HIPAABreachCyber SecurityHealthcare ITInformation SecurityPodcast

ProactiveIT Ep 29 – Privacy vs. Health

By May 15, 2020 No Comments
Privacy vs. Health, Healthcare Breach Notifications for Non-HIPAA Apps, & the Most Exploited Vulnerabilities since 2016 FB

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Privacy vs. Health, Healthcare Breach Notifications for Non-HIPAA Apps, & the Most Exploited Vulnerabilities since 2016

This is Episode 29  

Intro

 Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance, and more.  We also bring you real-world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

 Thanks for listening to this podcast.  Show us some love on Apple or Google Podcasts.  Subscribe and leave us some positive feedback.  What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

Patch Tuesday Update:

Unpatched Oracle WebLogic Servers Vulnerable to CVE-2020-2883
SaltStack Patches Critical Vulnerabilities in Salt
Firefox 76 released with integrated data breach alerts
Microsoft releases May Office updates with fixes for auth issues
Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages
Google Releases Security Updates for Chrome 
Cisco Releases Security Updates for Multiple Products

New

VMware Publishes Workarounds for Vulnerabilities in vRealize Operations Manager

Adobe Releases Security Updates

May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical

Cyber Security News

Update on Cognizant

RIP: Microsoft to drop support for Windows 10 on 32-bit systems

DigitalOcean Data Leak Incident Exposed Some of Its Customers Data

Hacker group floods dark web with data stolen from 11 companies

REvil ransomware threatens to leak A-list celebrities’ legal docs

Thunderbolt flaws affect millions of computers – even locking unattended devices won’t help

Texas Courts hit by ransomware, network disabled to limit spread

WordPress plugin bugs can let hackers take over almost 1M sites

Maze ransomware fails to encrypt Pitney Bowes, steals files

Ransomware Hit ATM Giant Diebold Nixdorf

Healthcare giant Magellan Health hit by ransomware attack

US warns of Chinese hackers targeting COVID-19 research orgs

Topic 1:  FTC Seeks Comment on Breach Notification Rule for Health Data

Topic 2: US govt shares list of most exploited vulnerabilities since 2016

Topic 3:  Leaked NHS Docs Reveal Roadmap, Concerns Around Contact-Tracing App

Woman stalked by sandwich server via her COVID-19 contact tracing info

Utah Says No to Apple/Google COVID-19 Tracing; Debuts Startup App

HIPAA Corner: 

https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/

Transcription (Unedited)

