NIST Projects, HHS Cyber Guide, Australia EWN Hacked

TLP White
This week we start with a discussion of two National Institute of Standards and Technology (“NIST”) projects that directly address cybersecurity weaknesses in existing healthcare processes. We then turn to a new four volume Department of Health and Human Services (“HHS”) publication that serves as a voluntary, best practices guide for healthcare entities of all sizes to use to improve their organizational approaches to cybersecurity. We end by describing a recent hack into an Australian early warning network system, emphasizing the need for increased protection of vulnerable communication networks everywhere.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.

Welcome back to Hacking Healthcare.

Hot Links –

1. NIST NCCoE Projects Prioritize Health Data Security.

NIST’s National Cybersecurity Center of Excellence (“NCCoE”) recently reported two developments relating to healthcare and cybersecurity. First, the center’s Healthcare Project Team announced its selection of thirteen technology vendors that will collaborate with NCCoE on the “Securing Picture Archiving and Communications System” project.[1] According to NCCoE, the Picture Archiving and Communications System (“PACS”) is ubiquitous in hospitals, and healthcare providers use the system to transfer, display, store, and process medical images.[2] The technology vendor collaborators will work with NCCoE to integrate their tools and services into NCCoE’s healthcare lab so that the team can develop a solution to secure PACS. The project aims to identify a sensible way to secure PACS by engaging in a risk assessment, using the NIST Cybersecurity Framework,[3] and creating a practice guide that will list the steps necessary to implement the chosen security solution based on standards and best practices.

Second, NCCoE announced the closing of the comment period for its Telehealth Remote Patient Monitoring (“TRPM”) project. The project aims to develop a cybersecurity practice guide for securing the telehealth remote patient monitoring system.[4] Similarly to the PACS project, this TRPM project will engage NCCoE to perform a risk assessment, apply the NIST Cybersecurity Framework, and collaborate with industry and public sector partners to identify a workable solution. Now that NCCoE has closed the comment period and has settled on a defined scope and approach for this project, the real work in the next phase of the project can formally begin.

2. HHS Releases User-Friendly Cyber Guidance for Healthcare Industry.

Just before the New Year, HHS published a four-volume guide on cybersecurity best practices for the healthcare industry.[5] The impetus for the guide was the Cybersecurity Act of 2015, which required the federal government to develop practical, cost-effective cybersecurity guidelines for the healthcare sector. HHS’s new publication is tailored to organizations of all sizes and levels of cybersecurity maturity.[6] Its main goal is to make cybersecurity practices more familiar to stakeholders in the healthcare space by leveraging common approaches such as the NIST Cybersecurity Framework to identify key threats and set forth experts’ “best thinking” on how to efficiently manage enterprise cyber risk.[7]

The most compelling and unique facets of the guide are its focus on adoptability and interoperability with already existing cybersecurity frameworks. With the average cost of a healthcare data breach reaching approximately $2.2 million,[8] healthcare organizations have an acute need for understandable guidance that works well with existing approaches. HHS astutely identified a real problem in mid- to small-sized organizations’ ability to implement cybersecurity best practices. The new guide seeks to rectify this problem, and it adopts the language and approach of other useful cyber frameworks in doing so. It’s important to note that industry had a direct hand in the development of this guidance through the participation of the Health Sector Coordinating Council. The collaboration between public and private sector organizations and experts has been, and will continue to be, essential for success. We expect this new guide will have a much greater impact and reach due to involvement of the private sector, its focus on ease of use, and harmonization with cybersecurity guidance that already exists in the marketplace.

3. Hacker Compromises Australian Early Warning Network.

Last Saturday, thousands of Queensland residents became the target of a hacker’s spam attack that made use of Queensland’s Early Warning Network (“EWN”). The hacker obtained the credentials of authorized personnel and used the EWN service, which normally provides emergency warnings and updates for natural disasters and incident response by text, email, and landline, to send alerts warning that the network had been hacked and that residents’ personal data was at risk.[9] It is unclear at this time how the attacker managed to obtain authorized credentials and why the hacker chose to disseminate the message that was sent. The false warning included hyperlinks that appeared to direct traffic to a EWN support page where residents could unsubscribe to the service.[10] Local police and the Australian Cyber Security Centre are involved in an ongoing investigation of the incident.

