Apple Watch 4, Crypto Crackdown, Multi-state HIPAA Lawsuit

TLP White: This week we start by discussing a new software update from Apple that allows some smart watch owners to undergo electrocardiogram scans and heart rate monitoring at the touch of a button.  We then turn to the Department of Treasury’s effort to crack down on hackers by prohibiting ransomware payments to particular cryptocurrency addresses.  We’ll look at Australia, who decided they know best about encryption, and we will end by taking a deeper dive into a health information data incident that has caused a number of states to join forces by bringing a HIPAA lawsuit against the breached company.

Welcome back to Hacking Healthcare.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion from the health sector perspective, become a member of H-ISAC and receive the TLP Amber version. 

Hot Links –

1. The Holidays Are Here and So Are New Health-Focused Wearables.

Apple recently released a software update to watchOS that enables electrocardiogram and irregular heart rate notification features for its Apple Watch Series 4 devices.[1]  The electrocardiogram attribute can be accessed by merely touching a finger to the device’s “digital crown” and waiting approximately thirty seconds for the watch to perform its scan.  The watch also monitors users’ heart rates intermittently and sends notifications to users if an anomaly is detected.[2]  While these new offerings in no way serve as a substitute for regular visits to your cardiologist, they do provide consumers with an interesting new way to interact with their heart health.  Consumer wearables offering health-related features and information access have risen in popularity in recent years, as devices such as smart watches, fitness trackers, and other more sophisticated health monitors have reinvigorated consumers’ interest in their own health statistics.[3]

 

Accessing health data through wearable devices brings up the usual questions and problems with respect to cybersecurity in the IoT.  As wearables that process health information continue to gain traction, their security becomes even more important because the amount, type, and quality of data they process is more robust and detailed.  As a result, device manufacturers have appropriately turned their attention to cybersecurity, and security vendors are working to implement privileged user controls, application whitelisting, and other security features to help mitigate vulnerabilities and prevent data loss.[4]

 

2. Department of Treasury Outlaws Certain SamSam Ransomware Payments by Prohibiting Transactions with Two Cryptocurrency Accounts.

In late November, the Department of Justice (“DOJ”) unsealed a grand jury indictment against two Iranian hackers who allegedly orchestrated the SamSam ransomware attacks.[5]  We’ve reported on these attacks before, as healthcare corporations make up approximately 25% of the victims of the SamSam attacks overall.[6]  In tandem with the DOJ’s release of its indictment against the hackers, the Department of Treasury’s Office of Foreign Assets Control (“OFAC”) published the hackers’ cryptocurrency addresses and stated that U.S. individuals and companies are barred from conducting any transactions with them.[7]  OFAC included the hackers’ digital cryptocurrency addresses in the identifying information it published for them on its Specially Designated Nationals and Blocked Persons list (“SDN list”).[8]

 

OFAC’s statement serves as the first time the agency has publicly attributed cryptocurrency addresses to individuals involved in converting cryptocurrency ransomware payments into generally accepted currency.[9]  Ultimately, this means that U.S. individuals or corporations who have suffered at the hands of the SamSam ransomware attacks may no longer make cryptocurrency payments to at least some of the hackers at the helm in an effort to regain control of their computing systems and recover lost data.  Furthermore, individuals and corporations infected with ransomware going forward must make a point to check OFAC’s SDN list to ensure that any payments they make are not going to prohibited parties or outlawed crypto accounts.

3. Australia Passes New Law to Thwart Strong Encryption.

From our “Didn’t we just talk about this last week?” department, we bring you a newly passed measure by the Australian parliament that seemingly represents a victory for law enforcement and government proponents of weakening encryption. The new law passed on Thursday would require that companies be able to present encrypted communications and data to the relevant authorities through a warrant process. Failure to adhere to the new law would punish companies up to $10 million and individuals up to $50,000. The passage of the bill represents the first tangible outcome of an anti-encryption policy that Ars Technica reports goes back at least as far as June last year.

 

Critics of the newly passed legislation were quick to reaffirm that it remains impossible to weaken encryption for law enforcement without simultaneously weakening it for everyone else. Among the dissenters, Apple was vocal in its disapproval citing “It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

 

The law has also generated confusion over what some perceive to be a vague loophole in its wording. It is stated in the document that it must not require a communications provider to “implement or build systemic weakness, or systemic vulnerabilities” or to prevent a provider “from rectifying systemic weakness, or systemic vulnerability”. What this means in practice is unknown at this time. Conventional wisdom suggests that the measure is likely to be amended, but time will tell.

 

We’ll no doubt be back to talk about this in the very near future.

