TLP White: In this edition of Hacking Healthcare, we discuss a new HHS proposed rule that seeks to improve the security of electronic health information. We also break down a new HIMSS survey of information security professionals within various healthcare organizations and identify some emerging trends. We then dive into a website’s knee jerk response to a security researcher who tried to notify the site of vulnerabilities in its source code. Finally, we remind you of NIST’s rapidly progressing Privacy Framework, which the agency suggests will work in tandem with its recently published Cybersecurity Framework.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. HHS Publishes Proposed Rule to Update Electronic Health Information Regulations.
The U.S. Department of Health and Human Services (“HHS”) recently published a proposed rule to improve the interoperability of electronic health information (“EHI”).[1] HHS hopes to increase competition and innovation by pressuring healthcare providers to give patients secure access to health information and new tools to enhance choice in care and treatment. The agency released its 700+ page proposed rule intending to support “seamless and secure access, exchange, and use of electronic health information.”[2] HHS has invited interested parties to submit comments on the text of the rule by May 3, 2019.
One notable point about the regulation is that HHS’s proposed rule suggests organizations can block the transmission of EHI if an individual requesting access to EHI cannot prove their identity. Also, for the first time, HHS provides formal recommendations on multifactor authentication and encryption in the context of EHI. The regulation asks health IT module developers to voluntarily attest to whether their modules encrypt authentication credentials and whether the modules support multifactor authentication. HHS has indicated that they hope this voluntary attestation option will create incentives for vendors to implement multifactor authentication and encryption protocols to better protect EHI.
2. HIMSS Publishes 2019 Cybersecurity Survey.
In 2018 the Healthcare Information and Management Systems Society (“HIMSS”) conducted a survey of 166 information security leaders from a variety of healthcare organizations to learn about their experiences and practices.[3] The survey revealed a number of interesting insights touching on resource allocation to cybersecurity practices as well as common vectors of cyberattacks. For example, on a positive note, 38% of survey respondents indicated that their cybersecurity budgets increased by 5% or more last year. On the negative side, the report stated that 59% of respondents identified email as the most common initial point of compromise for healthcare organization security incidents, 18% of organizations surveyed do not conduct phishing tests, and 69% of respondents said they had at least some unsupported legacy systems in place.
At a broader level, the report also hypothesized that the positive strides in healthcare organization cybersecurity practices are tempered by a certain degree of complacency among information security leaders. For example, HIMSS stated that survey respondents may be overconfident in their abilities to remediate and mitigate security incidents. The report indicated that information security leaders have been “lulled” into thinking the issues they face are insubstantial and are only “somewhat” of a challenge.
3. Website Threatens Security Researcher After He Exposes Vulnerabilities.
Conservative website 63red Safe, a Yelp-like platform that connects individuals with businesses, recently threatened a security researcher who discovered vulnerabilities in the site.[4] Last Monday, a researcher revealed that the website founder’s username, password, and email address appears twice in the site’s source code. He also alerted the site to the fact that there are no authentication protocols for its APIs, thereby allowing anyone to spoof a user or retrieve details on any account holder. The researcher divulged all of this information in a Twitter thread. In response, the site founder allegedly contacted the FBI and claimed the researcher had attempted to access the site’s database servers. Calling the researcher’s actions “a politically motivated attack,” the site founder threatened to pursue the matter “to the utmost extent of the law.”[5]
While it can be alarming and unsettling to learn that your systems or platforms may be insecure, security researchers serve an important (and, oftentimes free) function in the cybersecurity universe. They detect vulnerabilities in online systems and report those vulnerabilities to administrators so they can be fixed. It is important, therefore, for both sides—the researcher and the affected platform/business—to engage with each other respectfully, calmly, and in a responsible manner. Ensuring that relationships between businesses and security researchers remain cordial and professional benefits all parties involved.
4. NIST Privacy Framework Follows in the Footsteps of the Agency’s Already Published Cybersecurity Framework.
The National Institute for Standards and Technology (“NIST”) is gearing up to release a privacy framework that will counsel businesses on voluntary best practices to adopt to help bolster data privacy. The agency has reassured interested parties that its pending privacy framework will be interoperable with its already existing cybersecurity framework.[6] Some in the industry worried when NIST announced its intent to publish a privacy framework because they thought it might duplicate much of the work done by cybersecurity framework, thereby confusing users and creating inconsistent approaches to privacy and security. However, NIST has noted that the privacy framework will build on the cybersecurity framework and even adopt some of its structural underpinnings, such as the “five functions”—identify, protect, control, inform, and respond.[7] It will also adopt the organizational approach of functions, categories, subcategories, and informative references to guide users through the framework.
