The CyberPHIx Roundup: Industry News & Trends, 5/26/22

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day. Welcome to The CyberPHIx Healthcare Security Roundup. Your quick source for keeping up with the latest cybersecurity news trends and industry-leading practices, specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare, security, privacy and compliance leaders alongside blogs, webinars, articles and lots of other educational material. We have a great and huge agenda to cover today, so let's dive into it, shall we? 

Brian Selfridge: [00:00:47] US Senator Bill Cassidy from Louisiana, who is a physician by trade, led a session this week for the Senate Committee on Health, Education, Labor and Pensions, otherwise known as help on cybersecurity in the healthcare and education sectors. The session highlighted the growing importance of a strong cyber defense and the effect of cyber attacks on Americans, according to Cassidy's website. In the hearings, Cassidy cited the 2020 FBI alerts on imminent cyber attacks against healthcare, which we're actually going to talk about a little bit later. I'm sure you all remember that one as well as recent CISA alerts about Russian attacks on critical infrastructure. The hearing noted that nearly 50 million people in the US had their sensitive health data breached in 2021, which is more than triple the 2018 numbers. So we've got a problem. The hearing covered ways to improve public and private collaboration to solve these complex challenges. So participants that testified in the hearing included Josh Corman from the I Am the Cavalry Group, as well as our friend Denise Anderson from ISAC. 

Brian Selfridge: [00:01:47] There were hours of testimony, but here are some selected quotes that just want to give you a sense of some of the feedback and some of the information that was presented to this committee. So the first one is attacks on healthcare are increasing in volume, variety and impact, with consequences that now include the loss of life. The pandemic brought an untenable perfect storm of record high need for patient care in the face of record high adversary activity and severely diminished resources with which to defend healthcare delivery environments. I agree with all of that so far today, because of the rise in digital healthcare, the proliferation of advances in technology and the efficiencies of connecting devices and data, the cyberthreat surface in healthcare has ballooned on the threat actors have followed, which is what Denise Anderson from H-ISAC was saying. She went on to say, Coupled with a diverse base within the sector, a highly regulated environment, complex, siloed departments, and a lack of skilled cyber staff, which we talked about quite a bit, a lack of cybersecurity, situational awareness and a lack of knowledge and training for the medical staff, as well as the CEO and board level and lack of cybersecurity strategy, including a risk management approach. The health and public health sectors faces enormous challenges. That was a bit of a run on quote, but I guess that was how it was presented. 

Brian Selfridge: [00:03:03] Josh Corman also took issue with the voluntary nature of healthcare, cybersecurity practice requirements going on to say seatbelts weren't voluntary. I don't believe fire escapes were voluntary, nor kitchen sanitation codes for commercial restaurants. Public safety isn't free, he said. The lack of sufficient public safety and public good is also dis economic. Further crisis of confidence in the public in modern healthcare will drive devastating staying harms to the public safety, economic and national security. So in summary, I mean, a lot of comments there about just sort of the complexity and the challenge that we are up against. There was some conversation about what some proposed solutions were to these challenges, and they included further investments in software bill of materials or s bombs, which we talked about in our last episode, I believe, if not the episode before then. So you can kind of lean back into those to find out about bombs. I think those will be helpful in third party risk, if nothing else. And then Denise Anderson from H-ISAC urged Congress to place further emphasis on threat sharing and cyber education and provide incentives for adopting cybersecurity best practices. So by no means was this a session to solve everything. But it's really raising awareness within the federal government of the challenges that we're up against where we need investments. And these hearings are a really important way to get some of that out there. 

Brian Selfridge: [00:04:25] So we'll keep you posted on any sort of feedback from the committee, any follow ups, anything else that comes out of it. As we've talked about the last several weeks, there are a ton of bills and regulatory changes and things that are being proposed and put forward around healthcare, I.T. security, around medical device security, and a number of other sort of niche areas. So we'll keep you posted on all of that as it unfolds in further episodes. Of course, in other federal government news, the Healthcare and Public Health Sector Coordinating Council, or HSCC, has released a new checklist around cyber incident management and will go into some detail on that. I think it's a really good one. So for those who aren't familiar with it, the HSCC is a coalition of private sector critical healthcare infrastructure entities organized under the National Infrastructure Protection Plan to partner with and advise the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector's ability to deliver services and assets to the public. Now, the HSC six new checklist is intended to provide a flexible template, at least according to the checklist itself, provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber attack. The checklist outlines recommended initial actions and considerations during the first 12 hours of cyberspace. 

