Researchers at cybersecurity firm AlienVault have discovered a computer virus of North Korean origin which infects and hijacks computers in order to mine Monero, a private digital currency which styles itself as “secure, private and untraceable.” Cryptocurrency mining is the resource-intensive process by which computers or “miners” running specific software verify cryptocurrency transactions. In exchange for their computing power, miners are given small amounts of cryptocurrency. In the case of North Korean’s Monero malware, the virus installs mining software on infected computers unbeknownst to their owners or users. The software then secretly mines Monero and sends mining rewards back to a server located at Kim II Sung University in Pyongyang. Researchers are unsure how many computers may be affected. Continue Reading
Our experience last year is consistent with the conclusion of a new report issued by Cryptonite in its 2017 Health Care Cyber Research Report—that the number of hacking events targeted at health care entities involving ransomware increased a whopping 89% from 2016.
The report analyzed the self-reporting database of the Office for Civil Rights (OCR) which requires covered entities to report data breaches. The number cited by Cryptonite may in fact be lower than reality as pursuant to the Health Information Technology for Economic and Clinical Health Act, covered entities have until March 1, 2018, to report breaches of records that involve less than 500 individuals, so additional reporting is forthcoming.
The report notes that there were 140 IT/hacking events reported to the OCR in 2017, which was 24 percent more than the 113 reported in 2016. This is up from 57 reported in 2015 and 35 in 2014. Those numbers alone show that the health care industry continues to be a target.
Six of the largest IT/hacking incidents reported to the OCR in 2017 involved ransomware. According to the report, the number of reported major IT/hacking events attributed to ransomware by health care entities was 36 in 2017-up from 19 in 2016 which corresponds to an 89% increase from 2016 to 2017.
Health care entities continue to be targeted and attacked with ransomware and 2018 does not bode well for a decrease in these attacks.
This week, the world learned of widespread and serious vulnerabilities in most central processing units (CPU). CPUs manage the instructions received from the hardware and software running on a computer. The vulnerabilities, named Meltdown and Spectre, affect virtually every computer existing today, in particular those with Intel, Advanced Micro Devices, Inc. (AMD), Nvidia and Arm Holdings (ARM) processors.
Spectre and Meltdown essentially permit unauthorized access to an operating system’s secure and secret kernel memory, which often contains highly sensitive data, such as passwords, secret keys and other credentials as well as personal photos and emails. Generally, any personal or desktop computer, laptop, cloud system, mobile device, tablet or other computing device that uses these processors is vulnerable. In addition, Intel processors are used in a wide array of products, from personal computers to medical equipment. For a detailed technical description of how the vulnerabilities can be exploited, see https://googleprojectzero.blogspot.gr/2018/01/reading-privileged-memory-with-side.html
Initially, the Software Engineering Institute (SEI), a U.S.-government funded body operated by Carnegie Mellon University for the U.S. Department of Defense researching cybersecurity problems recommended replacing the vulnerable processor hardware in order to remove the threat. However, SEI subsequently amended its advice to say that software solutions should be pursued and quickly downloaded to mitigate against the vulnerabilities. Software solutions, patches and workarounds may not resolve the vulnerability and may actually affect system performance, but at this time they are the only known feasible measure to mitigate these vulnerabilities.
A bit of good news is that The European Union Agency for Network and Information Security (ENISA), which advices on cybersecurity matters for the EU reports that at this time, there are no known documented exploitations of these vulnerabilities. See https://www.enisa.europa.eu/publications/info-notes/meltdown-and-spectre-critical-processor-vulnerabilities
We previously reported that U.S. Customs and Border Patrol (CBP) has been stopping U.S. citizens at the borders of the United States and demanding passwords for access to mobile devices [view related post]. According to CBP, 19,051 mobile devices were searched at the border in 2016, which increased to 30,200 in 2017. All of these searches were performed without a showing of probable cause and a warrant.
In conducting searches of electronic devices, the CBP was using a policy adopted in 2009 which allowed CBP officers to search electronic media in the same manner as briefcases, backpacks, and notebook and did not require any suspicion of illegal activity by the individual.
