TLP White: In this edition of Hacking Healthcare, we discuss a Senator’s request for information about the cybersecurity capabilities of health focused federal agencies and industry groups. We also break down Vermont’s action against Russian and Chinese equipment. Finally, we discuss a report warning lenders of the impact of cyber risk on borrowers in particularly high-risk industries.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Warner (D-VA) Asks Agencies and Industry About Cyber Readiness.
Last week Senator Mark Warner reached out to healthcare industry leaders and federal counterparts for information about their cybersecurity approaches and capabilities. The Senator penned letters to leaders at the Food and Drug Administration, Health and Human Services Department, Centers for Medicare and Medicaid Services, and National Institute of Standards and Health.[1] He also contacted insurance and healthcare organizations and other industry stakeholders, asking pointed questions in an effort to understand their technical abilities and level of cybersecurity awareness.[2]
The recent SamSam and WannaCry attacks acutely affected healthcare organizations[3] and Senator Warner’s request for information reflects the increased awareness and focus Congress is taking regarding healthcare systems’ vulnerability to cyberattacks . As we have often discussed, the nature of the information health systems collect and the industry’s reliance on connected technologies create the motive and opportunity for hackers to strike. Senator Warner’s letters indicated that he hopes to work with health entities in public-private partnerships to develop a national strategy to protect the healthcare industry from costly cyber threats and attacks.
2. Vermont Phases Out Foreign Equipment.
Taking its lead from earlier federal actions, Vermont CIO John Quinn has ordered the state government to inventory its hardware and software in order to phase out a list of products linked to the Russian and Chinese governments. This action impacts a number of firms, but will specifically target Kaspersky Labs, Huawei, and ZTE on the grounds that they are vulnerable to espionage operations and a threat to securing Vermont’s data.
The order immediately restricts any new purchases or renewals of products linked to the listed Russian and Chinese companies, requires a breakdown of possible products in use within 30 days, and requires a comprehensive phase-out plan within another 30 days.[4] How feasible that timeline is may be up for debate. On top of reviewing all hardware and software, Vermont will need to review around 360 IT contracts, and it is unclear how many resources the over two dozen affected agencies will have available to dedicate to this issue.[5]
Numerous other states have implemented similar plans far more subtly by adjusting standards and regulations.[6] The move by Vermont and other states to take proactive measures against Chinese and Russian products highlights the states’ ability to take independent actions on cybersecurity matters apart from federal policy. It also means that regardless of the federal government’s ultimate policy decision on companies like Huawei, ZTE, and Kaspersky Labs, damage to the credibility of those firms is already having a tangible effect.
3. Cyber Threat and Industries in Debt.
Last Thursday, credit rating service Moody’s highlighted how the four industries most likely to be the target of a cyberattack hold nearly $12 trillion in debt, and that lenders should consider the ramifications of a potential cyberattack when making loans to those sectors.[7] The four industries—banks, securities exchanges, investment firms, and hospital systems—were viewed as having the highest risk because of their reliance on technology and their interconnectedness. The credit rating service further outlined how they see data disclosure and disruption of business operations as the primary risk events that would have serious economic consequences.
While these four sectors were the only ones rated as having the highest risk, twenty other sectors holding another combined $12 trillion in debt were listed as either medium-high or high risk.[8] How lenders respond to this report will be worth watching, especially with the continued proliferation of malicious, sophisticated cyber actors.
Congress –
Tuesday, March 5th:
No relevant hearings.
Wednesday, March 6th:
No relevant hearings.
Thursday, March 7th:
No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–H-ISAC Member Meet-Up at RSA Conference – TBD (3/6/19)
<https://h-isac.org/events/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–DMARC Demystified for Members – Webinar (3/18/19)
<https://h-isac.org/hisacevents/dmarc-step-by-step/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–InfoSec World 2019 – Lake Buena Vista, FL (4/1/19-4/3/19)
<https://infosecworld.misti.com/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC Israel Showcase & Innovation – Tel Aviv, Israel (4/8/19-4/13/19)
<https://www.regonline.com/registration/Checkin.aspx?EventID=2551847>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
—Security Clearance Delays Are Hurting the Pentagon’s Tech Workforce
—NSA’s Joyce outlines how U.S. can disrupt and deter foreign hacking
<https://www.cyberscoop.com/rob-joyce-nsa-disrupt-foreign-hacking/>
—The Security Clearance Process Is About to Get Its Biggest Overhaul in 50 Years
<https://www.nextgov.com/cio-briefing/2019/02/security-clearance-process-about-get-its-biggest-overhaul-50-years/155229/>
—A researcher made an elite hacking tool out of the info in the Vault 7 leak
<https://www.cyberscoop.com/vault-7-operation-overwatch-cia-hacking-tools-rsa-conference/>
—‘Thunderclap’ collection of hardware vulnerabilities affects Mac, Windows, Linux systems
<https://www.cyberscoop.com/thunderclap-vulnerabilities-mac-windows-linux/>
—Report: US Cyber Command took Russian trolls offline during midterms
—Twenty minutes into the future with OpenAI’s Deep Fake Text AI
—Supermicro hardware weaknesses let researchers backdoor an IBM cloud server
—Christy McCormick gets second term heading election security body
—FTC ruling sees Musical.ly (TikTok) fined $5.7M for violating children’s privacy law, app updated with age gate
—The Anatomy of a Lazy Phish
<https://www.darkreading.com/application-security/the-anatomy-of-a-lazy-phish/a/d-id/1333879>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.nextgov.com/cybersecurity/2019/02/senator-agencies-what-are-you-doing-secure-health-tech/155123/
[2] https://www.nextgov.com/cybersecurity/2019/02/senator-seeks-input-health-care-cyber-strategy/155075/
[3] https://www.cyberscoop.com/samsam-ransomware-hit-67-organizations-2018-researchers-say/
[4] https://statescoop.com/vermont-cio-orders-purge-of-kaspersky-huawei-and-zte-products/
[5] Ibid
[6] Ibid
[7] https://www.law360.com/cybersecurity-privacy/articles/1133926?utm_source=rss&utm_medium=rss&utm_campaign=section
[8] Ibid