Data Breach Penalty Senate Bill, CT & MRI Manipulation Vulnerability, Amazon’s Alexa Health Data
TLP White: In this edition of Hacking Healthcare, we discuss a bill introduced in the Senate last week that seeks to enable criminal penalties for corporate executives following a data breach. We also break down a new malware variant developed by Israeli researchers to highlight the damage malicious code can wreak on healthcare systems and patient diagnoses. We then dive into Amazon Alexa, and its foray into healthcare information.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Prison Time for Data Breaches?
In a bill introduced on Wednesday, Sen. Elizabeth Warren (D-MA) put forth legislation that would make it easier to criminally charge executives of large corporations following a major data breach. Senate Bill 1010, the “Corporate Executive Accountability Act,” would amend Title 18 of the United States Code to hold executives accountable for “negligently permitting or failing to prevent a violation of law,” which would include a data breach affecting more than 1% of the population of the United States or of a single State. The proposed legislation would penalize offenders with a fine and up to one year in prison, with subsequent offenses raising the maximum prison term to three years.
Because the bill would only apply to companies with more than $1 billion in annual revenue, it appears tailored to holding industry giants more accountable for lax security postures and for policies that favor growth over privacy. How much traction the bill is likely to get is up for debate, however. With a Republican-held Senate and no co-sponsors from that party, the bill may be more likely to serve as a marker for Sen. Warren’s policy positions in her presidential campaign than as viable legislation that could become law in the current session.
2. Medical Malware Mirage.
This week, researchers in Israel demonstrated the frightening implications of malware infecting the medical industry. To showcase the glaring need for improvements to the cybersecurity of medical devices and hospital systems, the researchers created malware that could infiltrate widely used CT and MRI equipment. The malware altered scans to make it appear as though they contained a malignant growth, or made very real cancerous growths appear non-existent or harmless. Even more worrisome was the malware’s effectiveness: trained radiologists could not distinguish the fakes from real scans and were fooled over 94% of the time.
While undermining trust in our medical system would certainly be a byproduct of such an attack, the researchers also highlighted the potential for targeted use of the malware. They envisioned targeting “a presidential candidate or other politicians to trick them into believing they have a serious illness and cause them to withdraw from a race to seek treatment.” Furthermore, the researchers noted that they are confident this kind of malware could be adapted to other medical imaging findings, including blood clots, brain tumors, ligament injuries, and bone fractures.
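The attack above works because nothing between the scanner and the radiologist’s screen checks that the image is the one the scanner produced. The control a practitioner would want is an integrity check computed at acquisition and verified before display. The following is an added example (not code from the researchers or from this blog) that implements such a check with a keyed HMAC manifest; the scan format, the scan identifiers, the manifest layout and the “lesion” injected to simulate tampering are all constructed stand-ins, and the code treats each scan as opaque bytes so the same logic applies to real DICOM files.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed stand-in for a scan: a one-line text header followed by an 8x8,
# 8-bit pixel block. Real CT/MRI objects are DICOM files; the integrity check
# below never parses the content, so it works unchanged on real files.
WIDTH, HEIGHT = 8, 8


def make_scan(scan_id: str, fill: int = 40) -> bytes:
    """Build a constructed scan with uniform pixel intensity `fill`."""
    header = f"SCAN:{scan_id}:{WIDTH}x{HEIGHT}\n".encode()
    pixels = bytes([fill]) * (WIDTH * HEIGHT)
    return header + pixels


def inject_lesion(scan: bytes, x: int, y: int, size: int = 2, intensity: int = 220) -> bytes:
    """Simulate the tampering described above: brighten a small pixel block
    so a 'growth' appears where there was none. Length and header are unchanged,
    which is why a size or metadata check alone would not catch it."""
    header_len = scan.index(b"\n") + 1
    buf = bytearray(scan)
    for dy in range(size):
        for dx in range(size):
            buf[header_len + (y + dy) * WIDTH + (x + dx)] = intensity
    return bytes(buf)


def sign_scan(key: bytes, scan: bytes) -> str:
    """HMAC-SHA256 tag over the whole object, computed at acquisition time."""
    return hmac.new(key, scan, hashlib.sha256).hexdigest()


def verify_scan(key: bytes, scan: bytes, tag: str) -> bool:
    # compare_digest avoids leaking tag bytes through timing differences.
    return hmac.compare_digest(sign_scan(key, scan), tag)


def build_manifest(key: bytes, scans: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest {scan_id: tag}; in a deployment this would be written by the
    modality and stored separately from the image archive."""
    return {sid: sign_scan(key, data) for sid, data in scans.items()}


def audit(key: bytes, manifest: Dict[str, str], store: Dict[str, bytes]) -> Dict[str, str]:
    """Check an archive against the manifest. Statuses:
    'ok'       - bytes match the signed tag
    'tampered' - present in both but the tag no longer verifies
    'missing'  - signed at acquisition but absent from the archive
    'unsigned' - in the archive with no acquisition-time tag (injected object)"""
    result: Dict[str, str] = {}
    for sid, tag in manifest.items():
        if sid not in store:
            result[sid] = "missing"
        elif verify_scan(key, store[sid], tag):
            result[sid] = "ok"
        else:
            result[sid] = "tampered"
    for sid in store:
        if sid not in manifest:
            result[sid] = "unsigned"
    return result


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # assumption: provisioned to the modality
    acquired = {"A": make_scan("A"), "B": make_scan("B", fill=60)}
    manifest = build_manifest(key, acquired)

    archive = dict(acquired)
    archive["B"] = inject_lesion(archive["B"], x=3, y=3)   # attacker edits B in place
    archive["C"] = make_scan("C")                           # attacker adds a new object
    print(audit(key, manifest, archive))
```

The check catches in-place edits, deleted scans and injected objects, but a shared HMAC key is a deliberate simplification: anyone who can read the key, including a compromised archive host, can re-sign altered images. In production the modality should sign with a private key and viewers verify with the public key (the DICOM standard defines a digital signature profile for exactly this), and the manifest should live somewhere the image archive cannot write.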
3. Amazon’s Alexa Accepts Health Data.
Amazon made waves last week when it announced that Alexa-enabled devices are now capable of handling patient health information. The company has invited six health organizations to develop “voice skills” for Alexa that will work by transmitting health information from a company’s database or network directly to the patient. For example, a health technology company called Livongo will develop capabilities through Alexa for its diabetes program. Using Livongo’s “voice skill,” Alexa will be able to transmit blood sugar readings to patients verbally when they ask the device for this information. “This is a significant step for Amazon, as it means voice app developers who follow HIPAA guidelines can now create skills for Alexa.”
You might be wondering where HIPAA, the Health Insurance Portability and Accountability Act, fits into Amazon’s new health data project through Alexa. Generally speaking, HIPAA restricts how covered entities such as providers and health plans may use and disclose protected health information. A third party that handles that information on a covered entity’s behalf must do so as a business associate under contract, and other disclosures typically require the patient’s authorization. Amazon believes it has found a way for organizations to transmit health information through Alexa while remaining HIPAA compliant.
Congress –
Tuesday, April 9th:
–No relevant hearings.
Wednesday, April 10th:
–No relevant hearings.
Thursday, April 11th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–H-ISAC Member Only Webinar – How Policy Architecture Can Improve Cybersecurity (4/11/19)
<https://h-isac.org/hisacevents/policy-architecture/>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/
–H-ISAC Radio discussion on Global Privacy – Link is in Member Portal (4/15/2019 12pm ET)
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)
<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)
<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Dozens of Credit Card Info Skimming Scripts Infect Thousands of Sites
<https://www.bleepingcomputer.com/news/security/dozens-of-credit-card-info-skimming-scripts-infect-thousands-of-sites/>
–Inspector general finds deficiencies in how FBI tells companies they’ve been breached
<https://www.cyberscoop.com/fbi-inspector-general-breach-notification-report/>
–How DHS is following the Pentagon’s plan for internal cybersecurity
<https://www.cyberscoop.com/dhs-cybersecurity-shared-services-dod-cssp-model/>
–Insider Attacks More Common, Harder to Detect After Cloud Migration
<https://www.bleepingcomputer.com/news/security/insider-attacks-more-common—harder-to-detect-after-cloud-migration/>
–Georgia Tech Data Breach Exposes Info for 1.3 Million People
<https://www.bleepingcomputer.com/news/security/georgia-tech-data-breach-exposes-info-for-13-million-people/>
–Huawei and Managing 5G Risk
<https://www.lawfareblog.com/huawei-and-managing-5g-risk>
–German drug giant Bayer breached by Chinese hacking group Wicked Panda: report
<https://www.cyberscoop.com/bayer-breached-china-wicked-panda/>
–Microsoft Study: Large Manufacturing Companies in Asia Pacific Could Lose US $10.7 million Due to a Cyberattack
<https://www.businessinsider.sg/large-manufacturing-companies-in-asia-pacific-could-lose-us10-7-million-due-to-a-cyberattack/>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
Amazon, Cyber Vulnerability, Data Breach, HIPAA, Medical Device Security