The CyberPHIx Roundup: Industry News & Trends, 7/9/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • UnityPoint Health in Iowa reaches a $2.8m class action settlement related to phishing breaches in 2018; discussion on implications for the industry, breach response lessons learned, OCR and class action risks, and recommended actions for healthcare entities
  • NIST report released looking at the statistical trends for financial losses related to cybercrime activity; analysis of the report and implications for healthcare security program investments
  • UCSF pays $1.14m ransom to retrieve COVID-19 research data; details of the case, FBI involvement and negotiations; recommendations provided for ransomware prevention and response
  • Bipartisan Senate introduction of an amendment to the 2021 National Defense Authorization Act that would provide funding for a cybersecurity coordinator in every state, and re-instate the national cybersecurity director position that the Trump administration eliminated


[00:00:08] Good day and welcome to the CyberPHIx Healthcare Security Roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading health care, security, privacy and compliance leaders at or on your favorite podcast hosting platform. Just search for CyberPHIx. Alright, let's dive into this week's episode.

We've got quite a bit to cover with you, so I'll try to move quickly. The first thing we want to talk about, and this is a theme for those that have been following this roundup podcast over the last several months: yet another class action lawsuit has been put in place. And we are going to talk about this one, because I think it's a bit of a threshold moment or a watershed moment for the industry in a lot of ways. UnityPoint Health in Iowa reached a 2.8 million-dollar class action settlement over breaches, well two breaches, that occurred in 2018. They were both phishing attacks. Nothing too, you know, abnormal there. One in 2017 and one in 2018. In 2018, this one was a little bit more targeted, with emails pretending to come from a UnityPoint Health executive, so CEO, C-level, director-level person. Several patients impacted by these events filed a class action lawsuit in 2018 against UnityPoint, saying that the healthcare system mishandled the breach.

[00:01:32] They delayed reporting of the incident and incorrectly told patients that their Social Security numbers were not impacted. They waited more than 60 days, the HIPAA-required 60 days, to notify patients of the breach. And the lawsuit states that its officials misrepresented the nature, breadth, scope, harm, and cost of the breach. Patients were told "no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes." Now we'll talk about sweeping it under the rug later. That was a botched sweeping-under-the-rug job. The lawsuit states as much. So after a two-year legal battle, and part of the case being dismissed, they still ended up with a 2.8 million-dollar settlement. And also some, as I read the resolution agreement, settlement, whatever you call it, it still leaves open-ended room for additional financial damages, in the way that I read it anyway. So I think 2.8 million dollars is the number, but I think there's potential for more if there are further damages received by the patients involved in this. So, you know, this UnityPoint settlement joins some of the larger health care breach settlements. Now, in addition to the class actions we've talked about over the last several weeks, these numbers are now getting up there with those PR-level numbers.

[00:02:47] We had Anthem, Premera Blue Cross - 10 million. Banner Health - nine million. UCLA Health and Washington State. These are all multi-million-dollar OCR settlement breaches. But now the class action lawsuits are getting up there as well. So I think it's really important, if you are taking a position that you're focused solely on OCR, Office for Civil Rights, federal-level government action following a breach, and sort of making sure that you have all your ducks in a row there, I think you should certainly continue to do that. I think there is a possibility, likelihood, whatever you want to look at it, that OCR will come around if you've had a breach, particularly more than one breach. And these are phishing, ransomware, the things everybody is dealing with. So I think not only being ready for that, but you've got to get this class action stuff on your radar, if you don't already. Because I think the one-two punch of OCR and class action is, if one doesn't get to you, the other will. So start creating a plan for how you're going to handle this, if you haven't already.

