The CyberPHIx Roundup: Industry News & Trends, 5/12/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • National emergency declared for Colonial Pipeline ransomware attack; details and implications for healthcare entities
  • Analysis of the Cloud Security Alliance Report titled The State of Cloud Security Concerns, Challenges, and Incidents
  • CISA’s new guidance for managing supply chain risks, including lessons learned from a historical review of supply chain attacks for the past decade
  • CISA/FBI alert on the “FiveHands” ransomware attackers
  • A new GDPR EU directive and pending legislation requiring continuous due diligence of third-party vendors
  • NIST soliciting comments for updating their guidance on implementation of the HIPAA Security Rule


Brian Selfridge: [00:00:10] Good day and welcome to the CyberPHIx health care security roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for the health care industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on Meditology Services dot com, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other material. Check it out. We have some intriguing updates to cover today. Intriguing is a good word. Scary, intriguing, useful. Hopefully all those things. So let's dive into it.

Brian Selfridge: [00:00:52] A national emergency was declared due to a ransomware infection of a major US fuel pipeline this week, the Colonial Pipeline specifically. So you probably have seen that hit the news, I would imagine. But we're going to go a little bit into some more detail. The criminal gang DarkSide is attributed by the FBI as the source of the ransomware attack. The group is suspected to be operating out of Eastern Europe. No surprise there as the malware is one of those flavors where we've highlighted previously in this show where it avoids infecting computers that are configured with Russian language as the primary language for the operating system. So it bypasses those systems. And the FBI and folks, they know who these attackers are. The Biden administration said that the attack is not specifically attributed to the Russian government, although he's going to speak with Vladimir Putin about it this week.

Brian Selfridge: [00:01:38] Regardless, the DarkSide attackers have claimed that they did not intend to cause large scale damage. They put a statement on their website saying, quote, "our goal is to make money and not creating problems for society," end quote. This response and perspective, I think, underscores the motives of these particular attackers, which we've talked about previously. To some extent, I'm actually doing a webinar this week about ransomware and the impact to patient safety and where these attacks come from and who the actors are. So if you get to this in time before that happens, you can join us live or you can watch the replay on Meditology Services dotcom. But one of the slides that I have is around the attackers' motivation in these particular types of attack. And I list the top three motivations, and they are: number three is money. Number two is money. And coming in at number one is money. So I think their claim, DarkSide's claim here, holds up pretty well to that motivation. So we can provide more details about that if you want to check out all the ransomware attacks and these types of groups that are doing these. I think the final point here with this particular attack for health care organizations, now, this was on the US pipeline. Many of these organizations, and not all of them, of the attacking organizations just want to find unprotected systems anywhere that they reside in. Lock them up and get paid. Bottom line, right.

Brian Selfridge: [00:02:59] So health care or medical devices or endpoints are going to get hit. They don't have good vulnerability management nailed down and patches and all those good things. It's not like some of these attacker groups are specifically targeting the US pipeline or health care. I mean, they certainly are more on the radar and they aren't avoiding us, but they're not passive in that sense, you know, but that once they find an entry point in and a weak system, they're then going to move in manually, take the data, hold systems ransom and all that stuff like they did with the Colonial Pipeline here. And with the Colonial Pipeline attack, they actually stole 100 gigabytes of data as well. So it wasn't like some automated malware that just came in and locked things up. They were in there doing their thing and actual trading data.

Brian Selfridge: [00:03:42] The next update this week is the Cloud Security Alliance report that came out recently, and I'd like to highlight some of the results of almost 2000 IoT professionals that were interviewed or surveyed for this report. So, as expected, the shift to cloud hosting is accelerating pace. No surprise there with adoption rates going from 25 percent of infrastructure in the cloud in twenty nineteen to forty one percent in twenty twenty one. And a fifth of all respondents said they expect their own organizations to move to 80 percent to 100 percent of their infrastructure in the cloud by the end of twenty twenty one.

Brian Selfridge: [00:04:21] So it's even accelerating even quicker than we saw in twenty eighteen to twenty twenty one. Respondents are generally happy with security controls and capabilities managed by the cloud provider. However, it's a different story with the controls that need to be applied back on their own customer side. So that's that whole shared responsibility matrix for cloud security, if you're familiar with that whole model where you've got to do some stuff and they got to do some stuff. Organizations that we've worked with are struggling to assign clear roles and responsibilities, and the report from the Cloud Security Alliance reflects this as well for security configurations, where the report indicates distributed support for cloud security being managed by multiple stakeholder groups, including it set up security operations, general cloud teams, they call them, network teams also bearing the brunt of some of the work, and all kinds of other places. But those are the big categories. And we know from our experience here at Meditology that, you know, it's the decision about who owns and controls the security requirements for cloud and configurations. If you can't figure that out and you're not sure and there's confusion about that, then balls are going to get dropped. And misconfiguration can lead to the types of breaches that we've seen many times over the last several years. And if you look at the breach reports from IBM, from others, the cloud misconfiguration remains a really top source of breach entry. So it's time to bust out those RACI matrices, or R-A-C-I if you're not familiar with those, about figuring out roles and responsibilities for cloud and get working on that this year.

