Maryland library breach, Weak Passwords Banned in Cali, Global Supply Chain Risk

Posted by: Julia Annaloro      Date: October 15, 2018

TLP White: We start with a breach impacting a Maryland library system. We also discuss a new law in California banning weak passwords. We conclude by shedding some light on global supply chain risks, including the ones that you did not see coming.

Welcome back to Hacking Healthcare:
 

Hot Links –

   

1. Virus Hits Maryland Library System.

Awareness around vulnerabilities and proper cyber hygiene are important to organizations of all shapes and sizes, including your local library. Those operating the library system in Anne Arundel County, Maryland are working to get it back online after a self-propagating Emotet banking Trojan infected around 600 staff and public library computers. Officials in Anne Arundel County have informed thousands of library customers who used the public computers that their data may have been compromised, and urged them to monitor their personal information for fraudulent activity. This is particularly important for those who used the library computers to access banking or social security information.
 
The library discovered the malware following reports from library staff that they were receiving an abnormal volume of spam to library accounts. Other symptoms included spontaneous computer reboots which spread to public computers. Once it was determined that the unusual activity was caused by malware, the computers were pulled from service. In response to the events, the library has since updated its malware scanning capabilities and is providing staff with training so that they can better recognize the warning signs of a digital threat.
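The first symptom staff noticed was volume: accounts suddenly sending far more mail than usual. The script below is an added example of how that symptom can be turned into a detection over mail logs; it is not the library's tooling, and the log format (`<ISO-8601 timestamp> <sender> <recipient> <message-id>`) and the sample lines are constructed for the example.

```python
"""Added example for the Emotet incident above; it is not the library's tooling.

Flags a mailbox whose outbound volume in one hour jumps far above that
mailbox's own earlier hourly rate, the "abnormal volume of spam" symptom
staff reported. The log format is an assumed one, constructed for this
example:  <ISO-8601 timestamp> <sender> <recipient> <message-id>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: 'alice' behaves normally; 'kiosk7' is quiet for two
# days and then sends 40 messages to 40 distinct outside recipients in one hour.
BASE_LOG = """\
2018-10-01T09:00:00 alice@lib.example bob@lib.example m1
2018-10-01T09:30:00 alice@lib.example carol@lib.example m2
2018-10-01T10:00:00 kiosk7@lib.example vendor@ext.example m3
2018-10-02T09:05:00 alice@lib.example bob@lib.example m4
2018-10-02T14:00:00 kiosk7@lib.example vendor@ext.example m5
"""
BURST = "\n".join(
    f"2018-10-03T08:{i:02d}:00 kiosk7@lib.example victim{i}@ext.example b{i}"
    for i in range(40)
)
SAMPLE_LOG = BASE_LOG + BURST + "\n"


def parse(log: str):
    """Yield (timestamp, sender, recipient, message_id) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, sender, rcpt, mid = line.split()
            yield datetime.fromisoformat(ts), sender, rcpt, mid


def hourly_stats(events):
    """sender -> hour bucket -> (message count, distinct recipients)."""
    msgs = defaultdict(Counter)
    rcpts = defaultdict(lambda: defaultdict(set))
    for ts, sender, rcpt, _ in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        msgs[sender][hour] += 1
        rcpts[sender][hour].add(rcpt)
    return {s: {h: (n, len(rcpts[s][h])) for h, n in buckets.items()}
            for s, buckets in msgs.items()}


def find_bursts(events, ratio=5.0, floor=10):
    """Return [(sender, hour, count, distinct_recipients, baseline)] for hours
    where count >= floor, count > ratio * the sender's mean earlier hourly
    count, and the mail went to many distinct recipients (spam, not a thread).
    The floor keeps a 1 -> 6 message change on a quiet account from alerting."""
    alerts = []
    for sender, buckets in hourly_stats(events).items():
        earlier = []
        for hour in sorted(buckets):
            n, distinct = buckets[hour]
            if earlier:
                baseline = sum(earlier) / len(earlier)
                if n >= floor and n > ratio * baseline and distinct >= floor:
                    alerts.append((sender, hour, n, distinct, round(baseline, 2)))
            earlier.append(n)
    return alerts


if __name__ == "__main__":
    for sender, hour, n, distinct, baseline in find_bursts(parse(SAMPLE_LOG)):
        print(f"{hour:%Y-%m-%d %H:00} {sender}: {n} msgs to {distinct} recipients "
              f"(baseline {baseline}/hour)")
```

The baseline is each sender's own history, so a busy reference desk and a rarely used kiosk are judged separately; the distinct-recipient test separates a spam run from one long reply thread. A sender with no earlier hours has no baseline and is not flagged, so a brand-new account that starts by spamming needs the absolute floor on its own, or a fleet-wide baseline, to be caught.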
 
The implications of an attack like this one on public computers quickly become personal. Individuals who used compromised devices should assume that anything they typed on them, including banking and account credentials, may have been captured, change those credentials, watch the affected accounts, and be careful with any files or removable media they carried home from those machines. Library systems have to be particularly careful about monitoring systems, employing appropriate access controls, and keeping employees appropriately trained in order to limit system disruptions.
 

2. California Bans Weak Passwords.

From our “Hey, at least it’s something” department, we report on California recently passing a law that bans weak passwords in connected devices. The law demonstrates an attempt to bolster the security of Internet of Things (“IoT”) devices by strengthening authentication requirements.
 
The law provides that if a connected device can be authenticated outside of a local area network, it will be deemed to have reasonable security features if either: (1) the preprogrammed device password is unique to each device manufactured; or (2) if the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
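The two options above are easy to state and easy to get wrong. The most common failure of option (1) is a factory password that is technically unique per device but is computed from a public identifier such as the serial number, so that whoever reads the label can recompute it. The following is an added example, not code from the article or from any device vendor, that models that anti-pattern next to a proper random per-device password, and models option (2) as a credential that can do nothing except set its replacement. Serial numbers and passwords are constructed.

```python
"""Added example; not code from the article or from any device vendor.

Models the two compliant options in the paragraph above, and the common
way to get option (1) wrong: a "unique" factory password that is computed
from a public identifier with an unkeyed function. Serial numbers and
passwords here are constructed.
"""
import hashlib
import hmac
import secrets


def factory_password_weak(serial: str) -> str:
    """Anti-pattern. Unique per device, but anyone who reads the serial number
    off the label (or a shipping manifest) recomputes it."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]


def factory_password_random() -> str:
    """Option (1) done properly: drawn from a CSPRNG at manufacture, printed on
    the label, never derivable from the serial number."""
    return secrets.token_urlsafe(12)


def attacker_guess(serial: str) -> str:
    """What an attacker does against the weak scheme: the label is the password."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]


class Device:
    """Minimal credential store for a connected device.

    force_change=True models option (2): the preprogrammed credential can be
    used only to set a new one, never to obtain a session."""

    def __init__(self, serial: str, factory_password: str, force_change: bool = False):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(factory_password)
        self.must_change = force_change

    def _kdf(self, password: str) -> bytes:
        # PBKDF2 for brevity; a shipping device should use a memory-hard KDF.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._kdf(password), self._hash)

    def login(self, password: str) -> str:
        if not self._verify(password):
            return "denied"
        if self.must_change:
            return "password-change-required"   # no session until replaced
        return "ok"

    def set_password(self, old: str, new: str) -> bool:
        if not self._verify(old) or len(new) < 12 or new == old:
            return False
        self._hash = self._kdf(new)
        self.must_change = False
        return True


def scenario():
    """Returns the outcomes of the weak scheme and of the forced-change scheme."""
    weak = Device("SN-0001", factory_password_weak("SN-0001"))
    weak_result = weak.login(attacker_guess("SN-0001"))   # "ok": label-derived password works

    good_pw = factory_password_random()
    good = Device("SN-0002", good_pw, force_change=True)
    first = good.login(good_pw)                            # "password-change-required"
    changed = good.set_password(good_pw, "library-kiosk-2018!")
    after = good.login("library-kiosk-2018!")              # "ok"
    old = good.login(good_pw)                              # "denied"
    return weak_result, first, changed, after, old


if __name__ == "__main__":
    print(scenario())
```

The point of `scenario()` is the first value: the weak device accepts a password the attacker derived from the serial number alone, which is exactly the outcome the law's "unique to each device" wording is meant to rule out. A label printed from a CSPRNG, or a credential that is only good for setting its own replacement, closes that gap.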
 
When it comes to improving security outcomes, it is unclear whether using legislation to impose specific security requirements leads to more secure networks, or whether it is better to provide organizations with incentives in the way of tax breaks or other advantages to lure people into compliance.
 
Either way, weak authentication remains a major vulnerability, and stronger authentication mechanisms will remain an important component of improving the security of connected devices. Other states may follow California's lead as IoT devices continue to proliferate.
 

3. Tiny Spy Chip (maybe?), Big Supply Chain Problem (yes).

This week it may have been difficult to miss headlines about the grain-of-rice-sized, data-stealing hardware alleged to have been installed on Supermicro motherboards before the servers built on them were shipped to several major US companies, including Apple, Amazon, and a telecommunications provider. The attack was reported to have involved individuals gaining access to multiple factories in China and pressuring factory employees to permit the installation of malicious hardware that gave attackers covert access to data on the affected networks.
 
Bloomberg published a few articles breaking the story, explaining the compromise in greater detail. However, Apple, Amazon and others have all flatly denied that any of this actually happened and it doesn’t appear any physical evidence has actually been produced so far. Some may remember a few years ago when it was reported the National Security Agency was planting
 
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:
Hacking Healthcare 10.16.2018 TLP White

Name and Shame, Facebook 3rd Parties, NZ Digital Device Search

Posted by: Julia Annaloro      Date: October 09, 2018

TLP White: Name and shame tactics, the Facebook breach and third-party apps, authentication, and a new law in New Zealand permitting customs agents to search digital devices.

Hot Links –

 

1. Playing the Name and Shame Game.

The U.S. and other governments are playing the name and shame game, relying on this tactic to deter cybercriminals by attributing blame for attacks to specific nation states. Most recently, a U.S. government complaint alleges that a North Korean government-backed programmer executed the 2014 Sony hack and the “WannaCry” attacks. In July 2018, Special Counsel Robert Mueller unsealed an indictment charging a dozen Russian military intelligence officers with interfering in the 2016 elections.

The UK is also pointing fingers, and recently blamed Russian military intelligence for several cyber attacks. The National Cyber Security Centre takes the position that Russia's Main Intelligence Directorate (the GRU) was responsible for four attacks, including the 2016 hack of the Democratic National Committee, the attack on the World Anti-Doping Agency, and the BadRabbit ransomware, in addition to an attack on a UK-based television station.

Regardless of how effective naming and shaming proves to be, these actions, along with sanctions and indictments, are levers that only governments can pull, and they should keep pulling them.

2. Third-Party Concerns Surround Latest Facebook Breach.

Following Facebook’s recent data breach, the company announced that it had found no evidence that any of the 50 million affected user accounts had been used to access third-party apps through Facebook Login. Nonetheless, security experts caution that the breach could have permitted attackers to reach third-party apps and websites through Facebook’s single sign-on (“SSO”) feature. That API lets users log in to other sites with their Facebook credentials, and those sites grant access on the strength of the access token Facebook issues, so anyone holding a valid token for an account can use it wherever the token is accepted.

A professor commenting on Facebook’s investigation noted that although the results are encouraging, i.e. that there is no indication that apps have been accessed, the report lacks important information such as how long Facebook’s audit occurred and the implications for apps. There are continued risks for individuals that used Facebook SSO for other third-party apps.

Current SSO deployment practices are problematic for Facebook and other identity providers: a compromise at the provider reaches every relying site at once, and the resulting logins look legitimate to those sites. While SSO is appealing for developers focused on a seamless user experience, integrating an application with this kind of API carries real risk, and the risk is highest when the function being outsourced is authentication itself.

The Fast Identity Online (“FIDO”) Alliance’s specifications are one response to the authentication problems the Facebook breach highlights. The FIDO specifications and certifications enable an interoperable ecosystem of hardware, mobile, and biometrics-based authenticators that let enterprises and service providers deploy strong authentication that reduces reliance on passwords and protects against phishing, man-in-the-middle and replay attacks that use stolen passwords. Moving away from traditional password mechanisms can help limit large-scale incidents whose impact is difficult to trace, such as the recent Facebook incident.
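Why a FIDO login resists phishing and replay where a password or a bearer SSO token does not comes down to what gets signed: the authenticator signs a fresh server challenge together with the origin the browser actually connected to, so an assertion captured on a look-alike site, or captured once and sent again, is rejected. The following is an added example of that binding, not code from the article or from the FIDO/WebAuthn specifications, and it is simplified: the authenticator's signature is modelled as an HMAC over a per-credential key that the relying party also holds, standing in for the public-key signature the real protocol uses. Origins, user names and credential ids are constructed.

```python
"""Added example of the origin- and challenge-binding that makes a FIDO
login phishing- and replay-resistant. Not code from the article or from
the FIDO/WebAuthn specifications, and simplified: the authenticator's
signature is modelled as an HMAC over a per-credential key that the
relying party also stores, standing in for the public-key signature the
real protocol uses. Origins, user names and credential ids are constructed.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Holds one key per credential and signs only what the browser hands it,
    which includes the origin the browser actually connected to."""

    def __init__(self):
        self._keys = {}

    def create(self, credential_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[credential_id] = key
        return key            # stands in for the public key sent at registration

    def get(self, credential_id: str, origin: str, challenge: str):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True)
        sig = hmac.new(self._keys[credential_id], client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self._credentials = {}   # credential_id -> (user, key)
        self._pending = {}       # challenge -> user; consumed on first use

    def register(self, user: str, credential_id: str, key: bytes):
        self._credentials[credential_id] = (user, key)

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self._pending[challenge] = user
        return challenge

    def finish_login(self, credential_id: str, client_data: str, sig: bytes) -> bool:
        data = json.loads(client_data)
        user = self._pending.pop(data.get("challenge"), None)
        if user is None:                       # unknown or already-used challenge: replay
            return False
        if data.get("origin") != self.origin:  # signed for another site: phishing
            return False
        record = self._credentials.get(credential_id)
        if record is None or record[0] != user:
            return False
        expected = hmac.new(record[1], client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def scenario():
    """Returns (legitimate, replay, phished) outcomes."""
    rp = RelyingParty("https://portal.example")
    auth = Authenticator()
    rp.register("alice", "cred-1", auth.create("cred-1"))

    challenge = rp.begin_login("alice")
    client_data, sig = auth.get("cred-1", "https://portal.example", challenge)
    legitimate = rp.finish_login("cred-1", client_data, sig)
    replay = rp.finish_login("cred-1", client_data, sig)   # same assertion again

    # Phishing: a look-alike site relays the real challenge, but the browser
    # reports the origin the user is actually on, and the signature covers it.
    challenge = rp.begin_login("alice")
    client_data, sig = auth.get("cred-1", "https://porta1.example", challenge)
    phished = rp.finish_login("cred-1", client_data, sig)
    return legitimate, replay, phished


if __name__ == "__main__":
    print(scenario())
```

Contrast this with the SSO case above: a stolen access token or password is a bearer secret that works wherever it is presented. Here the secret never leaves the authenticator, each assertion is tied to one challenge and one origin, and the relying party checks both before it checks the signature.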

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 10.9.18 White

FDA on Digital Health, Twitter Bug Resolved, DHS on Supply Chain, Mid East Tech

Posted by: Julia Annaloro      Date: October 02, 2018

TLP White: FDA’s plans to advance innovation in digital health, a recently resolved bug on the Twitter platform, DHS’s effort to understand and mitigate supply chain risks and how the Middle East is integrating technology to solve healthcare challenges.  Welcome back to Hacking Healthcare:

 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 10.2.2018 TLP White

Data Breach Negligence Claim, Infected Websites, Data Storage Legislation

Posted by: Julia Annaloro      Date: September 25, 2018

TLP White: data breach negligence claim, infected websites in search engines results and proposed data storage legislation in India.
 
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:
Hacking Healthcare 9.25.2018 TLP White

Apple “ECG” watch, OIG on FDA MD cybersecurity

Posted by: Julia Annaloro      Date: September 18, 2018

TLP White: We start with discussion around the Apple watch’s new features and what it means to healthcare. We also look at the OIG’s recommendations for the FDA when reviewing medical devices before they hit the market. We conclude by shedding some light on how using AI to create synthetic brain cancer scans actually preserves privacy. Welcome back to Hacking Healthcare.
 
Authors note: In recognition of the H-ISAC’s increased focus on international healthcare, we will be adding additional information regarding policy and legislative hearings from around the world. We welcome any feedback on how to make this as useful as possible.

Hot Links –

 

1.  Apple Watch’s Medical Makeover.

Last week Apple revealed an upgraded Apple watch with new heart-monitoring and fall-detection capabilities. The new Apple watch contains electrodes and sensors that convert the watch into an electrocardiogram (“ECG”) with the capacity to measure a heart’s electrical activity and detect disorders and irregularities. These new utilities make the Apple watch seem more like a medical device than simply a timepiece, and reflect a larger trend among tech companies that are now dabbling in medical monitoring.

The U.S. Food and Drug Administration (“FDA”) seems to be optimistic about the watch’s potential, stating that the new features “may help millions of users identify health concerns more quickly.” The FDA approved marketing of the ECG app and irregular-rhythm notification on the watch on Tuesday, the day before Apple’s big reveal. The FDA’s approval came just a day after the Department of Health & Human Services Office of the Inspector General (“OIG”) released a report containing recommendations for the FDA regarding cybersecurity and the agency’s medical device review process.
 

2.  OIG Urges FDA to Further Integrate Cybersecurity in Medical Device Review.

As referenced above, the Department of Health and Human Services Office of the Inspector General (“OIG”) recently released a report on its study of the U.S. Food and Drug Administration’s (“FDA”) review of cybersecurity in premarket submissions for networked medical devices. FDA reviews the cybersecurity documentation in a premarket submission before allowing the device to be marketed. Using its 2014 guidance on cybersecurity content in premarket submissions, FDA reviewers consider whether the submission addresses known cybersecurity risks and threats, and review any documentation in which the manufacturer describes the device’s cybersecurity risks, the threats it has considered, and the controls it has put in place.

Following the study, OIG made three recommendations: that FDA make better use of presubmission meetings to address cybersecurity-related questions; that it include cybersecurity documentation as a criterion in its Refuse-To-Accept checklists, which FDA uses to screen submissions for completeness and which currently do not check for cybersecurity information; and that it include cybersecurity as an element in its Smart template, the tool FDA uses to guide reviews of submissions.

3.  AI Application in Healthcare That Actually Preserves Privacy.

 
The trouble with rare medical conditions is, well, they are rare. This makes it difficult for medical professionals to have enough data readily available to detect abnormalities as early as possible. AI researchers from Nvidia teamed up with the Mayo Clinic and the MGH & BWH Center for Clinical Data Science to explore using generative adversarial networks (“GANs”) to create synthetic brain MRI images. A GAN is two neural networks trained against each other: a generator that produces images and a discriminator that tries to tell synthetic images from real ones. Training continues until the discriminator can no longer reliably distinguish the synthesized images from real ones.

This type of machine learning opens the medical field up to a much larger dataset for all types of conditions, including those that are especially rare. The beauty of it is that once the synthetic dataset is created, it can be accessed and shared broadly without running into the patient privacy concerns associated with traditional data collection, with one caveat: a generator can memorize parts of its training set, so synthetic images should be checked for near-duplicates of real scans before they are released. Researchers are actively exploring other ways to apply machine learning to medical research, and we can expect even more innovative applications to come.
 
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.18.2018 TLP White

Australia’s Consumer Data Right, NIST, Encryption

Posted by: Julia Annaloro      Date: September 11, 2018

TLP White: Australia and the development of a Consumer Data Right, NIST’s plans to create a privacy framework, and the 2018 Five Country Ministerial.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.11.2018 TLP White

Cyber Extortion, CVE program, CA Privacy Bill

Posted by: Julia Annaloro      Date: September 05, 2018

TLP White: Cyber extortion, Common Vulnerabilities and Exposures, and California privacy legislation.
 

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 9.05.2018 TLP White

Compelled Decryption, Mirai “Sora”, Apache Struts

Posted by: Julia Annaloro      Date: August 29, 2018

TLP White: Louisiana decryption case and potential repercussions of compelled decryption in the healthcare industry, a resurgence of the Mirai malware, the Apache Struts vulnerability and the multi-stakeholder coordinated vulnerability disclosure process.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.28.2018 TLP White

Chinese Cyber-Recon, PPD-20 Nixed, Medicaid Gaps

Posted by: Julia Annaloro      Date: August 21, 2018

TLP White: Chinese hackers attempt trade advantage, President Trump’s move towards a more offensive cyber strategy, and security gaps in Maryland’s Medicaid Management Information System.  Welcome back to Hacking Healthcare:

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:

Hacking Healthcare 8.21.18 White

DHS, Blockchain/Breach, Breach Barometer

Posted by: Julia Annaloro      Date: August 14, 2018

TLP White:  We start with an announcement from the Department of Homeland Security about the formation of a National Risk Management Center.  We also address some amendments to Ohio law which have implications for Blockchain and data breaches.  We conclude with discussing a recent data breach and the role that employees play in those statistics.  Welcome back to Hacking Healthcare:

 

Hot Links –

1. DHS Announces National Risk Management Center.

From our “Where were you when…?” department, we look at the recent Department of Homeland Security (“DHS”) National Cybersecurity Summit. The summit brought together a few hundred people from government and industry to listen to leaders discuss the importance of cybersecurity to the nation and to their world.

 

The words “collaborate”, “coordinate”, “public/private”, and “partnership” were in full force during the day long summit. If you have spent any time working for or with the government, you may be forgiven for thinking that these words are code for “we don’t really know what we want to do, but working together is better than not. Right?” And in truth, while lots of smart people are committed to making a difference, details were a bit light. DHS did announce a new federal risk management initiative, created to help coordinate risk management efforts among government and industry.[1]  The fact sheet published by DHS explains that as part of the initiative, there will be a new National Risk Management Center (“Center”) housed within DHS.[2]

 

According to DHS, the Center “will create a cross-cutting risk management approach between the private sector and government to improve the defense of our nation’s critical infrastructure.”  DHS has identified three mission areas for the Center: (1) identify, assess, and prioritize risks to national critical functions; (2) collaborate on the development of risk management strategies and approaches to manage risks to national critical functions; and (3) coordinate integrated cross-sector risk management activities.  It is encouraging that there is activity in this space, and we are supportive of DHS and its mission to coordinate and facilitate risk management approaches between the public and private sector.

[1] https://www.dhs.gov/news/2018/08/01/dhs-hosts-successful-first-ever-national-cybersecurity-summit

[2] https://www.dhs.gov/sites/default/files/publications/18_0731_cyber-summit-national-risk-management-fact-sheet.pdf

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC. Read full blog below:
Hacking Healthcare 8.14.2018 TLP White