H-ISAC Hacking Healthcare 12-8-2020

TLP White: This week, Hacking Healthcare briefly draws your attention to more great work going on at the National Institute of Standards and Technology (NIST) in the healthcare space. We then move to an analysis of the U.S. Government Accountability Office’s (GAO) new technology assessment report on AI in healthcare. It’s a comprehensive look at an emerging technology that holds considerable promise while posing significant challenges. Next, we update you on the concerning development that a sophisticated phishing campaign has been targeting the COVID-19 vaccine distribution supply chain. Finally, we wrap up with a rundown of TrickBot’s newest capability and why you might want to brush up on your awareness of this nasty piece of malware.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. NIST Cybersecurity Practice Guide SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem

This is a friendly reminder that the public comment period for NIST Cybersecurity Practice Guide SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem is set to close on December 18^th. For organizations interested in commenting, or for those looking to learn more, please visit the link below:

https://www.nccoe.nist.gov/projects/use-cases/health-it/telehealth

While NIST has many great people working on these projects, they need the expert input of practitioners and others who live the day-to-day realities of cybersecurity. If telehealth matters to you and your organization, we strongly encourage you to provide some feedback.

2. U.S. GAO Publishes Technology Assessment on AI in Healthcare

Earlier last month, the GAO released a 106-page paper entitled Technology Assessment – Artificial Intelligence in Health Care: Benefits and Challenges of Technologies to Augment Patient Care.[1] The document is an interesting collaboration between the GAO and the National Academy of Medicine designed to “explore AI in augmenting patient care both inside and outside traditional clinical settings, assess its implications, and identify key policy options available for optimizing its use.”[2]

While the full report is too lengthy and nuanced to summarize well in short form, below is a quick recap of its general topics and findings. Should any of the following sections spark your interest, we encourage you to take a read through the full document.

The report ultimately addresses three topics:[3]

1. 1. Current and emerging AI tools available for augmenting patient care and their potential benefits
2. 2. Challenges to the development and adoption of these tools
3. 3. Policy options to maximize benefits and mitigate challenges to the use of AI tools to augment patient care

The report finds five categories of clinical AI applications with promise to augment patient care, which are described as being in various stages of maturity from presently in partial use to decades from implementation:[4]

1. 1. Predicting health trajectories
2. 2. Recommending treatments
3. 3. Guiding surgical care
4. 4. Monitoring patients
5. 5. Supporting population health management

Furthermore, the report addresses how AI tools can improve patient care by lessening the administrative burden on caregivers and healthcare professionals, specifically in the categories of:[5]

1. 1. Recording digital clinical notes
2. 2. Optimizing operational processes
3. 3. Automating laborious tasks

Additionally, the report delves into the challenges to employing AI tools to augment patient care. These include:[6]

1. 1. Difficulties accessing sufficient high-quality data
2. 2. Bias in available data and the difficulty of addressing bias in data
3. 3. Scaling issues
4. 4. Limited transparency of many AI tools makes determining their effectiveness and safety difficult
5. 5. Greater dispersion of patient data due to AI tools makes securing that data more difficult
6. 6. A lack of established case law addressing AI tools makes healthcare providers hesitant to adopt them

Finally, the report also details six options for policymakers, which GAO broadly defines to include state and local governments, academic and research institutions, and industry. These options cover collaboration, data access, best practices, interdisciplinary education, oversight clarity, and the status quo.

Action & Analysis
**Membership required**           

3. Threat Actors Target Vaccine Distribution

It has been well publicized that malicious cyber actors have been targeting organizations involved in developing COVID-19 vaccines or conducting COVID-19 research. Various governmental authorities and private sector organizations from the United States, Canada, and the U.K. have published advisories over the past few months to emphasize this fact.[7] As COVID-19 research and vaccine development continues, it appears well-resourced threat actors are expanding the scope of their operations.

In a December 3^rd post, IBM security researchers outlined their discovery of a “global phishing campaign targeting organizations associated with a COVID-19 cold chain.”[8] As you might be able to surmise, the “cold chain” is “a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.”[9] This means that as the development of COVID-19 vaccines has evolved past research and development and into transportation and delivery, cyber threat actors have decided to keep pace.

