The CyberPHIx Roundup: Industry News & Trends, 8/19/21

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx health care security roundup, a quick source for keeping up the latest cybersecurity news trends and industry practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading health care, security, privacy and compliance leaders, as well as blogs, webinars, infographics, articles and lots of other educational material. We have some very interesting updates to cover today. So let's dive into it, shall we?

Brian Selfridge: [00:00:50] A group of investors filed a lawsuit against solar winds related to their recent high profile security breach. The lawsuit specifically calls out SolarWinds, its former CEO and also Tim Brown, who is the VP of Security and CISO for solar winds as well. So suing the CISO. Should we be worried? Let's let's talk about it. Maybe the primary witness in the plaintiff's case is a former SolarWinds employee that worked for the company for a few months and claims to have raised alarm bells about poor security, including the infamous solarwinds123 password that was hard coded into the application across the customer base. This former employee attest that there was no security team, no password policy, no documentation regarding data protection and controls, among other claims. The lawsuit indicates that the employee's account is corroborated by 10 other employees.

Brian Selfridge: [00:01:41] As expected, solar winds is not taking the lawsuit lightly and has fired back with a 48 page rebuttal to these claims. The gist of the rebuttal is that solar winds position that the claims are unsupported by evidence at this stage at least. Obviously, evidence will come out in the lawsuit if this progresses and gets traction. They also said there was no evidence that the solar winds one, two, three password was used in the infamous large scale breach earlier this year. Specifically, solar winds further makes the case that with such a sophisticated attack, it was unlikely their security team was going to be able to prevent the breach in the first place. They also claim that the named plaintiffs did not work on the Orion platform specifically or the software that was breached in question that the lawsuit is referring to. I'll spare you the rest of the angry legal speak on both sides. There is plenty to go around now from my perspective on this, particularly as a former health care CISO, I don't think suing the CISO is an appropriate or effective tactic. In my view. The CISO is an adviser to the business. Right, and an advocate for cybersecurity and certainly plays a part in executing the information security strategy and tactical plans. But, you know, the business ultimately owns the risk and needs to give the proper attention and investment to security in order to effectively manage risk. In my view, if the business has an ineffective CISO and I'm not claiming that that's the case here since I don't have any details there, specific security program or the named lawsuit earlier.

Brian Selfridge: [00:03:02] But I think if hypothetically, if the business has an ineffective CISO, then the leadership is bound to identify that gap and replace one or more individuals on the team as needed. Right. So, yes, it's true of any other position in the organization. Sure. If the company had an incompetent director of software development or coders that put the product functionality at risk and things weren't working well, well, they would have done something about that. Right? You replace folks, you train folks to do what you need to do. You know, I think sort of pinning it on on the developers would be equally kind of silly here as it would to be pinning on the security officer solely. Now, I'm not in a position to judge the merits of this particular case. So so take that as a as a hypothetical conversation. But, you know, if I look at the hardcoded, simple administrative password that solar wins one, two, three, that was used globally across customer base and running critical network software, it doesn't paint a great picture of a business that prioritizes information security, risk management, you know, in the year 2020 anyway when this all played out. So I think we need to factor that in. It remains to be seen how this how this case will play out relative to those allegations.

Brian Selfridge: [00:04:08] Now, suing the CEO, on the other hand, may potentially have more merit. I'm not, you know, not going to advocate for suing individuals outright as sort of our primary method. But, you know, if the facts bear out in this case or others that he or she, the CEO anyway, had knowledge of security risks and willfully neglected to act upon them and address them, I think you could have a case from investors that could have some merit to say, hey, we we were kept in the dark here. You put you put this stuff all under the rug, swept under the rug. And and we were left holding this risk and the impact, financial impact of the event. It's unlikely that this case will will succeed, in my view. I mean, just from looking at precedents, it's rare that suing individuals and proving harm goes through to its full completion. We'll see. Again, we don't know. But this does represent a pattern of litigation for class action lawsuits that are really attempting to address the accountability for cyber breaches that frankly, the market and regulatory regulations and enforcement just haven't been able to solve yet. So let's keep an eye on this case. Let's keep an eye on some others that are suing organizations and apparently see CISOs and CEOs as well as these these breaches continue to mount.

