A hospital President, after being hit by a cyber attack, said “We really did not anticipate the scope or the impact the attack had on our system and how far-reaching it was.”
This is just the beginning. Get prepared for more to come, especially with the success of the major SolarWinds infiltration. We knew things were getting worse weeks ago when we recorded this one. Where do we see things going?
In this episode:
Cyber Attacks Will Get Worse In 2021 – Ep 285
The HIPAA Boot Camp
Virtual Edition Feb 23-25, 2021
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[09:32] HIPAA-specific information for real this week. Maybe some changes and definitely some notifications coming out.
What have we said about medical devices and security?
[11:46] GE puts default password in radiology devices, leaving healthcare networks exposed
Just wanna say come on man! Seriously! This is happening today and it isn’t easy to get it taken care of either. We just talked about all these images exposed from PACS systems a year ago. Now we have easy access to the devices creating the images. What the what!!
If you have one of these devices you need to contact the vendor and tell them you want the passwords changed. Otherwise, it will be very vulnerable until GE rolls out patches, which they haven’t committed to doing any time soon. Don’t forget this could be the device that allows an attacker to establish a beachhead in your network: the one device they can take control of and sit on to watch the traffic and analyze the network.
And so it begins
We were told healthcare was under attack. We have talked about it a few hundred times in the last 6 weeks. Now we are seeing the reports of the cases being announced to patients.
The report that more than 1 million patients were notified of a hack involving Dental Care Alliance appears to be a huge one in the dental market. We keep telling everyone that this may be the least prepared segment of healthcare, mostly because they either don’t believe they have issues or they just don’t care. It isn’t clear which one it is, but what is clear is that the number of dental breach cases started to spike last year and it sure doesn’t appear to be slowing down when you see 1 million patients being notified.
How much per DAY?
[09:15] Another sobering story comes out of the Univ of Vermont. Cyberattack cost UVM Medical Center $1.5 million a day. Yes, that is per DAY, not for the whole attack. They were hit with an attack in October but have not confirmed it was actually one of the Ryuk ransomware attacks. Those attacks were why we saw the big CISA/FBI/HHS announcement. Unfortunately, these guys were hit the day the announcement came out. OUCH!
They do mention that the FBI was involved in the investigation, which most take as a sign that it was very likely one of the Ryuk attacks, but confirmation hasn’t been made officially.
This article provides some details from the President of the U of V Medical Center. He said that the $1.5 million number doesn’t even cover everything.
That “back of the envelope” calculation doesn’t include the cost of getting the system back up and running.
They are still recovering services that aren’t fully operational yet. The systems are being brought back online, but that doesn’t mean they are back to normal, because they are still trying to work through the backlog of canceled appointments and load in all those paper records. (Another point to make for those who say it is no big deal to just switch to paper: somehow those records have to get back into the system once you get access restored.)
Here are some other important points revealed by the President in the interview. It was big and bad. When you call in the National Guard to help respond to a cyber attack, that cannot be good at all.
The hospital president had initially predicted it would take “days, not weeks” to restore the hospital systems. After the attack, the Federal Bureau of Investigation swooped in to investigate, as several other health systems around the country had fallen victim to similar attacks. Gov. Phil Scott deployed a National Guard unit to help clean and restore the hospital’s 5,000 workstations and laptops.
The hospital temporarily furloughed and reassigned more than 300 workers.
[00:00] This paragraph from the middle of the article was the one I think he should share with every person he can reach:
“If you told me more than a month [after the Oct. 28 attack], we still would have functions that weren’t normal, I would have bet you that you’d be wrong,” Leffler said. “We really did not anticipate the scope or the impact the attack had on our system and how far-reaching it was.”
Just as Erik Decker mentioned when we talked last week, what if this had happened to several medical centers and providers in one geographical region? This is the true big one in healthcare. If it were to happen at a COVID hotspot, who knows how they could function, much less recover.