Brian Selfridge: [00:05:45] Here's the incidents that are really important, critical time, and that is the scope of this particular checklist. So for those familiar with incident response planning in general, a common approach is to define incident response roles and responsibilities for various individuals and teams. It's a bit like everyone stopping their day jobs and putting on their volunteering firefighting outfits to address urgent situations. Right. So in that same spirit, the checklist here breaks down actions that should be taken by each of the incident response roles. The roles outlined in the document include incident commander, medical technical specialist or subject matter expert slash advisor, public information officer who serves as the conduit for information to internal and external stakeholders. Very important role. The liaison who functions as the incident contact for the command center to other agencies and groups. The Safety Officer who must identify, monitor, and mitigate safety risks to patients, staff, and visitors during a prolonged large scale outage. Now, that's very healthcare specific and one that put a note on that and make sure you get that one in there. There's the operations section chief who keeps the operational lights on for both clinical and operational functions. Imagine a ransomware event or something else where you need somebody just focusing on keeping the trains on time and getting through downtime procedures and all those things. There's also the planning section chief who oversees all incident related documentation, very important and very important to have that be one person for a lot of reasons. 

Brian Selfridge: [00:07:14] There's the finance section chief, the logistics section chief, and the intelligence section chief, which is labeled as IS/IT who coordinates the investigation and the technical response. So a lot of different roles there. And I highly recommend you take a look at your incident response plan and update it to incorporate as many of these areas and the checklist activities as you deem appropriate. Each of those roles has a really good sort of bullet list breakdown of what activities those individuals should be doing. It is healthcare-specific again. So there's I love that there's a whole piece around sort of keeping patient safety in mind and operations up and it can be directly applicable to your environment. Now, if you don't have an incident response plan, then stop listening to this and go and build one. Our folks here at Meditology can help if you need to. We've built a million of them and tweaked and tune them over the years. But as always, continue to practice and test your plans with tabletop exercises. Even if you update them with this content, make sure you get through those simulations before the real major breach events come to town. The next area I want to talk about is one that is garnering a lot of attention in the industry, and that's around cyber liability insurance for cyber security. The Wall Street Journal has recently released a report about how the ransomware boom has caused cyber insurance coverage costs to soar. 

Brian Selfridge: [00:08:33] And as we've discussed previously on the CyberPHIx, cyber liability premiums have skyrocketed this year and even beginning last year to an extent. Now, the Wall Street Journal report has helped to quantify that a bit in the aggregate. And here are some key stats. There are four of them that I want to run by you that I think are really interesting out of this Wall Street Journal report. So, number one, direct written premiums collected by the largest US insurance carriers in 2021 increased by 92% year over year, according to information submitted by the National Association of Insurance Commissioners. Wow, 92%. That's consistent with what I've been seeing and hearing in the industry. Number two, the price increase has allowed us cyber insurance industry overall to reduce the percentage of its income that it pays out to claimants to 65.4% in 2021, from 72.5% in 2022. The drastic rate increases are a sign that the new market is maturing quickly. That is what executives told the Wall Street Journal. Number three carriers are not only upping their costs, but are cutting what their policies cover, which is rightfully worrying. Security experts and others like myself who say that operations by non-state actors could expand the legal gray area around what is and isn't covered by insurance. The fourth and final stat that I'll share with you or point is that the market increase is being attributed to a surge of costly ransomware attacks. 

Brian Selfridge: [00:10:01] No surprise there that have disrupted businesses and organizations, as well as a wave of new cyber regulations from US government agencies. So very, very interesting on aggregate numbers there. Now, just about every CISO and healthcare security leader that I've spoken with this year is grappling with these increased rates and the uncertainty around coverage. I think the big takeaway here for me is that you cannot rely on cyber liability insurance to save the day when these big cyber events happen. You know, we need to continue to make substantive investments in both protection programs and instant response processes like those we've mentioned in the prior update on the HSK checklist. Now, cyber liability is still a piece of the puzzle. I'm not advocating to abandon it, but just. Go in eyes wide open that it may not cover as much as you think it does. It may become increasingly, if not prohibitively expensive at some point. We've got to watch out for when that that the scale tips across that level. We're not there yet, but it's getting very, very expensive. Now, if you don't know where to start in terms of building your security program, lining up with security standards framework like CSF or HITRUST, I think is the best place to begin. And, you know, even embarking on a high trust certification sometimes can help be a way to drive the organization to mature coverage around security controls in all critical security domains versus just again, some I hate I hate to say this, but it's true. 

