The CyberPHIx Roundup: Industry News & Trends, 9/16/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Details of 15+ breaches of business associate vendors servicing healthcare organizations that occurred in the last two weeks alone
  • Evolving cybercrime business models and the emergence of Initial Access Brokers (IABs)
  • Top cybersecurity and IT certifications that drive the highest salaries for security professionals in the industry
  • Recent OCR enforcement activity and fines for HIPAA Privacy Rule violations
  • Analysis of the cybersecurity “Bad Practices” catalog from CISA and implications for healthcare entities


Brian Selfridge: [00:00:00] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices specifically for the healthcare industry. I am your host Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders as well as blogs, webinars, articles, and lots of other educational stuff. We have some intriguing updates to cover today, so let's dive into it, shall we?

Brian Selfridge: [00:00:50] We're going to start our day out today with some breaches. I know that's just what you want, coffee and breaches, to get things rolling for the morning or the afternoon or whenever you're listening to this. Meditology's sister company, CORL Technologies, recently started putting out a bi-weekly summary of health care vendors that have experienced cybersecurity breaches in the last couple of weeks. And having helped, too, with the research on this, I found the volume and variety of breaches to be pretty compelling, so I wanted to share those with you today. If your organization is using any of these vendors, then perhaps you may want to look into any potential exposure for your own organization. And if not, it's still pretty useful, I think, to get a sense of the patterns of cyber breaches that we're seeing in the health care supply chain more broadly. So let's run through them.

Brian Selfridge: [00:01:31] First is Microsoft PowerApps. Microsoft discovered a breach with their PowerApps Portal app, which had 38 million records exposed. Unfortunately, the scale of the vulnerability affected more than a thousand web apps and covered private information that includes COVID-19 contact tracing apps, vaccination registrations and statuses, employee databases with details such as home addresses and phone numbers, and even Social Security numbers. So that's a mess. Microsoft, you know, had their issues with the Exchange breach late last year or earlier this year. PowerApps right behind there. So obviously a big target in the supply chain is Microsoft, so watch out for those breaches. Office 365 is also a heavy target.

Brian Selfridge: [00:02:15] Fujitsu had a four-gigabyte data breach of stolen data by a group of well-known threat actors called Marketo. I'm probably not pronouncing that right, but that's fine. They're bad guys, who cares? Fujitsu states that the information appears related to customers, not their own systems, and I'm not sure that makes us feel any better. Don't worry, just your data was breached, not ours. Samples of the data included confidential customer information, company budget data, reports and other documents and projects. Marketo is not a ransomware group, but it does operate in a similar fashion to ransomware groups by stealing company data and threatening to release that information. So classic extortion involving a ransom. So it sort of feels like ransomware, but without the cool tech.

Brian Selfridge: [00:03:00] Nova Biomedical suffered a hacking-related incident on their network that affected more than 3,700-some individuals. The details are pretty limited. They did post the breach to the Department of Health and Human Services federal breach portal, according to the notification requirement. So we know that Nova had a breach. We don't exactly know a lot of details, but we'll keep you posted if we do learn more about that one.

Brian Selfridge: [00:03:24] The State of Maryland Board of Podiatry was another victim of the Microsoft PowerApps breach that we mentioned earlier, but in this case, it exposed a total of 38 million records containing personally identifiable information, or PII. The information included employee information, as well as data related to COVID-19 vaccinations, contact tracing and testing appointments.

Brian Selfridge: [00:03:46] Sandhills Center, a mental managed care services company out of North Carolina, had its information exposed to the data-for-sale site Marketo. Those guys are back, Marketo back again, by some unauthorized individual or group. They had 643 gigabytes of data that has been compromised, and Sandhills has been sort of not really confirming the extent of the impact around any sort of protected health information. They said there's at least four individuals with potential exposure, but the article that I read on this said that as Sandhills was pressured into reporting, they believe the number of affected individuals to be closer to a thousand individuals or so. So 643 gigabytes of data, a thousand-plus individuals, or at least four individuals, still a problem.

Brian Selfridge: [00:04:35] The state of Indiana was another victim of the Microsoft PowerApps breach, so you can see the sort of trickle-down effect here, where they had records containing personally identifiable information taken. Again, COVID-19 vaccinations, contact tracing, testing appointments, very similar to some other breaches that we've seen with those PowerApps-type apps.