[00:03:59] Update your incident breach response planning and policies. Get with your cyber liability carriers to talk about limitations and coverages. Is class action covered or not? Or where are the boundaries to that? Get some tabletop exercises, simulations, running for how your organization would handle a class action breach response. And you know, of course, prevention is the best remedy. So making sure we continue to invest in security risk controls and capabilities, obviously. But also just having a clear game plan on how we're going to handle these post-breach events, I think, is a necessary part of your program right now if you don't have that really well tuned. And also, for goodness sake, don't lie. Don't cover up the facts. This compounds the damage, with both OCR and class action settlements, as we see here with UnityPoint Health. So, boy, lots to worry about. But a lot of the same actions we need to take to address both of those types of scenarios.

[00:04:53] All right, the next update I'm going to provide is around a recent report from NIST, the National Institute of Standards and Technology, another federal government entity that has been great on promoting and creating cybersecurity capabilities over the years. They released a report this week that looks at statistical trends for financial losses related to cybercrime activity across all industries, but inclusive of health care. They looked at data going back from 2005 to present, and they took data from the Bureau of Justice Statistics, which NIST noted was the most statistically reliable data set available on this topic that they could find anywhere. They identified the range of financial loss as somewhere between, this is for 2016, which they noted as the example, somewhere between 0.9% and 4.1% of GDP, which equates to, for the 2016 example, about 167 billion at the low end to 770 billion at the high end. Now, NIST's big takeaway here was that the lower bound of their statistical range of financial loss for cybercrime across industries is 167 billion. And this is 40% higher than the estimates that McAfee provided in a much-cited report, also recently, on financial losses cross-industry as their sort of normal number. Right, so this is saying, look, our low-end number is 40% higher than McAfee's just general estimated loss. So I think I'll read their conclusion because I think it sums it up pretty well. It says "The implication from this report is that widely accepted estimates of cybercrime loss may severely underestimate the true value of losses. One of the first steps in addressing a problem is to understand the magnitude of loss, what types of losses occur and the circumstances under which they occur. Without further data collection, we are in the dark as to how we are losing. But the evidence suggests it's more than we thought."

[00:06:44] So if you weren't already up at night, now you can be up at night. But the numbers are numbers. This is a very reliable and trustworthy source on this stuff. And so it's a bit of a wakeup call. I think my analysis of this is, look, if you look at, again, our prior CyberPHIx Roundup episodes, these podcasts have been talking about it this year so far: the rate of increasing attacks that we're seeing, especially during the COVID and coronavirus situation. Health care organizations are in a particularly difficult situation because we're crunched with budgets. If you're on the provider side in particular, we've had a reduction in elective surgeries and outpatient stuff. A lot of the big revenue drivers are not happening as much. They're starting to pick up again. But we've been furloughing employees. The budgets are really crunchy. And we're struggling to make large investments in cyber protections this year, as it is, although I will note that we've seen most of the organizations we work with are still investing solidly in cybersecurity stuff. I haven't seen that drop despite the economic uncertainty. But the growing financial impact cited by NIST is just yet another indicator that we can't take our foot off the gas with building stronger and more resilient cybersecurity protections this year and beyond. That goes for both true protections, as well as just breach response activities. The train is here. It's arrived. We've got to make some sense of it and do what we can.

[00:08:13] So two more updates for you for this episode that I think are really interesting for this week. I want to talk about the University of California, San Francisco. UCSF paid a 1.14-million-dollar ransom. And the reason why this is particularly interesting, first off, ransomware reported numbers always seem to be lower than the actual numbers, and there are a lot of reasons for that. But this is a very specific number, so we'll go with it, 1.14 million. That's a painful number. But the reason why they paid is particularly interesting. So they were currently involved in finding a cure. They're working on research for COVID-19 and antibody testing. And some of the files that were stolen, they don't believe patient data was taken, but the research data was encrypted and it was essential, deemed essential, for the research being conducted for COVID. And the university had really no other choice, from their perspective, than to negotiate with the attackers.

