The CyberPHIx Roundup: Industry News & Trends, 6/24/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Arrest of a hacker charged with UPMC health system hack in 2014; discussion of attacker motives, methods of sale of healthcare data, and “bad guy business drivers” in healthcare
  • Medical device and IoT alerts from Homeland Security, including vulnerabilities in devices from six prominent manufacturers and the “Ripple20” vulnerabilities affecting millions of IoT and IoMT devices
  • Healthcare organization adaptations to the “new normal”; an analysis of post-COVID business models and technologies that are causing security and risk teams to adjust their approaches. Trends covered include communication with remote workforce, collaboration tools, telehealth technology, incident response, and more

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders at or on your favorite podcast hosting platform. Just search for CyberPHIx. So let's dive into this week's update.

Brian Selfridge: [00:00:36] I've got three major themes to cover with you today. I want to start with a question that I've gotten many, many times over the years from colleagues, clients, board members, executives, looking to understand: why would bad guys attack a hospital? Why would they attack health systems? What are their motives? What are they in it for? What are they out for? So I want to take a case of a news item this week where a hacker was just arrested for an attack in 2014 against a major health system in the US, so we can try to get a sense of sort of what this person was up to, how they gained from it, what was the approach. Now it is not going to represent all attackers and motives. But I think this highlights some of the common themes that we see from some of the bad guys out there. So the attack was against the University of Pittsburgh Medical Center, UPMC, a large health system in western Pennsylvania, which operates over 40 hospitals.

Brian Selfridge: [00:01:27] And in January of 2014, UPMC discovered that an H.R. server, a human resources server, had been hacked, and it contained over 65,000 employee records, including their name, Social Security number, salary and tax info, and all kinds of goodies that you usually find in these H.R. databases. When you do things like penetration tests, like we do at health systems, it is pretty common to find this stuff floating around. So the information was hacked and made available for sale on the darknet, including a global market called Alpha Bay Markets. The suspect arrested is Justin Shawn Johnson, a 29 year old man from Michigan who previously worked as an I.T. specialist at FEMA, the Federal Emergency Management Agency. So he's 29 now. I guess he was 23 or so at the time of the attack. So hundreds of fraudulent tax returns were filed in the name of UPMC employees, which prosecutors said resulted in around 1.7 million dollars in false refunds being issued. So tax fraud, a very, very common use case for stealing PII, personally identifiable information. And those funds, those refunds, were then converted into Amazon gift cards, which were used to obtain around 885,000 dollars in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.

Brian Selfridge: [00:02:47] Now, if you want to know, ok, so where did the money go? Why Venezuela? How did that chain all happen? Well, they also made an arrest, or indicted, in 2017, a Venezuelan national, who pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns. And then a Cuban national pleaded guilty to money laundering and aggravated identity theft in 2017. So these folks were both sentenced to time served and deported and all kinds of bad things. So what's the takeaway here? Look, it's always about, when you get into attacks, the bad guys and fraud and the like, it's about following the money, if you've ever been involved in these kinds of investigations. Healthcare data, including H.R. information in this case, but also other patient-facing information, is worth big, big bucks on the black market. This could be used for tax fraud, like we saw here; it can be used for health insurance fraud, to be able to get false coverage, or being able to file claims fraud, which is very, very big business in the black market. Medical and prescription drug access and sale through channels, and access to information of individuals that have legitimate access to that, and then reselling. And then there's traditional identity theft. There's just a ton of ways to monetize this stuff. And as you can see, the black market has a healthy market for it. And in this case, this was chased to ground and caught, and some folks were held accountable. I wish that was the normal, but unfortunately, that's not usually the case. You see the number of breaches that we run into, a lot of folks making off with a lot of fraudulent money as a result of these attacks. So why did they attack us? It's all about the money. Got to follow it.

