The CyberPHIx Roundup: Industry News & Trends, 7/21/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • The new DHS CIO speaks out on plans for supply chain risk management
  • PracticeFirst healthcare vendor breach impacting 1.2 million individuals
  • U.S. government launches one-stop shop for ransomware guidance (StopRansomware.gov)
  • CISA publishes cybersecurity guidance for managed services providers in the wake of the Kaseya breach
  • Former NSA director’s preview of HIMSS21 presentation on ransomware and cyber risks
  • China formally accused by the EU, UK, US, and others of attacks against Microsoft Exchange
  • New SolarWinds zero-day exploit being used by attackers (second SolarWinds incident)
  • Urgent security warning for SonicWall supply chain solution and patching details
  • HITRUST announces the timing for release of HITRUST CSF version 10
  • Class action lawsuit updates against a PACS vendor, Kroger pharmacy, and Blackbaud

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, a quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have some great updates today and quite a bit to cover. So let's dive into it, shall we?

Brian Selfridge: [00:00:47] The new Department of Homeland Security CIO, Eric Hysen, gave an insightful take this week on the future of supply chain risk management. Mr. Hysen said that cybersecurity is first and foremost a priority for him as CIO. And specifically, in a recent interview, he told GovernmentCIO Media magazine that he is in the process of standing up a new supply chain risk management office. Of course, this is very, very important with everything we have going on. We'll talk about some of the supply chain risks and breaches and issues that are percolating this week. But the new office may include efforts to promote the creation of software bills of materials, or SBOMs. We talked about that in some prior episodes, about the software bills of materials that were highlighted in President Biden's executive order on supply chain risk. If you want to learn more about that executive order, we actually did a whole episode specifically on that.

Brian Selfridge: [00:01:34] Now, Hysen went on to say, "As we look at specifically addressing the SolarWinds breach, we're looking at better evaluating the security of off-the-shelf software that is using our network or being given access to our data, that is, the government's data. So it is a relatively new area and one where we're looking to be an aggressive early adopter." And he also indicated that he has interest in creating a DHS-tailored version of the Defense Department's Cybersecurity Maturity Model Certification standard, or CMMC. If you're not familiar with CMMC, it's a relatively new, actually quite new, multilevel cybersecurity certification system for contractors that do business with the federal government and the Department of Defense. In this case, there are five levels to CMMC. I just want to spend a second to tell you about that. I think if he's going to take that forward at DHS, and in DOD, we might see it elsewhere. There are five levels. Basically, the first level is basic cyber hygiene practices. You get certified as saying you do the fundamental basic stuff. The second level requires documentation of those practices, so procedures, very similar to what we see with HITRUST or SOC 2 requirements, for example. And the third level requires a top-down plan for implementing and demonstrating those practices. The fourth level requires granular reviews of these practices to ensure compliance and effectiveness.

Brian Selfridge: [00:02:51] So that's more of the validation assessment piece. And then the final and fifth level requires standardization and optimization of best-practice security practices across the organization. So very similar to other certifications, with the exception that I guess you can get certified at any particular level. And then the government agencies will decide whether or not that level is sufficient, or they'll set a low bar of who can participate. And I think it'll be really interesting to see the third parties and supply chain vendors sort of held to those standards and those particular certifications. We've been talking about that for years, of when is the point where cybersecurity certifications are going to become required. We see healthcare organizations requiring HITRUST and SOC 2 certifications, for example, for their vendors. Some of the big payers, it's mandatory to play; you have to be certified to play in their environment, period. I've been expecting that trend to become the norm. Now that we see all these supply chain risks and breaches, I wouldn't be surprised if we see that trend continue, as now we see with the Department of Homeland Security and CISA. Hysen said, "We're looking to do what DOD has been doing with CMMC and looking at different ways to pilot similar efforts for our vendors. We have some elements in our Homeland Security acquisition regulations that may look a little different from DOD, but we're really mindful of not putting undue burden on vendors at the same time."

Brian Selfridge: [00:04:13] So it's going to be an interesting balance. So that's a little interesting trend on the supply chain risk side. Now, in terms of supply chain breaches, there was a very, very big one since we last spoke with you a couple of weeks ago. And that is, in other related news, the New York-based company PracticeFirst reported a supply chain ransomware breach to HHS that impacted more than 1.2 million individuals. PracticeFirst provides medical management services as a vendor to healthcare entities. So, again, supply chain stuff here. And the breach occurred late last year. And it looks like PracticeFirst paid the ransom, according to their breach notification. But what's interesting here is that this ransom was apparently paid not necessarily to bring systems back online, which we've seen in the past: lacked good backups, got to bring them back online, got to pay for the decryption key. In this case, it was more of the extortion path, where it was paid in order to receive promises from the cyber criminals that they would not release the information that they stole or launch further attacks against PracticeFirst. So, again, that's the extortion type of model. Now, there are so many factions and deaths and rebirths of these ransomware gangs that I'm not quite sure how much a promise is going to get you and whether there's value in paying that.

