The CyberPHIx Roundup: Industry News & Trends, 8/19/20

PODCAST TRANSCRIPT

[00:00:07] Good day and welcome to CyberPHIx health care security roundup, your quick source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for the health care industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading health care, security, privacy and compliance leaders at meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx. Now let's dive into this week's episode. A database with over 3.1 million patient records was exposed to the public Internet this week and then mysteriously destroyed. Well, this is a little bit more of an interesting story than all that. I wouldn't just tell you about a breach because they happen every day and that's a little too boring for us. But this database was managed by Adit, a Houston based online medical appointment and patient management software company. What makes this interesting is that a new strand of automated malware called me "Meow-bot" detected the unprotected database through an automated scan, accessed the database and replaced all of the information, including sensitive patient information with the word meow. So the debate is on, is this a good cat or a bad cat? Is is a good meow or bad meow? As no ransomware was requested. It's unclear if the malware had copied any information prior to "meowing" it and replacing all the words with meow. So some are arguing that maybe this is a benevolent bot of sorts and out to protect us vulnerable humans from unauthorized access or sale of our information. But, you know, benevolent or not, I think any right minded security professional wants databases exposed to unauthorized bots of any sort to be outlawed.

[00:01:49] I don't think it's a good outcome for us, regardless of which bots are going to pick it up, be they good, bad or or feline. We talk a great deal on this podcast and other forums about the fundamentals of configuration management, which must now go well beyond servers, workstations and extend into databases, into cloud hosted platforms, into apps of all sorts. We've got to get better at configuration management. It's going to be the name of the game for 2020 for the next decade. Now, good configuration management is about establishing standards and baseline configurations that are well thought out and aligned with leading practices. It's about establishing procedures to configure new systems and application to those standards and to identifying deviations over time through audit scans, pen tests and adjust as new technologies or use cases evolve. I think a great example of this is when an Covid hit initially a few months ago, there was a a big rush to deploy videoconferencing solutions into health care and other industries, for example. And Zoom, if you recall, came under fire as there was all these these Zoom bombs where unauthorized individuals were all of a sudden jumping on Zoom meetings because of the algorithm that you could sort of just guess the the Zoom link. And so Zoom responded quickly. Right. And they put together better configuration options very fast, rectified that, and then many organizations moved to establish baseline standards based on this configuration.

[00:03:15] So, for example, we saw health care entities that had taken on Zoom as a as a preferred or available telemedicine or internal management tool, started requiring passwords for meetings requiring approval to allow folks to enter into the meetings, required enabling of encryption and other settings like that.

[00:03:33] So that that's configuration management 101, right. Like we've got to be aware of what are the security configurations that are available to us. This goes for, again, servers, databases, network, platform, whatever it's going to be, applications, making sure that we put some thought into those settings, establish a standard that's right for us in our organization. You know, you don't have to adopt NIST 800-53 or the CIS benchmark guidelines or anything really overly aggressive. But you need to look at those available standards, take advantage of people that have thought through it, decide what's right for your organization, and then apply that to all asset types that store managers manage sensitive information.

[00:04:09] So and that's an increasingly wide variety of systems and applications, including databases like your situation here, as well as Iot devices, medical devices, wearable patient devices. The list goes on. So that's a little bit about our what I thought was an interesting database story. Meow let's move on to the next topic and our update today. I want to talk also about, speaking of standards, a standard publication was put out by NIST this week around the Zero Trust Architecture or ZTA. I don't like acronyms and I don't like industry buzzwords, but those are two more for you. Zero trust. The last decade or two have shown us that the model for commonly deployed health care ecosystems, as well as other entities and industries of having that sort of hard, crunchy shell of a network and a soft chewy inside in the network, that whole idea does not work. It only takes one phish to gain access to the network, to punch through that shell, one guessed password or one poorly configured system or misconfiguration, right. We talked about the meow database. This happens over and over again, cloud systems, everything else. So one instance of bypassing that edge system and then all of a sudden you're on free to run wild and and steal and pillage and grab sensitive patient information, financial information on the internal networks. And unfortunately, that's still largely the philosophy that's been adopted over the last couple of decades.

[00:05:37] And we still see many organizations with that model. And that's leading to a lot of the breaches that we're seeing be successful or an even larger scale than in scope and damage than it could be. So zero trust is essentially just to sum it up for essentially better identity and access management controls, tighter security protections and monitoring for assets, regardless of where they sit on the network. So it's kind of saying, look, I don't care if you're out on an edge system or internally within Fort Knox here within our network, and we joke about being Fort Knox because the average health care networks is is is nothing of the sort. But this this whole zero trust model, the idea the concept is not entirely new. I mean, it's this is this is pretty fundamental BREAD-AND-BUTTER security stuff, but it does help us think about shifting the focus and attention of security programs toward controls and workflows that better reflect the modern computing era, the modern data management techniques and phenomenon and the threat landscape overall. So I'm always a little hesitant to jump behind the latest security buzzwords of the day. And I have to admit that the term zero trust has kind of bothered me a bit as it first came out, as I learned more about it.

