In this edition of Hacking Healthcare, we begin by discussing a cyber liability insurer’s invocation of a not-so-obscure contractual exclusion to attempt to avoid paying out on an insured’s claim. Then, we turn to an alleged General Data Protection Regulation (“GDPR”) violation that resulted in the first ever GDPR fine imposed by a Portuguese data protection authority on a hospital system. Finally, we discuss a recent discovery by a bug bounty and vulnerability research firm which revealed that the resumes and personal data of over 200 million Chinese citizens had been exposed online.
Welcome back to Hacking Healthcare.
Hot Links –
Cyber Liability Insurer Cites “Warlike Action” Exclusion in Effort to Escape Payout.
Mondelez, a large food corporation that owns major brands such as Ritz and Nabisco, has brought a $100 million lawsuit against its cyber liability insurer, Zurich Insurance Group (“Zurich”), for refusing to pay out on a claim related to the NotPetya ransomware attacks. The NotPetya attacks struck Mondelez and other global companies in 2017 and posed a unique and formidable threat because the malware corrupted data in the course of the ransomware process. Mondelez has claimed that thousands of its servers and laptops were infected by NotPetya, and that further losses resulted from compromised user credentials and unfulfilled customer orders in the fallout of the attacks.
Zurich’s basis for refusing to honor Mondelez’ claim is that the insurance policy covered “physical loss or damage to electronic data, programs, or software,” but it exempted cyber-attacks that spread as “hostile or warlike action in time of peace or war.” In early 2018, the United States, United Kingdom, Canada, Australia, and New Zealand formally blamed Russia for the NotPetya attacks in what was later revealed to be a coordinated diplomatic action. This and a number of other public statements by world governments appear to be the crux of Zurich’s argument for refusing to pay out on Mondelez’ claim. Mondelez will argue that it is a non-military target that operated far from the location of any warfare, the accrued damage did not result in loss of life or injury, and the attacks did not constitute a military action intended for “coercion or conquest,” which are the subjects the war exclusion was allegedly intended to address.
GDPR Fine Issued Against Portugal-Based Hospital.
A Portuguese data protection authority, the Comissão Nacional de Protecção de Dados (“CNPD”), recently fined a Portuguese hospital €400,000 for failing to abide by the GDPR’s terms. Specifically, the CNPD has claimed that Centro Hospitalar Barreiro Montijo failed to: (1) implement appropriate technical and organizational safeguards to protect patient data; (2) minimize data in order to limit access to sensitive health information; and (3) ensure the confidentiality, integrity, and availability of medical systems and services. The hospital intends to challenge the fine, arguing in part that the CNPD has not yet been formally given the authority to enforce the GDPR and that the IT system at the center of the CNPD’s claims was provided to the hospital by the Portuguese government itself.
On top of the fact that this is the first ever GDPR fine levied on a Portuguese hospital and the first ever GDPR fine issued by the CNPD, the fine was the result of a newspaper exposé rather than a formal complaint submitted to the CNPD. Whether the fine and the CNPD’s reasoning can withstand the hospital’s challenge remains to be seen. However, this action shows that European data protection authorities are not timid when it comes to enforcing the GDPR, and that data protection authorities in general are aware of the importance of robust and organized GDPR compliance plans.
200 Million Chinese Citizens’ Resumes (and Personal Information) Exposed Online.
White hat hackers from the bug bounty and research firm HackenProof discovered that over 200 million Chinese citizens’ resumes had been exposed online. Detailed information such as individuals’ names, phone numbers, email addresses, educational histories, political affiliations, and other personal details was openly accessible in a cloud-hosted MongoDB database reachable from the Internet. Researchers believe that the data trove was compiled by a third party who “scraped” a number of Chinese job search sites to assemble the job-seekers’ personal information.
Sensitive and personal information can often become available through avenues that are not immediately obvious. In this case, sensitive information was collected from a number of online job portals where unsuspecting people willingly submitted resumes containing personal data. This incident underscores that data classification and management efforts are exceedingly important in the current climate. Companies need to carefully consider and have a plan for all potential threats in order to most effectively avoid damaging breaches of personal information.
Tuesday, January 15:
–No relevant hearings.
Wednesday, January 16:
–No relevant hearings.
Thursday, January 17:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19-4/4/19)
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/19-4/16/19)
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
–HEALTH IT Summit (Florida) – Wesley Chapel (5/21/19-5/22/19)
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
—CARRIERS SWORE THEY’D STOP SELLING LOCATION DATA. WILL THEY EVER?
