Congressman Wants Ransomware Attacks To Trigger Breach Notifications (onthewire.io)
Trailrunner7 quotes a report from On the Wire: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations. "I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can't access patient information," Lieu said in a statement. He sent a letter to the deputy director for health information privacy in the Office of Civil Rights at HHS, Deven McGraw, asking him to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality that's necessary to provide patient care. In the past, Lieu has called for a full congressional investigation into the aforementioned widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages.
He was also one of the first lawmakers to publicly express his pro-encryption view after a federal judge ordered Apple to help the FBI break into the San Bernardino shooter's iPhone, saying it effectively "forces private-sector companies like Apple to be used as an arm of law enforcement."
Re: (Score:1)
Recipe for disaster (Score:3, Interesting)
Re: (Score:3, Insightful)
It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.
Re: (Score:1)
It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.
This isn't true. If a breach occurs it is almost always because of an incompetent IT person and/or a person with authority over the IT person who demanded something be bypassed for convenience (such as password limits or expirations). A properly configured network is typically able to block malware and ransomware before it ever makes it to the point of being able to compromise a faulty node within a system. There are some rare exceptions but they are extraordinarily rare and come to light regardless of
Re:Recipe for disaster (Score:4, Insightful)
All ransomware compromises ARE malware compromises. Therefore, any files accessed on that computer during infection, or data accessible to the operating system and programs running on a compromised computer, need to be considered breached data...
The same with any malware compromise where exfiltration could possibly have occurred.
The standard of "We have no evidence proving that data was breached" needs to be specifically disallowed as a reason to not send a breach notification.
Re:Recipe for disaster (Score:4, Insightful)
I agree. You can only assume the ransomware is not doing anything other than a cash shakedown to get the encryption keys.
The reality is someone had code execution on your stuff and access to files. It's a breach; I think this is pretty straightforward.
To suggest otherwise rates right up there with "kinetic military action".
Re: (Score:1)
Re: (Score:3, Insightful)
There is no reason to assume.
There is every reason to assume.
You don't know the ransomware was the only payload; there could be something still there you don't know about.
You don't know that after the exfil job was completed the software did not self delete those parts of it.
You don't necessarily know how it got there, and if something else could be delivered the same way in the future.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There is no reason to assume. All malware can be decompiled and analyzed to see what it does.
No, assuming it probably did is the correct action; to do otherwise is to take a biased position irrationally dismissing the real likelihood of many different things having occurred besides what you found.
Most of the reasons to think "everything that happened has been found" for a real-world system post-breach are along these lines, either:
(2) You were responsible for that system, or liability or reputation i
Re: (Score:2)
Let us ignore for the moment that you cannot spell and take your argument to its logical conclusion.
Since we are not going to examine the system and just assume that they now have access to the files and report based on the assumption,
I propose that if a system is in any way connected to the outside world, that system should also be assumed to have been breached. Every day. Now we no longer have to examine things or have evidence or anything.
BREACH! BREACH! BREACH!
The realit
Re: (Score:1)
Yes, it's inconceivable that a program could encrypt many critical files on a system AND connect to port 80 on a random external server AND send a POST request.
Your IT experience may be nonzero, but it's apparently complex, because it looks from here like the imaginary component is much larger than the real component.
Re: (Score:2)
You think that these systems are set up so that any random software can initiate connections to servers outside of the corporate network?
You truly believe that these systems are set up this way. That these rogue chunks of code are allowed to make whatever connections they want?
In a system like you describe, you would have to assume that such a system is in fact compromised every single day.
Again.
You have no knowledge of
Re: (Score:2)
Your arrogance belies your true ignorance in security principles.....
It doesn't matter what external security systems you think are in place.
After you have found a breach so deep into your network, then obviously those systems all failed, otherwise you would not have had an intrusion incident on your hands.
then you would have to assume that such a system is in fact compromised every single day.
When you have a network, no.... You don't initiate a breach response or treat it as an incident, as long a
Re: (Score:2)
If you do have that kind of access to a system like that, encrypting files and showing yourself would be fucking stupid. No one with that kind of pwn on your system would do that. Period.
