TLP White: In this edition of Hacking Healthcare, we discuss the UK’s recent decision to allow Huawei to construct portions of the country’s 5G network infrastructure.  We then break down a new vulnerability affecting the peer-to-peer connectivity of internet-of-things (“IoT”) devices.  Finally, we dive into healthcare organizations’ cyber-readiness and the unique challenges facing them in the form of legacy systems, strict regulatory requirements, and a lack of network segmentation.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.

Welcome back to Hacking Healthcare.

Hot Links –

1. UK Gives Huawei an Entry Point.

Last week news outlets reported that the UK will allow Huawei to participate in building infrastructure for the nation’s 5G network, albeit on a limited basis.  Huawei, a Chinese telecom equipment company alleged to operate as an arm of the Chinese government, has been granted the ability to supply certain “non-core” hardware to UK cellular phone manufacturers.[1]  After news of the decision leaked to the press, Chinese Ambassador to the UK Liu Xiaoming condemned political pressure against the choice, imploring Britain to make “the right decision independently based on its national interests and in line with its need.”[2]  The Chinese ambassador’s statement is generally understood to refer to UK allies, such as the United States and Australia, who have publicly expressed interest in minimizing Huawei’s ability to contribute to 5G network infrastructure.

As we have discussed previously, 5G network security is a hot-button issue in part because of how powerful the technology is projected to be.  Some analysts suggest that 5G could be up to 100 times faster than 4G, which could allow for super-sophisticated IoT devices along with other impressive technological advancements.[3]  The potential for the technology suggests 5G will be ubiquitous, so vulnerabilities in the network could be devastating.

2. New Vulnerability Exposes Millions of Smart IoT Devices.

Researcher Paul Marrapese recently reported a vulnerability in a peer-to-peer communications software called iLinkP2P.  The software, which is installed in millions of IoT devices around the world (such as security cameras, Webcams, baby monitors, smart doorbells, and digital video recorders), has a significant security issue that can expose the devices’ owners and users to eavesdropping, credential theft, and remote compromise at the hands of hackers.[4]

To discover the vulnerability, Marrapese built a proof-of-concept attack that took advantage of the devices’ “heartbeat” features.  After being connected to a network, iLinkP2P-enabled devices regularly send a “heartbeat” ping to the network servers.  The researcher discovered that knowing a valid device’s UID alone could allow an attacker to issue fake “heartbeats” to the network, overtaking those issued by the actual device.[5]  Attackers could then obtain a user’s credentials to a device, enabling them to take it over and co-opt it for their own use.
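
A simplified model of the weakness described above, added here as an illustration and not taken from iLinkP2P or from Marrapese’s research: a registry that trusts any heartbeat naming a known UID, beside one that requires an HMAC under a per-device key and a rising counter. The class names, message layout, UID, key and addresses are constructed assumptions; the real protocol’s format is not given on this page.

```python
import hashlib
import hmac


class UidOnlyRegistry:
    """Weak model: a heartbeat is trusted because it names a known UID."""
    def __init__(self, known_uids):
        self.known = set(known_uids)
        self.route = {}  # uid -> address that clients are pointed at

    def heartbeat(self, uid, src_addr):
        if uid not in self.known:
            return False
        self.route[uid] = src_addr  # latest sender wins, whoever it is
        return True


class AuthenticatedRegistry:
    """Hardened model: HMAC under a per-device key plus a strictly rising counter."""
    def __init__(self, device_keys):
        self.keys = dict(device_keys)  # uid -> secret provisioned per device
        self.last_counter = {}
        self.route = {}

    @staticmethod
    def tag(key, uid, counter):
        return hmac.new(key, f"{uid}|{counter}".encode(), hashlib.sha256).digest()

    def heartbeat(self, uid, counter, mac, src_addr):
        key = self.keys.get(uid)
        if key is None or not hmac.compare_digest(mac, self.tag(key, uid, counter)):
            return False  # unknown UID, or sender does not hold the device key
        if counter <= self.last_counter.get(uid, -1):
            return False  # replayed or stale heartbeat
        self.last_counter[uid] = counter
        self.route[uid] = src_addr
        return True


def demo():
    uid, key = "EXMP-000001-ABCDE", b"constructed-per-device-secret"  # constructed
    weak = UidOnlyRegistry([uid])
    weak.heartbeat(uid, "198.51.100.10")  # the real device
    weak.heartbeat(uid, "203.0.113.66")   # a sender that only knows the UID
    strong = AuthenticatedRegistry({uid: key})
    good = AuthenticatedRegistry.tag(key, uid, 1)
    strong.heartbeat(uid, 1, good, "198.51.100.10")
    forged = strong.heartbeat(uid, 2, b"\x00" * 32, "203.0.113.66")
    replayed = strong.heartbeat(uid, 1, good, "203.0.113.66")
    return weak.route[uid], strong.route[uid], forged, replayed
```

In the weak model the route for the UID ends up at the second sender’s address; in the hardened model both the forged and the replayed heartbeat are rejected and the route stays with the device.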

 

3. Healthcare IT Security Falls Short of Expectations.

Recently published cybersecurity reports have highlighted healthcare systems’ lack of cyber-readiness.[6]  Vectra Research’s 2019 Spotlight Report on Healthcare concluded that “healthcare’s legacy infrastructure of unmanaged devices exposes a vulnerable attack surface.”[7]  In addition, CynergisTek’s 2019 Annual Report noted that healthcare organizations on average have implemented less than half of federal agencies’ recommended cybersecurity compliance practices.[8]  Legacy systems, organizational impediments, and regulatory misalignment have created heightened obstacles for healthcare systems to overcome in order to catch up in the cybersecurity arena.

One of the primary cybersecurity issues in the healthcare sector is that many health system networks are unsegmented; this means that most computers on the network maintain the same permissions and abilities to access data maintained on servers.  The dearth of firewall technologies and carefully apportioned security permissions creates vulnerable points of entry for hackers and nefarious actors to exploit.[9]

Congress

Tuesday, April 30th:

–No relevant hearings.

Wednesday, May 1st:

–No relevant hearings.

Thursday, May 2nd:

–No relevant hearings.

International Hearings/Meetings

EU – No relevant hearings.

Conferences, Webinars, and Summits

–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)

<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>

–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)

<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)

<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>

–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)

<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–H-ISAC Healthcare Cybersecurity Workshop – Buffalo, NY (6/18/2019-6/19/2019)

<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>

–Healthcare Cybersecurity Workshop – London, UK (7/10/19)

<https://h-isac.org/hisacevents/workshop-london/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)

<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)

<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>

–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)

<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>

–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

Sundries –

–Someone is spoofing big bank IP addresses – possibly to embarrass security vendors

<https://www.cyberscoop.com/spoofed-bank-ip-address-greynoise-andrew-morris-bank-of-america/>

–Embassies targeted in ongoing spearphishing campaign that weaponized Microsoft Excel files

<https://www.cyberscoop.com/microsoft-excel-check-point-technologies-russia/>

–Patient PII exposed in leak of Pennsylvania-based rehab center records

<https://www.cyberscoop.com/healthcare-records-leak-levittown-pa-steps-to-recovery/>

–Regulations, Insider Threat Handicap Healthcare IT Security

<https://www.darkreading.com/vulnerabilities---threats/regulations-insider-threat-handicap-healthcare-it-security/d/d-id/1334528>

–Bug in French government’s WhatsApp replacement let anyone join Élysée chats

<https://arstechnica.com/information-technology/2019/04/french-governments-secure-chat-app-left-door-open-to-outsiders/>

–Supply Chain Hackers Snuck Malware Into Videogames

<https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/>

–Over 500% Increase in Ransomware Attacks Against Businesses

<https://www.bleepingcomputer.com/news/security/over-500-percent-increase-in-ransomware-attacks-against-businesses/>

–Cybercrime’s Total Earnings Skyrocketed to $2.7 Billion Says the FBI

<https://www.bleepingcomputer.com/news/security/cybercrimes-total-earnings-skyrocketed-to-27-billion-says-the-fbi/>

–Russians Will Soon Lose Uncensored Access to the Internet

<https://www.nextgov.com/policy/2019/04/russians-will-soon-lose-uncensored-access-internet/156543/>

–The Sim Swap Fix That The U.S. Isn’t Using

<https://www.wired.com/story/sim-swap-fix-carriers-banks/>

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.theguardian.com/technology/2019/apr/24/may-to-ban-huawei-from-supplying-core-parts-of-uk-5g-network

[2] https://www.politico.eu/article/beijing-tells-uk-to-resist-external-pressure-on-huawei/

[3] https://www.newyorker.com/news/annals-of-communications/the-terrifying-potential-of-the-5g-network

[4] https://krebsonsecurity.com/2019/04/p2p-weakness-exposes-millions-of-iot-devices/

[5] Id.

[6] https://www.vectra.ai/download/spotlight-report-on-healthcare-2019; https://insights.cynergistek.com/reports/2019-healthcare-cybersecurity-privacy-report?utm_content=home_banner&utm_campaign=2019_report

[7] https://www.vectra.ai/download/spotlight-report-on-healthcare-2019

[8] https://insights.cynergistek.com/reports/2019-healthcare-cybersecurity-privacy-report?utm_content=home_banner&utm_campaign=2019_report

[9] https://www.healthcaredive.com/news/industry-groups-seek-cybersecurity-safe-harbor/551901/