TLP White: In this edition of Hacking Healthcare, we catch up on the still developing Bulgarian data breach affecting the country’s entire population. Next, we look at how Massachusetts is trying to close the skills gap for tech savvy personnel. Finally, we examine cybersecurity overconfidence in the healthcare sector.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
Hot Links –
1. Bulgaria Burgled.
Last Monday, citizens of Bulgaria were shocked and dismayed at the revelation that a data breach of the country’s tax agency had resulted in the compromise of sensitive information for over five million citizens. This data breach of essentially the entire adult population of Bulgaria involved names, postal addresses, personal financial records, healthcare spending habits and more.[1] In total, the hacker claiming responsibility stated he extracted over 21 gigabytes of data.[2]
At least one of the alleged hackers was taken into custody following a forensic investigation. Twenty-year-old Kristian Boykov, a government contractor and cybersecurity expert at TAD Group, initially faced upwards of eight years in prison for his role in the breach.[3] His crime has now been downgraded from a “crime against critical infrastructure” to a “crime against information systems.”[4] This downgrade in charge also brings a lighter potential sentence with it. If he is found guilty, his new maximum sentence would be just three years.[5]
The fallout of the breach, beyond the millions of Bulgarian citizens now at risk due to their confidential records being in the wild, is a potential fine of twenty million Euros for lax security.[6] While the Bulgarian Prime Minister was quick to play up the intellect and technical savvy of the hacker, some cybersecurity experts with knowledge of the breach have expressed the view that the attack was relatively simple.[7] These experts seem to concur with the culprit’s statement that the government’s cybersecurity capabilities were “a parody.”[8]
2. Upskilling in the Healthcare Sector.
We are all well aware that finding and retaining quality technical and security personnel is a challenge. Public and private organizations are aggressively competing for the available workforce which makes it difficult for industries like healthcare to secure skilled personnel able to operate and maintain the IT systems and advanced medical technologies that providers want to adopt. So, what is the best way to tackle this fundamental issue? Massachusetts believes the answer lies in the creation of pilots to upskill entry level healthcare workers.
A report from the Massachusetts Commission on Digital Innovation and Lifelong Learning appears to be the catalyst for a handful of partnerships and grants worth up to $200,000 each.[9] The report stated in its recommendations that “healthcare, information technology and advanced manufacturing are among the most vital employment sectors for Massachusetts’ future prosperity.”[10] The report continued by stating that healthcare, IT, and advanced manufacturing should be prioritized in any “meaningful effort to align lifelong learning opportunities with employer needs.”[11]
While still in the planning phase, the programs being developed will target employees within the healthcare sector that want a path to career advancement and skilled training but lack any practical and affordable way forward. There is hope that successfully upskilling these workers will not only help fill the needed technology gaps but will also create recruiting appeal to those who value opportunities for career advancement.
3. Is There Cybersecurity Overconfidence in the Healthcare Sector?
A recent survey by LexisNexis Risk Solutions appears to give some credence to this proposition. The survey of 100 participants from healthcare organizations found that most have a high level of confidence in their security practices despite the rudimentary nature of many of them.
The survey noted that 58% of those polled believed their portal security was above average or superior to those of their competitors, despite the fact that roughly 93% use usernames and passwords to control access to patient information.[12] Of further concern was the recognition that 40% of survey participants still use knowledge-based authentication, and less than two thirds use multi-factor authentication. Finally, roughly two thirds of those surveyed said their resource allocation for improved identity management will either remain stagnant or decrease.[13]
The report wraps up with three conclusions from this data. First, the confidence survey respondents have in their cybersecurity controls seems misplaced. Traditional knowledge-based verification is simply not up to par these days. Second, multi-factor authentication is an absolute baseline security measure that organizations should strive to implement. Lastly, while frictionless experiences for patients is a priority, it shouldn’t (and doesn’t have to) be at the expense of security. The report recommends layered controls that allow relatively easy access to records, but require increased authentication controls for data transfers and payments.