Aeeris, the company that provides the EWN service, confirmed that incident was quickly identified and addressed, and that the system has since been operating normally.

The links in the messages were later judged to not have been malicious, and authorities confirmed that no personal information was compromised.[11] However, this hack is illustrative of the vulnerabilities that exist in large-scale communications networks.

Congress –

Tuesday, January 8:

–No relevant hearings.

Wednesday, January 9:

–No relevant hearings.

Thursday, January 10:

–No relevant hearings.

International Hearings/Meetings –

EU – No relevant hearings.

Conferences, Webinars, and Summits –

–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>

–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)

<https://nhisac.org/events/nhisac-events/first-symposium-2019/>

–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)

<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>

–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)

<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>

–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19 – 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>

–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019 – 4/16/2019)

<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>

–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)

<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>

–HEALTH IT Summit (Florida) – Wesley Chapel (5/21/19-5/22/19)

<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>

–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

Sundries –

–Court Dismisses Lawsuit Against Google’s Facial Recognition Tech

<https://www.bleepingcomputer.com/news/google/court-dismisses-lawsuit-against-googles-facial-recognition-tech/>

–Cyberattack Halts Publication for US Newspapers

<https://www.darkreading.com/perimeter/cyberattack-halts-publication-for-us-newspapers/d/d-id/1333575?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>

–Sources: Critical cyber efforts will soon feel the pinch from shutdown

<https://insidecybersecurity.com/daily-news/sources-critical-cyber-efforts-will-soon-feel-pinch-shutdown>

–Machine learning can offer new tools, fresh insights for the humanities

<https://arstechnica.com/science/2019/01/machine-learning-can-offer-new-tools-fresh-insights-for-the-humanities/>

–Apple stock plummets 8% on news of grim Q1 2019 outlook

<https://arstechnica.com/gadgets/2019/01/apple-stock-plummets-8-on-news-of-grim-q1-2019-outlook/>

–New Android Malware Combines Info-Stealing and Phishing Features

<https://www.bleepingcomputer.com/news/security/new-android-malware-combines-info-stealing-and-phishing-features/>

–Democrats’ massive House bill to include election security measures

<https://www.cyberscoop.com/election-security-house-bill-2019-for-the-people-act/>

–THE ELITE INTEL TEAM STILL FIGHTING MELTDOWN AND SPECTRE

<https://www.wired.com/story/intel-meltdown-spectre-storm/>

–TOR IS EASIER THAN EVER. TIME TO GIVE IT A TRY

<https://www.wired.com/story/tor-anonymity-easier-than-ever/>

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] The thirteen vendors are: Cisco, Clearwater Compliance, DigiCert, ForeScout, Hyland, Iron Mountain, Philips, Symnatec, TDi Technologies, Tempered Networks, Tripwire, Virta Labs, and Zingbox.

[2] https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/hit-pacs-project-description-final.pdf

[3] https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

[4] https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/hit-th-project-description-draft.pdf

[5] https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

[6] https://www.inforisktoday.com/hhs-publishes-guide-to-cybersecurity-best-practices-a-11912

[7] https://www.cyberscoop.com/hhs-cybersecurity-guidelines-health-sector-coordinating-council/

[8] https://www.healthcareitnews.com/news/hhs-releases-voluntary-cybersecurity-guidance

[9] https://www.bleepingcomputer.com/news/security/hacker-uses-australian-early-warning-network-to-send-spam-alerts/

[10] https://www.qt.com.au/news/warning-network-hacked-residents-urged-to-delete-m/3615654/

[11] https://securityaffairs.co/wordpress/79583/hacking/early-warning-network-hacked.html