The CyberPHIx Roundup: Industry News & Trends, 6/7/21


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Major shifts in cyber liability coverages and protections and results from a recently released U.S. Government Office of Accountability (GAO) report
  • Scripps Health system network outage continues a month after initial cyberattack
  • Russian SolarWinds attackers are back at it with a large spear phishing campaign following a compromise of USAID systems
  • Security firm Rapid7 becomes a victim of a software supply chain breach targeting source code
  • OCR’s latest settlement details and analysis on the resolution agreement with Peachstate Health Management
  • OCR and HHS “wall of shame” aggregate reporting trends for 2021 and analysis of major reported breaches this past month
  • U.S. House Committee on Homeland Security advances five new bills to improve cyber defenses


Brian Selfridge: [00:00:10] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have some great updates to cover this week. Lots going on in the industry. So let's dive into it, shall we?

Brian Selfridge: [00:00:48] All right, I want to get started with what I think is one of the most significant shifts that our industry has seen for some time that began really earlier this year and earlier this month in earnest. And that is around changes in cyber liability protections and coverages that have resulted from the surge in ransomware and other insurance claims this year. Now, I don't want to give away the ending quite up front here, but I will say that these are probably not the most positive developments for health care organizations overall. And let me explain why. And I'll do that by way of a report that was released by the Government Office of Accountability, the federal GAO, it's called, that provided some insights around the adoption of cyber liability insurance that is skyrocketing, up from 26 percent of organizations that bought cyber coverage in 2016, up to 46 percent in 2020.

Brian Selfridge: [00:01:41] So we're almost kind of doubling the number of organizations that have cyber liability insurance. That's a good thing, right? So no problem there yet. But as adoption rises, the prices for cyber liability coverages are also rising rapidly since 2020, even just in the last year or so. The report from the GAO states that higher prices have coincided with increased demand and higher insurance costs from more frequent and severe cyber attacks. No surprise there. And in a recent survey of insurance brokers, more than half of respondents' clients saw prices go up 10 to 30 percent in late 2020, the report says. So we're seeing the adoption rates go up, higher costs for premiums. And at the same time, we're seeing coverage limits are also being reduced so that organizations are being paid out less than before for impacted events. So we've got higher premiums, reduced payouts and a much higher likelihood of incidents, as we've seen with the number and volume of ransomware attacks and others that we've seen this past year and the business model that's really thriving around that for the cyber malicious actors. And all of that is not a particularly good fiscal combination for health care entities.

Brian Selfridge: [00:02:54] Now, apart from the GAO report, I've also spoken with a number of clients who have relayed to me that the application process for cyber insurance has become significantly more onerous than prior years. They say it feels almost like an audit process for some CISOs, just to get approved for the coverage and to be able to have coverage generally. So I have to admit, I'm not tremendously surprised by these developments. I remember when I was a CISO for a health system years ago and the cyber liability coverage had just come out as a thing. This is probably 10 or 12 years ago at this point. And the application that we had was, I won't name the carrier, but it was a one pager. And every year I'd get it renewed and it asked five questions. I don't remember them all, but I remember there was something along the lines of, there's one that said, do you have a network firewall in place? And there's literally a checkbox that was like, yes or no. Yes, I have a network firewall. Do you have security policies? Yes or no? And that was it. And I remember thinking that, you know, cyber insurers and these carriers have a long way to go toward understanding the risk that they're underwriting here for these policies. And we had a strong shop and I wasn't worried about that, but I just had the feeling they didn't really fully understand what they were getting into. And actually, over the years, I've made several forays into speaking with cyber liability providers to help educate and support their processes.

Brian Selfridge: [00:04:16] But I have to say, I was met with a lot of deer in the headlights looks and even kind of outright dismissal by a lot of the carriers over the years. And, you know, I chalk this up to a lack of technical acumen and knowledge around security and risk. I mean, this is complicated stuff. And even for those of us that spend our careers in it, it's still hard to keep up with all this stuff, and a lot of the legacy cyber liability models weren't really built or designed for cyber protection and understanding complexity and risk management ecosystems. So for a long time, I think carriers were just taking policies left and right without truly understanding what they were getting into. And I think that's clearly changed now with the new look at the GAO report, just as an example, but with increased scrutiny for policyholders and increased prices and reduced coverages that we're seeing, I think that's all a result of more awareness and seeing the dollars and cents and claims being issued at a much higher rate than ever before. So I expect that trend to continue.

