H-ISAC Hacking Healthcare 11-19-19
TLP White: In this edition of Hacking Healthcare, we take a look at the recent news concerning Google’s project Nightingale. Then, keeping with big IT and healthcare, we examine Apple’s latest foray into healthcare research. Finally, we remind ourselves that the threat is real.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
Google’s Healthcare Project Draws Scrutiny.
News of Google’s partnership with Ascension, one of the United States’ largest healthcare systems, has drawn intense public scrutiny and even a probe by the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) for potential Health Insurance Portability and Accountability Act (HIPAA) violations. The project, which only came to light when a whistleblower contacted the Wall Street Journal, has allegedly allowed some 150 Google employees and 100 Ascension employees to access the personal information of tens of millions of Americans in 21 states without their knowledge.[i] The whistleblower has also dumped a number of documents that show Ascension employees harbored serious concerns over Google’s use of the collected personal health information and that Google did not respond to questions over security.[ii]
While the secrecy of the project is in itself somewhat concerning, the actual details of the project are potentially worse. The Guardian reports that the data being transferred to Google is not being de-identified, contains full personal details, and may be accessed by Google staff, while the Wall Street Journal has reported that the data includes lab results, doctor’s diagnoses and hospitalization records.[iii], [iv]
Both Google and Ascension maintain that the project meets required privacy and security requirements, with Ascension stating, “All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”[v] Google’s insistence that their project meets all security and privacy requirements quickly received pushback, with HHS OCR promising “to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” while numerous lawmakers on both sides of the aisle expressed their concern over the project.[vi], [vii]
How Apple and Healthcare Tech Affect Health Research
Meanwhile…
Large-scale healthcare studies can provide invaluable information that is often needed to better understand ailments, create better treatments, and establish baselines of health within the general population. Major health studies, especially ongoing ones, are incredibly resource intensive and require enormous effort to find and keep willing participants. However, the explosion of healthcare apps, smartwatches, and fitness trackers into the United States’ $3.5 trillion healthcare market has drastically lowered the barrier to accessing enormous amounts of health data.[viii]
This development has pulled big tech companies like Google and Apple directly into the medical research community. Apple is currently involved in a number of major studies using their applications, including a heart and movement study, a women’s health study, and a hearing study.[ix] The results have been astounding, with researchers at Stanford Medicine able to enroll over 400,000 participants in only eight months.[x] For all the benefit these studies may bring, there remains a significant concern over the security and privacy of the devices and applications, and of the usefulness of the studies themselves.
Not everyone is eager to believe Apple’s claim that their research apps meet federal standards for working with personal health information, including pseudonymizing the data for researchers.[xi] These reservations are reinforced when stories like Google’s project Nightingale make international headlines. This is to say nothing of the concern that tech-centric healthcare widens the gap for socio-economically disadvantaged minorities, who have historically been absent from many healthcare studies already.
Healthcare Attacks on the Rise
From our “Just in case you forgot” Department: According to Malwarebytes’ recently released report, “Cybercrime Tactics and Techniques Q3 2019: The State of Healthcare Cybersecurity,” there has been a “60% increase in threat detections at healthcare organizations by comparing all of 2018 against just the first three quarters of 2019.”[xii] Malwarebytes attributes much of that growth to Trojan malware, specifically Emotet and Trickbot, which have often been used as an attack vector for the delivery of ransomware. The report suggests that healthcare is often targeted for its “large databases of patients’ personally identifiable information, lack of sophisticated security model, and high number of endpoints and other devices connected to the network.”[xiii]
While the medical industry ranked 7th in the report’s “top industries by detection,” well behind education, manufacturing, and retail, Malwarebytes expects the medical industry to move up the list by the end of the year if current trends continue apace. Among the report’s key takeaways was the geographic breakdown of the detections against US healthcare organizations. The West and Midwest regions combined for roughly 78% of all malware detections, whereas the Northeast represented only 7% and the South only 15% of detections.[xiv] Curiously, the attack profile for the Northeast region differs significantly from the other three, with TrickBot not even in the top 5 most common threats. Malwarebytes did not attempt to explain the geographic differences, but it is an excellent reminder that global or national organizations must not simply aggregate threat intel and information sharing to produce monolithic approaches to cyber threats.
