The CyberPHIx Roundup: Industry News & Trends, 5/21/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, CyberPHIx host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Identity and access management risk exposures and security exceptions specific to COVID-19 shifts in remote access, furloughed employees, and more
  • Remote access and RDP attack trends and mitigation
  • Federal security advisories on foreign attacks against US-based healthcare research entities for SARS-CoV-2 and COVID-19
  • Two new privacy bills introduced in Congress related to COVID-19 contact tracing apps

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders at meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx, C.Y.B.E.R.P.H.I.X.


Brian Selfridge: [00:00:33] All right, let's dive into this week's update. Several things to put on your radar. For one, we're seeing a major change in risk exposure for healthcare organizations related to business decisions to make exceptions and changes to address the COVID situation, particularly the remote working aspect in this, but not only the remote working aspect. So specifically, we saw a major uptick in attacks from remote desktop protocol, or RDP, attacks. A report from Kaspersky this month noted an increase in brute force password guessing attacks. For instance, overall attacks in February were around 92 million attacks for the month. And then in April, that was all the way up to 326 million. So a tri-fold increase in overall attacks. And of those attacks, the remote desktop protocol, RDP, went from about 200,000 a week to 1.4 million a week by April, over the same timeframe, February to April.


Brian Selfridge: [00:01:32] So what does all that mean? So remote desktop protocol, by its nature, is a single factor using password access, a remote control that is deployed by default for many Microsoft operating systems, if not disabled by policy. So attackers know that, and they know that that's a relatively straightforward place to do brute force attacks; very often those accounts don't always lock out. So there is basically a mathematical likelihood, if not the certainty, that attacks on RDP, especially ones without lockouts, are going to yield access, unauthorized remote access, to attackers. So given the uptick in remote access footprint and the number of workers that are accessing remotely, there is a likelihood that more RDP is out there, which we think is true, and the attackers are seeing that and taking advantage of it. So as we continue to roll out that remote access en masse for large portions of the quarantined workforce, there are some temporary security exceptions being made saying, OK, these aren't typical work-from-home people, but we're going to allow that. And there are other exceptions being made for security for individuals that may be working from home computers, for example, allowed to work from personal PCs. So many organizations are not tracking those exceptions quite as well as they could. You know, it was really great to be able to pivot and allow the workforce to work remotely, so that's awesome. And kudos to the industry for keeping their providers moving and the organization going. But at some point, we may need to revert back to traditional access models or at least roll back a lot of access for folks that have been granted temporary access. And absent tracking that, and models to be able to revert back, a lot of organizations are going to really struggle with getting back to normal and closing this sort of larger footprint of remote access that's out there, if not tracked.
And so that can create a huge project and a lot of work to sort of trace our steps back and retrofit what we did and figure it out. And some organizations, frankly, just aren't going to do that or do it well. And so we're gonna be left with a very large remote access exposure that may persist for months or years or more, if not managed. So keep that in mind for now. Something to pay attention to.


Brian Selfridge: [00:03:49] There are also a lot of healthcare resources or workforce members that are being allocated special assignments, maybe outside their traditional work assignments, based on the remote work, based on the shifting of COVID patients and treatment to a primarily inpatient, ICU focus versus a lot of the outpatient specialty treatments. So people are being diverted and put into different roles. Again, great agility by the system, but we've got to make sure we're tracking what access is being granted. Are access rights being added? Are any being removed? Are they being tracked and monitored? So those types of things need to be taken into consideration. You know, some employees may be furloughed or given reduced hours during this time. We know that the financial impacts of COVID are being felt in the provider space pretty acutely. For workers that aren't actively working, either for extended periods of time or intermittent periods of time, organizations need to make decisions around: should that access be disabled, temporarily? Is there a way we can track that? Should it be left wide open, and we'll just live with the risk of that access being there? So important decisions, important changes. Make sure to keep an eye on those now. I think the longer that goes and having to sort of Band-Aid and fix this stuff later, it's going to be that much harder, several weeks, months, whatever, down the line.


