The CyberPHIx Roundup: Industry News & Trends, 6/11/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Cloud-based attacks are ramping up; details on specific attacks and alerts for Office365, AWS, Azure, telehealth, and the impacts to compliance, clinical operations, and patient safety
  • Recent leading practices for healthcare cloud security protections including inventories, cloud assessments and pen tests, third party risk oversight, cloud strategy plans, and more
  • New Washington DC breach law impacting any organizations with resident data; reporting requirements, identity protection mandates, and third-party contractual requirements
  • Medical device, telehealth, and other large-scale procurement during COVID that requires security assessment and oversight
  • Latest attack trends for ransomware data auctions, phishing attacks targeting VPNs, and more

TRANSCRIPT:

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare, security, privacy and compliance leaders at meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx.

Brian Selfridge: [00:00:33] All right, let's dive into this week's update. The first topic that I want to talk through is a series of trends that are going on through cloud-based attacks and protection mechanisms over the last, I want to say, couple of weeks, but it's really within the last couple of months, where we see the attacks against cloud hosted platforms related to a lot of the COVID-19 time period are just ramping up through the roof. So a recent McAfee report showed a 630 percent increase in cloud attacks in the first four months of 2020.

Brian Selfridge: [00:01:04] Now, as our organizations and our health systems move from a lot of sort of traditionally delivered in-house healthcare provider capabilities into telehealth, into Office 365, and other remote workforce capabilities, the attackers are jumping on it, realizing that the footprint's out there and that organizations are moving really quickly in that direction. So we're seeing federal alerts advising of targeted attacks from Russia, China, Iran, other sources. And that rapid adoption of telehealth and Office 365 and others is creating targets on the platforms underneath those like AWS, Azure and others. And even before COVID, healthcare had been shifting solutions to cloud hosted and third-party platforms in ways. It's not like this is purely related to COVID, but we certainly are moving faster toward that direction than we were before. We have accelerated things, and the attackers are just seizing right on it.

Brian Selfridge: [00:01:59] So what's our take away from this? I think the future of healthcare delivery in many ways, and the current state even, is through cloud hosted platforms and third-party hosted platforms. So security breaches are going to move from being a compliance and security kind of focus, which has been a big part of the discussion over the last decade or so, is don't lose PHI, I don't want to run into HIPAA security and OCR issues, which of course is still the case. But now we're seeing a lot of these critical systems, electronic health records, telehealth, other clinical and operational platforms are now cloud hosted. And those attacks are going to have a much more substantive impact on the business and the potential impact to patient safety in addition to compliance issues. And I think that's going to be the reality of the next decade, wherever you want to draw the line. I think healthcare security programs are going to be more about cloud hosted systems and platforms than they are about internally hosted. So some recommendations, if you're not already headed in this direction. Definitely get an inventory together and prioritize cloud hosted platforms. So you understand what you have out there, understand which of them are compliance focused priorities, might be having a lot of PHI going to data analytics or something like that. Which ones might be more clinically focused or business critical, things like healthcare operations, telehealth, electronic health records, billing, everything else, but getting a handle on which are the most critical. Doing some prioritization, making sure you have clarity on the inventory. Doing some degree of targeted security assessments. We're seeing a lot of organizations over the last month or two just uptick on their targeted security assessments of Office 365, AWS, Azure, the telehealth platforms that they're rolling out at lightning speed and for lots of good reasons. But the security is sort of becoming an afterthought. So making sure that you get out in front of those. Doing some targeted assessments. A lot of organizations started to add pen tests as well to the cloud environments. Sort of getting that comfort level that there aren't necessarily any material exposures out there to the deployments of those newly released and rolled-out platforms.

Brian Selfridge: [00:04:09] We see a ramp up of third-party risk programs focused on cloud hosted environments. Of course, third-party risk is its own animal and needs its own prioritization and efforts. But the extent that you do have a third-party risk function, making sure that you're prioritizing those same cloud systems we're talking about, according with the inventory that you've created. And also pushing and requiring either third-parties or your own organization, depending on where you are, to push for third-party security certifications like SOC 2, HITRUST, just to get that third-party validation. The risks are just becoming too great to the business, not just compliance but operational, to not have that third-party assurance and level of comfort that the basics are being addressed. So if you haven't developed a cloud specific security strategy, arguably you may be a little bit behind the game at the moment, but we're seeing a lot of organizations in the last couple of months starting to figure out that we really need to get a handle on this and have a focused effort, so something to look at there. We're gonna continue to monitor this and we'll keep you posted on how it evolves.

