Category Archives: News

Sea Mar Accused of Negligence Over Data Breach

Seattle healthcare provider facing lawsuit over exposure of 688,000 individuals’ PHI

IRS: Selfies Now Optional, Biometric Data to Be Deleted

The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency’s identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.

“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.

“Taxpayers will still have the option to verify their identity automatically through the use of biometric verification through ID.me’s self-assistance tool if they choose,” the IRS explained. “For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.”

In addition, the IRS said it planned to roll out Login.gov as an authentication tool for those seeking access to their tax records online. Login.gov is a single sign-on solution already used to access 200 websites run by 28 federal agencies.

“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov, with the goal of moving toward introducing this option after the 2022 filing deadline,” the agency wrote.

The IRS first announced its partnership with ID.me in November, but the press release received little public attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me.

The IRS says it will require ID.me for all logins later this summer.

That story went viral, and the ensuing media coverage forced the IRS to answer questions about why it was incentivizing the collection and storage of biometric data by a private company. On Feb. 7, the IRS announced its intention to transition away from requiring biometric data from taxpayers who wish to access their records at the agency’s website, but it left unanswered the question of what would happen with the facial recognition data already collected by ID.me on behalf of the IRS.

In a letter to the IRS this month, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements, saying login.gov is perfectly up to the task if given all of the resources and funding it deserves.

“Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity,” Wyden wrote. “The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

GitHub makes Advisory Database public to improve software supply chain security

Software development platform GitHub has made its Advisory Database open to community contributions, allowing anyone to contribute insight and intelligence on security vulnerabilities to help improve software supply chain security. The full contents of the database will also now be published to a new, freely accessible public repository under a Creative Commons license. Experts say data sharing of this kind is key to improving the security of software supply chains and addressing software-related risks.

Security community to benefit from free and open data

Millions of developers and companies use GitHub to build, ship and maintain software. By making its Advisory Database publicly open to community contributions, the firm said security researchers, academics and enthusiasts will be able to provide, share and benefit from additional information and context to further the community’s understanding and awareness of security advisories.

Report: Missouri Governor’s Office Responsible for Teacher Data Leak

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.” On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their own information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”

A New Cybersecurity “Social Contract”

The US National Cyber Director Chris Inglis wrote an essay outlining a new social contract for the cyber age:

The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each. Such a shift is momentous but not without precedent. From the Pure Food and Drug Act of 1906 to the Clean Air Act of 1963 and the public-private revolution in airline safety in the 1990s, the United States has made important adjustments following profound changes in the economy and technology.

A similarly innovative shift in the cyber-realm will likely require an intense process of development and iteration. Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense. Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Finally, both the public and private sectors must commit to moving toward true collaboration — contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.

The devil is in the details, of course, but he’s 100% right when he writes that the market cannot solve this: that the incentives are all wrong. While he never actually uses the word “regulation,” the future he postulates won’t be possible without it. Regulation is how society aligns market incentives with its own values. He also leaves out the NSA — whose effectiveness rests on all of these global insecurities — and the FBI, whose incessant push for encryption backdoors goes against his vision of increased cybersecurity. I’m not sure how he’s going to get them on board. Or the surveillance capitalists, for that matter. A lot of what he wants will require reining in that particular business model.

Good essay — worth reading in full.

LiveAction tackles encryption blindness with new offering

Encryption can keep bad actors from peeking at critical data, but it can also allow them to hide malicious activity from network defenders. That’s why LiveAction, a network visibility company, has introduced ThreatEye NV, a platform that gives SecOps teams powerful tools to find threats and anomalies in encrypted traffic.

“In 2014, about 30% of traffic was encrypted. Now it’s 80% to 90%. By the end of 2025, it will be almost all traffic,” says LiveAction Director of Product Marketing Thomas Pore. “For a network defender, this creates a problem. If you’re unable to get visibility into these encrypted tunnels and connections, how can you identify threats?”

AT&T Cybersecurity Insights Report: A Focus on Healthcare

Healthcare in digital transformation

As healthcare organizations digitally transform themselves to better serve a post-pandemic world, the prevailing goal in the past year has been to safely extend health services beyond clinical walls. Whether to power pop-up clinics or telemedicine, this is driving the healthcare technology stack out to the edge. And to keep patient care confidential and compliant no matter where data flows, the heavier reliance on edge computing is pushing healthcare organizations to transform their cybersecurity controls and practices in lockstep with innovation.

These were the themes illustrated in this year’s healthcare breakout of the 2022 core AT&T Cybersecurity Insights Report: Securing the Edge. Released this week, AT&T Cybersecurity Insights Report: Securing the Edge - A Focus on Healthcare details the use cases, the risks, the challenges, and the opportunities for healthcare organizations as they work to secure their organizations, from core to edge, in the coming year.