Brian Selfridge: [00:05:26] Obviously, I don't know their situation. They made their decision. But that's interesting to see how these organizations are getting paid in different ways, the cyber criminals that is. Now, in related news, the US government launched a one-stop ransomware resource at StopRansomware.gov this past week. DHS says on their website that StopRansomware.gov establishes a one-stop hub for ransomware resources for individuals, businesses and other organizations. The new StopRansomware.gov is a collaborative effort across the federal government and the first website created to help private and public organizations mitigate the ransomware risk. So great to see some resources being pulled together. And I think what's most important about this particular update is that you have all these different updates coming out. Whenever there's a ransomware attack or a spate of attacks, you have the FBI release some guidance, CISA releases some guidance, Homeland Security, like everybody's kind of putting out their own thing. I think it's become a little tricky for businesses to figure out, OK, where do I need to go? Who do I need to contact? What do we need to do? How do I prevent? So this is sort of a one-stop place to deal with that. And now the notification also mentions attacks on hospitals specifically as one of the motivating factors for creating their resource center. I'm calling it a resource center, StopRansomware.gov.

Brian Selfridge: [00:06:41] Call it whatever you want. So it's consolidating all those alerts and guidance, including NIST as well. I didn't mention NIST. Now, based on my initial review of the site, it seems a little more slick and easy to navigate than your standard government resource website. Usually they're a little clunky around the edges and just sort of a lot of hard links. But this is very well laid out, simple to follow, three main areas that you can go into. There's a clear focus on vulnerability and patch management and incident response, as well as some kind of level-setting educational materials, depending on audiences that may be just trying to figure out the lay of the land here. So I recommend you give it a scan and see if there are resources that you can bring back to your own team. I may do a deeper dive analysis on this StopRansomware.gov site on a future episode at some point. Drop me a note actually on LinkedIn or otherwise, if you think that's something you might be interested in hearing about, and I can do that. If not, we'll just continue to give you dribs and drabs and updates as it sort of evolves.

Brian Selfridge: [00:07:38] Now, following the Kaseya breach of yet another IT managed services provider in the supply chain, so we're sticking on our supply chain topic for the moment, CISA has released new guidance documents to help managed service providers, or MSPs, as well as small and midsize businesses to secure their environment.

Brian Selfridge: [00:07:55] So the document CISA put out is called Mitigations and Hardening Guidance for MSPs and Small and Midsize Businesses. The guidance includes provisions for managing supply chain risks, architecture risks, and authentication, authorization and accounting procedure risks. They go through some contractual requirement arrangements and recommendations for dealing with vendors and some more guidance there. It's pretty short and sweet. I mean, I wouldn't call it sort of holistic and comprehensive, but it's definitely a good place to get started and just maybe check to see if there are any tidbits that you want to take away for your own program. It's also important to note that CISA has confirmed a new cybersecurity chief this week. Her name is Jen Easterly, and she most recently worked for Morgan Stanley in the private sector in a security capacity. And we wish her the best in her new role. And I'm really excited to see all the talent entering the C-level ranks of the government agencies as the Biden administration really sort of prioritizes and invests in this area and starts supporting cybersecurity initiatives. So welcome, Jen Easterly, to the party.

Brian Selfridge: [00:08:57] Now, that's the new regime. Now the old regime, so to speak, no ageism here at all, but there was some other news where Admiral Michael Rogers will be speaking at the HIMSS21 conference in a few weeks. He shared some insights on his upcoming keynote. So he played a role as the former NSA director. So he's got some insights from several administrations. He was there for Obama. He was there for Trump. And so it'll be really interesting to hear what he has to say. By the way, a quick aside on HIMSS: Meditology Services and our sister company, CORL Technologies, will be at HIMSS this year as well. So come stop by and see us at our booth, number 7401. We've got some free stuff, some giveaways, and you get to meet all of our professionals and chat them up about how up to speed you are on all these issues, and you can test them and make sure they're aware, too. I'm sure they are.