 4. States Band Together to Sue Electronic Health Records Vendor for HIPAA Security Rule Violations.

State Attorneys General from twelve jurisdictions have linked up to sue an electronic health records (“EHR”) vendor for alleged HIPAA violations that arose out of a 2015 data breach.  Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin are named as the plaintiff states in the suit.[1]  Among other HIPAA related claims, the states allege that the EHR failed to comply with the HIPAA security rule, which requires covered entities to maintain appropriate administrative, technical, and physical safeguards to secure electronic protected health information.[2]  Along with HIPAA violations, the states claim that the EHR vendor ran afoul of state unfair and deceptive practices laws, personal information protection laws, and breach notification statutes.[3]  This is the first time that multiple states have joined forces to sue a private company for a data breach that implicates electronic protected health information.

 

Congress –

 

Tuesday, December 11:

— Hearing on Transparency & Accountability: Examining Google and its Data Collection, Use, and Filtering Practices (House Committee on the Judiciary).[4]

— Hearing on Implementing the 21st Century Cures Act: An Update from the Office of the National Coordinator (House Committee on Energy and Commerce Subcommittee on Health).[5]

–Hearing on RAY BAUM’S Act: A Bipartisan Foundation for Bridging the Digital Divide (House Committee on Energy and Commerce Subcommittee on Communications and Technology).[6]

 

Wednesday, December 12:

–Hearing on Examining the Availability of SAFE Kits at Hospitals in the United States (House Committee on Energy and Commerce Subcommittee on Oversight and Investigations).[7]

 

Thursday, December 13^th:

–Hearing on “Exploring Alternatives to Fetal Tissue Research” (House Committee on Oversight and Government Reform Subcommittee on Government Operations and Subcommittee on Healthcare, Benefits, and Administrative Rules).[8]

–Hearing to examine S.3545, to amend title XVIII of the Social Security Act to improve home health payment reforms under the Medicare program (Senate Committee on Energy and Natural Resources Subcommittee on National Parks).[9]

 

International Hearings/Meetings –

 

            EU –

Thursday, December 13^th:

Hearing on “Assessing the impact of digital transformation of health services” (European Commission Expert Panel on Effective Ways of Investing in Health).[10]

 

Conferences, Webinars, and Summits –

 

–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>

–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)

<https://nhisac.org/events/nhisac-events/first-symposium-2019/>

–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

 

Sundries –

—Marriott breach spurs new privacy law push

<https://thehill.com/policy/cybersecurity/419753-marriott-breach-spurs-new-privacy-law-push>

—Security firm releases new tool to fight cyber threats to critical infrastructure

<https://thehill.com/policy/cybersecurity/419833-security-firm-releases-new-tool-to-fight-cyber-threats-to-critical>

—Facebook Exposes Nonprofits to Donors-and Hackers

<https://www.wired.com/story/nonprofits-facebook-get-hacked-need-help/>

—Why, in 2018, is Microsoft adding security questions to Windows 10?

<https://arstechnica.com/information-technology/2018/12/what-was-the-name-of-your-first-exploit-win-10-security-questions-open-backdoor/>

—Hackers breach Quora.com and steal password data for 100 million users

<https://arstechnica.com/information-technology/2018/12/quora-says-hackers-stole-password-data-and-other-details-for-100-million-users/>

—Mastercard and Microsoft say they’re developing a universal identity management solution

< https://www.cyberscoop.com/identity-management-microsoft-mastercard-partnership/>

 

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] http://src.bna.com/DFG

[2] https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

[3] https://healthitsecurity.com/news/12-states-sue-business-associate-for-2015-health-data-breach

[4] https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108776

[5] https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108790

[6] https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108785

[7] https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108782

[8] https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108783

[9] https://www.senate.gov/committees/hearings_meetings.htm

[10] https://ec.europa.eu/health/expert_panel/events_en

[1] https://www.theverge.com/2018/12/6/18128209/apple-watch-electrocardiogram-ecg-irregular-heart-rate-features-available-health-monitor

[2] https://www.apple.com/newsroom/2018/12/ecg-app-and-irregular-heart-rhythm-notification-available-today-on-apple-watch/

[3] https://www.accenture.com/t20180306T103559Z__w__/us-en/_acnmedia/PDF-71/accenture-health-2018-consumer-survey-digital-health.pdf

[4] https://www.forbes.com/sites/danielnewman/2018/07/31/five-iot-predictions-for-2019/#6e424e636edd

[5] https://www.bleepingcomputer.com/news/security/making-a-ransomware-payment-it-may-now-violate-us-sanctions/

[6] https://healthitsecurity.com/news/healthcare-makes-up-one-quarter-of-samsam-ransomware-attacks

[7] https://home.treasury.gov/news/press-releases/sm556

[8] https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx

[9] https://bitcoinmagazine.com/articles/first-us-treasury-makes-bitcoin-addresses-focal-point-sanctions/Apple Watch 4,