This is the proactive IT podcast this week the latest in it in cybersecurity news, plus privacy versus health, healthcare breach notifications for non HIPAA apps and the most exploited vulnerabilities since 2016. This is Episode 29. Hi everyone and welcome to the productive it podcast each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so that you can better protect your business and your identity. This podcast is brought to By watch tech a client focused and security minded IT consultant located in Central Connecticut. You can find us at and watch tech comm that’s NW Aj tech.com. Alright, let’s jump into it. We got a lot to talk about this week along the lines of privacy and COPPA COVID-19. Not a lot of HIPAA breach news. So that’s good, I suppose. But before we jump into anything, of course, this week was also Patch Tuesday. Before we jump into Patch Tuesday, let’s talk about whether or not you’re going to comment like, share or review this podcast because if you do, we will. I don’t know. I guess I could think you live on the show. If you do. Just shoot me an email so I know you did it. And you can shoot the email to support at nwaz tech and wha tech. Go follow us on Facebook at unwashed tech and wha tech and if you’re in a HIPAA compliant business If you can join our Facebook group does centered around HIPAA compliance, it is get HIPAA compliance just search for get HIPAA compliance on Facebook. Now, as far as Patch Tuesday updates, we went over a bunch of updates that were released last week. So if you there’ll be in the show notes, but if you want to you can go back to listen to last week’s episode and get the update on all those patches to this week that was not as many but it is, of course Microsoft Patch Tuesday week. So we have First up we have VMware publishes workarounds for vulnerabilities in V realized operations manager. So not necessarily an update, as far as patching goes, but it is a workaround for a known vulnerability. Adobe did release security updates for Adobe Reader, Adobe Acrobat and for Adobe dng software development kit. So especially Acrobat and reader, get those updated, but if you’re also using Adobe dng software development Kitt patched that as well. And then Microsoft did release patches that addressed 111 vulnerabilities 13 of which were critical most of them centered around the usual suspects remote code execution. What do we got Microsoft Edge elevation privilege vulnerability that one is not as common but you have remote graphics components, remote code execution, color management, remote code execution vulnerability, Microsoft SharePoint Server remote code execution vulnerability, Microsoft SharePoint I’m sorry, scripting engine memory corruption vulnerabilities chakra scripting engine memory corruption vulnerability which we seem to see those every month. Media foundation memory corruption vulnerability, media foundation memory corruption vulnerability again, Visual Studio Code Python extension remote code execution vulnerability and that was the last one so we Did patch all of our client machines in our own machines this week? Already? No issues that we’ve seen. And of course you have the vulnerabilities the the patching from last week. So we’ve addressed all the patches we have in our environment so that you know, that includes browsers and Adobe and things like that. And we have not seen any issues. So make sure you take care of your patching. As AP as warranted, of course test and then push out. I have not seen any reports of problems either. So get it done. Okay, we have lots of news to share this week. going to start with an update from Cognizant, Cognizant, you may remember from last week they were hit with mais ransomware Tak cognitive being probably the world’s largest MSP and with earnings in the hundreds of millions every quarter, or Yeah, so we’ll get to the numbers in a moment. But anyway that were hit with Mays ransomware attack we know from previous episodes, that means typically exfiltrate the data first and then launches the ransomware. There has not been any indication that that has occurred here. But let’s let’s go with the update here. So Mays ransomware attack hit the MSP in IT consulting firm in late April. According to a first quarter earnings report statement, released May 7, the attack will impact cognizance, second quarter of 2020 revenue for obvious reasons and there may be an additional financial impact implications thereafter. So this is you know, there were a lot of ransomware attacks to report this week. But this is two Cool. Have any business when you hit hit with ransomware it’s not just pay ransom or restore your data from backups and be done with it. That’s not how it works. It doesn’t work that way. It’s going to cost you some money no matter what. So Cognizant in April 2020 disclose that the attack may impact company revenues. During a may 7 earnings call Cognizant CEO Brian Humphreys and CFO Karen McLachlan provided additional details about the attack mssp alert. I’m reading this from mssp alert By the way, has paraphrased the comments and company updates in these 10 points. So number one ransomware attack costs so far, the attack will cost cognisant about 50 to 70 million in lost revenue and, and margin for second quarter of 2020. Additionally, the company expects to incur certain legal consulting and other costs associated with the investigation, service restoration and remediation of breach so now you’re gonna have to deal with your clients who may have lost money, last had downtime and so forth to executive efforts. Cognizant mobilized its entire leadership team when the attack was discovered in April. The company also notify law enforcement agencies at that time. Three hundreds of customer communications and communications with clients were transparent from the start. The effort included hundreds of individual client calls with Cognizant security organization. Cyber experts and executive team along with to client conference calls in April for indicators of compromise. So Cognizant is proactively providing clients with indicators of compromise so that they can also do their own investigations. Five latest conference calls attack contained early in the week of May 4 Cognizant held a third conference call with customers could confirm that the attacks were contained. What that leaves a one to two week window where they may have been on the network and then we’d all know before that how long they were on the network. Six ransomware attacks ransomware attacks financial impact of ransomware attack will negatively impact Cognizant second quarter results for reasons First, the attack encrypted some of the IT consulting firms internal systems, effectively disabling them and Cognizant proactively took other systems offline to disruption impacted work from home enablement such as VDI, which is virtual desktops and the provisioning of work from home laptop second, some clients opted to suspend and cognizance access to their networks. For obvious reasons, again, billing was therefore impacted for a period of time yet to close the staffing those projects remain on cognizance books. So access to the networks because if ransomware is on cognizance network, it could jump in you know, we just talked about on the daily episode, we talked about the risk with RDP. And so this this is the risk now that you have some remote desktop protocol application running not necessarily Microsoft RDP, but windows RDP but something third party and