Brian Selfridge: [00:05:14] I also hope we can get to a place where cyber liability policy costs are reduced substantially for organizations that have implemented strong security programs, almost like the classic good driver discount rate that you get. If you are a good driver, you get a reduced premium cost. I think those discussions are starting to happen. But there is a long way to go until I think policyholders get meaningful cost reduction for their investments in security. And I'll predict that I think a major factor for policy cost reductions, when we get to that level of maturity with the carriers, will be around the acquisition of security certifications like HITRUST and SOC 2, just as a starting point. Then I think it is going to feel more like an audit just to get coverage, as well as to certainly adopt any kind of reduction in premium costs for good driver behavior, or good security program behavior.

Brian Selfridge: [00:06:06] So moving on to breach updates, most of which I'm sure have some cyber liability implications so we can tie the topics together that way. The Scripps Health network is down, or was down and out, in the San Diego area. So Scripps Health is a large health system out of San Diego that has been hobbled by a major cyber attack that caused its Internet facing systems to be offline for several weeks. Different tallies, but about four weeks is what I've seen, including their website and their patient portal, which were taken out even several weeks into the downtime and attacks. Scripps was not particularly forthcoming with the source or nature of the attack.

Brian Selfridge: [00:06:43] I think it was like three weeks in and all they would say is there was a malware event, systems were down, and obviously they were down. Folks couldn't get to their patient portals and things. But about four weeks into the attack, which is fairly recently, Scripps announced that they had begun notifying one hundred and forty seven thousand individuals whose information was compromised during the attack, which this time in the announcement they called a ransomware attack. So, you know, not a huge surprise there. You know, ransomware attacks against health care providers are so commonplace at this point that it's left some of us, I think, in the profession scratching our heads about why the degree of secrecy was employed throughout the events in this particular case. Systems were clearly offline. You had externally facing impacts. You know, not sure why they need to hide the fact that it was a ransomware attack. I don't think there's as much victim blaming as there used to be. As I've said before on this show and elsewhere, I think oftentimes it's the response to the breach that can impact a brand reputation even more so sometimes than the breach itself, you know, especially if it's not handled in a way that builds trust with the community, especially for a health care provider. It remains to be seen how this event and subsequent response will play out for Scripps in particular. But I don't know, the secrecy thing, I'm not sure that always works in their favor in the long run.

Brian Selfridge: [00:06:43] In other breach and attack news, the SolarWinds APT hackers, remember those guys, they are now targeting U.S. organizations with a new spear phishing campaign. So Microsoft discovered a large scale spear phishing campaign being orchestrated by the same Russian based APT group that successfully attacked SolarWinds earlier this year. The attackers used the mass email platform Constant Contact, which is a legitimate email marketing tool and cloud based platform. They used that to issue targeted phishing attacks on over 150 organizations. What makes this attack especially effective is that the attackers took over the Constant Contact account of the U.S. Agency for International Development, or USAID. So the phishing emails appeared to be coming from a legitimate USAID .gov domain. So that's a problem, right? The messages claim Donald Trump has published new documents on election fraud, with messages including a button to click and view the documents. And then down comes the malware, et cetera, et cetera. Pretty classic phishing attack. If you recall, from our prior conversations about the SolarWinds attacks, we noted that the significance of that particular breach event was not so much in its scale, although the scale was massive, right, major government and private sector organizations, but it was that it allowed back doors to be created in hundreds of government and private sector organizations and networks that could serve as the launching point for attacks.

