The CyberPHIx Roundup: Industry News & Trends, 9/29/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. 

In this episode, our host  Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 


  • OCR’s announcement of new director, Lisa J. Pino 
  • FTC expands the Healthcare Breach Rule; implications for healthcare entities and enforcement 
  • Healthcare breach highlights including Apple Healthkit, FitBit, GoogleFit, Walgreens, Fortinet, and more 
  • Details on “irrecoverable” EHR ransomware event for an Arizona-based healthcare provider 
  • Summary of new Cloud Security Alliance guidance on ransomware protections 
  • U.S. Treasury takes action against cryptocurrency in counter-ransomware initiative 


Brian Selfridge: [00:00:11] Today, welcome to the CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading health care security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational materials. So great updates for you today. Also, be sure to like and follow us on LinkedIn so we can know that you're listening to these things. Looking forward to getting your feedback there. We have some great updates today, so let's dive into it. 

Brian Selfridge: [00:00:51] The Department of Health and Human Services has named Lisa J. Pino as the new director of the Office for Civil Rights, or OCR. This is an exciting development to get a new perspective in the leadership role for OCR. So let's get into a little bit of background on Lisa to get a sense of where she may take the department. Lisa previously served at the Department of Homeland Security and was appointed by President Barack Obama. At DHS, Lisa was a senior counselor who drove breach mitigation in the 2015 cyber attack on OPM, which compromised the records of four million federal personnel and twenty two million surrogate profiles, according to HHS. She led efforts to renegotiate seven hundred vendor procurements and establish new cybersecurity regulatory protections in the wake of that particular incident. 

Brian Selfridge: [00:01:38] It will be very interesting to see if the current trend from OCR of focusing on business associate compliance, which we've seen over the last couple of years, will continue to be a focus and maybe even be ramped up, given Lisa's vendor risk background, coupled with the escalation in supply chain attacks and activity we've seen targeting the business associate community at large over the last several months and years. Lisa also recently served as the New York State Department of Health's executive deputy commissioner, the agency's second highest executive. In that role, she led New York's operational response to the COVID-19 pandemic, as well as several other critical health problems and programs in the state. If we think we've had a tough year the last two years in cybersecurity, I bet Lisa's year has been a little bit rougher than ours, so we can count our blessings and let's see how she can help us out on the OCR side of things. So we congratulate Lisa Pino on her appointment and look forward to working with her to take OCR into its next chapter of enforcement initiatives and helping to improve security and privacy for the industry going forward. Very exciting stuff. In other news, a major announcement from the FTC came out this week that expands the scope of its health care breach rule. 

Brian Selfridge: [00:02:48] Specifically, the FTC expanded its health care breach rule to include mobile health apps and devices that were not previously covered under HIPAA. The prior version of the FTC Health Care Breach Rule was released in 2009 alongside the HITECH Act, and was really designed to make sure that consumers were notified when their personal health information was compromised. The FTC announced that the new rule now applies to health apps and wearable devices that collect health information from the consumer, and breaches of that data need to be reported. Penalties for non-compliance can be as high as $43,792, exactly, for each day that the notifications have not been issued, so that could add up pretty quickly. I want to provide a little bit more analysis on this one from my perspective, as I think it's an important shift in the industry. You know, historically, these consumer health apps have been excluded from HIPAA compliance. So these are your Fitbits and your wearables and all. There's a million of them out there, and the apps that go kind of behind them, Apple Health and those types of things. They've been excluded from HIPAA compliance mandates because the patient is actually engaging directly with the app provider, and therefore you don't have this sort of covered entity relationship and all that good stuff. 

Brian Selfridge: [00:03:55] So at the same time this past year, you know, the 21st Century Cures Act came out and has interoperability mandates that require APIs, or programming interfaces, to be implemented to connect electronic health records, so your Epics, your Cerners, the big EHRs, to these types of consumer apps and wearables. The purpose of that 21st Century Cures Act is really to, you know, keep those EHR providers from doing what they call information blocking and keeping the patient from getting access to their own records in the way that they choose to use them, whether it's an app or whether it's an offline record of any kind. So that's really the intent behind it. However, you know, with this model, the patient's been left with a significant exposure from a privacy and security perspective. Their information has been put at risk, and the breaches that keep happening with these apps are escalating, and we'll talk about that in a moment. And there's really little to no regulatory oversight at this point to drive accountability for security and privacy of the app vendors and the wearables that are being created. So if you want to learn more about this, you can listen back to prior episodes where we've covered many of these high profile app breaches and actually some downright fraudulent privacy practices in some cases of these organizations that create these apps. I'm not demonizing them, but there's definitely risk there and there is exposure that really hasn't been covered.  