In our experience, overconfidence comes from a combination of not fully understanding the danger and wandering attention after nothing bad happens for an extended period. This can manifest in organizations that have yet to internalize the same sort of risk management thinking that they apply in other parts of their business or personal lives to managing cybersecurity.
Congress –
Tuesday, July 23rd:
-No relevant hearings
Wednesday, July 24th:
-No relevant hearings
Thursday, July 25th:
-No relevant hearings
International Hearings/Meetings –
EU –
Tuesday, July 23rd:
European Parliament – Committee on Environment, Public Health and Food Safety
Conferences, Webinars, and Summits –
–4th Annual Medical Device Cybersecurity Risk Mitigation Conference – Arlington, VA (7/23/2019-7/24/2019)
http://www.q1productions.com/device-cybersecurity/
–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)
https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland
— Expo Health – Boston, MA (7/31/2019-8/2/2019)
https://www.expo.health/events/2019-expo-health
–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)
https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)
https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit
— Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)
https://endeavor.swoogo.com/2019-California-Cybersecurity-Forum
–Peer Sharing ICS Security Workshop (New Jersey) – Bridgewater, NJ (9/24/2019-9/26/2019)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)
https://h-isac.org/hisacevents/health-it-summit-northeast/
–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)
https://endeavor.swoogo.com/2019-Northeast-Cybersecurity-Forum
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
https://h-isac.org/summits/european_summit/
–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)
https://endeavor.swoogo.com/2019-Minneapolis-Health-IT-Summit
–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)
https://endeavor.swoogo.com/2019_Midwest_Cybersecurity_Forum
–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)
https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit
–Southwest Healthcare Cybersecurity Forum (11/15/2019)
https://endeavor.swoogo.com/2019_Southwest_Cybersecurity_Forum
–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–Pacific Northwest Healthcare Cybersecurity Forum (11/20/2019)
https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/2019)
https://www.loewshotels.com/coronado-bay-resort
Sundries –
–These Hackers Made An App That Kills To Prove A Point
https://www.wired.com/story/medtronic-insulin-pump-hack-app/
–This firmware flaw was bad enough, but then researchers looked at the supply chain
https://www.cyberscoop.com/lenovo-firmware-flaw-eclypsium-research/
–Criminals made off with $301 million per month last year via business email compromise scams
https://www.cyberscoop.com/business-email-compromise-bec-fincen-report-2019/
–A new website explains data breach risk
https://www.csoonline.com/article/3402985/a-new-website-explains-data-breach-risk.html
–Office 365 declared illegal in German schools due to privacy risks
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.bbc.com/news/technology-49015511
[2] https://www.cyberscoop.com/bulgaria-hack-financial-data/
[3] https://www.cyberscoop.com/bulgaria-hacking-suspect-worked-government-cybersecurity-tax-agency-breach/
[4] https://www.npr.org/2019/07/21/743912780/man-accused-of-hacking-bulgarias-tax-agency-is-released-and-given-lesser-charges
[5] https://www.npr.org/2019/07/21/743912780/man-accused-of-hacking-bulgarias-tax-agency-is-released-and-given-lesser-charges
[6] https://www.bbc.com/news/technology-49015511
[7] https://www.theguardian.com/world/2019/jul/18/wizard-hacker-charged-after-financial-records-of-nearly-every-bulgarian-exposed
[8] https://www.cyberscoop.com/bulgaria-hacking-suspect-worked-government-cybersecurity-tax-agency-breach/
[9] https://www.healthcareitnews.com/news/massachusetts-fund-pilots-expanding-digital-training-entry-level-healthcare-workers
[10] http://commcorp.org/wp-content/uploads/2018/04/DILLCommissionReport.pdf
[11] http://commcorp.org/wp-content/uploads/2018/04/DILLCommissionReport.pdf
[12] https://risk.lexisnexis.com/insights-resources/research/the-state-of-patient-identity-management
[13] https://risk.lexisnexis.com/insights-resources/research/the-state-of-patient-identity-management