The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Ransomware Gang Demands $10m to restore French Hospital

The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located in Corbeil-Essonnes 28km SE from the center of Paris, has been virtually paralyzed by a cyberattack. Nearly all IT systems appear to have been taken off-line by a ransomware attack discovered on August 21, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. Non-critical services have had to be directed elsewhere, and staff are now working with limited resources.

"Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," said Valerie Caudwell, the president of the medical commission of the CHSF hospital. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Medical imaging has been particularly impacted resulting in all PACS and other imaging services currently being off-line. Many medical devices were highly susceptible to the cyber-attack and may have been at the core of the ransomware attack. Like most hospitals, patching of medical devices against known security vulnerabilities appears to have been lax, making them an easy target for hackers to establish a foothold on the medical network.

“Without security enclaving or segmentation of vulnerable medical devices, these systems wouldn’t have stood a chance,” claims Richard Staynings, Chief Security Strategist at healthcare security company Cylera. “It’s impractical or impossible to patch devices where manufacturers have not released a patch, so you really need to isolate high-risk systems as a form of compensating security control,” he added.

CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency. Unlike a similar ransomware attack in 2020 against Düsseldorf University Hospital, where a 78 year old woman suffering from an aortic aneurysm died after being redirected to a different hospital 32km away, no deaths have been reported at CHSF.

The hospital has refused to pay a ransom demand of ten million dollars and is rebuilding its IT systems from scratch while restoring patient data from backup, a process which it expects to take many days.

Police specializing in cybercrime are investigating. Cyber-attacks targeting hospitals in France have been increasing recently, with 380 last year, a 70 percent rise from 2020.

"An investigation for intrusion into the computer system and for attempted extortion in an organized gang has been opened to the cybercrime section of the Paris prosecutor's office," a police source told Le Monde, also specifying that "the investigations were entrusted to the gendarmes of the Center fight against digital crime (C3N)".

While police and cybersecurity experts continue to investigate this attack, “the Tactics, Techniques, and Procedures (TTPs) indicate a LockBit 3.0 infection,” according to Jordan Rogers, head of cyber threat intelligence at Cylera. However, if LockBit 3.0 is responsible for the attack, it will violate the Ransomware as a Service (RaaS) program's rules, which prohibit affiliates from encrypting systems of healthcare providers.

At this time, the attribution to the particular threat group hasn't been confirmed yet, and LockBit 3.0's extortion site contains no entry for CHSF yet, so their involvement remains a hypothesis. Gang affiliates using this RaaS are known to operate primarily in Russia and Belarus. 


This article was first published here:


NHS 111 Services Held to Ransom by Cyber Attack

NHS 111 services are down for much of the UK following a cyber-attack Thursday morning against the infrastructure of software vendor 'Advanced'. The company's Adastra system is used by call handlers to dispatch ambulances, to book urgent care appointments, and for out of office hours emergency prescriptions. It’s Caresys software is used extensively across more than 1,000 care homes, while Carenotes, Crosscare and Staffplan are used extensively by providers. Advanced supplies software to NHS facilities and doctors nationally, including hospitals, doctors’ offices, care homes and mental health services, so disruption has been widespread.

The systems outage is causing significant delays as call handlers are forced to use other systems or to revert to paper. Emergency ambulance dispatch is taking priority it has been reported, meaning that everyone else has to wait. Meanwhile, applications managed by Advanced have been isolated to prevent lateral spread of malware to other NHS systems.

According to the Telegraph, the cyber-attack appears to have been conducted by an organized criminal ransomware group looking to shut down crucial systems rather than a hostile state-actor as had been originally feared. Healthcare and other critical national infrastructure services have been on high alert since the start of the war in Ukraine given heightened tensions with Moscow. The UK’s National Cyber Security Centre is working with the NHS as it attempts to recover systems from backups and restore services.

UK businesses have been warned about paying ransoms and incentivizing extortionists. According to the Telegraph last month, the head of the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner warned businesses that they risked “incentivizing” attacks by cybercrime gangs by paying ransom demands.

According to Sky News, Advanced, said the issue was contained to "a small number of servers" representing 2% of its health and care infrastructure. Chief operating officer Simon Short added: "We continue to work with the NHS and health and care bodies as well as our technology and security partners, focused on recovery of all systems over the weekend and during the early part of next week."

This latest cyber-attack against the NHS is an unwelcome test of its resiliency and preparedness for various outages including cyber-extortion. As a critical infrastructure industry, the NHS is a target for pariah nation state attack, although in this case evidence appears to suggest that the attack was orchestrated by a Russian criminal gang. Given the known close working relationship between the Russian government and the country’s organized crime gangs, the Kremlin may not be entirely off the hook in this case. A forensic investigation of the cyberattack will take time and a positive attribution of the attackers may be many months away.


