HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on the attack and to detail HHS’ efforts to mitigate the harmful effects of the attack on government computer systems and health care organizations.

In five successive updates issued between May 13 and May 17, ASPR provided links to the most up-to-date information from the U.S. government on cyber threats (including from the US-CERT Cyber Awareness System, the FBI, and HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC)), and solicited information on new attack vectors and on any impact the attack may have had on patient care or supply chain distribution.

Take-Aways from WannaCry

We have read multiple reports on WannaCry and if you are reading this and don’t know what WannaCry is, Google it for the background story. The clear message is this is not the last major attack we will see, and future attacks will only get more sophisticated. It is being estimated that the cost associated with responding to WannaCry will exceed $4 billion.

Here are our take-aways that may be a useful summary for our readers:

  • The healthcare industry is particularly vulnerable to future attacks and should get prepared for them
  • Make cybersecurity a risk management priority in the organization
  • Implement patches as soon as they are pushed by product companies
  • Share cyber intrusion information with authorities to stave off attacks and the spread of attacks
  • Get that back-up plan up and running and TEST it
  • You get what you pay for if you buy pirated software—which is a crime
  • Pay attention to industry alerts as you receive them from the FBI and other governmental authorities
  • Consider purchasing appropriate cyber liability insurance to cover losses associated with cyber attacks, data breaches, ransomware and business interruption, and use a broker who is familiar with appropriate coverage
  • Check out the resources published by US-CERT and the Disaster Information Management Research Center on WannaCry
  • Get involved in the debate over whether the government should share known cyber vulnerabilities with companies—the debate is about whether government intelligence services should balance their use of software vulnerabilities for espionage and cyber warfare against sharing their findings with technology companies so those companies can fix the flaw.


ABA Issues Opinion on Use of Email for Lawyers

On May 11, 2017, the American Bar Association (ABA) updated its 1999 opinion regarding lawyers’ use of email for communication. Although many state bar associations have issued opinions on electronic communications and the use of cloud computing services, the ABA has now provided clear guidance for lawyers on their ethical responsibilities of competence, confidentiality and communication in an electronic age.

Formal Opinion 477, “Securing Communication of Protected Client Information,” which is considered a professional rule of conduct for attorneys, provides that attorneys must take “reasonable measures” to keep client information safe from cyber threats. This means that lawyers must implement basic and reasonable electronic security methods in communicating via email.

The text of the Preamble, which is the crux of the opinion, states:

DocuSign Breach Leads to Email Malware Campaign Requesting Wire Transfers

Electronic signature technology company DocuSign has admitted that it suffered a breach of one of its computer systems, resulting in stolen data including customer and user email addresses. The breach has allowed the hackers to target DocuSign customers and users with phishing emails requesting wire transfers. This is particularly concerning since so many companies use DocuSign for electronic signatures, and employees may not be wary of receiving an email from DocuSign requesting authority to transfer funds.

The malicious emails that customers receive carry the subject line “Completed: docusign.com—Wire Transfer Instructions for recipient-name Document Ready for Signature.” The emails include a link to a Word document that contains malware. The emails spoof DocuSign, using the DocuSign branding in the header and body of the email.

Customers and users of DocuSign should alert their own users to the malicious emails and urge them to be vigilant regarding any emails allegedly sent to them by DocuSign. DocuSign has requested that any users who receive a suspicious email forward it to spam@docusign.com.

Employees who handle wire transfers in the organization should be alerted to this malware campaign to protect against a successful intrusion and theft of funds.

Updated Drone Statistics in the Commercial Industry

The commercial drone market is booming. While estimates certainly vary, many research firms say that the worldwide market value will rise from $2 billion today to over $10 billion within the next 10 years. Similar to the GPS and Internet boom, drones are evolving beyond their military origin to become powerful business tools.

Goldman Sachs estimates that businesses and government will spend $13 billion on drones between now and 2020. And PricewaterhouseCoopers says that the effect of drone technologies on business models will be like that of the information technology revolution of the 1980s, when companies re-engineered their operations and transformed the modern economy. Teal Group also points out that the production of non-military drones will jump from $2.6 billion today to $10.9 billion in 2025. Overall, this market could grow from $1.3 billion in 2016 to $11.2 billion in 2021.

