The CyberPHIx Roundup: Industry News & Trends, 5/5/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Privacy, security, and HIPAA considerations for COVID-19 patient tracing and tracking apps from Google, Apple, and Microsoft
  • Discussion of “immunity passports” and privacy repercussions
  • Attack and breach trends for healthcare entities including themes for phishing, malware, and ransomware and foreign government malicious activity
  • Office 365, Zoom, and Webex attacks and security configuration recommendations for remote access “rushed deployments”

Brian Selfridge: [00:00:07] Good day and welcome to the CyberPHIx healthcare security roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy compliance leaders at Meditology Services or on your favorite podcast hosting platform. Just search for CyberPHIx. CYBERPHIX. So let's dive into this week's episode.

Brian Selfridge: [00:00:35] We're seeing a major influx of activity into the creation of apps for tracking COVID contact and COVID spread. So we have Apple, Google, and Microsoft in particular, and a host of other technology firms, rushing out to innovate and create some of these COVID tracking apps. And that is raising some privacy alarms for folks just watching the appropriateness and boundaries around tracking, not only the COVID patient-related activity but also just tracking individuals' whereabouts in general from a privacy perspective. So the idea with these initial apps is that data would be pulled from Bluetooth connectivity to alert to the proximity of potential exposures to other individuals or locations that have tested positive. Now, this is creating some concerns, as you might imagine, on tracking the health status and the aggregate scale of individuals. So what are some measures that the Apples and Googles and Microsofts are taking? Well, and we can decide if these are enough. They're doing things like, well, we will promise to delete the data after the pandemic is over. That is, they're going to put some session time out type technology in that says, we're not going to keep the duration of how long you were in contact with other people, more than a half hour or so. You'll just be able to track that there was a contact, but not necessarily how long you stayed near others and specific individuals.

Brian Selfridge: [00:01:58] There is an opt-in requirement being floated that you have to choose to participate. And then if you are diagnosed, those patients must give consent to expose what they call their diagnosis keys, which is a really scary thing. I think pre-Corona, the idea that we'd have publicly available diagnosis keys that would be shared through Bluetooth ubiquitously would be pretty, pretty wild, but desperate times, desperate measures, I suppose. Now, some people polled, when asked about these apps, said that they would be more likely to trust the apps if they were managed by public health officials versus big tech firms.

Brian Selfridge: [00:02:40] I think big tech firms are having a struggling reputation around the ability to protect patient privacy, especially if there are financial incentives otherwise, sort of pulling them in the other direction. So you have your Facebooks and others, to name a few, that have high profile privacy issues, to say the least. Now, separate from the app development itself, there are also discussions underway proposing immunity passports to help prove that you have immunity and be able to open up businesses. So individuals with that sort of a passport can be allowed to enter or exit or go in closer proximity than others that perhaps haven't been granted a passport. There's a lot of logistical challenges with that, as you might imagine. Some equity challenges in who can get a passport and who gets tested and who comes in, and a lot of all of those types of questions. But I'm sort of chuckling. I wonder if this is like, if we're going to need immunity bouncers and there will be immunity fake I.D.s coming up. I used to work in a bar as a bartender and checking I.D.s at the door as a doorman for a number of years and that type of thing. I think my sense is, if there are 20-somethings out there with the ability to go out to a bar and all they need is a passport and their I.D., I think if they can get a new passport, it's probably pretty unlikely. But we'll see. Not to be joked about, we've got to do something. And these are all really interesting ideas. And I think, you know, weighing up the privacy and security aspects relative to them versus the public health benefits, so a very healthy debate.

Brian Selfridge: [00:04:14] Now, some have noted in some of these discussions that your apps and your phones and everything are already tracking you. You have Facebook, you have other apps, you have Apple that already knows where you are and what you're doing, as you sort of opted in or were allowed to consent by downloading the apps to be able to be tracked in a lot of ways that individuals don't necessarily realize. And so, therefore, the argument was being made, well, maybe you might as well just allow it to keep tracking you and then use it for some useful purpose, like containing COVID. I personally struggle with that mentality and that sort of line of thinking. That's kind of like saying, well, we've had so many data breaches that we might as well just leave all of our sensitive information in the public on the Internet because, you know, it's going to get out there anyway and get breached. And I think that's a defeatist kind of approach to security and privacy. But it's a perspective that's out there. So I throw it to you to ponder on as well.

Brian Selfridge: [00:05:10] So what does this mean for, you know, healthcare security and compliance folks? You know, it's important to note that HIPAA enforcement does not include public health use cases like this, or use cases where patients are providing their information to a privately sourced app that's not part of the health system, not a covered entity. And so if individuals choose to share their information today, even given Corona, they can do that. And HIPAA is largely inapplicable. So this isn't necessarily a regulatory discussion. There's also a lot of HIPAA enforcement caveats being put out over things like telehealth and other stuff recently. So I don't think enforcement and HIPAA is, you know, the angle here at the moment to be focused on. However, there are security things to pay attention to. So if we do go forward with one or more of these centralized apps from Apple, Google, Microsoft or whomever, there is the potential those will become targets for hacking, as you might expect. And, you know, there will be a need to make sure that we're designing security upfront with these rollouts, which historically, for rushed-to-market innovations, security is often sort of left as that last key requirement that just wasn't met in time. And, you know, we have to get out to beat Apple or Google or Microsoft to market, whomever our competitor is. And security is sometimes an afterthought, at least in the degree of robustness that it needs to be, to prevent or mitigate some targeted attacking if that were the case.
But whatever we take, you know, we need to make sure we have some sort of audited process to make sure that the data that's collected related to these emergency measures in these apps, when we have all this public willpower to share information for lots of appropriate reasons potentially, but making sure that we get back to deleting it at some point. I think the industry has a horrendous track record of deleting anything ever, with storage costs going down.

