#NSA #CybersecurityDirectorate #BugBounty #databreach #HSCC #GHIDRA #Google #Android #HackerOne

TLP White: In this edition of Hacking Healthcare, we take another look at training and retaining your cybersecurity workforce. We explore the NSA’s announcement of its new Cybersecurity Directorate. Next, we look at the growing business of bug bounties. Finally, we examine the high cost of data breaches in the healthcare industry.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare.


Hot Links –

1. Healthcare & Public Health Sector Coordinating Council Publishes Cybersecurity Workforce Guide.

Following up on last week’s Hacking Healthcare article, which put a spotlight on upskilling the healthcare industry’s cyber workforce, the Healthcare & Public Health Sector Coordinating Council recently posted a 14-page analysis on the matter entitled “Healthcare Industry Cybersecurity Workforce Guide.” The guide is an excellent introduction to cybersecurity in the healthcare context, covering the myths and realities of recruiting and training cybersecurity staff, strategies you can apply to improve and retain your workforce, and a wide variety of additional resources that fill the gaps and give further explanation.[1] The guide is freely available from the Council’s website, and we encourage you to give it a read.


2. The NSA Turns its Attention to Securing the Country Against Cyberattacks.

Last Tuesday, NSA Director Gen. Nakasone publicly announced that the agency’s newly created Cybersecurity Directorate (“Directorate”) will focus on protecting the country against cyber threats.[2] The Directorate, which is expected to be fully operational in October, will be headed by Anne Neuberger. Neuberger brings a wealth of experience to the position, having served as co-chief of the NSA’s “Russia Small Group,” which was tasked with countering Russian interference in U.S. elections.[3]

The Directorate has outlined a number of goals that should significantly improve the nation’s cybersecurity capabilities once it is fully staffed. These include improvements to the NSA website to make it an accessible source of vulnerability information, the posting of cybersecurity advisories, and the publishing of general research and reports.[4] Additionally, the NSA will continue to promote its open-source reverse-engineering tool, GHIDRA.


3. Big Business for Bug Bounties.

Whether you approve of bug bounties or not, leading companies in various industries are embracing the practice and increasing rewards for helping them find cybersecurity vulnerabilities in their systems and applications.

Most notably, Google recently doubled or tripled the maximum award in numerous bug bounty categories. The increases take the baseline reward for finding a vulnerability in its web services, Chrome OS, and Android software from $5,000 to $15,000.[5] Additionally, anyone clever enough to string together a chain of exploits that would allow an attacker to execute code on a Chromebook could find themselves $150,000 richer by disclosing those vulnerabilities to the company.[6] Google’s commitment to bug bounties may not surprise many, but the numbers show the practice is a growing trend well beyond Google.

Bugcrowd CTO Casey Ellis recently disclosed that the average bug bounty payout has increased by 83% since last year and that rewards for critical vulnerabilities now average around $2,700. HackerOne tells a similar story, reporting that its user base of ethical hackers grew month over month during 2018 and collectively earned over $19 million in payouts.[7] Beyond the private sector, there has been increased interest in bug bounty programs from the federal government. DoD has partnered with HackerOne to host five bug bounty programs to date, and that success has other agencies interested as well.[8]


4. When it Comes to Breach Costs, Healthcare Remains the Champ.

According to a Ponemon Institute report, for the ninth consecutive year the healthcare sector holds the dubious distinction of being the industry with the highest average cost per breach. Ponemon calculates industry costs not only from the legal, regulatory, and technical remediation required after a breach, but also from the likely cost of reputational damage and lost customer trust.[9] Why does healthcare keep this title?