NSH 111 services previously known as ‘NHS Direct’ is used for non-emergency Urgent Care services and puts callers in touch with highly trained advisers supported by healthcare professionals. It was designed to reduce the call volume on the UK’s 999 Emergency services (similar to the US’s 911 call system) for non-critical healthcare issues, or to force patients to have to wait several days for an appointment with their general practitioner / primary care provider. The free 111 service is widely used and can be accessed by anyone dialing the number from within the UK.

Advanced is owned by Vista Equity Partners and BC Partners.

Meta sued for violating patient privacy

Facebook’s parent company Meta is facing two proposed class-action lawsuits for using the Meta Pixel tracking tool on health system websites to target ads.

This is not the first time that Meta-Facebook has been dragged through the courts and sued for a breach of privacy. In this case the problem stems from the company’s wholesale vacuuming up of all kinds of metadata whenever a user visits a web page containing its Pixel tracker functionality.

Pixel is contained in a few lines of JavaScript code and is found widely embedded into various web applications. It appears unlikely that the providers using these web applications were aware of the code contained in their portal pages, or that highly confidential HIPAA protected information is being sent to and used by Meta-Facebook without patients' express written permission being obtained. This is especially so because Meta is not a duly authorized HIPAA Business Associate, a requirement before HIPAA Covered Entities (CE) can share protected health information with a third party, nor is Meta a HIPAA CEin its own right. Based upon recent research, it’s probable that hundreds of healthcare portals contain the Meta Pixel code unbeknownst to most providers and that millions of patients could be affected.


The big question is whether Meta Corporation failed to realize that it was illegally being sent PHI data from Pixel, as it continued to monetize this data to sell directed advertising to unsuspecting patients. This point may become a pivotal argument in pending lawsuits and any regulatory enforcement actions. Based upon previous privacy violations, Meta-Facebook is supposed to have implemented business tools to identify sensitive health data and to filter this out from its advertising revenue generating systems. 


In what will likely be a double blow, the collected data was not just innocuous de-identified medical information. “The data Meta received reportedly contained medical symptoms & conditions, prescription information, doctors’ names, IP addresses, and other data defined as HIPAA identifiers. It would therefore be relatively easy to reverse engineer this PHI data to determine the patient identity. It all comes down to the number of data points held in the Meta advertising database,” claimed Richard Staynings, Chief Security Strategist with Cylera. “This could end up being labeled as a massive breach of highly sensitive and confidential regulated HIPAA data.”


In addition to the recently announced class action it seems likely that the Office of Civil Rights (OCR), the enforcement division of Health and Human Services (HHS) is spinning up a task force to investigate this breach and will be assigning a large team to examine potential violation of  HIPAA, the 1996 federal Health Insurance Portability and Accountability Act.

Not only does Meta Corporation likely face HIPAA regulatory concerns, but it also seems likely that various states Attorney Generals (AGs) will be looking very carefully to determine if the Pixel code is present in their jurisdictions on web pages where there is an expected right of privacy. This is especially so on healthcare portals. Finally, it also seems likely that OCR and AGs will be looking carefully at healthcare providers to examine their policies, standards, procedures and guidelines around due-diligence for acceptance of web application technologies and enabled functionality.


“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.


In 2019, the Federal Trade Commission (FTC) imposed a $5 billion penalty on Facebook and required it to submit to new restrictions and requirements to hold the company accountable for its data privacy decisions. This included the promised use of a sensitivity filtering mechanism.
 


Systemic Problem

Many of these privacy issues stem from a fundamental imbalance between the rights of individuals in the United States to remain anonymous and their data kept private, versus the rights of large corporations to collect and mine data for profit. This is a balance that has been addressed in Europe through GDPR - the 2016 General Data Protection Regulation which has quickly become a global standard for Privacy outside of the United States.
 
The federal nature of the US however has resulted in 50 very different and separate state privacy regulations that make it hard to enforce privacy standards for individuals given so much cross-state commerce. Attempts by the federal government to catch up to other OECD nations with a revised national privacy act have met with opposition from some states concerned that a federal law will dumb down their existing provisions, while other state representatives oppose the imposition of something similar to GDPR which they regard as an undue constraint on businesses. 
 
The latest in a long line of attempts to update US privacy laws is currently working its way through congress. It remains to be seen whether the highly fractured nature of US law making results in national privacy changes or goes the way of prior attempts.