
Episode #32 - Healthcare Cybersecurity

This week, the guys discuss cybersecurity considerations for healthcare organizations. Some people think that healthcare organizations face a completely different set of circumstances than other organizations because they must meet HIPAA cybersecurity compliance requirements. For the most part, however, that is not the case. The guys discuss how, despite some nuances, it is still vital for healthcare organizations to be equipped for cybersecurity and protection, and the same rules and protocols that apply elsewhere still apply to HIPAA digital security.


Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Audi and Volkswagen Involved in a Massive Data Breach

Ransomware: Russia Told to Tackle Cyber Criminals Operating From Within Its Borders

Colonial Pipeline Cyberattack Proves a Single Password Isn't Enough

Unpatched Bugs Found Lurking in Provisioning Platform Used with Cisco UC

Critical Entities Targeted in Suspected Chinese Cyber Spying

Microsoft Gets Second Shot at Banning hiQ from Scraping LinkedIn User Data

Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire

Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping

The First Step: Initial Access Leads to Ransomware

Will “Data Poisoning” Be a Particularly Dangerous Type of Computer-Made Misinformation?

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we are talking about healthcare and HIPAA compliance and all the important things that healthcare organizations should consider. Not all of them, because we only have limited time, but we're going to get through as much as we can today. But before we do that, Mike, why don't you kick us off with the news?

You know, strangely, Zach, there's no healthcare hack news this week. Didn't find any. But we're going to kick off with Audi and Volkswagen involved in a massive data breach. That's right. Volkswagen declared that 3.3 million customers had their information exposed in the massive data breach that happened after one of its vendors left a cache of customer data unsecured on the internet. So if you bought a Volkswagen or Audi between 2014 and 2019, or 2019 and 2021, you have potential for a data breach, and all I can say...

Potential for a data breach and an oil leak, for sure.

Exactly, yes, and that may or may not be environmentally safe. So, ransomware: Russia told to tackle cyber criminals operating from within its borders. So the United States and the G7, I think you've all heard, met and talked and came out with other fancy policy statements, and then they made a statement to Russia, basically saying, or western China, basically warning countries that allow ransomware groups to operate from their borders and don't make any efforts to deter their actions that they will be held accountable for their lack of action. The warning comes from the G7, and a joint statement published following the G7 summit specifically calls out Russia to do more when it comes to stopping cyber attacks and to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other crimes. President Biden also went so far as to give a list of 16 industries not to target, which I believe Putin will see as a target list, or basically say, okay, well, we'll not hack these 16, we'll hack the other ones. So basically it's the equivalent of "stop, or I'll say stop again."

Russia and China are shaking in their boots right now. They're terrified, I'm sure.

Yeah, it's successor, you know. I mean, if they're letting them operate from their borders, I mean, well, it's cyber warfare, right?

Yeah, I mean, it's really something we could unpack in a whole podcast episode, but yeah, it just seems fabulous to me, but that's just me. Colonial Pipeline cyber attack proves a single password isn't enough, and I've been saying this for a long time, but the DarkSide gang was able to acquire the password to a VPN account that was no longer in use yet remained active. The single-factor authentication method granted the attackers access to Colonial's IT network and, in turn, its sensitive data. This incident highlights several mistakes that are critical for enterprises to avoid in order to avoid falling victim to similar attacks. Basically, put in two-factor.

Yeah, put it in, and here's the thing: there's not a framework out there right now that doesn't require it, at least for all administrative-level technical controls, right? I mean...

So exactly, and how about when someone leaves the company, you actually deactivate their account, including their password? Novel idea.

I think you're onto something. Yeah, bottle that up.

ICT Enterprise Insights did a survey in 2021 that found 60 percent of manufacturing companies are planning to increase investment in cybersecurity, which is promising. However, that still leaves another 40 percent that haven't figured it out yet. We call them victims.

Yeah, exactly. Maybe Putin will reach out to them in a special way.

Unpatched bugs found lurking in provisioning platform used with Cisco UC. The Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications environments, has three high-severity security vulnerabilities that can be chained together to enable remote code execution with elevated privileges. They are CVE-2021-31579, CVE-2021-31580, and CVE-2021-31581 and 82. So look into that if you're using that.

Critical entities targeted in suspected Chinese cyber spying. A cyber espionage campaign blamed on China was more sweeping than previously known, with suspected state-backed hackers exploiting a device meant to boost internet security to penetrate the computers of critical US entities. That's the hack of the Pulse Connect Secure networking devices. It came up in April, but its scope is only now starting to become clear. According to the Associated Press, they have learned that hackers targeted telecommunications giant Verizon, the country's largest water agency, and the New York subway system, among others. So basically, make sure that you're patching all of your stuff.