maybe that makes sense. Clients vulnerable. Seven work from home issues are now largely have now largely been addressed. Eight regaining customer trust. Customer network trust Cognizant has meaningfully progressed in addressing the concerns of clients that have suspended our your our access to the networks. We expect to substantially complete this by the end of the month on preset nine financial impact timing most of the ransomware attacks impact on revenue margin will occur in the second quarter however, ongoing remediation costs will continue throughout this subsequent quarters. Cognizant plans to disclose the financial impact on a quarter but quarterly basis to ensure visibility and in 10. Lessons Learned Cognizant is applying lessons learned applying learnings from the attack to further harden its network. First quarter of 2020 Cognizant revenue was 4.2 billion up 2.8% a year ago quarter including a negative 50 basis points impact from the exit of certain content services businesses and then income was 367 million Compared to 441 million a year ago, so Cognizant is taking a big financial hit. And we have not seen the all the fallout from that yet. But Tom will continue to update as we get more information. On bleeping computers reporting that Microsoft will drop support for Windows 10 on 32 bit systems shouldn’t really come as a surprise, nor should you be using 32 bit systems at this point, you’re just not getting the full benefit of using any not just Microsoft Windows 10. But any operating system if you’re using a 32 bit system, you can’t use the memory like you can with a 64 bit system and the other resources that are available because of 64 bit system, you’re really not getting the full benefit So Microsoft will stop supporting windows 1032 bit in the near future. Hacker News reported Digital Ocean data leak incident exposed some of its customer data. Digital Ocean one of the biggest modern web hosting platforms recently hit with a concerning data leak incident that exposed some of his customer data to unknown and unauthorized third parties. Though the hosting company has not yet publicly released a statement it did. It did start warning affected customers of the scope of the breach via an email. According to a breach notification email that affected customers received the data leak happened due to negligence where digital Digital Ocean unintentionally left an internal document accessible to the internet without requiring any password. Now Digital Ocean is a competitor to Microsoft Azure and Amazon AWS. You know those those being the big players in the game. Then you have Google Cloud Platform and Alibaba. Digital Ocean is in there, but not quite as big. The document contained this document contain your email address and or account name, the name you give your account at signup, as well as some data about your account that may have included droplet account bandwidth usage, some support or sales, communication notes and the amount you paid during 2018. The company said in a warning email, the end they did include a screenshot of the email here. So what’s the concern? The concern is now they have enough information to potentially fish customers or past customers of Digital Ocean. So if you are a Digital Ocean client, make sure you if you get this letter, make sure you read it, understand it and make sure you’re aware that you could now potentially be fished or be compromised in some other manner because of it. hacker group floods dark web with data stolen from 11 companies. So they’re, like I said, there’s been a lot of random ransomware and data leaks this week. So this hacker group hacking group has started the floated dark web hacking marketplace with databases containing a combined total of 73.2 million user records. Over 1111 different companies. And so here are the list of the companies there’s total total pedia home Chef mineka. minted style share. g komen. I’m not sure what that is as ggu m i am mindful Star Tribune chapbooks The Chronicle of Higher Education in Zoosk, and then we we know, there was I think we reported last week a large Indian Education platform that was compromised in the datastore unit Academy here it is 30 to 22 million unit Academy user records are also on the dark web, as well. Hi, bleeping computer also reports revolution. Somewhere threatens to leak a list celebrities legal docs so rants, sort of leukemia. ransomware group threatens to release hundreds of gigabytes of legal documents from a prominent entertainment and a law firm that counts dozens of international stars as their clients and we’re talking big names here. So they grab data. As soon as leukemia and me’s and some others do exfiltrated the data in hit them with ransomware This is a law firm in New York City. I’m looking for the name of the New York of the law firm Grubman Shire, Musa lists and saxes GSM law, which is based in New York and represents dozens of heavyweight artists. So some of the clients that they have on their list on their roster, I should say, Madonna, Lady Gaga, elton john Robert De Niro, Nicki Minaj. Chris Brown, assure you to Timberland, Rick Ross and many others. Now, there is a screenshot of some of the data They claim to have so as you can see the hierarchy of the folder structure here and I see things like Lady Gaga Madonna, Priyanka Chopra, you to Kathy savate, Mary J. Blige, Nicki Minaj. Run DMC, you have another one for you, too. So, you can imagine Bruce Springsteen that Midler you can imagine the concern here, but they they still don’t Okay, me too. People behind Sodano KB claimed to have all of this information and are threatening to release the list to the dark web. Legal docs That is, if of course their ransom demands are not met. Thunderbolt on CD net thunder and Thunderbolt flaw affects millions of computers even locking unattended devices won’t help so Thunderbolt type of connection on Men are on all Macs after 2011 and some Windows computers and Linux computers as well. So Microsoft says this sufficiently was sufficiently concerned about the vulnerability of Thunderbolt three to direct media access attacks that it opted against including it on the Surface devices. But some of the Microsoft OEMs still added Thunderbolt and all Apple Mac computer since 2011 include Thunderbolt and there are also some Linux computers that have it as well. So the vulnerability is called Thunder spy. And while all Thunderbolt equipped computers are vulnerable to fulness by Intel, which develops Thunderbolt technology says the attacks were mitigated at the operating system level with kernel DMA protection but this technology is limited to computer sold since 2018. So if you have a computer between 2011 and 2019 with Thunderbolt, you may You may be exposed. Even if your computer is put to sleep or or locked, you are still vulnerable is the point of this vulnerability. So there is a little bit of back and forth between Ruttenberg who identified the vulnerability with Thunderbolt. Two thunders by and Intel as to whether or not the vulnerability is legitimate. with Intel saying that they developed Thunderbolt three which includes a policy management feature called security levels that lets Admins use cryptographic authentication to whitelist PCIe connections to to approve peripherals but Ruttenberg contends that Thunder spy completely breaks Intel security levels because Thunderbolt suffers from inadequate firmware verification, weak device authentication use of under unauthenticated