H-ISAC Hacking Healthcare blog 6-25-19
HHS on Health IT, Hospital Spam Calls, Cybersecurity Workforce Guide for Healthcare Sector, and European Council’s Cybersecurity Agenda
**UPDATE NOTE**
Quick update following one of our recent stories: As a result of recent sensationalized media reporting on responsible vulnerability disclosure by medical device manufacturers, the Health-ISAC Medical Device Security Information Sharing Council (MDSISC) will develop a media kit for members and the press. The whitepaper will explain the coordinated vulnerability disclosure process and why ICS-CERT advisories are a good thing. The kit can be used to educate the press so they report accurately when an MDM discloses responsibly, and to encourage H-ISAC members to be transparent by publishing notices on their websites and to be ready to respond with a reactive press statement if needed.
H-ISAC is currently seeking volunteers interested in working in a small group of both MDMs and HDOs to assist with the development of this media response kit. Please send an email to contact@h-isac.org with your intent to participate.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
TLP White
In this edition of Hacking Healthcare, we discuss the Department of Health and Human Services’ (“HHS”) view on the negative implications of overly burdensome technology in the healthcare space. We then describe the perils associated with robocalls aimed at hospitals and healthcare institutions. Next, we consider some useful tips for recruiting and retaining skilled healthcare cybersecurity staff. Finally, we examine the European Council’s recent announcement of a new framework designed to deter bad actors and respond to attacks.
Welcome back to Hacking Healthcare.
Hot Links –
1. According to HHS, Sometimes Less is More When it Comes to Health IT.
Last week, HHS Executive Director of Digital Service Shannon Sartin indicated that she and her agency are taking a tempered, thoughtful approach to technology in healthcare. In a discussion about new health IT projects that HHS and the Centers for Medicare and Medicaid Services (“CMS”) have been working on, Executive Director Sartin articulated a desire to view technological advancements through the lens of how they can improve treatment for patients.[1] She also suggested that technology can sometimes overload healthcare providers with administrative responsibilities, thereby taking time and resources away from personalized patient care.[2] Her comments show that HHS is looking to find the sweet spot when it comes to technology in healthcare—enough to enhance efficiencies, but not too much for fear of bogging providers down with administrative tasks.
Despite these comments, HHS and CMS seem more focused on leveraging technological solutions than ever. For example, just last year CMS unveiled its Blue Button 2.0 application programming interface, which helps Medicare beneficiaries share data to improve medical research and connect their claims and health information to a number of health-focused services.[3] CMS also recently rolled out its Quality Payment Program interface, which was designed specifically with providers in mind to help facilitate payments and offer feedback about treatment.[4] It is clear that technology has a major role to play in healthcare, but HHS may have a point that too much tech can sometimes be more burdensome than helpful. The lesson here is that there is a balance to be struck when it comes to health IT, and providers and executives should think critically about when tech is useful and when it has diminishing returns.
2. Spam Calls and Hospitals: A Dangerous Mix.
From our “Who Can It Be Now?” department, we bring you this: In the span of just two hours one morning in late April 2018, Tufts University Medical Center was bombarded with more than 4,500 robocalls from local area code phone numbers that crippled the hospital’s communications system.[5] Tufts tried to stop the calls by contacting its telecom carrier, but the carrier could not put an end to the onslaught. To make matters worse, many of the calls employed spoofing tactics, using numbers with local area codes to make it seem as though they were coming from legitimate callers. Although consumers typically deal with robocalls to their cell phones and home phones on a fairly regular basis, when a hospital system is on the receiving end of this kind of spam, the interruption can exacerbate emergencies and lead to life-or-death scenarios. Providers cannot simply ignore the calls, because there is always a chance that a legitimate caller could be on the other end.
Hospitals are well aware of the problems robocalls can cause. The issue is not a new one: anti-robocall rules were initiated after the enactment of the Telephone Consumer Protection Act almost two decades ago, at least in part to prevent automated calls from interfering with important emergency lines.[6] And just recently the Federal Communications Commission (“FCC”) authorized new rules enabling carriers to block calls from certain kinds of numbers that do not or cannot make outgoing calls.[7] The FCC hopes these new rules will help lessen the scourge of robocalls and provide some relief to critical organizations such as hospitals, as well as to consumers.
