The CyberPHIx Roundup: Industry News & Trends, 9/3/20


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Key takeaways and analysis of the Cloud Security Alliance’s new report on Cloud Risk Management, including shared responsibility, third-party risk, new cloud audit & reporting models, and more
  • A new amendment to California’s Consumer Privacy Act (CCPA) regulation related to deidentification of patient data
  • The outcome of a lawsuit leveled at the Nuance transcription company related to their 2017 ransomware breach that impacted health systems
  • Details of the FBI and CISA alert this week for an ongoing voice phishing (vishing) campaign targeting remote workers
  • Analysis of a Harvard study released this week highlighting security risks with COVID-19 home monitoring devices


Brian Selfridge: [00:00:11] Good day. Welcome to the CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff. So let's dive into this week's episode.

Brian Selfridge: [00:00:38] The Cloud Security Alliance released a new report this week titled CSA's Perspectives on Cloud Risk Management. There are some great insights here that are consistent with what we are seeing play out in healthcare cloud deployments and related security, privacy, and risk impacts for healthcare. I'll summarize some of the key points that I found most interesting and useful. But I do recommend you check out the full report at cloudsecurityalliance.org. The report emphasizes the need to focus on building a model that recognizes and incorporates shared controls. CSA has published information about this previously and we've actually recorded a webinar on cloud security that discusses this in more detail at Securing cloud configurations and implementations is a joint responsibility between the customer and the cloud provider. As breaches mount and accountability and blame are front of mind, those shared responsibilities are being more and more shifted back toward the customer. In fact, the CSA report cites a stat that through 2025, 99% of cloud security failures will be considered the customer's fault. You have to have cloud security models, of course, in place now, and standards and configuration controls and governance that address your shared responsibility for cloud security controls. If you don't have them in place at a minimum, you are definitely getting behind the times quickly for being able to keep up with these evolving risks. The paper also discusses the need to maintain an inventory of cloud providers and get a handle on shadow IT.

Brian Selfridge: [00:01:51] The prior comment about the shared security model doesn't really work very well if you don't know which cloud providers your organization is sharing sensitive data with. So the inventory really is front and center. It should come as little surprise as well that the CSA report touts the importance of a robust third-party risk management program. An interesting nuance mentioned here in the recommendations is a push to move to a continuous auditing mindset and model. And what they mean by that is really getting away from sole reliance on point-in-time audits and assessments: conduct annual assessments or reviews and supplement those with ongoing reporting of SLAs, metrics and KPIs that cloud providers should issue on a routine basis to demonstrate compliance with security control standards. They also recommend an intriguing model where IT staff are trained in some audit skills and the "audit mentality", as they call it, so that they're on the lookout for compliance with security standards and configurations as they work with cloud providers in the initial setup and in monitoring and maintenance of those ecosystems and environments. They can be on the lookout for alignment with security controls according to standards. Of course, relying on third-party assurance via security certifications like HITRUST and SOC 2 is another important way to keep an eye on third-party assurance without having to audit every time you go and assess the vendor. Other recommendations in the report include an emphasis on enterprise risk reporting and governance for cloud security, which are both big themes that we've been covering with our clients this year.

Brian Selfridge: [00:03:13] So keep an eye on those themes as they evolve in the cloud space as well. We don't have time to run through the whole report, so definitely check it out and give it a read at cloudsecurityalliance.org, or reach out to us afterwards. We're glad to talk you through some of the nuances of it.

Brian Selfridge: [00:03:25] The next update we have is a quick one for the California Consumer Privacy Act, or CCPA regulation. If you haven't checked that out, it is related to organizations that are involved specifically in dealing with patient information or personal information in the state of California and surrounding businesses. Similar to GDPR, it covers privacy regulations that are a lot more aggressive and comprehensive than traditional HIPAA regulations, for example. But they've made an important amendment to the law this week that allows de-identified data to be an exception to CCPA requirements, as long as the de-identification is done in accordance with federal de-identification rules. This applies to both covered entities and downstream business associates. I think this is an important amendment, in my view, to allow research and other critical uses of de-identified patient data while still safeguarding patient privacy overall. So pretty good stuff. I like the amendment. I think it's heading in the right direction. Check it out. And if you're not really sure about CCPA, we put out some blogs and stuff on that. Check out our resource center for more information.