[00:09:10] So through a wide range of online negotiations, a payment of 1.14 million was decided upon. The FBI is involved, and they are always sort of involved, but they won't tell you whether to pay or not. And they'll be there to help you get intel on the attackers and that type of thing. It usually ends up being down to the organization to figure out what to do. So, by the way, this is NetWalker ransomware, so if you want to know what flavor, there are a bunch of flavors out there. And there were several other attacks in June for other universities, including Columbia College Chicago and Michigan State University. And it is also noted in the article that I've referenced here that it's believed that Columbia College has also paid the ransom. So we're seeing some targeted attacks on COVID research. We talked about that in our prior updates. Now the ransomware is coming down, and the payments are coming out. So, again, if you haven't done a ransomware tabletop or figured out how you're going to handle pay or not pay and gone through that with your executive team, you're behind the game. It's increasingly likely we're going to see that play out.

[00:10:17] So the last update I'll provide you with today is on the federal front. A bipartisan group, that's right, a bipartisan group of U.S. senators, if you can believe it, they're talking to each other and they're putting stuff forward together, has introduced an amendment to the 2021 National Defense Authorization Act. So basically, the budget, we're in budget season and we're putting in requests for money. And this would provide funding for a cybersecurity coordinator in every U.S. state. So there are a couple of pieces that are really interesting to this one. The coordinators would be responsible for responding to cyber threats. This is on a state-by-state basis. Everybody would have a person, the cyber person, and the act would also bring back a cybersecurity director in the White House, which is a position that President Trump had eliminated. And, you know, given that there's been an increase in threats in the past two years, the senators are noting that government healthcare facilities are particularly vulnerable. There was also a report put out by the Cyberspace Solarium Commission. They recommended the creation of a national cyber director, as well, at the federal level, at the White House level, in their March report. And under this legislation, the director would coordinate cybersecurity strategy and policy and act as the president's principal adviser on cybersecurity. Again, a position that's currently eliminated. Let's bring that back. Let's actually put that in place and provide more state officials with the ability to prevent and protect against cybercrime in their own states. So for the state side, it says the coordinators would facilitate the sharing of information on cyber risks among federal and state agencies. They would work on raising awareness of financial and technology resources available for cybersecurity, help plan for quick recoveries from ransomware attacks, all the stuff we've talked about earlier here, and serve as a point of contact on cyber incidents affecting state, local and private organizations. So right now, the House and Senate are debating their own versions of the 2021 defense bill, and given the bipartisan nature, it may be more likely to pass or be included than other stuff. And I think, again, if we look at the trends that we're talking about in the aggregate here in this update, there are clear indicators that now is not a great time to be gutting your cybersecurity investments and protections for the infrastructure, and that goes on an organizational level, but also the federal and state level. And so it seems to be that there are more proposals to sort of get us back on track there.

[00:12:49] We're falling behind in the greater cyber fight; with private industry getting squeezed on budgets, which we talked about in the provider sector, with the challenges and the nature and volume of attacks that we're seeing, with the workforce being remote and sort of being particularly vulnerable to password attacks and other sort of remote-based attacks, lack of two-factor in some organizations, those types of things, we're going to need to continue to invest in all angles we can. Continue with the private sector, continue at the state level, continue at the federal level, and then get some better coordination across all those entities, the FBI and others, which we mentioned earlier. And let's all row the boat in the same direction and try to combat the larger attackers out there, financially motivated attackers, again, per the NIST report mentioned earlier.

[00:13:37] So I'm hopeful. I'm sort of cautiously hopeful that at least the bipartisan support aspect to this increases the likelihood of getting some budget at the federal level for this particular initiative. But we have a long way to go, both federally and locally, and hopefully you all are doing everything you can to make the case and use this data and these anecdotes as best you can, in your own organizations, to try to make the case for additional support, funding, processes, attention, awareness, all that stuff.

[00:14:05] All right. That's all for this session of the CyberPHIx Healthcare Security Roundup. I hope this has been informative for you, and we'd love to hear from you if you want to talk about any of this, just reach out to us at [email protected], or you can hit me up directly. So long, and thank you for everything you do to keep our healthcare systems and organizations safe, and we'll talk to you next time.