According to the report, “this calculated operation started in September 2020” and “spanned across six countries” in both Europe and Asia.^[10] The individuals targeted were typically “executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain.”[11] IBM reports that attribution remains murky, but it has the characteristics of “nation-state tradecraft.”[12]

IBM’s researchers assessed that the likely purpose of this campaign was to harvest credentials for future use. Speculating further, they outlined how these credentials could be used to gain insights into “internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine” and “information regarding infrastructure that governments intend to use to distribute” it.[13]

Action & Analysis
**Membership required**

4. TrickBot Malware Adds Concerning New Capability

TrickBot, an insidious piece of malware first detected in 2016, has been a constant source of aggravation for organizations in a multitude of sectors. Known for repeatedly evolving to include new capabilities, TrickBot has turned from a banking trojan used to steal financial data to a “valuable enabler in all types of malware campaigns.”[14] More recently, TrickBot has been seen used in collaboration with Emotet to spread Ryuk ransomware.[15]  A new joint report by Eclypsium and Advintel raises significant concerns about TrickBot’s newest evolution. According to the 21-page report published late last week, TrickBot now possesses the ability to look for common vulnerabilities in a device’s UEFI/BIOS firmware.[16]

According to the report, this functionality could allow TrickBot users the ability to “read, write, or erase the UEFI/ BIOS firmware of a device.”[17] Furthermore, this does not appear to be speculation. The security researchers allege they have “uncovered TrickBot performing reconnaissance for firmware vulnerabilities,” and there is concern that organizations are already being targeted.[18]

This evolution marks a serious threat for organizations that find themselves victims of a Trickbot attack. The report notes how “UEFI level implants are powerful and stealthy,” and how “these threats can provide attackers with ongoing persistence even if a system is re-imaged or a hard drive is replaced” since UEFI/BIOS firmware is located on the motherboard.[19] However, the most concerning aspect of UEFI/BIOS exploitation is the possibility of “bricking” a device. In this case, corrupting or erasing the UEFI/BIOS could result in the targeted device becoming nothing more than an expensive paper weight.

Action & Analysis
**Membership required**

Congress –

Tuesday, December 8th:

– No relevant hearings

Wednesday, December 9th:

– Senate – Committee on Commerce, Science, and Transportation: Hearings to examine the invalidation of the European Union-United States Privacy Shield and the future of transatlantic data flows.

Thursday, December 10th:

– No relevant hearings

International Hearings/Meetings –

– No relevant hearings

EU –

Sundries –

The EU is making overtures about cybersecurity collaboration under Biden

https://www.cyberscoop.com/the-eu-is-making-overtures-about-cybersecurity-collaboration-under-biden/

Lightning does strike twice: If you get hacked once, you’ll probably be attacked again within a year

https://www.zdnet.com/article/lightning-does-strikes-twice-if-you-get-hacked-once-youll-probably-be-attacked-again-within-a-year/

Conferences, Webinars, and Summits –       

https://h-isac.org/tmp24/events/

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.gao.gov/assets/720/710920.pdf

[2] https://www.gao.gov/assets/720/710920.pdf

[3] https://www.gao.gov/assets/720/710920.pdf

[4] https://www.gao.gov/assets/720/710920.pdf

[5] https://www.gao.gov/assets/720/710920.pdf

[6] https://www.gao.gov/assets/720/710920.pdf

[7] https://www.bbc.com/news/technology-53429506

[8] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[9] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[10] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[11] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[12] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[13] https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/

[14] https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background

[15] https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background

[16] https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

[17] https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

[18] https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

[19] https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

• Related Resources & News
• Health-ISAC Hacking Healthcare 8-26-2024
• What is Threat Intelligence? A Comprehensive Overview
• Why Cybercriminals Target Healthcare Data and How Organisations Can Protect Themselves
• Federal Authorities Work to Boost Health-Care Cybersecurity
• Health-ISAC Hacking Healthcare 8-9-2024
• Health-ISAC Medical Device Blog – VEX
• Podcast: Health-ISAC Featured in Cyberwire Daily episode 2021
• Health-ISAC Hacking Healthcare 8-2-2024
• Protecting Healthcare Organizations with Human-Centric Email Security
• American Hospital Association and Health-ISAC Joint Threat Bulletin