TLP White: In this edition of Hacking Healthcare, we discuss the long-accepted organizational security practice of periodic password expiration. We then describe the Department of Health and Human Service’s new efforts to collaborate with other agencies and operationalize information sharing efforts to find new security solutions. Finally, we consider Russia and Iran’s plans to build a closed Internet, allegedly with the goal of enhancing cybersecurity.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
Hot Links –
1. Periodic Password Expiration – Useful or Unnecessary?
Echoing the opinion of many in the cybersecurity world, last week a Microsoft employee openly described periodic password expiration as an “ancient and obsolete” security feature.[1] In a blog post, the IT professional noted that Microsoft will be removing the password expiration feature from its configuration baseline settings. The announcement sheds light on the utility of a security practice that many employees and even C-suite executives have accepted as a normal part of everyday working life.
The problems with periodic password expiration appear to be numerous: it encourages the creation and use of redundant passwords (p@$$word!1 vs. p@$$word!2), assumes a password will be hacked and stolen within a set time frame, and leaves room for employees to forget new passwords.[2] As a result of these realities and others, a number of organizations are changing their thoughts about required password resets every 30, 60, or 90 days. Some are moving to two-factor authentication as a better way to secure credentials for access to protected networks and systems.
2. New HHS CIO Brings Collaborative Mindset.
In keeping with the authentication theme, we turn our attention to Jose Arrieta, the new Chief Information Officer at the U.S. Department of Health and Human Services (“HHS”), who is “working with other agencies to pilot new programs around different budding technologies.”[3] Specifically, HHS is lending its distributed network to the Defense Information Systems Agency to pilot a new authentication method that makes use of smartphones and wearable devices. This collaborative approach, Arrieta hopes, will spur innovation and encourage the private sector to develop authentication capabilities and technologies. Arrieta assumed his position at the end of May, never having held a CIO role before. He previously served as HHS’s Associate Deputy Assistant Secretary for Acquisition, a role in the agency’s Office of Grants and Acquisition Policy.[4]
Government agency coordination to pilot security solutions is innovative in and of itself. The effort speaks to the value of mutually beneficial information sharing and cooperation. It supports the idea that collaboration—whether through formal ISAC arrangements, pilot programs, or another form of information exchange—can go a long way towards spurring innovative and useful security solutions.
3. Global Internet Fragmentation Places Cybersecurity at Odds with Open Access.
News outlets have long reported that Russia and Iran are developing domestic Internets that would keep their infrastructures completely separate from the public Internet as we know it.[5] While these countries’ aims of closing their citizens off to the open Internet resemble the efforts of countries like China, Russia and Iran are taking a different approach to execute this goal. China has mainly elected to use filtering mechanisms to control what citizens can and cannot access on the World Wide Web. But China’s Great Firewall is vulnerable to VPN circumvention and other technological solutions to get around its controls. Russia and Iran’s plans, on the other hand, would alter global network architecture in a way that would completely isolate their Internets from ours.
By creating their own Internets, Russia and Iran will be able to control their citizens’ ability to access content.[6] However, these countries dispute the idea that censorship is the reason for their efforts. They instead cite cybersecurity and a need to protect their citizens, networks, and systems as the reasons for their efforts in building closed Internets. By doing so, Russia and Iran pit cybersecurity concerns against the values of an egalitarian and open Internet.
Congress –
Tuesday, June 11th:
-Hearing to examine data brokers and the impact on financial data privacy, credit, insurance, employment, and housing (Senate Committee on Banking, Housing and Urban Affairs).[7]
Wednesday, June 12th:
-Hearings to examine competitive implications of vertical consolidation in the healthcare industry (Senate Judiciary Subcommittee on Antitrust, Competition Policy, and Consumer Rights).[8]
Thursday, June 13th:
-No relevant hearings
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019-6/19/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)
https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
<https://h-isac.org/summits/european_summit/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–The GCHQ’s Vulnerabilities Equities Process
https://www.lawfareblog.com/gchqs-vulnerabilities-equities-process
–Vietnam Rises as Cyberthreat
https://www.darkreading.com/attacks-breaches/vietnam-rises-as-cyberthreat-/d/d-id/1334890
–Google’s Triada backdoor demonstrates vulnerabilities in the mobile supply chain
https://www.cyberscoop.com/android-backdoor-triada-mobile-supply-chain/
–Huawei signs deal with Russian telecoms firm to develop 5G
https://www.bbc.com/news/business-48537643
–State Department proposes new $20.8 million cybersecurity bureau
https://www.cyberscoop.com/state-department-proposes-new-20-8-million-cybersecurity-bureau/
–House bill would boost CISA funding by $335 million
https://www.cyberscoop.com/house-bill-boost-cisa-funding-335-million/
–2.8 Billion US Consumer Records Lost in 2018
–LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach
https://krebsonsecurity.com/2019/06/labcorp-7-7m-consumers-hit-in-collections-firm-breach/
–Adware Hidden in Android Apps Downloaded More Than 440 Million Times
–Google, Facebook, Apple, Amazon face US anti-trust probe
https://www.bbc.com/news/technology-48513328
–Warnings of world-wide worm attacks are the real deal, new exploit shows
–Facebook stops apps being pre-installed on Huawei phones
https://www.bbc.com/news/technology-48555153
–Researchers uncover new MuddyWater targeting of government, telecommunications entities
https://www.cyberscoop.com/muddywater-tajikstan-clearsky/
–Millions of machines affected by command execution flaw in Exim mail server
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/
[2] https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/
[3] https://www.nextgov.com/emerging-tech/2019/06/new-cio-wants-make-hhs-be-testbed-budding-tech/157515/
[4] https://www.fedscoop.com/jose-arrieta-new-hhs-cio/
[5] https://www.wired.com/story/russia-and-iran-plan-to-fundamentally-isolate-the-internet/
[6] https://www.wired.com/story/russia-internet-disconnect-what-happens/
[7] https://www.banking.senate.gov/hearings/data-brokers-and-the-impact-on-financial-data-privacy-credit-insurance-employment-and-housing
[8] https://www.judiciary.senate.gov/meetings/your-doctor/pharmacist/insurer-will-see-you-now-competitive-implications-of-vertical-consolidation-in-the-healthcare-industry