device metadata and is vulnerable to version downgrade attacks. So I don’t use Thunderbolt. I can’t tell you. You know, I wouldn’t even I wouldn’t even I don’t even think I have any devices with Thunderbolt. So there’s that. bleeping computer reports Texas courts, Texas courts hit by ransomware network disable to limit spread. This was earlier in the week will actually last week a week ago today. The Texas core system was hit by ransomware on Friday night, may 8. And we’ve talked about this before where a lot of times ransomware attacks occur right before the weekend and right before a holiday. And that is to allow them more time to do damage. So this led to a branch network including websites and servers being disabled to block the malware from spreading to other systems. On Friday, May 8, Office of court administration the information technology provider for appellate courts, is state traditional agencies within the Texas judicial branch. identified a serious security event in the branch network, which was later determined to be ransomware attack. His statement published today on the site of Texas judicial branch says I didn’t see an update to this. So they were hit with a ransomware attack and took everything offline to prevent the spread of the attack. And, you know, Texas seems to be a popular target for ransomware attacks. It does not say who the ransomware attacker was. I’m not sure if it’s one of the ones that also exfiltrate data. We will I will see if I can find update for everybody. But remember last year, Texas was also hit 23 local governments and in if I’m not mistaken, that was done through open VPN, and maybe RDP. So, Texas again, popular target, kind of like Louisiana. bleeping computer also reported WordPress plugin bugs can let attackers take over almost 1 million sites. So this is The page builder WordPress plugin which is installed on more than 1 million sites. The vulnerabilities are cross site request forgery CSRF and deletes really, that leads to reflected cross site scripting attacks. And they affect all page builder versions up to an including two point 10 point 15. Attackers can exploit these security flaws by tricking WordPress site administrator into clicking specially crafted links or attachments and execute malicious code and browsers as well as forge requests on their behalf. The they are then able to inject malicious code. And I’m looking to see if there was an update to this but I can tell you that no millions of WordPress sites waiting for patches page builders development team updated to plug into two point 10 point 16 almost a week ago to fix the two security flaws and users are urged to patch their installations to avoid attacks so I should have included this on the on the patch report Patch Tuesday report but this is another WordPress vulnerability there have been quite a few of these over the last few weeks. And there was one last week that affected over a million websites so on bleeping computer Mays ransomware fails to encrypt, Pitney Bowes steals files so amaze ransomware got in and was able to exfiltrate some files, but they were they were unsuccessful in launching the ransomware attack of their the ransomware portion of their attacks so they did not encrypt anything. But they did get in and exfiltrate files this occurred on does not say when it happened but it’s it is recent. This was reported on May 11. So that would have been Monday and so probably over the weekend and They did have the wherewithal to prevent the encryption, but it looks like it sounds like the data leak, data was stolen, some data was stolen. It looks like they grabbed financial information, the names of their other directories in the screenshots. So there’s some screenshots here that you know may sent to say, hey, we’ve grabbed your information. So list of phones, customers and current employees, and I see a file files here for apps, eBay and PayPal, e commerce and finance final reporting forecast. So this looks like probably a network drive of some sort. So they did get the data. They did not encrypt anything they do. They failed in that respect. All right, we have a report from Krebs on security and I did not interestingly enough, I did not see this anywhere else. But a ransomware hit ATM giant Diebold. nixdorf Diebold nixdorf, a major provider of automatic teller machines and payment technology to banks and retailers. suffered a ransomware attack that disrupted some operations company says the hackers never touched the CTS or customer networks, and that the intrusion only affected its corporate network Canton, Ohio based Diebold is currently the largest ATM provider in the United States with an estimated 35% of the cash machine. Market worldwide to 35,000 employee company also produces point of sale systems and software used by many retailers according to Diebold on the evening of Saturday, April 25. So a weekend company security team discovered a non anomalous behavior on its corporate network suspecting a ransomware attack. Diebold said it immediately began disconnecting systems on a network to contain the spread of the malware. So it’s just told Krebs on security that dipoles response affected servers or services for over 100 of the company’s customers die boasted the company’s response to detected disrupts system that automates Field Service Technician requests, but the incident did not affect customer networks or the general public. Diebold has determined To spread it a malware has been contained I bought said in a written statement provided to Krebs on security incident did not affect ATMs, customer networks or the general public and its impact was not material to our business. Unfortunately, cybercrime is an ongoing challenge for all companies. Diebold nixdorf takes the security of our systems and customer service very seriously. Our leadership has connected personally with customers to make them aware of the situation and how we address it. So once again, another weekend ransom attack ransomware attack and this one was pro lock ransomware which when it comes to ransomware they’re not they’re clearly not one of the leaders but they are trying they are definitely trying so change was formerly known as porn pond locker. p p w. d locker is now called pro lock. We have a report us that the US warns of Chinese hackers targeting COVID-19 research or organizations This is coming from FBI and from Cisco. The threat actors affiliated to the People’s Republic of China are attempting to compromise and collect COVID-19 information from organizations in the US healthcare, pharmaceutical and research industry sectors. The ongoing attacks are currently investigated by the Federal Bureau of Investigation and the cybersecurity infrastructure security agency. As stated in a joint public service announcement that was published on May 13. China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19. The FBI said this announcement is intended to raise awareness for silver institutions in the American public and provide resources and guidance for those who may be targeted. These actors have been observed attempting to identify and illicitly attain valuable intellectual property and public health data related to vaccines treatments and Testing from networks and personnel affiliated with the COVID-19. related research to potential death of this information jeopardizes the delivery of secure effective and efficient treatment options. So, this also comes on the heels of there was, I believe, a