Brian Selfridge: [00:05:10] So the health care providers have been put in a really tough spot, since they are required to support the APIs and the transmission of patient information to these devices, platforms, wearables and everything else. But they're also being asked to, or are proactively providing, guidance to patients on which apps are recommended or quote unquote approved by the health system. But they really, you know, have very limited insight into the cyber risk and privacy protections of these apps and really no enforcement to drive those vendors to implement proper security and privacy measures. So, you know, in my view, the FTC moving forward is a step in the right direction in at least having some potential accountability for app providers to invest in privacy and security. We've still got a long way to go, and I think we're going to see more regulations in our space generally, but also sort of impacting these wearables and devices as time goes on, because there really is very little coverage providing that kind of accountability. So we'll keep an eye on this. And of course, we'll keep you updated in the CyberPHIx updates as we go. 

Brian Selfridge: [00:06:09] Now, lest you think I'm employing any degree of hyperbole or exaggeration on these health app breaches, let's switch gears to highlight some of the health care vendor breaches identified this week, and there's been quite a few. First up is Apple's HealthKit, Fitbit, GoogleFit, MapMyFitness and several other health apps. I'm going to lump them all into one because it really related to one single breach of over 61 million records that was exposed by GetHealth, which is a solution that stores health and wellness data from hundreds of wearable devices. The database held sensitive health information such as names, birthdates, GPS logs, height, weight and more. The system was secured within a few hours of identifying the breach, although it's unclear how long the records were exposed or who may have been able to access them. So right there is a ton of patient information that otherwise would be considered protected health information, or PHI, if these tech companies and app companies were in scope for HIPAA. But as we discussed, there's little that could be done on the accountability side prior to this FTC update to the breach notification rule. 

Brian Selfridge: [00:07:04] While we're on breaches, I'll touch on a few others at a high level here just to keep you up to speed. It's been a busy week. Arizona-based Queen Creek Medical Center, also known as Desert Wells Family Medicine, is in the process of rebuilding their EHR from the ground up and their medical records from scratch following a ransomware event that wiped out their EHR to an unrecoverable state. The organization sent a letter to patients stating the following: "Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data. Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021 are unrecoverable." So this is one of the worst case scenarios, right, that we have anticipated with these ransomware attacks, particularly against smaller providers that don't have the robust I.T. and cybersecurity capabilities to defend against these types of cyber threats. So let's hope this is a minority of incidents, but losing the record and restarting from scratch, I can't imagine as a patient how thrilled I would be about that particular circumstance, and having to go in and, you know, provide all the history back again. So other high profile breaches this week include Walgreens' exposure of COVID-19 patient testing data, and TTEC, a customer support solution for many health care entities, that experienced a widespread outage due to a ransomware event. Then, the VPN and network security firm Fortinet announced that a cybercriminal gang gained access to VPN logins and passwords for over 87,000 SSL VPN devices. Yikes. 
There was a boatload of other breaches this week, and if you want to get a full list of them, check out our vendor breach digest from our sister company, CORL Technologies, that we just released this week, and those come out every two weeks as well, if you want to keep up on some of these health care breaches, particularly on the vendor side. 

Brian Selfridge: [00:08:53] So now that we've discussed all these ransomware events and breaches, the next update I'd like to introduce to you today is new guidance that was issued by the Cloud Security Alliance on preventing ransomware in the health care cloud. So I'll spare you the details of the business drivers and the pain points outlined in the report. I think as loyal listeners of the CyberPHIx podcast, you're well aware of these cyber risks and threats that are associated with the cloud and ransomware and the intersection of the two, generally, I would imagine; if not, go back and keep listening. So I'm going to cut right to summarizing some of the recommendations from the CSA, Cloud Security Alliance, report. The guidance follows the NIST Cybersecurity Framework, or NIST CSF, phases of identify, protect, detect, respond and recover, for those that are familiar with that. So I'm going to highlight some of the identify phase recommendations just to give you a little flavor of some of the content that's in this document. Doing the whole thing would take up our whole podcast. So I'm just going to give you a little taste of it. 