Brian Selfridge: [00:09:32] For many years to come. In a lot of ways, that's why you saw the government talking about basically burning the networks to the ground and starting with fresh rebuilds. And that's what's going on in a lot of agencies, which is not a luxury or a cost that a lot of private sector organizations can take on, that's for sure. But, you know, this attack is absolutely just such an outcome that we had anticipated. Right. There's back doors in now. All of a sudden, the organization gets, you know, USAID gets compromised, Constant Contact gets compromised. Then that access is used for these spear phishing attacks. So I think we can expect that trend to continue to happen. And if you want to learn more about, you know, that particular SolarWinds attack and all the manifestations and even some of the predictions that we've sort of put out there around that, you can go to our resource center, where we have webinars, podcasts, blogs, all on that specific topic. So definitely get caught up if you haven't. This new phishing campaign is being investigated by CISA and the FBI and Constant Contact. The organization has issued a statement confirming that the account credentials of one of its customers were compromised.

Brian Selfridge: [00:10:38] And they're saying this is an isolated incident. They've, you know, temporarily disabled the affected accounts, et cetera, et cetera, working with law enforcement, all the usual stuff. But I would say, rest assured, this is not the last we will hear from this particular Russian APT group, given their history and given the level of access that they've obtained in these series of attacks.

Brian Selfridge: [00:10:59] Speaking of supply chain attacks, the security solutions provider Rapid7 was the victim of a software supply chain breach this month. To sum up, Rapid7 source code was accessed in an April 15 breach where a malicious party gained access to Codecov's Bash Uploader, which is a tool and a script that's used by developers for various development purposes, system development lifecycle stuff. And they modified that script. Basically, I'm just trying to simplify this. And you can read up on all the techie details if that's your thing.

Brian Selfridge: [00:11:35] Now, Rapid7's investigation determined that a subset of their source code repositories for internal tooling for their MDR service was accessed by an authorized party outside of Rapid7. Unauthorized party, it said authorized party, but that's not right. Rapid7 reported that no other corporate systems or production environments were accessed, and according to Rapid7, no authorized changes to these repositories were made. While we can't say for sure what the motives of this particular attack group were, if we think back to the SolarWinds supply-chain attack that we just talked about, this may be a similar attempt to go after source code, looking to potentially deploy malware through a trusted third party software provider.

Brian Selfridge: [00:12:15] In that case, it was SolarWinds, in this case Rapid7. Who's more trusted than your security firm? Right. And that software that's going to come down and those updates could have been a motive. It could have been just directly targeting Rapid7, it's tough to say, but fortunately, they were able to kind of nip this one in the bud, so to speak. But speaking of trust, remember my comment earlier about the transparency in the breach process? I think this is a good example of transparency for Rapid7 to come clean on the breach, you know, fairly shortly after it happened and be clear about the boundaries and extent of the attack. All this while you're still going through an incident response and investigation process and sharing that intel as it becomes available. From the looks of it, it seems like Rapid7 handled this response pretty well, in my view, and hopefully maintained trust with its customer base in the process. So I'm not just sticking up for security firms as a security firm. But I just think there's a theme there that says Rapid7, you know, and other software firms in the supply chain really need to double down on their diligence of use of external code repositories for obtaining things like code libraries and, you know, make sure they aren't unwittingly bringing in malware in the process.

Brian Selfridge: [00:13:30] And the bad guys are getting very clever with their code modifications. And we, I think, need to get our system development lifecycle processes, SDLC processes, to be, if not equally as clever, at least put the checks and balances in place to catch the misuse and breach of source code like we saw with SolarWinds, like we saw with Rapid7, and which I expect we'll see with many organizations going forward. Moving on from breaches.

Brian Selfridge: [00:13:53] Let's talk about enforcement. Everybody's favorite topic, OCR enforcement. So there was a settlement recently for a lapse in business associate due diligence assessment. So this one's got a little bit of some twists and turns. So I'll try to lay it out there as best I can for you. So OCR entered into a resolution agreement in late April with Peachstate Health Management LLC, doing business as AEON Clinical Laboratories, or Peachstate, in which Peachstate agreed to pay twenty five grand to settle allegations of non-compliance with the rules. Now I'm less worried about the twenty five grand part, but this is an interesting case, I think, for several reasons.