The CBP recently updated its previous policy to allow CBP officers to conduct a basic search of an electronic device by requesting the individual to allow access to it and if needed, to bypass encryption or a password to gain access to it. If they have a reasonable suspicion of illegal activity or national security concerns, they may perform an advanced search, which gives them access to the device, and to review, copy or analyze the contents of it.
Privacy advocates state that CBP should not be allowed to search a device without probable cause and a warrant.
In a ten page letter that previews the Financial Industry Regulatory Authority’s (FINRA) priorities for 2018, initial coin offerings (ICOs) and transactions involving cryptocurrencies. This follows previous warnings by both the Securities and Exchange Commission (SEC) and FINRA about the risks associated with investing in ICOs and virtual currencies, including Bitcoin. SEC Chairman Jay Clayton and commissioners Kara Stein and Michael Piwowar issued a statement applauding the North American Securities Administrators Association’s reminder to investors that sellers of securities must follow laws applicable to them. According to the SEC statement, “Unfortunately it is clear that many promoters of ICOs and others participating in the cryptocurrency-related investment markets are not following these laws…the SEC and state securities regulators are pursuing violations, but we again caution you that, if you lose money, there is a substantial risk that our efforts will not result in a recovery of your investment.”
FINRA noted in its paper that it will continue to evaluate the cybersecurity programs of regulated entities to confirm that the firms are protecting investors’ personal and sensitive information from internal and external threats and that they are adequately preparing for and responding to cyber-attacks.
The risk associated with ICOs was further magnified this week when defendants in a case brought by the SEC in New York alleged that the Court did not have personal jurisdiction over them because they reside in Quebec and that they took measures to exclude U.S. citizens from the ICO. The SEC claims that the couple masterminded a fraudulent ICO that raised $15 million from investors. The offering was of a blockchain-based cryptocurrency “PlexCoin” which was sold through PayPal, Square and Stripe. The defendants allege that the use of U.S. payment services does not subject them to the jurisdiction of the Court.
The SEC alleges that over 1,500 investors in the U.S. were duped by the defendants and the ICO.
Stanford Medical Center (Stanford) is pursuing a new concept in the health care world—blood delivery to hospitals by drones. Currently, Stanford is seeking the Federal Aviation Administration’s (FAA) approval for this type of delivery, which it hopes to receive, since Stanford believes such delivery will help to save lives. Regardless of the traffic on the roadways, a drone can make a 2.5 mile flight from Stanford Blood Center to the medical center in less than five minutes, and for critical patients with a critical need for blood, that five minute drone flight might be the difference between living and dying. The blood center has partnered with drone manufacturer, Matternet and the City of Palo Alto to ask for permission from the FAA to launch a pilot program. Matternet Founder and CEO, Andreas Raptopoulos, said, “The two key things that you have to prove to the FAA is that you’re not going to harm people on the ground or increase the risk of other people using the airspace.” Matternet has also designed this delivery drone with a parachute that will deploy if the drone fails in any way which would prevent it from hurtling to the ground and limit the chance of injury to people below. Both Matternet and Stanford see a future where most hospitals are connected by a network of drones that can deliver life-saving supplies in record time.
While it may seem counter-intuitive, airports might just be one of the safest places for drones to fly; that is, with the caveat that drone flight in the unregulated airspace around the airports is clearly not safe and not permitted. Otherwise, drones can serve as a powerful tool to improve the safety, efficiency and cost-effectiveness of U.S. airport operations in years ahead. How? Well, drones can execute critical tasks such as foreign object debris inspections, security flyovers, fuselage inspections, wildlife detection (or deterrence) and more. The Federal Aviation Administration (FAA) already works with U.S. airports and tower personnel to ground planes and put airports on lock down to carry out critical tasks (e.g., de-icing or debris removal). If the FAA shuts down operations at an airport, drones can certainly help carry out some of these tasks with the help of trained, monitored and authorized drone operators. And, as technology continues to evolve, drones may offer even greater potential to U.S. airports. For example, a drone with advanced debris-detection sensors might be able to execute debris removal with much greater accuracy in less time than multiple employees with multiple vehicles; a drone with night vision technology could spot a trespasser on airport property and record the evidence for later use. This will be yet another area to watch as drones see more and more uses across more and more industries.
