H-ISAC Hacking Healthcare 11-13-19

TLP White: In this edition of Hacking Healthcare, we explore insider threats and the various ways they can negatively impact organizations. First, we analyze how the convergence of geopolitics and insider threats has led GitLab to consider banning individuals of certain nationalities from critical positions. Next, we brief you on how an insider threat at Trend Micro led to tailored scam attacks against its customers. Finally, we examine the case of two Twitter employees charged with spying for the Saudi Arabian government.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

H-ISAC Hacking Healthcare 11-6-19

TLP White: In this edition of Hacking Healthcare, we lead off by providing you with a few important announcements from the National Institute of Standards and Technology (“NIST”). We then discuss the use of a critical hospital technology and how it has led to public web-streaming of sensitive healthcare information. Next, we fill you in on the rise of attacks against managed service providers, and we explore what that means for small businesses and government entities. We then explore how a group of 15 technology companies is challenging a key assumption of the talent shortage in the cybersecurity workforce. Finally, we give you a brief update on how Norsk Hydro’s cyber insurance payout is fueling skepticism in the cyber insurance market.

H-ISAC Hacking Healthcare 10-29-19

TLP White: In this edition of Hacking Healthcare we break down the United Kingdom’s National Cyber Security Centre’s annual review. Next, we examine the Department of Homeland Security’s push for U.S. federal agencies to implement vulnerability disclosure programs. Finally, we lament the discovery of another set of unsecured medical databases and discuss what you should do when it comes to securing sensitive data in the cloud.

H-ISAC Hacking Healthcare 10-22-19 Geopolitics Issue

TLP White: We’ve dedicated this edition of Hacking Healthcare to giving you a primer on some of the impacts geopolitical tensions can have on healthcare organizations, particularly in relation to technology and cybersecurity considerations. By outlining how geopolitics can lead to sanctions, impact third-party dependencies, create unanticipated competition, and increase the likelihood of cyberattacks and IP theft, we hope you will be better positioned to prepare and respond going forward.

H-ISAC Hacking Healthcare 10-15-19

TLP White: In this edition of Hacking Healthcare, we begin by exploring major proposed changes to the Domain Name System, an Internet mainstay that ties website names to IP addresses. Next, we explore the possibility of the Department of Homeland Security gaining new subpoena powers. Finally, we wrap up with a quick briefing on the U.S. Food and Drug Administration’s Cybersecurity Bill of Materials and its potential shortcomings.

H-ISAC Hacking Healthcare 10-8-19

TLP White: In this edition of Hacking Healthcare, we begin by reviewing the troubling news that 10 hospitals were impacted by ransomware last week. Next, we briefly explore why ransomware, despite its constant presence in news headlines, is not as well understood as might be hoped. Finally, we examine a survey that strongly ties an organization’s cybersecurity maturity to favorable valuations in mergers and acquisitions.

H-ISAC Hacking Healthcare 10-1-19

TLP White: In this edition of Hacking Healthcare we begin by catching up with the latest effort to establish global cyber norms. Next, we look at another high-profile company whose woefully inadequate cybersecurity processes have landed it in hot water. Finally, we explore the implications of a recent D.C. Circuit Court opinion for data breach victims seeking redress.

H-ISAC Hacking Healthcare 9-24-19

TLP White: In this edition of Hacking Healthcare we begin with a quick update on new NIST guidance that impacts the healthcare sector. Next, we look at how industry is beginning to recognize its role in the cyber staffing shortage. We then explore recent allegations that Australia concealed a Chinese attack on its political system. Finally, we examine CISA Director Chris Krebs’ denouncement of cyber scare tactics.

H-ISAC Hacking Healthcare 9-17-19

TLP White: In this privacy-focused edition of Hacking Healthcare we first highlight the release of the NIST Privacy Framework. We then explore the current state of the California Consumer Privacy Act (CCPA). Next, we brief you on industry’s push for federal privacy legislation. Lastly, we provide some insight into how Australia is approaching its own data privacy laws.

Welcome back to Hacking Healthcare.