Brian Selfridge: [00:04:24] The next thing I'm going to talk about today is the company Nuance, which does transcription. Now, some of you may recall the organization Nuance was hit with the NotPetya ransomware attack in 2017. This caused downtime of the critical service as well as spreading the ransomware over VPN connections to many health systems. Ouch. Not good. One of those health systems, Heritage Valley Health System in Pennsylvania, sued Nuance for failure to maintain appropriate security safeguards that then led to a breach of their patient information, as well as downtime to critical patient safety systems. This is one of several such cases where third parties are being held liable for security breaches. This trend coincides with many class action lawsuits that are cropping up for both covered entities and business associates alike. Nuance in this case got off the hook for liability based on a contract technicality this week. The case was dismissed since the original contract for Heritage Valley was made with a company called Dictaphone, which was later acquired by Nuance. The judge dismissed the case since Nuance did not negotiate the terms of the original contract, although the judge accepted Heritage Valley's arguments and did not dispute the facts of the claims. So Nuance gets a free pass on this one. But I think the days of lawsuits related to security breaches are still going to be plentiful in the years to come. So we've got a long way ahead of us, and those that think they may be off the hook for these types of situations in the long haul, I think, are off base. So we'll continue to keep an eye on that and report back to you.

Brian Selfridge: [00:05:44] The FBI issued an alert this week that an ongoing voice phishing or "vishing" campaign is being conducted targeting remote workers. The attackers purchased domains that are used to host phishing pages and spoof the VPN login pages, as well as using legitimate SSL certificates. Email addresses appear to come from the target company or your organization, for example. They then gather intel on employees via social media and use that to gain the trust of employees by providing some legitimate information about the individuals that they're calling and purporting to be fake. Phone calls are then made over VoIP and appear to come from members of important leadership within the company. They also ask employees to provide two-factor authentication codes sent to their personal devices in a follow-up text message. The FBI recommends restricting VPN access to known devices and implementing monitoring tools to detect anomalies in access patterns to the VPN in particular. Now, there's absolutely nothing new in these types of attacks. These are the very same methods that our team uses when we conduct social engineering and penetration testing engagements. If you haven't conducted a social engineering test to educate your workforce about these risks, then you're at a much higher risk of breaches related to attacks similar to those mentioned in this FBI alert. If you want to learn more, feel free to contact me and I can put you in touch with our social engineering and penetration testing leaders here at Meditology.

Brian Selfridge: [00:06:55] The last update this week is related to a Harvard study that was released highlighting security risks with COVID home monitoring devices. Technologies and devices have been developed to reduce the risk of exposure to COVID-19 and diagnose symptoms quickly to allow interventions, improve patient safety and limit the spread of the virus. The study was published in Nature Medicine and raises several concerns about these home monitoring tools, as they were found to increase the risk to patient safety and privacy. This is another case of the rush to market with new technology where security and privacy are taking a backseat. I do think we need to allow this rapid innovation to deal with the novel virus in the pandemic. However, we, as security and privacy professionals in the health care space, need to also rapidly develop plans to either address security upfront with these devices quickly and efficiently, or quickly and retroactively catch up and assess and apply controls once these things start hitting the market. However, once they're in patient homes, I think security upgrades and updates may be impractical, if not impossible. So we need to be mindful of all the genies we're letting out of the bottles during COVID and make sure we have some plan to get them back under control over time, so we can bend the curve of breach events, a curve which unfortunately right now is looking more and more like a hockey stick.

Brian Selfridge: [00:08:06] That's all for this week. We've covered a lot of ground and we hope this information is informative for you, and we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. So long. And thanks for everything you do to keep our health care systems and organizations safe, and we'll see you next time.