Brian Selfridge: [00:05:20] In other news, the health care provider, Scripps Health Care, based in San Diego, announced a staggering figure for their estimated revenue loss due to a recent ransomware attack. Scripps said in its third quarter earnings report this week that expenses incurred during the ransomware event cost the company approximately one hundred and thirteen million dollars. Holy moly, this one hundred and thirteen dollars million was accounted for by ninety one point six dollars million in lost revenue and twenty one. One million dollars in incremental cost to address the cybersecurity incident and recovery processes, but don't worry, folks, they had cyber liability protection, right? Well, maybe not so much. Cyber liability covered five point nine dollars million in cost and could also potentially cover another fourteen point one dollars million in future claims, according to their report out. So as I calculate that, that still leaves over 90 million dollars in lost cost and expense that is unrecoverable, irrecoverable from cyber liability insurance. So that's really, really important for us as we think about how to how we're going to pay for these types of events.

Brian Selfridge: [00:06:25] The word on the street and speaking with other health care systems this week across the country have actually had the opportunity to talk about this particular topic is that cyber liability premiums are doubling this year for many organizations, even ones that are in good standing with no prior claims. So this means, I think, that the insurance carriers are getting worried about their ability to make these cyber policies profitable. So if your organization is heavily relying on cyber liability, knight in shining armor to to show up and emerge and cover your costs after the breach event, I think it's a good time to revisit that assumption and make some other investments in breach prevention, detection and response, because you're going to have, you know, in this case, another 90 million dollars that that could have been avoided some way or another outside of the one hundred and thirteen total lost revenue and cost for the ransomware event for Scripps.

Brian Selfridge: [00:07:14] Now, the damage is not entirely done yet either for scripts as reference in our prior story today, scripts also faces several proposed class action lawsuits stemming from purported harm to patient from the patients, from the ransomware events. So you can listen to our recent CyberPHIx episodes to learn more about this and some other class action lawsuits that we've covered in more detail in prior discussions.

Brian Selfridge: [00:07:34] Now, finally, on this topic, lest we think Scripps was an anomaly, we have the ransomware incident last year in Vermont where the CEO quoted similar revenue impacts with a total of 63 million dollars estimated cost. And there was a big hubbub when when he came out and said that and said, I use ridiculous 63 million, couldn't possibly be. And and it was sort of sort of mentioned in passing, I think seeing scripts come out with a former formal quarterly earnings report citing 130 million dollars means that these events are very much getting up into that that multi, not multimillion dollar, hundreds of millions of dollars figures. And if you listen in on the IBM report pantomimed report that we talked about last week, one of the big figures there was that if you have a breach that impacts more than one million records, you're looking at an average, what they call mega breach cost of four hundred and one million dollars. So that also seems high. Right. But but I think we're starting to see the real impact as we tally these up to to be in those ranges and even for midsize and small organizations getting big, big hits from these events and in fact, other ransomware activities this week.

Brian Selfridge: [00:08:41] Just to catch you up, there was another ransomware hit to memorial health system that has them turning away patients in their Ohio in West Virginia hospitals. The CEO there reported that the organization has switched to paper records for downtime procedures. So, you know, the clock has started on the mounting costs that I'm sure are beginning to pile up as we speak now for memorial health system. And we'll keep tabs on that one. You know, ransomware has actually gotten so much attention in the news and globally that even John Oliver of HBO's Last Week Tonight with John Oliver did a whole segment on it this week. It's worth a watch, if you don't mind, snarky humor and the occasional adult language, if you can if you can suffer through that. It's a good sort of recap of what's going on in the ransomware world that might supplement all the stuff that I'm telling you here.

Brian Selfridge: [00:09:27] In related news, a report was issued this week by the medical device manufacturer Philips and a medical device cybersecurity solution firm Cyber MDX on the operational costs of downtime for hospitals related to these cyber breach events. The headline stat for the report indicates that cyber attacks cost hospitals an average of 47000 dollars per hour of downtime. So in the survey of one hundred and thirty hospital executives, we learned that large hospitals that experience a shutdown did so for an average of six point two hours per event, with an average cost of twenty one point five thousand dollars per hour for those same events now, midsize hospitals fared slightly worse. They actually had longer average downtimes at ten hours compared to the six hours for the large organizations and a much higher cost per hour at forty five thousand seven hundred dollars per hour cost for midsize organizations compared to again twenty one point five thousand, almost half of that for larger organizations. So they didn't go into details as to why that may be. I mean, I can speculate a little bit. I wonder if that that higher costs for mid-sized organizations may be due to less mature security incident response processes for for midsize and smaller organizations? I don't know. I guess we'll continue to dig into that number. But it's pretty, pretty interesting figure that came out in that report.