Brian Selfridge: [00:09:49] Anyway, back to Admiral Rogers. He says that ransomware has gotten much worse since his retirement in 2018. So that's only three years ago. But he pins this on the fact that attackers have gotten much more aggressive due to all the money that can be made. Right. That's what we've been talking about: where there's money, they will come. At the same time, he says nation states have gotten much more brazen and crossed lines that many in the cybersecurity community thought would remain sacred for a long time. And he goes on to say that nation states are now willing to take much greater risks than they ever were before on sort of the global theater.

Brian Selfridge: [00:10:20] And it goes well above and beyond ransomware when it comes to nation states as well. So I think it's important to note that it's more cyber espionage in addition to the ransomware attacks that we see from some countries and some organizations. Admiral Rogers points out on the positive side, though, that President Biden and Congress are paying attention. And that's good news. And there's an acknowledgement that we're not where we need to be on protecting against these threats. So all these investments, the executive orders that we're talking about, I think he thinks are a very good thing. My takeaway from his comments is that saying they're paying attention means that they're actually taking action, and that's a good thing, he said. Federal agencies and standards groups are putting out content to the market, but all too often they're not collaborating effectively between those organizations, as well as not collaborating enough between the public sector and the private sector. So StopRansomware.gov is a good way of getting the public sector's information together and consolidated. And I think more forays into sharing information with the private sector, back and forth, are going to continue.

Brian Selfridge: [00:11:20] So speaking of brazen nation state attacks, the U.K. and E.U. joined the U.S. this week in formally accusing China of perpetrating the coordinated attack against Microsoft Exchange late last year and early this year, I should say. Now, for listeners of the CyberPHIx podcast here, you already know that we were pretty sure China launched this attack even from the outset. And that was pretty well confirmed by the U.S. agencies. However, what makes this story this week noteworthy is the rare instance where multiple world powers have joined together to lay the blame for the attack on another major world power. And so we also have, in addition to the U.K. and EU, Japan, Australia, Canada and New Zealand, who have joined NATO in issuing a statement of solidarity as well. So China was called out specifically for a "pattern of reckless behavior," which was the term used in the announcement. And the announcement says, "We believe that cyber operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January and were racing to exploit the vulnerability before it was widely identified in the public domain." The UK Foreign Office said the Chinese government had ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks and act recklessly when caught. The White House said it reserved the right to take additional actions against China over its cyber activities.

Brian Selfridge: [00:12:41] And the EU, meanwhile, said the hack had resulted in security risks and significant economic loss for our government institutions and private companies. So if you want to know more about this attack, then check out a detailed blog post we put out on MeditologyServices.com, or you can listen to the prior podcast episode where we covered this in more detail. Just go to our resource center on MeditologyServices.com and search for Exchange or Microsoft, and both of those things will pop up for you to check out.

Brian Selfridge: [00:13:07] And just in case you thought we were done with supply chain breaches this week, think again. SolarWinds is yet again in the news, as a zero-day attack was discovered by Microsoft that targets SolarWinds and is reportedly in active use in the wild. So, yes, you heard me right. I did say SolarWinds. Yes, I said they're under attack again. And yes, this is different from the first time. So I know you're asking all those questions to me loudly and shaking your fist. But no, SolarWinds is back, and this is not a repeat news story. The vulnerability is limited to the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products. Other details are sparse on this one, other than the patching information that's been released. So needless to say, the upshot is that you need to patch all these products immediately or discontinue use of them altogether, if possible. I'll leave it up to your imagination to determine which one of these two options I think is the best route to take, wink wink. If you don't need it, don't use it. But if you need it, lock it up.

Brian Selfridge: [00:14:04] Along similar lines, an urgent security notice was released this week for the third-party SonicWall solution, specifically their Secure Mobile Access, or SMA 100 series, and Secure Remote Access products. So get yourself patched up there. We won't go into too much detail; again, there's not really that much out there on it, other than to get patched up. And maybe you can avoid another SolarWinds-type scenario with the SonicWall product this time. So get on it. If you have that pretty popular product, make sure you get it patched up.

Brian Selfridge: [00:14:33] Moving on from ransomware and supply chain issues, since I'm getting signs of early onset ransomware fatigue here myself, and maybe you are too, some progress is being made in the cyber defense and standards circles within our industry. And there's an announcement from the HITRUST Alliance that they'll be releasing version 10 of their Common Security Framework early next year. A specific date has not yet been set, but this is a push back of the schedule from the originally targeted release in Q2 of 2021. Now, for those unfamiliar with HITRUST or the details of the certification, the framework is basically one of the two most widely adopted cybersecurity certification standards for healthcare, alongside SOC 2 Type 2, which is the other one. Many healthcare organizations are requiring vendors in the supply chain to get certified.