Brian Selfridge: [00:11:24] Some organizations are kind of relying on cyber liability insurance and not making the investments in their program. I think that's just a major swing and a miss and setting up for some challenges in the future for those organizations in particular. All right. I'd like to switch gears and talk about what I will call the 'WTF' moment of the week we're in. A cardiologist out of Venezuela has been charged with designing selling ransomware in his free time. So isn't that exciting? According to the US Justice Department, Venezuelan cardiologist Moises Luis Zagar Gonzalez was charged in the creation and sale of malicious software that cybercriminals used in extortion attempts. The 55 year old physician was formally charged with attempted computer intrusions and conspiracy to commit computer intrusions, according to the federal complaint. This multitasking doctor, as it says, treated patients and built two ransomware strains Jigsaw Version two and Thanos in his spare time. Beginning in 2019, Dr. Zaghawa is accused of selling and renting out the ransomware tools to cybercriminals and teaching them how to use the programs. Isn't that nice? If convicted, the doctor faces up to five years imprisonment for attempted computer intrusion and five years imprisonment for conspiracy to commit computer intrusions. So, wow, again, what is going on in the psychology of that individual? You just have to wonder. 

Brian Selfridge: [00:12:49] I guess we'll we can only scratch our heads at this stage. Okay. Let's get back to more predictable updates. The law firm Baker Hostetler released an interesting report on healthcare data security incident response this week. That I think is pretty cool, which covers a very broad range of topics but has some unique insights for the industry, I think. So I'm just going to summarize a few of the more intriguing elements here for you. By no means can I cover the whole thing. But the first area from the Baker Hostetler report that I want to talk about is around third-party vendor risks. Our favorite topic here. The report noted that nearly 20% of the total cybersecurity incidents that their organization, meaning Big or Hostetler, the law firm handled last year, were caused by vendors. So 20% of incidents caused by vendors with more than half requiring notification. Public notification. Vendor incidents involved phishing schemes and inadvertent disclosures, but primarily resulted from ransomware attacks on vendor systems. No surprises there either. Now, these ransomware attacks often involved the theft of customer data from a vendors environment or even spread of the ransomware from the vendor to the customer. Yikes. By utilizing the vendor's own credentials. So that's a major, major problem and one that we feared for a long time. Right. Like when we talk about vendor access and proliferation of vendors that we use and the VPN tunnels and everything that sort of open up connecting these environments and access controls, once those gates are open, these attacks really do cross those boundaries pretty, pretty easily. 

Brian Selfridge: [00:14:19] And it's not the first or the last time we'll see ransomware jumping across from vendors to customer environments. And in this report, I think at least has enough data behind it to say that that's happening more frequently than may be reported. The threat actors can not only rely on their usual tactics for extorting payments but also leverage the added pressure of customers that need their data or the vendor's services to maintain normal business operations. So there becomes a bit of a pressure cooker, right? The report also notes some lessons learned for organizations that need to deal with vendors who have breached their data and systems. So I'm going to cover a few of those lessons here. First, the report notes that the time it takes vendors to notify their customers of an incident can vary greatly depending on the type and extent of the incident, the scope of the vendors, services and the parties, and legal or regulatory obligations. So in ransomware situations, vendors may rush to get a communication out to customers that is incomplete or inaccurate, requiring customers to repeat or expand their notification analysis as the investigation develops. So that's a problem. You don't want to send out notifications to your affected individuals more than once, reminding them that you had this breach if the information initially was inaccurate or incomplete. 

Brian Selfridge: [00:15:31] The report also notes the importance of creating a ransomware playbook and incident response plan that incorporates key vendors in the process. There we go. Incident response planning coming back right at us. That's going to be our theme this week, I think. All right. So secondly of the lessons learned, the report notes that information sharing from vendors to customers varies widely. Vendors control the investigation as you would imagine, they would add what information gets released and when is sort of dependent on the vendors prerogative as it plays out. And there's a wide variance there. Apparently, again, not surprising for vendors, it can be difficult to balance the need to provide accurate and complete information to customers with the desire for transparency. Even after completion of the investigation, vendors may be unable or unwilling to share full details, even when their contractual requirements to do so. The report recommends that vendors create a version of their forensics investigation reports that can be shared with customers. It doesn't have to be everything, but maybe enough to kind of make sure you're driving that transparency. So I thought that was pretty interesting. All right. The third lesson reported that I will note here is that the Baker Hostetler document discusses the criticality of vendor vetting and revetting. This is a familiar topic to our listeners here, I'm sure. And Meditology's sister company, CORL Technologies, is actually dedicated to providing technology and managed services for vendor risk due diligence exclusively for healthcare. 