warning about North Korea, and also maybe one from Russia again. There was some vague warnings about the power grid electric grid for the US and for Canada and Canada was a Canadian electric or energy company was hit with a ransomware attack last week. So there appears to be an uptick in threats from that part of the world. And I suspect we’ll see even more targeted COVID-19 research in response organizations are advised to take defensive measures to block potential attacks. Assume that that press attention affiliating your organization with COVID-19 related research will lead to an increased interest in cyber activity. If your name is in the news, then they will Probably look at that and say, hey, let’s try. Patch all systems for critical vulnerabilities prioritizing timely patching for known vulnerabilities of internet connected servers and software processing internet data. Actively scan web applications for unauthorized access modification or anomalous activities. And let’s add to that. Well, we’ll get to in a moment approve credential requirements and require multi factor authentication, and identify suspend access of users exhibiting unusual activity and with that, I identify and suspend access of people no longer with the company or people that change departments. And that is going to do it for the news. So we will move on to our hot topics. All right, so first up This was on health IT security comm FCC FTC seeks comment on Breach Notification rule for health data and this is applying to third party applications not through EHR, IRS or covered entities, stakeholders are being asked to provide comments on the FTC Breach Notification rule, which requires vendors not covered by HIPAA to inform consumers and FTC of breaches within 60 days. The Federal Trade Commission is seeking comment from industry stakeholders on breach notification requirements for entities that collect personally identifiable health information but aren’t covered by HIPAA regulations, as noted by a host of others in the past, including the Department of Health and Human Services, third party apps chosen by patients are not typically covered by HIPAA, the only ones that are covered by HIPAA, not third party applications that would be through EHR vendors. So like follow my health is through all scripts, I believe instead The FTC Breach Notification rule enacted in 2009 requires vendors and related entities not covered by privacy regulations to inform individuals, the FTC and the media and in some cases of breaches. of unsecured personally identifiable health data. HIPAA an FTC Breach Notification rule requires notifications to occur within 60 days of discovering the breach, and if more than 500 individuals, the FTC must be notified within 10 days, which is a little more strict than HHS, the HIPAA rules. The rule certain rule created certain protections for personal health records, or PHR electronic records of identifiable health information that can be drawn from multiple sources and are managed, shared and controlled by or primarily for the individual FTC officials explained. Specifically, the Recovery Act recognized that vendors of personal health records and PHR related entities were collecting Consumers health information. But we’re not subject to the privacy and security requirements of HIPAA that continued. The rule requires these entities in their third party party, third party service providers to provide notification of any breach of unsecured, individually identifiable, identifiable health information. FTC is currently reviewing its health Breach Notification rule, as part of an overall periodic review to ensure the agency keeps pace with the changes in the economy, technology and business models. Reviews typically occur every 10 years, and includes standard questions around the effectiveness and, and potential benefits. The FTC is also reviewing whether the rules self should be retained, changed or eliminated and request the stakeholders to provide comment on key issues posed by the rule, such as whether it has resulted in under notification over notification or an efficient level of notification. industry leaders can also provide feedback on whether there is a need to notify to modify the rule to reflect the legal economic and technological changes as well as whether the time is requirements in breach reporting methods are adequate for the FTC is asking for insights into possible conflicts between rule and state, local and or federal regulations. FTC is also seeking insights into enforcement implications raised by direct to consumer technologies and services such as mobile health apps, virtual assistance and platform health tools along with potential ways. The rule should address developments in healthcare products or services tied to COVID-19 say like contact tracing apps, which we’re going to talk about shortly. Stakeholders were also asked whether they feel there’s a continuing need for specific provisions of the rule as well as needed benefits for consumers and evidence to support those asserted benefits. The FCC also requested insights on potentially significant costs imposed on consumers caused by the rule. Notably, the agency would also like feedback into whether the rule benefits or hinders their harmonization of the rule with HIPAA as well as if the rule indeed accomplishes the recovery x goal. advancing the use of health information technology while strengthening the privacy and security protections for health information, industry stakeholders will have 90 days to review the request for comment. And that is posted on the Federal Register. Now, a few things first of all, 10 years is a long time in the tech world. So 10 years ago, we didn’t have all these mobile health applications that we have now. And we’re not just talking about things like, like follow my heart, even though that is not a third party app, but something similar, where a patient can request information transferred to that application, but we’re talking about things like um, like, My Fitness Pal or your smartwatch that tracks your heart rate and things like that. Those are third party applications that do track health information and could conceivably lead to a data breach that would include health information for a person, they would not be covered under HIPAA because they’re not a covered entity, and they’re not a business associate. So they would not be covered under HIPAA. And that’s where the FTC steps in. A lot has changed in 10 years. So there’s definitely a need for changes to the rules around this. Also, there was a point here that I wanted to address. And that is the COVID-19 tracing apps. We’re going to talk about that in a moment. But we don’t really know 100% what that looks like yet. And I think there will be issues when it comes to privacy with these things. Google has been trying to get their hands and I think even Apple to an extent has been trying to get their hands on healthcare data for a long time. For obvious reasons. The reasons are in the healthcare is a business that’s never going to go away. And in fact, in some ways it will probably grow. They want to remain relevant and remain finally Eventually secure. These are massive organizations that have access to things that most organizations don’t have access to. So they want more. So it’ll be interesting to see how that develops, how this rule develops. And I think we’re going to see that this may, at some point tie into some of the data breach rules, data breach