H-ISAC Hacking Healthcare Blog 7-2-19
#ENISA’s upcoming #EU #cybersecurity certification framework, Iranian APT intensifies, #NIST #IoT report.
TLP White: In this edition of Hacking Healthcare, we discuss the European Union’s new official cybersecurity agency and their plans for a cyber certification scheme. We then check in on Iranian cyber escalation. Finally, we examine NIST’s new guidance on IoT security and how it should inform medical device development and implementation.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
Hot Links –
1. ENISA Elevated and Cyber Certifications Coming.
ENISA, the European Union Agency for Network and Information Security, has been elevated by the European Union (EU) to become its official permanent cybersecurity organization. Through a new mandate enshrined in the EU’s Cybersecurity Act, ENISA will rebrand to the European Union Agency for Cybersecurity (EUAC) and will take the reins on implementing a new cybersecurity certification framework for ICT digital products in the EU.[1] The new mandate should also be a huge boost to ENISA’s financial and human resources, adding 50% more staff and more than doubling the current budget, all of which will be needed as the agency moves to implement the certification scheme.[2],[3]
As for the certification scheme, last January ENISA’s Executive Director, Udo Helmbrecht, outlined the importance of developing a certification model that supports the “ambition to create a single digital marketplace for Europe.”[4] An EU-wide framework is considered necessary by many to streamline the process of bringing new products to market while avoiding fragmentation and unwanted barriers to entry. The removal of barriers has been touted as very beneficial to small and medium businesses looking to expand without needing to spend extensive resources on various state-level certifications.
However, the certification scheme is not compulsory, and its exact details have not yet been finalized. The intention is to create a scheme that specifies “a) the categories of products and services covered, b) the cybersecurity requirements, for example by reference to standards or technical specifications, c) the type of evaluation (e.g. self-assessment or third party evaluation), and d) the intended level of assurance (e.g. basic, substantial and/or high).”[5]
2. Iranian APT Intensifies Actions.
As tensions mount in the Middle East, Iran is not only being accused of physical attacks on oil tankers, but also of bolstering its cyber forces and proxies. A new report from Recorded Future states that Advanced Persistent Threat 33 (APT 33), also known as Elfin and Inskit, has substantially increased its supporting infrastructure to coincide with a rise in espionage and cyberattack activity.[6] This claim was echoed by Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs, who stated that Iran’s recent increase in cyber activity went beyond the usual baseline and seemed “specifically directed.”[7] The report concludes with a few key takeaways.
First, Recorded Future was keen to point out that APT 33 and its associated groups continued to make widespread use of publicly available malware. In particular, researchers noted at least 19 variations of Remote Access Trojans (RATs), all of which bolster the group’s efforts to muddy the waters of attribution and enable large-scale generic attacks rather than highly complex targeted ones.[8]
Secondly, Recorded Future noted that the majority of targets seemed to align with Iran’s general geopolitical goals. These included Saudi Arabian organizations and the aerospace, oil & gas, and defense industries. Lastly, Recorded Future suggested that network defenders should strongly consider blocking the IP addresses and domains listed in its report.
3. IoT Perspectives from Standards and Industry.
The race to embrace IoT has had the unfortunate effect of leaving standards bodies and experts little time to properly assess the technology, issue appropriate guidance on its implementation, and address security and risk management. However, this past week the National Institute of Standards and Technology (NIST) issued a new report entitled “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks,” an attempt to fill that void.
The 34-page report was designed to “help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles.”[9] The document outlines “basic definitions and critical issues, such as the operational difference between privacy and security[…] It goes on to address large management considerations, including device access and management, and the dramatic difference between the security capabilities of IT hardware and IoT systems.”[10] NIST also made clear that this is only the introductory document of a series that will address these issues in far more detail in future publications.
