The CyberPHIx Roundup: Industry News & Trends, 9/8/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

  • Historic breach levels reached for healthcare between 2020-2022; trends and analysis 
  • Attackers shifting focus to target small hospitals, clinics, and vendors 
  • Cisco breach and related impacts on healthcare organization networks 
  • Stats from SecureLink’s new report on third-party data breaches and analysis of healthcare-specific takeaways 
  • LastPass source code breach and potential exposures to individuals and centrally-managed healthcare organization passwords 
  • Cyberliability trends and criteria required to obtain and maintain coverage 
  • NIST CSF 2.0 workshop highlights and industry feedback 
  • TEFCA selects HITRUST’s r2 certification for Qualified Health Information Network organizations to prove compliance with security practices 
  • Health ISAC (H-ISAC) guidance on zero trust implementation for healthcare entities 
  • Guidance from federal agencies on emerging cloud security threats and recommended practices 
  • FBI warns of new sophisticated scam targeting the healthcare workforce 
  • New federal advisory related to attacks from “Evil Corp” on the healthcare industry 

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:01] Good day and welcome to The CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on Meditology Services, which includes our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders, along with blogs, webinars, articles, infographics, and lots of other educational material. We have a lot to cover today, quite a bit to cover, a big session, which is great. I hope you're ready. Let's drop in and dive into it, shall we? 

Brian Selfridge: [00:00:35] We crossed a frustrating threshold in June of 2022. At least according to a recent report, 5,000 data breaches have been reported to the OCR data breach portal since its inception in 2009. Those breaches impacted 342 million medical records, and as you know, individual breaches are only required to be reported to the portal if they're over 500 records. So the number of total breaches is actually far, far higher than that number. Interestingly, nearly one-fifth of the 5,000 breaches occurred in 2022 alone. The report attributes that to the healthcare sector's focus on the pandemic, which makes sense. We had a lot going on. You might remember there were several threat actor groups that the FBI was reporting were saying that they were going to target healthcare. And then there were further reports that said, well, we're going to leave healthcare alone during March and April of 2020, because healthcare is really important to us in this pandemic. 

Brian Selfridge: [00:01:28] All of a sudden, they had this moment of realization that they might be doing something morally or ethically wrong. But I think we were all pretty skeptical at the time. And the data shows clearly that that didn't happen. They kept plugging along. In fact, they ramped things up during the pandemic, even more so than before. So it's not surprising that they kept going; a little surprising that they took the effort to write up how they're not going to attack us and then did it at historical levels. So the report that I'm referencing is developed by a company called Comparitech, and it lists the five largest breaches since 2009. I'll list them in order. Number one was Anthem's 78.8 million record breach. Number two is Optum360, clocking in at 11.5 million records. Number three is Premera Blue Cross at 11 million records. Four was LabCorp at 10.2 million records. And five, and last on this list, was Excellus Health Plan at 9.3 million records. Now, another attack pattern that we saw sort of beginning to take shape in that 2020 timeframe, but is now really becoming a prominent trend, has been picked up by several news stories and things. So I want to sort of just roll it up into a consistent theme. 

Brian Selfridge: [00:02:36] We're starting to notice that attackers are shifting their focus, particularly around ransomware, from large multinational-type organizations down to small hospitals, clinics, and tech companies. There have been several reports that have tried to quantify this trend, and I'll note one from the Fierce Healthcare news outlet that put some statistics out there. They said that breaches reported to HHS that were associated with specialty clinics rose to 31% this year, which is up from 20% in 2019. Attacks on physician groups rose from 2% in 2021 to 12% this year. In healthcare, services and supplies accounted for 14% of breaches, up from 5% in 2019. So you see those big jumps: 5% to 14%, 2% to 12%, 22% to 30%. So we're seeing some really major shifts in focus. And I think potentially there are a few reasons for this, right? Certainly larger hospitals, health systems, and payors, those types of organizations, are bigger targets and juicier targets from a revenue perspective. So the attackers may be thinking, if we can crack this, we can get a really big payout. But I think what they've learned and are learning is that those larger organizations also tend to have more sophisticated cybersecurity programs, both in terms of monitoring as well as reaction and their ability to deal with the event. Whereas these smaller entities just don't have the same level of security preparedness, the same level of malware protection when it comes to the ransomware types of malware, and the budgets just aren't there for them to respond as effectively and quickly. 

Brian Selfridge: [00:04:12] So, you know, we've seen historically that across healthcare, attackers can be resident, I think it's like 277 days, in healthcare environments before they get detected. It's pretty crazy. It was a year for a while. We're getting better at it, but it's still pretty bad, and in the smaller organizations it's definitely longer on that kind of spectrum. So these attackers can kind of take their time, infiltrate the organization, wait for the right moment, and then deploy. And then even then, it's playing catch-up for the small organizations to figure out what's happened and respond to it, whereas large organizations are just much quicker on that whole process. We also see this coincides pretty consistently with what we see on attacks on the healthcare vendor space, so that whole third-party risk management arena that we'll talk about a little bit more in our session today. And really the thought process is very similar, right? So if you attack a third-party vendor, you're going to see a lot more return on your investment as an attacker, by what we say: sort of hack once and breach many. So as many healthcare organizations are centralizing to cloud platforms and systemic technologies, attackers begin to think kind of differently on how they're going to attack that. 

Brian Selfridge: [00:05:23] So, you know, these reports that come out from peers, healthcare and otherwise, are kind of harping on this point. They talk about the attackers putting focus on systemic technologies like EMRs in particular, or electronic health records, electronic medical records, however you want to call them, to siphon as much data as possible and cause as much operational damage as possible and push for ransom payments. So those are interesting trends there. I don't think anything entirely new, but definitely worth keeping our eye on, particularly if you are in the small to mid-size range of organization. You may want to just keep an eye on these trends, and understand that you're more in the crosshairs than ever before. And large health systems and payers, you're certainly not off the hook. But you know that because you have really good monitoring systems, right? So you can see all that. All right. 