laws, data breach laws, we’re starting to see like ccpa in California and the shield law in New York and things like that. So I’m 90 days to review this was posted earlier this week. If you want to comment on it, it is available on the federal federal register that is regulations.gov you can go there and comment on it. The second thing we’re going to share today, US government shares list of most exploited vulnerabilities since 2016. This is on bleeping computer. US government cyber security agencies and specialists today have released list of Top 10 routinely exploited security vulnerabilities between 2016 and 2019. This was shared on Tuesday, cyber security and infrastructure security agency which assists the Federal Bureau of Investigation and the broader US government issued the a 20 dash 133 A alert through the National Cyber awareness system to make it easier for organizations from the public and private sector to prioritize patching in their environments. The public and private sectors should could degrade some foreign cyber threats to us interest through an increased effort to patch their systems and implement program to keep system patching up to date now, so what does that mean? It means that the US government has recognized that North Korea, China, Russia and some other countries, some other nation states may be trying to exploit these vulnerabilities that exist. And some of these vulnerabilities go back years. And so they recognize that also there are businesses in the private and public sector that have the vulnerabilities still, a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries operational tradecraft and forced them to develop or acquire exploits that are more costly in western law widely effective and probably harder to deal with. Based on US government’s analysis of cyber attacks, abusing security vulnerabilities threat actors have most often exploited bugs in Microsoft’s object linking and embedding only OLED technology with the Apache struts web framework being the second most reported exploited technology of the top 10 to three vulnerabilities used most frequently across state sponsored cyber attacks from China, Iran, North Korea and Russia are CVE 20 1711 A to 2017 0199 2012 0158. Now the first set of numbers on these CVE are the year so this one goes back. That last one goes back to 2012. So that is eight years old. So says all three of these vulnerabilities related to Microsoft’s LTE technology over Chinese hackers have frequently exploited CVE 2012 10158, starting with December 2018, showing that organizations have failed to patch it, and that the malicious actors will continue abusing such flaws as long as they’re not fixed. In 2020. Cisco says that attackers have been hard at work exploiting unpatched security Citrix VPN, which was CVE 2019 11510 and pull secure VPN 2019 19781. So these are both last year. And pulse secure VPN is a big problem because even if you’ve patched it, and they’ve already, if they’ve already compromised it, they’ve already on your network and they’re already still able to continue to exploit other vulnerabilities in your network after them and so now that more people are working from home, that’s an even bigger issue. So here is the top 10 routinely exploited security flaws since 2016. So I want to start with the CVE 2012 0158. The Associated malware was trying to exploit the exploit. The vulnerability is found in various versions of Microsoft Office and Microsoft SQL Server and so forth. So it’s Microsoft products, which are routinely routinely have patches available to them. That is not getting pitch, not getting patched sorry. I just tried to combine patch and fixed so but we have vulnerabilities going back to 2012 2015 2017 1819. You know, 19 not being that long ago, but still so these are the list of the Top 20 Top 10. vulnerabilities are linked to this article. And the associated malware you so you have loci form book apone verite fins by Leighton bot Dried x we already mentioned Jack’s boss, China chopper dog call internal synergy and eternal blue you remember you may remember eternal blue from wanna cry Tosh LIFFE on warrior and kitty. The eternal blue compromised versions of Windows Vista, Windows seven. And those are still out there. I just saw recently somebody I know where the Windows version of Windows seven still running. So they’re still out there. They’re still out there and that’s a problem because you’re vulnerable. So check out that article on bleeping computer.com, the 10 most exploited vulnerabilities in the last four years. And if you if you’re guilty of any of those, get them taken care of. All right. The last thing we’re going to talk about in our hot news for today is the contract contact tracing applications that are developed or worked been worked on. I have three separate articles that show a concern for privacy in reality so the first one was reported on threat post leaked NHS docs revealed roadmap concerns around contact tracing app. So NHS is UK National Health Service. They were storing to haven’t developed an app yet they were storing information in Google Docs. That information was leaked. So a COVID-19 contact tracing app to be rolled out by the UK National Health Service has been thrust into the spotlight thanks to sensitive documents being leaked via public Google Drive link. contact tracing has emerged as a top idea for dealing with the Coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide. However, with several initiatives underway to use mobile phone apps to carry out privacy concerns have come to the forefront. The NHS app is no exception with details tractors concerned about how the information it collects could be used to leaked NHS NHS documents reported by wired showed that the officials behind initiatives are also concerned specifically around about how unverified information could be used. So this particular post raises a couple of concerns. One is how is the information going to be used, right? So if I decide to opt in, and in the US anyway, it’s going to be you can opt in, you don’t have to, you’re not being forced to do it. But you can opt into doing it. So if you do have symptoms, you put the information into the app. In the US, this is how they’re planning to do it. You put your information into the app, it’s supposed to be anonymous. And if you are, if it is determined that you had COVID-19 then that is updated. And now that anybody now anybody who’s opted in to this will be notified that they have come into close contact with you And then there’s there’s some guidelines around what’s considered close contact. Right. So the concern, one is, is my privacy secure is my privacy? Is there a potential for privacy issues within the application? And in the US, Android, Google, and Apple are planning to do this at the operating system level, meaning they will, they won’t be a third party app eventually. Right now, there are companies working on third party apps, and we’re going to talk about that shortly. One of them in Utah. But what are the potential repercussions to my privacy and health information being put into an application that by the way works with Bluetooth which has several vulnerabilities. So that’s number one. Number two, what happens if I want to be funny and I upload the wrong informations Um, I am sick and I put that I’m not sick or I’m not sick and I put that I am sick to cause fear. So that’s another concern that I don’t know how they can address that. Because it’s supposed