Vigilant Ops Wins Cybersecurity Challenge
CISA (Cybersecurity & Infrastructure Security Agency), the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory on October 28, 2020 warning of an imminent cybercrime threat to healthcare providers. Since the original release, the warning has been revised to include additional information. The advisory, Alert (AA20-302A) can be found here.
Authorities have claimed this to be one of the most significant cybersecurity threats “…we have ever seen in the United States.” This attack represents the latest salvo against hospitals which have been the hardest hit with ransomware attacks. In a ransomware attack, critical data is encrypted, rendering it not usable, until a ransom is paid. Most hospitals are eager to get back up and running, working hard to minimize the impact to patient care, so they are sometimes more likely to pay the ransom than other targeted businesses.
Cyber attacks targeting patient data systems, like Electronic Health Records, on average, cause 15 days of patient data system disruption. In some cases, clinicians were without system access for much longer. For example, the Universal Health Services attack, that we summarized and posted recently, left hospital crew without access to patient data for more than three weeks.
Cybercrime threat to healthcare providers, costs our healthcare system tens of millions of dollars annually. A typical ransom could be several hundred thousand dollars, while some have been more than $5 million.
We highly recommend reviewing the published alert as it contains technical details about the threat, as well as details about how the malware replicates, including which files to be on the lookout for and various attack techniques.
In addition to the publicly available resources, Vigilant Ops is here to help protect your deployed medical devices, and we are available for a free cybersecurity consultation anytime. Please reach out using any of the contact information below.
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.
For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com
Paying ransomware hackers could run afoul of anti-money laundering regulations. The Financial Crimes Enforcement Network (FinCEN) issued an advisory that, depending on the circumstances, facilitating ransomware payments to cyber-criminals could constitute money transmission, thus violating anti-money laundering regulations. In addition, the Office of Foreign Assets Control (OFAC) issued an advisory that engaging in transactions, such as ransomware payments, with individuals or entities on their Specially Designated Nationals and Blocked Persons List is a sanctions violation and could result in civil penalties.
To be fair, OFAC does publish a list of sanctioned entities, and they advise victim organizations to check this list prior to paying any ransom. The challenge in this case is in the identification of the hacker organizations, whose identity is not usually known to the ransomware victims.
The two most common forms of ransomware attacks come in the forms of phishing emails and poorly secured Remote Desktop Protocol (RDP). The latter is especially troubling given the dramatic increase in remote workers and the resulting loss of secure control of the working environment.
It’s fairly well-known that third-party software component vulnerabilities, like RDP, play a big role in enabling ransomware attacks, but organizations can take some proactive steps to help decrease the likelihood that they will fall victim to such attacks by implementing or maintaining processes that monitor third-party components, their vulnerabilities and available security patches.
Requesting a Software Bill of Materials (SBOM) from vendors, which is a monitored list of third-party software components utilized in their product, will provide needed transparency and will make the task of monitoring product components much more efficient. Of course, end-user training is always recommended, given that human error is still a huge contributor in facilitating unwanted access to networks and systems.
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.
For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com
Are you prepared for US cybersecurity legislation that could result in lawsuits and fines if not implemented according to prescription? Did you know that the 2019 National Defense Authorization Act chartered the US Cyberspace Solarium Commission (CSC) to define such cybersecurity policies and legislation? As a stakeholder in the healthcare industry, you should be aware of the CSC final report and the possible implications. This overview provides a brief summary of the report’s discussion of Software Bill of Materials (SBOMs) and the specific responsibilities of medical device manufacturers.
The final report from the CSC was made publicly available on March 11, 2020. The report is 182 pages in length and offers more than 80 recommendations to implement a “…strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”
The Cyberspace Solarium Commission was tasked by the President and Congress to answer two questions:
The Cyberspace Solarium Commission advocated layered cyber deterrence to be achieved by:
Implementation of the layered cyber deterrence strategy is built upon six (6) policy pillars and more than eighty (80) recommendations. This summary will provide in-depth analysis of the specific pillar to enhance the security in the cyber ecosystem, which calls out the work being done with the Software Bill of Materials (SBOM). Here is a list of the pillars presented in the document, but please refer to the final report for details on all pillars and recommendations.1
6 Pillars of the CSC final report
Pillar 4 – Reshape the Cyber Ecosystem Toward Greater Security
“This pillar attempts to drive down vulnerability across the ecosystem by shifting the burden of security away from end users to owners, developers, and manufacturers who can more efficiently implement security solutions at the appropriate scale.”
Five Strategic Objectives of Pillar 4
Strategic Objective #1 – Incentivizing Greater Security in the Markets for Technology
Key Recommendations – 4.1, 4.2 and 4.7 are detailed below
4.1 Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program for voluntary security certifications and labeling of information and communications technology products.
4.2 Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.
4.3 Congress should establish a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs.
4.4 Congress should resource and direct the Department of Homeland Security to resource a federally funded research and development center to work with state-level regulators in developing certifications for cybersecurity insurance products.