Brian Selfridge: [00:14:32] So you kind of have to follow the cyber breadcrumbs here on this one to see how the breach occurred. So the original breach was reported by the Veterans Health Administration, U.S. VHA, and upon further investigation, the breach arose from a platform managed by a third party business associate organization named AuthentiDate. And that business associate AuthentiDate had acquired another entity called Peachstate back in 2016. So again, follow the trail. So, the VHA, their patient data was breached using this AuthentiDate, the AuthentiDate company who had acquired Peachstate. So OCR investigated Peachstate, sort of the, I guess, fourth party at this point, and found compliance to be lacking with the HIPAA Security Rule around risk analysis and risk management, all the usual stuff. So my takeaways from this one are twofold. One: covered entities need to continue to make investments in third party risk management. Right. We've got to update our business associate inventories, conduct due diligence assessments for both, you know, risk assessment perspectives, but also for basic HIPAA compliance purposes. Are those third party vendors doing risk analysis? Now, I know that OCR is going to go to the third party as they did in this case. But, you know, if you've got some third party that isn't even going through the basic motions of HIPAA compliance, there's certainly some risk exposure and potentially some compliance exposure there.

Brian Selfridge: [00:15:58] That's point number one. Point number two, in terms of takeaways: I think we're in a wild period of mergers, acquisitions, affiliations over the last couple of years, and you've got to make sure to conduct those risk assessments of acquired or merged entities during the transaction process or shortly thereafter. And certainly, at the least, you know, our folks here at Meditology, we've been doing a lot of these assessments, due diligence assessments, for the last few years to get with these acquired entities or merging entities and really shed some light on the security posture because, you know, we all know there's no security program that's perfect. So getting to a place where we can quantify that and understand what type of risk you're taking on in a transaction can be really critical. So we need more of that for sure. On OCR reporting, generally, there was just a look back on the wall of shame and the volume of breaches that we've seen this year. And in particular, the breach tally jumped from one hundred and five hundred fifty nine breaches year to date as of April to two hundred and fifty one total breaches year to date as of May. So that's in a month, you know, about a hundred more breaches added, and 70 percent of those breaches were categorized as hacking. So we'll see that trend continue, of course. And of those two hundred fifty one breaches, about 100 of those were business associates serving the health care industry.

Brian Selfridge: [00:17:21] Right. So very common themes that we just went through with a couple of case studies earlier in this update here, we're seeing play out in the aggregate numbers of breaches being reported to OCR and HHS. And one of the largest reported breaches this year is from CaptureRx, a third party business associate based in San Antonio, Texas. The breach of CaptureRx impacted nearly one point seven million individuals, and CaptureRx has not made any public comments about the nature of the attack. So see my prior comments on transparency to get a sense of my thoughts on that whole secrecy approach. We'll see how that goes for them. But that's one that's starting to create some ripples in the community. Another large reported breach was Rehoboth McKinley Christian Health Care Services in New Mexico, which impacted two hundred and seven thousand individuals as part of a ransomware attack by the Conti ransomware group. So plenty of reportable breach events, plenty of public discussion around these. And we'll keep you posted on all of that as it plays out.

Brian Selfridge: [00:18:20] So one final update for you, and I'll keep this one quick so we can maybe dive into this later as this pans out. But the U.S. has advanced five bills to improve cyber defenses. So here come the cyber laws. Right? All of these breaches, all this enforcement activity, here come more laws. So in the wake of the SolarWinds supply chain attack, the ransomware attack on the Colonial Pipeline, those are really some catalyst events. We saw President Biden's cybersecurity executive orders, but now the US House Committee on Homeland Security has cleared the following five bills. I'll tell you what they are. First one is the Pipeline Security Act. Second is the State and Local Cybersecurity Improvement Act. Third is the Cybersecurity Vulnerability Remediation Act. The fourth is the CISA Cyber Exercise Act. And the last one is the Domains Critical to Homeland Security Act. And there's really a bit too much in each of these to cover in detail today. But you can read the bills online, or we can reach out to get them to you. But they largely target the government sector with intervention around things like vulnerability management, incident response, and really a lot of the other traditional security domains. So this is all part of that update of getting the US infrastructure and critical organizations up to speed on the security front. We've got a lot of catching up to do. If you haven't listened to it, we did our last CyberPHIx episode on a full rundown of President Biden's cybersecurity executive order, so you can really understand where those trends are going in detail. So check that out if you can.