Brian Selfridge: [00:06:10] In other breach-related news, and we think this one is a pretty big one: this week in mid-August, Cisco, that networking provider, if you've heard of them. I'm joking. I hope you've heard of them. They run the network infrastructure for, I would say, a great many healthcare organizations. They've reported that an employee's credentials were compromised after an attacker gained control of a personal Google account, where credentials were saved in the victim's browser and were being synchronized back to the cloud. 

Brian Selfridge: [00:06:41] And the bad actors were able to publish a list of files from the security incident to the dark web, which included over 3,000 files and 2.8 gigabytes of data. Now, you know, we think of Cisco, we think of Google, all these big sorts of major brands, and how could they possibly fall prey to these types of attacks? It's all about that sort of front line of defense, which is your employees and your awareness and security protocols around things like sharing cached credentials and password management and all that stuff, which applies very much to large organizations, just as it does to smaller ones. So that's sort of a takeaway for those that may be sort of letting their guard down a little bit with respect to awareness around these types of password management issues. Now, from Cisco's disclosure notification, they said initial access to the Cisco VPN, virtual private network, was achieved via the successful compromise of a Cisco employee's personal Google account, which we mentioned. I'm still continuing the quote here. It says the user had enabled password syncing via Google Chrome and had stored their Cisco credentials in the browser, enabling that information to synchronize to their Google account. After obtaining the user's credentials, the attacker attempted to bypass multifactor authentication using a variety of techniques, including voice phishing, otherwise known as vishing, and MFA fatigue, which is the process of sending a high volume of push notifications to the target's mobile device until the user finally just gets annoyed with it. 

Brian Selfridge: [00:08:06] I'm not quoting anymore. And they sort of just finally say, yeah, I'll accept this multifactor prompt because I'm getting so many of these that it's annoying. I must think the system's off or whatever. And so they either accidentally accept, or simply attempt to silence the repeated push notifications they're receiving. So I was going to end the quote there, but I ad-libbed a little bit in the middle, so you just have to roll with me on the intent of that. So currently, Cisco says there's no evidence that suggests that the threat actor group gained access to any critical internal systems such as those related to product development, code signing, etc. However, Cisco does believe that the attacker is an individual who had previously been identified as an initial access broker, or IAB, and has ties to the UNC2447 group and [name]. Now, that's the first time I've mentioned that name. That starts with a Y. I don't want to say it again. I feel like I did pretty good on the first time. And Lapsus$, those that have been listening to the podcast are well familiar with that. Those that have been listening to the CyberPHIx podcast also know about initial access brokers, right? We talked about those at length in a prior episode. 

Brian Selfridge: [00:09:14] If you haven't seen that, I will include a link to that episode, perhaps in our overall abstract and show notes here. So this story is just another reminder that this can happen. These types of attacks can happen to any organization, no matter how mature your program is or how large you are. And it does appear that Cisco has handled the situation appropriately and responsibly, and disclosed this whole incident once their CSIRT incident response investigation concluded. So we talk about that a lot here, right? Sometimes it's not always about the breach, it's not about exactly what happened, but how you respond: the timeliness, the transparency. And I would say kudos to Cisco for doing it right here, at least so far. Hopefully, that's the extent of the breach and not more, although 2.8 gigabytes of data is nothing to sneeze at. So we wanted to mention this on the roundup because it's the kind of compromise that could lead to further supply chain attacks down the road. Right now we say Cisco was breached, and it seems like an isolated thing. But we're no longer in a situation where a single breach kind of stands on its own and has a beginning and an end. A lot of times these breaches can be the precursors to larger breaches down the line, like we saw with SolarWinds. If you remember that initial compromise, if we had just said, oh, SolarWinds was compromised, somebody got access to their code, and we left it at that, we wouldn't really be giving an accurate account of the thousands of downstream customers of SolarWinds that were then compromised when the malicious actors pushed down their code as part of an auto-update feature of SolarWinds. 

Brian Selfridge: [00:10:48] So it's important for us to just start to connect these dots together and understand that the supply chain attacks that are much discussed can start with attacks like this. That may be the first foothold for the attackers, and then they later come back and exploit that access, or what they gained from that access, to attack other organizations that in this case perhaps use Cisco equipment, VPNs, and network devices, which we know is many, many organizations in the healthcare arena. So if you do use Cisco, be sure to get this on the radar of your team. Keep all of this in mind as the holiday season approaches and we wait for the next zero-day attack or supply chain breach announcements, hopefully not related to the Cisco breach, but you never know. All right. Sticking with a third-party risk theme here, it's hard to avoid it these days. A report from SecureLink produced some really interesting metrics on the state of third-party risk management in healthcare. So I want to run through some of those numbers with you. SecureLink conducted a survey of over 600 organizations across a wide range of industries. 

Brian Selfridge: [00:11:52] We're going to focus on the healthcare nuggets that they pulled out, thankfully for us. The first is that 55% of healthcare organizations that responded to the survey said that they had experienced a third-party breach within the last 12 months. So that's over half within, I was going to say calendar year, but this actual year. This was the second highest percentage of all industry sectors, beaten only by the financial sector, where 58% of companies said they experienced a third-party data breach. 65% of healthcare organizations said they did not feel that their I.T. systems are making third-party security and access a top priority. Now, if they said IT systems, I presume they meant their IT teams. But we know what they meant, right? So that's a "feel" stat. I always am a little wary of who feels what in the security realm, because a lot of times we're a bit zealous, aren't we? If we're honest with ourselves as security practitioners and risk practitioners, we're always sort of trying to make sure everybody knows that there's this threat. And I think there's a little bit of hyperbole that sometimes happens, a little bit of exaggeration. So 65% of organizations saying they don't feel their IT is up to snuff and up to the task, it's probably about right. But you just have to take it with a grain of salt. 

