“Hack Back” Bill, EU Agency for Cybersecurity and Coordinated Vulnerability Disclosure and the Media

TLP White: In this edition of Hacking Healthcare, we discuss a bill that would allow companies to hack their hackers back in order to protect networks and systems.  We then describe European Union privacy regulator ENISA’s new permanent mandate and cybersecurity certification standards.  Finally, we consider the stories the media tells us about medical device security and whether those popular tropes help to encourage good cybersecurity practices, such as CVD.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

 

Hot Links –

 

1. “Hack Back” Bill Introduced in the U.S. House of Representatives.

Representative Tom Graves (R-GA) has reintroduced a cyber-related bill in the U.S. House of Representatives that would allow businesses to operate outside of their networks to identify and attack their own hackers.[1]  This proposed legislation would effectively allow companies to use offensive cybersecurity tactics by “hacking back” their cyber attackers.

 

Existing federal law prohibits the practice of “hacking back” through the Computer Fraud and Abuse Act.  This statute proscribes the act of accessing computers without authorization.  But Rep. Graves believes companies need to have the ability to hack their attackers, because without such a capability there are limited resources for businesses to use to stop attacks.  Additionally, Rep. Graves has stated that the bill could help place guardrails around companies’ efforts to defend their systems in this manner.  He is of the belief that companies are already trying to protect their networks by hacking their hackers back, despite the current prohibition on the practice in federal law.

 

2. European Cybersecurity Regulator Gets a Permanent Mandate.

On March 12, 2019, members of the European Parliament adopted the Cybersecurity Act (the “Act”).[2]  This piece of legislation gives the European Union Agency for Network and Information Security (“ENISA”) permanent authority and establishes an EU-wide cybersecurity certification framework.  Pursuant to the Act, ENISA will become the EU Agency for Cybersecurity after the statute comes into force on June 27, 2019.[3]

 

The new certification framework set forth by the Act is meant to establish a baseline set of standards for European digital products and services.  The hope is that these standards and the certification process in general will help to improve cybersecurity practices in the European internal market.  The framework will be broadly applicable and therefore will impact medical device manufacturers and other internet-of-things (“IoT”) device creators operating in the healthcare space.  As a result, manufacturers should familiarize themselves with the certification framework and decide whether they should seek certification for their devices.

 

3. Coordinated Vulnerability Disclosure: Rhetoric vs. Reality.

Last week, news broke that researchers from a healthcare security firm had detected vulnerabilities in common hospital workstations used to dock infusion pumps.[4]  The vulnerability apparently could allow a hacker to disable the device, infect it with malware, or create false readings.[5]  Following typical industry practice, the researchers disclosed the vulnerabilities to the infusion pump device manufacturer and to federal regulators.  They then worked with the device manufacturer to develop and deploy a fix—in this case, a firmware update—to address the vulnerability and mitigate the threat.

 

Despite this seemingly successful progression of the coordinated vulnerability disclosure (“CVD”) process, media outlets have widely failed to report it as such, instead choosing to focus on “another reminder that security issues can exist in any device – particularly life-saving equipment in the medical space.”[6]  Other outlets highlighted perceived organizational failures by suggesting the finger should be pointed at hospitals themselves.[7]  This rhetoric, which seems keen on finding a culprit to blame for a medical device security vulnerability, missed an opportunity to highlight and applaud a cybersecurity success story that came in the form of CVD.

 

CVD is supposed to work this way.  In reality, collaboration between researchers and manufacturers to develop and deploy a vulnerability fix is the best case cybersecurity scenario in today’s world of imperfect technology.  Scare tactics that emphasize the hypothetical damage vulnerabilities could have caused are often counterproductive and miss the mark.  In our opinion, media should laud CVD success stories like this one rather than resort to fearmongering and conjecturing about the harms that could have been.

 

Congress

 

Tuesday, June 18th:

-No relevant hearings

 

Wednesday, June 19th:

-No relevant hearings

 

Thursday, June 20th:

-No relevant hearings

 

 

International Hearings/Meetings

 

            EU – No relevant hearings.

 

Conferences, Webinars, and Summits

–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019-6/19/2019)

<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>

–Healthcare Cybersecurity Workshop – London, UK (7/10/19)

<https://h-isac.org/hisacevents/workshop-london/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

Health IT Summit – Rocky Mountain

–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)

https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland/

–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)

https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)

<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

<https://h-isac.org/summits/european_summit/>

–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)

<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>

–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)

<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

 

 

Sundries –

 

Huawei cancels MateBook laptop launch because of US export ban

<https://arstechnica.com/information-technology/2019/06/huawei-cancels-matebook-laptop-launch-because-of-us-export-ban/>

Suppliers Spotlighted After Breach of Border Agency Subcontractor

<https://www.darkreading.com/attacks-breaches/suppliers-spotlighted-after-breach-of-border-agency-subcontractor/d/d-id/1334936>

U.S. ramping up offensive cyber measures to stop economic attacks, Bolton says

<https://www.cyberscoop.com/john-bolton-offensive-cybersecurity-not-limited-election-security/>

Researchers use Rowhammer bit flips to steal 2048-bit crypto key

<https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/>

Phishing attacks that bypass 2-factor authentication are now easier to execute

<https://www.csoonline.com/article/3399858/phishing-attacks-that-bypass-2-factor-authentication-are-now-easier-to-execute.html>

Why the Huawei ban is bad for security

<https://www.csoonline.com/article/3402038/why-the-huawei-ban-is-bad-for-security.html>

 

Contact us: follow @HealthISAC, and

[1] https://www.cyberscoop.com/hack-back-bill-tom-graves-offensive-cybersecurity/

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC

[3] https://www.enisa.europa.eu/news/enisa-news/the-eu-cybersecurity-act-a-new-era-dawns-on-enisa

[4] https://www.cybermdx.com/news/cybermdx-research-team-discovers-2-major-medical-device-vulnerabilities

[5] https://www.cyberscoop.com/medical-infusion-pump-system-two-critical-bugs-researchers-say/

[6] https://techcrunch.com/2019/06/13/alaris-infusion-pump-security-flaws/?renderMode=ie11

[7] https://www.cyberscoop.com/medical-infusion-pump-system-two-critical-bugs-researchers-say/