NIST has not yet published the privacy framework, but in late February, the agency put forth an outline of its proposed approach that has given the public some insight into its content.[8] The outline notes that the framework will be risk-based, outcome-based, voluntary, and non-prescriptive. In addition to the outline, NIST has also posted a summary analysis of the responses it received to its November 2018 request for information on the framework to its website.[9] NIST invites interested individuals and businesses to submit feedback on the outline and other working draft documents to privacyframework@nist.gov before the agency releases a final version of the framework.[10]
Congress –
Tuesday, March 19th:
–No relevant hearings.
Wednesday, March 20th:
–No relevant hearings.
Thursday, March 21st:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–DMARC Demystefied – H-ISAC Radio – Webinar (3/18/19) Podcast in H-ISAC Member Portal
<https://h-isac.org/hisacevents/dmarc-step-by-step/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://www.first.org/events/symposium/london2019/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–Networking Dinner with Philips and Valimail – Boston, MA (3/28/2019)
<https://h-isac.org/hisacevents/networking-dinner/>
–InfoSec World 2019 – Lake Buena Vista, FL (4/1/19-4/3/19)
<https://infosecworld.misti.com/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)
<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
—United States: Bipartisan Legislation to Improve Cybersecurity of Internet-of-Things Devices Introduced in Senate & House
<https://www.marketwatch.com/press-release/united-states-bipartisan-legislation-to-improve-cybersecurity-of-internet-of-things-devices-introduced-in-senate-amp-house-2019-03-13>
—Senators want to know when they’ve been hacked
<https://www.cnet.com/news/senators-want-to-know-when-congress-has-been-hacked/#ftag=CAD590a51e>
—Security and tech advice for pharma looking to move to the cloud
<https://www.healthcareitnews.com/news/security-and-tech-advice-pharma-looking-move-cloud>
—North Korean Hackers Behind $571M Crypto Heists Says UN Report
<https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-571m-crypto-heists-says-un-report/>
—Backdoor discovered in Swiss voting system would have allowed hackers to alter votes
<https://www.cyberscoop.com/swiss-voting-system-flaw-encryption/>
—Microsoft patches two zero-days exploited by FruityArmor, SandCat hacking groups
<https://www.cyberscoop.com/microsoft-zero-days-exploited-fruityarmor-sandcat/?
—A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates
<https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/>
—IBM trained facial recognition using Flickr images
<https://www.axios.com/ibm-facial-recognition-flickr-images-fdda210e-bd53-4c97-931d-d2c9618b23d9.html>
—Lawmakers Revive Bill to Secure Agencies’ Connected Devices
<https://www.nextgov.com/cybersecurity/2019/03/lawmakers-revive-bill-secure-agencies-connected-devices/155497/>
—EHRs have ‘taken us astray,’ but AI could fix healthcare in a ‘meaningful and positive way
<https://www.healthcareitnews.com/news/eric-topol-ehrs-have-taken-us-astray-ai-could-fix-healthcare-meaningful-and-positive-way>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.govinfo.gov/content/pkg/FR-2019-03-04/pdf/2019-02224.pdf
[2] https://www.healthit.gov/topic/laws-regulation-and-policy/notice-proposed-rulemaking-improve-interoperability-health
[3] https://www.himss.org/sites/himssorg/files/u132196/2019_HIMSS_Cybersecurity_Survey_Final_Report.pdf
[4] https://arstechnica.com/information-technology/2019/03/yelp-but-for-maga-turns-red-over-security-disclosure-threatens-researcher/
[5] https://medium.com/@63red/63red-statement-on-security-1ecdcef20307
[6] https://insidecybersecurity.com/daily-briefs/nist-officials-upcoming-privacy-framework-will-align-cyber-framework
[7] https://threatpost.com/rsa-nist-privacy-framework/142577/
[8] https://www.nist.gov/sites/default/files/documents/2019/02/27/outline_privacy_framework_2.27.19.pdf
[9] https://www.nist.gov/sites/default/files/documents/2019/02/27/rfi_response_analysis_privacyframework_
2.27.19.pdf
[10] https://www.nist.gov/privacy-framework/working-drafts