Brian Selfridge: [00:13:03] Now, across all industry sectors, 50% of companies said managing third-party security is overwhelming and a drain on internal resources. Now, that is a theme that I can absolutely stand behind. I think 50% is light on that front. The way that we do third-party risk as an industry is just not sustainable. I think folks are realizing that. We just put out a blog article on CORLtech.com, CORL Technologies, which we co-authored with HITRUST, the healthcare security standards organization, about this very situation of how overwhelming third-party risk is right now. So check that out. There are a bunch of good insights from our friends at HITRUST, along with our team here, that you can look at on CORLtech.com. A few other stats from this report that I think are worth mentioning. 49% of organizations had a comprehensive inventory of all third parties that had access to their systems or their data. So that's about right, less than half. I think that's even being generous when you say "I've got a comprehensive inventory." There's so much shadow IT. The inventory around third-party systems is really just, sometimes it's in GRC, it's spreadsheets, it's across multiple systems. If you're a healthcare provider, you may have an inventory of medical device providers, for example, that's separate and distinct from your other I.T. systems that come through other procurement channels. 

Brian Selfridge: [00:14:24] So inventory is a big problem. 48% of organizations said that the complexity of their third-party risk relationships is a major problem for them, and I agree with that. That's when you start getting into third-party risk, fourth-party risk, some of these sort of fourth-party products like Log4j, the breach we saw with that, or even Cisco could be considered in some ways in that category. They just continue to make things far, far more complex in understanding who you need to secure, who you need to work with, who has your data, and who, if they are breached, will cause a problem for you. 36% of organizations say they have automated processes for monitoring third parties, and 47% say that they are not highly effective at detecting third-party threats. Generally, you can argue with the stats and all that, but I think they're all in the right ballpark, more or less. Now, I'm a little surprised that the numbers aren't a little higher in some of these areas. You know, maybe it's an awareness issue, where you take some folks in the cybersecurity risk or I.T. part of the business that maybe just aren't focused on third-party risk. And I think that's actually part of the reason why third-party risk programs are kind of weak in a lot of cases: there's this assumption of, oh, well, we're dealing with that. 

Brian Selfridge: [00:15:35] We have it under control, when in reality, if you talk to the third-party risk focused teams in the organization, they're underwater, totally underwater. They're not able to keep up with the new assessments that come in for each procurement of a new system or third party. They certainly can't get back and look at legacy vendors that they've had for years and understand how their risk may have changed. So I think it kind of depends on who you ask, right? It depends on how effective organizations are and the perception of that within the organization. So the numbers are a little bit lower, but I think it still paints the picture well. We're struggling. We need to rely more on automation and the reuse of vendor risk data. We need to know our third-party and fourth-party populations better and just find a better path forward. So that's kind of what one of our companies here, CORL Technologies, does and focuses on. And there's a lot more innovation underway there that needs to happen for the industry to tackle this one. All right. Now, we don't typically stray outside of healthcare-specific news. We try to keep ourselves focused and keep you focused, right? But there are a couple of stories in the last couple of weeks or so that are affecting the entire cybersecurity ecosystem and industry that I think have relevance in healthcare as much as anywhere else. 

Brian Selfridge: [00:16:48] So I want to kind of dive into a few of those, just in the interest of making sure you see, eyes wide open, everything that's happening around healthcare, even if it's not healthcare specific. So the first example of that is LastPass. On August 25th, the popular password manager LastPass, if you haven't used this, it's one of those password keepers where you have a primary login and then you can get to all of your other passwords. For those of us that can't remember all of our passwords, and many people, particularly in our field, have to use these encrypted password-keeper things, LastPass is one of the most popular ones, I think, if not the market leader. So LastPass notified the public that they had experienced a compromise, and now I'll quote directly from the CEO's post here. They said, "Two weeks ago we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults." And further, continuing the quote: "We've determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally." So I don't know whether to be more worried about that or less worried. They certainly take a stance that, hey, it's not that big of a deal, single account, single breach, but I emphasize that point about taking portions of their secure source code and technical information. That is really, really worrisome. 

Brian Selfridge: [00:18:29] So this obviously got the attention of not only me, raising my eyebrows as I read that out loud to you, but many of our security brethren here are users of LastPass in our private lives. And there are definitely lots of companies that use the enterprise versions of LastPass. So this is not just an individual employee awareness thing. There are actually a lot of organizations that will keep their service accounts, their machine-to-machine accounts, which often are high-level privileged accounts, in there. You've got a lot of domain administrator accounts in your LastPass Enterprise systems that manage those privileged accounts, and they are used to do password sharing or to securely access systems centrally. So lots of reasons for concern here. LastPass has stated many times over that no master passwords or data within the vaults or personally identifiable information of its customers have been compromised. So again, I think that's good. But how concerned should we be about the line from their post about secure source code? I think it's a pretty big one. When you look at these trends again of downstream impacts, this is the first step, and we're starting to get more visibility: source code is taken, then some weeks and months may go by, and then all of a sudden there will be some zero-day, unknown attack. 

Brian Selfridge: [00:19:43] And people are like, how did this happen? These attackers are really good. And very often it can come back to these types of breaches, where they were able to compromise something like LastPass password vaults, have a backdoor into those, and then use that to gain access elsewhere. And it's not just financially motivated attackers, but obviously your nation states and your espionage and those types of disruptive actors or cyber warfare would greatly benefit from access to that source code. So something we need to sort of watch out for there. Now, there are certainly some counterpoints, just to tell the whole story. There are some counterpoints out there in our field that would say, well, source code may not be as valuable as it used to be, given the fact that there's so much leverage of open source code. Things like Log4j, we saw that. There's a whole Java ecosystem, there are all kinds of libraries, things that get pulled in by developers. So the actual source code that's in play for applications like LastPass and others may not be as juicy information as you may think. So that doesn't necessarily make me rest easier on a breach like this, but you've got to keep this stuff in the context of understanding what's the actual ability to exploit source code, what's the exposure. 