Brian Selfridge: [00:10:42] In other matters to cover today, the health care industry saw a return to our famed conference / three ring circus known as HIMSS staged in Las Vegas this year. This was the first in-person conference with a hybrid virtual option since the onset of the pandemic and the canceling of the HIMSS event last year. And twenty twenty hour Meditology team made the trek. And I thought I would pull out some key themes that we heard from the event on the cybersecurity front, maybe share some insights with you. By no means will we cover the entirety of the hymn cybersecurity conversation. But a couple nuggets here for you to take away. One of the panelists in one discussion talked about the escalation of cyber attacks and the general accumulation of bad news for cyber risks in health care is no, no surprises there. I'll spare you the details since they covered many of the same trends, some of the same trends that we discuss here routinely on this podcast. But they also discussed what I thought was kind of an interesting prediction of sorts, the future of artificial intelligence based cyberattacks that could make our lives a whole lot harder. One panelist noted that this is this is hypothetical. And I think they're sort of their view of some things that could possibly happen. And there's no evidence necessarily that AI cyber attacks are happening. But, you know, a cyber criminal can dream, can't they? And so. Well, you know, these groups are getting better funded and more automation, more tech from the cyber criminals is probably pretty likely.

Brian Selfridge: [00:12:02] So it's hard, hard to really disagree with them. There is. As to that outcome now, the timing of it, I guess we'll see. Might might be a few years yet out until that really hits reality. Another panel talked about the importance of engaging the business in collaboration to implement common sense, cybersecurity, fundamental controls. So one panelist noted that we need to get away from chasing the Big Bang Tech to solve all of our cybersecurity issues and risk management issues in health care and get really back to the basics. This includes a dialogue with the business, dialogue and conversation with our vendors versus just kind of, you know, hammering them over the head and as well as other stakeholders in the business to help solve this together, rather than pinning the hopes all on one miraculous intervention from a CISO or the security team to kind of swoop in and and fix it all. Speakers at HIMSS also noted that although the decision to pay ransoms can be difficult when prioritizing against patient safety and operational impacts and those types of costs, they said, even though those considerations considerations are difficult, health care is still kind of actively involved in funding attackers through ransomware payments per this this individual, they said funds are allowing attackers to invest in research and development for future attacks, which maybe goes back to our A.I. artificial intelligence comment. But they're building better, faster, cheaper mousetraps to ensnare us all. And we are the mice, unfortunately, in this case.

Brian Selfridge: [00:13:22] In other updates this week, NIST released a major update in its guidance for developing cyber resilience systems, now still a draft version, but NIST special publication, 801 60, was updated to reflect the changing techniques, tactics and procedures of cyber threat actors, including methods deployed in the latest ransomware attacks. The update specifically targets a change in thinking and the move away from perimeter defenses that have been shown to be ineffective in attacks against Colonial Pipeline, JBS Foods KCA and others that are named in the in the report. The alternative recommended approach involves adoption of zero trust models, which NIST has been really big on promoting this year. And that is where we assume that attacker has already gained access to the network. And this guidance defines processes to maintain resilience and limit the effectiveness and damage from attacks rather than sort of just thinking we're going to keep them all outside the four walls of the network, so to speak.

Brian Selfridge: [00:14:32] So in some other reports that were put out this week, CSO magazine published an article on Cicero's Sisco's 15 top strategic priorities for twenty twenty one. This report featured leading industry CEOs, including our own Meditology alum, Tyrone Jeffress, who is now the CEO for Mobiquity. So nice work, Tyrone. And adding to this list, along with, I think, 15 other CEOs providing their commentary. So here's a rundown of the top fifteen CISO priorities as defined by CSO magazine and their interviewees.

