H-ISAC Hacking Healthcare 8-27-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare, we continue the discussion on biometric data by looking at an Australian wrongful dismissal case. We then brief you on the curious plight of a healthcare organization’s stolen domain. Next, we explore the possible ramifications of a Georgia Supreme Court case on data breach compensation. Finally, we look at two new cases of supply chain attack on the open source community.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Hot Links –

1. Fingerprint Refusal Leads to Firing (and maybe a little redemption).

Continuing the discussion on biometric data from last week, an Australian court recently ruled in favor of an individual who had been fired after refusing to provide biometric data to his employer. The individual’s dismissal from a lumber manufacturer stemmed from his refusal to provide his fingerprint to the company’s new log in system. He cited his concerns over the storage of his biometric data and the potential for unknown entities to trade or acquire the data which could be used indefinitely.[i]

Jeremy Lee first filed suit on the basis that he owns his biometric data and is within his rights to refuse to provide them to anyone under Australia’s privacy laws. While his initial suit was dismissed by the Australian Fair Work Commission, upon appeal the Commission ruled in his favor. The Commission stated that they “[accepted] Mr. Lee’s submission that once biometric information is digitized, it may be very difficult to contain its use by third parties, including for commercial purposes.”[ii]

While the ruling does not change any laws in Australia, it has ignited a debate about the use and limits of biometric data within that country. Privacy advocates will no doubt be appreciative that the Commission accurately highlighted the risks associated with the handing over of such personal information. The reality of keeping biometric data secure indefinitely seems implausible and the long term ramifications are far from being fully appreciated. Biometrics is an area ripe for further analysis and discussion due to comprehensive regulation and legislation still needing time to mature. The current fluidity of this issue represents an opportunity for the healthcare sector to help influence it before it becomes more settled. Of course, this case took on some additional meaning given the exposure of biometric data which we discussed last week and we will continue to watch this issue closely.

2. Healthcare Domain Stolen.

In an unusual bit of malicious internet activity, Sonoma Valley Hospital has been forced to migrate to a new internet domain after having their prized “svh.com” stolen by malevolent actors. The domain had been in possession of Sonoma Valley Hospital since 1996, and their registration was not due for renewal until 2021, but at the beginning of this month the domain was apparently hijacked in such a way that Sonoma Valley Hospital believed retrieval of the domain was impossible.[iii]

The organization’s data was not compromised, but the fallout is significant. Financially, the hospital will have to purchase rebranded materials including letterhead and business cards, and it will have also lost potential patients who had difficulty contacting the organization during the transition to their new domain.[iv] Additionally, there is potential for reputational damage, and the loss of their domain attached emails hindered both internal and external communications.[v]

3. Georgia Supreme Court Hears Data Breach Damages Claim.

A consequential case is currently being heard in Georgia’s Supreme Court regarding compensation for data breach victims. Three individuals who were victims of a 2016 breach of a healthcare clinic have brought a lawsuit seeking damages from the clinic for current and potential expenses relating to various anti-fraud protections and credit monitoring services they have used, and for the inconvenience of time spent having to implement credit freezes.[vi] The verdict could have significant ramifications within a state that has been hit numerous times recently.

The case stems from a 2016 data breach of the Athens Orthopedic clinic perpetrated by someone calling themselves the “Dark Overlord”. The breach exposed data that included “names, addresses, Social Security numbers, date of birth and telephone numbers” and it ultimately affected an estimated 200,000 patients.[vii] The clinic refused to pay the ransom demanded by the hacker and informed its patients that they should apply for anti-fraud protection and credit monitoring. However, Athens Orthopedic apparently did not offer to help pay any of the costs associated with the steps they recommended.

The three plaintiffs argue that their data was stolen, offered up on the dark web, and now represented a lingering threat and financial burden. Athens Orthopedic has been less than willing to offer financial assistance to date and insist that legal definitions of injury do not cover the costs of the preventative steps the plaintiffs had taken and that future potential harm could not be considered under current Georgia law.[viii]

4. Open Source Software Supply Chains Exposed.

Two new backdoors were found last week that may affect millions. First, a backdoor into the Webmin administration tool allowed for an attacker to execute commands with root privileges. Webmin had their development server compromised which then allowed for the distribution of a backdoor which was downloaded more than 900,000 times.[ix] Some versions of the compromised tool had the backdoor initiated by default, while other versions became active if admins made changes to certain settings.[x]

In an effort to better grasp the scale of the attack, a Shodan search cited by Ars Technica showed tens of thousands of servers recently running versions of Webmin that could be compromised.[xi] Furthermore, threat intelligence from Bad Packets reported that there are currently malicious actors exploiting this backdoor.[xii]

The second backdoor was found in 11 libraries within RubyGems. The backdoor is alleged to allow attackers to remotely execute commands and upload sensitive data. At this time it is not clear how the libraries were infected, but thankfully the number of downloads does not seem to exceed 3,600.[xiii]