Brian Selfridge: [00:15:15] We talked about that a little bit earlier. And HITRUST has really been sort of the gold standard and goes a little bit above and beyond, quite a bit above and beyond, SOC 2, for instance. And we really see the industry heading that way. Whereas the government's moving toward the CMMC type of solution, healthcare is absolutely moving toward HITRUST and SOC 2 as the default standards for vendors, as well as for payers getting certified pretty exclusively, and then some providers and certainly vendors servicing the industry. Now, the news of the push of the HITRUST framework update to version 10 to 2022 is not entirely unwelcome for the industry. HITRUST's historical updates to the CSF framework and certification requirements have often introduced new requirements that just cost some effort and cost for organizations to adopt the new control standard. So if you had, you know, three hundred and some controls to comply with in version 9, version 10, speculating, maybe another 50 to 100 controls or more; that's sort of what we've seen with prior releases. And while that's great for the industry, to continue to mature our security programs and adapt to these new and evolving threats that we're dealing with in the supply chain and otherwise, and certainly we need to move that maturity needle forward, it does create sort of a lift for organizations that are certified already, who need to sort of address the new controls and put in place policies, procedures and implementation to address them.

Brian Selfridge: [00:16:38] And then they've got to keep those up to date over time. So that's time and cost and money, as you might expect, and for organizations just starting the certification journey, it just means that that mountain's a little higher to climb on the first time out. So we'll continue to keep an eye out on the progress of the HITRUST framework. We do think HITRUST is a great way to demonstrate assurance of your program and help secure the supply chain, as well as the healthcare industry in general. However, we don't entirely mind the delay of the new requirements through to the new year. I think that's going to be a little helpful and a breather, a breath of relief, for some organizations.

Brian Selfridge: [00:17:12] Now, there are several updates on healthcare cybersecurity class action lawsuits that I want to just quickly hit on this week for you, and I'll give you the high-level details because there were a couple of them. First, there's a class action lawsuit against Northeast Radiology and Alliance HealthCare, which is a PACS imaging provider group, if you're familiar with that imaging capability. And this was related to a breach reported to HHS affecting almost 300,000 individuals. Now, the lawsuit's very much in the early stages. So we'll see how that one plays out. But in other class action news, a federal judge allowed a Blackbaud consolidated class action data breach lawsuit to proceed this week.

Brian Selfridge: [00:17:52] For those that may recall, Blackbaud had a ransomware-related breach last year, trying to think of the date, within recent memory. And Blackbaud had filed a motion to dismiss the case in May. However, the judge concluded that the plaintiffs had sufficiently alleged Blackbaud was a plausible source of their personal information being lost, and there was a plausible connection between the types of data they allege were compromised and the injuries they had sustained. The judge said it's premature to dismiss the plaintiffs' claims on the grounds of traceability at this stage. So we keep watching these cases. And I've got one more for you after this. Where there's a question is, are they going to have legs, and are they going to be able to make the case of harm from the breaches? Because, you know, you see the breach, information is out there, there's ransomware, systems get locked up, but is there tangible harm? And that's why we're seeing, you know, more movement toward the cases where that is being concluded and there are fines being levied and judgments being levied. So in this instance, finally, if you think that these class action lawsuits have no teeth, the pharmacy and supermarket chain Kroger has proposed a five million dollar settlement related to their cybersecurity breach. And that breach resulted from the compromise of the third-party solution Accellion File Transfer in December of last year. Or is it a hefty sum?

Brian Selfridge: [00:19:10] You may have been following that story with us. The settlement covers 3.82 million individuals affected by the breach. So I was a little concerned about that. So by my math, which isn't always reliable, so don't take it for more than it's worth, that sounds to me about, you know, $1.30 recompense for each individual whose information was breached. I'm not particularly impressed by that five million dollar settlement for almost four million people. And I don't know if that smells right to me, but hopefully there's some accountability there one way or the other. But again, remember, this is not a breach of the organization's systems directly. It's via a third party. So we've got to get third-party risk under control. Hopefully you've sensed a theme for today. And we will continue to help you try to do that by keeping you posted on what's going on and the different things that the government and individual organizations and all of us can come together to address all of this stuff.

Brian Selfridge: [00:20:03] So that's all for this session of the CyberPHIx healthcare security roundup. We hope this has been informative for you, and we'd love to hear from you. If you want to talk about it, just reach out to us at C[email protected]. So long, and thank you for everything you do to keep our healthcare systems and organizations safe. And we'll see you next time.