
Supply Chain Cyber Threats Getting Real – Ep 293 

 February 26, 2021

By  Donna Grindle

Supply chain cyber threats are happening so often they keep showing up in the news. The list keeps growing every month. So much is still slowly being learned about the SolarWinds attack it is getting hard to keep up. Now we have water systems and more healthcare breaches trickling in. It’s time for us to talk about what these supply chain attacks mean to the rest of us.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

HIPAA Say What!?!

[05:09] There are several HIPAA specific things to discuss today. First, a listener question where we screwed the pooch, so to speak, then a client question and finally yet another patient right of access settlement was announced.

News Story Question

Found a question we totally missed – I am so very sorry.

Anonymous asks:

Can I file a complaint with OCR if I am not a patient but live in the same state as this doctor? The complaint would be for not properly advising patients of the COVID risk per the CDC, Oregon Health Authority, and National Institute of Allergy and Infectious Diseases.

Oregon doctor and staff refuse to wear masks during pandemic, calling Covid ‘common cold’

There are two answers to this question.

  1. You can file a complaint with OCR anonymously from anywhere about anything. If you see a news story that you are concerned about remember they watch the news too. Send it to them if you feel so inclined just in case they miss it. You can do that on the HHS OCR Civil Rights Complaint portal.
  2. This particular story is probably not a case that falls under privacy rights but more likely the state medical board. You can access a list of those from the Federation of State Medical Boards: FSMB | Contact a State Medical Board.

Complaint to BBB Question

[10:13] We had a client call with an interesting one this past week.

A patient filed a complaint with the Better Business Bureau. Our client immediately called us when the BBB contacted them wanting to investigate the claim.

Don’t we need the patient to sign an authorization to work with the BBB investigators?

You know I was so very proud they stopped and immediately reached out to us. The answer is a very strong YES. The BBB has a form for it on their website: BBB Authorization for Release of Health Information.

A side note here: A lot of people would just assume the BBB would know that beforehand and send it to the patient before contacting you, but clearly they do not. They also don’t protect you from violating HIPAA.

OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative

[13:59] Yet another settlement has been announced. This is the first one under Acting OCR Director Robinsue Frohboese. This one was with Renown Health in Nevada. Again, it took months to get patient records sent where the patient wanted them, in the format the patient asked for. A patient request made in January 2019 wasn’t fully provided until Dec 27, 2019. Apparently, some records were provided but not all of them. There isn’t a lot of detail in here, but a year is way too long to wait to get your records.

The director’s quote keeps driving home the same message about these cases:

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.” – Acting OCR Director Robinsue Frohboese

What’s going to happen when it gets shortened to 15 days? Assuming it actually does.

Renown is paying $75,000 plus a 2-year corrective action plan (CAP) to make sure they have their ducks in a row with patient access rights.

Supply Chain Cyber Threats Getting Real

[20:46] There has been so much news in our little world in the last week or so. It is hard to pick what to talk about. Breach notifications are rolling out now that the 60 day clock is expiring on the Nov and Dec attacks that hit healthcare targets. Then there is data apparently from some of those attacks being dumped on the web, more ransomware, and then news from the water supply hack. Other than pointing out that you are not supposed to wait 60 days to notify us, we have to pass on most of that because of the water supply story.

We have to talk about this supply chain topic now. First, the SolarWinds story keeps expanding. Then, we hear there may be yet another hacker group breaching SolarWinds besides the first one. Apparently, the entire country was hit due to this attack. Intelligence groups say it was Russia, but that isn’t the big deal here. The big deal is that it was so widespread because it happened deep in the supply chain. Now, we hear that the water supply was almost poisoned via an attack in the Tampa area just before the Super Bowl. Really. This is getting real now. If you aren’t paying attention to these, it is time to look this way.

SolarWinds Breaches Massive Supply Chain

[22:48] The SolarWinds attack was very sophisticated and complex in how it worked. But it was prolific in its success and in the attack surface it reached. The vendor of your vendor’s vendor kind of complexity is what happened there. Massive damage potential that we may never fully understand. For the latest updates on what are now called SUNSPOT, SUNBURST and SUPERNOVA, check out the Security Advisory FAQ page that SolarWinds keeps updating.

Krebs on Security ran a recent article about the breach with the heading SolarWinds: What Hit Us Could Hit Others and they aren’t playing around when they say it. Now, they see how successful it can be. Do you think all the other bad actors will sit back and applaud? No. They will try to outdo them.

So many people have no idea until it happens to them. Then, many of them blame someone else. SolarWinds, at least so far, seems to be as transparent as possible and working with authorities to clean up the mess as best they can.

Don’t forget utilities are in your supply chain

[34:21] This water supply thing could have been pulled off by anyone that wanted to try. Really, anyone. Completely ridiculous details are already coming out.

“The incident took place Friday when an operator noticed the intrusion and watched the hacker access the system remotely. The hacker adjusted the level of sodium hydroxide to more than 100 times its normal levels, according to Pinellas County Sheriff Bob Gualtieri. The operator immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger.”

The sheriff’s other statement shows just how many people do not understand the problems we know are out there.

Gualtieri said the potential danger of an attack like this should prompt a discussion about remote access to software, adding that he’d never seen an attack like this. “This is a new one for us,” the sheriff said.

In another article from the local Tampa Bay Times we learned that the attacker was in there twice on Friday.

Someone tried to poison Oldsmar’s water supply during hack, sheriff says

A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.

But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The attacker left the system, Gualtieri said, and the operator immediately changed the concentration back to 100 parts per million.

[44:36] According to the nerd news stories we follow, this thing exposed a bunch of basic issues. The site used all Windows 7 computers, had no significant firewall in place, had no segmentation of the industrial control systems from that network, and apparently had a lot of password sharing going on. We learned that from the advisory issued by the state of Massachusetts, Cybersecurity Advisory for Public Water Suppliers. Clearly they used TeamViewer and had it pretty much open to anyone who knew the credentials. No 2FA, no VPN, just login. The old OS didn’t cause it, although there may be something going on there. TeamViewer problems didn’t cause it. There were just no reasonable precautions taken to protect access from outsiders.

CISA has issued an alert, Compromise of U.S. Water Treatment Facility, that explains what was wrong with the setup along with what should be done to fix it.
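One of the controls the CISA alert points toward is an independent check that does not trust whatever arrives from the HMI. As an added illustration (not code from the plant, the CISA alert, or this show), here is a small setpoint guard that holds a dosing change for a second person’s confirmation when the new value falls outside an engineered range or jumps too far in one step, while still letting a corrective write back into range go through. The safe range, the step factor, the session labels and the event sequence are constructed for the example.

```python
"""Setpoint guard: hold dosing changes that fall outside engineered limits.
Constructed example; ranges, session labels and events are assumptions."""
from dataclasses import dataclass

# Engineered safe window per parameter, in ppm (constructed values).
SAFE_RANGE_PPM = {"sodium_hydroxide": (50.0, 200.0)}
# Largest single-step ratio allowed without a second approval (assumption).
MAX_STEP_FACTOR = 2.0


@dataclass(frozen=True)
class SetpointChange:
    ts: str          # timestamp of the HMI write
    session: str     # "local-console" or "remote-<tool>" (constructed labels)
    parameter: str
    old_ppm: float
    new_ppm: float


def evaluate(change):
    """Return ("apply" | "hold", reasons). A hold means the write is not
    pushed to the controller until a second person confirms it."""
    reasons = []
    bounds = SAFE_RANGE_PPM.get(change.parameter)
    if bounds is None:
        return "hold", ["unknown parameter"]
    lo, hi = bounds
    if not lo <= change.new_ppm <= hi:
        reasons.append(f"new value outside {lo:g}-{hi:g} ppm")
    # A big jump away from a good value is suspicious; a jump from a bad
    # value back into range is the operator's fix and must not be blocked.
    if change.old_ppm > 0 and change.new_ppm > 0 and lo <= change.old_ppm <= hi:
        ratio = max(change.new_ppm / change.old_ppm, change.old_ppm / change.new_ppm)
        if ratio > MAX_STEP_FACTOR:
            reasons.append(f"step factor {ratio:.0f}x")
    if reasons and change.session.startswith("remote"):
        reasons.append("issued from remote session")
    return ("hold" if reasons else "apply"), reasons


# Constructed events mirroring the sequence in the news reports above.
EVENTS = [
    SetpointChange("2021-02-05T08:00:00", "remote-teamviewer", "sodium_hydroxide", 100.0, 100.0),
    SetpointChange("2021-02-05T13:30:00", "remote-teamviewer", "sodium_hydroxide", 100.0, 11100.0),
    SetpointChange("2021-02-05T13:35:00", "local-console", "sodium_hydroxide", 11100.0, 100.0),
]


def audit(events=EVENTS):
    """Map each event timestamp to the guard's verdict."""
    return {e.ts: evaluate(e)[0] for e in events}
```

Run `audit()` to see that only the 100 to 11,100 ppm write is held; the operator’s write back to 100 ppm is applied.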

These small facilities are not really that different from a lot of small businesses we see. No money has been consistently invested in maintaining technology for years. This was one of the better quotes that really nailed the bigger problem here, though.

Chris Krebs, the former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, wrote on Wednesday that the Oldsmar hack highlights how dire the challenge is.

“Unfortunately, that water treatment facility is the rule rather than the exception,” Krebs wrote in a column for The Hill. “When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach.”

What to consider with supply chain

[49:57] Review your plans and do better vetting of your supply chain because you know this stuff exists.

Be aware that this could happen. How would it impact your business if the water supply is poisoned?

One last thing

[55:18] Another announcement this week that probably isn’t getting enough attention is the Great Suspender story. Supply chain issues can be so tiny, and this shows us exactly what that means. A very simple Chrome extension was removed from the store this week because it introduced tracking and malicious code that infected nearly 2 MILLION users.

This thing had been out there for years and many people found it helpful. What had happened was…. The original developer sold it to someone else. The new owners made these changes to the code and never published the updates, as is the custom with these things.

So many developers have politely nodded their heads when I tell them they need to be addressing the use of open source and third party software within their apps. Security should be built into the approval, review and audit process for them too.

Just to tie it all together here at the end: Chrome, Apple, Mozilla, Adobe, and others released recent security updates. Microsoft had the lowest number of patches in January that they have had in a year. They didn’t have a parade about it, though. They released a statement that Emotet may be down, but don’t expect it to be out. We all know the criminals have their own DR plans now. Our plan is for what to do when they attack. Theirs is for what to do if we manage to shut them down but not arrest them. They always come back, just using new names with new methods to avoid detection.

Keep patching folks and hope they are all good patches!

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
