H-ISAC Hacking Healthcare 8-6-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare, we take a look at the ever-growing world of cyber insurance. We then reinforce the need to pay attention to the basics of cyber security (again). Finally, we look at how the adoption of new healthcare technologies is coming into conflict with data privacy and security concerns.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Hot Links –

1. Cyber Insurance is Still Finding its Feet.

The ever-increasing awareness of cyber threats has led many to embrace cyber insurance as a way to mitigate the potential fallout of a data breach or other materially damaging incident. It’s easy to see why with the astronomical costs often associated with ransomware attacks and data breach remediation. However, you might find that it’s becoming increasingly more difficult to be cyber insured.

The problem is that unlike natural disasters or car crashes, cyber incidents are far more unpredictable and nebulous to conceptualize.[1] For example, building a basic but workable model to determine natural disaster insurance is relatively straightforward. You can start by determining the geographic location covered, then gather historical information on weather patterns and natural disaster occurrence, factor in the cost of the property being insured, and you’re done. It’s not perfect, but the wealth of available information provides a rough model that can be refined. Modeling cyber risk is proving to be far more difficult. Without accurate information on who has been targeted, who is doing the targeting, when parties were targeted, why they were targeted, or how to apply various changing regulatory requirements, it’s difficult to build a model which insurers and the insured can feel confident.

Additionally, those who purchased cyber insurance and were unlucky enough to need it are finding that their insurers are not as eager to pay out as they might have assumed. Numerous law suits are now underway because an insurer has refused to pay out over complaints that the policy doesn’t cover certain categories of attack. Zurich Insurance, for example, is claiming they are not accountable to Mondelez because the NotPetya attack they suffered was a result of an international conflict and therefore not covered under the “war exclusion” clause.[2]^,[3]

2. Back to Basics.

CISOs of any industry will tell you that the list of potential threats to their systems and data is innumerable. State actors deploying zero days and cyber criminals buying up countless new malware packages on the black market is enough to keep anyone up at night. However, it’s important to remember that despite the rational fears of sophisticated malware and advanced persistent threats, having a good grasp of the basics is still the key to securing your networks.

The Verizon Data Breach Investigations Report backs this assertion up with hard numbers. The 2019 report cites 32% of breaches involve phishing, 33% involve some form of social attack, and 29% involved the use of stolen credentials.[4] Additionally, the report states that phishing and the use of stolen credentials are the number one and two threat action varieties in breaches.[5] The reason these are the most prevalent attack types, and the reason why 94% of malware delivery is through email, is because the human element is almost always the weakest link in a security system.[6]

HIMSS Director of Privacy and Security Lee Kim echoed this sentiment in an exchange with Healthcare IT News. She stated that phishing is likely to remain the go to for malicious actors, and that despite the growth in sophisticated malware focus needs to be put on training.[7] She elaborated that “users of all levels need to be regularly trained on how to detect phishing attempts (whether via SMS, web, email, etc.). Phishing still remains the primary mode of compromise.”[8]

While staying abreast of the latest cybersecurity threats and mitigations is prudent, it’s important to remember to not neglect the basics. Training your staff on basic cyber hygiene, implementing incentives to report suspicious emails, and increasing overall awareness of cyber threats continues to be the foundation that the rest of your work sits upon.

3. New Healthcare Technologies Bring Up Old Concerns.

A new mobile phone app for healthcare providers is showing significant promise in helping to quickly diagnose a potentially fatal kidney condition. The application is being hailed by doctors as one of the first examples of an application that functioned in real time with easily interpretable results. The lead nurse at London’s Royal Free Hospital says much of its success is down to “[fitting] the way we work.”[9]

The system has significantly sped up the process of identifying and alerting healthcare providers to the presence of acute kidney injury from hours to minutes.[10] This ability to rapidly diagnose has been deemed “potentially lifesaving” by a kidney specialist at Royal Free.[11] They claim that any technology that helps to quickly put patient information in the right hands is incredibly beneficial.

The app was developed by Royal Free in partnership with Google-owned DeepMind. These two came under fire in 2017 when the Information Commission accused them of not adequately protecting patient data of 1.6 million people.[12] While the Information Commission has since given them a passing mark, the tension between employing new technologies with the potential to save lives and the need to maintain the security and privacy of patient data will continue.