Brian Selfridge: [00:15:02] Number one, a focus on fundamentals. Get back to the basics. I think we heard that from him, too. So that's that's consistent. Number two, identifying, mitigating, third party risk, no surprises there. Third party supply chain risk. Glad to see that up top. We'd agree with that one. Number three, assuring security within enterprise code. So, yes, development coding, not only for vendors, but there's a lot more of that going on within health systems, payers enterprises. Getting that code right is going to be big for dealing with the supply chain attacks and other attacks targeting vulnerable software development. No, for defending against ransomware attacks. I've said their number five, getting board level support, number six, support and for transformation and strategic goals. And the way they framed this was basically making sure security is a business enabler versus just a compliance function. No disagreement there from my side. Number seven, increasing agility, which here is defined in the article as being able to be nimble, to react to evolving threats and sort of maybe not focus on one or two areas and be able to to move as the situation on the ground changes.

Brian Selfridge: [00:16:12] Number eight, upskilling teams, they particularly focus around cloud skills, threat, intelligence and identity and access management skills and capabilities, and making sure your teams have those particular capabilities in in strength, in appropriate volumes. Number nine, addressing Iot security. And of course, we would add medical devices into that for our own health care specific lens. Number ten is security by design, which says we must embed appropriate security, privacy, trust and compliance from the get go as we're building, releasing and using applications and systems. Number 11, more automation. OK, number 12, strengthening remote workforce security. That makes a lot of sense following the the move to remote work pandemic's. Is that a word? I'm going to add it if it's not to my little Microsoft dictionary here. Number thirteen, securing the cloud. That's a big statement. And what is the cloud? It's huge. It's everywhere. We've got to secure it lots. And of course, we've got lots of commentary on that. Wouldn't disagree. There are number fourteen keeping up with emerging, evolving privacy laws. I would add security laws to that, to their move into and last but not least 15, building continuity plans to account for global events. Right. So more than just my server systems are down, but how do we deal with when everybody's down? All right. Great article from CSO magazine. I always like to see these these top lists and see if our own perspectives are aligned. I think more or less they are.

Brian Selfridge: [00:17:42] In our final update today, we found out that the universal ransomware key for the, ah, evil attack, that's the ransomware gang out of Russia that was against Kaseya, the third party vendor, that universal ransomware key was leaked to the public in a hacker forum this week. Now, lest we forget, the U.S. attack impacted approximately fifteen hundred businesses. Huge attack. Seventy million dollar ransom put up. That is this big deal. Shortly after the attack, the evil group and its websites, however, and payment sites mysteriously disappeared. We wonder if they did that voluntarily. So there's a ton of speculation around what happened there. The timing was curious because President Biden had put the put the screws into to Putin, so to speak, on and up to his aggression and pressure on having Putin address the source of the evil group out of Russia and making sure that there were some ultimatums, ultimatums, I think put on the table there. So. Was that a contributing factor that happened a day or two before that the group disappeared, or was it some global offensive action by one or more state governments or entities that went went after these folks and shut them down? You know, we don't quite know for sure. I suspect someday we'll find out. But it's a bit of speculation for now. Now, the leak of the universal key decryption key, however, is good news for impacted companies so they can restore their systems without having to communicate with the now absent are evil group. Right. So if you can't even get in touch with them, how are you going to get that key? Or even if you wanted to pay the ransom?

Brian Selfridge: [00:19:11] And oh, by the way, this is not health care specific, but Accenture was also breached recently this past week with a ransomware attack that included six terabytes of stolen information and a 15 million dollar ransom demand. So let's not get too excited about our evil getting shut down in one ransomware group, sort of going away for a minute. And very often they come back and rename themselves. There's been a bunch of that this week. Some of the old groups that got, quote unquote shutdown have popped right back up. So other groups are coming into the picture and picking up the slack. So we went from 70 million dollar ransomware demands to fifty million dollar ransom demands. Tomato, tomato, you know, sounds about the same to me. So we got our work cut out for us.

Brian Selfridge: [00:19:52] That's all for the session of the CyberPHIx health care security roundup. We hope this has been informative for you and we'd love to hear from you. If you want to talk about this, just reach out to us at [email protected]. So long. And thank you for everything you do to keep our health care systems and organizations safe. And we'll see you next time.