Re: (Score:2)
OK, dumdum, I have ACTUALLY tested hospital networks and I know for a fact that any data that a process can read, it can exfiltrate. That is not a conjecture, it is an actual observation.
Get some real world experience and while you're at it, get some manners.
Re: (Score:2)
The fact that ransomware was able to operate pretty much PROVES that yes, it's possible the system makes arbitrary connections out to the internet. One of the first things ransomware does is generate some key information which goes to their command and control center before files start getting encrypted.
Re: (Score:2)
Again
If you have none of that shit then you are compromised. Even if you do not have ransomware alerting you to the fact.
Re: (Score:2)
If you have none of that shit then you are compromised. Even if you do not have ransomware alerting you to the fact.
No... most people have none of that "shit", and it does not mean they are compromised.
You are confusing "Insecure" and "At risk" with "Known Incident", which is ridiculous and absurd.
Weak security and lack of detective controls is not the same as already being compromised, full stop.
Also, even if you have these things; it's not necessarily going to be logged.
There are ways of
Re: (Score:2)
Re: (Score:2)
What I assume is that they are HIPAA or PCI compliant.
And that the person clicking on emails and browsing the web is not logged in as the server root or domain admin.
There is a world of difference between getting the ability to encrypt local files and having these credentials. Of course, as I said earlier, if your HR person is clicking random emails and visiting websites while logged in as server root or domain admin,
then you take the next step and do not even wait for ransomware. You are
Re: (Score:2)
It is much more difficult to wipe evidence of a hack like that in a secure system.
Malware often circumvents logging mechanisms. The "cleanup" is the copy of itself to prevent analysis, not logging data. Doing a low-level read on a file and sending the compressed version of the data somewhere else over a DNS tunnel does not produce any log entries on a file server.
Re: (Score:2)
HIPAA (Score:3)
Re: (Score:2)
Probably for the best (Score:5, Insightful)
Ransomware isn't the only thing dropped onto a system in most attacks. And we can't bank on ransomware not exfiltrating a couple of encrypted documents along the way.
If the ransomware hit, what other breaches occurred that they weren't aware of?
Terrorists (Score:3)
These people are basically terrorists--they are threatening the lives and well-being of millions of innocent American civilians. Let's make them a national security priority.
We have fought wars over less.
Re: (Score:1)
I completely agree. Senators and hospital administrators are a threat to America.
Re: (Score:2)
Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.
Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.
Re: (Score:2)
Terrorism is doing those things for political purposes. If their motive is money, it isn't terrorism.
Holding someone hostage during a bank robbery poses the threat of their death, but we don't call it terrorism.
There has been a lot of debate about the meaning of terrorism over the years; you are right that the lack of a clear political motive suggests this does not fit into most of those definitions. However, I would submit that an asymmetric attack made by people out of uniform deliberately threatening the lives of a large number of civilians should be considered a terrorist attack and should be treated like one.
They aren't already? (Score:5, Interesting)
I thought a "breach" was "someone gained unauthorised access to data, typically a person's private data"?
Or has it magically been watered down to "it's only a breach if the data has been proven to have made its way off the premises"?
If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise, so yes, ransomware should be classed as a breach and notifications should be issued! It certainly indicates that the data was not truly secure in the first place, at the very least!
Re: (Score:1)
In the past companies hid breaches to prevent them from becoming public, it was a PR issue so most people assumed breaches were rare. Nowadays it probably makes more sense to flip things around and assume every datastore has been compromised. Especially the ones that were built on top of Microsoft Windows infrastructure because of the number of attack vectors available towards that particular OS. Given its proprietary nature it's impossible to build a secure system on top of Microsoft's offerings.
Second
Re: (Score:2)
Not necessarily. PHI data may have been encrypted when stored on disk. Ransomware infection re-encrypts data, making it unusable for its intended purpose, but PHI data, even if it managed to leak out, is still protected.
