TLP White – In this edition of Hacking Healthcare, we explore the potential to update one of the landmark bills in healthcare. Then, we examine the case of a Hungarian white hat and the risks of being an ethical hacker. Finally, we detail how ransomware is evolving, and how that change could require a rethink in policy.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Time to Overhaul HIPAA?
It’s no secret that the rapid pace of technological advancement often makes even prudent legislation obsolete after a relatively short period of time. The Health Insurance Portability and Accountability Act (“HIPAA”), lauded as a landmark in health privacy law, is now over 20 years old and is beginning to show its age. So what could new health data legislation look like? And why now?
The answers to both of those questions may be partially revealed by discussion around the newly introduced American Data Dissemination Act of 2019, or ADD Act.[1] Introduced in mid-January by Senator Marco Rubio (R-FL), the bill is seen by many as a way of imposing a singular federal data privacy standard on internet services providers that would take precedence over the current patchwork of state and sector specific laws.[2] This could be a welcomed change as organizations struggle to deal with an ever evolving data privacy legal landscape where legislative changes in one state can affect operations across the rest.
Another major consideration for new legislation is the emergence of technologies that house health data but are not fully contemplated by HIPAA. Social media apps, wearable health trackers, connected medical devices, and other new technologies that create health-related data points can be tracked, sold, and used to create profiles of individuals. The executive branch has also taken an increased interest in this area recently, as the Food and Drug Administration has published multiple guidance papers on recommended data security and privacy practices for connected medical devices.[3]
There are no easy answers for this issue. However, legislators appear to be reopening the conversation around how protected and private our personal data should be, which could have implications for HIPAA as well as companies who deal in health information.
2. The Dangers of Ethical Hacking.
The nascent trend of companies adopting vulnerability disclosure policies in an effort to clarify the uncertainties of vulnerability reporting will not help an ethical hacker apprehended in Hungary. An ethical hacker reported a security vulnerability in Magyar Telekom’s IT systems in April of last year, but despite making official contact with the company for collaboration, no formal agreement was reached.[4] The ethical hacker continued to probe Magyar Telekom’s systems, where he reportedly found a particularly severe vulnerability. However, in the process of this secondary probe, Magyar Telekom’s security teams detected his intrusion into their system and the company subsequently brought charges that could subject him to 8 years of prison time.[5]
The Hungarian Civil Liberties Union (“HCLU”) is currently defending the white hat hacker on the basis that ethical hacking serves as a benefit for all of society.[6] According to Bleeping Computer, the HCLU has a history of defending ethical hackers in recent years and their expertise will be needed in this ongoing trial.[7]
The case illustrates the uncertain legal climate in which ethical hackers are forced to operate until policies and norms on reporting vulnerabilities are more mainstream. While there will be skepticism around well-intentioned “attacks” from white hats, the growing awareness of vulnerability disclosure policies and the successes of high profile bug bounty programs may encourage progress on the issue.
3. Paying Ransomware.
The traditional stance of experts in cybersecurity and law has been to not negotiate with cyber criminals employing ransomware. The arguments for taking a hardline on this issue are logical and numerous, including the fact that paying a party off does not guarantee that decryption keys will be provided to recover data. Also, there is always the potential for attackers to raise the price of the ransom once it’s been signaled that there is something valuable at stake, the possibility of being re-targeted, and the increased incentive for this type of activity to continue if a ransom is paid out.
However, a panel at the Legalweek conference in New York was among the latest to delve into nuances that need to be considered when targeted by ransomware attacks. One of the panelists, Mark Knepshield from insurer McGriff, Seibels and Williams, reasoned that paying out a small amount was likely to be the easiest solution.[8] Matthew Todd, a principal consultant at Full Scope Consulting, noted that the evidence rich environment of these attacks often allows for corporate security teams and attorneys to recognize the likelihood of recovering their information and make case by case decisions.[9]
Furthermore, recent changes to the method of ransomware deployment, the type of business targeted, and the professionalism of cybercriminals may dictate serious reconsideration of the hardline model. Cybercriminals appear to be more targeted in their ransomware attacks, looking for businesses likely to have the funds to pay out.[10] Once these higher profile targets are recognized, infiltrated, and data of particular value has been found, the criminals may wait for a product launch, industry event, or end of sales quarter to spring their attack. All of this is to say that these new targeted attacks appear to be influenced more by maximizing the probability of a payout rather than maximizing disruption of systems.[11]
Congress –
Tuesday, February 5th:
–Hearings to examine how primary care affects health care costs and outcomes. (Senate – Health, Education, Labor, and Pensions Committee)
–Hearings to examine an implementation update on the Department of Veterans Affairs’ electronic health record modernization. (Senate – Appropriations – Subcommittee on Military Construction and Veterans Affairs, and Related Agencies)
Wednesday, February 6th:
–No relevant hearings.
