Digital Transformation and Cybersecurity in Healthcare
This is Digital Health Week in Canada, so the theme of this week’s cyber news round-up is healthcare and the medical sector. News and resources for DHW 2020 are available on the Access 2022 and Digital Health Canada websites.
Digital transformation in the healthcare sector is creating an ever-expanding cyber threat landscape. Get your free and confidential security ratings snapshot report today and see how you benchmark against your peers in twenty major cybersecurity risk categories.
As an added incentive, ISA can also review the security ratings report with you to investigate any cyber risks in your organization, and deliver a clear and compelling action plan to implement improvements and strengthen your cybersecurity posture.
Cybersecurity journal releases proposal on global health security framework
The International Journal of Cybersecurity Intelligence and Cybercrime has released a research paper that “discusses and proposes the inclusion of a cyber or security risk assessment section during the course of public health initiatives involving the use of information and communication computer technology.” Using the NIST Cybersecurity Framework (CSF) as a foundation, the paper outlines a recommended approach for conducting a risk assessment in an era of heightened security awareness and concern in the healthcare industry. Though it remains an outline, the paper provides interesting insights on process and procedure that can be mapped to organizations in the healthcare, medical, and pharma sectors.
The IJCIC is affiliated with the Center for Cybercrime Investigation & Cybersecurity (CIC) in Boston. The paper appears in Volume 3, Issue 2 (2020) of the journal.
IoT Business News lists “most hackable” medical devices
IoT Business News, an online news reference site specializing in M2M and IoT technology, has released its list of the four devices in use in hospitals today that are “most susceptible to cybersecurity breaches”. Wireless infusion pumps (which can dispense medical fluids without an in-person visit from medical personnel), surgically implanted devices, smartpens used by healthcare providers, and vital signs monitors comprised the list. Hackers could disable any of these devices or corrupt the data they collect or share, potentially leading to serious consequences for the patient – and legal repercussions for the healthcare facility.
The article recommends the use of VPNs to help shield the IoT devices from attack, since the devices themselves often cannot be “hardened” sufficiently to provide adequate security.
Texas Hospital shuts down services after cyber attack
Hendrick Health, based in Abilene, Texas, is among the latest healthcare organizations to suffer a cyber attack. According to a posting on their website, “[On November 9], our information technology department became aware of a network security threat at Hendrick Medical Center (main campus) and some Hendrick clinics. To fully address the issue, we have shut down Hendrick IT networks. Our primary goal is to maintain patient safety while administering downtime procedures.”
The medical centre’s in-patient services remain open, but for the past week, patients have been directed to “the most appropriate campus for their care”. According to local officials, some out-patient services – including therapies and doctors’ visits – are also being re-scheduled until services can be resumed.
As the outage enters its second week, Hendrick Health continues to work around the clock to diagnose, address, and resolve the issue, while co-ordinating “with industry experts and law enforcement to address the issue to get our networks back up and running”.
Microsoft issues plea for global healthcare defense
In their “Microsoft on the Issues” official corporate blog, Microsoft issued a call for global co-operation in defending against cyber threats against the health sector. Tom Burt, Corporate Vice-President, Customer Security & Trust, mused that this time in history will be remembered for two pandemics – COVID-19 and the scourge of cyber crime.
Describing the attacks as “unconscionable”, Burt outlined the key players in the current cybersecurity crisis affecting healthcare – criminal organizations originating in Russia (Strontium) and North Korea (Zinc and Cerium) – as well as their primary targets: hospitals, leading pharmaceutical companies and vaccine researchers around the globe. The criminal actions are drawing attention and resources away from life-saving efforts and research, and one such attack has famously been blamed for the death of a German woman whose critical care was delayed by it.
Burt announced that on November 13, “Microsoft’s president Brad Smith is participating in the Paris Peace Forum where he will urge governments to do more. Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”
Burt also reminded healthcare organizations about Microsoft’s threat notification service “AccountGuard”, which has been made freely available to organizations working on COVID-19 care and research. He reported that 195 organizations have enrolled in the service, and that some 1.7 million email addresses are now under the system’s protection.
Delaware’s Division of Public Health discloses data breach
Not all breaches are due to external threats: on November 15, public health officials in the state capital of Dover announced that user error resulted in the August disclosure of personal data relating to up to 10,000 people who had been tested for COVID-19.
On at least two occasions, unencrypted data including COVID-19 test results, names, dates of birth, and phone numbers was sent by a temporary staff member to an unauthorized user. Fortunately in this case, the unauthorized user recognized the sensitivity of the data, reported the breach, and deleted the emails.
Though the incidents occurred in August, and the disclosure was reportedly discovered in mid-September, formal letter-mail notifications to the individuals involved are not starting until at least November 16.
The state has reported the breach to federal authorities, and has set up a call centre for individuals concerned that their data may have been affected.
More bad legal news for LifeLabs after 2019 data breach
LifeLabs, the medical lab diagnostic services company that experienced the largest data breach in Canadian history, is facing multiple class action suits in Ontario and British Columbia. A recent B.C. ruling has made the litigation even more complicated for the company.
On November 6, Madam Justice Nitya Iyer of the B.C. Supreme Court declined to stop two B.C. suits against the company after the Ontario Supreme Court awarded carriage of the Ontario suits to just one of three competing groups of class action law firms. There remain nine proposed actions in B.C. and four in Ontario.
In the judge’s view, despite the same root cause of action, the parallel class actions are not duplicates of one another. She wrote, “Although I appreciate that the multiple carriage motions are inefficient, this must be balanced against the interests of putative B.C. class members to have their best interests considered by a B.C. court.”
LifeLabs’ computer systems were breached in October 2019, though an announcement about the breach was not made until mid-December that year. Data affecting up to 15 million patients – primarily in Ontario and B.C. – was compromised. The data was reportedly stored unencrypted on corporate systems, and included lab test results, national health card numbers, and personally identifiable information including names, dates of birth, home addresses and email addresses. Even login and password credentials were reportedly disclosed in the breach.
LifeLabs’ President & CEO Charles Brown said the company retrieved the compromised data by making a ransom payment.
An investigation in 2020 found that the company had failed to implement “reasonable safeguards” to protect patients’ personal health information, which violated B.C.’s personal information protection law, Ontario’s health privacy law and the Personal Health Information Protection Act. The investigation also found that LifeLabs lacked adequate technology security procedures and policies, and – to make matters worse – collected more personal information than necessary, exacerbating the impact of the breach.
“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” B.C. Information and Privacy Commissioner Michael McEvoy said in a statement in June 2020. “LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm.”
Information and Privacy Commissioner of Ontario, Brian Beamish – who is retiring at the end of 2020 – said “the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks” at the time.
After months of public relations incidents (security and confidentiality issues with the complimentary credit monitoring offered by LifeLabs, class actions exceeding C$1.14 billion, public squabbles with privacy commissioners over the details of the breach, and more), this latest twist adds to the cautionary tale about the importance of securing sensitive personal health data.