Brian Selfridge: [00:16:51] So if you're not sure how to handle that aspect of the vetting and revetting, there are organizations like CORL that can do that for you. So you can talk to our folks if you want to talk about that. But absolutely critical, whether you're doing it in-house or getting third party support to make sure you're covering your full portfolio of vendors or at least have a robust prioritization mechanism that really gets more coverage than just driving initial vetting of vendors for cybersecurity during the procurement cycle. We've got to sort of get get beyond that because the vendors tech is changing so frequently. So other lessons learned from the Baker Hostetler report include understanding and limiting what data is shared with vendors in the first place to limit the impact of vendor breaches. They also recommend that customers should include contract language that specifically sets forth the vendor's obligations to notify individuals and or regulators and the customer's request and approval at the customer's request and approval. So that makes a lot of sense to me, and I like that practical guidance of actually getting some contractual obligations in there. Again, whether or not they honor those in the heat of the moment is a different story. But I think that gives you a good ground to start from or push for it when the events do start to unfold. Finally, the report notes that even when an incident occurs at a vendor, we have seen customers, we being Baker Hostetler, I've seen customers face regulatory inquiries or class actions. 

Brian Selfridge: [00:18:14] Stay tuned for class action updates. While regulators will often focus primarily on the vendor that experienced the incident, they can and will also investigate a vendor's customers. Most often with regard to the notification individuals, the sufficiency of control the customer had over the vendor's security measures, and whether the parties entered into the appropriate agreements regarding their respective responsibilities. Now that is really a pretty strong statement. I guess this whole part around the control that the customer had over the vendor security measures. I want to highlight that because for the longest time and even to today and a lot of organizations, there's this sort of outsourcing of the risk. Right? We give the data to the vendor. The vendor is responsible for securing it, and maintaining it. And that's sort of the mindset that goes into it's a set it and forget it. It's their problem. But I think this is really critical that the regulators and the class action situations are looking into. Did you do your due diligence? I don't like that word control so much. I mean, I don't think you really have control over vendor's actions, but you certainly have the ability to set standards and expectations contractually and otherwise around the security of that data that you're sharing with them prior to doing that and while doing that. So I think that's a really important sort of key right there that the situation is changing and we all need to be responsible and accountable for making sure data is secured even when we share it through third and fourth parties. 

Brian Selfridge: [00:19:35] So that brings us to our next update on recent class-action lawsuits. That's why I highlighted that a moment ago. Solara Medical Supplies in Chula Vista, California, has proposed a $5 million settlement to resolve a class action data breach lawsuit. Solara provides medical devices and disposable medical products and is also a registered pharmacy, just for some context here. In June, just in June and June of 2019, Solara identified suspicious activity in an employee email account. An investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April and June of 2019 via phishing campaigns. 114,000 customers were impacted by the data that was exposed, including Social Security numbers, driver's license info, health insurance details, and financial information. There are actually four class-action lawsuits that were filed and then consolidated down to a single case, which is pretty, pretty common. The six plaintiffs in the case will receive $4,000 each. And any class members that file and apply for the reimbursement will get 100 bucks each. $2.3 million of the settlement goes to attorney's fees. So somehow these numbers don't quite feel like justice to me. But accountability for breaches is certainly a trend we're going to continue to see and can expect to see. 

Brian Selfridge: [00:20:57] And they are becoming meaningful numbers for sure. I'll also point out that this is an example where the release of sensitive information of 144,000 individuals was in play. And that's a that's it sounds like a big number. And it is. But I want to compare that to the overall trend of what we're seeing week to week and month to month on breaches, because sometimes we pull these out of the air and we don't really have context on, well, is that is that a big breach or a small breach and what is a big breach anymore? So I actually compile a monthly blog for CORL Technologies called the CORL Vendor Breach Digest that summarizes vendor breaches. And the last two months alone, we saw breaches exceeding that number of 144,000 with just to give you a few examples, BLOCK Inc., formerly known as Square Inc., breached 8.2 million individuals, records, again, 144,000. We're talking 8.2 million records. Morally, companies breached 521,000 individuals records. South Denver Cardiology had 287,000 individuals, breached. Medical Health Solutions had 133,000 practice. Macs had 165,000 individuals breached the International Committee of the Red Cross with 515,000 individuals breach. So just compare this to 144,000 from Solara in 2019 and the four lawsuits that followed. It's pretty safe assumption that class actions will follow these other breaches I just mentioned that happened in the last two months alone. So you can imagine those class actions coming out in 2023, 2024 timeline time frame. 