Microsoft gets second shot at banning hiQ from scraping LinkedIn user data. This is an interesting thing, and it goes past the federal... hiQ is basically a competitor to LinkedIn, and I didn't know that LinkedIn was owned by Microsoft. But long story short, the US Supreme Court has granted LinkedIn another legal option to try to prevent hiQ Labs from scraping public information from its users' profiles. They've been fighting this for a while, but it appears what this really is, is that it goes against the CFAA, the Computer Fraud and Abuse Act, and the issue here that the Supreme Court looked at is the ability for one person to do it versus bots to do it, because there's a concern about bot versus human and good bot versus bad bot for this type of activity. So stay tuned for that, and we'll see if Microsoft can crush someone else.

Hackers flood the web with 100,000 malicious pages promising professionals free business forms but delivering malware, reports eSentire. This is really interesting, because we all in IT have at some point Googled, or Safari'd, or DuckDuckGo'd, or whatever you want to use, some kind of form that we need, some kind of template for a policy or a procedure or something of that nature. Well, what's happening is these business professionals are currently being lured to hacker-controlled websites hosted on Google Sites and inadvertently installing a known emerging RAT, or remote access trojan. The attack starts with a potential victim performing a search for business forms such as invoices, questionnaires, and receipts. Upon attempting to download the alleged document template, users are redirected unknowingly to a malicious website where the RAT malware is hosted. So basically you're downloading your own by looking for forms that are already done. So make your own forms.

Yeah, I use Lycos.

That's okay, still.

Yeah, sure, you know, Ask Jeeves. They're all good. I ask Jeeves if I can search Lycos.

Yeah, there you go. Critical ThroughTek flaw opens millions of connected cameras to eavesdropping. This is a fun one. CISA on Tuesday issued an advisory regarding a critical software supply chain flaw impacting ThroughTek's software development kit that could be abused by an adversary to gain improper access to audio and video streams, like Zoom. Successful exploitation of this vulnerability can permit unauthorized access to sensitive information such as camera audio and video feeds. ThroughTek's point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio and video transmission capabilities, such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors, to provide remote access to media content over the internet.

I still have never understood why someone needs to have an intelligent washer and dryer or refrigerator, but anyway, that's beyond me.

If they would get the clothes and, like, put them in there, I would consider that intelligent. And then fold them and put them back or hang them up, that would be awesome.

Put creases in my shirts.

Exactly, and get the ironing done properly. That would be phenomenal. But, you know, surfing the web off my washer and dryer, not a priority. The first step: initial access leads to ransomware. Surprise, surprise, ransomware attacks still use email, but not in the way you might think. Ransomware operators often buy access from independent cyber criminal groups who infiltrate major targets and then sell access to ransomware actors for a slice of the ill-gotten gains. That's kind of what REvil does. Cyber criminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize, to the tune of greater profits for all, except of course victims. This is a really good one to read out of Proofpoint. I highly recommend that you look at the website and take a look at this. Last one is: will "data poisoning" be a particularly dangerous type of computer-made misinformation? We all heard the screams of fake news, fake news, misinformation, and that sort of thing. Turns out that they're actually experimenting with different kinds of tools for creating fake information to mislead cybersecurity professionals so they would make changes based on the data provided to them, and sort of trick them to allow hackers to get a leg up. This is kind of interesting, kind of a little bit dangerous, so be really careful where you're taking your guidance from. And that's it for the headlines, Lauro.

Awesome, Mike, thanks for that. So this week with exploitation, I really only have one good one to talk about, but it involves a piece of software from a solution company called Unified Total Connect, and they're essentially a small business unified office, a small business solutions provider. They claim to do stuff for restaurant services, dental, hospitality, healthcare, business, auto service, and agricultural, and they have got a pretty nasty SQL injection in the Unified Office business solution that was put out on the downloadable sites. So if you've got Unified Office Total Connect and you're still on 1.0, make sure you go back to the vendor and get an upgrade to that. And yeah, if it's not exploitable, is it really vulnerable? I don't know. It's a good question. Zach, what are we talking about today?