3. HPH SCC Publishes Tips for Finding and Retaining Talented Cybersecurity Staff.
The cybersecurity field continues to grow and create employment opportunities for individuals who are interested in healthcare and technology. However, from an organizational standpoint, it can sometimes be difficult to identify and keep capable cybersecurity staff. To assist healthcare organizations in finding and retaining efficient and skilled cybersecurity employees, the Healthcare and Public Health Sector Coordinating Council (“HPH SCC”) recently released a guide outlining tips for organizations to employ in their recruitment and human resources efforts.[8]
The toolkit, “Healthcare Industry Cybersecurity Workforce Guide: Recruiting and Retaining Skilled Cybersecurity Talent,” emphasizes four main areas for attracting and keeping skilled staff: (1) hiring students through internship and externship programs; (2) developing IT employees’ skills so they can take on cybersecurity responsibilities; (3) facilitating professional development programs for executive-track cybersecurity talent; and (4) outsourcing critical cyber functions that are not necessary to keep in-house.[9] Each of these tips presents its own set of advantages and challenges. For example, internship and externship programs can be useful for organizations looking to identify young talent, but they come with their own set of costs and require a considerable amount of planning and forethought to ensure everyone has a positive experience.
4. European Council Prioritizes Cybersecurity.
The European Council (“Council”) recently announced a five year strategic agenda that sets a series of goals and priorities for the European Union (“EU”). The strategic agenda, which was unveiled on June 20, 2019, prioritizes “protecting citizens and freedoms” as one of its key aims.[10] The agenda also explicitly incorporates “protecting our societies from malicious cyber activities, hybrid threats and disinformation” within its set of goals.[11]
The Council views cybersecurity as paramount to protecting citizens’ rights and freedoms—so much so that it established a framework in May that allows it to impose sanctions to deter and respond to cyberattacks against EU member states, the EU as a whole, third-party states, and international organizations.[12] “Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.”[13]
Congress –
Tuesday, June 25th:
-No relevant hearings
Wednesday, June 26th:
-Artificial Intelligence: Societal and Ethical Implications (House – Committee on Science, Space, and Technology)
Thursday, June 27th:
-No relevant hearings
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)
https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland/
–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)
https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
<https://h-isac.org/summits/european_summit/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Raspberry Pi used to steal data from NASA lab
https://www.bbc.com/news/technology-48743043
–What happens when one APT hijacks another’s infrastructure
https://www.cyberscoop.com/oilrig-turla-symantec-apt-infrastructure/
–A tale of two cities: Why ransomware will just get worse
–Presidential warnings ‘easy’ to spoof
https://www.bbc.com/news/technology-48743045
–Dell quietly patched a security vulnerability that affected millions of users
https://www.cyberscoop.com/dell-supportassist-patch-security-vulnerability-microsoft-windows/
–White House Updates National Artificial Intelligence Strategy
–Security News This Week: Hackers Used Two Firefox Zero Days To Hit A Crypto Exchange
https://www.wired.com/story/firefox-vulnerability-coinbase-ransomware-border-hack/
–Iranian Hackers Launch A New US-Targeted Campaign As Tensions Mount
https://www.wired.com/story/iran-hackers-us-phishing-tensions/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.nextgov.com/it-modernization/2019/06/more-health-it-isnt-always-better-says-hhs-digital-service-director/157790/
[2] Id.
[3] https://bluebutton.cms.gov/
[4] https://qpp.cms.gov/
[5] https://www.washingtonpost.com/technology/2019/06/17/robocalls-are-overwhelming-hospitals-patients-threatening-new-kind-health-crisis/?utm_term=.b12c54818f55
[6] https://www.fcc.gov/news-events/podcast/robocalls
[7] https://www.fcc.gov/document/fcc-adopts-rules-help-block-illegal-robocalls
[8] https://www.idigitalhealth.com/news/how-health-systems-can-develop-retain-cybersecurity-staff
[9] https://healthsectorcouncil.org/workforce-guide/
[10] Id.
[11] https://www.consilium.europa.eu/en/eu-strategic-agenda-2019-2024/
[12] https://www.consilium.europa.eu/en/press/press-releases/2019/05/17/cyber-attacks-council-is-now-able-to-impose-sanctions/?utm_source=facebook.com&utm_campaign=2019-06-EUCO&utm_content=cybersanctions-clip
[13] Id.