—A YUBIKEY FOR IOS WILL SOON FREE YOUR IPHONE FROM PASSWORDS
—HOW HEALTH CARE DATA AND LAX RULES HELP CHINA PROSPER IN AI
—Kaspersky blew whistle on NSA hacking tool hoarder
—Hot new trading site leaked oodles of user data, including login tokens <https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/>
—Tim Cook points at new services and health-tech propelling Apple’s future <https://arstechnica.com/gadgets/2019/01/tim-cook-points-at-new-services-and-health-tech-propelling-apples-future/>
—Hyatt Launches Public Bug Bounty Program on HackerOne <https://www.bleepingcomputer.com/news/security/hyatt-launches-public-bug-bounty-program-on-hackerone/>
—CryptoMix Ransomware Exploits Sick Children to Coerce Payments <https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/>
—Americans resigned to cyberattacks on infrastructure, elections, survey finds <https://www.cyberscoop.com/americans-resigned-to-cyberattacks-on-infrastructure-elections-survey-finds/>
—Security Concerns Limit Remote Work Opportunities
—NCSC Launches Nation-State Cyber Threat Protection Program for Businesses <https://www.darkreading.com/vulnerabilities—threats/ncsc-launches-nation-state-cyber-threat-protection-program-for-businesses/d/d-id/1333615?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
Contact us: follow @HealthISAC, and email at
https://www.hipaaguide.net/portuguese-hospital-the-first-to-pay-e400000-as-gdpr-violation-fine/; https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/
This week we start with a discussion of two National Institute of Standards and Technology (“NIST”) projects that directly address cybersecurity weaknesses in existing healthcare processes. We then turn to a new four-volume Department of Health and Human Services (“HHS”) publication that serves as a voluntary, best-practices guide for healthcare entities of all sizes to use to improve their organizational approaches to cybersecurity. We end by describing a recent hack into an Australian early warning network system, emphasizing the need for increased protection of vulnerable communication networks everywhere.
In this New Year edition of Hacking Healthcare, we look ahead to a number of regulatory shifts on the horizon for international cybersecurity and data privacy. Specifically, we examine the approaches Australia, India, the European Union (“EU”), and the United States (“US”) have signaled they will take to cybersecurity and privacy in 2019. We summarize these countries’ proposed frameworks, map the rapidly changing cybersecurity and privacy landscape, distill some themes and recurring issues, and predict trends and outcomes for the New Year.
This week we start by looking at a phishing technique used by Iranian hackers to circumvent two-factor SMS authentication protections. We then turn to the Marriott data breach and regulators’ claims that China is to blame for the hack, and we discuss a recent Pennsylvania case that could have lasting implications for employers’ efforts to protect employee data. We end by adding some color to last week’s summary of Australia’s Assistance and Access law, a piece of legislation that allows government agencies to access previously unreachable digital communications in order to assist law enforcement efforts.
TLP White: This week we start by discussing a new software update from Apple that allows some smart watch owners to undergo electrocardiogram scans and heart rate monitoring at the touch of a button. We then turn to the Department of Treasury’s effort to crack down on hackers by prohibiting ransomware payments to particular cryptocurrency addresses. We’ll look at Australia, who decided they know best about encryption, and we will end by taking a deeper dive into a health information data incident that has caused a number of states to join forces by bringing a HIPAA lawsuit against the breached company.
TLP White: This week we start by discussing the not entirely far-fetched proposition that bots have First Amendment rights. We also consider a new private sector guide for fighting botnets that aims to shore up technology companies’ cybersecurity protections. We then turn to the British government’s push to move prescription services online by funding NHS trusts’ e-prescription implementation. We end by returning, again, to the issue of encryption and its potential to interfere with legitimate law enforcement efforts.
FL Court Says Data Breach not “Personal Injury,” Senate Privacy Bill, Chinese Huawei and Healthcare Most Vulnerable Sector
Author’s Note: Greetings from the H-ISAC Summit in San Antonio! I will be around all week and looking forward to meeting as many of you as I can and attending the great sessions. I welcome any and all feedback on how Hacking Healthcare can be better, so if you are here and see me, please stop and say hello.
This week we start by recapping a Florida federal court’s interpretation of an insured’s commercial general liability policy in the context of a data breach. We also discuss the Consumer Data Privacy Act of 2018, privacy legislation that has been offered up for discussion by Sen. Ron Wyden (D-OR) in the Senate. We then turn to the US government’s effort to keep its allies from using a Chinese brand of telecommunications equipment due to the equipment’s cybersecurity vulnerabilities. We end by taking a deeper dive into foreign hacks on healthcare systems.
TLP White: This week we start by addressing a new cybersecurity-focused agency within the Department of Homeland Security (“DHS”). We also examine new guidelines published by the United Kingdom’s primary health authority regarding medical professionals’ use of messaging applications. We then discuss similar challenges facing both European and U.S.-based healthcare IT executives, and we end by shedding some light on the continuing problems posed by this year’s Spectre and Meltdown cyber-attacks.
TLP White: This week we start by examining FDA’s recent release of an open source app that aims to help healthcare delivery organizations better collect patient data. We also discuss NTIA’s effort to encourage software component transparency and open communication between healthcare entities. We end by shedding some light on a possible new push to pass federal privacy legislation in the United States.
TLP White: This week we start by examining the impact of the EU’s General Data Protection Regulation (GDPR) and U.S. companies’ initial responses to the law. We also discuss new vulnerabilities that have been discovered in Bluetooth-enabled devices. We end by shedding some light on ever-worsening threats of Chinese hacking and conclude that the problem has escalated in some new and alarming ways.