1. NIST Privacy Framework Release.

Last week saw the release of the preliminary draft of the NIST Privacy Framework. The voluntary framework, which is billed as “A Tool for Improving Privacy through Enterprise Risk Management,” is modeled after the structure of the NIST Cybersecurity Framework. NIST hopes that the shared structure will help organizations see the Privacy Framework as a complement to that document.[1] The Privacy Framework has made steady progress since development began in October of 2018, and NIST is currently looking for comments on this preliminary draft. The NIST Privacy Framework can be found either through the NIST website or through the first link in the endnotes of this paper.

2. The California Consumer Privacy Act.

Certain businesses and industry representatives advocated for important amendments to the California Consumer Privacy Act (CCPA) to make the law more workable for businesses and more privacy protective for consumers before California’s legislators headed home on Friday, September 13th. Ultimately, five amendments were passed before the legislature adjourned and will now go to California Governor Gavin Newsom to sign or veto by October 13th. The California legislature advanced AB 25, AB 874, AB 1146, AB 1355, and AB 1564 to amend the CCPA. Barring some exceptional circumstances, the CCPA will become operative on January 1, 2020 as amended and will become enforceable either on July 1, 2020 or 6 months after the California Attorney General’s publication of final rules interpreting the law, whichever comes first.

The amendments make a number of changes to the law including a temporary employee data exemption, a clarification on the private right of action, a revision of the definition of “publicly available information”, and a dozen or so others. The amendment that failed to pass, AB 846, would have restricted the use of personal information businesses collect through loyalty programs. Overall, the amendments the legislature advanced are not industry-centric and anti-consumerist, and they will primarily help to clarify and improve some parts of the CCPA for both consumers and industry.

3. Industry Looks to Congress for Federal Privacy Legislation.

On September 10th, the Business Roundtable drafted a letter to Congress imploring it to create a comprehensive federal consumer data privacy law to counter the ever-growing patchwork of state laws.[2] The letter was signed by the CEOs of 51 major companies. Among the 51 signatories were Amazon, AT&T, Dell, IBM, State Farm, Visa, and Qualcomm.

The letter briefly outlined how the lack of a comprehensive federal privacy bill will lead to confusion among consumers and hurt the competitiveness of businesses operating within the United States. Additionally, the letter emphasized that a clearly defined federal regulation is a necessity for ensuring stability and innovation. In closing, the Business Roundtable referenced its Framework for Consumer Privacy Legislation as a “detailed roadmap” for Congress to follow.[3]

The Business Roundtable’s efforts reflect a larger trend in industry of concern over competing and potentially conflicting state standards when it comes to data privacy. Industry generally hopes that preemptive federal legislation is coming, and it has a vested interest in procuring such legislation so it does not have to potentially comply with up to 50 state privacy laws in the event of unauthorized data exposure. In addition, consumers have an interest in a single federal privacy standard so they can benefit from businesses’ compliance with clear rules that are not dependent on geography or overly complex privacy policies. But the longer a federal policy takes, the longer industry will have to contend with the growing patchwork of state laws. With the 2020 election year rapidly approaching, there will be limited bandwidth for Congress to engage in a thoughtful and prolonged debate over data privacy, but this is likely an issue it will have to take under consideration sooner rather than later.

4. Australia Backtracks on Consent.

The United States is not the only country currently attempting to navigate issues surrounding data privacy. A new development out of Australia represents a blow to privacy advocates who have demanded that consent be a requirement of any new national privacy legislation. A recently published Discussion Paper, which focuses on the government’s efforts to modernize its laws on public sector data, outlines the Australian government’s new position. The paper backtracks on the government’s previously expressed views concerning consent from only a year ago. The government’s revision is being framed as taking what it calls a “nuanced” position on the matter.[4]

The Australian government cited its concern that requiring consent for the collection of public sector data would skew data collected for policy research and public programs, ultimately creating biased data sets that would lead to ineffectual policies and public programs. It has instead opted for “placing the responsibility on Data Custodians and Accredited Users to safely and respectfully share personal information where reasonably required for a legitimate objective.”[5] It is unclear if the revision on consent will become final, as there is at least one more round of public engagement before any bill is introduced into Parliament.[6]

Congress

Tuesday, September 17th:

-No relevant hearings

Wednesday, September 18th:

