December 1, 2022

Welcome to The Cybersecurity 202! Two developments of note in the coming days: First, we aren’t publishing Friday and will return Monday. Second, I’m about to take my first real (albeit relatively short) vacation since the pandemic began, so look for some guests who will helm the ship while I’m away.

Below: The judicial system has been very busy on data breaches of late, and federal agencies survey the midterm election threat picture. But first:

An IT security incident hits a ‘massive’ hospital chain, a sector where the risks are grave

The second-largest nonprofit U.S. hospital chain is dealing with a cybersecurity incident this week that affected facilities across the country, forcing ambulance diversions, system shutdowns and patient appointment rescheduling.

CommonSpirit Health isn’t yet providing specifics about what happened. The chain says it has 140 hospitals and more than 1,000 care sites in 21 states. Facilities in Iowa, Nebraska, Tennessee and Washington were among those enduring disruptions.

One expert called the incident an extraordinary one for the United States. Cybersecurity risks in the health-care sector can mean a potential threat to lives.

  • “The scope is perhaps unprecedented in terms of the health-care sector,” Brett Callow, a threat analyst at the cybersecurity company Emsisoft, told me. CommonSpirit, he said, is “absolutely massive.”

CommonSpirit Health on Tuesday published a statement on the incident, which emerged into public view Monday and began to get wider attention Wednesday.

  • “CommonSpirit Health is managing an IT security issue that is impacting some of our facilities. As a precautionary step, we have taken certain IT systems offline, which may include electronic health record (EHR) and other systems,” the original online statement read. “Our facilities are following existing protocols for system outages and taking steps to minimize the disruption.”

A revised statement Wednesday excluded some of those details.

The chain declined to comment further, but signs point to a ransomware attack, during which hackers encrypt victim systems and demand payment to unlock them. Tweeted security researcher Kevin Beaumont, head of security operations at Arcadia Group (“IR” stands for “incident response”):

Some ransomware gangs swore off attacking hospitals at the height of the pandemic, but Callow noted that ransomware affiliates who use their malware in exchange for handing over a share of profits haven’t shown such restraint.

Among the consequences of the CommonSpirit Health incident:

  • Besides taking some IT systems and records offline, CommonSpirit Health said “we have rescheduled some patient appointments.”
  • The Des Moines Register reported that MercyOne Des Moines Medical Center had diverted ambulances for “a short time.”
  • Multiple CHI Health facilities in Omaha were affected, the Omaha World-Herald reported.
  • CHI Memorial hospital in Chattanooga, Tenn., reported problems identical to the CommonSpirit Health statement, according to the Chattanoogan.
  • In Washington, St. Michael Medical Center delayed critical procedures — including a CT scan to check on a brain bleed — patients and families told the Kitsap Sun. In other parts of the state, health-care workers told the Tacoma News Tribune that “the disruption was having serious impact on normal functions such as charting, lab results reporting, history gathering, obtaining records on allergy information and more.”

“In general, these kinds of … attacks are happening at all different kinds of organizations in every different critical infrastructure sector,” Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center, told me in an interview in which he was careful not to speak about CommonSpirit Health specifically. “But when they hit hospitals and impact patient care, it creates newsworthy events within the community, it starts to potentially impact people’s lives and people take notice.”

There have been a couple of reports that cyberattacks on hospitals have cost lives.

  • A lawsuit that a woman filed against an Alabama hospital last year alleges that a ransomware attack led to the death of a 9-month-old child because of equipment that wasn’t working.
  • In 2020, a German hospital under ransomware attack turned away a patient who later died. Prosecutors looked at filing charges against the hackers, but ultimately concluded it wasn’t the decisive factor.

In perhaps the most sweeping hospital cyber incident outside the United States, the massive WannaCry ransomware attack that affected 150 countries hampered the U.K. health system. The 2017 incident disrupted 80 hospitals, led to the cancellation of 19,000 appointments and cost it more than $100 million.

Weiss said that typically when there’s a big incident affecting the health-care sector, his organization snaps into action.

“We’ve got a terrific network of health-care organizations actively sharing information with each other, including indicators of compromise and TTPs (tactics, techniques and procedures) from this kind of attack,” he said. “The whole idea is to be able to learn what’s happening from other organizations and use that information to better protect your information, or look to see if you’d be impacted by that attack.”

The American Hospital Association’s national adviser for cybersecurity and risk — who also took pains not to comment on CommonSpirit Health — said it’s important for hospitals to have a plan for when an attack happens.