[00:06:45] It's OK, I get it. But really, to me it's about lots of trust, not zero trust, about lots of little itty bitty bits of trust that are well thought out designed so that we can we can basically kind of micro-trust, different assets, different information, different systems versus sort of the broad stroke levels of trust we were doing before. Like you're in the network or you're out of the network or you are an authorized user, unauthorized user, very sort of boolean thinking, a large scale sort of swaths like I always talk about using the the scalpel instead of the hatchet. Right. To apply security rules and being a little bit more precise. So I think that that concept of zero trust makes a lot of sense. Now, as with any security model, the devil's in the details of implementation. Health care is wildly complex. The technology landscape we're dealing with, the business structures, the diversity of systems and applications, the variety of settings that we need to have sensitive data moving in and out for patient care, for for financial systems, for all kinds of use cases is just getting getting wider and wider. And that makes it even more to more difficult trying to wrangle in these technologies as they as they evolve and we innovate on an unprecedented scale and timetable and complex ecosystems are very challenging to develop these kind of Zero Trust micro level access rules and the business logic logic when you deploy them at scale.

[00:08:14] So I would caution the overly ambitious security professionals of you out there that are thinking, let's get really preachy about zero trust. I'm going to apply it across the board and everywhere. And, you know, everything will be locked down and nothing will work. Be careful because this really does take time to deploy and you have to kind of pick and choose your battles a little bit of where you're going to leverage the concepts. But I think the concepts laid out in the NIST Zero Trust architecture, which I highly recommend you check out regardless of my my sort of picking on the acronym and that kind of thing and the terminology, the concepts behind them make a lot of sense and can really help drive prioritization of the program and remediation efforts. So, for example, the NIST framework promotes the adoption of better identity governance models. Yes, do that.  Deployment of micro segmentation? Absolutely. Let's limit those network segments to smaller nodules that that can be better protected in and out medical devices being a great example. No reason they need to be running out on a big, broad network like everything else. Zero Trust talks about application sandboxes tightening up.

[00:09:17] Multi-tenant cloud configurations or just cloud configurations in general. They talk about prioritization of protection for higher value assets, although, you know, we have PHI everywhere. But still there are some larger troves than others. And being being aware of those and prioritizing resources all makes a ton of sense. And I love that the document really distills that and drives our focus around that. And those are all initiatives that are worth pursuing, regardless of the label, the buzz term or the overarching philosophy that's driving behind them. I also like that with this publication NIST is and with the last several ones they put together, they're really driving linkages between the work that they're doing across different standards. So the NIST CSF is fantastic. The security sort of prominent security standard of the day, the new NIST privacy framework that came out last year is awesome as well and other related standards, the zero trust architecture, they've gone as far as to really map everything together and show how it interrelates. And I think these are excellent standards and resources. And I appreciate NIST efforts to drive consistent practices and coordinate the industry both in security and privacy in ways that I think the health care industry has struggled to sort of tie all that together ourselves and adapt to the new world order. So I love what they're putting out there.

[00:10:34] I think I think it's a resource, if nothing else, if you haven't seen the NIST privacy framework. We did a we did a webinar on that. I did some blogs on it and those types of things. You can check out our resource center to learn more about that one. And you can also check out NIST publication of this new zero trust architecture on the link that we provide in our CyberPHIx podcast episode on the Meditology services web page. Or you can just search for NIST and Zero Trust, and I'm sure it will pop up for you. All right. The last update for you for this week is a few quick, interesting trends around application privacy to share with you. One is Apple's new initiative around privacy nutrition labels, sort of a nutrition label approach. They're referring to it as which requires app developers developing Apple apps to disclose and obtain consent with users for the acquisition and sharing of their information. So where is the information going? How is it being used? Yada, yada, yada. This is a welcome shift for privacy awareness, I think, in the marketplace and should hopefully help us identify the calories, the fat, the salt equivalents we're dealing with when we're unknowingly taking in some of this stuff and ingesting it, when we're installing new apps or signing up for that new that new iPhone app or iPad or whatever else it Mac that we're going to use.

[00:11:52] So worth keep an eye on that. I think it's still evolving. I think it'll help toward a lot of the compliance initiatives with GDPR or the regulations that are really driving more toward fine-grained, privacy protections and awareness. So that's great. Another update on on this same topic around privacy enforcement. In this case, the FTE has, oops I mean FTC, these are both acronyms I use often. The FTC, Federal Trade Commission, has had a PrivacyCon conference this past month where they made it very clear that they're looking to up their involvement in enforcement of privacy violations. So the director of the Bureau of Consumer Protection, Andrew Smith, said we at the FTC "will not hesitate to take action when companies misrepresent what they're doing with consumers health information or otherwise put health data at undue risk". So that's music to our ears. Right. And there was a heavy focus in the conference and FTC perspective around app privacy. So application privacy in particular. Now, it's worth noting the FTC has a little bit of a tricky track record with with enforcement on security historically, where they were sort of jumping out and enforcing some cases that that might have overlapped with HIPAA OCR enforcement and sometimes had really murky requirements and expectations of trying to figure out exactly what the FTC was enforcing, what standards organizations needed to comply with.

[00:13:15] I think I think their heart is in the right place. And it's great that we're getting additional enforcement and controls. But it was it was a bit a bit murky there for a bit. And it remains to be seen if privacy is going to be enforced in a similar model. But I think regardless of the execution of it, I think all organizations are on notice now. Well, on notice that privacy is going to be paramount in 2020 in the next decade. And you can choose which enforcement agency you're going to use to keep you up at night, whether it's GDPR or HIPAA, FTC or the California regulations, whatever you want to worry about, you've got to worry about it. But you sure as heck better wake up and start putting some privacy controls in place in the morning as you wake up worrying about these these different enforcement entities. So that's it for this episode of the CyberPHIx Healthcare Security Roundup. We hope this is informative for you and we'd love to hear from you if you'd like to talk about any of this to reach out to us at [email protected]. So long for now, and thanks for everything you do to keep our healthcare systems and organizations safe.