Well, we're going to talk about healthcare, but before we do, we're going to take a quick break and be right back.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, a firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

And we're back. Let's talk about healthcare. So this is a big topic to unpack, but I want to start by saying, and we'll see where the conversation goes, I do want to start by saying there are a lot of people out there that say that healthcare cybersecurity is completely different and unique and it's a different animal and all that. I wanted to start by saying it's not, right? Okay, the fundamentals still apply. You still need to follow a framework, you still need to get risk assessments and pen testing, understand your environment, right? There are compliance requirements, so the fundamentals still exist, but there are some nuances to it. So it's not that you're in a completely different boat if you're in the healthcare industry. Not the case at all. But cybersecurity is critical, right? Because with all this stuff going on, things like COVID, for example, cyber criminals are taking advantage of that, and they're seeing the healthcare industry as a critical piece of our nation's backbone, which it is, and they're exploiting it as much as possible. You know, they know these organizations are strapped thin, they've got a lot going on, especially in today's environment, so they are taking full advantage, and ransomware is prevalent in healthcare. And organizations are really starting to wake up, I think, and realize that, hey, we've got to do everything we can to keep operations going. So from there it dives into, well, what do, or it starts with, what do healthcare organizations need to do? You know, I mean, the fundamentals, everything we talk about on this podcast in various episodes, but for us it's always: well, you have to start with risk assessment and testing, understand where you are, and you have to do that to know how to improve, right? So in my mind that's always step number one. Do you have any other thoughts?

Well, I think some of the nuances that you talked about that kind of separate the healthcare industry from other industries, I see kind of two places where that's factual. One place is that they get a lot of pre-engineered devices. So a lot of the equipment that's being used for lab work and for on-prem medical work are devices that are created by companies that'll put a, you know, it's a pump or whatever it is, right, that it does, but it's controlled by an operating system that can link to other types of things. And so those are kind of embedded and pre-engineered and then delivered, and so a lot of them aren't connected to the networks, right? They're kind of a standalone device that someone would use in a room or someone who's in a lab. And so that's one of the nuances I believe that kind of separates that industry. And then the other one is really they're maintaining a lot of vital information on humans in regards to, like, bio-weaponry and stuff like that, genetic data and that type of information, right? I think they have a lot of that. And then, of course, I think just in general, being the industry that it is, right, I mean, it's a critical industry, and as we saw in COVID, like you said, Zach, when the hospital's taking advantage of, you know, the people that are sick and the people that need that care, they feel that even worse, right?

There's actually a hacker group out there, and I think it is REvil, that says that you cannot use our software to attack a healthcare agency. I mean, it's an interesting point, because at least they're trying to pretend to have a soul when it comes to stuff like that. This is a complete aside to what Lauro was saying, but I mean, there is a lot of stuff out there. And the other one is prosthesis. There was a large research company out here that was doing a lot of prosthesis work that just got torn apart by Chinese hackers. So there's a lot of concerns out there. But there's one important safety tip I want to give to all healthcare organizations that might be listening: if the people presenting you with a proposal for working with you can't spell HIPAA correctly, walk away.

That's great. It's like eight P's. It's like eight P's and four A's, right? Is that what it is? Three I's?

Yeah, excellent point. It does happen. Yeah, that's what we see a lot of, you know, HIPAA compliance. A lot of organizations, regardless of what they are, from medical laboratories to facilities to medtech, like software-as-a-service type companies, when they reach out, of course HIPAA compliance is important. So you have your PHI, right, protected health information. That's critical, and that's generally the number one concern. But I think you're right when you say that there's, like, genetic data, different types of biological information that are in much higher demand even than PHI, especially from nation-state threat actors, some of which were mentioned earlier in the podcast. You know, so those types of data, that's a whole other level of security, but I think most organizations are primarily concerned with PHI, and so they're looking at HIPAA compliance, they're considering requirements like HITRUST and that sort of thing. But I think it goes back to the fundamentals, because of the IoT devices and the devices within a healthcare environment, a lot of which are deprecated, right, because they can't... well, a lot of them...

Yeah, I mean, it's unfortunate, but there's just no way to keep a lot of those systems current, right? So that's, I think, always going to be the case. So understanding how to segment the environment and remove those from, basically, public access is one thing. But I think there's a whole other realm, and just the sheer number of people that are accessing, especially in healthcare facilities, that are accessing devices, that's a whole other can of worms, so to speak, when it comes to policies, procedures, standards, staff awareness training, all of that. So, you know, I guess if we start with looking at how does a healthcare organization know where they stand, there are a variety of considerations. There are risk assessments, pen testing, physical intrusion testing, right, understanding the physical layer of your environment, or physical security of your environment, I should say.