Brian Selfridge: [00:20:56] And I'm sure that work is going on aggressively at LastPass and other organizations, but it's worth keeping this on your radar. Maybe file this one away, and we'll let you know if we hear if anything actually comes of this. Or maybe it's a one-off and we wipe the sweat off our brow and move on to the next actual breach. Now, moving on to some other topics here, we've noticed a few articles that have hit the news wire and hit our scene in the last couple of weeks that are reporting on organizations being unable to afford cyber insurance. And I talked about that in prior episodes of the podcast. So we're seeing organizations receiving insufficient coverage or no coverage policy at all within the last 12 to 18 months or so. I think when you start to pull together what we're hearing from our clients and what's being reported in the news, there are a couple of key themes going on. First, the insurance providers and carriers are not getting enough in premium income to match the payouts they are having to pay, just flat out, for ransomware and other organization compromises. And as I've said kind of from the beginning here, going back years, you can audit me on this in prior CyberPHIx episodes, I think the cyber insurance carriers have never really quite been aware of what they're getting into with these coverages. 

Brian Selfridge: [00:22:11] I mean, that goes back years, that goes back 15 to 20 years, where there are underwriting policies and I don't think they had the correct cybersecurity expertise on staff to say, hey, you're taking on a lot of risk here. And the game changer for the realization that that was actually going to play out was just the volume of ransomware and other attacks that I think came as a surprise to the cyber liability industry, but not to those of us that have been working in this niche space of cybersecurity for as long as we have. So, you know, guidance coming from those monitoring this space is that insurers will continually rely more and more on forcing organizations to demonstrate key control effectiveness for your classic cybersecurity control areas, particularly during the underwriting process. And then they're going to find all kinds of reasons to either increase your premiums or deny coverage. So that's just something we're going to have to live with. And arguably, maybe they should have been doing that all along to some extent. Hopefully, they'll begin to rely on things like third-party cybersecurity certifications, like your SOC 2, your HITRUST, almost like those safe driver discounts for your car insurance: if you're a good driver and your stats look good and all that stuff, or if you get good grades. That's the only one I remember. 

Brian Selfridge: [00:23:27] That's what I remember from being younger. I couldn't quite correlate it, but they had so many mathematicians and actuaries and things that could make that correlation, say, hey, smart kids apparently get in fewer accidents. I think we'll start to see more correlation-type work from cyber liability providers that really looks closer at the control-by-control level maturity of organizations to inform their policy writing. And so that would be a welcome change, although nobody wants to deal with yet another security questionnaire and audit in our world. But unfortunately, that's kind of part of the nature of the way things operate right now. And we'll talk about the future state in other sessions. But I think the industry has to move away from this sort of everyone-assesses-everyone-else-all-the-time model to more of a third-party assurance model like HITRUST and others, where you can say, let's get a third-party validated position on our cybersecurity posture and use that to explain to vendors why we have good security, and use it to explain to cyber liability providers why we have good security. And I think that's going to be one of the things that has to happen and will happen in the industry. So you can quote me on that a couple of years out as well, if necessary. But the specific control areas, if you want to know, that cyber liability insurance providers right now are focused on are some of the ones you might expect. 

Brian Selfridge: [00:24:47] So if you don't have strong protections in these areas, definitely bolster them up. They are: multifactor authentication, that's a huge one; endpoint protection; restricted administrator rights; vulnerability and patch management; staff awareness and training; suitable and regular backups; and then finally, tested business continuity and disaster recovery planning. I mean, apart from cyber liability insurance providers pointing that out to us, I think that's a great punch list of top controls to pay attention to. It's almost like the SANS critical controls that they would put out, or the CIS Critical Controls benchmarks, for those that are familiar with those, where you just say, tell me what are the top ten, for example, what are the top areas that, if I did nothing else in my cybersecurity program, I should focus on? And I think that list I just rattled off is an excellent summary of the most important areas. If you get those areas and controls done right, you will significantly reduce your exposure and the potential and impact of breaches. So I'm glad that we're all on the same page in that respect. And finally on this one, the other area that the liability providers are focusing on is your ability to handle third-party risk management, and how you are dealing with the vendors that you share your data with, or which you allow into your network or your ecosystem for critical or sensitive information. I think that is really telling. 

Brian Selfridge: [00:26:08] So we're getting away from just specific controls to, now, how well are you managing your third parties? And, you know, that's not an easy thing to demonstrate. And I think most organizations, looking at some of the stats we cited earlier, really don't have a good handle on their third-party inventory, right? They aren't doing the right things, and they may feel like they're doing enough. But I think when you start getting that report back, when you start getting denied cyber liability insurance coverage, that sort of blows out of the water the whole idea that you've got third-party risk management covered. I just think there's a false sense of security happening right there in that space in a lot of organizations. So, you know, we'll see the pressure continue on third-party risk. We'll see the pressure continue on these control areas. The breaches are going up. Liability providers can't keep up. I apologize if we're sounding like a broken record on some of these topics, because we have talked about them, but they're really kind of solidifying and crystallizing into increasingly more impactful risks than they ever have been before. So our job is to share that with you, let you know how the trends are moving, so you can hopefully adapt that to your own knowledge and your own programs accordingly. 