Brian Selfridge: [00:05:16] The second major topic, we'll switch to some of the more regulatory enforcement and breach type notification type stuff. There was a new regulation put out effective May 19, 2020 from the Washington, D.C. attorney general, requiring that any breaches of D.C. residents, more than 50 residents specifically, must be reported to the attorney general's office out of Washington, D.C., in addition to the OCR and HHS in the Wall of Shame reporting and everything else that we already know well about. There's also a requirement to provide 18 months of identity protection services for those affected individuals. And then they said in cases where the entity works with third-party service providers, they must enter into a service agreement with a covered entity confirming that they, too, will implement reasonable safeguards to ensure confidentiality, integrity, and availability of personally identifiable information provided to them. So we have not only the requirements for notification, we have identity protection, you have to provide us contractual agreements. So if you have the potential at all to be having patients in your purview that are D.C. residents, suspect that it's probably pretty likely for a lot of folks even if you're not immediately in the D.C. area, to take a look at that regulation, do some deep diving, you can reach out to me and I'll tell you some more about it if you want. Oh, also, there's an encryption safe harbor, similar to some other regulations, where if data is encrypted and it's not believed or reasonably understood that that data can be decrypted by the attackers, then you don't have to report in that case. However, just a reminder that ransomware is one of the predominant sort of breach notification requirements at all levels these days. And the assumption is that the attackers have the keys, of course, because they told you they have the keys, and they're trying to sell them back to you. So something to pay attention to there.

Brian Selfridge: [00:07:11] The last area is just some hodgepodge of updates on the security news front. Ransomware actors are now auctioning PHI to the highest bidder. So in the case that they're not getting paid, or maybe they are getting paid also by the entities who are the victims of the ransomware attacks, are now also taking that data and offering it up to the highest bidder through auctioning functionality. Just another flavor of the bad guys monetizing the data from these unfortunately rather successful ransomware attacks that are continuing to plague healthcare. And the ransomware attackers, there's one group that came out that's been reported to come out as now targeting healthcare specifically, even though some ransomware attackers have claimed they're going to hold off on healthcare. They're also attacking as well. There's no known honor among thieves in this situation, so don't expect there to be. We're also seeing a lot of phishing attacks, including fake VPN logins and other sort of remote worker COVID style attacks, themes of the phishing attacks that are getting a lot of coverage and traction. So keep an eye out for those. Make sure your education, awareness and training is really up to snuff. And understanding the latest flavors of the attacks. And that always shifts. But right now, it's very COVID, VPN, Office 365 specific attacks on the phishing side, and otherwise they're just the flavor of the month. So make sure that we're keeping an eye on those.

Brian Selfridge: [00:08:35] We've also seen an uptick in medical device acquisition. So if you work for a healthcare provider and you're dealing with COVID response, that's creating a lot of situations where organizations are buying large volumes of patient monitors and other systems, in addition to obviously the clinical stuff like the ventilators and other stuff like that. But there's also a lot of medical equipment that's being purchased very quickly to deal with the situation as it evolves. So security teams need to make sure they're in the loop on that. By no means holding up that process. Patient care first, let's get the equipment in. Let's get it working. But there is this sort of limited window in the purchasing cycle and the contracting cycle to have leverage to make sure that the security assessments are being done and the contracts and the requirements are being put in place for security SLAs and those types of things. So just a recommendation for security teams to be making sure you're prioritizing these sort of recent purchases around medical devices or around telehealth platforms, for example, or other things that are being very quickly stood up and put in place. Office 365 is another one to be rolled out more broadly than before. Make sure you're prioritizing those assessments, getting help where you need to, getting the leverage to get remediation in place concurrently, with obviously deploying those systems quickly and effectively to run the business during COVID and during the pandemic and otherwise.

Brian Selfridge: [00:09:58] And just in terms of other updates, that's all I'll leave you with now. There's a lot of still moving pieces, if you've checked out our updates over the last couple of months. Two weeks ago, two weeks before that, we talked about COVID tracing apps and privacy issues that are coming up and regulations that have been evolving around that. Those conversations are continuing. The regulations are evolving. So stay tapped into that. There's also continued attacks on research organizations, anybody doing COVID research is in the crosshairs from international attackers trying to get the intellectual property there, as you might expect. So keep an eye on those. A lot of moving pieces, but I promise to keep this short for you also. We'll leave it there.

Brian Selfridge: [00:10:36] And that's all for this edition of the CyberPHIx Healthcare Security Roundup. I hope this is informative for you, and we hope that we can hear from you, if you have any topics that you want to talk about or if you want to follow up on any of this. Reach out to us at [email protected]. So long, and thank you for everything you do to keep our healthcare systems and organizations safe. And we'll talk to you next time.