TLP White: This week, Hacking Healthcare looks at the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) announcement of a new strategy to protect Industrial Control Systems (“ICS”) in critical infrastructure sectors from cyberattack. Next, we break down recent threat research that illustrates just how quickly misconfigured databases in cloud environments can be found and exploited by malicious actors, but why that shouldn’t dissuade healthcare organizations from implementing them. Lastly, we look at a project backed by the U.S. National Science Foundation (“NSF”) to secure patient data related to COVID-19 research and explore its implications.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
1. CISA Commits to New ICS Security Strategy.
Last week, CISA’s Director Chris Krebs announced a new strategy to protect ICS in critical infrastructure sectors from cyberattacks.[1] The new strategy emphasizes using data analytics, providing improved training, and deploying new technological solutions.[2] Krebs elaborated by saying, “We’re going to develop deep data capabilities to analyze and deliver information the community can use to disrupt the ICS kill chain.”[3] The announcement came during a virtual meeting of the ICS Joint Working Group (“ICSJWG”), which is a public-private, collaborative, information sharing effort centered around securing and reducing risks to ICS.[4]
This isn’t the only recent development on ICS cybersecurity to come from CISA. A little less than a month ago, CISA, the Department of Energy (“DOE”), and the U.K.’s National Cyber Security Centre (“NCSC”) released a joint document entitled Recommended Cybersecurity Practices for Industrial Control Systems.[5] The two-page infographic cleanly and succinctly outlines various cybersecurity considerations, risks, impacts, and proactive steps for ICS owners and operators to improve their cybersecurity readiness.
For those not as familiar with ICS, it is a broad term that covers a range of control systems that are typically found in industrial sectors and critical infrastructure. As the U.S. National Institute of Standards and Technology (“NIST”) points out, “These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems.”[6] Within the healthcare sector, ICS can be found in various manufacturing, chemical, and pharmaceutical processes.
Analysis & Action
* H-ISAC Membership required *
2. How Quickly Are Misconfigured Databases Compromised?
It isn’t uncommon to see news stories about security researchers who come across unsecured databases filled with sensitive personal or business information. Oftentimes, it can take days or weeks for the researchers to contact such an unsecured database’s owners in order to secure it. While most of the time these unsecured databases are a product of accidental misconfigurations, just how fast could they be compromised by malicious actors if left unsecured? As it turns out, very quickly, according to research from Comparitech.
From May 11th to May 22nd, Comparitech constructed a dummy database on a cloud server and left it unsecured. Comparitech was interested in finding out exactly how long you might have to fix something like a misconfiguration error before sensitive data has likely been viewed, stolen, or modified.[7] Despite the vastness of the Internet, and the potential for a relatively nondescript database to be passed over, Comparitech reports that the first unauthorized request came only 8 hours and 35 minutes after the fake database was deployed.[8]
Over the next 11 days, Comparitech recorded 175 unauthorized requests from IP addresses in numerous countries including the U.S., Romania, China, and the Netherlands.[9] It is noteworthy that the database was not indexed on popular search engines like Shodan until the 16th of May. Upon being indexed, the database received the first of its single-day record of 22 unauthorized requests within 1 minute of being listed.[10] Furthermore, a week after the research had concluded, the database was attacked, its contents were deleted, and a ransom message was left.
Action & Analysis
* H-ISAC Membership required *
3. NSF Funds Tool to Aid in Protecting Patient Data Used for Research.
Under normal circumstances, the healthcare sector’s vigilant approach to protecting patient data may irritate those who feel that unnecessarily strong privacy and security protections hamper their ability to conduct medical research. In an age where everyone is keen to point to the transformative powers of big data, cloud computing resources, and interoperability, tension exists between the various stakeholders involved in the research process over how to ensure that patient data is treated with the privacy and security it requires. This tension has been heightened during a global pandemic where making data more available for research or for sharing could potentially deliver significant advancements in our understanding of COVID-19.