Brian Selfridge: [00:27:19] All right. In other news, we'll get away from breaches for a minute; we've been there for a while this session. NIST, the National Institute of Standards and Technology, hosted its first workshop in mid-August on Cybersecurity Framework 2.0, the CSF, for those that like to call it that. So this is an update to version 1.1 of the CSF, which was released in 2018. So we're due for an overhaul. As we see, all these things are changing; the threats are changing. Heading into the workshop, NIST issued a request for information asking commenters to answer questions about bringing the CSF up to speed on some emerging developments that were only partially covered in the first two versions, or not referenced at all in some cases. There were over 7,000 global attendees at the workshop. It was a virtual workshop, which makes it a little easier; 7,000 in person, I think, would be difficult. So the agenda covered six topics, and I'll rattle those off for you. They had a general discussion of what CSF 2.0 should look like, and talked about lessons learned from the development of profiles that are part of the framework. There was some discussion of international use of the framework and its alignment with non-US standards. We think of NIST as a predominantly US-based thing, but it really is getting leveraged all over the place, as it should.

Brian Selfridge: [00:28:35] It's a great framework. They talked about governance matters and the governance of the CSF. They talked about measurement and assessment, and finally supply chain considerations. So there's your break from us talking about third-party risk: we talk about the supply chain. It's the same thing. All right. We won't get into all the details that were covered; it's just a massive undertaking, 7,000 people, all those topics. But here are a few interesting points that stood out to me and to us. There was a lot of discussion about how the CSF would best serve the industry by better aligning itself to pair with risk management frameworks and with some of the actual risk management measures that organizations use. The CSF does overlap with existing dedicated risk management frameworks, but many would say not to the extent that materially aids in cybersecurity program regulation. So for a long time you had to kind of pick your cybersecurity standard of choice, right? And there was a big NIST versus HITRUST debate, even though HITRUST is a superset of NIST, and I'll get off my soapbox about that. They're not really competing; they're complementary. But there's a perception that you have to pick: is it NIST 800-53? Is it the CSF? Is it ISO? What framework do you use? And then folks in our field got kind of religious about which one was the best one and which one was most appropriate. 

Brian Selfridge: [00:29:52] And the reality is they're all good and they're all useful. So I think that discussion about how we line these up better and map them is really important, and it allows us to take advantage of the work we've done on other frameworks, but also take advantage of the new guidance from the CSF and the updates on things like supply chain, for example, so that we don't have to wait for ISO to update their stuff, or whatever. It was also noted in the workshop that NIST plans to update the NIST SP 800-55 special publication, which is the Performance Measurement Guide for Information Security, to align it with CSF 2.0. This new one provides more useful control guidance for organizations that choose to use it. However, the consensus of the conference was that the framework has to maintain its flexibility regardless of the measurement attributes of the company. The concern with version 2.0 is that if it leans too much toward hard requirements, like "thou shalt do this, this, and that," fewer industries and organizations are going to be able to customize it to make sure it fits their business. I think the classic case with this is that we always joke that NIST 800-53 was kind of the Department of Defense-level Fort Knox security program, and had all this wonky language and all this stuff you specifically had to do. 

Brian Selfridge: [00:31:05] And when you got into a healthcare provider setting, for example, it just wasn't feasible or appropriate or reasonable. So you end up having individual organizations make these decisions to just flat out not comply with it, but then they say they're complying with it, and that caused issues. So allowing the CSF to be a little bit more flexible is good. And that's a perennial discussion that happens in the regulatory space, too, right? We talk about HIPAA and OCR. We always come back to: how prescriptive does this stuff have to be versus how much flexibility should you leave organizations to choose? And I like, for example, the way HITRUST has handled that, where they are prescriptive, so I don't have to guess at how many characters the password policy should be. They'll tell you to that level. But there's the flexibility of knowing you don't have to get every single control in HITRUST lined up in order to get certified. For example, you can get a 70% or 71% on your report card, so to speak, and still get certified. And that's an acknowledgment that there's some flexibility necessary there. So we're glad to see that in the next conversation. I'll give a few more updates on this NIST conference, because I think there's just a lot to unpack here that's worth paying attention to. 

Brian Selfridge: [00:32:11] So continuing along the risk management path, it looks like there was some interesting discussion on what we call control effectiveness. It was acknowledged that measurement of the effectiveness of the CSF versus the effectiveness of individual controls are two very different perspectives. However, the two levels of measurement are directly related to one another. So if any of you have ever tried to represent your own overall effectiveness in the classic NIST categories of Identify, Protect, Detect, Respond, and Recover by rolling up your individual security control scores at the more granular level, it can get really, really difficult to then paint a picture of how the program is doing overall, and I think a lot of times it looks a lot more grim than reality. You're going to see a lot of reds if you go control by control, that grassroots, ground-up kind of view. So this is an important problem to solve, especially for larger, more complex organizations that need to be able to roll this stuff up. And we know that, speaking of the cyber insurance providers we mentioned earlier, they're using this CSF scoring and measurement of objectives to determine premiums in an inverse proportion. So this is an interesting take. I think it would be helpful in justifying the expenditure needed to develop and maintain a cybersecurity program if you had proper reporting in alignment with the CSF. 

Brian Selfridge: [00:33:30] But we need to figure out how we're going to do this overall. And while I don't think the conference came away with a particular silver bullet answer to that complexity and that problem, getting that discussion going and making sure at least that the CSF is amenable to some degree of roll-up of the overall posture, I think, is really important. While we're talking about supply chain and third-party risk, there was some interesting discussion on that front. In the current version of the CSF, we have that supply chain cybersecurity domain, if you will, an area that was added. It was unanimously agreed that it should stay in version 2.0. That's kind of funny: everyone agrees not to deprecate this part of it, so I'm not sure how useful that particular takeaway was. But the CSF currently lumps together vendor supply chain, software supply chain, hardware supply chain, supply chain providers, and others. So some contributors in the discussions thought that, hey, it might be good to break some of these out, right? Your hardware supply chain, for example, is very different from your third-party risk management and data security kind of focus. So can we have some different standards here that are a little bit more related to the specific areas that we're talking about, rather than trying to roll them up and be reflective of all the different types of, quote-unquote, supply chain risks that are out there? 

