TLP White: In this edition of Hacking Healthcare, we examine a potentially revolutionary development in AI-aided cancer detection technology. We then break down a concerning cybersecurity trend in the Asia-Pacific region. We also explore the startling revelation that several major antivirus companies have been breached. Finally, we consider a new update regarding accountability in the Anthem breach.
We hope that you are attending the H-ISAC Spring Summit! I will be there for a couple of days and welcome anyone who would like to say hello and offer your thoughts on our newsletter. As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1, AI Predicts Future Cancer Development.
Authors note: Hacking Healthcare spends a great deal of time talking about risks across a wide range of technology and policy areas, including with AI. While those risks are real, it is important not to lose sight of the great innovations that are taking place and why they matter. Not counting some kinds of skin cancer, breast cancer in the United States is:
- The most common cancer in women, no matter your race or ethnicity.
- The most common cause of death from cancer among Hispanic women.
- The second most common cause of death from cancer among white, black, Asian/Pacific Islander, and American Indian/Alaska Native women.[1]
We promise to get back to the risks of AI in the future, but for today, we offer this:
From our “Not all News is Bad” department, we remind everyone that catching cancer early is key when it comes to ensuring the best possible outcomes, and while there have been significant advancements in imaging technologies that diagnose the disease, a new AI advancement may fundamentally change screening and treatment. Last week, a team from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) working in conjunction with Massachusetts General Hospital (MGH) released news that their deep learning AI model has the potential to radically improve breast cancer diagnoses by accurately predicting the future development of breast cancer by up to an astounding five years in advance.[2]
The deep learning program was trained on data from over 60,000 MGH patients by analyzing over 90,000 mammograms.[3] The sheer amount of data the program sifted through enabled a repetitive learning process that identified subtle patterns in breast tissue that would eventually grow into cancer. These subtle differences are hard enough to detect even before accounting for the wide variability in women’s breast tissue, which has made traditional models less accurate than what might be hoped for.[4]
One of the authors of the report hopes that this new AI model may revolutionize the way we approach cancer screening by transitioning from a one-size-fits-all approach to a more personalized risk-based approach.[5] This may prove especially true for minorities. The report acknowledges that early models for cancer screening were primarily based on the data from white populations and do not account for certain genetic differences that can impact cancer development.
2. Asia-Pacific Organizations Fail to Prioritize Cybersecurity.
A new study from Frost & Sullivan highlights a severe lack of cybersecurity concern from Asia-Pacific organizations. According to the study, 83% of organizations do not spend time considering the cybersecurity aspects of their digital transformation projects, especially as they relate to cloud adoption.[6] The study found that while nearly 70% of organizations have adopted cloud computing, the majority believe that security responsibilities lie with the cloud service provider.[7]
The study appears to show that organizations in the Asia Pacific region are quick adopters of emerging technologies, but their lack of cybersecurity maturity and failure to implement a security by design philosophy serves as an impediment to successful implementation. This fact is epitomized by the statistic that 83% of organizations did not consider cybersecurity until after their digital transformation projects had already begun.[8]
From a more general perspective, the Frost & Sullivan study helps to outline the delicate balance that all organizations must strike between reaping the potential benefits of the early adoption of new technologies and taking a more measured, methodical approach. The plethora of new technologies like cloud, IoT, and AI offer myriad opportunities, but they have also created significant new threat vectors and vulnerabilities that must be understood to fully take advantage of them.
3. Antivirus Companies Hacked.
Last Thursday, Advanced Intelligence reported that three unnamed U.S. antivirus companies had been breached and access to their source code and networks was being actively sold online. The validity of such a serious claim was further backed up by samples that have been made available by Fxmsp, the group responsible.
Fxmsp is a known entity in the security community and traditionally has targeted multinationals and governments, making nearly a million in profits by selling access to the data acquired through their breaches.[9] Advanced Intelligence noted in their report that the group first announced their access to these companies’ data back in March and set an asking price of over $300,000 for it.[10] This data includes “code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers.”[11]
4. Charges Related to The Anthem Breach.
The breach of health insurer Anthem sent shockwaves through the news in 2015. However, despite the outrage over the massive amount of data stolen, around 78 million records, no charges were brought and attribution of the attack was muddled.[12] Many suspected it was the work of a Chinese espionage campaign, but the U.S. government declined to take a conclusive stance. That changed last week when the DOJ unsealed a four-count indictment against two Chinese nationals for the Anthem breach and three other unnamed U.S. businesses.[13]
It is highly unlikely that hackers charged will ever see a courtroom or be sentenced, but the public naming and shaming may serve as a cautious poke at the Chinese government in a time of heightened tensions between the two nations. These tensions may explain why any mention of the potential motives behind the attack, or any allegation that the attacks were directed by the Chinese government, are notably absent from the indictment. It remains to be seen how the Chinese government will react to the indictment, but a denial of responsibility and questions about the legitimacy of the attribution seem likely given similar actions in the past.
Congress –
Tuesday, May 14th:
–No relevant hearings
Wednesday, May 15th:
–No relevant hearings
Thursday, May 16th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019-6/19/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
< https://h-isac.org/summits/european_summit/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Financial crime outpaces espionage as top motivation for data breaches, Verizon report finds
–Alleged FIN7 hacking director Andrii Kolpakov set to be extradited to the U.S.
–Over 275 Million Records Exposed by Unsecured MongoDB Database
https://www.bleepingcomputer.com/news/security/over-275-million-records-exposed-by-unsecured-mongodb-database/
–Limit How Long Google Keeps Your Data With This Overdue Setting
https://www.wired.com/story/google-auto-delete-data-privacy-setting/
–Back Brief: Hackers Stole $40 Million From Binance Cryptocurrency Exchange
https://www.wired.com/story/hack-binance-cryptocurrency-exchange/
— Nine Charged in Alleged SIM Swapping Ring
https://krebsonsecurity.com/2019/05/nine-charged-in-alleged-sim-swapping-ring/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cdc.gov/cancer/breast/statistics/index.htm
[2] http://news.mit.edu/2019/using-ai-predict-breast-cancer-and-personalize-care-0507
[3] ibid
[4] https://www.healthcareitnews.com/news/north-america/mit-ai-platform-beats-existing-models-predicting-cancer-risk
[5] ibid
[6] https://www.crn.in/excellence-awards/2018-winners/enterprise-security/two-thirds-of-asia-pacific-organizations-say-failure-to-prioritize-cybersecurity-hampering-digital-transformation-journey/
[7] ibid
[8] ibid
[9] https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/
[10] ibid
[11] ibid
[12] https://www.wired.com/story/anthem-hack-indictment-china/
[13] https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including