“In general terms, what we advise our members, should they become victim of a cyberattack which disrupts hospital functions and/or clinical care: Their downtime procedures need to be in effect that would compensate for lack of access to electronic health records and other medical technology that may become unavailable,” John Riggi told me.

Outside of that, the health-care sector needs help from law enforcement to track down and punish culprits, something Riggi said the government in general and the FBI specifically have committed to doing.

Former Uber security chief convicted over 2016 breach

A federal jury on Wednesday found Uber’s former chief security officer, Joe Sullivan, guilty of obstructing justice and actively hiding a felony after authorizing payments to hackers behind a 2016 breach of the ride-sharing service.

“The verdict ended a dramatic case that pitted Sullivan, a prominent security expert who was an early prosecutor of cybercrimes for the San Francisco U.S. attorney’s office, against his former government office. In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare,” The Post’s Joseph Menn reports.

It also came as a surprise to many security professionals. The judge didn’t set a date for Sullivan’s sentencing.

No prison for Seattle hacker behind historic Capital One data breach

A former Seattle tech worker convicted of several charges stemming from a massive attack of Capital One bank and more than 30 other companies was sentenced Wednesday to time served and five years probation, Seattle Times’s Renata Geraldo reports. 

Paige Thompson, who went by the handle “erratic” online, was arrested in July 2019 after she downloaded personal data from more than 100 million Capital One users, racking up more than $250 million in damages. She remained jailed until November of that year.

At the sentencing hearing, U.S. District Judge Robert Lasnik said additional time in prison would be particularly difficult for Thompson because of her well-documented mental health issues and transgender status. 

U.S. Attorney Nick Brown said he was “very disappointed” with the sentencing decision, adding that his office had asked the court to impose a seven-year sentence against the former Amazon software engineer behind one of the largest data breaches in U.S. history. “This is not what justice looks like,” Brown said in a statement. 

Thompson previously argued that she had never misused the data she had obtained; rather, she said she was attempting to collect a bounty for spotting vulnerabilities in the systems of the companies she hacked. In 2020, Capital One agreed to pay $80 million to settle federal bank regulators’ claims that it lacked security measures it needed to protect customers’ information. The company also later reached a $190 million settlement with affected customers.

Election software company CEO arrested

Authorities have arrested Eugene Yu, the founder of the Michigan election software company Konnech, on suspicion of stealing the personal information of hundreds of Los Angeles County poll workers, the Associated Press reports.

Konnech stored data on servers in China, in violation of requirements to keep information collected under contract in the United States, prosecutors allege. The company denied the charges.

“We are continuing to ascertain the details of what we believe to be Mr. Yu’s wrongful detention by LA County authorities,” Konnech said in a statement. “Any LA County poll worker data that Konnech may have possessed was provided to it by LA County, and therefore could not have been ‘stolen’ as suggested.”

Election deniers who had besieged the company rejoiced, but prosecutors said Yu’s actions didn’t affect election results.

Senior officials ‘confident’ U.S. voting systems could thwart malicious cyberattacks

With less than a month to go before the midterm elections, the FBI and the Cybersecurity and Infrastructure Security Agency are confident that any attempts to manipulate votes would be identified and stopped ahead of any large-scale disruptions. 

“Given the extensive safeguards in place and distributed nature of election infrastructure, the FBI and CISA continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected,” the agencies said in a joint announcement Wednesday. 

The agencies added that, as far as they know, there’s never been a successful hack against any election in the United States that has prevented someone from casting a ballot or compromised the integrity of their vote. 

While the agencies expressed confidence that U.S. voting systems are safe and secure, senior government officials warned earlier this week that there is, and has been, a concerted effort by foreign adversaries from countries like China, Russia and Iran to seize on Americans’ doubts about the election system itself. “In particular, we are concerned malicious cyber actors could seek to spread or amplify false or exaggerated claims of compromise to election infrastructure,” an FBI official said at a briefing, per Voice of America’s Jeff Seldin. 

White House seeks advice on cyber workforce development (Nextgov)

Russian-speaking hackers knock US state government websites offline (CNN)

Popular censorship circumvention tools face fresh blockade by China (TechCrunch)

How one group of ‘fellas’ is winning the meme war in support of Ukraine (CyberScoop)

Lloyd’s of London investigates possible cyber attack (Reuters)

  • The FS-ISAC holds its FinCyber Today summit in Scottsdale, Ariz., from Oct. 10 through Oct. 12.

Thanks for reading. See you next week.