Brian Selfridge: [00:05:55] Another noted area in the report is the lack of cloud security expertise being a big gap for many organizations, which is a trend we've seen well before the pandemic. So there's not anything too new there. Our own health care cloud security team here at Meditology has been in high demand not just for cloud specific strategies like a big cloud project, but more so because cloud is now embedded in everything that we do in health care settings. And it's hard to look at security controls and risks anywhere, whether it's your electronic health records, your infrastructure or anything else, without running into a cloud component or some sort of cloud aspect. That includes mobile apps and our own security tools and medical device middleware and everything else. So, fifty-five percent of the respondents of the survey said they are sending personnel to cloud security training in addition to outsourcing to firms like us to help fill that skill gap. So got some uphill battle to do there. And half of the respondents are also bolting on additional security capabilities to what the cloud provider provides out of box, so to speak. So examples of this would be network cloud solutions like CASB providers or cloud firewalls that cover multiple cloud instances for the organization's implementations. They have host based security tools that they're putting in place, and even some homegrown scripting is being used.

Brian Selfridge: [00:07:17] So I thought that was pretty interesting that the report was talking about all this extra security we're putting on in addition to the cloud provider security. And the goals targeted for these tools include better monitoring and logging capabilities around the cloud, automated change and configuration management, cleaning up some of the configurations with excessive rights. There's some tools to do that, as well as regulatory compliance reports and increased cloud topology visibility, which means just seeing what we have out there. Right. So that's it for that report. You can check it out. CSA Alliance issued that this week.

Brian Selfridge: [00:07:54] Now, we couldn't get through a CyberPHIx roundup session in twenty twenty one without some discussion of supply chain risks, right. The US Cybersecurity and Infrastructure Security Agency, or CISA, released a new report this week that provides guidance for managing supply chain risk. It's a pretty comprehensive report. And I'll give you some of the highlights here just so you can get a sense of it. The report's called Defending Against Software Supply Chain Attacks and provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management Framework, or C-SCRM. Now, the acronym, leave it to NIST to give us another acronym. That's OK. We'll allow it. And the Secure Software Development Framework, SSDF. There's another one, to identify, assess and mitigate software supply chain risks.

Brian Selfridge: [00:08:45] So this report includes, I think, an interesting list of supply chain life cycles and threat areas and historical context that is more than where our immediate focus is on Microsoft Exchange and SolarWinds and these big attacks. So, you know, we're all familiar with those, but they go into some details about other attacks like hijacked cellular devices in twenty sixteen. They talk about end user device malware that was deployed in 2012 that was prepackaged with malware coming out of some of the system BIOS and laptops and things. For those of us that lived through that, that was a fun time of third party risk to deal with. There was a time when Kaspersky antivirus came preloaded with malware, if anybody remembers that in twenty seventeen, and then also they talk about some sensitive data spillage from improperly wiped devices that they cited in twenty nineteen. So this isn't the first type of trend that we've seen, or the first instances around supply chain attacks. But giving us that historical context I think is pretty useful to remember that we've got to really tackle this holistically.

Brian Selfridge: [00:09:52] The report also highlights self-signed certificates as a common attack method used to circumvent traditional trust models with SSL and other certificate authentication. It notes that this is a particularly favored approach for attackers out of China to leverage those self-signed certificates to bypass trust protocols. They also note that compromising open source code is another common threat vector. Attackers insert malicious code into public code libraries like Python libraries. And these libraries are common accelerators for developers that can reuse public code for common tasks and functions. Right. You don't want to have to code everything from scratch. As a former developer, I can appreciate that. So we're seeing more and more clients actually look to train their development team on SDLC security and highlight these types of attacks, like the open source code that's embedded with malware, for example, and raise that level of awareness and skill sets for in-house development teams. I think that's going to be a continued focus area.

Brian Selfridge: [00:10:51] The report also talks about privileged access being a big problem. Too many apps and systems in the supply chain are getting nice, big, juicy, elevated access rights assigned to their accounts and their service accounts in particular. So this is a ripe source for attacks against the supply chain, which can lead directly to the escalation of privileges on your network if attackers are able to get access to those service accounts, those machine to machine accounts that have been given elevated access rights in many cases. And I know as penetration testers, that's a common source for us as well. So you're going to want to look at really getting those service accounts under control, making sure that they don't have elevated rights, doing some inventory and audits routinely on your domain administrator accounts, as well as setting up alerts for when privileges get escalated to that level so you can quickly adjust.