Brian Selfridge: [00:34:58] So this workshop was just an initial step in the process to develop version 2.0. We're not done. The process historically takes a year or a little bit more, so I wouldn't expect to see a new version published until mid-2023 at the earliest, and a lot of times it's probably even later than that. So get your ear to the ground on this one. If you want to have a say, if you feel opinionated about NIST and the CSF, get involved. 7,000 of your other colleagues did. Why not you? You too can gripe and complain. Now's the time to have that. And then once it's out there, stop griping and complaining and go forth and build it and use it. So while we're talking about security standards, let's stick to that for a little bit. Our friends at HITRUST were recently selected for TEFCA security certification. Now, let me explain what all of that means. HITRUST, again, is a standards body. They put out the HITRUST cybersecurity framework, the Common Security Framework, I should say; all these CSFs get me messed up from time to time. So they have worked with TEFCA. TEFCA stands for the Trusted Exchange Framework and Common Agreement program, and TEFCA has selected the HITRUST risk-based, two-year r2 certification. 

Brian Selfridge: [00:36:11] All of that gobbledygook means basically the traditional certification. HITRUST has released a couple of new products this year, like their i1 certification, that look and feel a little bit more like a SOC attestation. Just to give you some context on that, if you're not sure about all that rigmarole, you can go back and listen to prior episodes where we talk about HITRUST, and Meditology Services has put out a bunch of webinars and materials around HITRUST certifications and what the different flavors are. Anyhow, TEFCA selected the flagship HITRUST certification, the r2, as the first certification for organizations to prove that they comply with the TEFCA security requirements for their Qualified Health Information Network, QHIN, designation. Now again, I need to put some more background on this. TEFCA came out of the 21st Century Cures Act. Again, we've talked at some length in prior episodes on that. It is the national-level healthcare interoperability model put out by the Department of Health and Human Services and ONC. This applies mostly to organizations like health information exchanges, and any organization that's going to be taking and shuffling healthcare data from healthcare providers to payers and other entities that are involved in that whole health exchange model and leveraging the federal government's incentive programs associated with those and the federal laws. 

Brian Selfridge: [00:37:27] So TEFCA brings together public and private stakeholders to develop this exchange framework that includes a common agreement for data exchange between health information networks. The move towards health information networks has been growing for years, right? I mean, this goes back, gosh, 20 years. We were building some of these early ones in the healthcare sector, and they're still evolving and maturing. But there have been a ton of challenges with interoperability. There's disagreement on regulatory requirements for data sharing, cybersecurity requirements, and the like. So we're really looking for organizations like TEFCA to provide some guidance on what is an appropriate standard of security. If we left everyone to their own devices, we could end up with a lot of organizations sharing across these health information networks and health information exchanges that could potentially be substandard to what we would expect, and that would be the last place we want to see breaches, because that's the aggregation of health information from so many organizations, and that could be a major risk. So yes, an important advancement, I think, for us as an industry as TEFCA gets involved. We also like that we're rallying behind HITRUST. There just aren't that many options to choose from, right, to actually have third-party-verified attestation that your cybersecurity program and controls are up to speed. You can reference the CSF or 800-53, but at some point you need to assess against them. 

Brian Selfridge: [00:38:52] Otherwise anybody can say "we align with NIST," but if I'm a security provider involved in the health information exchanges, that doesn't give me the warm and fuzzy feeling that you have all the security in place. A certification like HITRUST r2 absolutely does let me know that you're doing all the right things and have made the investments to secure it. So we'll continue to report on this. This is an area that's very close to the work that we do here at Meditology Services and CORL Technologies, our organizations here, relative to third-party assurance of these types of security controls. So we'll keep you posted. If you are participating in TEFCA or QHINs or HIEs, reach out to us; we've got a whole team that does nothing but secure those environments, and we'd be glad to help you along with that. In other industry-standard news, H-ISAC, which is the Health ISAC for those that aren't familiar with it, is the federal government entity that's a public-private partnership providing guidance for healthcare organizations. They released a white paper with guidance on this whole zero trust architecture in healthcare. Zero trust is a tricky topic. There's a lot of debate about whether or not zero trust is more or less a buzzword that encompasses a lot of the right standard cybersecurity hygiene and practices that we've been talking about forever and a day. 

Brian Selfridge: [00:40:15] Or is it something new that's really focused on something soundly unique? I kind of fall in the former category. I think there's a lot of focus in zero trust on a least-privilege approach to identity and access management, which have been underlying theories for cybersecurity for years. But regardless of what you think about zero trust terminology, the paper is useful in the sense that it frames zero trust as more of an identity-centric concept rather than a thing that you go after as an overarching model, the way a cybersecurity framework like NIST or HITRUST might. The paper even goes as far as to say, and I'll quote it here: "Implementing a zero trust architecture is not as simple as going to one vendor and picking a solution off the shelf. There are several components that need to be integrated together to create a holistic zero-trust architecture." It goes into a little more detail on those components, which include identity and access management, cloud security gateway, data security, network security, workload and application security, and device security. So I'm glad that we're starting to narrow this discussion down a little bit to what zero trust means, at least to H-ISAC or their members and participants on the paper. The paper itself is light. It's seven pages long. It's not a comprehensive zero-trust playbook. Now, NIST did put out a massive zero trust document that I covered in a prior episode, if you want to check that out. 