4.5 The National Cybersecurity Certification and Labeling Authority, in consultation with the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security, should develop a cloud security certification.
4.6 Congress should direct the US government to develop and implement an information and communications technology industrial base strategy to ensure more trusted supply chains and the availability of critical information and communications technologies.
4.7 Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.
4.1 Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program for voluntary security certifications and labeling of information and communications technology products.
Security standards and best practices can be employed more effectively, and certifications and labels can be used as a product differentiator for developers. The following are recommended:
Product component lists, like the SBOM mentioned above, are being adopted as an industry security document in healthcare because they provide transparency into deployed device risk. For a more detailed discussion of Software Bill Of Materials, and how they support responsive patching programs, please see our article – The Impact of COVID-19 on Medical Device Cybersecurity.
4.1.1 Enabling Recommendation – Create or Designate Critical Technology Security Centers
Provide the US government with the capacity to test the security of critical technologies and, when appropriate, assist in identifying vulnerabilities, developing mitigation techniques with relevant original equipment manufacturers
4.1.2 Enabling Recommendation – Expand and Support the National Institute of Standards and Technology (NIST) Security Work
Congress should increase funding in support of NIST’s work on cybersecurity. Specifically, NIST should be appropriately resourced to:
4.2 Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.
Definitions
Final Goods Assembler – the entity that is most responsible for the placement of a product or service into the stream of commerce. In the case of medical devices, this could be assumed to be the medical device manufacturer.
Known Vulnerability – vulnerabilities disclosed through public sources such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) program, reported to the hardware/software developer by a third party, and discovered by the hardware/software developer themselves.
Vulnerability Disclosure and Retention – final goods assemblers, as well as software and hardware component developers, establish a process for vulnerability reporting, retain records documenting when a vulnerability was made known or discovered by the company, and maintain a vulnerability disclosure and patching policy that conforms to the requirements set out under this regulation.
4.2.1 Establish Liability for Final Goods Assemblers – Legislative Summary
Private Right of Action
Standard of Care – final goods assembler
4.7 Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.
Conclusion
The CSC final report is a call to action to the US government. Through the various strategic recommendations, the Commission is urging the United States Congress to act quickly and pass supportive legislative measures enabling private rights of action by end users harmed in cyber incidents. For medical device manufacturers, the CSC final report is also a call to action. It’s clear that the demands to provide concise, transparent information and timely responses to cyber incidents will continue to increase. Providing security documentation such as the SBOM (Software Bill of Materials) will be an expectation, and product insecurity will not be tolerated. Medical device manufacturers would be wise to begin preparing now for these sweeping reforms.
The InSight Platform uses advanced techniques to interrogate medical devices and automatically generate bills of materials. Using artificial intelligence and machine learning, the InSight Platform continuously monitors for vulnerabilities in discovered device components, enabling device manufacturers to respond proactively to the latest discovered threats.
Ken Zalevsky
CEO, Vigilant Ops
Former Head of Medical Device Cybersecurity, Bayer
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.
For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com
What if you found out there was a way to interrogate medical devices and automatically generate cybersecurity bill of materials (CBOM)? Although you may initially miss the manual effort, you and fellow MDMs can now use artificial intelligence to begin automatically generating, maintaining, and monitoring medical device SBOMs/CBOMs.
The Solution
Utilizing the cloud, the Vigilant Ops InSight platform introduces a solution for generating, updating, and monitoring device software bills of materials. The InSight CBOM Generator automatically detects the Operating System of the medical device and executes the appropriate commands to interrogate the device and inventory all of the software components.
How It Works
Your Biggest Pain Points Solved
The general consensus is that the Cybersecurity Bill of Materials (CBOM) is a valuable document that can help improve healthcare security, but it comes at a cost. And, if you are not utilizing a tool to help automate the CBOM generation process, then that cost is substantially higher.
The Stats
As a medical device manufacturer, the FDA is clear that you “are responsible for remaining vigilant about identifying risks and hazards associated with your medical devices, including risks related to cybersecurity.”
According to Health IT Security, 70% of medical devices have vulnerable software components, and with an average of 40 new CVEs being received daily at the National Vulnerability Database, disaster is looming. It is evident that the manual CBOM process can’t keep up, challenging even the most tenured security experts, without the introduction of CBOM monitoring and automation.
Why You Cannot Afford To Go Without The Vigilant Ops CBOM Generator
CBOMs are all about managing medical device cybersecurity risk and providing actionable insight in order to create a safer, more secure healthcare environment. The use of a cloud-based platform to securely generate and maintain CBOMs is a vigilant and efficient way to enable compliance, improve organizational awareness, and implement a proactive approach to medical device security within your organization.
Ken Zalevsky
CEO, Vigilant Ops
Former Head of Medical Device Cybersecurity, Bayer
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.
For more information about Vigilant Ops or the InSight Platform, please visit our website at www.vigilant-ops.com
Or drop us an email at: inquiries@vigilant-ops.com