H-ISAC Hacking Healthcare 9-24-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare we begin with a quick update on new NIST guidance that impacts the healthcare sector. Next, we look at how industry is beginning to recognize its role in the cyber staffing shortage. We then explore recent allegations that Australia concealed a Chinese attack on its political system. Finally, we examine CISA Director Chris Krebs’ denouncement of cyber scare tactics.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. New NIST Draft Guidance.

Last week, the NCCoE at NIST released the NIST Cybersecurity Practice Guide, SP 1800-24, Securing Picture Archiving and Communication System. This draft comes as part of a proposed NIST project to “provide guidance on securing the Picture Archiving and Communication System (PACS) ecosystem in Healthcare Delivery Organizations (HDOs).”[1] NIST is currently requesting feedback on the draft and public comments are due by November 18^th, 2019. (Link)

Given the recent revelation of millions of patient medical images being found unsecured online[2], it is clear that this is an area that needs attention. We encourage everyone to have a look at this draft document, provide your feedback, and take a second look at how you are securing this information if it is part of your business.

2. How Industry Contributes to Cyber Staffing Shortages.

It’s been well publicized that the cybersecurity field has been dealing with a staffing shortage for years. The often cited projections that the world will be 2-3 million cyber professionals short, with roughly 500k of those vacant positions in the United States, appear to increase with each passing reassessment.[3]^,[4] The causes of this shortage have been attributed to a number of plausible factors, including: a lack of training and educational opportunities; the natural lag time between the rapid growth of technology and the reorientation of market forces incentivizing cyber-related careers; and a vicious cycle of overworked security professionals burning out due to the shortage and thus reinforcing the shortage. However, there is growing recognition of the role that industry plays in contributing to the staffing shortage.

While inadequate pay is a systemic issue, misaligned expectations often exacerbate it. A recent Forrester report emphasized that many organizations demand or expect qualified cybersecurity candidates with impressive educational and work experience but appear unable to recognize, or unwilling to pay, the actual value of an individual with those qualifications and skills.[5] Misaligned expectations go beyond just salary range issues. A common lament among CISOs is that their organizations do not fully appreciate the vital nature of their role. This oversight often leads to a lack of CISO integration in high level decision making within companies and a lack of necessary investment in security resources. These factors contribute to high CISO turnover and a negative reputation toward related positions in the industry.[6]^,[7]

Luckily, there may be untapped solutions for industry to investigate. The Forrester report outlines how small and medium sized companies that don’t typically have the resources to keep up with major multinationals have turned to a number of creative solutions when it comes to cybersecurity staffing. One tactic is to try and offset any lack of financial competitiveness with quality of life perks such as increased paid leave, flexible hours, and remote work.[8] Some organizations are also exploring overlooked communities in an attempt to find untapped talent and unique skill sets that seem well suited for security work. For example, Gamestop, a video game and electronics retailer, has started work with a nonprofit that specializes in training individuals with autism to engage in security monitoring with the hope that their abilities to recognize patterns will be an asset.[9]

3. Australian General Election Hack Should Raise Alarms.

Within the United States, the 2016 presidential election and its aftermath brought awareness to the threats of foreign interference with the electoral process. While that issue has unfortunately become politicized in the United States, the actual threat remains very real and resurfaced last May in Australia. A recent Reuters report cites five unnamed sources to confirm that Australian intelligence has pinned a hack of Australia’s parliament and its three largest political parties on China.[10]

The report states that the Australian Signals Directorate came to the attribution conclusion in March but ultimately decided not to make any public statement implicating China over fears that it may negatively impact trade relations.[11] In the wake of the hack being made public, the Australian government has not said if they have taken the issue up privately with China, and China has denied orchestrating the hack. China stresses that they themselves are often the victims of cyber attacks and that conclusive proof linking the Chinese state or Chinese proxy actors is lacking in this case. Security researchers who have noted similarities in the code and method of the attack have their doubts about China’s denial of responsibility.[12] Furthermore, the Reuters report comes just months after a massive hack of Australian National University that compromised “up to 19 years’ worth of personal data” was also attributed to China.[13]

4. CISA Wants to End Scare Tactics.

The cybersecurity community has often found itself trapped between trying to responsibly educate the public about the dangers of hackers and other digital threats on one side, and fear mongering in order to bring awareness to cyber issues and sell products and services on the other side. The prevalence of articles decrying the practice of selling fear as ineffective, dishonest, and harmful to the cybersecurity industry’s reputation has been growing recently, and there is a new high profile addition to those in this camp in DHS CISA Director Chris Krebs.

Last week, at the annual CISA Cybersecurity Summit, Chris Krebs reiterated the need to “extend our capabilities to float all boats” and to continue bringing in those on the outside of the cybersecurity community, while refraining from exaggerating the nature of cyber threats.[14] Krebs is quoted as saying that “we’ve got to be more straightforward, more measured, more reasonable.”[15] Krebs went on to acknowledge that while serious threats do exist, fear mongering around topics such as election cybersecurity can do unintended harm, like driving down voter confidence in the electoral system.

Congress –

Tuesday, September 24th:

– Artificial Intelligence and the Future of Work (House – Committee on Science, Space, and Technology – Subcommittee on Research and Technology)

Wednesday, September 25th:

– Investments in Medical Research at Five Institutes and Centers of the National Institutes of Health (House – Committee on Appropriations – Subcommittee on the Departments of Labor, Health and Human Services, Education, and Related Agencies)

Thursday, September 26th:

-No relevant hearings