H-ISAC Hacking Healthcare 5-6-2020
TLP White: In this edition of Hacking Healthcare, we begin by examining how COVID-19 led the United Kingdom’s (UK) National Health Service (NHS) to give the country’s intelligence and security agency emergency powers over its networks. We then brief you on a recent letter from Congressional lawmakers and discuss its illustration of the unique challenge of implementing digital contact tracing in the United States. Finally, we take a brief look at why foreign intelligence services are targeting parts of the healthcare sector, and when it might be expected to stop.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
1. COVID-19’s Cyber Threat Leads to More GCHQ-NHS Cooperation.
It has been well documented that, even in the midst of COVID-19, malicious cyber actors continue to target the healthcare sector. These attacks appear to be perpetrated by both state and non-state actors and have targeted everything from hospitals and research labs to national health agencies and global health organizations.[i], [ii], [iii] In an effort to help ensure that these cyber-attacks do not inhibit the ability of the United Kingdom’s National Health Service to respond to COVID-19, Health Secretary Matt Hancock has employed emergency powers to give the Government Communications Headquarters (GCHQ) access to “information relating to the security of any network and information system held by or on behalf of the NHS or a public health body.”[iv]
The GCHQ is the UK’s national intelligence and security organization and is the organization that houses the UK’s National Cyber Security Centre (NCSC). By allowing GCHQ to review the cybersecurity of NHS’s networks and systems, NHS would likely receive feedback from the NCSC on which systems and networks may be at risk as well as how to improve cybersecurity more generally.
The NCSC has attempted to ease any concerns individuals may have over the cooperation of an intelligence organization and the NHS by reiterating that this new power does not allow them to receive patient data, and that the NCSC has no interest in acquiring it.[v] Furthermore, the emergency power, which stems from the NHS Act of 2006, will automatically expire on December 31st unless it is amended. While this particular effort may be justifiable and appears limited in scope, some NHS-GCHQ cooperation on COVID-19 efforts have received pushback.
For example, the NCSC’s involvement in the creation of the NHS’s centralized contact tracing application has sparked debate. Privacy advocates are wary of their involvement, worrying that a combination of centralization and mission creep will ultimately lead to unintended and dangerous uses of the data collected.[vi] However, some advocates do admit that the NCSC possesses the capabilities to improve the protection of data collected during the usage of the tracing app.[vii]
Analysis & Action
*H-ISAC Membership Required*
2. Lawmakers Want Answers on Contact Tracing Efforts.
Lawmakers in the United States House of Representatives wrote to Health and Human Services (HHS) Secretary Alex Azar last week to better understand the Trump Administration’s approach to contact tracing efforts. Specifically, they cited their concerns that a comprehensive nation-wide strategy is lacking, and that states have been left to forge ahead with digital contact tracing approaches that raise privacy, efficiency, and interoperability concerns.[viii]
The letter helps to illustrate a hurdle in the United States in rolling out a secure national digital contact tracing program. In other countries, the national government has simply opted in or out of creating a digital contact tracing program and has ultimately determined how one would be implemented. As the letter to Secretary Azar notes, in the absence of a clear federal strategy, states are beginning to take it upon themselves to investigate and develop contact tracing programs and related digital applications.[ix]
The House lawmakers highlighted that such an approach risks creating disjointed, inefficient efforts to track COVID-19 that lack interoperability and exacerbate privacy and security concerns.[x] Even if the Trump Administration does provide clear guidance and support for a nationwide contact tracing program, it may create multiple irreconcilable efforts if support comes after some states have poured resources into creating their own programs.
Those in the European Union (EU) may be able sympathize with this issue to an extent. The EU would undoubtably prefer a single, interoperable contact tracing scheme across its many member countries, but differences in opinions over privacy, security, and technical details are driving them apart.[xi] Germany, Italy, Austria and others appear keen on a effort put forward by Apple and Google that will ease privacy fears, while France, the United Kingdom, and Norway have leaned towards more centralized efforts.[xii] How this plays out in the EU may give us a glimpse of what the United States is in for without a coherent national strategy.
Analysis & Action
*H-ISAC Membership Required*
3. National Spy Agencies Seek COVID-19 Vaccine Research.
According to the director of the United States’ National Counterintelligence and Security Center, foreign intelligence agencies are using their cyber capabilities to access data related to COVID-19 vaccine research.[xiii]
Warnings over this type of activity, corroborated by the FBI and intelligence sources within the UK and Canada, indicate that it has been occurring since March in some cases.[xiv] Furthermore, healthcare organizations that proudly state they are working on a COVID-19 vaccine or treatment aren’t doing themselves any favors. According to FBI Deputy Assistant Director Tonya Ugoretz, those healthcare organizations that are publicly identified as being involved in COVID-19 research appear to mark themselves for targeting.[xv]
The incentive for stealing COVID-19 research is substantial. Any data that could be used to create a COVID-19 vaccine would almost certainly provide prestige and a political boost to the government that announced it. Furthermore, while a vaccine would almost certainly be immediately shared, whichever country manages it first will likely get a leg up on its regional or global partners in economic recovery.
