TLP White: This week, Hacking Healthcare takes a look at how security researchers found serious vulnerabilities in a contact-tracing application used in the Philippines and highlights the role of coordinated vulnerability disclosure in remediating them. Next, we ponder what PayPal’s acceptance of cryptocurrency might mean for ransomware perpetrators and victims. Finally, we revisit the issue of attacks against COVID-19 related research and why healthcare organizations should be wary about expecting attacks to wind down.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

 

Welcome back to Hacking Healthcare.

 

1. COVID-19 Contact-Tracing App Vulnerability Highlights the Benefits of Coordinated Vulnerability Disclosure

In the quest for effective tools to help mitigate COVID-19’s spread and kick-start sluggish economies, digital contact-tracing applications have been touted as a potential game changer. As we have discussed previously, modernizing the well-established concept of contact tracing by leveraging digital tools promised to allow healthcare agencies to quickly spot and contain potential outbreaks. However, privacy advocates have raised serious concerns about the security, privacy, and efficacy of such digital programs, often noting the potential for intentional misuse of collected information by governments and the inherent conflict between deploying quickly and adequately testing data security capabilities.

Last week, commentators’ fears over what could happen if digital contact-tracing programs were insufficiently secured may have come to fruition. Multiple news sources reported that the Philippines’ COVID-KAYA, an app “for registered health workers only” that “assists frontline responders” in sharing COVID-19 data, was found to have multiple significant vulnerabilities.[1], [2] These vulnerabilities existed in both the web and mobile versions of the app and allowed for unauthorized access to healthcare worker data and potentially to patient data.[3]

Thankfully, the organization that brought the story to light, The Citizen Lab out of the University of Toronto, appears to have initiated a coordinated vulnerability disclosure plan upon discovery of the vulnerabilities back in August, and as of the end of October, the issues were confirmed to have been resolved.[4] It is unknown to what extent information collected through the contact-tracing tool could have been compromised, but this story at least appears to have a happy ending.

Action & Analysis
**Membership required**

 

2. PayPal’s Acceptance of Cryptocurrency Has Ransomware Implications

In October, PayPal announced plans to begin to allow a limited subset of users to buy, sell, and hold cryptocurrency.[5] PayPal is now on the cusp of bringing this capability to all U.S.-based accounts and will soon be adding cryptocurrency support to Venmo before expanding into other global markets.[6] While there remain those with doubts that cryptocurrencies will ever become a truly mainstream form of payment, integration into services like PayPal certainly won’t hurt their further adoption, and may be the first and only way many consumers and organizations interact with cryptocurrency. Doubts aside, this development does seem to be a logical evolution for payment processors, and it is likely PayPal won’t be the last. As is often the case, however, this evolution may be a double-edged sword, at least for some.

In theory, one effect of bringing cryptocurrency to mainstream payment processing is that it will likely make ransomware payments easier. That may sound like a good thing, and indeed it may be in some instances. For most organizations, the goal is to get systems back up and running as quickly as possible, and once a decision has been made to pay a ransom, the faster that can be done the better.

But there could be a downside. To date, the relative difficulty of obtaining cryptocurrency after getting hit by a ransomware attack has occasionally helped the victim by introducing delay. Walking victims through the process of acquiring and transferring cryptocurrency adds friction to the process for the malicious actors responsible, giving victims more time to assess their options. However, if the process of acquiring and transferring cryptocurrency is significantly streamlined in the future, it could end up harming ransomware victims by lowering the barrier to payment and increasing the incentive for bad actors to carry out such attacks.

Action & Analysis
**Membership required**

 

3. Microsoft Calls for Action as Malicious Actors Continue to Target the Healthcare Sector

In a blog post from last week, Microsoft sought to highlight continued cyberattacks against healthcare organizations working on COVID-19 related research and products, as well as more general attacks against the healthcare sector globally.[7] Its intent, beyond placing an additional spotlight on this important issue, was to urge governments to take action to curb the very real risk these attacks pose should they be allowed to continue.

The blog post begins with a breakdown of the flurry of major cyberattacks that have occurred against the healthcare industry in numerous countries over the past year, and follows that catalog with new details on some of the more recent attacks suffered by the sector. In particular, Microsoft called out nation-state threat groups from North Korea and Russia for carrying out numerous malicious efforts using a variety of tactics.[8]

In response to these acts, Microsoft has reiterated the need for “world leaders to unite around the security of our health care institutions and enforce the law against cyberattacks targeting those who endeavor to help us all,” citing similar calls to action, such as those from the CyberPeace Institute and International Committee of the Red Cross.[9] While they were keen to point out various products that could help secure the sector, the underlying message that governments need to be doing more to help alleviate this threat appeared clear.

Action & Analysis
**Membership required**

 

Congress

 

Tuesday, November 17th:

– No relevant hearings

 

Wednesday, November 18th:

– No relevant hearings

 

Thursday, November 19th:

– No relevant hearings

 

 

 

International Hearings/Meetings

 

– No relevant hearings

 

 

EU –

 

– No relevant hearings

 

 

Sundries –

 

DNS cache poisoning, the Internet attack from 2008, is back from the dead

https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

 

Ransomware incidents in manufacturing grow as transparency, and attack options, increase


 

Conferences, Webinars, and Summits –

 

 

https://h-isac.org/events/

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

 

[1] https://play.google.com/store/apps/details?id=org.who.COVIDKAYA&hl=en_US&gl=US

[2] https://threatpost.com/covid-19-data-leaked-healthcare-worker-info/161108/

[3] https://citizenlab.ca/2020/11/unmasked-covid-kaya-and-the-exposure-of-healthcare-worker-data-in-the-philippines/

[4] https://citizenlab.ca/2020/11/unmasked-covid-kaya-and-the-exposure-of-healthcare-worker-data-in-the-philippines/

[5] https://www.engadget.com/paypal-venmo-cryptocurrency-bitcoin-ethereum-litecoin-payments-143927447.html

[6] https://www.engadget.com/paypal-opens-cryptocurrency-all-us-accounts-210541778.html

[7] https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/

[8] https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/

[9] https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/