-No relevant hearings

Thursday, September 19th:

-No relevant hearings

International Hearings/Meetings

EU – None this week

Conferences, Webinars, and Summits

–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)

https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/

–Health and Real Estate Webinar: Shared Cyber and Physical Challenges – Webinar (9/19/2019)

https://h-isac.org/hisacevents/health-and-real-estate-webinar-shared-cyber-and-physical-challenges/

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)

https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit

–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)

https://endeavor.swoogo.com/2019-California-Cybersecurity-Forum

–2019 Alabama Healthcare Fraud Summit – Birmingham, AL (9/20/2019)

https://h-isac.org/hisacevents/2019-alabama-healthcare-fraud-summit/

–Peer Sharing ICS Security Workshop (New Jersey) – Bridgewater, NJ (9/24/2019-9/26/2019)

http://www.cvent.com/events/booz-allen-h-isac-ics-security-meeting/event-summary-0509f405bb88492793c8361529c88c79.aspx

–Summit on Security and Third-Party Risk – Leesburg, VA (9/30/2019-10/2/2019)

https://grfederation.org/summit/2019/overview

–Healthcare Cybersecurity: The Current Diagnosis & How to Cure Pain Points – Webinar (10/1/2019)

https://h-isac.org/hisacevents/healthcare-cybersecurity-the-current-diagnosis-how-to-cure-pain-points/

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)

https://h-isac.org/hisacevents/health-it-summit-northeast/

–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)

https://endeavor.swoogo.com/2019-Northeast-Cybersecurity-Forum

–H-ISAC Grand Rounds Webinar Series #1: Cost Effective Threat Intel – Webinar (10/9/2019)

https://h-isac.org/hisacevents/h-isac-grand-rounds-webinar-series-1-cost-effective-threat-intel/

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

https://h-isac.org/summits/european_summit/

–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)

https://endeavor.swoogo.com/2019-Minneapolis-Health-IT-Summit

–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)

https://endeavor.swoogo.com/2019_Midwest_Cybersecurity_Forum

–CHIME Healthcare CIO Boot Camp – Phoenix, AZ (11/6/2019-11/9/2019)

https://h-isac.org/hisacevents/chime-healthcare-cio-boot-camp/

–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)

https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit

–Southwest Healthcare Cybersecurity Forum – Dallas, TX (11/15/2019)

https://endeavor.swoogo.com/2019_Southwest_Cybersecurity_Forum

–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)

https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit

–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)

https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/2019-12/6/2019)

https://www.loewshotels.com/coronado-bay-resort

Sundries

–New NetCAT Attack Can Leak Sensitive Data From Intel CPUs

https://www.bleepingcomputer.com/news/security/new-netcat-attack-can-leak-sensitive-data-from-intel-cpus/

–6 biggest healthcare security threats for 2020

https://www.csoonline.com/article/3262187/5-biggest-healthcare-security-threats-for-2018.html

–Apple continues health push with three new medical studies

https://arstechnica.com/gadgets/2019/09/apple-continues-health-push-with-three-new-medical-studies/

–Consumer Technology Association publishes new health data privacy guidelines

https://www.healthcareitnews.com/news/consumer-technology-association-publishes-new-health-data-privacy-guidelines

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.nist.gov/sites/default/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf

[2] https://s3.amazonaws.com/brt.org/BRT-CEOLetteronPrivacy-2.pdf

[3] https://s3.amazonaws.com/brt.org/privacy_report_PDF_005.pdf

[4] https://www.datacommissioner.gov.au/sites/default/files/2019-09/Data%20Sharing%20and%20Release%20Legislative%20Reforms%20Discussion%20Paper%20-%20Accessibility.pdf

[5] https://www.datacommissioner.gov.au/sites/default/files/2019-09/Data%20Sharing%20and%20Release%20Legislative%20Reforms%20Discussion%20Paper%20-%20Accessibility.pdf

[6]

H-ISAC Hacking Healthcare 9-10-19

TLP White: This edition of Hacking Healthcare will explore the topic of cyber insurance. We will briefly discuss what cyber insurance is, what it may or may not cover, why cyber insurance lacks standardization, and what growing pains this industry is working through.