The first drone passenger flight (test flight that is) is set for 2018 in London. These passenger drones (also known as vertical take-off and landing aircraft—VTOLs) could cut the travel time from the Charing Cross train station to Heathrow airport to only 12 minutes from 40 minutes. Martin Warner, serial entrepreneur, inventor, and owner of Autonomous Flight has performed a few flights without passengers in its Y6S drone, and is set to run further tests using sandbags to adjust for human weight sometime this summer. The Y6S has a maximum speed of 70 mph and can fly at an altitude of up to 1,500 feet. The Y6S is powered by a lithium-ion battery and can travel within an 80-mile range. However, much like the U.S. and the Federal Aviation Administration (FAA), drone flights in London are regulated by the Civil Aviation Authority and there are rules for all aspects of flying drones. Warner says that those rules don’t necessarily extend to VTOLs. Regulations for these type of flights are currently under discussion by regulators and the VTOL sector is likely to be the ‘new gold rush’ in transportation and aviation.
We all learned the hard way how important patching vulnerabilities are when a major data breach occurred during 2017 that exposed the personal information of 80% of U.S. adults that was reportedly avoidable with a patch.
The biggest news in 2018 about patching is that to respond to the Spectre and Meltdown flaws [view related post], and a zero-day vulnerability in Microsoft Office, Microsoft issued 14 security updates this week.
It is being reported that computers using AMD chips are having difficulty pushing the patch issued by Microsoft and Microsoft has stated that it is suspending the patches for computers running AMD chips as they are having difficulty rebooting following the fix. Microsoft is presently working with AMD to find a suitable update. So if you have a computer using an AMD chipset, you will have to wait for a patch to be issued in the near future.
For the rest of us, the Microsoft patches issued this week (as well as all security updates received from manufacturers) are extremely important and following the recommendation of Microsoft and other manufacturers in pushing their patches is something to consider.
Covered entities, including employer sponsored health plans, should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) following OCR’s recent announcement of a large HIPAA settlement last month on the heels of its release of the preliminary results from Phase 2 of the HIPAA Audit Program.
Preliminary results from Phase 2 suggest that compliance with the HIPAA Privacy, Security and Breach Notification standards is largely “inadequate,” with over 94 percent of the covered entities failing to demonstrate appropriate risk management plans. A subsequent $2.3 million settlement with a covered entity highlights the importance for covered entities and their business associates to comply with HIPAA’s organizational, risk assessment, privacy and security, and other requirements.
As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements, covered entities may wish to take note of the following themes:
1. Implement a Risk Management Plan and Conduct Risk Assessments on a Regular Basis. Failure to implement a risk management plan and conduct regular risk assessments was one of the biggest HIPAA compliance points of failure in the OCR pilot audit program. Such programs are important to determine risk levels and assess the susceptibility of the covered entity to data breaches of electronically stored PHI.
2. Review Business Associate Agreements (BAA). Although there was an increase in awareness of the requirement that covered entities enter into BAAs with their subcontractors since the passage of the HIPAA Omnibus Rule in 2013, covered entities continue to fail to lay out PHI protective measures in the BAA. In order to survive an audit, the covered entity must be able to produce copies of all of its BAAs.
3. Train Employees. Lack of workforce training can lead to data breaches and other HIPAA compliance issues. A proper HIPAA training program for newly hired employees as well as annual training is ideal, and should be company and industry specific. Covered entities conducting such training should be sure to maintain copies of the training materials, and document attendance.
4. Report Breaches in a Timely Manner. Covered entities should maintain clear policies and procedures to ensure that breaches are reported in a timely manner within HIPAA’s notification timeframes.
While the particulars of each of OCR settlement varies, all send a very clear message that OCR expects covered entities to comply with HIPAA and is offering guidance to aid them in that process.