Brian Selfridge: [00:11:43] If there were to be a malicious actor kind of escalating their activity, you could catch it a bit quicker in the kill chain and kick them out before they can do too much damage. So the CISA report, or whatever we want to call it, resource, provides in-depth recommendations for software customers and vendors and next steps for prevention, mitigation, resilience and all kinds of other things. So you can check it out. You can search for it either looking for the search term CISA and Defending Against Software Supply Chain Attacks. Or you can reach out to me and I'll get it to you. Begin to send you a copy before we move on from the CISA. They also published another alert this week on a specific flavor of ransomware called FiveHands that is targeting small and medium sized businesses. The alert goes into all the techie detail that you might expect, and I won't regurgitate it all here for you. But I will say that they talk about this being a particularly unique and stealthy attack approach. And I think you would do well to read up on it and get your technical folks looking at some ways to establish some monitoring around these particular attacks, given CISA's raising this up to be such a significant area. And it's a little surprising that it's a stealthy attack. Right, they named it FiveHands. I think you'd be a little more clumsy if you had five hands and less stealthy.

Brian Selfridge: [00:13:00] I'm not sure there. They need to work on their marketing. And while we're talking about third party risk, there's an update in the PR world that is set to, what they say, rock the world of third party regulatory requirements. And I'm not sure what it takes to rock the world, but it might not be on the top of the list. But for those that it's applicable in scope, then it could rock some of our compliance world. So we'll allow that hyperbole. So the E.U. has issued pending directives and legislation that has expansive scope that is expected to be passed later this summer. It's called the EU Directive on Mandatory Human Rights, Environmental and Good Governance Due Diligence, and it's deployed alongside Germany's corresponding corporate due diligence act. So these are pretty significant pieces of legislation around third party supply chain risk that are expected to become law in the next couple of months in the EU. But I'll explain why I think that has some implications for us here, too. This may change the way that third party risk programs are designed globally and could impact the approach for health care organizations in the US and abroad for sure, in a couple of different ways. But first, a little bit of detail about what it does. So the legislation is reported to have some serious teeth for non-compliance above and beyond traditional GDPR that will require organizations to implement thorough and continuous due diligence of third party relationships in the context of environmental practices, social and human rights and governance to address corruption.

Brian Selfridge: [00:14:30] So that's a mouthful that they put in there. But basically, it's going to force the development of a robust third party risk management program. Right. And so that's really where the answer to supply chain risks is, in that whole discipline. And the new directive goes on to state that due diligence should not be a box ticking exercise, but should consist of an ongoing process and assessment of risks and impacts which are dynamic and may change on account of new business relationships or contextual development. So it's all about building the program versus responding to specific attacks. And, you know, this change with the GDPR in the EU is not happening in a vacuum. Pretty much every piece of legislation and standard that we've seen come out in the last couple of years has some degree of third party risk requirements or ramped up third party risk requirements. We saw this with the NIST 800-53 revisions late last year that included an entire new domain around supply chain risk. We see it in a ton of state regulations that are coming out. We had a presidential executive order around supply chain a couple of weeks ago, which we talked about on the podcast. You can go listen to that. There's a UN charter around this stuff. You know, so we've been saying for a while, and I've been saying for a while, that I think this is also going to lead to US federal law that's going to put some more requirements around third party risk.

Brian Selfridge: [00:15:50] I think that momentum is moving too strongly now, and now it's just another domino in the chain sort of pushing us in that direction. So if you're not sure about all those other examples I just gave, again, we've covered them in prior roundups here, so you can check them out by searching in the Meditology Services Dotcom Resource Center. You can search for NIST 800-53 or anything if you want to check out those things in more detail. The final update today, and this is also NIST related, is that the National Institute of Standards and Technology, or NIST, is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed. This is always fun, and I'll explain, I think, why this matters a little bit. But first, the NIST comment period says covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. And NIST is seeking information on any tools, resources and techniques that have been adopted and proven useful for covered entities and have seen success in their compliance programs to safeguard, basically. So, you know, in my view, I think these comments and this comment period and your participation in it is important, because this can go a long way for NIST and OCR and others being able to identify what is reasonable and appropriate practice for some of the HIPAA Security Rule measures.

Brian Selfridge: [00:17:21] And in particular, there are several addressable requirements and provisions within the HIPAA Security Rule. And there's always some ambiguity about what's reasonable and appropriate and what isn't. And that requires folks like me to translate and interpret sometimes. But I think if you go on record, if you've got some cool way that you're adopting compliance, some effective method that you think should be considered compliant and addressable and reasonable and appropriate, you know, get it in there in the comment period. And it either could become part of the actual guidance from NIST, which would be really cool, or it could be a mechanism for you to say, hey, you know, we've participated in the process, we've been doing this thing. We believe this is reasonable and appropriate, and sort of get your position on the record, so to speak.

Brian Selfridge: [00:18:02] So that's all for this session of the CyberPHIx health care security roundup. I hope that's been informative for you, and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long. And thank you for everything you do to keep our health care systems and organizations safe, and see you next time.