Other key takeaways included the observations that vulnerabilities in third-party vendor software were the top attack method to penetrate a healthcare organization’s network, that the cost of a healthcare breach, both financially and with regard to patient wellbeing, is far higher than in other industries, and that the rise of internet-connected devices within the medical field poses a huge potential for risk if not properly secured.[xv] Few of the final conclusions of the report will come as a surprise to CISOs in this space, as the report found that security teams need more resources, staff need more training, and new technology needs to be carefully integrated to preserve security.
Congress –
Tuesday, November 19th:
– No relevant hearings
Wednesday, November 20th:
– No relevant hearings
Thursday, November 21st:
– No relevant hearings
International Hearings/Meetings –
EU – No relevant hearings
Conferences, Webinars, and Summits –
–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)
https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum
–Cyber Security & Data Protection Summit 2019 – London, UK (11/20/2019)
https://cybersecuritysummit.co.uk/
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/2019)
https://h-isac.org/summits/fall-summit-2019/
–H-ISAC Security Workshop – London, UK (2/5/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-2/
–Global Cyber Security in Healthcare & Pharma Summit – London, UK
http://www.global-engage.com/event/cybsec-health-summit/
–H-ISAC Analysts Security Workshop – Titusville, FL (3/4/2020)
https://h-isac.org/hisacevents/h-isac-analysts-security-workshop-titusville-fl/
–H-ISAC Security Workshop – Cambridge, MA (4/7/2020)
https://h-isac.org/hisacevents/h-isac-security-workshop-cambridge-ma/
Sundries –
–US-CERT Warns of Remotely Exploitable Bugs in Medical Devices
–Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings
https://www.wired.com/story/intel-mds-attack-taa/
–Breach affecting 1 million was caught only after hacker maxed out target’s storage
–The NHS wants more data about your health – and your smartphone could be the answer
Contact us: follow @HealthISAC, and email at contact@h-isac.or
[i] https://www.dailymail.co.uk/news/article-7690909/Anonymous-whistleblower-reveals-concerns-Googles-Project-Nightingale.html
[ii] https://www.theguardian.com/technology/2019/nov/12/google-medical-data-project-nightingale-secret-transfer-us-health-information
[iii] https://www.theguardian.com/technology/2019/nov/12/google-medical-data-project-nightingale-secret-transfer-us-health-information
[iv] https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790
[v] https://www.ascension.org/News/News-Articles/2019/11/11/19/51/Ascension-and-Google-working-together-on-healthcare-transformation
[vi] https://www.wsj.com/articles/senators-urge-scrutiny-of-health-data-deals-including-google-project-11573597883?mod=article_inline
[vii] https://www.wsj.com/articles/behind-googles-project-nightingale-a-health-data-gold-mine-of-50-million-patients-11573571867
[viii] https://www.nytimes.com/2019/11/14/technology/apple-harvard-health-studies.html
[ix] https://www.apple.com/newsroom/2019/09/apple-announces-three-groundbreaking-health-studies/
[x] https://www.nytimes.com/2019/11/14/technology/apple-harvard-health-studies.html
[xi] https://www.nytimes.com/2019/11/14/technology/apple-harvard-health-studies.html
[xii] https://resources.malwarebytes.com/files/2019/11/191028-MWB-CTNT_2019_Healthcare_FINAL.pdf
[xiii] https://resources.malwarebytes.com/files/2019/11/191028-MWB-CTNT_2019_Healthcare_FINAL.pdf
[xiv] https://resources.malwarebytes.com/files/2019/11/191028-MWB-CTNT_2019_Healthcare_FINAL.pdf
[xv] https://resources.malwarebytes.com/files/2019/11/191028-MWB-CTNT_2019_Healthcare_FINAL.pdf