Another scenario which is probably much more likely is PHI is kept on a secured server. Client computer becomes infected. PHI was never compromised. Does that still trigger a notification?
Re:They aren't already? (Score:4, Interesting)
Precisely this. I'll use 3 examples from current clients.
We've been fairly fortunate in what customers ended up infected with and have actually arranged things so there's very little impact if customer end-users end up infecting a local desktop via streaming a radio station or the like, but if customers have to report breaches for infections even on systems that don't have patient data stored or accessible that's going to turn into a real headache.
Re: (Score:2)
No, because no patient data ever hit the local PC.
Re: (Score:2)
I thought a "breach" was "someone gained unauthorised access to data, typically a person's private data"?
After a breach, they will use some bullshit excuse like: "We have not found evidence that any customers' data has been downloaded by the intruder."
And if they did find evidence, the breach notification goes out only to the customers they found specific evidence of the attacker downloading.
Re: (Score:1)
If the data has been accessed by unauthorised persons, there is no way to be 100% certain that it hasn't made it off premise (..)
There is: if the system(s) in question are air-gapped, or on a LAN that has no external network connections. Malware (ransomware included) could still make its way onto such systems. Let's say through an infected USB stick.
For real-world scenarios that's mostly a hypothetical case I suspect. While in theory that USB stick could compromise an air-gapped system, retrieve sensitive data, and then upload that data when it (later) gets plugged into another machine that does have internet access, that's more a
It's a fine line... (Score:1)
Re: (Score:2)
They should make ransomware illegal (Score:1)
That would put a stop to it.
How about money for REAL ITSEC? (Score:2)
Then let's cover the fact that IT should have more power and say than administration or the doctors. If John in IT says no, you can't have your iPad on the network, then it's FUCKING NO!
What is needed is HIPAA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done, suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.
Re: (Score:1)
That's not the sum of IT's job. If the system is unusable they are not doing their job. Face it, IT sucks most of the time: "Just use this unwieldy password, we can't be arsed to implement security that is both more secure as well as easier and fast to use." That's the reality of IT, not some bullshit about not being allowed to lock all computers in a safe.
Re: (Score:2)
If John in IT says no, you can't have your iPad on the network, then it's FUCKING NO!
No iPads but plenty of Microsoft Windows workstations? In a post about ransomware? That's the worst example in history. I wish I could replace every single Windows PC with an iPad. We'd never have another malware infection again.
What is needed is HIPAA regs appended so that the guys in charge of the hospital making the most money are PERSONALLY RESPONSIBLE for any data breaches or attacks. If this is done, suddenly IT will be allowed to do their job and isolate critical systems from easy attack vectors.
Won't stop a nurse from giving her password to someone else. What you do is hold the clinician accountable, which is exactly what HITECH [hhs.gov] does.
Re: (Score:2)
It's the recent history where all the doctors in many hospitals saw the latest tech shiny and forced their IT departments to allow and support them on the network. It's only after this power play is completed that the clinicians realize that iPads are very poor devices for interfacing with medical records and aren't good for many other work-related tasks either.
Huh? I'm an Apple-hater, but I'll happily admit that iPads simply do not have the level of problems with malware that Windows PCs do. The entire r
Re: (Score:2)
There's also the whole screenshot problem, where iOS presents an old screenshot of an application on launch to hide the true application start time; this means that there could be a MR in the screenshot cache even though policy dictates there shouldn't be any medical records stored locally.
iOS devices are all encrypted with AES256 and we require them to have passcodes. As soon as the device is lost we remotely wipe it via MDM.
https://www.apple.com/business... [apple.com]
Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient.
There's not a nice way to say this: you have no idea what you're talking about and clearly do not work in healthcare or know anything about the management of iOS devices, especially in the enterprise.
I Agree With The Naysayers (Score:1)
How come I smell the price of an aspirin going up? Thanks again, congress.
A powerful California congressman? (Score:1)
Shouldn't all congressmen (and congresswomen?) have the same power?
Let's rename "data breach" to ... (Score:5, Funny)