In this episode we talk about malware gone crazy, with malware posing as Coronavirus information, Maze ransomware hackers taking things public, and more. We also talk with Andrew Hicks, Vice President of Risk Management at Frazier & Deeter, about how and why HITRUST certification doesn’t have to be a daunting process.
Here’s the full transcript of this episode.
Olena Heu: And welcome to another episode of the HIPAA Critical Podcast. I’m Olena Heu and joining me, Rick Kuwahara.
Rick Kuwahara: Hey Olena.
Olena: We’ve got a stacked show for you today, lots going on. We’re gonna recap what’s in the news, who’s winning, who’s failing, and of course some predictions for you. So Rick, what can you tell us about what’s happening right now?
Rick: Well, I think what everybody is paying attention to right now is the Coronavirus and what’s happening in China.
And there’s a lot of news around that and unfortunately when there’s a crisis, there’s bad actors, bad people trying to capitalize on it and that’s what we’re finding right now.
There’s actually news that there are hackers who are using malware posing as health information about the Coronavirus outbreak to infect devices. This was first found in China, but it’s going out to different countries.
And what they’ve found was on their social networking platform WeChat, that there was someone who was sending out suspicious files. And so if someone clicks on it, it downloads malware to the device and then, it lets the hacker control the device and get information out of it.
Unfortunately, it’s not contained just to WeChat. There’s been multiple phishing campaigns sent to emails where the email is posing that there’s information about the Coronavirus or click on this link to find out how you can prevent from being infected and when people click on those attachments or links, then it downloads malware to the computer.
And it lets hackers access the computers and take control of it, where they can download sensitive information that’s on there or even use the computer itself as sort of a botnet to take control of other computers. And it’s just a really, really unfortunate thing that’s happening.
When people are getting these emails from people, it’s just like any other email that you’re getting, always be suspicious of any link that you see, before you actually click on it.
Olena: Interesting, because I would think it’s counterintuitive to click on or download something that says Coronavirus right now, as much as you’re trying not to contract something.
Rick: Yeah true, but when there’s fear there, there’s people trying to take advantage of that.
Olena: And obviously, if you don’t know the source of something that’s sent to you, don’t open it, don’t download it, just be aware. And what else is happening in the news that you can tell us about?
Rick: Well, something else that we talked about a couple episodes ago was the Maze ransomware attacks that have been happening. The FBI issued an alert about Maze, and we talked about that a couple of episodes ago.
Well, it happens that now, the hackers using the Maze ransomware are actually posting the stolen health data online.
In November, the Maze hacking group threatened to publicly release stolen data to extort money from the organizations that they had hacked. And so, typically, when ransomware hackers aren’t trying to access data or anything, they’re just trying to lock down your system and hold that for ransom for you to pay up.
However, the Maze hackers actually infect the system, lock it down, and then take the data, and then they are threatening to post it online if you don’t pay them the ransom.
And so what we’re seeing now is that data actually being published. One of the largest medical data postings appears to be from New Jersey’s Medical Diagnostic Laboratories or MD Lab.
The Maze hacker’s website claims that it encrypted 231 workstations during the attack, and when MD Lab refused to pay the demand, the hackers published a bunch of it to force negotiations with MD Lab to try and say, “Okay here’s a little bit of it that’s online. Now, we’ll post the rest if you don’t pay us.”
Olena: Just in case, you were gonna try to call their bluff, they’re saying, “Nope.”
Rick: Right, exactly. It’s just another layer that’s being added on to the ransomware attacks that have been happening.
There are about 29 companies listed on the Maze website as organizations that have not paid them. Those are companies where potentially the data that these hackers have stolen could get posted online.
Olena: And do they happen to know how much data was stolen?
Rick: Well, in the case of MD Lab, there’s an estimate of about 100 gigabytes of data that was stolen. And they have published just like 10% of that.
Olena: Crazy and obviously a lot to learn from this situation. What do you recommend?
Rick: I mean, as always, I’ve said… Similar things, what we’ve said before is you wanna be sure that your systems are updated and patched, especially for a lot of these organizations, older and healthcare organizations where they have legacy systems that they’re using.
A lot of times there’s… It’s easy for gaps to be in there so making sure that that’s properly patched up and to just look for signs of compromise. You have to assume that someone will get past your firewall.
Have the right policies, programs, procedures in place that you can identify if something has happened so that you can stop it right away.