Brian Selfridge: [00:22:27] And just watch this snowball building. Right. And it takes it's legal, right? So it takes a couple of years for these things to play out. But if we're getting that volume of breaches at this much of a clip, I've said it before and I'll say it again here, class actions are going to be a big deal in the next five years and the penalties and settlements are going to really sting organizations. So keep your eye on this. Make sure you've got a plan, talk to your legal counsel. Just be ready for this stuff. Obviously, the best medicine is prevention, but also being prepared for these lawsuits and being prepared to defend with all the things that you were doing to mitigate the likelihood and impact of these things happening. So you could make a case in court. And I'd argue if you're not doing some of the basics, then you're not going to have much of a case when it comes to these situations. By the way, you can access that CORL vendor breach digest on CORLtech.com under our blog section and in the Resource Center on that same website. If you want to check those out and keep up with them again monthly, just get a feel for how these things are trending. I want to move on here from class actions and talk about some of the various technical security and threat alerts that have been released in the last few weeks. 

Brian Selfridge: [00:23:34] I think really important to get these on your radar. The first one, the CISA, released an alert titled Weak Security Controls and Practices Routinely Exploited for Initial Access. Really, really great alert and really highlighting many of the common issues that pervade healthcare security lapses at organizations. So I'm going to spend a little bit of time on this one because I think this is pretty good stuff. The release indicates that cyber actors routinely exploit poor security configurations, either misconfigured or left unsecured. We control and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system. The Joint Cyber Security Advisory identifies commonly exploited controls and practices that include best practices to mitigate those issues. So when we do penetration testing here at Meditology and those types of things, these are a lot of the same issues that we see. And really it's those initial access points that are so critical because once a threat actor is in the environment, unfortunately, many of you know these healthcare environments are very sort of large, flat, diverse networks. And once you're kind of beyond the network walls, as much as we talk about Zero Trust and all this stuff, it's not really happening today, right, in healthcare in particular. So that's why that initial access is so important to stop or at least get visibility into as much as we can. 

Brian Selfridge: [00:24:52] So there's a long list of commonly exploited, weak security controls that are provided in this alert. And there's an even longer list of mitigation measures. I'm going to summarize the key ones here, at least give you a sense of them, again, spending a little more time on this, because I think I think they're all right on the mark. So in terms of weak security controls, the list includes the following ten areas. One is multifactor authentication is not enforced. We've talked about that quite a bit. Huge factor there. Number two, incorrectly applied privileges or permissions and errors with access control list. So this is like when you have those firewall rules sets and you say, okay, well, we're, you know, we're sectioning off the environment, we have this VLAN that VLAN, but when you have everything allowing the access permissions between these segments of the network to talk to everything else on those other networks, you don't really have network segments, right? You just have one big flat network still and these buckets that you name stuff, but they don't really do anything. So that's at the network level. But the same thing applies to user level access, service level accounts, domain admin credentials on service accounts, and the list goes on. All right. Number three, software is not up to date. Patching, patching, patching, right. Number four, use of vendor supplied default configurations or default login usernames and passwords. And I got to tell you, that is one I would probably move that up to like number one, you know, when we look at our pen testing and stuff of just how easy it is to to get that initial access into most healthcare organizations, the vendor logins and default passwords are just a goldmine for the malicious attack attackers. 

Brian Selfridge: [00:26:21] Number five, remote services such as virtual private network VPN lacks sufficient controls to prevent unauthorized access. Number six Strong password policies are not implemented. I can't believe we're still talking about strong password policies in 2022. This is a multi-decade-long, straightforward thing to fix and I've got to get on that one. Number seven, cloud services are unprotected and that's a whole you could spend an hour on just talking about cloud services, and security. We have a whole group that does that. Number eight, Open ports and misconfigured services are exposed to the Internet. Number nine, failure to detect or block phishing attempts. And number ten often here, poor endpoint detection and response. Now switching over to the list of mitigation recommendations, it includes the following list of actions. Now, some of these are, I'll say, kind of pie in the sky generalization. Sometimes you have this like secure everything, lockdown this or that, like it's kind of general, but there are some very specific items that can be implemented right away and a little bit more prescriptive way. So I'm going to give you all of it and you can decide which is which. 

Brian Selfridge: [00:27:26] So there's 15 of these, by the way. So so hang in there to hear all of them. Number one, mitigation approach is adopt a zero-trust security model. I've given you my perspective on the word zero trust in the past. Take you can interpret that one however you will. Number two, limit the ability of a local administrator account. Huge. That's local administrator accounts, both on workstations and servers. They're different, right? They're very often different. And how those are managed are different, but both really, really critical. Again, that's from personal testing experience. Number three, control. Who has access to your data and services? Number four, change default passwords. Ding, ding, ding. Definitely do that one. Number five, harden conditional access policies. Number six, verify that all machines, including cloud-based VMs, and virtual machine instances, do not have open RDP ports. Let me just say that one again. Make sure everything in your universe does not have an open RDP port. That is just if you're still using remote desktop protocol for any reason, reconsider that and look at an enterprise-grade remote access technology. The bad guys are really going after RDP and it's such an easy way to gain remote access, get that foothold and launch your attacks. So again, in terms of prescriptive recommendations, do an audit on RDP, please, and make sure you're using it effectively and appropriately. Number seven, implement multifactor authentication. Number eight, change or disable vendor supply default names or user passwords? Yes. 