Thursday, February 7th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–H-ISAC EU Council Meeting and Workshop – London, UK (2/5/2019)
<https://h-isac.org/hisacevents/h-isac-cyberrx-biotech-pharma-workshop-london/>
–HCIP Fireside Chat Series (Webinar) (2/6/2019)
<https://meetingserver.hhs.gov/orion/joinmeeting.do?MTID=d301763a303e7c88b6b172892968afe9>
–HCIP Fireside Chat Series (Webinar) (2/8/2019)
<https://meetingserver.hhs.gov/orion/joinmeeting.do?MTID=d301763a303e7c88b6b172892968afe9>
–13th Seminar by Medical ITSecurity Forum – Tokyo, Japan (2/9/2019)
<https://h-isac.org/hisacevents/13th-seminar-by-medical-itsecurity-forum-tokyo-japan/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC Israel Showcase & Innovation – Tel Aviv, Israel (4/8/19-4/13/19)
<https://www.regonline.com/registration/Checkin.aspx?EventID=2551847>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Yahoo data breach payout blocked by judge
<https://www.bbc.com/news/technology-47044652>
–Facebook pays teens to install VPN that spies on them
<https://techcrunch.com/2019/01/29/facebook-project-atlas/>
–DHS releases emergency order to prevent DNS hijacking
<https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/>
—FireEye: New APT goes after individual targets by hitting telecom, travel companies
<https://www.cyberscoop.com/apt39-fireeye-telecom-travel-comapnies-middle-east/>
—Apple disables group chat on FaceTime after discovery of bad bug
<https://www.cyberscoop.com/facetime-bug-group-chat-disabled-apple-ios-macos/>
–Tech startups are making security moves sooner. They don’t have much of a choice.
<https://www.cyberscoop.com/startups-cybersecurity-investments/>
—Japan Authorizes IoT Hacking
<https://www.darkreading.com/attacks-breaches/japan-authorizes-iot-hacking/d/d-id/1333745>
—SECURITY ISN’T ENOUGH. SILICON VALLEY NEEDS ‘ABUSABILITY’ TESTING
<https://www.wired.com/story/abusability-testing-ashkan-soltani/>
—THE PITFALLS OF FACEBOOK MERGING MESSENGER, INSTAGRAM, AND WHATSAPP CHATS
<https://www.wired.com/story/facebook-messenger-whatsapp-instagram-chat-combined-encryption-identity/>
—SECURITY NEWS THIS WEEK: PRIVACY WINS IN SIX FLAGS FINGERPRINTS RULING
<https://www.wired.com/story/six-flags-biometric-privacy-security-roundup/>
–Cheap Internet of Things gadgets betray you even after you toss them in the trash
<https://techcrunch.com/2019/01/30/cheap-internet-of-things-gadgets-betray-you-even-after-you-toss-them-in-the-trash/>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.rubio.senate.gov/public/_cache/files/3859c1d4-fd09-47c1-afa1-c1684e2f8df9/A9470F75C36C8115D756746340CC1E55.american-data-dissemination-act.pdf
[2] https://www.theverge.com/2019/1/29/18197541/health-data-privacy-hipaa-policy-business-science
[3] https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm
[4] https://www.bleepingcomputer.com/news/security/ethical-hacker-exposes-magyar-telekom-vulnerabilities-faces-8-years-in-jail/
[6] https://hungarytoday.hu/ethical-hacker-faces-8-years-in-prison-for-exposing-vulnerability-in-telekoms-system/
[7] https://www.bleepingcomputer.com/news/security/ethical-hacker-exposes-magyar-telekom-vulnerabilities-faces-8-years-in-jail/
[8] https://www.cyberscoop.com/ransomware-pay-hackers-worth-risk-lawyers/
[10] https://www.zdnet.com/article/ransomware-not-dead-just-getting-a-lot-sneakier/