Sunday, June 02, 2019
The ADHA Comes Clean At Last - They Have A Potential End-Point Security Problem With The My Health Record.
A few days ago the ADHA issued a briefing on Ransomware:
The guts of the contents were as follows:
Ransomware is a type of malicious software that denies access to computers and files and demands that affected organisations make a payment to regain access to their information. CryptoLocker is a particularly virulent and widely known form of ransomware that encrypts all files located within the infected computer, its shared network drives, and any attached storage.
A ransomware attack on a healthcare organisation can potentially cause significant reputational damage, clinical safety risks, financial harm, and impact to continuity of business operations. Any network connected system could be affected, such as: desktop computers; clinical, personnel or financial information systems; databases containing digital health records; or medical devices.
Ransomware, which has become increasingly common within the health sector, may pose a significant risk to the security and privacy of individual health information and impede organisations’ ability to deliver healthcare services. Depending on the access obtained, an attacker could also read, modify, export or publicly release digital health records.
The comparative prevalence of ransomware in the health sector was highlighted in the Office of the Australian Information Commissioner’s Notifiable Data Breaches Quarterly Statistics Report for the period October to December 2018. The percentage of ransomware-related data breaches reported for the health sector was twice that of other organisation types. It is vital that organisations in the health sector understand their risks and are prepared to prevent and respond to ransomware attacks.
1. Given that organisations in the health sector have professional and legal obligations to protect health information, it is important that accountable senior managers understand how the risk posed by ransomware is being managed within their organisation and determine if the risk mitigations are acceptable. Suggested questions to ask your ICT team include:
· Have existing security controls within the organisation been reviewed in light of the risk posed by ransomware? If so, what was the outcome? What is the level of risk and is it acceptable?
· How are backups of critical systems managed and secured? Will this approach prevent backups being compromised by ransomware? When was the backup process last tested and what was the outcome?
· What approach is taken to ensure known security vulnerabilities are addressed? Are there additional mitigation strategies that should be implemented, such as those outlined in the Australian Digital Health Agency’s publication ‘Patching: Protecting healthcare information by updating systems and software’?
· Does the ICT team need additional support or resources to better manage and mitigate the organisation’s risks? Are there additional mitigation strategies that should be implemented, such as those listed in the companion document, Preventing and recovering from ransomware - a briefing for IT Professionals?
2. Ideally, the risks posed by ransomware and other malware should be managed as part of a comprehensive information security framework or in accordance with an appropriate information security standard. There are a number of information security frameworks and standards, which organisations in the health sector can use to improve the security and resilience of their digital health systems and help meet their professional and legal obligations to protect health information.
3. If your organisation doesn’t have the resources or expertise to assess its risks or to implement adequate security measures, it is recommended that you seek professional advice from a reputable IT service provider or information security consultant.
4. If ransomware does compromise your organisational systems, please note the following:
· Paying attackers is not recommended as this will encourage further attacks and does not guarantee that organisations will be able to recover affected files or avoid a data breach. It is suggested that you seek legal advice if paying the ransom is considered necessary.
· Government agencies and businesses covered by the Privacy Act 1988 (Cth) will need to report individual health information breaches under the Notifiable Data Breaches Scheme. Refer to advice from the Office of the Australian Information Commissioner (OAIC) for details.
· If systems used to access or update the My Health Record system are compromised, it is possible that the security or integrity of the My Health Record system has also been compromised. For any event or situation where there is a suspected or actual data breach relating to the My Health Record system, organisations are required to notify the Australian Digital Health Agency, (the System Operator) and the OAIC.
Here is the link to the .pdf.
Before commenting on the comments above it is important to realise this a live threat.
A report from Armis found that two years after WannaCry, healthcare and manufacturing organizations are still being impacted due to unpatched, legacy devices.
May 30, 2019 - More than two years since the WannaCry attack wreaked havoc across the world, the malware is still impacting devices with 40 percent of healthcare organizations suffering a WannaCry attack in the past six months, according to a report from Armis, a security firm.
WannaCry is a ransomware cryptoworm that struck on May 12, 2017, infecting 300,000 computers globally in just a few short days. The hackers leveraged the EternalBlue exploit developed by the NSA, leaked a few months before the attack. While Microsoft released a patch for vulnerable systems months before the attack, many organizations did not apply it.
As a result, the exploit allowed the virus to proliferate, claiming the UK National Health Service as one of the hardest hit victims. A researcher found a killswitch that prevented the malware from spreading, which stopped the cyberattack in four days.
Lots more here:
Two things strike me about this document:
1. We know from a recent audit in Victoria that health organisations are pretty hopeless at security:
May 29, 2019 — 2.34pm
Victoria’s Auditor-General successfully hacked into the IT systems of some of the state's biggest hospitals and accessed sensitive patient data, exposing serious cybersecurity weaknesses in the health sector.
Patient data was accessed by government auditors who used basic hacking tools to breach security systems at the Royal Children’s Hospital, the Royal Victorian Eye and Ear Hospital, Barwon Health and sections of the Department of Health and Human Services.
The audit has exposed poor cybersecurity systems among Victorian health service providers, including agencies with weak passwords that can easily be hacked and even one that used default account names and passwords set by manufacturers, which can be found on the internet, to protect patients’ personal data.
In many cases, hospital cybersecurity systems were undermined by poor staff training. Staff were found to be vulnerable to common “social engineering” techniques that cyber criminals use, such as phishing and tailgating into corporate areas where servers are located.
Auditor-General Andrew Greaves wrote in a report tabled in state parliament on Wednesday that all four health services he audited were vulnerable to attacks that could steal or alter patient information.
Lots more here and in the weekly summary:
2. The ADHA admits there are risks to the myHR from infected systems that are connected to the myHR.
One wonders where the effective plan is to really mitigate the risk to the myHR or are we seeing a head in the sand approach. Having all these endpoints connected to a central server was never a great idea. This risk shows how unwise it was – and the ADHA admit they know it.
Posted by Dr David G More MB PhD at Sunday, June 02, 2019