Cyber Attacks Will Get Worse In 2021
Black Book Report: State of the Healthcare Cybersecurity Industry
[27:30] This is mostly about promoting vendors who are part of this program, but the survey results are very interesting.
This survey report came out in Nov, but there has been too much going on to cover it in detail in an episode yet. Here are the opening paragraphs of their press release about the report:
Seventy-three percent of health systems, hospital and physician organizations report their infrastructures are unprepared to respond. The survey results estimated 1500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a three hundred percent increase over this year.
Black Book Market Research LLC surveyed 2,464 security professionals from 705 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyber-attacks. Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.
What has COVID done to make it worse? We already know, but the message is very clear: it is as bad as or worse than we thought it would be.
Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks. Black Book surveying found 90% of health systems and hospital employees who shifted to a work-at-home assignment due to the pandemic did not receive any updated guidelines or training on the increasing risk of accessing sensitive patient data compromising systems.
A bit further down the story...
82% of CIOs and CISOs in health systems in Q3 2020 agree that the dollars spent currently have not been allocated prior to their tenure effectively, often only spent after breaches, and without a full gap assessment of capabilities led by senior management outside of IT.
Here is the interesting part further down in the findings.
Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.
A poll of 3,500 healthcare consumers that used medical or hospital services in the last eighteen months revealed 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.
Now let’s talk about why it will be bad
[36:02] We told you all that stuff, but we haven’t explained why it will get much worse. Worse even than what those discussions covered, because when they took place the world did not yet know that another major attack had happened, one that will be a problem for years to come.
Years ago there were the Shadow Brokers, who sold NSA hacking tools in 2016. Funny thing: we really can see how the cybersecurity world noticed an increase in successful attacks starting from that point forward. As if 2020 needed anything else to create bigger cybersecurity problems, one of the leading security vendors, FireEye, announced that their penetration testing tools had been stolen from them in a cyber attack. The good news is these are not as scary in the hands of cybercriminals as the ones the NSA used. But, really, what do you expect will happen if you look at this honestly?
The good news is FireEye seems to be handling this in a very transparent manner, telling everyone what happened and publishing information about the tools and how to mitigate attacks that use them. Of course, that means every system in the world that could be attacked with those tools will have to have those fixes loaded to make the tools worthless.
Any guesses on the likelihood of even a majority of systems being patched against them by the 3rd quarter of 2021? Remember, the Equifax breach was due to a patch not being loaded 4 months after it was released. That was a company so big that it impacted millions of people around the world when it was breached.
No one knows what the attackers want or what they did to get the tools. All that has been said so far is that it was a nation-state attack. FireEye has a ton of government contracts as well as major businesses around the world.
In a Tuesday statement, CEO Kevin Mandia said: “We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use to minimize the potential impact of the theft of these tools.”
So, there you have it. They published 300 countermeasures so you can defend against these tools. Plus, a list has been supplied of 16 specific bug patches that should be loaded posthaste.
FireEye Hack: Sizing Up the Impact
Following FireEye Hack, Ensure These 16 Bugs Are Patched
It will take time for the attackers to figure out the tools. That doesn’t happen overnight. But nation-state attackers are very, very well funded. They have everything they need to move quickly if they really want to do so.
If you are in security, it means you had better use that time to take care of patches and countermeasures. Assuming anything where this is concerned is probably a really, really bad idea.
If you are not a cybersecurity expert, make sure you find one to look into the impact on your business, specifically dealing with this case. It will take some time for everyone to get up to speed. But if you aren’t even getting help to look into this... Well... remember what the Vermont dude said about never believing it would be this bad.
Buckle up, people! The road that was pretty full of potholes may soon feel like fresh-paved streets compared to where we go in 2021.
That closes out our last episode for 2020. I am so happy to say that, but after what we just discussed I am not sure I should be so excited. Here’s hoping 2020 is just a bad year, not the opening shot of a bad decade. Never mind, I didn’t say that, didn’t think that, and shall never breathe those words again!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.