In an attempt to address part of this problem, the NSF has awarded $200,000 in grant funding to computer scientists at the University of Texas at Dallas and Vanderbilt University Medical Center.[11] The goal is to create “an open-source software tool to help policymakers and health care providers make [decisions regarding how much information health providers can disclose to researchers without violating patient privacy].”[12] The combined University of Texas and Vanderbilt team is “[focusing] on the risks of an individual being identified when patient data is released for research purposes,” and endeavors to be more comprehensive in the characteristics that are evaluated than those that are examined under existing tools.[13]
Action & Analysis
* H-ISAC Membership required *
Congress –
Tuesday, June 16th:
– No relevant hearings
Wednesday, June 17th:
– Senate – Committee on Health, Education, Labor, and Pensions: Hearings to examine telehealth, focusing on lessons learned from the COVID-19 pandemic.
Thursday, June 18th:
– Senate – Committee on Foreign Relations: Hearings to examine COVID-19 and international pandemic preparedness, prevention, and response.
– House – Permanent Select Committee on Intelligence: Hearing on Emerging Trends in Online Foreign Influence Operations: Social Media, COVID-19, and Election Security
International Hearings/Meetings –
– No relevant hearings
EU –
Conferences, Webinars, and Summits –
–Practical Posture Testing & Remediation for A Remote Workforce by Safebreach – Webinar (6/16/2020)
https://h-isac.org/hisacevents/safebreach-navi-webinar/
–How Authentication Attacks Threaten your Healthcare Environment by Qomplx – Webinar (6/17/2020)
https://h-isac.org/hisacevents/authentication-attacks-qomplx/
–CISO Roundtable – Unprecedented Times by Forescout – Webinar (6/18/2020)
https://h-isac.org/hisacevents/ciso-roundtable-unprecedented-times-forescout/
–Insider Risk: Balancing Technology, Behavior and Data by Booz Allen Hamilton – Webinar (6/23/2020)
–Securing the IoT Threat in Healthcare by Palo Alto Networks – Webinar (6/24/2020)
https://h-isac.org/hisacevents/palo-alto-networks-navigator-webinar/
–GRF Summit Digital Series – The Ultimate Incident Response Readiness Exercise: Are you remotely ready? – Webinar (6/25/2020)
–H-ISAC Monthly Member Threat Briefing – Webinar (6/30/2020)
https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-9/
–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (7/17/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426497
–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426499
–H-ISAC Virtual Security Workshop – Virtual (7/29/2020)
https://h-isac.org/hisacevents/nz-virtual-workshop/
–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426517
–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126
–H-ISAC Cyber Threat Intel Training – Titusville, FL (9/22/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-titusville-fl/
–H-ISAC Security Workshop – Forchheim, Germany
https://h-isac.org/hisacevents/h-isac-security-workshop-forchheim-germany/
–Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)
GRF Summit on Security & Third Party Risk Digital Series
–Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840
–CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)
https://h-isac.org/hisacevents/cysec-2020-croatia/
–H-ISAC Security Workshop – Mounds View, MN (10/27/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny/
–Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)
https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886
–H-ISAC Security Workshop – Seattle, WA – (10/29/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-seattle-wa-2/
–Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)
–H-ISAC Security Workshop – Paris, France (11/18/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-paris-france/
Sundries –
–Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again
–Hackers breached A1 Telekom, Austria’s largest ISP
https://www.zdnet.com/article/hackers-breached-a1-telekom-austrias-largest-isp/
–Computer network ‘disruption’ forces Honda to cancel some production
https://www.cyberscoop.com/honda-ransomware-snake-ekans/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cyberscoop.com/dhs-cisa-industrial-control-system-security-strategy/
[2] https://www.cyberscoop.com/dhs-cisa-industrial-control-system-security-strategy/
[3] https://www.cyberscoop.com/dhs-cisa-industrial-control-system-security-strategy/
[4] https://www.us-cert.gov/ics/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
[5] https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
[6] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
[7] https://www.comparitech.com/blog/information-security/unsecured-database-honeypot/
[8] https://www.comparitech.com/blog/information-security/unsecured-database-honeypot/
[9] https://www.comparitech.com/blog/information-security/unsecured-database-honeypot/
[10] https://www.comparitech.com/blog/information-security/unsecured-database-honeypot/
[11] https://www.healthcareitnews.com/news/nsf-funds-software-safeguard-patient-data-during-covid-19-research
[12] https://www.utdallas.edu/news/science-technology/patient-privacy-covid-19-2020/
[13] https://www.utdallas.edu/news/science-technology/patient-privacy-covid-19-2020/