Brian Selfridge: [00:28:54] Number nine, set up monitoring to detect the use of compromised credentials on your systems. Number ten, ensure that each application and system generates sufficient log information and there's a whole sub-list of logging monitoring recommendations here the alerts. And this comes down to post-breach. When you do have the incident, you're trying to figure out what happens. That whole forensics process, if you don't have logging in place or sufficient logging in place, it's a waste of time and money for everybody. And you're really not going to know what happened without otherwise just some broad strokes ideas of what happened. You're not really going to know what information left and how it happened and how to solve it. So logging is so critical and it's not storage is not that expensive anymore to do proper logging. Logging number 11, deploy anti-malware solution, and monitor antivirus scan results on a routine basis. And I've seen this a lot, I got to say, over the years of doing audits and assessments of organizations where there's this idea that you just deploy the antivirus software, the anti-malware software, and then it's going to stop everything. And you just let it go right? And it's going to do its job. You've got to look at the logs of those. You got to see what's getting triggered because a lot of times there's their sort of low level malware and hacking tools that will be detected and even blocked. 

Brian Selfridge: [00:30:09] But if you're not if you're just saying, okay, well, block stuff and I assume it's doing its job well, if someone's using hacking tools and you're seeing your manual hacking tools get detected and blocked, like that's in the logs, and somebody's got to look at that and say, Oh, no, you know, this system and that system is under active attack. And if you're not, yes, technically it's stopping that particular attack. But you've got an active adversary that's going to with time and often not that much time, kind of get around that and use other tools that will work and get past those controls. So got to look at these antivirus anti-malware solution logs. Number 12, implement endpoint protection software and intrusion detection intrusion prevention systems both on the endpoint and the network. Number 13, conduct penetration testing on a routine basis. Now, this is one of my favorites. I mentioned a few times here how I'm an ex-pen tester. I guess still currently we just don't do it that much actively anymore. So this is critical for me getting the real-world weaknesses identified in your environments. One thing to kind of look at your control environment, follow a framework like you should definitely do that and audit against that. But nothing beats doing a pen test, finding out where folks can actually break in, closing up those loopholes, building a tangible list of remediation items that you can report against and say, okay, we did the test, here's the critical, here's the highs, here's the mediums, this is how many we got resolved. 

Brian Selfridge: [00:31:29] Take whatever amount of time you need to do that and then repeat the test a year later or less or quarterly, whatever you want to do so that you can. If you get into that cadence in that rhythm, I guarantee you'll harden your environment substantially more than just doing a purely controls-based security controls-based sort of model. Now, of course, you should do that too, right? So you combine your controls-based assessments and HITRUST, NIST those types of things along with your pen-testing. And it's it is the secret ingredient to really hardening systems. All right, number 14, conduct. Vulnerability Scanning Number 15 used cloud service provider tools to detect over shared cloud storage and monitor for abnormal accesses. And then there's two more. I said 15. There are 17. 16. Maintain rigorous configuration management programs. And last but not least, number 17, implement asset and patch management processes. It goes without saying. But we said it anyway. Right. That's all for that. CISA Weak security controls list alert. A lot to digest in there. You can look it up on the CSA of websites, but let's move on to other areas now. So for another update that was released by the CSA, they warned organizations not to install the May Windows Patch updates on the Windows Domain controllers specifically. 

Brian Selfridge: [00:32:47] Now for those less technical listeners, domain controllers are basically special Windows servers that dictate the configuration settings for all connected Windows devices. And they also do things like authenticate your logins and your access controls from any Windows device on the network. They have to ping check-in with the domain controller to do that authentication. For example, for the technical listeners out there, you know that domain controllers do a whole lot more than that and that you may be probably upset with me for that oversimplification, but regardless of how you feel about my description, it's important to note that any impact to multiple domain controllers can have catastrophic impacts to your Windows Network and connected devices. The reason the CISA advises not to install this Windows update is because apparently, it can create some authentication issues, which is very, very critical. Right. Every machine can't log in. Everybody's dead in the water. So the patch update this month included 73 other important security updates. So you make sure to apply those patches to all the other Windows devices that are not domain controllers. So I just want to be clear about that. Don't skip the whole patch cycle. It's likely that Windows will offer up an updated patch in the near future that will not create the authentication issues that we saw this time. That's usually the case of what happens here, especially with something as big as messing around with domain controllers. 