to be anonymous, so I can, if it is anonymous, I could put whatever information I wanted, and nobody will know it’s me, theoretically. So already in UK, somebody got a hold of publicly, a link that was public on Google Drive that had some information in regards to the application being developed in the UK. But let’s take it a step further now. Now we have a woman in New Zealand who was being stalked after going to subway subway restaurant, and she put her information on the I guess they’re in there they have to write down contact details, including name email. Address, physical address and I think phone number. And she did this and then started getting essentially stalked by an employee a subway. So now that’s part two of the problems. So this here’s another another example of Privacy Information. private information being leaked to someone who probably should not have had it. So why this is, I compare this to I used to see my doctor used to keep a clipboard in the waiting area, you would come in, you would put your name, the reason you were there and who you were, who you were there to see in a clipboard sat at the front desk for the whole world to see. And so this is the same thing essentially, right? I’m writing down my name, email addresses, phone number and physical address and anybody else can see it, including employees, but also other customers can see it potentially. So if you’re If this is just like a mailing list you’re putting your name on, which is what it kind of sounds like then now you have other people seeing your name, address, phone number and physical address, name, address, email address in physical, you know, get a right name, address, and email address and phone number. And potentially the whole world sees it. That it you know, that could be cause for concern. Absolutely right. And this was a woman. And she even goes on to state that if she did live alone, she doesn’t that she she lives with several roommates it sounds like, but if she did live alone, then she could feel even more uneasy about what happened. And then this also opens up things like spear phishing, using social engineering, different forms of social engineering. There’s a lot of different little cyber activity cyber crime items that can be committed, because this information is now somewhat publicly available. And then we have another article, this one on threat posts about a company called healthy together an application called healthy together being developed out of Salt Lake City or out of Utah. They’re saying no to Apple and Google COVID-19 tracing, I get that, but they’re going to go with a third party app, which, in my opinion, is probably less secure than using Google or Apple. So healthy together app uses a raft of location data, including GPS cell tower triangulation, and Bluetooth. Again, Bluetooth being having several vulnerabilities to pinpoint users and Id Coronavirus hotspots. I just give you an example of Bluetooth and how it works. I one of my children’s activities. They’re one of their teachers. Try To connect her phone to Bluetooth speakers, and every time she tries, it attempts to connect to my phone. And I deny it because I’m not a bad person. But if I had accepted it, I now conceivably have access to everything on her phone. Who knows what’s on that phone, right? That’s how Bluetooth works. And if you’re in close, close proximity to something like that, it’s not hard to grab Bluetooth information off of another device. And we’ve seen it already with Tesla, their cars. We’ve seen it already with their entertainment systems. We’ve seen it with other phones. We’ve seen it with Bluetooth devices when you rent a car. If you don’t remove your phone’s information from the Bluetooth connection then you I mean, even if you do you might you might be at risk. And I’ve rented cars where I’ve seen five or six other phone information still there. After being rented after being Return. Now. We have Utah wanted to use this application from. It’s called healthy together. It’s called. And it’s from a startup company called 20 holdings. And they had already developed a social application that lets users see who’s around see who’s down and hang out in so I guess that’s their their tagline. In other words, the company specializes in Nebula enabling physical in person connections. It’s perhaps no surprise that 20 is Coronavirus app for Utah uses a raft of location data including GPS cell tower triangulation, and Bluetooth to pinpoint users. Now, that quote, that to me is cause for concern privacy concerns like what why do you? Why would you want that information out there? I get the reasoning behind it. So don’t get me wrong. I understand. We want to slowed the progress of COVID-19 down. And from the information I’ve seen in the last few days, it sounds like we’re already on that. But so just to give you an idea of how it works, so Jeff and Sarah are two individuals. This is as an example, this is not real people, Jeff and Sarah, two individuals in this example who don’t know each other, but they both have the app on their phones, old outlet. And so both phones are emitting Bluetooth and GPS signals all good said. So all good being the Chief Strategy Officer at 20. Through that data, we can identify whether or not two people have spent some time together from their contact, tracers can swing into action making calls and contacted ineffective and exposed persons, other contexts. So do you can see where I hope you can see where that could be a concern. A big privacy concern Again, I get the idea behind it. I don’t know that it’s worth the privacy concerns. Let’s educate the population. Let’s tell everybody, hey, this is what, what the symptoms are, this is what you need to be Look out, this is how you need to protect yourself, this is what you need to do. And then let’s let it go from there. I think what what you’re going to see is this technology somehow will get abused, whether it’s the company creating an application, and even say, where some people within the organization will have access to that data. Or somebody finding a vulnerability and utilizing it or somebody using false information. So there’s too much potential damage that can occur from an application like that. They’re probably going to move forward with it, to be honest with you. So Google and Apple and maybe some other companies and other countries are already doing In this so my concern is privacy. All right, so we’re gonna continue with our HIPAA education we started a few weeks ago around cybersecurity practices for small healthcare organizations. This is according to the 405 D. project to improve cybersecurity and healthcare organizations. And this week, we’re going to talk about asset asset management, management, asset management. So, what are we doing to secure our assets our servers, our computers, our healthcare equipment, and so forth. Organizations manage it assets using processes, referred to collectively as it asset managers. ITM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization. ITSM processes should be implemented for all endpoints, all endpoints, there’s always that one breach where all we didn’t think that was needed. servers and networking equipment. ITSM processes enable organizations to understand their devices, and the best options to secure them. The practices described in this section may be used to support many of the practices described in other sections of this volume. So let’s talk what we have here. First