And yeah, because I think, just... not to jump in here, but with that physical intrusion piece, that's a good note. If you're out there and you're listening to this and you're asking yourself, how do I know if I need a physical assessment as part of my annual HIPAA penetration tests and other things that you might do? If you're holding genetic data or you have laboratory work, I think it's a very important thing, because, like, exactly what Mike talked about, those devices, they're certified, right? So a vendor manufacturer is going to maintain an X-ray device, whatever it is. It's going to be... the software is going to run on a certain version of Windows, usually, right, or something else, right, Ubuntu or whatever, and they're going to certify that software to that version. They're going to package that up, and it's, you know, cool little equipment with its buttons and all that kind of stuff, and they're going to roll it out to the shops, and it's going to be like, okay, this widget runs on this version of software, and all you need to do is plug it in. And so there's a lot of those that are like that, and how do you care and feed for that? And like you said, how do you properly segment those, so that if they're susceptible to physical intrusion, because a lot of those thumb drives and a lot of the Bluetooth and those types of capabilities are still active on a lot of those systems. And so it's super important that that's a segmentation. But yeah, please continue. I think you're right with the whole, you have to do everything you do for any other framework, right?

Yeah, you know, we've actually heard, it's kind of scary, because, you know, medical devices are incredibly expensive, the organizations rely on them for their operations and patients' lives in a lot of cases, and security seems to be the last thing on a lot of people's minds when it comes to that. Now, we've actually heard the CEO of a prominent medical device company that has devices in hospitals and facilities all over the world flat out say, oh, I don't care what happens with these once they're delivered. Our job is to get them out the door and into the facilities.

Yeah, that was horrible. That was horrible.

I don't know, when we say... yeah, so this stuff's not made up. This is the reality, is these devices, they are going to be deprecated. So I think, you know, putting a lot of emphasis on ongoing penetration testing, like we talked about, physical intrusion testing, that's going to be critical, because you have to keep a constant eye on the environment and on those vulnerabilities that exist through all these types of devices. So it's a big load to carry, but it's one of those things that, especially medical facilities that have more complex infrastructure than most businesses, just need to do. I don't see a way around it.

Yeah, there's not a way around it, and I think that most hospitals and medical facilities tend to run really lean on IT because they don't see that as a requirement. They see it as making sure the computers are running so you can run notes and you can do that kind of stuff. They forget or don't figure out a way to properly provision the devices that need to be provisioned. Do you put these devices that are running X-ray machines in Active Directory, or how do you actually deal with them? And I think they're overlooked a lot of the time because it's all the vendors managing it, and the vendor isn't always managing it properly, and it certainly can be deprecated. We've seen that many times. It usually always is.

And you know, there's an interesting evolution that happens with technology systems and businesses, right? They start out, you know, this thing that needs to be done, and then people come and go and make changes, and leadership has different ideas of what needs to be done. So you have this kind of evolving thing that has had lots of hands on it. I call it like an ongoing painting. Everybody gets a chance to paint something on the canvas. And so what you end up with is, you know, a leader that comes in that typically has a keen eye and an understanding of the need for cybersecurity, but he or she has inherited, again, kind of a put-together, evolved sort of painting. And how do you finish it? How do you make it, you know, it's supposed to be a castle, or it's supposed to be a sunset, or supposed to be birds in a tree. How do you make it that from the scribbles and scratches that have been there before? And I think that's really part of the magic of using these frameworks and leveraging your capability in the business to kind of see that transformation happen. So you kind of have to... you can see that perspective, that they're kind of stuck, right? I mean, they have these systems, and like you said, Mike, we've dealt directly with vendors, we've tried to help them, and they've shut us down because they literally didn't care. It's a terrible thing to think about, right, that's going into our healthcare systems. But, you know, that physical intrusion piece is, I think, necessary. And real quick, back me up, where did that happen, Mike, where those vagrants were breaking into the hospital and stealing equipment? They put on, like, scrubs and they went in there and just stole a whole bunch of equipment and tried to pawn it.

Oh yeah, that was California somewhere, but yeah, I know what you're talking about, but I can't think of the exact location. But yeah, I think it was California somewhere. Yeah, better reason for physical pen testing, to test your guard staff reaction and all that kind of stuff.