Brian Selfridge: [00:34:01] But in the meantime, leave those two main controllers alone, please, for a couple of weeks until that comes out and patch everything else. Okay. The last set of updates and I say set of updates because there are a few that I want to cover today relate to some emerging trends and alerts around our favorite topic, ransomware. I keep saying favorite topic. There are a couple of them third-party risk and ransomware. Those are the two that I'll keep in the category. The Department of Health and Human Services, or HHS, issued an alert to healthcare providers, warning them to defend against the exceptionally aggressive hive ransomware group. So here are some summary notes to know about the alert from the HHS alert on the Hive Ransomware Group. Number one, the group uses many common ransomware tactics, including the exploit of remote desktop protocol or VPN. We talked about phishing attacks. We've seen some talk about that. And in the cases earlier around class action lawsuits, in addition to more aggressive methods like directly calling the victims to apply pressure and negotiate ransomware ransom payments. Geez, don't want to get that phone call of the negotiation with the ransomers. All right. Second, in this alert that other tactics deployed by the group, the hive group, includes searching the victim's systems that are tied to backups and either terminating or disrupting those connections, deleting shadow copies, backup files or even system snapshots. 

Brian Selfridge: [00:35:23] So that's where they're trying to basically take away your your your best weapon, which is, hey, we've got backups. So if you ransomware, all of our stuff, we're just going to ignore you, reboot everything, and load from backup. And that's of course appropriate plan a, but when these this hive group is really spending time upfront to disable that stuff either before or during the ransomware attack, and that's a big problem. Third, Hive also conducts double extortion and supports this with their data leaks site while operating as a ransomware as a service model. How convenient. And lastly, HIVE has claimed attacks on approximately 355 companies within 100 days of operations. That is an aggressive pace. Right. And doing some pretty aggressive tactics. So you could see why HHS is really getting the notice out there of this group. In particular, HHS is urging healthcare organizations to increase their preventative security measures. It's that doesn't sound right. But anyway, such as two-factor authentication, strong passwords, sufficient backups of the most critical data, and continuous monitoring. I think we could also add to the list all the weak security control areas we just talked about earlier. We have to shore those up if we stand a fighting chance against ransomware in general. In other ransomware news, the Conti Ransomware Group has racked up an astonishing toll on the healthcare industry in the last few years. Now, if you recall from our previous updates, and I mentioned it a little bit earlier at the front end of this episode, Conti was the Russian ransomware group that was featured in the FBI's Imminent Attack Alert in late 2020 that leveraged the Ryuk ransomware strain. 

Brian Selfridge: [00:37:00] So if any of those words mean anything to you if you're around the industry back then, really big deal, right? The FBI said huge attacks are coming. They're targeting healthcare. It's a big deal. And as it turns out, they did so. As the pandemic arrived, Conti announced that they would refrain from targeting healthcare providers. And if you guys remember this, this totally BS claim that we noted at the time where they're saying, hey, you know, look, this pandemic is pretty serious. We were going to leave the healthcare providers alone. We're going to ransom everybody else. Well, it turns out that due to thanks to some excellent reporting from Krebs on security is one of our favorite sources of information has tallied up the total attacks on healthcare providers since that time and notes that surprisingly, Conti has attacked more than 200 hospitals and healthcare entities since that declaration was made. So, so much for honor among thieves. Jeez, we thought maybe they would stick to their word. They didn't. Surprisingly, maybe not surprisingly. So estimates on the cost of these attacks vary. But in all likelihood, we're talking billions of dollars in damage and impact to the healthcare providers nationally and globally. 

Brian Selfridge: [00:38:04] Conti Ransomware, I mean, tying this back to these other FBI alerts that we're talking about when we highlight these things, it's not to create fear, uncertainty, and doubt. It's not to raise alarm unnecessarily. You know, look at that alarm. Look at what was raised and look at what happened in two years. 200 organizations were hit, billion-plus dollars worth of damage. I mean, this is big stuff. All right. Speaking of Russian attacks, HHS also issued a threat briefing this week on advanced persistent threat groups linked with the Russian intelligence services, in particular, that are targeting healthcare organizations. So again, for avid listeners of the podcast, we spend a lot of time talking about the Russian attacks. Even before well before the Ukrainian situation, the Russians have been busy and not behaving themselves. So this particular threat brief from HHS provides information on four key advanced persistent threat actors out of Russia which conduct offensive cyber activities and espionage within the Russian intelligence services. These apt actors have been linked to the Federal Security Service, FSB, the Foreign Intelligence Service, SVR, and the main intelligence directorate of the General Staff of the Armed Forces Forces or the GRU. I'm just leaving in all these messaging mess ups because you know what? You guys need to laugh. The FSB is equivalent to the FBI here in the US. So I'm pointing out all these different groups because when we get into the individual threat actors, they have ties to different parts of the Russian agencies. 