of all, you need to do an inventory. And again, this is all based on the NIST cybersecurity framework framework, NIST cybersecurity framework. It completely inaccurate inventory of IT assets in your organization facilitates the implementation of optimal security controls as inventory can be conducted and maintained using a well designed spreadsheet the following question should be captured for each device. So you should capture AI asset ID primary key hostname purchase order operating system, Media Access Control address that’s the MAC address that MAC address is assigned to any piece of hardware that connects to a network IP address deployed to who is deployed to user last logged on which you know that’s that’s kind of ongoing but purchase date cost and physical location now the user logged on can be last logged on can be monitored. So you can you can continually track that. Most important probably asset IDs, operating system MAC addresses IP addresses, and who was deployed to especially with the current work from home environment, procurement. And with that, once you have established your ITM spreadsheet it is important to record each new it asset as it is acquired. This requires establishing standard operating procedures for procurement. Generally, it is advisable to assign the responsibility of collecting information on new assets to the purchaser within your organization. And then decommissioning which is probably the most important piece, right? It assets that are no longer functional or required, well, maybe not the most important but it’s close to inventory. Required should be decommissioned in accordance with your organization’s procedures. small organizations often contact contract with an outside service provider specializing in secure destruction processes. Such providers can ensure that all data especially sensitive data, are properly removed from a device before it is turned over to other parties. Additionally, your standard operating procedures should ensure that your record decommissioning of each device if you use a service provider to decommission or destroy devices, record the certificate certification of destruction so there was never a question about what happened to it. What is mitigated by this These activities so you have ransomware attacks, loss of, or theft of equipment or data insider accidental or intentional data loss and attacks against connected medical devices that may affect patient safety. Asset Management is important because things walk away and we see it time and time again. They walk away, and they didn’t the healthcare provider realizes, hey, that wasn’t encrypted. And now you have a problem because now you have potentially thousands or even in some cases, millions of healthcare records. Now, just out there, no idea what is going to come of it. You know, we saw a HIPAA breach a few weeks ago, I think, where some hard drives went just went missing. The hard drives were not encrypted. Now. There was From the healthcare provider was that you need a specialized software to be able to see the information on those hard drives. But let me tell you a software is not hard to come by that so that response is not to me is not a good response. The hard drives non encrypted is a problem the hard drives being able to walk away as easily as they did. They were in a locked room, but the person who took them out of the locker room didn’t realize the room was supposed to be locked thought it was just because it was time of the day they walked out, never to be seen again. It doesn’t take much to get required software to view healthcare records. And if so, if that’s the intention of the Deaf, maybe it’s not the intention. Maybe the intention is Hey, I just found some hard drives I could use. But if that is the intention, then it’s not going to be hard to get that information if it’s not encrypted. So Asset Management know where they are. tracked them use barcodes or use a barcode reader you can get you could put a bar reader on a smartphone and print labels off with a barcode without any printer. Really, there’s printers out there that can do that. So put a barcode on the device, scan it, you’re done with it. Well, if you can believe this, we only have one. HIPAA breach to report this week. Fortune 500 company Magellan health has announced that it experienced a ransomware attack in April that resulted in encryption of files and theft of some employee information. The ransomware attack was detected by Magellan health on April 11. When files were encrypted on a systems the investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6, the attacker had fooled the employee by impersonating a client of Magellan health, Magellan health engaged in cyber security from mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated, a subset of that data. Prior to the encryption of files. The attacker also downloaded malware that was used to steal logon credentials. The data stolen by the hacker related to current employees, and including names addresses, employee ID numbers, and W two and 1099 information which included taxpayer IDs, and social security numbers. a limited number of usernames and passwords were also stolen in the attack. Magellan health is unaware of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data. affected individuals have been offered a complimentary three year membership to experience identity works identity theft, detection and resolution service Magellan health is working closely with law enforcement is and is aggressively investigating the breach and steps have already been taken to improve security to prevent similar breaches in the future. Of course, it is currently unclear how many of the individuals have been affected by the breach the ransomware attack comes just a few months after the company discover some of its subsidiaries suffered phishing attacks. Magellan RX management Magellan healthcare and national imaging associates were all affected. announcements about the breaches were made in September and November of 2019. With the phishing attacks following I’m sorry, with the phishing attacks, allowing unauthorized individuals to gain access to employee email accounts in July of 2019. The emails into compromised accounts contain the protected health information of 55,637 members. So this goes back to last July. It’s conceivable that the two are tied together, right. So they got some information from that attack back in July of last year and then used it to fish Someone else this year, because it says spear phishing email. Spear Phishing means that was somebody that was targeted in the organization. So it’s conceivable that the information from last year’s attack was used in this year’s attack. And that’s why you have to be careful with that information. And that’s why you have to teach your employees how to recognize phishing attacks. And that’s why you have to set up multi factor authentication. So it sounds like Magellan which is a fortune 500 company is not not taking that information seriously. And then, of course, you always have these information where these responses where they say, you know, they’re aggressively investigating and they’re taking steps to improve security to prevent a similar incident, but hey, just happened 10 months ago, so alright, that is going to do it for the product by T podcast. Until next week, stay healthy, stay safe and stay secure.

Transcribed by https://otter.ai

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply