H-ISAC Report: Hacking Healthcare - TLP White, September 2, 2020

This week, Hacking Healthcare begins with an examination of Health and Human Services’ (HHS) Office of Civil Rights’ (OCR) release of their summer cybersecurity newsletter, which makes the case that implementation of an information technology (IT) asset inventory can aid HIPAA compliance. Next, we brief you on the recent charges levied against ex-Uber Chief Security Officer (CSO) Joe Sullivan for his role in covering up a 2016 data breach and consider what the healthcare sector could do to disincentivize such behavior. Lastly, we break down an insider threat attack with a happy ending and consider what organizations can do to mitigate such attacks.

Welcome back to Hacking Healthcare.

1.      OCR Pitches IT Asset Inventory as Benefit to HIPAA Compliance. On August 25th, OCR released their Summer 2020 Cybersecurity Newsletter. In it, OCR noted that a common aspect in many of their investigations is an organization’s lack of visibility into where electronic protected health information (ePHI) is stored. This lack of insight creates impediments to organizations looking to assess their enterprise-wide risk when it comes to HIPAA Security Rule compliance. In OCR’s view, organizations should seriously consider creating and maintaining an “up-to-date, information technology (IT) asset inventory” to gain better visibility into where ePHI is stored, which will improve their ability to remain HIPAA compliant and avoid penalties.[1]

What is an IT Asset Inventory?

Within their newsletter, OCR defines IT asset inventory as “a comprehensive listing of an organization’s IT assets with corresponding descriptive information,” which may be scoped to include hardware, software, and data.[2] While an IT asset inventory can be scoped only to include hardware, software, and data that relates to ePHI, OCR notes there are significant benefits for those that scope it to include the entirety of an organization’s assets. For those looking for more specifics, the NIST Cybersecurity Framework’s Identify function dedicates an entire category to asset management, complete with informative references to well-known international standards.

How Would I Implement an IT Asset Inventory?

While this process can be conducted manually using in-house solutions tailored exactly to your organization’s specifications, there are numerous IT asset management solutions on the market that can be evaluated to fit the specific needs of healthcare entities. As OCR notes, these dedicated solutions can often include helpful features such as “automated discovery and update processes for asset and inventory management.”[3]

Action & Analysis

**Membership required**

2.      US Department of Justice (DOJ) Charges CSO Over Breach Concealment. In 2016, Uber, the well-known transportation company, suffered a major breach that compromised data on millions of their users. However, despite the significance of the breach, Uber declined to disclose the incident for a year. The story behind the long delay, and the resulting fallout, should act as a cautionary tale for any organization that decides against honoring their obligations to report breaches to the relevant authorities.

Uber described the 2016 breach by stating, “two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service,” which granted them access to “Some personal information of 57 million Uber users around the world,” including “The names and driver’s license numbers of around 600,000 drivers in the United States.”[4] The only problem was that this statement was made in November 2017, a year after the breach had occurred.

As the DOJ explains it, the reason for the delay and the eventual Federal Bureau of Investigation (FBI) investigation was that Uber’s then-CSO, Joe Sullivan, coordinated an attempt to “withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.”[5] Sullivan’s actions include what has been described by US Attorney for the Northern District of California David Anderson as “an illegal hush money [payment]” to the hackers disguised as a bug bounty payment.[6] Uber was forced to pay $148 million in a 2018 settlement, and this past week, Sullivan has been charged with obstruction of justice and misprision of a felony, all of which could lead to a combined 8 years in prison.[7]

Action & Analysis

**Membership required**

3.      Russian Attempt to Compromise Tesla Foiled by Insider Action. Last week, a new DOJ report outlined what appears to be an audacious Russian attempt to compromise Tesla’s computer network this summer. Fortunately, the alleged plan was thwarted by the actions of an insider who dutifully alerted authorities and set in motion an arrest. While ultimately resulting in a positive outcome for Tesla, the story highlights one of the many tactics used by malicious cyber actors and reiterates just how important employees are to an organization’s cybersecurity.

On August 25th, DOJ posted a press release entitled “Russian National Arrested for Conspiracy to Introduce Malware into a Nevada Company's Computer Network,” which broadly outlined the alleged criminal plan.[8] In mid-July, Egor Igorevich Kriuchkov, a Russian national, attempted to “recruit an employee of a company to introduce malware” into a company’s network.[9] The company in question was Tesla, and the goal of the malware was to extract data and hold it for ransom.[10] Interestingly, Kriuchkov actually made his way to the United States in order to recruit the insider and discuss the operation in person. The chosen recruit, who is reportedly a Russian-speaking non-US citizen, was likely earmarked well in advance.[11]

Luckily, the insider dutifully reported this malicious approach to the company and the FBI was promptly involved. Over the next few weeks, with FBI guidance, the insider collected valuable information on the Russian operation, including their infrastructure, processes, and procedures, as well as details that helped the FBI identify the individuals involved. Kriuchkov has since been arrested and is awaiting trial.

Action & Analysis

**Membership required**

Congress

Tuesday, September 1st:

- No relevant hearings

Wednesday, September 2nd:

- No relevant hearings

Thursday, September 3rd:

- No relevant hearings

International Hearings/Meetings

- No relevant hearings

EU –

Wednesday, September 2nd:

- Committee on the Environment, Public Health and Food Safety meeting

Thursday, September 3rd:

- Committee on the Environment, Public Health and Food Safety meeting

Sundries –  

Survey: Nearly 3 in 4 Americans Want More Government Oversight on Data Privacy

https://www.nextgov.com/analytics-data/2020/08/survey-nearly-3-4-americans-want-more-government-oversight-data-privacy/167983/

NIST Calls for Standards to Improve Forensic Capabilities in the Cloud

https://www.nextgov.com/it-modernization/2020/08/nist-calls-standards-improve-forensic-capabilities-cloud/168051/

Search Engines May Expose Patient Health Information, ACR warns

https://healthitsecurity.com/news/search-engines-may-expose-patient-health-information-acr-warns

Contact us: follow @HealthISAC, and email at contact@h-isac.org

Conferences, Webinars, and Summits

-- STOP HEMORRHAGING DATA: MINIMIZE THIRD-PARTY RISK IN HEALTHCARE BY RISKRECON – Webinar (9/1/2020)

https://h-isac.org/hisacevents/stop-hemorrhaging-data-minimize-third-party-risk-in-healthcare-by-riskrecon/

--Healthcare Cybersecurity Forum – Southeast – Webinar (9/9/2020)

https://endeavor.swoogo.com/Southeast_Virtual_Healthcare_Innovation_Cybersecurity_Forum

-- H-ISAC Virtual Threat Hunting Workshop sponsored by RiskIQ – Webinar (9/9/2020)

https://h-isac.org/hisacevents/h-isac-threat-hunting-workshop-sponsored-by-riskiq-members-only/

--H-ISAC European Council Webinar Series – Webinar (9/10/2020)

https://h-isac.org/hisacevents/h-isac-european-council-webinar-series-2/

--How to Stay ahead of Maze and WastedLocker Ransomware by SafeBreach – Webinar (9/16/2020)

https://h-isac.org/hisacevents/how-to-stay-ahead-of-maze-and-wastelocker-ransomware-by-safebreach/

--Cybersecurity Resilience in the World of COVID-19 – Webinar (9/18/2020)

https://h-isac.org/hisacevents/cybersecurity-resilience-in-the-world-of-covid-19/

-- ENISA Trust Services Forum - CA Day 2020 - Schloßplatz Berlin, Germany (9/22/2020)

https://h-isac.org/hisacevents/enisa-trust-services-forum-ca-day-2020/

--Healthcare Cybersecurity Forum – Northeast – Webinar (9/22/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126

--H-ISAC Cyber Threat Intel Training - Titusville, FL (9/22/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-titusville-fl/

--H-ISAC Security Workshop - Virtual (9/23/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-forchheim-germany/

--Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840

--H-ISAC Monthly Member Threat Briefing – Webinar (9/29/2020)

https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-12/

-- The MedTech Conference – Virtual (10/5/2020)

https://h-isac.org/hisacevents/the-medtech-conference-toronto/

-- Healthcare Cybersecurity Forum – Houston, TX (10/8/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840

-- NCHICA AMC Security & Privacy Conference - Durham, North Carolina (10/21/2020-10/22/2020)

https://h-isac.org/hisacevents/nchica-amc-security-privacy-conference/

-- 2020 H-ISAC European Summit - Santpoort-Noord, Netherlands (10/20/2020-10/22/2020)

https://h-isac.org/summits/european-2020-summit/

--CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)

https://h-isac.org/hisacevents/cysec-2020-croatia/

--Healthcare Cybersecurity Forum - Pacific Northwest – Seattle, WA (10/28/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886

--H-ISAC VIRTUAL MEDICAL DEVICE SECURITY WORKSHOP – Webinar (10/29/2020)

https://h-isac.org/hisacevents/h-isac-virtual-medical-device-security-workshop/

--H-ISAC Security Workshop - Seattle, WA – (10/29/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-seattle-wa-2/

--Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)

https://h-isac.org/hisacevents/healthcare-cybersecurity-forum-california-2/

--H-ISAC Security Workshop - Paris, France (11/18/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-paris-france/

--H-ISAC Fall Summit - Phoenix, AZ (11/30/2020-12/4/2020)

https://h-isac.org/summits/fall-summit-2020/

-- H-ISAC Security Workshop - Prague, Czech Republic (12/8/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-prague/

-- 2021 APAC Summit – Singapore (3/23/2021-3/25/2021)


[1] https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html

[2] https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html

[4] https://www.uber.com/newsroom/2016-data-incident/

[5] https://www.justice.gov/usao-ndca/press-release/file/1306781/download

[6] https://www.zdnet.com/article/former-uber-cso-charged-for-2016-hack-cover-up/

[7] https://www.zdnet.com/article/former-uber-cso-charged-for-2016-hack-cover-up/

[8] https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network

[9] https://www.justice.gov/opa/pr/russian-national-arrested-conspiracy-introduce-malware-nevada-companys-computer-network

[10] https://news.clearancejobs.com/2020/08/26/company-insider-works-with-fbi-to-turn-the-tables-on-russias-million-dollar-attempt-to-hijack-the-network/

[11] https://news.clearancejobs.com/2020/08/26/company-insider-works-with-fbi-to-turn-the-tables-on-russias-million-dollar-attempt-to-hijack-the-network/

 