Brian Selfridge: [00:39:31] So we actually did a webinar a couple of months ago, a month or two ago on the ransomware attacks and all the sources that come from that. And there was a whole section around the Russian attacks and the agencies, and you actually can see and go back and watch the replay on Meditology services on this ransomware thing we did. And you can see like an org chart within the Russian government of the different groups and which ones do which type of activities and which ones are more espionage, which ones are more cybercrime and theft. And then there are some that are just pure destruction. So I'm going to highlight some of those because this actual alert from HHS kind of provides some of that similar information. So that's why I want to let you know all the different names. So I mentioned the FSB is like the FBI on our side. The SVR is equivalent to the US Central Intelligence Agency or CIA and collects foreign intelligence on military, strategic, economic, scientific, and technological targets, those types of things. And then the GRU is basically like the Defense Intelligence Agency in the US that collects foreign intelligence, military issues, espionage, and also they're the ones that do the destructive cyber attacks. And we'll talk about that a little bit more in a second. 

Brian Selfridge: [00:40:45] So the apt groups are Turla also known as Venomous Bear, Iron Hunter, Krypton, and Water Bug. Now some of these names are less menacing than others, like Water Bug, right? I'm not really too frightened of the Water Bug. Maybe I should be, but it's kind of like sports teams names, right? Like some are really intimidating and others aren't. I'm kind of like really chuckling at all these different Russian hacker name things. So, like, I was never really all that concerned about falling into the deadly grips of the mighty duck or getting jazzed to death or whatever, like some of these sports teams. So that's why I feel about some of these apt groups. Anyway, the second Russian app group is called APT 29, also known as Cozy Bear. Once again, not an intimidating name, right? So they operate under the direction of the FSB and mostly target industries such as academic energy, government, military, telecommunications, research, pharmaceutical companies, and foreign embassies this group operates under. The direction of the SVR mostly targets the academic, energy, financial, government, healthcare, media, pharmaceutical, and technology industries, and think tanks as well. So these folks are after us, right? Healthcare was on the list. The Cozy Bear folks, watch out for the Cozy Bears. This group mostly targets European and native countries and is known to conduct spear-phishing campaigns to gain stealthy long-term access to target networks. And it's especially persistent and focused on certain targets. 

Brian Selfridge: [00:42:07] So rather than sort of large spraying of attacks and that we'll see from other groups. The group steals information but does not leak that information. They're also the ones that were responsible for the SolarWinds attack a little while back. I hope you remember that. If you don't look that one up, the third APT group is APT 28, also known as Fancy Bear. Seriously, I'm not making this stuff up like you got a google. If I could make up sillier names, I'm not sure I could compete with these anyway. Fancy Bear. The group operates under the direction of the GRU and has been active since 2004. The group targets aerospace, defense, energy, government, healthcare, military, and media industries and dissidents. So that makes two Russian groups that are out to get us so far. If you're keeping track out of the three that we've talked about, two of them are out to get healthcare. These fancy bears are known to use password spraying, unique malware phishing, and credential harvesting, and tend to conduct noisy rather than stealthy attacks. The group also steals and leaks information to further Russia's political interests. So again, contrast that with the prior group steals keeps it in house for espionage and intelligence purposes. This one leaks it out and makes a mess of political geopolitical situations by releasing information. The fourth and final group is Sandworm and operates under the direction of the GRU where mainly targets the energy and government sectors and is the most destructive of all the threat groups. 

Brian Selfridge: [00:43:35] That's the one we really need to watch out for. These are nasty folks. Sandworm targets ICS and computer systems for destructive purposes, such as conducting wiper malware attacks, which has been the big trend. And these guys are getting major action following the Ukraine incursion and the following follow-up Russian attacks against Ukraine and other places. They're really ramping up these wiper malware and destructive malware trends and techniques. So these folks, these are the ones that also conducted the NotPetya ransomware attacks in 2017. Again, if you're sort of keeping tabs on the biggest cybersecurity incidents we've had in the last couple of years, they all tie back to Russia and they all tied back to these specific groups. So very, very interesting there. And by the way, so we did that webinar. You can look at the replay. We cover all this in a lot more detail. Meditology services dot com so you can look it up there. It's free. All of our stuff is free. You're welcome. Hope you're enjoying it. 

Brian Selfridge: [00:44:33] But with that, that's all for the session of The CyberPHIx Healthcare Security Roundup. We hope this has been informative for you. We'd like to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. And that's all for this week. So, so long. And thank you for everything you do to keep our healthcare systems and organizations safe.