Brian Selfridge: [00:41:41] And that is in the weeds, I'll tell you. But all good stuff, and all good things that we should be doing. But this is probably worth checking out, the H-ISAC report, if you want to see if you get anything out of it. There are really five key takeaways that they highlight in their report. One is they define zero trust. That helps; I mentioned the buzziness of the term. They talk about how zero trust fits into the H-ISAC framework for managing identities, so that's tying back to existing Health ISAC guidance. They talk about core tenets of zero trust and the implications for healthcare organizations, healthcare-specific challenges with zero trust, and then steps to begin implementing zero trust. So I'm still not convinced that zero trust is a place to spend a whole lot of energy. If, by all means, you have mastered HITRUST, the CSF, or both, and you feel like your maturity on those controls is at a consistently strong level, so maybe a level four or above on the NIST PRISMA scale of five, which is just a common maturity rating, if you feel like you're up there at that four out of five, or you really have things under control, I think by all means start digging into this stuff. 

Brian Selfridge: [00:42:52] But if you don't have the basics down, I personally wouldn't spend a whole lot of energy, if I'm a CISO, looking at all the zero trust documentation coming out and looking to overhaul your program to reflect a zero trust architecture. That said, I'm not dismissive of it. I think you should read these things and look through these reports and see if there are core nuggets of implementation guidance and things that you could take back and put into play in your environment. I think that is tremendously valuable. And like it or not, zero trust is the talk of the day. We'll see if it has staying power, but certainly the federal government is rallying behind it. So I think that's why we see it from NIST and we see it from other areas. So definitely worth reading up on this and seeing what you can take away from it. Now, while we are talking about the federal government, I think we should stick with that as a theme for now. The Health Sector Cybersecurity Coordination Center, HC3 (I always forget how many C's there are, but there are three; maybe that will help me), issued an analyst brief on the challenges that healthcare is experiencing with cloud security. So that's another one we didn't touch on. 

Brian Selfridge: [00:44:03] How did we get this far into the conversation? We talked about third-party risk a lot, and cloud security is an important kind of subsector of that in a lot of ways. So the feds, as we call them, the feds are becoming this conglomerate of a lot of different organizations, right? We have the CSA, we have CISA, we have the FBI, the NSA; everybody is rallying around. But anywho, that's my second "anywho" of this episode, and I don't think I've said that as many times this year, so you're welcome for that annoying phrase. They talk about the top cloud security threats being phishing schemes to steal cloud credentials; cloud hijacking, involving cybercriminals taking over accounts, so that's not good; shadow IT, which they define as the unsanctioned use of public cloud services by employees, but I think we all have a sense of what shadow IT is: it's unmanaged IT being done outside the visibility of your cybersecurity teams and your IT functions, largely. They also talk about the lack of cloud visibility, such as blind spots that result in a failure to alert on security incidents. And then finally, and I think the most important one, is misconfigurations, including unrestricted inbound and outbound ports, unsecured application programming interface (API) keys, disabled monitoring or logging features, and leaving the Internet Control Message Protocol, ICMP, open.

Brian Selfridge: [00:45:31] So for those that aren't super tech nerds like me and others, ICMP is the base protocol behind ping. So if you're trying to have one machine talk to another and just see if it's still alive, you send a little ping message, and leaving that open is a problem. I remember a case, this was years ago, of a sophisticated attack where a bank was hacked, and the attackers had secretly, almost like a Trojan horse, encoded a little bit of code in each little ping packet that says, "hey, are you alive?" When assembled on the other end, the recipient computers, the victim computers, would actually run malware that stole information and stole a bunch of money from some big banks. That's fascinating to me, that type of attack, and I think that goes back to: you can't really be lax about any protocol and say, oh, it's only ping, what can they do? Well, attackers know that you leave those open and let everything ping everything else for good networking reasons. But it's these types of attacks that are showing us that not only on our hosted systems but in cloud configurations we could end up with these types of attacks happening. And I really like that specific list of misconfigurations around interface keys and monitoring and logging features. So definitely do take a look at the HC3 alerts and those specific areas they recommend you focus on in your cloud environment, because, as we talked about with the IBM Ponemon report last time, cloud misconfigurations are, like, the top breach root cause. So definitely lots of reasons to pay attention to this now. HC3 also makes some practical recommendations for best practices to implement when using cloud services, so they talk about how to fix the problem. Use a cloud service provider that encrypts data. That should be kind of obvious, but we've got to say it. Conduct routine compliance audits. 
If you're not doing cloud security audits, if you're thinking, oh, it's outsourced to the vendors and the vendors use the cloud, or it's somebody else's problem, that's a problem for you. Make sure you're doing those audits: audits of your third parties, audits of your cloud implementations, your configurations. That's something that Meditology is doing a ton of these days, these implementation validation audits where we're assessing and seeing, hey, did you set all the flags the right way? If you didn't, that's a big problem, and it's arguably nobody's fault but your own. But anyway, audits help you identify that stuff. HC3 also says implement a zero trust model (here we are, back to the feds and their zero trustworthiness), establish and enforce security policies, and set up preferred privacy settings. 