Brian Selfridge: [00:04:36] All right, our second major theme in our update today is around some pretty decent-sized medical device and I.O.T. security vulnerabilities in the news this week. The first one was related to a Department of Homeland Security cybersecurity infrastructure alert for vulnerabilities found in six medical devices. Some of these flaws could enable a hacker to launch denial of service attacks or alter system configurations, steal data, compromise information; all the usual bad things can happen. And, of course, you know, whenever we're talking about medical devices, we're worried about patient safety first. So any kind of denial of service or any kind of inoperability of the machine is a huge problem. In addition to the regulatory stuff of losing patient information, for all the reasons we just talked about, for bad guys to resell that and the rest. In this case, the six different medical devices, different models, there was a laundry list of the specific vulnerabilities. But most of them had to do with clear text transmission of sensitive data, so unencrypted data in transit, and then hardcoded passwords and improper authentication are a big, heavy side for that, right.

Brian Selfridge: [00:05:44] This is a common issue. We've seen medical devices for years and years and years with hard coded passwords, a very, very common issue, still pervasive, still causing issues. The second medical device and IoT update this week was related to a series of 19 vulnerabilities that they're calling the Ripple20 vulnerabilities. And they're related to 19 vulnerabilities around the TCP/IP communication stack. And I know I'm just losing some of you by even going into that detail, but basically the way that these devices communicate back to the servers that they need to transmit their information to, to take care of patients, and get back into the electronic health record and all the other things that these things do, the way that communication happens is insecure and unencrypted and able to be intercepted and manipulated.

Brian Selfridge: [00:06:29] So the DHS recommends, Homeland Security, says right now we're investigating who has fixes for this. Their list was no update for most of the manufacturers listed. So essentially, you're kind of on your own, like always, in medical device security. And they said, well, we recommend you run medical devices over VPN, virtual private networks, which I think for many of us in the field: thanks, but no thanks to that guidance. That becomes very impractical to implement in large scale environments while maintaining patient safety and other things. So we're sort of back to square one. So I'll lay out just some thoughts, very briefly, around medical devices. I always try to figure out, well, how do we deal with this? Every week there's more stuff. If you don't have a medical device security strategy or strategic plan in 2020, you need one. It's got to incorporate things like your governance and communication model across vendors, biomed, I.T. security, all the different stakeholders in the mix. You've got to have a playbook for device patching and how you interface with those different stakeholders to accomplish that. You need some sort of network isolation and protection scheme to keep the devices that are vulnerable segmented from the rest of the environment. You need an access control program, especially around these default passwords and hard coded passwords, and making sure you have the ability to change those where you can, and for the ones that you can't, you can apply some real controls. You need asset inventory. You need virus and malware protection rules. You need third party vendor risk and device assessment models. You need to train the team. There's a bunch that needs to happen. It usually requires a multi-year roadmap. If you haven't started down this path and are just waiting for the manufacturers to figure out their game plan, good luck. I'll leave it at that for now.

Brian Selfridge: [00:08:09] All right. The last update for this week is around some of the adjustments happening to security programs in the post-COVID, during-COVID model. But basically the new normal that we are living in and can anticipate to continue beyond the COVID isolation. We're seeing many organizations recognizing the benefits of remote work and employees wanting to increase their flexibility of working remotely as well as in the office. And some of the different tools that have been utilized have changed. So I want to run down some of the conversations we've had with our clients over this past week around some of these trends that we're seeing, and how the new normal will change, and what the impact on security teams is. So let me run through this quickly for you.