Brian Selfridge: [00:04:53] Nashua Regional Cancer Center suffered a hacking incident on the network that impacted approximately 520 individuals. This is another one where we don't have many details on it. They just reported it to HHS on the Wall of Shame breach notification portal. So we'll keep an eye on if we can learn more about exactly what that was all about.

Brian Selfridge: [00:05:13] Now, one of the larger breaches over the last couple of weeks was the DuPage Medical Group. I presume I'm pronouncing it correctly, DuPage. They suffered a cyberattack from threat actors, which caused a week-long computer and phone outage, and DuPage notified approximately 600,000 patients that their data may have been compromised. This is the largest health care cyber breach reported thus far in 2021, so we'll spend a little bit more time on this one. The breach included patient Social Security numbers, medical procedures, diagnoses, dates of birth and treatment dates. Details are still a little scarce on the attack, but we do know that it was a ransomware event, not surprised. While this breach occurred just a few months ago in July and was cited to only have lasted a couple of days, or at least the sort of active intrusion was a couple of days, according to the initial reports, there's already a lawsuit underway. Two patients are taking legal action against DuPage Medical Group. The lawsuit claims negligence on the part of DuPage for not implementing proper cybersecurity and monitoring practices, which resulted in the plaintiffs and the class action plaintiffs behind the scenes being exposed to heightened identity theft and fraud. The class action seeks damages for patients, including reimbursement for out-of-pocket expenses, and requires DuPage to invest in improving its cybersecurity program, which certainly seems reasonable to me. So we will wait and see how this one plays out and keep you posted. But that's one of the larger ones so far this year, and it just occurred in the last couple of weeks.

Brian Selfridge: [00:06:44] Metro Infectious Disease Consultants is another vendor that suffered an incident affecting 171,000 individuals. This was reported to the Department of Health and Human Services. They've been a bit mum on the details as well, so we'll keep an eye on that one, but that's a pretty sizable breach.

Brian Selfridge: [00:07:01] North Country Health Care also suffered a breach impacting approximately 3,550 individuals. Same deal here, reported to HHS. No more details available for the North Country Health Care breach.

Brian Selfridge: [00:07:14] JPMorgan Chase has also admitted to the presence of a technical bug on its online banking website and app that allowed accidental leakage of customer banking information to other customers. Personal details of Chase Bank customers, including statements, transaction lists, names and account numbers, were potentially exposed to other Chase banking members. Now you say, this is a banking breach, is it a big deal? Well, many health care entities actually conduct their corporate banking through JPMorgan Chase, so among the organizations that we work with that list who their business associates and vendors are, JPMorgan Chase is up there quite frequently, which is why we mention it to you in case the same is true for you. And another one that's also not, you know, a traditional sort of health care vendor...

Brian Selfridge: [00:07:58] But the same kind of story as JPMorgan, used by health care vendors, is T-Mobile, where they have an active investigation into a data breach after a threat actor claims to have hacked T-Mobile servers and stolen databases containing personal data of approximately 100 million customers. Yikes. The stolen data allegedly includes customers' phone numbers, customer names, security PINs, oops, Social Security numbers, driver's licenses and dates of birth.

Brian Selfridge: [00:08:29] The medical technology giant Olympus also suffered a cybersecurity breach. Olympus, just for background, manufactures medical devices, including scopes, imaging equipment, surgical devices and a lot more. They're a pretty big player in the medical device space. Olympus appears to have suffered a ransomware attack by the cybercriminal gang BlackMatter. The incident impacted the Europe, Middle East and Africa systems for Olympus. This is particularly intriguing for me, as we just conducted a podcast interview a few weeks back with Mohammed Fadlalla of the cybersecurity firm ArchLight, discussing the brand new health care cyber regulations in the UAE and the Middle East. We may be seeing our first opportunity for enforcement of those laws with this Olympus breach. Check out that CyberPHIx interview with Mohammed Fadlalla for more information; it's a good one, even if you only operate in the States. These global regulations and breaches are going to be reaching our shores one way or another, as these critical vendors that operate across geographical boundaries are going to continue to impact the supply chain, as we've seen with Olympus here and others over time.