Well, yeah, I mean, you think about anybody that has, you know, enough that they can walk confidently into a building carrying a clipboard, or wearing a brown uniform carrying a brown box, or scrubs with a stethoscope, and can walk into one of these buildings. If they do it confidently enough, most people aren't going to question it. That's the scary part. That physical piece is very critical. So I mean, you really need to have that, and it's an important piece of something that we do, and it's something that we need to be doing more. People need to be doing a lot, you know, rather than going lean, people need to be fattening up their IT staffs and really taking a look. And I would love one day to walk in and see a new CIO go, we're going to strip everything down and go to greenfields. We're going to build a parallel environment, it's going to be secure. I realize we can't take everything down now, but we're going to move everything to this new environment once it's built properly. And I don't think it'll ever happen, but it's a little dream of mine.

I think it is. Well, get a physical pen test. I mean, it's a lot easier for one of us to walk in in a confident kind of manner and plug in a thumb drive to one of your computers. Even most times, more often than not, your computers and your man trap are available to us, or to attackers, right? Typically anywhere you go.

Yeah, absolutely.

We leverage wireless as well, to lure people away, right? You know, there's a difference between using your wireless infrastructure to actually ingress your infrastructure and get activities there, versus luring personnel away from your authorized architecture onto ours to snoop, right? So there's a different method of attack that you can use for that type of technology, if you're using wireless in your hospital. So we certainly recommend that, right? I mean, we certainly see the benefit, and we've been able to demonstrate, I think, the benefit to all of those types of activities. But it's so much easier to carry a physical thumb drive right into an organization and just plug it in, knowing that most systems are in their network, and if you've got a Rubber Ducky or a Bash Bunny or anything else, and you've got some basic Python skills, you can do some really, really bodacious things. Yeah, I said that, I was watching Bill and Ted's Excellent Adventure.

It's a good word. Good word. Hey Mike, you do a lot of work in the HIPAA compliance realm. What's your advice to companies to ensure they're HIPAA compliant and ensure they're operationalizing it to maintain that compliance continuously?

I would say hire Silent Sector to help you out with that.

Well, of course.

That's insane. Honestly, I mean, you do need to operationalize it, and then you need to integrate it. And you start with building, or starting, we'll start really: find a framework, right? So HIPAA is going to be a piece of your framework, but HIPAA is a derivative in this. So start with NIST and start hardening the system from there, and then integrate that into, bring your people online to work on this stuff. You can find multiple crosswalks where you can see where the critical HIPAA pieces marry up to the NIST pieces. But really, a lot of times what we see is it kind of sounds, a staff, right? I mean, you've got two IT people supporting 500 users, and they're trying to be compliant, and they're trying to be secure in the system, and priorities fall. We see a lot of people just writing the paper so they can say, I've got all these HIPAA policies, and then you ask them and they say, I have no idea what it says, but we've got a HIPAA policy. So yes, definitely operationalize it, start gathering evidence, prove it's done, and just truly be committed to actually doing it, and stop chasing the next flashy thing that comes along. Build your foundation, which is going to be HIPAA and NIST, and then go from there.

I think it's, like we say over and over, a lot of organizations will chase one compliance requirement to the next, rather than starting with a foundational framework like NIST, CIS, NIST CSF, or 800-53, or something like that, to build a more robust, holistic program, and then go from there. But yeah, again, those fundamentals remain the same in healthcare, and, you know, HIPAA compliance again is focused on protected health information. It's not a holistic framework by any means. HITRUST gets some notability in the healthcare world. It is a pay-to-play game. I, you know, for most people, if they don't have customers demanding HITRUST compliance and audits and such, NIST CSF and HIPAA are going to be great. And just stick with those, run with them. And if you're in the medtech space, software-as-a-service, system integrator for healthcare, or something like that, of course the HIPAA compliance, all of that's going to likely apply to you as well. So make sure that you're speaking their language and following a good framework, getting your pen tests, all the fundamental activities that need to occur. And with that, any final words of wisdom before we jump off here?

Don't limit scope. Make sure that you do the whole thing, bite it all off, right? You may not be able to do it all at once, can't chew it all at once, but you can certainly start. Because if you focus on a certain amount, the rest of the security possibly... their wings, and it's still going to cost you risk. So scope it all out. Just make sure that your security vendor can spell HIPAA.

Well, it's three P's, four A's, three B's. That's right. That's right.

Well, thank you for joining us, everyone. If you like the podcast, subscribe, let us know, reach out, let us know what you want us to talk about, topics of interest. LinkedIn or our website are great places. And by the way, the news articles, the links to those articles, are on the website, silentsector.com. You go to the podcast page and you can find the episodes and such there. So thanks for joining us, and we will see you next week.