Brian Selfridge: [00:08:53] First and foremost is around communication models. There's a definite sense that there is an email fatigue that's been going on for years, but I think coming to a head during this situation where everybody's just sort of hunkered down and trying to just keep up with the volume of emails, versus all the in-person conversations you usually have - a lot of this is transitioning to e-mail. So we're seeing a lot more creative and useful communication models, things like virtual town halls for teams to get together, to be able to have a video way to share information. But also have some of the chat functions in those town halls and those video conferencing communication tools like Microsoft Teams, BlueJeans, there's several others that have a chat capability, as well as the ability to have different groups or sub teams work in an isolated environment on a specific project or set of projects or area, without having to use email as the blast out mechanism. So we're seeing a lot of adoption of these tools that will cut down on e-mail use and increase the ability for teams and groups to communicate. We've seen organizations using chatbots and apps to communicate with the workforce in a way that's a little bit more interactive. We've seen large communications going out from the enterprise at the corporate level - here's what's going on with COVID, the latest updates - and information security and privacy compliance teams are sort of embedding themselves in that massive update and saying here's some information security things you need to know, or here's what's happening, here are the attacks that are changing. So sort of piggybacking on those large communications can help you get the message out without having to create your own yet another e-mail blast or other way to get out to the marketplace.

Brian Selfridge: [00:10:39] There's also some COVID specific web pages being stood up, sort of allowing individuals to pull information versus just trying to blast out to them all the time. So a combination of communication methods there. We're also seeing remote work becoming the standard for many roles, including I.T. security roles, administrative functions, and employees just wanting to work remotely on a more permanent, consistent basis. So this is going to have impact on office space needs, and on the different security controls we need to have in place for the remote workforce that may have been sort of stood up or accepted as security exceptions during this period, but eventually you've got to tune that to be a little bit more sustainable for the long term.

Brian Selfridge: [00:11:19] We're also seeing a lot of issues managing the workforce remotely. So essentially, I'm going to use the terms good managers and bad managers for the sake of simplicity. But a lot of sort of ineffective managers that haven't had a good sense of accountability or oversight of their teams to begin with are struggling with remote access, because now they can't see the people and they don't know what they're doing and they haven't been tracking their outcomes. Whereas good managers, folks that really have tight accountability models and tracking, are actually doing better in some ways in this model, because everything really is funneling in through consistent communication channels and the like. So definitely part of the new normal is figuring out how to manage remote teams, and those that are good at it hopefully can help the ones that aren't so good at it.

Brian Selfridge: [00:12:02] And we'll also mention two more quick items. Telehealth is shifting. We're seeing the genie is out of the bottle a bit with the success of some of these commercial videoconferencing tools to support telehealth; things like Zoom, FaceTime, and other applications that have been allowed as exceptions by HHS and OCR are now really getting support from the clinicians as well as the patients. This is just a much, much easier way to conduct remote healthcare and telehealth, versus some of the proprietary apps that weren't as functionality friendly. So I think that that's going to be unlikely to change. I think we're seeing a lot of these video conferencing platforms start to just gear themselves to be a little bit more security friendly, compliance friendly, HIPAA friendly and those types of things so that we can continue to use them. I think that trend will continue. I think it's unlikely that we'll go back to some of the clunky tools that were out there. And the last point I'll mention is around incident response for remote workers. Organizations with an increasingly remote workforce are trying to figure out how to update their incident response playbooks to deal with what happens when we have a workstation infected with malware, somebody at home, or multiple all over the place. How do we get out? How do we get those devices back? How do we get clean devices to people without them getting infected? How do we support remotely? How do we get communication to individuals that don't have a computer, that might be locked up with ransomware, yada, yada, yada? You get the idea. Your brain can start spinning on that. But look at incident response procedures, and make sure that we've got an adjusted playbook for a large remote workforce, at a scale that might be different from what many organizations have dealt with previously.

Brian Selfridge: [00:13:43] So with that, we'll wrap up our session for now. As always, there's more we can cover, as there's lots of stuff going on with privacy of COVID patient tracing apps and all kinds of stuff. So we'll keep you posted on that as we go. But that's it for our session of The CyberPHIx Healthcare Security Roundup for this week. We hope this has been informative for you and would love to hear from you if you want to talk about any of this or just have any questions or comments or things you want to have covered. You can reach out to us at [email protected]. So long, and thanks for everything you do to keep our healthcare systems and organizations safe, and we'll see you next time.