The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

2023 Predictions

2023 predictions
As 2022 draws to a close, what can we learn from a year marked by Russia's invasion of Ukraine, crippling cyber and kinetic attacks against critical infrastructure not just in Ukraine but across the world, and a continued rise in cyber attacks and ransomware globally? A year in which Russia, China and Iran have all become victims of cyber attacks, perhaps reaping the seeds sown by each of them in the past. And a year which saw the costs of cyber-crime move well above its $6 trillion 2021 levels even though the year is not over yet and the full costs counted.

Can and should we extrapolate trends identified over the past year and claim that these trends will continue in their upward path, or is the cyber threat landscape more complicated than we generally assume it to be.

With both Russia and China, the two greatest perpetrators of cyber-crime, increasingly isolated from the rest of the world, and with growing domestic dissent in China, Iran and Russia, are geopolitical moves against autocrats likely to change the world's three most egregious offensive cyber actors?

2022

2022 - A Year in Reflection

In 2022 we saw a massive collapse and re-alignment of organized crime groups following the Russian invasion of Ukraine in February. Prior to the war, these groups consisting of perpetrators located right across the Commonwealth of Independent States (CIS) were united predominantly by their use of the Russian language. During the invasion, Ukrainian and other non-Russian members pulled out of many of these Russian led groups, and some even turned on their former gangs exposing their inner most secrets and the identities of leaders. This break up caused a dip in attacks in March and April and was further hampered by many global ISPs withdrawing from business in Russia. The result was a dramatic reduction in the Internet bandwidth into Russia for many of these groups to use.

Since the onset of war, many of the leaders of these crime gangs, who operate under the eye of the Russian Mafia, who in turn operate with impunity under the oligarchs and ultimately the Kremlin, have quit the profession, scared that Russia will collapse along with Putin’s protective umbrella. Many are worried that they might be identified, caught, and prosecuted. Most have taken their millions in ill-gotten gains and ran, going deep underground. This has left a power vacuum in Russian organized crime syndicates where young, fearless, and ruthless new leaders have taken over. This has led to reckless attacks including the targeting of healthcare providers. A ‘live today die tomorrow’, ‘get rich quick’ mentality now persists as many of those involved are scared of being conscripted by the Russian Army and being sent off to die in Ukraine. Some of these cybercriminals have even acted upon their disdain for the Putin dictatorship, by launching cyberattacks against the Kremlin itself, a very risky proposition indeed.

At the same time, the affiliates of many of these ransomware-as-a-service (RaaS) groups have gone rogue, distancing themselves from Russia and from RaaS providers. With re-alignment complete, the gloves have been taken off and affiliates are hunting freely by themselves and are prepared to take much higher risks than previously allowed. Again, this includes the targeting of healthcare and other national critical infrastructure industries.

Unsurprisingly this has piqued the attention of the FBI, Homeland Security, and other law enforcement groups. Its also one of the main reasons behind the recent FBI warning about one of these groups in particular, Daixin. This group is widely accredited with the September / October ransomware attack against Common Spirit Health, the second largest US healthcare provider. The attack impacted hundreds of provider facilities across most US states, denying timely care to millions of US citizens.

If we thought that the threat landscape was bad in 2021, 2022 has turned into the wild west with rogue gun-slingers on every corner and dead bodies mounting up on every street! For an easy target like healthcare, prospects don’t look good. With its collection of out-of-date weapons, no money to buy new tools, and very small ill-equipped teams, it stands almost no chance defending against an increasingly out-of-control and rabid gang of adversaries.

But the Russian and other CIS gangs aren’t the only things that healthcare needs to be concerned about. Increased offensive activity against providers has been seen coming from both China and Iran. With Iran recently appearing to side with Putinist forces. With threats of further sanctions from Europe and the USA, and rising internal revolt against the theocratic dictatorship that runs the country, Iranian forces are on the offensive. So too is China, and now that Xi has unchecked power over the CCP and the country for life, it is likely that China’s massive PLA cyber army will launch new offensives against western critical infrastructure providers, as China increasingly uses cyber weaponry against its perceived enemies.

Any healthcare CEOs that still have their heads buried in the sand, thinking that a cyberattack is unlikely to impact their hospitals, had better find a deep cave in which to hide, because the noise of collapse in 2023 will be omnipresent.

"We are seeing 2 to 3 ransomware attacks against US healthcare providers each and every day at the moment,” claimed Richard Staynings, Cylera's Chief Security Strategist in a recent interview. “That is not about to go down any time soon, so long as hospital boards and CEOs keep paying the ransoms. Instead of paying the criminals holding them to extortion, they need to invest properly in security and IT which is totally underfunded. This is especially so if you analyze the risks or compare the healthcare industry with other industries such as financial services. It’s somewhat analogous to crime victims paying protection money to the mafia, while refusing the properly fund the police or the FBI" he added.

Putting lipstick on a pig


"I wish that I had a more positive prediction for 2023 but that would be putting lipstick on the pig" claimed Staynings.

Are we doing a better job today of defending against attacks than we were a few years ago? Many cybersecurity leaders would say that we are but that the goal posts have moved. Some health systems have prioritized cybersecurity, but most have a long way to go. And that comes back to governance, leadership, and the prioritization of cybersecurity. Most cybersecurity leaders would agree that it's not where it needs to be right now.

Nor unfortunately is the level of cyber protection being provided by Homeland Security, the FBI and others. Governments are never quick to act but plainly, expecting small critical access facilities to protect themselves against highly sophisticated nation-state actors and organized crime syndicates is ridiculous.

As Staynings puts it, "it’s not even analogous to David and Goliath. It’s more akin to a lone Maasai warrior armed with a spear going up against an entire regiment armed with machine guns. The Maasai warrior stands almost no change at all!"

The rising threat of Offensive AI



Various forms of artificial intelligence (AI) look set to transform medicine and the delivery of healthcare services as more and more potential uses are recognized, while adoption rates for AI continue to climb.

Machine Learning (ML) has revolutionized clinical decision support over the past decade, as has AI enhancement of radiological images allowing the use of safer low-dose radiation scans. But AI no matter in which form, requires massive amounts of data for modelling, training, and for mining. While much of that data is de-identified, some cannot be, as training can sometimes require the aggregation of each patient's set of medical tests and records, thus the patient must be known to the AI, in order for it to learn and model correctly.

But healthcare data is valuable. Its valuable to hackers who can ransom it back to data custodians or sell that PII and PHI data on the darknet. Its valuable to nation states such as China for its own data modelling and AI training. Furthermore, medical data is highly regulated and so is subject to fines, punitive damages, restitution and corrective action plans when breached.

AI models are highly valuable and are now the modern day equivalent of the 1960s' 'race to the moon' between the US and USSR. Only the competitors today are the USA and the PRC. Consequently, China has been very aggressive in 'acquiring' whatever research it can to jump-start or enhance its own AI development programs. This has included insider theft by visiting professors and foreign students at western universities, and targeted cyberattacks from the outside. China's five year plan is to surpass the west in its AI capabilities - not just for medical applications but also for military-defence. So for both countries and others, AI is a strategic imperative. It is perhaps ironic that AI is now being used to bypass network defenses to steal .... AI training data among other things as will be explained shortly.

AI in Cybercrime

AI may become the future weapon of choice for cybercriminals. Its unique abilities to mutate as it learns about its environment and masquerade as a valid user and legitimate network traffic allows malware to go undetected across the network bypassing all of our existing cyber defensive tools. Even the best NIDS, AMP and XDR tools are rendered impotent by AI's stealthiness.

AI can be particularly adept when used in phishing attempts. AI understands context and can insert itself into existing email threads. By employing natural language processing to use similar language and writing style to users in a thread, it can trick other users into opening malware-laden attachments or to click on malicious links. Unless an organization has sandboxing in place for attachments and links to external websites, then AI based phishing will have a high margin of success. But things don't stop there.

Offensive AI has been used to weaponize existing malware Trojans. This includes the Emotet banking Trojan which was recently AI enabled. It can self-propagate to spread laterally across a network, and contains a password list to brute force its way into systems as it goes. Its highly extensible framework can be used for new modules for even more nefarious purposes including ransomware and other availability attacks. Regulation requires providers to protect the confidentiality, integrity and availability of protected health information and systems, but in healthcare availability is everything. When health IT and IoT systems go down so does a provider's ability to render care to patients in today's highly digital health system. This digital industry is now dependent upon its IT and IoT systems.


Offensive AI can also be used to execute integrity based attacks against healthcare. This is where the danger really lies. AI blends into the background and uses APT techniques to learn the dominant communication channels seamlessly merging in with routine activity to disguise itself amid the noise. AI can change medical records, altering diagnoses, changing blood types, or removing patient allergies, all without raising alarm.

It's one thing for physicians not to have access to medical records, but to have access to medical records which have had their data maliciously altered is another. It's also far more dangerous if the wrong treatment is then prescribed based upon that bad data. This becomes a major clinical risk and patient safety issue. It also denudes trust in the HIT and HIoT systems that clinicians rely upon, and may eventually lead to physicians questioning the data in front of them or having to second guess that information.
  • Can I trust a medical record?
  • Can I trust a medical device?
It also raises some major questions around medical liability.

A research study in 2019 at Ben-Gurion University of the Negev was able to compromise the integrity of a radiological image by inserting fake nodules into an image between the CT scanner and the PACS systems or by removing real nodules from a CT image by using Deep Learning (DL). The research wasn't purely theoretical either, but used a blind study to prove its thesis that radiologists could be fooled by AI altered images.


The study was able to trick three skilled radiologists into misdiagnosing conditions nearly every time using real CT lung scans, 70 of which were altered by their malware. In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.

The implication of such a powerful tool if used maliciously is obviously huge, resulting in cancers remaining undiagnosed or patients being needlessly misled and perhaps operated on.

In the run up to the 2016 presidential election a hoarse sounding Hillary Clinton decided to share a recent CT image with the media to prove that she was suffering from pneumonia rather than long term health concerns such as cancer. Had her chest image been altered to indicate cancer its likely that she would have been forced to withdraw from the election. Either way, a American Presidential election could have been compromised and AI potentially used to alter its outcome. AI could thus become a powerful weapon for nefarious nation states to undermine democracy and wishing to destabilize a country. The same tools could also be used by radical domestic groups one day to change the outcome of an election.

Deepfakes

The rising capabilities and use of Deepfakes for Business Email Compromise (BEC) whether using audio or video, will render humans unable to differentiate between true and false, real and fake, legitimate and illegitimate. "Was that really the CEO I just had an interactive phone conversation with telling me to wire money overseas?"


But Deepfakes could be very dangerous from a national security perspective also, domestically and internationally. "Did the President really say that on TV?"

Compared to Ronald Reagan's 1984 hot mike gaffe about bombing Russia, a deepfake might be much more convincing and concerning as the majority of people would likely believe what they saw and heard. After all, much of the US population believe what they read on social media or on news sites that constantly fail fact-checking. But the US population is not alone in being easily led as we have seen in Russia, where most of the Russian population has been found to believe the state propaganda presented on TV about Putin's war against Nazis in Ukraine.

Cognitively, we are not prepared for deepfakes and are not preconditioned to critically evaluate what we see and hear in the same way that we may challenge a photo in a magazine that may have been photoshopped. AI obviously has massive and as-yet untapped PhyOps (psychological operations) capabilities for the CIA, FSB, MSS, and other clandestine agencies.

As these and other 'Offensive AI' tools develop and become more widespread, it is likely that cybersecurity practitioners will need to pivot towards greater use of 'Defensive AI' tools. Tools that can recognize an AI based attack and move quickly (far quicker than a human) to block such an attack. Indeed, it is likely that future AI-powered assaults will far outpace human response teams and that almost nano-second responses will be needed to prevent the almost pandemic spread of malware across the network.

According to Forrester's "Using AI for Evil' report, "Mainstream AI-powered hacking is just a matter of time."


RSNA 2022

The  author with Professor Benoit Desjardins at the RSNA Annual Conference this week in Chicago

Cybercrime against healthcare institutions has exploded in recent years. In 2021, more than 1 in 3 healthcare organizations reported being hit by ransomware.

The situation has been considerably worsened by the pandemic, which produced a triple threat for healthcare systems: a rapid expansion of internet-connected technologies and services causing an expanded attack surface, an increase in many types of cyberattacks, and fewer available resources to defend against cyberattacks.

Cybersecurity has become an important part of healthcare, and every radiology practice can easily become victim of a targeted cyber-attack. This was the subject of one of the opening education lectures of the recent RSNA (the Radiological Society of North America) conference in Chicago presented by Professor Benoit Desjardins, MD at Penn Medicine,  Associate Professor Shandon Wu, at University of Pittsburgh, and the author.



AI is now extensively used by both attackers (“Offensive AI”) and defenders (“Defensive AI”).  This four part lecture explored three forms of interaction between AI and cybersecurity that affect healthcare:

(1) Offensive AI: how cybercriminals are weaponizing artificial intelligence to improve their attacks against medical institutions, including how cyber-criminals are using AI to improve success of different types of attacks, such as phishing, scanning, and intrusions of medical centers.

(2) Defensive AI: how cyber-defense teams at medical centers are using artificial intelligence to supplement the limited capabilities of humans to detect and defend against cyberattacks, especially now that many of those cyberattacks are controlled by artificial intelligence.

(3) AI Model Safety: how cyber-threats can disrupt the integrity of medical images, and how this affects diagnosis by AI and humans, including an overview of the multiple ways in which data can be modified to fool AI algorithms.

(4) A panel discussion of the practical implications of AI for radiology practices.

AI is incredibly powerful and in a radiological imaging environment can mean the difference between early and timely diagnosis of cancers and other potentially life threatening conditions, or a medical condition not being discovered until it's too late. But Radiologists should be aware that AI models can be poisoned and corrupted, or used for nefarious purposes. If AI modelling and training is conducted safely and securely however, the benefits appear to far outweigh the risks.

For more details, please see my slides from the event on the growth of healthcare cybercrime and the issues of Offensive AI.

ISfTeH

Richard Staynings with Michele Griffith MD, President of ISfTeH
Richard Staynings with Michele Griffith MD, President of ISfTeH.

The 'International Society for Telemedicine & eHealth' held its annual conference in San Jose, CA today and the author was proud to be invited to speak on the subject of 'cybersecurity as an enabler of new remote medical services'. 
 
Remote patient services whether telehealth consults with a primary care physician, post operative recovery from home to free up needed hospital beds, or the right of patients to die in their own home (embodied in law in many jurisdictions now), requires a different approach to patient data protection, privacy and security. Indeed, many of the new services envisaged as part of improvements to patient care for the future, will require careful examination to ensure that these do not expose provider medical networks to undue risks. Personalized medicine looks set to transform patient well-being and intervention outcomes but if providers are to store and process patients' DNA then they need to do a much better job of protecting that information than they do protecting current personal health information. 
 
Regulation across multiple jurisdictions requires that the confidentiality (privacy) of electronic patient information (ePHI) be protected, yet from a risk perspective loss of confidentiality although still important, is minor compared to the loss of health data integrity (the changing of a medical record) or the loss of availability (patients unable to receive an X-ray or CT scan while in the Emergency Room). 
 
With multiple hospitals being attacked with ransomware every week today, the risks for providers are obviously great. Although the costs of loss (lost revenue) can be massive, (Scripps Health is reported to have lost $112.7 million in revenue following its ransomware attack in 2021), the impact to patients for protracted downtime caused by a cyber attack can be life threatening, impacting patient safety, morbidity and even mortality, as we have seen from some prior ransomware attacks. Cyber-criminal activity by extortionists is literally killing people. Cyber attacks against the 'availability' of health services can be devastating to patients in need of radiotherapy or chemotherapy when those services are denied them. The same is true for those in need of Emergency Care or those giving birth when health IT and IoT are unavailable and being held to ransom.
 
The conference heard that it is important to balance 'confidentiality', 'integrity' and 'availability' of health information that together form what is known as the CIA triad. It also heard that a more risk-based-approach is required if providers are to get in front of managing the proliferation of new AI and ML based technologies, clinical applications and medical devices.

A full copy of the author's deck can be found here.



 

Attendees, speakers and panelists came from all over the world and were drawn from many different medical disciplines and specialties.  This was the first international conference of the ISfTeH since COVID-19 locked down many countries and prevented international travel.

 

 

Are Your Vendors Introducing Risk?

Cyber risks in healthcare are not just confined to data centers, to nursing stations, or to the PHI data that flows back and forth between health insurers, HIEs, government agencies, and patients. The risk matrix is much bigger than that.

It includes thousands of suppliers, vendors, and partners that stretch across the globe. Everything from business process and IT outsourcers in India, to complex manufacturing supply chains for medical equipment in China, Brazil, Germany, Australia, and the UK can all fall under the umbrella of cyber risk susceptible access points.

Alarmingly, this risk matrix in healthcare also encompasses the company that provides hot meals to your patients, and food and coffee for the hospital cafeterias, as well as the pharmaceutical companies conducting clinical trials, and biomedical engineering companies providing prosthetics, or an implantable medical device (IMD) that leaves the hospital with a surviving patient. Anyone who has physical access to your sites, network access to your IT, or who processes your data, regardless if they ever see one of your patients or not, can introduce risk to your business.

 

Dismaying Numbers in The Data

A vendor vulnerability index research report released by Bomgar showed that breaches occurring from third parties account for two-thirds of the total number of reported cyber breaches. The study found that only 46% of US companies said they know the number of log-ins that could be attributed to vendors, and that less than 50% enforce policies around third party access. Furthermore, 69% of respondents said they definitely or possibly suffered a security breach accomplished through vendor access in the past year.

Lets not forget that the Target breach of 40 million credit cards and 70 million customer records was caused by the weak security of one of Target's HVAC vendors. It cost Target over $300 million and the jobs of everyone on the leadership team as well as lasting damage to the store's reputation. In addition, it resulted in two expensive class-action suits, one by customers and one by investors peeved at the loss of Target's stock price following the incident.

The consensus by security professionals is that the risk posed by third parties is not only substantial, but it is increasing each and every year. Gartner stated in its June 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk.

So why is it then, that health system CEOs are focused on other things? It could be that the healthcare industry has too many challenges, and third party vendor risk management (TPVRM) is just further down the list. It could also be the fact that very few healthcare delivery organizations feature in the prestigious Fortune 500 list, or it could just be that healthcare CCOs, CROs and CISOs, just haven't got the message across to their CEO yet. Either way they must prioritize their risk management strategies or they could suffer irreparable damage. 

 

This post was first published by the author here
Image Credit: Cristofer Maximilian unsplash


Mitigating NHS Cyber Risks


The UK National Health System is about to start connecting many of its medical devices to the healthcare network as part of its latest efficiency drive, but what does this mean for the cybersecurity of medical networks and to patient safety? Richard Staynings, examines medical devices, their expected lifespan, risks and support by manufacturers and explores what solutions are available to providers like the NHS to reduce cybersecurity risks.

 

 

Open the PDF in a separate page or view the full copy of Health Business Magazine and browse to Richard's article on pages 82 to 83.


Gulf Critical Infrastructure: Protecting What Matters Most

Richard Staynings with Padam Kafle, Head Of Information Technology & Automation, Aster Hospitals, UAE, Nada Chehab, Director of Clinical Education, American Hospital Dubai, Dr Mustafa Hasan Qurban Ph.D, CIO of King Fahd Military Medical Complex, Saudi Arabia, Ahmad Yahya, CIO, American Hospital Dubai, & Himanshu Puri, CIO, Kings College Hospital London UAE.


Protecting GCC critical infrastructure industries from increasingly frequent and ever more devastating cyber-attacks is a concern for many of us. But when attackers focus their attention on medical systems that keep people alive, then it becomes a major concern for every GCC national government and a matter of national security.

Growing digital interoperability of health information technology has combined with a massive increase in connected medical devices and a rising popularity of medical wearables, to greatly expand the potential attack surface. Highly valuable PHI, PII, clinical research, and innovative new procedures has made the theft of healthcare data very lucrative for both cyber criminals and pariah nation states. 

The criticality of national critical industries including healthcare has also made the industry a popular target for ransomware cyber-extortion gangs as well as proxies for pariah nation states wishing to coerce or to send a less than diplomatic message to the peoples and governments of nations that refuse to back totalitarian autocracy and global power plays. 

2021 set new record highs for global healthcare data breaches. An increase of 32% over 2020. But the risk is not just data theft, extortion and other attacks against systems availability are now a major risk to patient safety. In 2021, governments worldwide saw a 1,885% increase in ransomware attacks, and the health care industry faced a 755% increase in ransomware attacks. The threats are plainly increasing but are we adopting the right approach to cyber defence?


Richard Staynings gives the opening keynote to a packed house of technology senior executives from across the GCC region at the Shangri-La in Dubai.

This was the subject to my opening keynote address to the CIO Middle East Conference in Dubai today where I had the pleasure to address the region's top executives technology and security leaders including a healthcare panel with Padam Kafle, Head Of Information Technology & Automation, Aster Hospitals, UAE, Nada Chehab, Director of Clinical Education, American Hospital Dubai, Dr. Mustafa Hasan Qurban Ph.D, CIO of King Fahd Military Medical Complex Saudi Arabia, Ahmad Yahya, CIO, American Hospital Dubai, & Himanshu Puri, CIO, Kings College Hospital London UAE.

Balancing patient-centric care and privacy protection with new cybersecurity risks is a new concept to much of the Gulf, but risks are a growing concern and a major distraction from improving patient care and outcomes which help to drive improvements in population health.



Richard Staynings with Salwa Hawath from Misor UAE, Gary Sorrentino, Global CIO Zoom, and catching up with Himanshu Puri CIO of Kings College Hospital London UAE after their healthcare panel together.


Ransomware Gang Demands $10m to restore French Hospital

The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located in Corbeil-Essonnes 28km SE from the center of Paris, has been virtually paralyzed by a cyberattack. Nearly all IT systems appear to have been taken off-line by a ransomware attack discovered on August 21, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. Non-critical services have had to be directed elsewhere, and staff are now working with limited resources.

"Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," said Valerie Caudwell, the president of the medical commission of the CHSF hospital. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Medical imaging has been particularly impacted resulting in all PACS and other imaging services currently being off-line. Many medical devices were highly susceptible to the cyber-attack and may have been at the core of the ransomware attack. Like most hospitals, patching of medical devices against known security vulnerabilities appears to have been lax, making them an easy target for hackers to establish a foothold on the medical network.

“Without security enclaving or segmentation of vulnerable medical devices, these systems wouldn’t have stood a chance,” claims Richard Staynings, Chief Security Strategist at healthcare security company Cylera. “It’s impractical or impossible to patch devices where manufacturers have not released a patch, so you really need to isolate high-risk systems as a form of compensating security control,” he added.

CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency. Unlike a similar ransomware attack in 2020 against Düsseldorf University Hospital, where a 78 year old woman suffering from an aortic aneurysm died after being redirected to a different hospital 32km away, no deaths have been reported at CHSF.

The hospital has refused to pay a ransom demand of ten million dollars and is rebuilding its IT systems from scratch while restoring patient data from backup, a process which it expects to take many days.

Police specializing in cybercrime are investigating. Cyber-attacks targeting hospitals in France have been increasing recently, with 380 last year, a 70 percent rise from 2020.

"An investigation for intrusion into the computer system and for attempted extortion in an organized gang has been opened to the cybercrime section of the Paris prosecutor's office," a police source told Le Monde, also specifying that "the investigations were entrusted to the gendarmes of the Center fight against digital crime (C3N)".

While police and cybersecurity experts continue to investigate this attack, “the Tactics, Techniques, and Procedures (TTPs) indicate a LockBit 3.0 infection,” according to Jordan Rogers, head of cyber threat intelligence at Cylera. However, if LockBit 3.0 is responsible for the attack, it will violate the Ransomware as a Service (RaaS) program's rules, which prohibit affiliates from encrypting systems of healthcare providers.

At this time, the attribution to the particular threat group hasn't been confirmed yet, and LockBit 3.0's extortion site contains no entry for CHSF yet, so their involvement remains a hypothesis. Gang affiliates using this RaaS are known to operate primarily in Russia and Belarus. 


This article was first published here:


NHS 111 Services Held to Ransom by Cyber Attack

NHS 111 services are down for much of the UK following a cyber-attack Thursday morning against the infrastructure of software vendor 'Advanced'. The company's Adastra system is used by call handlers to dispatch ambulances, to book urgent care appointments, and for out of office hours emergency prescriptions. It’s Caresys software is used extensively across more than 1,000 care homes, while Carenotes, Crosscare and Staffplan are used extensively by providers. Advanced supplies software to NHS facilities and doctors nationally, including hospitals, doctors’ offices, care homes and mental health services, so disruption has been widespread.

The systems outage is causing significant delays as call handlers are forced to use other systems or to revert to paper. Emergency ambulance dispatch is taking priority it has been reported, meaning that everyone else has to wait. Meanwhile, applications managed by Advanced have been isolated to prevent lateral spread of malware to other NHS systems.

According to the Telegraph, the cyber-attack appears to have been conducted by an organized criminal ransomware group looking to shut down crucial systems rather than a hostile state-actor as had been originally feared. Healthcare and other critical national infrastructure services have been on high alert since the start of the war in Ukraine given heightened tensions with Moscow. The UK’s National Cyber Security Centre is working with the NHS as it attempts to recover systems from backups and restore services.

UK businesses have been warned about paying ransoms and incentivizing extortionists. According to the Telegraph last month, the head of the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner warned businesses that they risked “incentivizing” attacks by cybercrime gangs by paying ransom demands.

According to Sky News, Advanced, said the issue was contained to "a small number of servers" representing 2% of its health and care infrastructure. Chief operating officer Simon Short added: "We continue to work with the NHS and health and care bodies as well as our technology and security partners, focused on recovery of all systems over the weekend and during the early part of next week."

This latest cyber-attack against the NHS is an unwelcome test of its resiliency and preparedness for various outages including cyber-extortion. As a critical infrastructure industry, the NHS is a target for pariah nation state attack, although in this case evidence appears to suggest that the attack was orchestrated by a Russian criminal gang. Given the known close working relationship between the Russian government and the country’s organized crime gangs, the Kremlin may not be entirely off the hook in this case. A forensic investigation of the cyberattack will take time and a positive attribution of the attackers may be many months away.


NSH 111 services previously known as ‘NHS Direct’ is used for non-emergency Urgent Care services and puts callers in touch with highly trained advisers supported by healthcare professionals. It was designed to reduce the call volume on the UK’s 999 Emergency services (similar to the US’s 911 call system) for non-critical healthcare issues, or to force patients to have to wait several days for an appointment with their general practitioner / primary care provider. The free 111 service is widely used and can be accessed by anyone dialing the number from within the UK.

Advanced is owned by Vista Equity Partners and BC Partners.

Meta sued for violating patient privacy

Facebook’s parent company Meta is facing two proposed class-action lawsuits for using the Meta Pixel tracking tool on health system websites to target ads.

This is not the first time that Meta-Facebook has been dragged through the courts and sued for a breach of privacy. In this case the problem stems from the company’s wholesale vacuuming up of all kinds of metadata whenever a user visits a web page containing its Pixel tracker functionality.

Pixel is contained in a few lines of JavaScript code and is found widely embedded into various web applications. It appears unlikely that the providers using these web applications were aware of the code contained in their portal pages, or that highly confidential HIPAA protected information is being sent to and used by Meta-Facebook without patients' express written permission being obtained. This is especially so because Meta is not a duly authorized HIPAA Business Associate, a requirement before HIPAA Covered Entities (CE) can share protected health information with a third party, nor is Meta a HIPAA CEin its own right. Based upon recent research, it’s probable that hundreds of healthcare portals contain the Meta Pixel code unbeknownst to most providers and that millions of patients could be affected.


The big question is whether Meta Corporation failed to realize that it was illegally being sent PHI data from Pixel, as it continued to monetize this data to sell directed advertising to unsuspecting patients. This point may become a pivotal argument in pending lawsuits and any regulatory enforcement actions. Based upon previous privacy violations, Meta-Facebook is supposed to have implemented business tools to identify sensitive health data and to filter this out from its advertising revenue generating systems. 


In what will likely be a double blow, the collected data was not just innocuous de-identified medical information. “The data Meta received reportedly contained medical symptoms & conditions, prescription information, doctors’ names, IP addresses, and other data defined as HIPAA identifiers. It would therefore be relatively easy to reverse engineer this PHI data to determine the patient identity. It all comes down to the number of data points held in the Meta advertising database,” claimed Richard Staynings, Chief Security Strategist with Cylera. “This could end up being labeled as a massive breach of highly sensitive and confidential regulated HIPAA data.”


In addition to the recently announced class action it seems likely that the Office of Civil Rights (OCR), the enforcement division of Health and Human Services (HHS) is spinning up a task force to investigate this breach and will be assigning a large team to examine potential violation of  HIPAA, the 1996 federal Health Insurance Portability and Accountability Act.

Not only does Meta Corporation likely face HIPAA regulatory concerns, but it also seems likely that various states Attorney Generals (AGs) will be looking very carefully to determine if the Pixel code is present in their jurisdictions on web pages where there is an expected right of privacy. This is especially so on healthcare portals. Finally, it also seems likely that OCR and AGs will be looking carefully at healthcare providers to examine their policies, standards, procedures and guidelines around due-diligence for acceptance of web application technologies and enabled functionality.


“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.


In 2019, the Federal Trade Commission (FTC) imposed a $5 billion penalty on Facebook and required it to submit to new restrictions and requirements to hold the company accountable for its data privacy decisions. This included the promised use of a sensitivity filtering mechanism.
 


Systemic Problem

Many of these privacy issues stem from a fundamental imbalance between the rights of individuals in the United States to remain anonymous and their data kept private, versus the rights of large corporations to collect and mine data for profit. This is a balance that has been addressed in Europe through GDPR - the 2016 General Data Protection Regulation which has quickly become a global standard for Privacy outside of the United States.
 
The federal nature of the US however has resulted in 50 very different and separate state privacy regulations that make it hard to enforce privacy standards for individuals given so much cross-state commerce. Attempts by the federal government to catch up to other OECD nations with a revised national privacy act have met with opposition from some states concerned that a federal law will dumb down their existing provisions, while other state representatives oppose the imposition of something similar to GDPR which they regard as an undue constraint on businesses. 
 
The latest in a long line of attempts to update US privacy laws is currently working its way through congress. It remains to be seen whether the highly fractured nature of US law making results in national privacy changes or goes the way of prior attempts.

 
 

Challenges for UK Life Sciences


The Challenges for UK Life Sciences Companies

Excerpted from Business Innovations Magazine UK May 2022

How Concerned Should we be about a Russian State Cyberattack against the US?


Russia’s invasion of Ukraine appears to be bogged down if the reports coming out of the country are to be believed. Indeed troops around Kyiv are currently reported to be withdrawing back to Belarus to regroup and re-arm. The surgical Blitzkrieg to take over the country and replace its elected leaders with Putin-friendly surrogates has failed, and now Russia has been forced to re-evaluate its military objectives and to focus on liberating Donbas and Luhansk from Ukraine and the Ukrainian people who live there. The area is one of many across the former Soviet Union seeded by Stalin with Russian diaspora after annihilating much of the indigenous population in one of many genocidal purges of opponents. In this case, it was a mass purge of Ukrainians.
 
Indeed the Holodomor (Ukrainian: Голодомо́Ñ€) in which 4 million Ukrainians were purposely starved to death by Stalin between 1932 and 1933 in order to suppress Ukrainian desires for independence, is perhaps one of the reasons why Ukraine has been so vociferous in its defense against Russian invasion.
 

An Invasion Falling Apart

But as casualties mount, and in particular the deaths of a large number of Russian General Officers, Putin’s hold over the military and therefore political power, looks to be increasingly tenuous. Reports in the media of tanks being driven over commanding officers by unhappy starving soldiers who were misled and lied to by their leadership, poorly trained and led troops shooting unarmed civilians indiscriminately, and a growing realization by Russian troops that they are pawns in an illegitimate conflict with neighbors most of whom speak their own language, is drawing into question the abilities of the Russian military and its leadership.
 
As the Russian body bag count continues to rise and a growing number of funerals are announced back home in Russia of all kinds of senior military officers, so the public will increasingly be aware of the costs of Putin’s folly. The closure of most foreign stores, the inability to fly anywhere as planes are grounded, and a Ruble which has structurally lost 40% of its value since February will be sure to reinforce concerns that Putin is engaged in a conflict much bigger than he has led on.

 

But military power is not all that Putin can muster in his battle with the west. As President, Putin has at his disposal the considerable state cyber forces of the Russian FSB and GRU. These are groups with no shortage of highly destructive cyber weapons, many of which have been used against Ukraine since 2015, and some of which date to the cyber-attacks against Georgia, Estonia, Azerbaijan, and Chechnya,  all the way back to the 1990s. 
 
Putin also has access to the considerable forces of Russian organized cybercrime in return for historically turning a blind eye to their lucrative criminal activities. Indeed, some investigators have concluded an even tighter more collaborative relationship between the Russian President and mob bosses. Putin in other words, has many options open to him for direct and indirect cyber-attacks, though few would believe any claims in current times that Russian organized crime totally operates outside of the influence of Putin and the Kremlin.
 

Russia and Cyberwarfare

The west has in fact been in an ongoing cyberwar with Russia since the turn of the millennium when Russian gangs realized that they could operate their craft of cyber theft and extortion with total impunity from within the bounds of the Russian Federation. Putin and the almost ineffective forces of Russian law enforcement simply turned a blind eye to the gangs and their activities. Perhaps the reported back-handers to police officers helped. Perhaps the sheer power of these gangs was enough to intimidate law enforcement officers. Either way, the illicit foreign exchange inflows of untraceable cryptocurrency continues to boost the struggling Russian economy.

 

The connection between Russian organized crime syndicates and the Kremlin in recent months looks to be a lot less deniable, with evidence suggesting that crime gangs are acting on instruction from the Kremlin and perhaps maybe receiving payment for the acquisition of intelligence gained in their attacks. Take for example the SolarWinds Orion attack, which was attributed to ‘Nobelium’, a group reportedly being directed by the Russian intelligence to infiltrate US federal agencies, while another Russian cybercrime group, ‘DarkSide’, was busy at the exact same time with a high profile and distracting ransomware attack against the Colonial Pipeline cutting off fuel supplies to the southeast of the entire United States.
 

Is Putin likely to respond to increasing western military support of Ukraine?

So far at least, Putin appears to have held back his arsenal of cyber weapons. Supposition is that Putin is concerned that any massive cyber-attack against the west would be sure to result in a powerful response from the west against Russian critical infrastructure including the power grid. It would then be almost impossible for Putin to continue to dupe the Russian people with propaganda stories of an almost insignificant special military operation to rid Ukraine of Nazis. The cat would be out of the bag regardless of whether conscript bodies are returned to their mothers or not, and Putin would be facing enemies from within as well as abroad. It was the unpopularity of the wars in Georgia and Chechnya back home that forced a Russian withdrawal, and the unpopularity of the war in Afghanistan that eventually bankrupted and lead to the collapse of the Soviet Union before it.
 
Indeed, this is perhaps what Putin fears most – a popular uprising against his rule by the very lumpenproletariat he claims to represent. So far however, the Kremlin propaganda machine still appears to be working well and Putin can claim wide-scale popular support at home from the babushkas that believe everything they are told by the state media outlets.

 

While Russia may have some devastating cyber weapons up its sleeve, the NSA is widely regarded to have bigger more devastating cyber weaponry in is arsenal. These include weapons able to effectively take Russia back to the nineteenth century and presumably include the capability to turn off Russia’s power grid, its water, oil, and gas systems, its flight control systems, transportation, and a heap of other critical infrastructure. This would deny Russians, and the Russian war machine with the ability to operate at anything other than at minimal levels and could wreak havoc on military resupply and other logistics.
 
The NSA is not alone however, other Five Eyes nations are thought to have comparable cyber capabilities and would no doubt respond as a group if attacked by Russia. The EU is thought to also have some offensive cyber capabilities, while Israel, less involved in the support of Ukraine against Russian invasion, would likely join in to support the USA and its other allies, despite its current free pass from Russia to attack Hezbollah terrorists operating inside Syria in return for staying neutral. Israel is thought to have some very nasty tricks up its sleeves and based upon its past performance, is less inclined to hold back if ever attacked.
 
So with cyber armies lined up against each other, perhaps we have reached the modern day equivalent of Mutually Assured Destruction (MAD). This was a principle that ensured the global peace between totalitarian east and liberal democratic west, around the use of nuclear weapons from the late nineteen forties to the present day. Given the impact to all of us of an all-out cyberwar between Russia and the west, let’s hope that MAD will keep the cyber weapons firmly locked up.

 

Can Healthcare Tackle IoT, Medical Device Security Challenges?

Join SCMedia Editor Jessica Davis and Cylera's Chief Security Strategist Richard Staynings for a FireSide Chat at VIVE2022 -  the new CHIME / HLTH conference in Miami Beach FL, as they explore the challenges of medical device security.




Could Russia orchestrate cyberattacks against the west?

As concerns rise about the likelihood of increased cyberattacks against the west by Russian cyber forces, so the west is attempting to ready itself. Both the UK and US governments have this week issued warnings to citizens of the rising threats of an attack and urged increased diligence.

Many consider a cyber attack almost inevitable given continuing western military support for Ukrainian defense, a growing army of hackers joining forces with Anonymous that have very successfully and daringly taken down or defaced critical Russian web sites including that of the Kremlin, and a proclivity by Putin to use grey or hybrid warfare against those who dare to challenge his supreme authority.

So far however, all we have seen is the usual ransomware and other criminal cyber-extortion activities of Russia's extensive criminal underworld of organized crime syndicates. A proxy army in waiting that Putin can rely upon to act on his instructions, and one that he can claim any involvement with and plausible deniability when their activities are discovered.

Indeed, Putin is now a master of subterfuge being trained by the Soviet KGB in the art of spy craft and disinformation. Putin has very conveniently turned a blind eye to the criminal activities of Russia's organized crime syndicates for many decades, in part because of their usefulness and in part perhaps because of the reported illicit financial and other support Putin receives from these groups.

But should the west be worried and what steps should westerners take to shore up their own cyber defenses? These are questions that were posed by Stephen and Ellie on the UK's GB News Breakfast show this morning.




Impact of the Russian Invasion of Ukraine

The Russian military invasion of Ukraine has unified the free world against acts of aggression by dictators and autocrats who threaten the territorial integrity of their neighbors. 

After years of bullying, threats and intimidation by Putin and Kremlin against what it regards as one of its vassal states, Russian troops were ordered across the Ukrainian border on Thursday February 24th, 2022. This resulted in almost immediate global financial and trade sanctions by the west and the isolation of the Russian economy. This included a closure of the skies to Russian airlines and other aircraft across Europe, Canada and America and the freezing of Russian state and Oligarch assets all around the world and the sequester of many Russian Oligarch assets including some multi-million dollar luxury yachts. It also included agreement to supply defensive weapons to Ukrainian forces from NATO countries and as far away as Australia.

But concerns have risen sharply that such tacit support of Ukraine against Russia could result in cyber attacks against the west and in particular the United States by Russia's considerable arsenal of GRU and FSB cyber weapons, or the letting lose of Russian organized crime syndicates to launch their own cyber attacks.

In the light of such concerns, University of Denver University, College faculty leaders agreed to come together this evening to examine the impact of the Russian invasion of Ukraine. They were joined by other Colorado academics from Colorado State University and the University of Colorado. 

Join moderator Arianna Nowakowski and panelists Jack Buffington, Eric Fattor, and Richard Staynings as they adeptly navigate complex topics pertaining to the short-term and long-term consequences on security, supply chain, media, and globalization.





Cotswold Radio - The need to secure healthcare IoT


Securing Healthcare and the growing complexity of interoperable health IT / IoT systems and medical devices. Richard Staynings discusses this with James Cunningham, CEO of Core To Cloud, based in Cirencester, Engalnd, and Tony Dale host of the evening Cotswolds Radio broadcast.

Listen to a recording of the live broadcast below:




 

Russia ready to launch cyber attacks on the West in retaliation for economic sanctions

Western governments and companies need to be on a “heightened state of preparedness” for the “high probability” of cyber attacks, as economic sanctions on Russia begin to bite, a senior cyber security expert has told GB News. And it is expected Russia will soon step up its campaign against the West with cyber attacks.

Critical national infrastructure and the banking sector could be the main targets of any attack ordered by Vladimir Putin, according to Richard Staynings, chief security strategist at cyber security firm, Cylera.

He said: “I would say there's a fairly high probability, based upon the types of hybrid warfare that Putin and the Kremlin have executed in the past, that cyber attacks will be launched in this conflict.

“In Chechnya in the 90s, Russia launched its cyber weapons against opposing forces. We've seen it in Georgia and South Ossetia. We've seen it in other parts of the World, where Russia has wanted to extend its influence and to coerce and to bully its neighbours or adversaries.

“I think it's a weapon that's being held in reserve right now, but we certainly need to be on a heightened level of preparedness.

“That means we need to make sure that systems are patched. We need to make sure that we've got adequate cyber defences in place to protect our businesses, our schools and universities, our hospitals our power and oil systems and other critical infrastructure across the country.”

Experts warn although the threat from cyber warfare can seem quite abstract, it has potential real world consequences.

Recent attacks on the health service caused significant disruption. The multiple computerised systems within the West’s aviation sector are also vulnerable to attack.
Cyber security teams are already on high alert. Executives at some of the West’s leading banks and financial institutions have expressed their concern about the possibility of Russian attacks on the banking system in retaliation for being kicked out of the Swift international payments system.

Apart from an attack on some of Ukraine’s critical systems in the initial stages of the invasion, there has been no concerted effort by Russia to attack Western infrastructure in recent weeks, according to security sources.

The leadership in Moscow knows that any cyber attack on the West will be met with a significant response from Western Governments, whose offensive cyber capabilities have been significantly enhanced in recent years.

But if Vladimir Putin decides to give the go ahead for technological attacks, he can also utilise a network of organised criminal gangs to hep him out, according to Professor Ciaran Martin, from the University of Oxford.

Professor Martin, who is the former head of the the UK’s National Cyber Security Centre, said that any Russian cyber attack would come on multiple fronts.

“As well as being one of the most formidable cyber powers in terms of government capabilities, Russia also has the largest concentration by far of serious organised cyber criminals on the planet.” He said.

“In 2021, we saw those criminals disrupt petrol supplies in America, healthcare in Ireland, schools in England, food retail in Sweden, the list goes on.

None of that individually is catastrophic. But if the Russian state were to unleash its ransomware capabilities, its cyber criminal capabilities, while not catastrophic, that could get pretty unpleasant.

Although the West’s computer systems are better protected these days, there are still inherent weaknesses and vulnerabilities that adversaries could seek to exploit, according to Richard Staynings.

“There are certainly still weaknesses in the system.” He said.

“Much has been done to shore up a lot of the critical infrastructure across the UK, particularly the NHS since the WannaCry ransomware attack in 2017.

“A lot of older systems have been replaced and we have new regulations that are forcing NHS trusts and NHS digital to move forward in that space.

“The data security protection tool-kit for example is driving enhancements around IOT medical devices which are inherently vulnerable in our health system today and that is forcing health systems to improve their capabilities.

“But there are still gaps in the fabric, there are still chinks in the armour that we need to be aware exist and we need to take precautions in order to ensure that perpetrators can't get through that armour.”

For now, as Russia concentrates on conventional warfare, it is already fighting off multiple attacks from Western computer hackers, who have turned away from their traditional targets of big business and governments at home, focussing their disruptive talents on Moscow instead.

 

Reproduced from GB News. Original post 18 March 2022. https://www.gbnews.uk/news/russia-ready-to-launch-cyber-attacks-on-the-west-in-retaliation-for-economic-sanctions/250614


Ditial Health Rewired - Smart Health In Practice


Digital Health Rewired was full of highly informative presentations and discussions across many areas of healthcare, but perhaps most forward thinking were 2 days of sessions under the banner of Smart Health in Practice at the Smart Health Stage at the front of the show.

I was proud the share the stage with 4 'greats' in the space of smart health innovation: Declan Hadley UK&I Lead for Cisco, Andy Callow, CDIO at University Hospitals of Northamptonshire, Stephen Dobson, CIO at Lancashire Teaching Hospitals, and Matt Dugdale, Head of Clinical & Digital Innovation, North West Ambulance Service NHS Trust. 

Our discussions focused around a presentation provided by Matt on how the North West Ambulance Service team has transformed its ambulances and offices to become 'Smart' using new smart technology to improve efficiency and the patient experience at the same time. 

Smart hospitals are just one of many changes occurring across NHS trusts, as discrete HIT and HIoT digital systems are integrated and made interoperable by advanced new technology from Cisco, Cylera and others. But as these changes are implemented, we run the risk of gap being created between functional IT and secure IT unless cybersecurity is included from the outset. With a growing number of systems and discrete devices now 'connected' to hospital networks, patient safety and cybersecurity have become major areas of concern.

With warnings by the government to batten down the hatches across critical infrastructure industries like healthcare in the light of rising threat of cyber attack from Russia, keeping patients safe and health IT / IoT systems up and running will be a major challenge if we are to avoid another WannaCry.


My thanks also to a great audience which continued to ask questions off-stage well after our allotted time had gone and almost into the next session.