And then, of course, training their staff is always a big thing, because a lot of those times ransomware gets in through phishing attacks and that has a human element to it where it’s going to someone’s inbox and someone needs to be able to recognize, “Hey, this is fishy. I’m not gonna click on it at all.”
Training your staff and having a good backup and recovery process is gonna be key as well.
Olena: I don’t ever recall any kind of training when it came to email back in the day. Definitely good to heed the warnings.
Rick: Yeah, for sure. And it’s something that I think every organization, not just healthcare, but everybody’s going to have to make sure that their staff is trained on.
Olena: Definitely. Alright, well, we’re gonna talk now about good news, those that are winning this week.
Rick: Yeah, and some good news out of New Jersey, not all bad news with MD Lab, but Governor Phil Murphy signed a regional health hub program into law a couple of weeks ago.
The legislation basically names a few health centers as regional health hubs in New Jersey. These health hubs are gonna take the place of the accountable care organizations or ACOs, but they are going to have the same goal of helping improve health outcomes of those on Medicaid, so often, the most vulnerable populations.
The goal is under the new model, each hub is gonna serve as a local expert and conduit for state health priorities. It’s going to be able to decentralize a little bit and hopefully move faster and be more useful out on the regions that they’re helping.
Olena: Why is this latest news important?
Rick: It’s important because it’s hard to mobilize and work across wide areas with big populations. For New Jersey, this regional health hub model can help involve the community better, and it could definitely serve as a model for other states to emulate.
Olena: That’s exactly what I was thinking as well, that they could be a leader in showcasing this as a model of what the potential could be.
Rick: Okay, and in other news, something else that’s exciting that’s going on out on the West Coast is the University of California San Francisco’s accelerator launched a program to help improve digital health access.
They call it SOLVE Health Tech, and it’s from UCSF’s health equity accelerator.
And they began a research project to identify and eliminate barriers preventing the underserved populations from accessing healthcare because it doesn’t matter if you have all these awesome digital health access apps, whatever it is, if the people you’re trying to serve can’t actually get to it.
They have partnered with AppliedVR, which is a company that’s developing virtual reality-based therapeutics, and they are gonna interview healthcare providers about the best ways to integrate VR and other digital health tools into systems with large Medicaid populations, which as you just talked about are a lot of times those underserved populations.
They’re going to share their findings with AppliedVR to try and solve the issues of how do you get these digital health solutions to be used and accessed by all these different populations.
Especially where there’s not everybody has access to the internet, or the technology like a smartphone, we take it for granted for ourselves, but not everybody can rely on it.
How do we get these solutions into the hands of people so that they can have better care and access to everything that the health technology has to offer?
Olena: That’s great and very insightful because, yes, not everybody has technology in the palm of their hand like us at this moment, and so that’s wonderful.
Rick: Yeah, and I think that it’s great to see a continuous trend of more health systems getting involved and helping to lead innovation, trying to solve problems in a unique way. That’s really great.
Olena: Beautiful, SOLVE. Alright, we’ve talked about those that are winning and now we’re gonna discuss who’s failing. And of course, there are some things that we can take away from the failures. What you got?
Rick: Yeah, the first one up is an incident where malware destroyed data of 30,000 patients.
This incident happened with the Texas-based Fondren Orthopedic Group, and they started notifying people that their data was destroyed after a malware incident back in November.
Basically, it looks like data was accessed by a hacker and some of the patient records were destroyed. Thankfully, they say there’s no evidence that any of the data was actually extracted by the hacker, but it did destroy the medical records that include things like patient names, your diagnosis, treatment, health insurance data.
A lot of sensitive and important information was destroyed, but I guess if there’s a silver lining, it’s that at least none of it was actually taken.
Olena: It’s just they won’t have an opportunity to retrieve medical history for some?
Rick: Yeah, for some it looks like their data, you can almost think of it like back in the days of paper medical records, if there’s a fire and something happens, there’s no retrieving it.
They didn’t outline whether that malware impacted backups. There could be cases where maybe they can find an old backup of the medical history or something, but it’s unclear right now.
We just know that over 30,000 patients did have their patient data affected.
Olena: Okay, good to know. And what else can you tell us, as far as failures to report?
Rick: Well, we got one more that we’re going to run over real quick. And it’s from VillageCareMAX and VillageCare Rehabilitative and Nursing Center.
Their managed care plan members are being notified that their data was potentially breached after a security incident back on December 30th. This one comes through good old-fashioned email, where most of the breaches happen.
An employee received a suspicious email from someone pretending to be a member of their executive team asking for information related to plan members.
This is often called Business Email Compromise, sometimes called display name spoofing, but basically the employee saw an email in their inbox where the from field had the name of someone from their executive team.
So they thought, “Okay this is legitimate. This is my boss. I’ll give you the information.”
It was only later that the employee notified leadership that, “Wait, it wasn’t actually from that executive.”
They launched an investigation and they did find out that the compromised data that was sent out was in fact to a hacker and it included names and Medicaid numbers.
VCMAX is reviewing their policies and everything, but right now they’re just notifying patients, and all these people have to start monitoring their identity to see if there’s gonna be any fraud that occurs.
Olena: Interesting. What do you do if you get an email and it looks like it’s from a source that you recognize?
Rick: It goes back to don’t just check the name, check the actual email address because a lot of emails that come into your inbox now, especially like the iPhone, if you’re on your mobile device it’s even worse, you’ll just see who it’s from, and that someone’s name, and that’s the display name.
And that name can be anything, but when you look at the actual email address, you take that one extra step to look at the email address, you can often see that it’ll be from some malicious or fake email.
Olena: Some fake one. Mm-hmm.
Rick: Yeah. It can even be like if I’m sending something as… If a hacker is trying to spoof me and then instead of coming from @paubox.com, even though it’ll have my name on the email, it’ll just say it could be from fake email @gmail.com or something like that.
One is always look for the email address, not just the name of the person, make sure the email address is correct.
And two, you can use software such as Paubox Email Suite Plus, where we have ExecProtect which actually stops those spoofs from actually getting to the inbox by verifying legitimate emails in the first place.
Those are two ways that you can kinda go about it, but definitely training is always gonna be one ’cause something’s gonna slip through. Hackers are moving fast, as fast as we are.
Olena: That’s true.
Rick: You’ve got to always be alert.
Olena: Alright, well, Rick, as our Chief Marketing Officer, you had the opportunity to sit down with Andrew Hicks, Vice President of Risk Management at Frazier & Deeter.
Frazier & Deeter is one of the nation’s fastest-growing accounting and advisory firms serving the evolving needs of clients from startups through Global Fortune 500 companies.
Rick: Building off your experience, your deep experience you’ve had with assessments and healthcare, HITRUST has really become a big signal in healthcare that an organization takes its security posture seriously. Why do you think that is?
Andrew Hicks: I’ve been doing HITRUST for eight years, and I kind of coined the phrase, I think I’ve coined it, “I can get behind anything I believe in,” and HITRUST is an organization that… They established themselves about, what, 15-16 years ago, with the number one goal to increase or boost cybersecurity awareness and the overall control of organizations around PHI.
Now, that scope has expanded out to other industries and other data classifications, but by and large what they’re doing is great for us as individuals, our data’s out there, but it’s great from an organizational perspective because it is a dynamic framework.
It’s scalable. It’s all the things they say it’s gonna be and that it is.
And so from an organizational perspective, what I like about it is it truly enhances your cybersecurity program, and serves as the foundation.
It allows you to basically measure your overall cybersecurity posture and really make decisions around where you’re gonna invest as an organization to drive greater enhancements to your cybersecurity program.
Rick: Great. I know that when we were telling people that Paubox was going through HITRUST, we got a lot of sympathy because it seems such a daunting process, and it really was for us when we were first approaching it, but I like that you don’t think that it really has to be daunting.
Can you share a little bit more about why you think that is?
Andrew: Yeah, Rick, this is what really, really gets me excited. My mission in life, at least for this chapter of my life, is one word, and that word is simplification.
Whether it’s HITRUST, whether it’s HIPAA, whether it’s FedRAMP, whatever it is, I know the market extremely well. I know what organizations go through with all of these regulations that are out there and the cybersecurity challenges, and when you start talking about assessments, it does not need to be as archaic and confusing as it is.
My purpose here is really to stand up a couple of lines of service and what I’m doing is taking the customer side.
What the customer experience has been traditionally, all of those pain points going through the process, and then building a methodology off of that, so it’s 100% with the customer in mind.
And then secondly, and somewhat selfishly, it’s with our assessor team in mind because there’s a lot of attrition. There’s a lot of burnout from all of these and various types of assessments.
And so finding harmony with a methodology that makes sense, that simplifies the process, these engagements, they don’t need to cost $100,000-$200,000 plus. It should just bring better tools, better process to the overall assessment life cycle.
Rick: Okay, great, and how do you really… You mentioned bringing tools to the table, maybe you can talk a little bit more about how exactly you simplify assessments, but still being comprehensive.
Andrew: Yeah, I’ll say just knowing, again, the assessor community out there. It is not uncommon for assessors to hand over whatever we wanna call ’em, PBCs, ERLs, RFIs, it’s the request list.
And in the HITRUST space, that list can be 300-400-500 items, so very specific asks.
And looking for a way or building a way to number one, collect that data in a much more efficient manner, but also reducing the asking and finding, being intelligent in terms of instead of asking for five various specific things, wording that in a way where I can ask for one thing and reduce the overall number of asks.
I think that the intake of documentation and evidence, that process needs to be greatly simplified.
Right now, it’s very painful for an assessor to book a conference room and sit across from a control owner for hours and hours and hours and onto the next control owner and then onto the next control owner.
There’s a lot of time and that information, it has to be collected, but how we collect that, is it the best use of our time to sit face-to-face and go through everything or are there better ways to collect that information? That’s another area we’re investing heavily in.
And then the other thing I would say is, typically assessors, they work on Excel.
We’re not doing Excel at all. That is the opposite of simplification.
What we’re doing is looking at ways to streamline the process. Instead of looking at 500 rows or 500 requirements, we’re looking at a subset of that because we’ve harmonized the framework, in that there are ways to take a very robust framework like NIST 800-53 or HITRUST or whatever it is, ISO, and harmonize that down around key topics and ask more precise questions that get better answers and then extrapolate those results back out to the greater number of requirements.
That’s a couple of examples, two to three examples of things that we’re looking at and investing heavily in, but the madness around how engagements and assessments are performed today, that is a huge, quite honestly, it’s a disservice in the assessor community and the consulting community back to organizations, because there’s a lot of ways to improve and streamline there and still hold the integrity of the engagement and the quality.
Rick: Right well that’s great. I know that sounds all fantastic from the organization’s side, the side being assessed. And it sounds like too, that’s a great scalable way, not just for the initial assessment, but as you go through your annual or biannual reviews.
Andrew: Absolutely, yeah. Well, one thing I do a lot is encourage our customers to not treat an assessment as a point in time: fully embrace whatever you’re doing, adopt it as your framework, and look at ways to do continuous monitoring.
The assessment shouldn’t just… It shouldn’t be a you-got-caught-with-your-hand-in-the-cookie-jar moment, it should be, “Hey we’ve already prepared for this because we’ve been managing our controls for the last 10 months since the last engagement.”
It shouldn’t be this massive list every single year. It should be broken out into bits and pieces throughout the year so you’re actively managing. And quite honestly, it’s making your cybersecurity program much more dynamic than if you’re just treating it as an assessment.
Rick: Yeah, that’s fantastic, and I look forward to hearing how you guys are coming along with that and really pushing that assessor industry forward.
Olena: And for more information and to read the full interview, you can visit our website paubox.com. That’s P-A-U-B-O-X.com. Thank you, Rick, for that insightful interview.
Now, can you share with us some of your predictions as we continue to move forward in 2020?
Rick: Sure. One prediction that we think is going to happen is there’s going to be more Internet of Things devices that are gonna be used this year for healthcare.
And we saw that at all the big conferences that happened at the beginning of the year, CES, the JP Morgan Week that just happened in San Francisco, and HIMSS, which is coming up in March.
There’s a lot of emphasis on a rise in consumer-focused technologies to engage patients and help health outcomes. Those are those apps. It could be devices that are used during treatment.
That’s all great. And anything we can do to help out health outcomes is awesome, but what that also does is it increases the attack surface that hackers can go after.
There’s going to definitely be a spike in breaches later this year, as a lot of these things get pushed out and hackers start poking and trying to find the holes in it. We’ll see a few more of those type of breaches later on in the year.
And again, it just goes back to any time you introduce a new piece of technology, you’re introducing a new risk, so making sure that we’re always looking at security, at design when we’re trying to be innovative, but definitely something to keep an eye out for, especially for consumers.
Olena: Amen to that. Alright, well, thanks for joining us on this latest edition of HIPAA Critical, the Paubox podcast. And thanks for tuning in.
Rick: Thank you.