Brian Selfridge: [00:07:04] Apps have been collecting data not only for the near-term usage, but also in the hope or desire that that information will become monetized later in some other way. And so there's a lot of cloud apps and applications and cloud storage, everything else, that is keeping data indefinitely. And so I think we've got bigger fish to fry on the aggregate with that trend. But certainly with anything related to COVID diagnoses, anything health related, we want to make sure we have a plan to remove that data at some point or have guardrails around it. So you're welcome to continue to debate around that. But at least that'll catch you up, hopefully, with some of the discussion that's happening this week.

Brian Selfridge: [00:07:44] I'm going to switch gears to our second major topic here, second and final major topic, which is around some of the recent attacks and breaches that we're seeing in the last few weeks. As you might expect, there's a lot of targeted attacks focusing on the healthcare industry and further focusing on COVID-19, Coronavirus themes. So some of the themes that we're seeing are attacks with fake World Health Organization, WHO, links, fake charity solicitations. There's a lot of offering of free fast food takeout coupons to help with, you know, staying at home and having to get food ordered in. HHS, the Department of Health and Human Services, has been targeted. We, of course, have seen a spate of ransomware attacks and that has been continuous. But now we know that healthcare organizations are getting specifically targeted, given that they're in a relatively vulnerable state. On the phishing side, a lot of phishing attacks. We've seen Microsoft Teams, which is the video conferencing technology, spoof emails targeting particularly Office 365 access. So the bad guys are sending fake Microsoft Teams links, like, hey, you missed the meeting or starting one up here, spoofing it to look like it comes from a legitimate source or a colleague. Click here, and then you click here and it says, oh, you know, you've got to log in to Office 365 again to get access to Teams. And that's the spoof. And that's the phish. And there go the credentials. So targeting a lot of remote workers that maybe haven't been using Office 365 that much, they are historically on desktop jobs, those types of things. Similar attacks for WebEx and Zoom. For WebEx, we're seeing attacks around critical WebEx updates that need to go out, like hey, you're going to use WebEx, you've got to click this update. Dishes now wear down to you. And that similar type thing. Zoom as well.

Brian Selfridge: [00:09:36] In fact, US-CERT, the federal government, issued a formal alert this week around Microsoft Office 365, particularly focusing on what they're calling rushed deployments of Office 365 that haven't been properly configured for security. So we'll talk some more about that in a moment on some recommendations on how to deal with that. But there has been a big uptick in that, a formal notification from the government. And we saw Google reported this week at least a dozen foreign government backed hacking groups are targeting healthcare. So they went into some reports on that, some in South America, some elsewhere. So the bad guys, particularly the bad guys with money, are putting efforts into targeting healthcare around these different areas. So in terms of some of the breaches that we've seen this week, there's a handful. We saw Aurora Medical Center had a phishing attack. 27,000 patients this week, they had to notify those patients accordingly. University of Pittsburgh Medical Center, UPMC Altoona, had a breach and notified 14,000 patients, following a physician's account that was phished and attacked and gained access to potentially that many patient records. We had Parkview Medical Center in Colorado as the victim of a ransomware attack, where staff has all switched to pen and paper until the situation can be resolved. That's the quote. "We're on pen and paper." For those in the provider setting, I can't imagine what that's like in the middle of Coronavirus, having to move to pen and paper for a variety of reasons. And then the last one I'll mention is there was a genetic testing lab, Ambry Genetics in California, that was the victim of an e-mail breach and notified 232,000 patients that their information was exposed. So these secondary uses of PHI for genetic testing, research, other purposes, and large volumes of information. So there we are, 232,000 records out there.

Brian Selfridge: [00:11:35] And that's all just this week. I think we saw the stats that I had for a presentation I did earlier, with some 42 million records released last year in breaches. So we are busy with breach exposures and unlikely to see a downturn in that any time soon. So some recommendations for, you know, security compliance leaders. Certainly want to double down on training and awareness for phishing attacks, including spear phishing, testing for executives, you want to hint your general population on some of the themes that we talked about, Office 365, Zoom, WebEx. Make sure everybody's aware of the remote access risks. Watch for external communications inbound referencing Zoom, Office 365, or Teams from unapproved sources. So, you know, if you can filter out that half of those are coming from Microsoft or legit sources, maybe whitelist those and try to do some blocking on the other references to those platforms. And then I mentioned Office 365 recommendations specifically. So I'll just close with thoughts around that. Couple of things to take care of right away, if you don't have them in place and you did rush out Office 365 for remote access use cases. Make sure to get two-factor, multifactor, authentication in place right away. That's probably the most important thing you can do, if you do nothing else. Look to assign administrator access through RBAC, role-based access capabilities within Office 365. Make sure you enable the logging and alerting functionality, capabilities for suspicious activity. Make sure somebody is reviewing those, and you roll those into your incident response programs. Take a look at the Microsoft security scorecard tool that comes with Office 365. It'll tell you if you have the recommended configurations in place or not. And then just a final sort of plug. We've got a whole team of people that do this work around cloud security, Office 365 assessments and configurations, and can help you tighten that up.
So if you want to talk to our folks, we'd be glad to sit down with you and take a look. Reach out to us if we can help you with any of that any time.

Brian Selfridge: [00:13:37] So we'll leave it there to keep things brief this week. And that's all for our episode of The CyberPHIx healthcare security roundup. We hope this information has been informative to you, and we would love to hear from you. If you want to talk about this or have any questions, just reach out to us at [email protected]. So long. And thanks for everything you do to keep our healthcare systems and organizations safe. Make sure to stay safe and healthy yourself the best you can. Thanks so much, everybody.