in the Czech Republic and Spain, Thailand and even against the World Health Organization. So I'll put a little teaser in here for a news piece we have coming out in a major publication in the next week or so where I've had a chance to weigh in on these very topics and what we can do as an industry to address them. So stay tuned for that. I'll send you details once that goes out. And you can have some more color commentary on all that stuff.

Brian Selfridge: [00:09:22] So as we look back on these updates and just to recap here a bit, my theme this week is going to be momentum, momentum, momentum. I think we're seeing some aggregate patterns of awareness and actions from the citizen and patient level all the way up to federal and even global governing bodies that are out there looking to tackle these issues, particularly around supply chain and cyber risk in general. And the momentum of cyber attacks against healthcare and critical infrastructure looks unstoppable right now, you know, at face value. But I think we all know better in this industry at this point. Right? If we've been working here long enough, we know if we get the right investments in our programs and the tools of government to support us, and these sort of governing bodies, regulations and other things to keep us focused, then we absolutely can stunt that momentum and stem the tide of these attacks to at least a more manageable state. But we've got to keep grinding day in and day out and keep up the awareness, keep up the good fight, keep making those investments, keep making the small changes that allow us to really create resilient programs over time. And our cybersecurity and risk roles and functions are starting to come out from the shadows of the basements of hospitals and places where we've been sort of buried behind the scenes for a while. And now it's out onto the global stage, which is a good thing. So it's an exciting time, I think, to rally together to meet this challenge.

Brian Selfridge: [00:10:37] I'm looking forward to doing that with you all. And I'll just leave one last final mention before we close things out here. There were, of course, a ton of breaches the last few weeks. I'm not going to take the time to recap them here because we're running short on time, but I'll cover them in about two weeks' time. But one of the more notable ones, of course, was another Facebook hack. Five hundred and thirty three million people impacted, personal information, phone numbers. And that's not health care specific. But anytime you get everyone's personal mobile numbers out there, we all know the different types of attacks and scams that take advantage of those numbers and the personal information that can be misused for a variety of attacks that could impact our health care workforce and organizations. So we'll catch you up on all those breaches. There were a lot of the normal breaches too, the typical ones, and we will catch up on those in a few weeks.

Brian Selfridge: [00:11:25] So that's all for the session of the health care cybersecurity roundup. This has been informative for you and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long and thank you for everything you do to keep our health care systems and organizations safe.