TLP White: In this edition of Hacking Healthcare, we begin with a notice from the FDA looking for nominations for the Patient Engagement Advisory Committee. Next, we examine the results of a KPMG report on how artificial intelligence (“AI”) is viewed by various industries. We then brief you on a ransomware lawsuit where the plaintiffs appear to be seeking payment over alleged harm rather than actual harm. Finally, we explore how scammers and malicious actors are making use of the coronavirus to infect their victims.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare.

 

1. Notice: FDA, HHS Request for Nominations of Individuals and Industry Organizations for the Patient Engagement Advisory Committee [1]

The Committee provides advice on issues related to medical devices, device regulation, and patient use. Issues include agency guidance and policies, clinical trial or registry design, patient preference study design, benefit-risk determinations, device labeling, and more. Areas of needed expertise include Cybersecurity; Communication of Benefit and Risk Information to Patients; Medical Device Labeling; and Digital Health Technology/Artificial Intelligence.

 

Additional information and submission instructions can be found in the Federal Register or on the FDA’s website.

 

2. How the Healthcare Sector Views AI:

As artificial intelligence continues to rapidly integrate into the components and processes of every industry, opinions sometimes diverge on its impacts. A recent study by KPMG explored how various industries view AI, focusing on overall benefit, employee preparedness, and adoption efforts. The healthcare industry stood out in its belief that AI will have transformative effects on the sector.

KPMG found that 90% of healthcare insiders believe that AI will improve patient experiences.[2] They believed that diagnostics, electronic health records management, and robotic tasks were the three areas most likely to benefit.[3] However, that same group is almost evenly split on whether AI was more hype than reality, with 52% leaning towards hype. This split was more favorable to AI than in the retail and transportation sectors, where over 64% of insiders were more skeptical. To some extent, concerns over “hype” are about confusion over what AI is, as the term gets thrown about in marketing pretty loosely by a wide range of companies. Nevertheless, the confluence of data with machine learning represents a great deal of opportunity. As such, it is worth noting that additional findings show that 69% of healthcare insiders wish their organizations were more aggressively pursuing AI adoption.[4]

 

3. A Lawsuit Against Hospitals for Alleged Harm:

Earlier last week in the U.S. District Court for the District of Puerto Rico, a class action lawsuit was filed against two Puerto Rican hospitals alleging that the plaintiffs “suffered significant injuries and damages” as the result of a “security breach [that] compromised the full names, addresses, dates of birth, gender, financial information, and social security numbers.”[5] However, the twist in this suit is that it is not yet clear if any patient data was ever stolen and exposed.[6]

The suit stems from a ransomware attack that took place in February 2019. Reports state that there was no evidence to suggest that any patient data was exfiltrated or exposed and the hospitals have reiterated that this is still the case. This complaint doesn’t claim that the plaintiffs have evidence that their data was exposed, but instead focuses on the immediate cost of credit monitoring and related services, as well as the potential for future harm that may be tied to any data stolen in the attack. Furthermore, the plaintiffs allege that the hospitals did not take appropriate actions to protect data, even going so far as to claim that “they allowed hackers to obtain it.”[7]

 

4. The Coronavirus’s Cyber Strain.

As we discussed in our last edition, the economic impact of the coronavirus continues to grow. The interconnected nature of modern trade and commerce means that regardless of geographic proximity, businesses of all sizes and industries can expect some negative effects. In the rush to gather information to better map supply chain vulnerabilities and ascertain short term mitigations, malicious actors have spotted an opportunity.

It appears that scammers working from Eastern Europe and Russia have begun campaigns targeting sectors like transportation and manufacturing with emails promising in-depth analysis or important notes on how the coronavirus may affect their sector.[8],[9] The emails contain an attachment that they claim provides further important information, but actually contains malware designed to steal data.[10] It is interesting to note that this malware exploits a vulnerability that is over two years old, which once again helps to drive home the importance of timely patching.

 

Congress

 

Tuesday, February 18th:

– No relevant hearings

 

Wednesday, February 19th:

– No relevant hearings

 

Thursday, February 20th:

– No relevant hearings

 

International Hearings/Meetings

 

EU –

 

Tuesday, February 18th

European Parliament – Committee on Environment, Public Health and Food Safety

 

 

Conferences, Webinars, and Summits

–H-ISAC Member Meet-Up at RSA Conference – San Francisco, CA (2/25/2020)

https://h-isac.org/hisacevents/h-isac-member-meet-up-at-rsa-conference-2/

–H-ISAC Analysts Security Workshop – Titusville, FL (3/4/2020)

https://h-isac.org/hisacevents/h-isac-analysts-security-workshop-titusville-fl/

–H-ISAC Member Meet-Up at HIMSS Global Conference – Location TBA (3/11/2020)

https://h-isac.org/hisacevents/h-isac-member-meet-up-at-himss/

–Smart IoT – London – ExCeL London, UK (3/11/2020)

https://www.smartiotlondon.com/

–H-ISAC Security Workshop – Chennai, India (3/27/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-india/

–H-ISAC Monthly Member Threat Briefing – Webinar (3/31/2020)

https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-6/

–2020 APAC Summit – Singapore (3/31/2020-4/2/2020)

https://h-isac.org/summits/apac-summit-2020/

–H-ISAC Security Workshop – Cambridge, MA (4/7/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-cambridge-ma/

–H-ISAC Security Workshop – Atlanta, GA (4/13/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-atlanta/

–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (4/20/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426497

–H-ISAC 2020 Spring Summit – Singapore (3/31/2020-4/2/2020)

https://h-isac.org/summits/apac-summit-2020/

–H-ISAC Security Workshop – Frederick, MD (6/9/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-frederick-md/

–AAMI Exchange – New Orleans, LA (6/12/2020-6/15/2020)

https://h-isac.org/hisacevents/aami-exchange/

–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426499

–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426517

–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126

–Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)

https://h-isac.org/hisacevents/summit-on-security-third-party-risk/

–Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840

–Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886

–Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)

https://h-isac.org/hisacevents/healthcare-cybersecurity-forum-california-2/

 

 

Sundries –

 

–FDA, MITRE offer tips for med device cybersecurity

https://www.healthcareitnews.com/news/fda-mitre-offer-tips-med-device-cybersecurity

 

–PKI mismanagement leaves healthcare organizations vulnerable

https://www.healthcareitnews.com/news/pki-mismanagement-leaves-healthcare-organizations-vulnerable

 

–U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/

 

–One of the most destructive botnets can now spread to nearby Wi-Fi networks

https://arstechnica.com/information-technology/2020/02/one-of-the-most-destructive-botnets-can-now-spread-to-nearby-wi-fi-networks/

 

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.federalregister.gov/documents/2020/02/13/2020-02872/request-for-nominations-of-individuals-and-industry-organizations-for-the-patient-engagement

[2] https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2020/living-in-ai-world.pdf

[3] https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2020/living-in-ai-world.pdf

[4] https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2020/living-in-ai-world.pdf

[5] https://www.classaction.org/media/quintero-et-al-v-metro-santurce-inc-et-al.pdf

[6] https://www.cyberscoop.com/hospital-pavia-class-action-lawsuit-ransomware/

[7] https://www.classaction.org/media/quintero-et-al-v-metro-santurce-inc-et-al.pdf

[8] https://www.cyberscoop.com/coronavirus-phishing-emails-proofpoint-research/

[9] https://www.proofpoint.com/us/corporate-blog/post/coronavirus-themed-attacks-target-global-shipping-concerns

[10] https://www.cyberscoop.com/coronavirus-phishing-emails-proofpoint-research/