However, drones in the commercial industry face some hurdles–safety, privacy, and insurance coverage. But assuming that those hurdles are cleared, analysts say that drones will be most heavily used in the construction, agriculture, insurance, energy, infrastructure inspection, security, mining, turnkey services, telecommunications, real estate and package delivery industries. Beyond that, many other industries will be revolutionized by drones. Drones can do jobs faster, more safely and less expensively. The big move that must happen before we will see an increase in drone use in these industries is regulatory change–most importantly, permitting operations beyond visual line of sight. And that’s where the Unmanned Aircraft System Traffic Management network (which is currently being developed by NASA) will come into play. For now, we know the number of drones in the sky will increase and the dollars behind those drones will grow exponentially.

Privacy Tip #88 – The Challenge of Keeping Up with Patches

Over the past week, many clients and individuals have asked me why some companies and health care facilities were devastated by the WannaCry ransomware, and why others made it through the weekend without a blink of an eye.

Simplistically, it is because those who pay attention to the security patches they receive from technology vendors for their products (like Microsoft in this case) are protecting their network better than those who can’t get to them. And those thieves (primarily in China) who bought pirated software got their just deserts for stealing the software and therefore not receiving the patch from Microsoft.

Brooks Brothers Reports Payment Card Data Breach

A lawyer’s nightmare: retailer Brooks Brothers announced late last week that it has become the newest retailer to suffer a payment card data breach.

According to Brooks Brothers, which is calling it a “data incident”, payment card information from certain Brooks Brothers and Brooks Brothers outlet locations in the United States and Puerto Rico was compromised between April 4, 2016, and March 1, 2017. The information compromised included name, card number, and security code. No debit cards were affected, nor were any airport locations affected.

The locations affected are listed on Brooks Brothers’ website. Unfortunately, like many lawyers, I shop at Brooks Brothers and was no doubt affected. There was no information provided to consumers about whether our payment cards will be reissued. This means our cards can be used, so if you shop at Brooks Brothers, check your credit card account closely and let your bank know if you see anything suspicious.

Fourth Circuit Vacates $12M FCRA Class Action Judgment Against Experian

On May 11, 2017, the Fourth Circuit Court of Appeals vacated a $12 million judgment against Experian Information Solutions, Inc. (“Experian”) in a class action against the credit reporting bureau alleging violations of the Fair Credit Reporting Act (“FCRA”). Relying on the standard set forth by the U.S. Supreme Court in Spokeo, Inc. v. Robins, the circuit court held the named plaintiff lacked constitutional standing because he suffered no “concrete” injury from the alleged statutory violation.

The claims in the lawsuit involved the FCRA requirement that credit reporting agencies must, upon request, clearly and accurately disclose to a consumer the “sources of the information” in the consumer’s file at the time of the request. 15 U.S.C. § 1681g(a)(2). As part of a background check in connection with obtaining a security clearance, the lead plaintiff, Michael Dreher, obtained a series of credit reports from Experian which listed a delinquent credit card account identified as Advanta associated with his name. Unbeknownst to Dreher, Advanta had been closed since 2010, and a company named CardWorks had been appointed as servicer for the company acquiring Advanta’s receivables.

Misconfigured Backup Server Exposes 7,000+ Medical Records

A misconfigured backup server hosted by medical records technology vendor iHealth Solutions resulted in the exposure of over 7,000 medical records, some containing sensitive information. The records, involving patients seen at Bronx-Lebanon Hospital Center in New York, New York, between 2014 and 2017, include patients’ names, addresses, HIV status, mental health diagnoses and addiction histories, as well as sexual assault and domestic violence reports. The leak was discovered by a team of researchers at MacKeeper Security Research Center, who were conducting a routine internet sweep. It is not clear how long the records were exposed. According to reports, there is no indication that the information has been used inappropriately.

NIST Releases Draft Cybersecurity Guidance for Wireless Infusion Pumps

The National Institute of Standards and Technology (NIST) announced this week that it has issued draft cybersecurity guidance for hospitals to consider when using infusion pumps, particularly since infusion pumps are no longer standalone devices and many are now wireless. This increases the risk of cybersecurity threats that could potentially compromise personal information if the device is hacked, or hinder the functionality of the device. The wireless connection of medical devices is referred to as the Internet of Medical Things (IoMT).

After performing a risk analysis of wireless infusion pumps, NIST developed draft guidelines that focus on hospitals’ analysis of the devices and in particular, using technology to protect access to the devices. It then developed an example implementation that hospitals can use to implement “standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits.”

According to NIST, “Ultimately, we show how biomedical networking and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

NIST is seeking comment on the draft Guidelines through July 7, 2017.