Brian Selfridge: [00:05:06] Our second major topic to cover today is around the attacks on researchers and research-based organizations in the US, particularly those involved in SARS-CoV-2 and COVID-19 research, that have been targeted by China. According to the Cybersecurity and Infrastructure Security Agency, the CISA, the Department of Homeland Security and the Federal Bureau of Investigation, FBI, have all noted an alert this month around attacks from China, attacks from Iran, looking to gain access to intellectual property and research material. So it's important to note that the FBI is saying, look, thefts of intellectual property in these attacks jeopardize the delivery of secure, effective, and efficient treatment options. So if you do have research components that may touch on infectious disease in any way or may be assumed to do as much, even if you're not really actively working on it, you may want to consider additional controls around the research elements of your organization, whether that's tighter security controls, increased access monitoring, or other protections related to those individuals and users involved in the research and the systems that support them. It would be good to put some extra attention on that in the near term, just given that advisory that we're seeing those attacks. Also, you may want to advise your security operations center, network operations center, SOC/NOC type folks, to watch and protect for any traffic coming from high-risk geographic resources or any abnormal activities coming through VPNs or unknown locations or abnormal user activity. That type of stuff is something you should always be looking for. I think if you do have those research components, paying extra attention to anything that really looks out of the ordinary and putting some alerting and ideally protections in place, prevention protections, it would be a good time to put a little mini-project around that.


Brian Selfridge: [00:06:53] Also, make sure to double down on patching and vulnerability management. Again, that's bread and butter stuff we should be doing anyway. But the industry hasn't always done a fantastic job with that. And these attacks, from foreign entities or from whomever, are significantly less successful if we're able to plug up known security holes that are commonly used by these attackers as the low-hanging fruit and the ways to get in. So a couple of things you can do there to keep an eye on that and monitor the situation.


Brian Selfridge: [00:07:21] And our last and final update for today, at least anyway, there's a lot going on, but we'll leave you with just a few key areas, is around two privacy bills that have been introduced in Congress relating to COVID-19 contact tracing apps that are now being developed by multiple large, big-box tech firms. So each major party, Republicans and Democrats, has introduced a bill, which really demonstrates a bipartisan consensus around this issue, around privacy for COVID tracing in general, which is a rarity, to see this kind of consensus. But it illustrates that there is a priority for privacy and security during this time of crisis, but in general, from a public consumer focus. So the Republican bill is called the COVID-19 Consumer Data Protection Act, and it is, quote, "to protect the privacy of consumers' personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis." The Democratic bill is called the Public Health Emergency Privacy Act, which "provides transparency over the health and location data collected by contact tracing apps and gives Americans control over the collection and use of their data." Effectively, the bills are aiming at the same types of items. There are some minor differences in execution that are very easily resolved, I think, with a little bit of conversation. Common themes around the bills are the ability for consumers to opt out of information being shared, giving consumers control over how and where their data is used, including geo-tracking capabilities, making sure the data is destroyed or that it is not retained for a period of time, on the bill it says after 60 days, for example, of that contact tracing information. Look, you don't need to hang onto that. You've made your analysis. Let's make sure we delete it.
So there are things that are, I think, pretty common sense from a privacy and security practitioner perspective that hopefully the parties will be able to get together and drive consensus around and get something out to the market in a regulatory capacity, at least in the near term.


Brian Selfridge: [00:09:26] So we promised to keep these quick for you. So that's it for now. There's a lot of other stuff going on. There are your usual ransomware breaches and other breaches and other stuff like that. So check your news, make sure you're staying on top of those, and keep an eye on how that may impact your organization. But that's it for this session of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you. And we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected], or you can hit me up with a personal email if you'd like. I always welcome the conversation. So long, and thank you so much for everything you're doing to keep everybody safe and keeping our healthcare systems working and running during this time. Really appreciate everyone and your efforts. Thanks so much, we'll talk to you next time.