H-ISAC Hacking Healthcare blog 6-5-19
TLP White: In this edition of Hacking Healthcare, we examine a New York data breach bill that could have substantive effects on healthcare organizations. We then discuss NATO’s recent signaling that it will not rule out offensive cyber measures to protect member nations’ sensitive data. Finally, we discuss China’s response to the Huawei ban and the lessons companies in the healthcare industry can draw from it.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
Hot Links –
1. New York Considers Substantive Data Security Requirements in Proposed Legislation.
New York legislators are considering passing the Stop Hacks and Improve Electronic Data Security Handling (“SHIELD”) Act. Unlike other state data security laws, the SHIELD Act would require more than mere “reasonable” measures to protect data. It would require companies to train employees in cybersecurity, conduct risk assessments, and put a dedicated employee in charge of the organization’s data security program.[1] The bill is expansive in scope, as it would cover any company that holds New York residents’ personal information, regardless of where the company itself is located.[2]
If passed, the bill will affect companies in the healthcare industry, since every covered company will have to bring its data security practices up to the standards in the law. At the very least, healthcare companies handling New Yorkers’ personal information will have to implement cybersecurity training, undertake regular risk assessments, and allot dedicated staffing to data security. We suggest closely monitoring the bill, New York S.B. 6933B, and considering now how best to implement its provisions should it become law; organizations already aligned to a recognized framework (for example, the HIPAA Security Rule’s risk analysis and workforce training requirements) will find much of the groundwork already in place.
2. NATO Takes the Offense on Cybersecurity.
NATO has signaled that it will not rule out offensive cyber operations to achieve its overarching policy goals. Unlike defensive measures, which harden and monitor one’s own networks, offensive cyber operations act against an adversary’s systems, whether to disrupt an ongoing attack, degrade the attacker’s capabilities, or deter future ones. At a conference in London last week, NATO Secretary General Jens Stoltenberg said the treaty organization is “not limited to respond in cyberspace when we are attacked in cyberspace.”[3] This new openness to proactive action came as a surprise to some, as NATO was originally created to be a defensive international alliance, not an offensive one.[4]
The underlying treaty document governing NATO gets its teeth from a provision that commits the parties to treat an attack against another member as an attack against their own country. Article 5 of the treaty states: “The parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all.”[5] Article 5 has been invoked only once, in response to the 9/11 attacks on the United States. Whether a given cyber incident rises to the level of an “armed attack” is a political determination made by the Allies case by case; in this new era of cyber threats and offensive strategies for NATO, the meaning of Article 5 could expand and the frequency of its use could grow.
3. Huawei Ban Prompts Chinese Response.
From our “We know we keep talking about this, but it is important” department, we note that as trade tensions continue to rise between the U.S. and China, issues surrounding cybersecurity have been thrust into the spotlight. China has indicated it will retaliate against U.S. companies in response to the decision to effectively ban Huawei.[6] In May, President Trump signed the Executive Order on Securing the Information and Communications Technology and Services Supply Chain, which authorizes the Commerce Department to block transactions involving technology from designated “foreign adversaries,” limiting the company’s ability to sell hardware in the U.S.; the Commerce Department separately added Huawei to its Entity List, restricting U.S. suppliers from selling it components without a license.[7] In answer to the Huawei ban, China has stated that “necessary measures” will be taken against certain “unreliable” companies it has yet to name.[8]
To some extent, Huawei is a pawn in a much larger trade dispute between the United States and China. However, the United States maintains that Huawei is a significant national security risk. Critics have argued that Huawei’s telecommunications infrastructure equipment could give the Chinese government a foothold in the U.S. telecom network. For healthcare organizations, the practical lesson is the same regardless of how the dispute resolves: know which vendors sit in your supply chain, including medical devices and network equipment, and have a plan for a supplier becoming unavailable or untrusted on short notice. The U.S. government judged the risk substantial enough to prompt official action that effectively bars the company from the U.S. market.
Congress –
Tuesday, June 4th:
-Hearing: “Investing in America’s Health Care” (House – Committee on Energy and Commerce – Subcommittee on Health)
-Hearing: Mind the ‘Skills’ Gap: Apprenticeships and Training Programs (House – Committee on Small Business – Subcommittee on Innovation and Workforce Development)
Wednesday, June 5th:
-No relevant hearings
Thursday, June 6th:
-No relevant hearings
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit
–Payer Risk discussion on H-ISAC Radio – Webinar (6/10/2019)
https://h-isac.org/hisacevents/payer-risk-discussion-on-h-isac-radio/
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
https://h-isac.org/hisacevents/health-it-summit-southeast-2019/
–H-ISAC Healthcare Cybersecurity Workshop – Buffalo, NY (6/18/2019-6/19/2019)
https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
https://h-isac.org/hisacevents/workshop-london/
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
https://h-isac.org/hisacevents/cybsec-and-blockchain-health/
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)
https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
https://h-isac.org/hisacevents/health-it-summit-northeast/
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
https://h-isac.org/summits/european_summit/
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)
https://www.loewshotels.com/coronado-bay-resort
Sundries –
—Emotet Botnet Behind Most Email-Based Threats in Q1 2019
—Deepfakes are getting better—but they’re still easy to spot
—To Fight Deepfakes, Researchers Built A Smarter Camera
https://www.wired.com/story/detect-deepfakes-camera-watermark/
—Chinese-linked APT10 has been active in the Philippines, researchers say
https://www.cyberscoop.com/chinese-linked-apt10-has-been-active-in-the-philippines-researchers-say/
—Stop demonizing encryption
https://www.cyberscoop.com/encryption-whatsapp-andrea-little-limbago-virtru/
—DHS assessment of foreign VPN apps finds security risk real, data lacking
https://www.cyberscoop.com/dhs-mobile-vpn-apps-chris-krebs-ron-wyden/
—With A Worm Looming, The BlueKeep Bug Isn’t Getting Patched Fast Enough
https://www.wired.com/story/microsoft-bluekeep-patched-too-slow/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cyberscoop.com/new-york-data-security-law-shield-act-gdpr/
[2] https://www.nysenate.gov/legislation/bills/2017/s6933
[3] https://www.nextgov.com/cybersecurity/2019/05/nato-getting-more-aggressive-offensive-cyber/157287/
[4] https://dod.defense.gov/News/Article/Article/1803445/a-short-history-of-nato/
[5] Id.
[6] https://www.theverge.com/2019/5/31/18647021/china-us-trade-war-trump-huawei-rare-earths-embargo-softbank-5g-snub
[7] https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/
[8] https://www.bloomberg.com/news/articles/2019-05-31/china-to-set-up-unreliable-entity-list-after-u-s-huawei-ban