Brian Selfridge: [00:09:35] The last breach update for today is Beaumont Health System in Michigan, which was the victim of a recent cyber breach, but this one was sourced by one of their third-party business associates, Goodwin Procter LLP. Goodwin Procter had been using the Accellion file transfer application, which was one of the large-scale supply chain breaches from earlier this year that we've covered on the show, and otherwise, if you can remember that, and a pretty big one, by the way. Folks, if you're still using Accellion file transfer, you really, really need to rethink your risk calculus there and potentially go back and take a look at your thought process for keeping them involved. I also note this one's interesting because we do studies of this on the CORL Technologies vendor risk data. I did a big study on there, like 80,000 vendors in health care, on which ones pose the biggest breach risk. Actually, one of the top categories is law firms. And, you know, looking at Goodwin Procter and these types of firms that carry a lot of data, they're consistently showing up as the highest likelihood and impact for breach events. And so we're starting to see that play out from the assessment data itself. So take a look at your law firms. Don't forget about them.

Brian Selfridge: [00:10:43] All right, that's enough breaches for this week. That's quite a bit, but we thought we'd take the time to run through it with you. In other updates, I want to touch on this phenomenon emerging in cybercriminal business operations for a group of malicious actors called Initial Access Brokers, or IABs. We're seeing a pretty sophisticated division of labor going on across the cybercriminal ecosystem and individuals, as their business model continues to boom with high revenues from ransomware and other attacks. The cybercriminal business is starting to resemble other large enterprises and is making, quote unquote, improvements to scale the business and do more damage and increase their return on investment, like any other organization would. These business adjustments include the increased reliance on independent contractors and individuals and groups that are being referred to as initial access brokers. So the job of an initial access broker, or I'll just call them IAB from here on out, their job is to gain internal access to a target company's network. They can use a variety of techniques to do this, including phishing, exploits and missing patches and so on. The IABs then sell that access on the black market for a price that aligns with the relative value and demand for the target company. So other cybercriminals will then purchase that access and launch attacks using tools and processes where they have a specialization, like ransomware, extortion, data theft and sale, you know, whatever their sort of specialty is.

Brian Selfridge: [00:12:09] So it takes a village of cyber attackers to make all this work. The BlackMatter ransomware group, for example, is actively advertising and seeking IABs, with the focus request around remote access via RDP, that's Microsoft's Remote Desktop Protocol, VPN credentials and web shells to use to launch their next series of attacks. So expect to see more breach roundups like I gave earlier every two weeks as we put those out, as these guys are just getting better and better at what they do. What's particularly interesting this week, beyond the general rise of the prominence of IABs, is that the IABs are now focusing specifically on cloud accounts. They're realizing that the black market is willing to pay huge premiums for access to Amazon, Google and Azure, for instance. And the biggest return on investment is administrative credentials for these environments in particular, although there's still a high price tag just for any level of network access or user account access. As an aside, there is also an increase in malware being developed that targets cloud systems specifically. We'll save that update for another time, but that's interesting to see occurring.

Brian Selfridge: [00:13:19] Ok, let's switch from the bad actors to the good actors for a minute. We've covered extensively in prior CyberPHIx episodes that there is a substantial shortfall of cybersecurity talent needed to combat these threats that we're all facing and that we've been talking about earlier in this episode.

Brian Selfridge: [00:13:34] One of the most impactful ways to build up our cyber defense capabilities is to get more people trained and certified in cybersecurity and risk management skill sets. So to that end, CIO Magazine put out a good article this week on which certifications are the most valuable for individuals and yield the highest average salaries for those with those certifications. The list includes both IT and security certifications, but I think it's telling that the list is nearly dominated by cybersecurity certifications, or at least ones that have a significant cybersecurity component to them. There's also a heavy dominance of cloud-focused certifications, which is not necessarily a surprise, as organizations are dying for cloud skills at this moment and willing to pay a high premium for them. So getting that certification will bump you up to the next level. So here's the list. I want to give you a rundown, which I don't believe is in any particular order as far as I can tell. So I'm just going to kind of run through them here.

Brian Selfridge: [00:14:28] There's the Google Certified Professional Data Engineer, there's the Google Certified Professional Cloud Architect. Those are both cloud-focused certifications. AWS Certified Solutions Architect Associate, same kind of deal there in the cloud. Now we get into some of the more security ones: Certified in Risk and Information Systems Control, or CRISC, I don't know if that's how you say it. Certified Information Systems Security Professional, we know that one, CISSP, the big dog. Certified Information Security Manager (CISM). Project Management Professional (PMP). There's also Nutanix Certified Professional Multicloud Infrastructure, NCP-MCI, whew, that's a mouthful, but another cloud cert, check it out. Certified Information Systems Auditor (CISA). The VMware Certified Professional Data Center Virtualization 2020 is a big one. On the Microsoft side, Windows Server in particular. Microsoft Certified Azure Administrator Associate, another cloud cert. Cisco Certified Network Professional (CCNP), that's been a big one for years. Citrix Certified Associate Virtualization (CCA-V). And the last one is CompTIA Security+.

