
DNC ON HUAWEI & ZTE, NIST, FBI ON IOT

TLP White: We start with a DNC announcement regarding the use of Chinese telecom companies Huawei and ZTE and then dive into recently released guidance on healthcare mobile device security.  We conclude with an FBI PSA regarding IoT security and how to protect and defend against attacks.  Welcome back to Hacking Healthcare:


Hot Links –

  1. No Way Huawei. The Democratic National Committee (“DNC”) Chief Security Officer Bob Lord warned state parties and the DNC’s sister committees to steer clear of devices made by Chinese telecom companies Huawei and ZTE.[1]  In his email, Lord cautioned that devices made by these companies pose a security risk and advised against using them even when they are offered at a low price or for free.  Lord’s position is in line with that of U.S. intelligence officials, who at a February congressional hearing recommended that Americans not purchase Huawei or ZTE devices because of the security risk they pose.  In his email to DNC candidates, Lord emphasized that the intelligence community does not make statements like this lightly, and asked candidates and their staff not to use the devices at all, whether for personal or for work-related purposes.


The DNC’s decision to ask candidates not to use a particular technology is emblematic of some interesting shifts in the private sector and in related policy choices.  Decisions of this type have the potential to have a broad impact on the Internet of Things (“IoT”) and on the technology supply chain going forward.


  2. NIST and NCCoE Publish Mobile Device Security Guide. The National Institute of Standards and Technology (“NIST”), through its National Cybersecurity Center of Excellence (“NCCoE”), released a guide[2] titled “Securing Electronic Health Records on Mobile Devices” (NIST SP 1800-1) to help healthcare providers improve mobile device security and ultimately keep protected health information (“PHI”) from unauthorized access and disclosure.[3]  The guide includes a modular, standards-based reference design that IT professionals and security engineers can adopt in whole or in part.


As it is, the healthcare sector already deals with particularly high cybersecurity incident rates.  Adding mobile devices only complicates the matter by significantly increasing the attack surface, and healthcare providers report that device security is a top concern with respect to their mobile programs.[4]  Notwithstanding these concerns, in a recent survey of healthcare IT professionals, 90% of respondents indicated that their institution either already has a mobile initiative or plans to implement one, and roughly half indicated that their organization planned to increase mobile device usage within the next two years.


The guide acknowledges the trend toward increased use of mobile devices by healthcare providers and the risks that accompany the misuse, theft, modification, or unauthorized disclosure of health information, including regulatory penalties, loss of consumer trust, and harm to patient care and safety.  In response, the guide demonstrates how healthcare providers can share patient information more securely with caregivers who use mobile devices, relying on open-source and commercially available tools and technologies.


  3. FBI PSA: Your IoT is a Target. On August 2, 2018, the Federal Bureau of Investigation (“FBI”) issued a public service announcement (“PSA”) warning that IoT devices are increasingly targeted by cybercriminals.[5]  As we have discussed in previous newsletters, healthcare organizations are increasingly adopting IoT, and these capabilities are often accompanied by increased risk.  The PSA notes that cyber actors actively search for and compromise vulnerable IoT devices for use as proxies or intermediaries for Internet requests, routing malicious traffic through them for cyber-attacks and computer network exploitation.[6]


The PSA explains that “IoT proxy servers are attractive to malicious cyber actors because they provide a layer of anonymity by transmitting all Internet requests through the victim device’s IP address.  Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.”[7]
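The proxy pattern the PSA describes leaves a signature in a network’s own flow records: a fixed-function device such as a camera or infusion pump normally talks to one or two vendor endpoints, whereas a device relaying someone else’s requests opens connections to a wide spread of unrelated external addresses, often right after a connection arrives from outside.  The following is an added example, not code from the H-ISAC post or from the FBI PSA.  It is a Python heuristic that scores each host on an IoT segment on those two signals (external fan-out, and inbound-then-outbound relay pairs) and flags the outliers.  The IoT subnet (10.20.0.0/16), the thresholds, and every flow record in it are assumptions constructed for the example.

```python
"""
Heuristic flow-log check for an IoT device that has been turned into a proxy.

Added example (not from the H-ISAC post or the FBI PSA). It assumes the IoT
segment is 10.20.0.0/16 and that flow records (NetFlow/IPFIX, firewall logs,
or Zeek conn.log) have already been reduced to the Flow fields below. All flow
records in SAMPLE_FLOWS are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Assumptions for this example: the IoT VLAN and the tuning thresholds.
IOT_NET = ip_network("10.20.0.0/16")
RELAY_WINDOW = 5.0     # seconds between an inbound flow and the outbound it triggers
FANOUT_THRESHOLD = 10  # distinct external destinations a fixed-function device should not reach
RELAY_THRESHOLD = 3    # inbound->outbound pairs before a host is flagged


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def is_iot(ip: str) -> bool:
    # An explicit prefix is used instead of ip_address(...).is_private, which also
    # matches the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24)
    # that stand in for "external" addresses in the sample data.
    return ip_address(ip) in IOT_NET


def score_hosts(flows: Iterable[Flow], relay_window: float = RELAY_WINDOW) -> Dict[str, Dict[str, int]]:
    """Per IoT host: distinct external destinations (fanout), bytes sent (out_bytes),
    and inbound flows followed within relay_window by an outbound flow to a
    different external address (relay_pairs)."""
    outbound: Dict[str, List[Flow]] = defaultdict(list)
    inbound: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if is_iot(f.src) and not is_iot(f.dst):
            outbound[f.src].append(f)
        elif is_iot(f.dst) and not is_iot(f.src):
            inbound[f.dst].append(f)
        # IoT-to-IoT and external-to-external flows are ignored here.

    stats: Dict[str, Dict[str, int]] = {}
    for host in set(outbound) | set(inbound):
        outs = outbound[host]
        relay_pairs = 0
        for inc in inbound[host]:
            # A relay pair: something outside connected to the device, and the device
            # then opened a connection to some *other* external address. A reply to
            # the same peer (a vendor remote-support session, say) does not count.
            if any(inc.ts <= o.ts <= inc.ts + relay_window and o.dst != inc.src for o in outs):
                relay_pairs += 1
        stats[host] = {
            "fanout": len({o.dst for o in outs}),
            "out_bytes": sum(o.nbytes for o in outs),
            "relay_pairs": relay_pairs,
        }
    return stats


def suspicious_hosts(flows: Iterable[Flow], fanout_threshold: int = FANOUT_THRESHOLD,
                     relay_threshold: int = RELAY_THRESHOLD) -> List[str]:
    """Hosts whose fan-out or relay-pair count reaches a threshold, sorted by address."""
    stats = score_hosts(flows)
    return sorted(h for h, s in stats.items()
                  if s["fanout"] >= fanout_threshold or s["relay_pairs"] >= relay_threshold)


# Constructed sample: a camera behaving normally (10.20.0.5), a device that takes
# vendor support sessions (10.20.0.12), and a device relaying third-party requests
# (10.20.0.9): twelve inbound connections, each followed by an outbound one to a
# different external address.
SAMPLE_FLOWS = [
    Flow(1000.0 + 60 * i, "10.20.0.5", 40000 + i, "203.0.113.10", 443, 5000)
    for i in range(3)
] + [
    Flow(1500.0, "203.0.113.20", 52000, "10.20.0.12", 22, 3000),
    Flow(1500.5, "10.20.0.12", 43000, "203.0.113.20", 443, 2000),
] + [
    f
    for i in range(12)
    for f in (
        Flow(2000.0 + i, "198.51.100.7", 51000 + i, "10.20.0.9", 8080, 800),
        Flow(2000.4 + i, "10.20.0.9", 41000 + i, f"192.0.2.{20 + i}", 443, 12000),
    )
]

if __name__ == "__main__":
    for host, s in sorted(score_hosts(SAMPLE_FLOWS).items()):
        print(host, s)
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

Two caveats apply when running something like this against real flow data.  The inbound-then-outbound signal only exists for devices that are reachable from the Internet; a bot that polls its controller and receives the requests it should forward over that outbound channel produces no inbound flows at all, which is why fan-out is scored independently.  And the thresholds have to be set per device class against an observed baseline: a camera that only ever talks to its vendor cloud has a fan-out of one, so the right threshold for it is far lower than the one for a workstation.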
 
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.

[1] https://www.cyberscoop.com/zte-huawei-dnc-warning-bob-lord/

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf

[3] https://healthitsecurity.com/news/nist-nccoe-publish-guide-on-healthcare-mobile-device-security

[4] https://healthitsecurity.com/news/mobile-device-security-worries-plague-healthcare-providers

[5] https://www.ic3.gov/media/2018/180802.aspx

[6] https://www.ic3.gov/media/2018/180802.aspx

[7] https://www.ic3.gov/media/2018/180802.aspx