Brian Selfridge: [00:48:10] They talk about using multifactor authentication (we talked about that), maintaining cloud visibility, installing operating system updates, and avoiding use of public Wi-Fi. That's a really interesting one to call out in their top list, but that's it. I mean, people can sniff the networks if you're at Starbucks and you're hitting up your cloud environment and logging in; people can sit and listen in on that and potentially capture some credentials and other stuff. So that's an interesting one. And they said make sure you understand cloud compliance requirements and regulations. Boy, that's easier said than done, isn't it? But we'll help you with that, right? That's what we're here for. All right. That's enough on that one. Just a couple more updates for you here before we round out our busy, busy roundup. On August 22 of this year, the FBI issued a press release warning those employed in the healthcare industry of scammers that are impersonating law enforcement or government officials in attempts to extort money or steal personally identifiable information. Say it ain't so. They're pretending to be the FBI and OCR, so be careful about that one. This is what they said in the alert from the FBI: scammers, as part of a large criminal network, research background information on their intended targets through a medical practice's website or social media, and supplement this information with information found on common social media websites such as Facebook, Instagram, LinkedIn, etc.,

Brian Selfridge: [00:49:31] to make themselves appear legitimate. Scammers will often spoof authentic phone numbers and names and use fake credentials of well-known government and law enforcement agencies to notify the intended target that they were subpoenaed to provide expert witness testimony in a criminal or civil court case. I find that kind of interesting. I'll pause the quote there, because I actually do that work for OCR, expert witness testimony, and there are not many people that do that. So don't be fooled. The way that you get engaged to do that work is not through an email or someone saying, hey, you're super smart, why don't you come be an expert? It's a lot harder than that and a lot more complicated. And by the way, contracting with the federal government is no easy matter and comes with far more red tape than just clicking yes on an email or whatever. So anyway, let me continue the quote. They say the healthcare professionals are notified that, since they did not appear in court, they are in violation of a subpoena and have been held in contempt, and an arrest warrant has been issued for them. So it sort of feels so wrong, because of all these things we train our end users on: hey, if it sounds urgent, if it sounds really interesting, if it sounds really important and critical, and you're getting it through an email or a phone call, it's probably not legit if it's the first you're hearing about it. 

Brian Selfridge: [00:50:44] And this applies to us; we're actually getting targeted. It's not just cybersecurity professionals, but healthcare workers in general, who I think are potentially liable to fall for some of these attacks, because they sound super scary. The notification from the FBI goes on to explain that victims will be told they'll pay a fine, or be held in contempt of court, or have their medical license revoked. So, right, all the scary stuff. And the attacks seem to vary in the types of payment requested: everything from prepaid cards (there's your red flag) and wire transfers to cash sent via mail and cryptocurrencies. I kind of want to get one of these alerts that says, hey, you didn't show up for your expert witness testimony, therefore send me cash in an envelope in the mail to avoid the fine. I'm not sure who does that, but some of the other methods seem, I guess, more plausible. So the release from the FBI provides tips to protect yourself. They say: be aware that law enforcement or government officials will never contact individuals by telephone or demand any kind of payment. Legitimate investigations or legal actions are done in person or by official letters. Request credentials to verify identity. 

Brian Selfridge: [00:51:59] So if they flash the badge at you, let's be careful about that. It's like those old cop shows where they come up to the door and flash the badge, and everybody just lets them right in. This is the virtual equivalent of that. Understand that no real law enforcement or government official will request payments via prepaid cards or cryptocurrency. Hopefully you kind of knew that already if you're a listener to this. Never give PII to anyone without validating that the person is who they say they are. So obviously you guys get this, right? Nothing too surprising. But you should be aware that these calls and attacks are happening, and notify and update your security awareness program so that your staff knows, so that your workforce is aware, especially that they're targeting healthcare specifically. And that may be enough for some folks to say, well, they did say healthcare; they did look up something specifically about me on my LinkedIn, and they know what department I'm in. You just have to be careful about this stuff. They're getting sophisticated, so keep an eye out for that. Let your folks know, and hopefully make it not worth the attackers' while to try to be successful using that method. All right. The last update that we're going to cover today is one that we simply couldn't pass up. 

Brian Selfridge: [00:53:08] HC3, the Healthcare Cybersecurity Coordination Center (I'll never remember what it stands for), warned on August 29th that a Russian cybercriminal group known as Evil Corp posed a significant threat to the US healthcare sector. Now, I have to comment on Evil Corp. There was always this question, when we started in healthcare cybersecurity, or cybersecurity in general, like, who are the good guys? I think we're the good guys, and there are some bad guys out there. The fact that there's a group called Evil Corp makes it so easy to know that we're the good guys. We absolutely have to be. The bad guys aren't even trying to pretend not to be bad guys. This is like an old movie, or Dr. Evil or something; that's exactly what he would call his company. Anyway, anywho (I'll do a third just for good measure here), Evil Corp first emerged in 2009 and is behind the development and operations of some of the most powerful malware and ransomware variants used in the current threat landscape, according to HC3. They say the group has infected computers and harvested login credentials from hundreds of banks and financial institutions in more than 40 countries, stealing over $100 million. Evil Corp (I still chuckle every time I hear it) uses relationships with other cybercriminal groups and the Russian government to gain access to other malware and ransomware variants such as TrickBot, Emotet, and Ryuk. 

Brian Selfridge: [00:54:27] You guys will remember those from our extensive coverage of the Russian attacks on healthcare, the Russian cyber war stuff. So this is not new. Evil Corp is partnering up with all those players to be even more evil. These variants are known to prolifically target the healthcare sector, says HC3. The group has repeatedly modified its tactics to evade US government actions and thwart them. That's not surprising, given the Russian correlation, and the HC3 alert warns that the defense and mitigation recommendations are impractical so long as the group continues to customize its tactics. So let's get together and stop Evil Corp. If we can do nothing else, let's just focus on that, and then we can all ride off into the sunset, and it will be problem solved, and the movie will be over, and we can all go back to easy lives with no cyber attacks. It's not going to be that easy. But in the meantime, let's keep an eye on what these bad guys are up to and try to thwart them at every turn, superheroes that we are. So that's been quite a lengthy, lengthy episode. Appreciate you guys sticking in there for it. 

Brian Selfridge: [00:55:32] And that's all for this episode of The CyberPHIx healthcare security roundup. We hope this has been informative for you. We'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. That's all we have for this week, and it's quite a lot, but so long, and thank you for everything you do to keep our healthcare systems and organizations safe.