The Ponemon report notes that the highly regulated nature of the healthcare sector imposes considerable costs. Additionally, healthcare has historically had among the highest rates of abnormal customer turnover following a breach, compared with industries like retail and entertainment.[10] That turnover exacerbates the long-term cost of a breach, which matters because only about two thirds of the total cost of a breach is incurred in the first year, and healthcare’s second- and third-year follow-on costs are also among the highest of any industry.[11]


Congress


Tuesday, July 30th:

-No relevant hearings


Wednesday, July 31st:

-No relevant hearings


Thursday, August 1st:

-No relevant hearings


International Hearings/Meetings


EU – No Relevant Hearings


Conferences, Webinars, and Summits

http://www.q1productions.com/device-cybersecurity/

–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)

https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland

–Expo Health – Boston, MA (7/31/2019-8/2/2019)

https://www.expo.health/events/2019-expo-health

–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)

https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)

https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit

–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)

https://endeavor.swoogo.com/2019-California-Cybersecurity-Forum

–Peer Sharing ICS Security Workshop (New Jersey) – Bridgewater, NJ (9/24/2019-9/26/2019)

http://www.cvent.com/events/booz-allen-h-isac-ics-security-meeting/event-summary-0509f405bb88492793c8361529c88c79.aspx

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)

https://h-isac.org/hisacevents/health-it-summit-northeast/

–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)

https://endeavor.swoogo.com/2019-Northeast-Cybersecurity-Forum

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

https://h-isac.org/summits/european_summit/

–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)

https://endeavor.swoogo.com/2019-Minneapolis-Health-IT-Summit

–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)

https://endeavor.swoogo.com/2019_Midwest_Cybersecurity_Forum

–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)

https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit

–Southwest Healthcare Cybersecurity Forum – Dallas, TX (11/15/2019)

https://endeavor.swoogo.com/2019_Southwest_Cybersecurity_Forum

–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)

https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit

–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)

https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/2019-12/6/2019)

https://www.loewshotels.com/coronado-bay-resort


Sundries –


–Ping An’s AI-powered CDSS ‘AskBob’ being trialled in Singapore

https://www.healthcareitnews.com/news/asia-pacific/ping-s-ai-powered-cdss-askbob-being-trialled-singapore

–‘We have to hit the problem the way it hits us’: How the FBI tracks a range of hacking threats

https://www.cyberscoop.com/fbi-cyberthreats-iran-china-russia-north-korea/

–Teenage hackers are offered a second chance under European experiment

https://www.cyberscoop.com/teenage-hackers-police-britain-netherlands/

–Equifax expected to settle breach investigations for $700 million

https://www.cyberscoop.com/equifax-breach-settlement-700-million/

–Adware Is the Malware You Should Actually Worry About

https://www.wired.com/story/adware-most-common-malware/?verso=true

–Streaming Service Suffers 13-Day DDoS Siege by IoT Botnet

https://www.bleepingcomputer.com/news/security/streaming-service-suffers-13-day-ddos-siege-by-iot-botnet/


Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://healthsectorcouncil.org/wp-content/uploads/2019/06/Healthcare-Industry-Cybersecurity-Workforce-Guide-1.pdf

[2] https://www.cnn.com/2019/07/23/politics/nsa-cybersecurity-directorate/index.html

[3] https://www.cyberscoop.com/nsa-russia-small-group-cyber-command/

[4] https://www.cyberscoop.com/nsa-cybersecurity-directorate/

[5] https://www.darkreading.com/vulnerabilities---threats/bug-bounties-continue-to-rise-as-google-boosts-its-payouts/d/d-id/1335322

[6] https://www.darkreading.com/vulnerabilities---threats/bug-bounties-continue-to-rise-as-google-boosts-its-payouts/d/d-id/1335322

[7] https://www.hackerone.com/sites/default/files/2019-03/the-2019-hacker-report_0.pdf

[8] https://www.hackerone.com/press-release/us-department-defense-kicks-fifth-bug-bounty-challenge-hackerone

[9] https://healthitsecurity.com/news/data-breaches-cost-healthcare-6.5m-or-429-per-patient-record

[10] 2018 Cost of a Data Breach: Global Review: Ponemon.

[11] https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years