Healthcare use cases driving edge momentum

Survey data from the 2022 AT&T Cybersecurity Insights Report found that 74% of healthcare organizations globally are planning, have partially implemented, or have fully implemented edge use cases.

The confluence of events stemming from the pandemic accelerated healthcare edge computing, driving edge momentum across a number of non-traditional clinical settings. For example, virtual care services surged during the pandemic, as they are convenient for consumers and help reduce healthcare costs by providing care in settings such as patients’ homes. Unsurprisingly, analysis of report results showed that among the 43% of organizations that say they’re at the mature stage of deploying to the edge, consumer virtual care is the leading use case.

Meanwhile, hospital-at-home use cases are rapidly driving planning and proofs of concept in the mid-stage of edge adoption. Edge computing capabilities such as processing data where it is consumed or produced, along with the lower latency provided by 5G architectures, will enable other use cases, such as tele-emergency medical services and autonomous mobile robots and drones in hospitals, that can build on the pioneering healthcare edge computing use cases identified in this report.

As part of the analysis in this year’s report, survey respondents were asked about the perceived risk of the most prevalent industry edge use cases, including a self-assessment of the likelihood of compromise and the impact of compromise. Healthcare use cases had the lowest perceived risk among all six industries broken out by the report. This could indicate that the experiences wrought by the transformative pivots during the pandemic, as well as healthcare’s response to increasing cyberattacks, particularly ransomware attacks, in recent years, have helped speed up cybersecurity maturity of late.

When it comes specifically to the most common edge use case of virtual care, it has an average perceived risk across all edge cases, but it also has the highest perceived impact from an attack.

Healthcare infrastructure is hybrid heavy

The survey from the 2022 core AT&T Cybersecurity Insights Report showed that the hybrid approach is dominating architectures for edge networks and security controls across all industries. Healthcare very much follows this broader trend: healthcare organizations exhibit an almost 50-50 split between those whose security and network roadmaps combine cybersecurity and network functions in the cloud through frameworks such as secure access service edge (SASE) and Zero Trust, and those that do so with on-premises tools such as traditional network and security appliances.

One thing that is clear is that healthcare risks are increasingly clustering around edge and cloud assets. The study shows that while for most other industries ransomware attacks are the number one concern, healthcare sees two other attack vectors as top-of-mind ahead of ransomware: the potential for attacks against servers or data at the network edge, and attacks against associated cloud workloads. The study found:

63.8% of healthcare organizations ranked attacks against server/data at the network edge as cyber threats of highest concern to them
63.4% of healthcare organizations said attacks against associated cloud workloads were some of the riskiest future attacks against them

Legacy cyber controls demand healthcare balancing act

Healthcare respondents rank intrusion and threat detection, multi-factor authentication, data encryption at rest, and endpoint and device monitoring as the most efficient and effective security controls at their disposal.

Legacy cybersecurity controls, those with traditional on-premises architectures, remain the backbone of healthcare cybersecurity at many organizations. The study found that:

45.7% of healthcare organizations plan to combine cybersecurity and network functions on-premises
37.4% of them will implement cybersecurity with multiple cybersecurity-only functions on-premises
22% will implement cybersecurity utilizing single-function cybersecurity functions on-premises

Given the attention and concern over cloud computing attacks, this heavy emphasis on legacy on-premises cyber controls might come as a surprise. But data from the survey across all industries shows that much on-premises infrastructure remains so for a myriad of reasons, including:

legacy infrastructure that is not yet ready to be retired,
concerns about data residency or regulatory issues, or
lingering prejudices against cloud usage in certain high-risk use cases.

This dynamic, combined with accelerating edge deployments, means that healthcare organizations will need to balance network and security controls with flexible architectures that can ensure security in the most complex hybrid scenarios.

Healthcare cybersecurity investments aligned with shared responsibility models

One of the heartening thematic threads woven through the body of healthcare data collected for the 2022 AT&T Cybersecurity Insights Report was the fact that healthcare organizations are leading with a security-first mindset when it comes to technology innovation. As hospitals had to open up remote testing sites, remote clinics, telemedicine functions and more during the pandemic, leadership increasingly understood how important security was to enabling business success.

Our study shows that some 44% of healthcare organizations are going to spend between 11% and 20% of their overall edge use case budget directly on security. That is a significant investment, and it indicates progress in mindset compared with previous iterations of this report. The 2021 AT&T Cybersecurity Insights Report focused heavily on the growing importance of shared responsibility models in the age of edge compute, as responsibilities are spread across cloud service providers, 5G carriers, and enterprises. In 2021, survey data revealed that many organizations were planning to use only 1% of their total project budgets for security in the planning phase. The results here clearly show that organizations are recognizing they will need to invest more to safeguard digital assets all the way to the edge.