Brian Selfridge: [00:09:45] The report says: don't rely on antivirus as a meaningful protection against ransomware attacks. Instead, the report recommends focusing on scanning inbound emails, much more of an email focus: scanning for malware; using authentication like Sender Policy Framework, or SPF; Domain-based Message Authentication, Reporting and Conformance, or DMARC, for those that are familiar with that on the email side as well; and DomainKeys Identified Mail, or DKIM, to prevent email spoofing. They also recommend disabling macro scripts from Office files sent via email. So a lot of sort of focus on the inbound email versus waiting for it to hit your endpoint and then hoping antivirus is going to clean it up; it just doesn't work that well doing it that way. The CSA report also recommends investing in network segmentation and implementing Active Directory group policies to block the execution of files from local folders, which is a common method employed in ransomware malware. There's also recommendations around privileged access management and limiting or reducing admin accounts, which is a classic bread and butter recommendation that, you know, really too often gets under-investment and energy from security programs. They also recommend employing multifactor authentication, so that one's a no brainer, and we've talked about that quite a bit. So there are many other recommendations along these lines; I think it's good stuff. I like the prescriptive level of detail in the report, even though some of it may be, you know, pretty common sense standard best practices for those that have been in the industry for a while. 

Brian Selfridge: [00:11:08] I think there's some really good nuggets and recommendations on the other phases like respond and recover and things you can do. The Cloud Security Alliance has put in the effort to put this together, so you can get the full report from the CSA website. If you want to learn more, you can reach out to me and I will get it to you as well, whatever's easier for you. In other news, the U.S. Department of the Treasury announced this week that they are taking action to disrupt cryptocurrency transactions related to ransomware laundering. So according to statistics by the Treasury Department, payments for ransomware attacks climbed to more than $400 million in 2020. That's four times higher than the payments were in 2019. The Treasury issued a statement saying, quote, "Ransomware and cyber attacks are victimizing businesses large and small across America and are a direct threat to our economy. We'll continue to crack down on malicious actors as cybercriminals use increasingly sophisticated methods and technology. We are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter and prevent ransomware attacks." End quote. The U.S. Treasury's Office of Foreign Assets Control, or OFAC, has also released a statement saying OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC. That quote sounds like it comes from the government, doesn't it? But they are putting some actions behind their words, and these quotes do have some oomph behind them. 

Brian Selfridge: [00:12:41] So I'll give a rundown of some of the examples from OFAC where ransomware operators were designated as sanctioned malicious actors. There's sort of one every few years here. In December 2016, the CryptoLocker developer Evgeniy Mikhailovich Bogachev was sanctioned for infecting more than 234,000 computers worldwide. So there's a start. And then in November of 2018, two Iranian individuals were sanctioned for laundering SamSam ransomware funds. And in September 2019, the North Korea-sponsored Lazarus Group was sanctioned for infecting more than 300,000 computers in 150 countries with WannaCry 2.0. Yes, we remember WannaCry. And then two more: in December 2019, Russia-based Evil Corp's founder was sanctioned for leading the distribution of the Dridex malware, which resulted in more than $100 million in theft. And then finally, in September of this year, that's very recent.

Brian Selfridge: [00:13:51] The Treasury sanctioned a foreign virtual currency exchange called Suex OTC for its part in supporting cybercriminal activity. This particular action was a historic move and the first of its kind by the United States, so there's definitely some change happening to go follow the money, so to speak, as we always talk about in these types of fraud and cybercrime events, and try to either sanction or cut off those funds through the Treasury and OFAC. So keep it up, guys. Every little bit helps. Now, the Biden administration also announced that they were releasing new security guidance this week to critical infrastructure companies to combat ransomware. I mention this because it hit the front page news of CNN, so I figured I'd be remiss if I didn't mention it here, but we're actually still waiting on the details of the guidance, which is scheduled to be issued later today. And I'll catch you up on that in the next episode once it becomes available. 

Brian Selfridge: [00:14:43] So that's all for this episode of the CyberPHIx Healthcare Security Roundup. We hope this has been informative for you, and we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. That's all for this week. So, so long, and thank you so much for everything you do to keep our health care systems and organizations safe.