NIST’s guidance will certainly be helpful in the rapidly expanding medical device field, where patient data and personal safety are of the utmost concern. In fact, several medical technology experts recently outlined to Healthcare IT News what they consider to be implementation best practices for medical devices. While a number of considerations, including staff workflow and patient outcomes, were listed, Ehren Powell, CIO at GE Healthcare, stressed the need to “ensure your vendor has a robust cybersecurity program around developing new products, and continues to modernize connectivity infrastructure.”[11] This sentiment was further acknowledged by Tim Mitchell, vertical sales manager, iHealthcare, at Advantech, who stated that “unsecured, or poorly secured medical devices put patients and healthcare providers at risk if those devices are hacked, posing a threat to PHI.”[12]
Congress –
Tuesday, June 2nd:
-No relevant hearings
Wednesday, June 3rd:
-No relevant hearings
Thursday, June 4th:
-No relevant hearings
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)
https://h-isac.org/hisacevents/healthcare-cybersecurity-workshop-dublin-ireland/
–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)
https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit
–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)
https://endeavor.swoogo.com/2019-California-Cybersecurity-Forum
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
https://h-isac.org/hisacevents/health-it-summit-northeast/
–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)
https://endeavor.swoogo.com/2019-Northeast-Cybersecurity-Forum
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
https://h-isac.org/summits/european_summit/
–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)
https://endeavor.swoogo.com/2019-Minneapolis-Health-IT-Summit
–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)
https://endeavor.swoogo.com/2019_Midwest_Cybersecurity_Forum
–Health IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit
–Southwest Healthcare Cybersecurity Forum (11/15/2019)
https://endeavor.swoogo.com/2019_Southwest_Cybersecurity_Forum
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–Pacific Northwest Healthcare Cybersecurity Forum (11/20/2019)
https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/19)
https://www.loewshotels.com/coronado-bay-resort
Sundries –
–Second US town pays up to ransomware hackers
https://www.bbc.com/news/technology-48770128
–Report: Code Responsible for Equifax Breach Downloaded 21 Million Times Last Year
https://www.nextgov.com/cybersecurity/2019/06/report-code-responsible-equifax-breach-downloaded-21-million-times-last-year/158042/
–Dominion National Discovers Breach 9 Years After it Happened
https://www.bleepingcomputer.com/news/security/dominion-national-discovers-breach-9-years-after-it-happened/
–New Linux Worm Attacks IoT Devices
https://www.darkreading.com/iot/new-linux-worm-attacks-iot-devices/d/d-id/1335065
–Health Insurance Open Marketing Database Exposes 5 Million Personal Records
https://www.bleepingcomputer.com/news/security/open-marketing-database-exposes-5-million-personal-records/
–Cleveland Clinic: AI could help personalize treatment for lung cancer patients
https://www.healthcareitnews.com/news/cleveland-clinic-ai-could-help-personalize-treatment-lung-cancer-patients
–Security firms demonstrate subdomain hijack exploit vs. EA/Origin
https://arstechnica.com/information-technology/2019/06/security-firms-demonstrate-subdomain-hijack-exploit-vs-eaorigin/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cso.com.au/article/663405/eu-gets-new-boss-rating-products-cybersecurity/
[2] https://ec.europa.eu/digital-single-market/en/news/cybersecurity-eu-cybersecurity-agency-and-eu-framework-cybersecurity-certification
[3] https://www.enisa.europa.eu/publications/ed-speeches/towards-a-new-role-and-mandate-for-enisa-and-ecsm
[4] https://www.enisa.europa.eu/publications/ed-speeches/towards-a-new-role-and-mandate-for-enisa-and-ecsm
[5] https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework
[6] https://www.recordedfuture.com/iranian-cyber-operations-infrastructure/
[7] https://arstechnica.com/tech-policy/2019/06/we-need-to-up-our-game-dhs-cybersecurity-director-on-iran-and-ransomware/
[8] https://www.recordedfuture.com/iranian-cyber-operations-infrastructure/
[9] https://www.nist.gov/publications/considerations-managing-internet-things-iot-cybersecurity-and-privacy-risks
[10] https://www.darkreading.com/iot/nist-issues-iot-risk-guidelines/d/d-id/1335080
[11] https://www.healthcareitnews.com/news/implementation-best-practices-giving-medical-devices-iot-special-attention
[12] ibid