Brian Selfridge: [00:15:39] So if you were looking for that next certification, it's probably best to grab one of these that we listed here to maximize your salary return and also maintain relevant skills, clearly, for the next decade or so. If you can get cloud under your belt, and security, or both, you're going to be in good shape both salary-wise and job-security-wise.

Brian Selfridge: [00:16:01] In other news this week, there was another OCR penalty imposed. Children's Hospital and Medical Center in Omaha, Nebraska, was fined $80,000 by OCR for violations of the HIPAA Privacy Rule right of access provisions. OCR had received a complaint from the parent of a patient who had to follow up several times over the course of six months to obtain a full copy of her daughter's medical record. This is another example of a big push from OCR in 2020 and 2021 to enforce requirements around timely access to medical records for patients, as defined in the Privacy Rule. So yet another enforcement action there; wanted to bring you up to speed on that one.

Brian Selfridge: [00:16:40] Now, in our last update for today, CISA has updated their catalog of bad practices in cybersecurity. I'm going to give you the top categories. If you're doing any of these things, then you need to spin up a corrective action plan right away and keep focus until you eradicate these behaviors. So, the top three categories, so you can get your corrective actions in place. Let's start with number one: using software that is end-of-life (Windows XP). Excuse me, I usually edit out my coughs and sneezes, but I'm leaving this one in for some reason. The obvious areas to weed out are infrastructure, systems and applications that have modern and updated versions out there, and therefore much more secure versions available. If you have things like legacy medical devices that can't be readily replaced with the latest versions, either for financial reasons or otherwise, then get those segmented in their own networks, put extra security controls around them and monitoring around those systems. I mean, don't just put them in a separate network and then leave all the access control lists open, but actually protect them separately if you can't upgrade them for some reason. So that's category number one, end-of-life stuff.

Brian Selfridge: [00:17:48] Category number two, default credentials and crappy passwords. Ok, so CISA didn't say "crappy passwords", but I can assure you that that's what they meant. And this includes default credentials for your vendor systems, many of which still use the same simple password across their entire client base. This is not hypothetical, and we see this over and over again in our penetration testing of health care entities. I've seen it personally for the last 15, 20 years. It's not going away as fast as it should. This default password guidance also includes your own internal IT systems and default accounts that you use in-house, and you may, you know, you may go, "Oh, we don't, we don't have such things," but trust me. Talk to your IT admins and even your technicians, sort of the workstation technicians, those types of folks. I'm willing to bet you dollars to doughnuts, I don't know, dollars or donuts, whatever you want, or maybe you prefer that, that you have several of these accounts, at least, in your environment. And those IT technicians, they know what they are. They may not be keen on changing them because it takes time and therefore money to do so. It's a big pain, but I promise, you know, I promise you that they know what they are and they know where they are. So talk to those folks and see if you can get it out of them.

Brian Selfridge: [00:19:00] Lastly, the third and last bad practice is getting rid of single-factor authentication on externally facing systems. No excuses, implement multifactor now. I don't know how to say it in different ways. We've discussed this at length before on the show, so enough said for now on that one: get multifactor right away. So make sure you have all those bad practices weeded out for your own systems, as well as making sure that you hold your vendors accountable on these as well. If you tackle these three items, these three categories, then you will be leaps and bounds less likely to experience a breach event. And if you do nothing else, put those on your corrective action plans and assess your environments for those three areas.

Brian Selfridge: [00:19:40] So that's all for this session of the CyberPHIx health care security roundup. We hope this has been informative for you, and we'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. Also, please give us some likes on LinkedIn and the Meditology Services posts for the CyberPHIx so we can know you're listening. It's very, very lonely talking to myself in these episodes; let me know that you're out there, hit that like button on LinkedIn and we'll get a chance to generate some dialogue. So that's all for this week. So long, and thanks for everything you do to keep our health care systems and organizations