Analysis & Action
*H-ISAC Membership Required*
Congress –
Tuesday, May 5th:
– No relevant hearings
Wednesday, May 6th:
– No relevant hearings
Thursday, May 7th:
– No relevant hearings
International Hearings/Meetings –
– No relevant hearings
EU –
Tuesday, May 12th:
-European Parliament – Environment, Public Health, and Food Safety meeting
Conferences, Webinars, and Summits –
–Cybersecurity for the 21st Century by IronNet – Webinar (5/14/2020)
https://h-isac.org/hisacevents/byironnet/
–H-ISAC Monthly Member Threat Briefing – Webinar (5/26/2020)
https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-8/
–H-ISAC Security Workshop – Frederick, MD (6/9/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-frederick-md/
–AAMI Exchange – New Orleans, LA (6/12/2020-6/15/2020)
https://h-isac.org/hisacevents/aami-exchange/
–H-ISAC Security Workshop – Lisbon, Portugal (6/17/2020) (POSTPONED)
https://h-isac.org/hisacevents/h-isac-security-workshop-lisbon-portugal/
–H-ISAC Security Workshop – Buffalo, NY (6/23/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny-2/
–H-ISAC 2020 Spring Summit – Singapore (6/23/2020-6/25/2020)
/summits/
H-ISAC Monthly Member Threat Briefing – Webinar (6/30/2020)
https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-9/
–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (7/17/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426497
–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426499
–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426517
–H-ISAC Security Workshop – Greenwood Village, CO (9/16/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-greenwood-villiage-co/
–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126
–H-ISAC Cyber Threat Intel Training – Titusville, FL (9/22/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-titusville-fl/
–H-ISAC Security Workshop – Forchheim, Germany
https://h-isac.org/hisacevents/h-isac-security-workshop-forchheim-germany/
–Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)
GRF Summit on Security & Third Party Risk Digital Series
–Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840
–CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)
https://h-isac.org/hisacevents/cysec-2020-croatia/
–H-ISAC Security Workshop – Mounds View, MN (10/27/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny/
–Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886
–H-ISAC Security Workshop – Seattle, WA – (10/29/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-seattle-wa-2/
–Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)
–H-ISAC Security Workshop – Paris, France (11/18/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-paris-france/
Sundries –
–How Cybercriminals are Weathering COVID-19
https://krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/
–COVID-19 Remote Work Causes Spike in Brute-Force RDP Cyberattacks
https://healthitsecurity.com/news/covid-19-remote-work-causes-spike-in-brute-force-rdp-cyberattacks
–Citing hacking threats, Trump limits foreign-sourced equipment in U.S. electric sector
https://www.cyberscoop.com/executive-order-bulk-power-system-hacking-threats/
–How well can algorithms recognize your masked face?
https://arstechnica.com/tech-policy/2020/05/how-well-can-algorithms-recognize-your-masked-face/
Contact us: follow @HealthISAC,
[i] https://securityboulevard.com/2020/04/fbi-warns-of-major-spike-in-cyber-attacks/
[ii] https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
[iii] https://www.reuters.com/article/us-czech-cyber/prague-airport-says-thwarted-several-cyber-attacks-hospitals-also-targeted-idUSKBN2200GW
[iv]https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/879049/Security_of_NHS_and_Public_Health_Services_Digital_Systems__Coronavirus__Directions_2020.pdf
[v] https://www.hsj.co.uk/technology-and-innovation/hancock-grants-gchq-powers-over-nhs-it-systems/7027528.article
[vi] https://thecyberwire.com/stories/d2c4f4e3e511425e87b4714c68e44e2e/contact-tracing-and-exposure-notification-a-look-at-the-underworld
[vii] https://thecyberwire.com/stories/d2c4f4e3e511425e87b4714c68e44e2e/contact-tracing-and-exposure-notification-a-look-at-the-underworld
[viii]https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/HHS.2020.4.30.pdf
[ix] https://www.nga.org/wp-content/uploads/NGA-Report.pdf
[x]https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/HHS.2020.4.30.pdf
[xi] https://www.ft.com/content/10f87eb3-87f9-46ea-88ab-8706adefe72d
[xii] https://www.ft.com/content/10f87eb3-87f9-46ea-88ab-8706adefe72d
[xiii] https://www.bbc.com/news/technology-52490432
[xiv] https://www.bbc.com/news/technology-52490432
[xv] https://www.reuters.com/article/us-health-coronavirus-cyber/fbi-official-says-foreign-hackers-have-targeted-covid-19-research-idUSKBN21Y3GL
- Related Resources & News
- 2024 Newsletter – November
- How Healthcare Facilities Can Prepare for All Types of Emergencies
- Health-ISAC Hacking Healthcare 10-24-2024
- UnHack (the Podcast): Generating Cyber Resilience Through Collaboration with Errol Weiss
- Newfangled and Fastest-Growing Phishing Cyberattacks: Updated Guide for Healthcare Leaders
- Health-ISAC Hacking Healthcare 10-15-2024
- Health-ISAC Welcomes Booz Allen Hamilton to the Ambassador Program
- Health-ISAC Hacking Healthcare 10-9-2024
- Monthly Newsletter – October 2024
- Health ISAC leads effort to transform SBOM information sharing under CISA-facilitated community work