Category Archives: Healthcare

Healthcare related posts

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
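As an added illustration (not code from the State, IES, or this blog), here is a Python sketch of the defect the notice describes: an access check that admits anyone who ever appeared on a case, next to one keyed on current head-of-household status as the January 2021 fix limited it, plus an audit helper that lists the stale grants. All names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Membership:
    """One row of case membership history (constructed schema, not IES's)."""
    user_id: str
    case_id: str
    role: str                      # "head" or "member"
    added: date
    removed: Optional[date] = None  # None means still on the case


# Constructed sample data: a head of household, a current member, and a
# former member whose access was removed on 2020-06-01.
MEMBERSHIPS: List[Membership] = [
    Membership("alice", "case-100", "head", date(2019, 1, 15)),
    Membership("bob", "case-100", "member", date(2019, 1, 15)),
    Membership("carol", "case-100", "member", date(2019, 1, 15),
               removed=date(2020, 6, 1)),
]


def can_view_case_stale(user_id: str, case_id: str, today: date,
                        memberships: List[Membership] = MEMBERSHIPS) -> bool:
    """Vulnerable pattern: any historical membership row grants access,
    so a removed household member still sees the case."""
    return any(m.user_id == user_id and m.case_id == case_id
               for m in memberships)


def _is_active(m: Membership, today: date) -> bool:
    """A membership is active only inside its [added, removed) window."""
    return m.added <= today and (m.removed is None or m.removed > today)


def can_view_case_fixed(user_id: str, case_id: str, today: date,
                        memberships: List[Membership] = MEMBERSHIPS) -> bool:
    """Hardened pattern: only the current head of household may view the
    case; prior members and other current members are denied."""
    return any(m.user_id == user_id and m.case_id == case_id
               and m.role == "head" and _is_active(m, today)
               for m in memberships)


def stale_grants(case_id: str, today: date,
                 memberships: List[Membership] = MEMBERSHIPS) -> List[str]:
    """Audit helper: users the stale rule admits but the fixed rule rejects.
    Running this across all cases is how a team would size such an incident."""
    users = {m.user_id for m in memberships if m.case_id == case_id}
    return sorted(u for u in users
                  if can_view_case_stale(u, case_id, today, memberships)
                  and not can_view_case_fixed(u, case_id, today, memberships))
```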

Tesco Launches First Checkout-Free Store in London

Following companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores without having to stop at the checkout line. This is done with a huge number of cameras and sensors. My guess is that they are willing to take some losses in the short term to figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app, and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. The attackers target the outdated software and poorly configured hardware of these systems, and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. The pharmacist sold 134 cards to 11 buyers for roughly $1276. He is being charged with theft of government property. That seems like a stretch, but maybe. Mostly they want to make a point that if you want a fake vaccine card, you should create them on Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard. That makes it harder for the feds to discover that you did that. And don’t brag about it on social media. Mind you, just because you do make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is a crime, but it probably won’t get you 120 years, which is why they came up with this creative charge. Just doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange ‘Liquid’. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because they have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

Blackberry Says Older Versions of its QNX OS Vulnerable

Blackberry sells a real-time operating system used in cars, medical equipment and other embedded equipment. This includes 175 million cars (this number doesn’t include the tens of millions of other devices which could have been bought pre-fix and are still in use in factories, warehouses and many other places). But the cars are older cars – Blackberry says that they fixed the bugs in 2012 – after denying for months that they existed. That likely (maybe) means that products that were DESIGNED after 2013 or 2014 are not vulnerable, but that is a design date and not a manufacture date or sale date. Blackberry has released patches to manufacturers, but that doesn’t mean that patches have been installed. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware. Just encrypt your files and demand money. Then ransomware 2.0 – steal your data and demand money to get it back. Next came ransomware 3.0. With this generation, the hackers go directly to the businesses’ customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4. With V4, the hackers offer employees of the intended victim a cut of the action if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Security News for the Week Ending August 13, 2021

Android Trojan Hits 140 Countries, 10,000 Victims Via Social Media Hijack

Security company Zimperium says they have found a new trojan they call Flytrap that has been around since March and compromises the phones of users who sideload apps from third party app stores. Once the malicious app is on the user’s phone, it uses that user’s social media credibility to infect other users. They say the infected apps are still available for download on third party app stores. Credit: ZDNet

NY Police Department Bought Surveillance Gear Out of a Secret Slush Fund

While the police might not like my term for it, the fund is secret and not subject to oversight by anyone. Since 2007, the city has spent over $150 million this way for mobile x-ray vans, Stingrays and other stuff. The documents that were released were heavily redacted although transparency groups are still trying to get more information. Last year the city passed a law after heavy pressure outlawing the practice, but there are still a lot of gaps in the available information. Credit: Wired

U of Kentucky Had a Bad Day

The University of Kentucky has an active security program. As part of that program they conduct periodic penetration tests. This is a good thing. What made it a bad day is that the pentesters discovered that they weren’t the first people to hack the University. In fact, in January 2021, hackers broke in and stole the entire database of over 350,000 users. How/why did they get in? Two clues. First, the university says that the platform was developed in the early 2000s – long before we were worrying much about hackers. Second, they said they are moving the servers, after the breach, to the university’s centralized server system. This likely means that this system was a second class citizen and protected accordingly. Credit: The Record

Amazon Stepping Up Employee Surveillance Due to Fraud

Data theft, insider threats and imposters accessing customer data at Amazon have gotten so bad that Amazon is considering using keystroke monitoring software to help identify who the good guys are. Credit: Threatpost

Hospitals In Way Over Their Heads on IoT

Philips and CyberMDX released a new report on the state of IoT in hospitals. They split the survey between hospitals with more than 1,000 beds and those with fewer. A third of the respondents had fewer than 10,000 devices, almost a third had fewer than 25,000 devices and another 20% worked for hospitals with fewer than 50,000 devices. While most of the hospitals had an idea of the number of devices on their network, 15% of the mid-sized and 13% of the large hospitals did not even know how many devices were on their network. Almost half of the respondents said their staffing for IoT and medical device security was inadequate. The rest just don’t know that it is inadequate. The rest of the article is even more depressing. Credit: ZDNet

GAO Says Insurers Limit Coverage in High Risk Areas

When insurance companies first started writing cyber risk insurance, it was unbelievably profitable. They were writing many policies and not processing many claims, so they were very happy.

Over the last few years customers discovered that it did not make any sense to buy insurance and not make a claim when a bad event happened. That started making insurance companies nervous. Events like SolarWinds only make things worse.

Last fall, as part of the National Defense Authorization Act, the GAO was chartered to survey the cyber insurance landscape.

The GAO interviewed folks at the Treasury, industry trade associations, a large cyber insurance provider and others to understand the landscape and come up with some suggestions on what to do.

The first thing the GAO discovered is that the number of people who decided to be “self insured” has gone down a lot. Their report says that the percentage of insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020. No one likes writing a check for a million dollars out of their own checkbook. That is good because it increases the risk pool.

But cyber is different than many other coverages. It is not local. If there is a fire in one city it does not cause claims in another. But with cyber, attacks are not geographically constrained.

With an increase in claims, insurers responded.

For example, they reduced coverage limits to healthcare and education, two sectors that had finally decided that insurance was not optional. The healthcare sector saw one of the largest increases in demand between 2016 and 2020.

Recently, underwriting capacity has contracted, especially in high risk sectors such as healthcare, education and public entities. Brokers say this is due to the fact that insurers are worried that these sectors are not prepared to repel attacks. As a result, they are declining to write coverage or charging higher premiums.

In fact, the GAO says, underwriters are increasing scrutiny everywhere and for some that could mean that cyber risk coverage may become unaffordable. When underwriters review a company’s cyber risk program, they may decide that it is not strong enough and the risk of providing coverage is too high.

Policies are also becoming more clear about what is covered or, more importantly, what is not covered. That means that customers need to read those policies way more carefully than they have in the past. Insurance underwriters are unlikely to say “although we covered ‘x’ last year, we are not going to cover ‘x’ this year”. It is more like “see if you can figure out what we removed from the policy this time”. And, oh yeah, your premium is going up.

Part of this is due to the insurance underwriters’ inability to predict risk. When it comes to, say, fire insurance, underwriters have a couple hundred years of data to use to predict with and, if anything, buildings are becoming safer. When it comes to cyber, realistically, underwriters have 5-10 years worth of relevant data and the risk factor is anything but safer.

Another factor is the new rule by Treasury that paying ransoms could land you a 20 year all-expenses-paid vacation in a federal “crossbar hotel”. Insurance companies tend to pay the ransom as the least expensive way to fix their problem. If they can’t do that, costs – and risk – go up.

The industry says that they need more incident data. The bad news is that more data will likely show more previously unreported events, making underwriters even more nervous.

What does that mean to you and me? It means that it may be harder to find coverage, the underwriting process may be more invasive, the premiums may be higher and the coverage may be more restrictive. Plan for it.

Finally, if your broker is not an expert in cyber coverage, you may not get the best advice. A broker who writes a couple of policies every now and then is not going to spend the time to learn enough to give you the best advice.

Credit: Health IT Security

Could America’s Healthcare Suffer a Similar Fate to Ireland’s

About ten days ago Ireland’s healthcare system was forced to shut down its computers due to a ransomware attack. Ireland’s health minister said the attack was having a severe impact on the health and social services.

In today’s healthcare world, having doctors and hospitals run without computers means no patient charts and a very labor intensive process to take care of emergencies. Many healthcare visits get cancelled.

BBC is reporting that there were actually two separate attacks. Because they have to figure out how deep the hackers burrowed into the network, it will take a while to recover. That will also depend on how good their backups are and how well they have planned for a situation like this. It also depends on how quickly they were able to contain it, so that maybe not every computer was infected.

The system has some 2,000 software applications to rebuild and as of a couple of days ago, some appointments are still being cancelled.

Unlike the Colonial Pipeline company or CNA insurance, Ireland says they are not paying the hackers. That might be an indication that after Not Petya, they started taking security more seriously and have better disaster recovery and business continuity plans.

Just to understand, they are doing the only safe thing you can do to recover from an attack like this – they are having experts build a completely new, separate network and rebuilding systems on that network. That is a huge amount of work. Some of these systems have been in use since the 1980s, so likely their security model is a bit old.

Could this happen in the U.S.?

Well, probably not, but maybe.

One thing that is different between the U.S. healthcare system and the healthcare system in Ireland is that in Ireland there is basically one healthcare system for the entire country. In the U.S. there are probably millions of separate healthcare systems – from individual doctors, to clinics, to private hospitals to public ones. Each one uses their own healthcare system.

BUT, there are common weaknesses. Many medical facilities have outsourced their systems to one of a few big providers. While these providers likely spend a lot of effort trying to protect their systems, they are a common weakness.

Going back to 2015, Epic, one of those shared health records systems, said that their software contained the records on 54% of Americans and 2.5% of patients worldwide. While they have a lot of competitors and even Epic doesn’t house all of those records in one system, that would be the one place to attack if you wanted to maximize the harm. Likely both Epic and the feds realize this.

So could an attack like what we saw in Ireland happen in the U.S.? It seems that is definitely possible. Hundreds of hospitals in the U.S. have already been hit by ransomware attacks and likely thousands of other medical practices have too – just more quietly.

Unfortunately, this is likely to get worse before it gets better.

What can help is getting better prepared. That is what, likely, allowed Ireland to flip hackers the bird.

The lack of it is also, likely, what forced CNA insurance to pay a $40 million ransom. Ransom demands are getting higher, so assume that whatever people paid last year is obsolete this year.

Are you prepared? Or are you hoping that you are lucky? Luck is not a strategy.

Credit: Metacurity, BBC, WSJ

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Let’s say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your drivers license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty cop after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC