CISA, UK’s NHS on PHI messaging, More Spectre Meltdown
TLP White: This week we start by addressing a new cybersecurity-focused agency within the Department of Homeland Security (“DHS”). We also examine new guidelines published by the United Kingdom’s primary health authority regarding medical professionals’ use of messaging applications. We then discuss similar challenges facing both European and U.S.-based healthcare IT executives, and we end by shedding some light on the continuing problems posed by this year’s Spectre and Meltdown cyber-attacks.
Welcome back to Hacking Healthcare.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion from the health sector perspective, become a member of H-ISAC and receive the TLP Amber version.
Hot Links –
- New Federal Agency Under DHS Umbrella Strengthens Inter-Agency Coordination on Cybersecurity. Last Monday, the House of Representatives unanimously approved legislation to create a new cybersecurity-focused agency within DHS.[1] This Cybersecurity and Infrastructure Agency Act (“CISA Act”) was blessed by the Senate last month and has been signed by the President.
The new agency created by the CISA Act will rebrand DHS’s National Protection and Programs Directorate (“NPPD”). The new name (“Cybersecurity and Infrastructure Agency”) is meant to give the NPPD a clearer, more streamlined focus on cybersecurity and the protection of critical infrastructure. The agency’s current mission is to work with state, local, and tribal governments to coordinate cohesive responses to security threats. Legislators hope that this new organization will be able to tighten up security vulnerabilities within the intelligence agency ecosystem, enable DHS to recruit new tech talent, and allow DHS to better coordinate with agencies across the federal government.
- Messaging Applications and Patient Data: A Common, Risky Practice. A scathing report by clinical messaging platform provider CommonTime has prompted the United Kingdom (“UK”) to curb medical professionals’ use of consumer messaging applications to share patient information.[2] CommonTime’s report found that 48% of UK health entities that are regulated by the country’s National Health Service (“NHS”) had no privacy policies in place to govern clinicians’ use of third-party instant messengers such as Facebook Messenger and WhatsApp.[3] This report came on the heels of NHS’s February announcement that every single NHS trust had failed a government cybersecurity audit.[4] As a result, the CommonTime report has reignited questions about health organizations’ data privacy and security management practices. A perceived lack of oversight has prompted the NHS to publish guidelines that encourage third-party messaging applications to implement specific security mechanisms so that clinicians can use them to share patient information.[5]
The United States Centers for Medicare and Medicaid Services (“CMS”) adopted a similar stance with respect to medical professionals’ texting habits around this time last year.[6] In November 2017, CMS published a Survey and Certification Letter making it known that texting patient orders is prohibited by the agency. The letter also stated that texting patient healthcare information to other members of a given health management team may be done only through a secure platform or message provider. SMS messages, which both CMS and NHS consider to be insecure, are not the proper medium by which members of a health care team should communicate vital patient health information.
- Similar Challenges Confront European and U.S. Healthcare IT Executives. A HIMSS Analytic Survey has highlighted similar difficulties facing both U.S. and European healthcare IT executives.[7] In addition to experiencing comparable challenges, last week’s HIMSS Analytic Survey said that healthcare IT business sectors in both continents have set their sights on similar goals. Recruiting new IT talent, increasing patients’ control over their own data, and shoring up cybersecurity controls are among a number of top priorities that European and U.S.-based healthcare IT executives share.
In addition to sharing the same goals, European and U.S. health IT groups share the same challenges. Both have struggled to grapple with the same kinds of hacks and overall frustrations in the cyber arena. One key finding of the HIMSS Analytic survey was that European health IT business sectors have not received enough money or resources to fund necessary improvements in health IT. Some researchers believe that to combat these funding challenges for health IT, companies need to move toward a shared care model. Many also agree that an increased focus on cybersecurity will be necessary as the Internet of Things and connected medical devices continue to grow in popularity and efficacy.
- Additional Variants of Spectre and Meltdown Attacks Have Researchers Sounding the Alarm. The Spectre and Meltdown attacks that surfaced earlier this year have proven to be even more dynamic and troublesome than they first appeared. Researchers have discovered at least seven new transient execution variants in the Spectre and Meltdown families that have the potential to disrupt systems just as the first Spectre and Meltdown attacks did.[8] These seven new transient execution attacks include two Meltdown variants and five Spectre mistraining strategies.
Generally speaking, Spectre and Meltdown attacks both exploit speculative execution to leak information from systems’ protected areas, but the two families work somewhat differently. In a Spectre attack, the processor predicts which way a given branch will go and speculatively executes on the basis of that prediction. When it later discovers the prediction was wrong, the processor discards the speculative work, but the accesses it performed before backtracking leave traces in memory caches. Those traces allow protected information to leak and let attackers read from areas they should not be able to access. Meltdown attacks, by contrast, have the processor access protected memory and speculatively execute on the data held there. After the processor determines that the memory is protected, it attempts to undo the speculative execution it has performed. As it backtracks, it leaves small inconsistencies in the memory cache that attackers can exploit to read data that should otherwise be unreadable.
Some of the seven new Spectre and Meltdown variants discovered by researchers can be mitigated by already existing defenses and patches. However, others cannot be remedied by available techniques, so new research will be necessary to ensure the safety of vulnerable software systems. This new research will likely take a broader view of the Spectre and Meltdown attacks, and it will attempt to refrain from constructing ad hoc, specialized fixes that only address particular problems. As the discovery of these new variants has shown, researchers will need to examine the most common and available exploitations of the Spectre and Meltdown attacks to bolster defenses to the widest swath of potential future hacks.
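As an added illustration of the “already existing defenses” the passage refers to (this is example code written for this post, not code from the newsletter, H-ISAC, or the cited paper), the C below shows the bounds-check shape that Spectre variant 1 (bounds-check bypass) targets next to a hardened version that clamps the index with a branchless mask, in the style of the Linux kernel’s array_index_nospec(). The table contents, sizes, and function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the newsletter or the cited paper: branchless
 * index masking in the style of Linux's array_index_nospec(), one of the
 * existing Spectre variant 1 (bounds-check bypass) defenses. Names and data
 * are our own. */

#define TABLE_SIZE 16

/* Constructed lookup table; imagine sensitive data lying in memory beyond it. */
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Returns SIZE_MAX (all ones) when index < size and 0 otherwise, computed
 * from arithmetic only, so there is no branch for the CPU to mispredict.
 * Assumes index and size are below 2^(bits-1), so the sign bit of the
 * intermediate result carries the comparison outcome. */
static inline size_t nospec_mask(size_t index, size_t size)
{
    /* index < size  => index and (size - 1 - index) both have a clear top
     *                  bit, so does their OR, and its complement is negative:
     *                  an arithmetic shift right yields all ones.
     * index >= size => (size - 1 - index) wraps around and sets the top bit,
     *                  the complement is non-negative, and the shift yields 0. */
    uintptr_t x = (uintptr_t)index | (uintptr_t)(size - 1 - index);
    intptr_t sign = ~(intptr_t)x;
    return (size_t)(sign >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Clamps an index so that even a speculatively executed load using it stays
 * inside [0, size): out-of-range indices become 0. */
static inline size_t masked_index(size_t index, size_t size)
{
    return index & nospec_mask(index, size);
}

/* Unhardened shape: architecturally correct, but while the CPU speculates
 * past a mispredicted bounds check, table[index] may be loaded out of range
 * and leave a cache footprint that a Spectre attack can later observe. */
static uint8_t lookup_branch_only(size_t index)
{
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Hardened shape: the bounds check stays for correctness, and the index is
 * additionally clamped through a data dependency, so a speculative load can
 * only ever touch table[0..TABLE_SIZE-1]. */
static uint8_t lookup_masked(size_t index)
{
    if (index < TABLE_SIZE)
        return table[masked_index(index, TABLE_SIZE)];
    return 0;
}

int main(void)
{
    size_t probes[] = { 3, TABLE_SIZE - 1, TABLE_SIZE, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("index %4zu: mask %016zx masked_index %2zu branch-only %u masked %u\n",
               probes[i], nospec_mask(probes[i], TABLE_SIZE),
               masked_index(probes[i], TABLE_SIZE),
               lookup_branch_only(probes[i]), lookup_masked(probes[i]));
    }
    return 0;
}
```

Both lookups return the same architectural results, which is all a unit test can observe; the difference is micro-architectural, in which addresses a speculative load can touch. The other standard mitigation for this shape is a serializing barrier after the check (lfence on x86), which stops speculation outright at a higher cost, whereas masking is cheap but only protects the load sites where it is applied.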
Congress –
Tuesday, November 20:
–No relevant hearings.
Wednesday, November 21:
–No relevant hearings.
Thursday, November 22:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–2018 NH-ISAC Fall “Never Stand Alone” Summit – San Antonio, TX (11/26-30) https://nhisac.org/summits/2018-fall-summit/
–H-ISAC Radio discussion live at the Fall Summit: IAM and Portable Identity. Look for participation link in Member list server. – San Antonio, TX (11/28/18 at 10:25 am UTC)
–FIRST Symposium 2019 – London, UK (3/18/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
Sundries –
—NIST Leads the Way on “Smart Grid Interoperability and Cybersecurity” as well as “Smart and Secure Cities”
<https://www.lexology.com/library/detail.aspx?g=407acd10-edf4-4f99-a07d-23104c7bacad>
—Wireless throttling: Senators ask four major carriers about video slowdowns
<https://arstechnica.com/tech-policy/2018/11/wireless-throttling-senators-ask-four-major-carriers-about-video-slowdowns/>
—Imminent Bitcoin Cash schism triggers cryptocurrency selloff
<https://arstechnica.com/tech-policy/2018/11/bitcoin-plunges-12-percent-reaching-lowest-value-in-a-year/>
—The US Office of Personnel Management Systems Are Still Insecure
<https://www.bleepingcomputer.com/news/security/the-us-office-of-personnel-management-systems-are-still-insecure/>
—Pentagon, DHS agree to framework for joint cyberdefense
<https://www.cyberscoop.com/pentagon-dhs-agree-framework-joint-cyber-defense/>
—Cloud, China, Generic Malware Top Security Concerns for 2019
<https://www.darkreading.com/risk/cloud-china-generic-malware-top-security-concerns-for-2019/d/d-id/1333283?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
—‘Mylobot’ botnet now downloading second-stage malware meant to siphon data
<https://www.cyberscoop.com/mylobot-botnet-now-downloading-second-stage-malware-meant-to-siphon-data/>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://healthitsecurity.com/news/homeland-security-gains-cybersecurity-agency-with-new-legislation
[2] https://healthitsecurity.com/news/uk-nhs-releases-guidance-on-instant-messaging-apps-in-healthcare
[3] http://www.commontime.com/expertise/press-releases/im-addendum
[4] https://www.theguardian.com/technology/2018/feb/05/every-nhs-trust-tested-for-cyber-security-has-failed-officials-admit
[5] https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/information-governance-resources/information-governance-and-technology-resources
[6] https://www.hipaajournal.com/cms-text-messages-in-healthcare/
[7] himss-analytics-annual-european-ehealth-survey-2018
[8] https://arxiv.org/abs/1811.05441
CISA, Facebook, FDA, HC3, HHS, HIMSS, NHS, PHI, Third Party Risk, UK