An NSA report leaked to a US media outlet indicates that Russian intelligence agents hacked computers belonging to a voting systems manufacturer just weeks before the November 2016 presidential election. The stolen information is believed to have been used in a spear phishing campaign. A government contractor has been arrested in connection with the leak.

 

Editor's Note

[Stephen Northcutt]

Read more in:

- http://thehill.com: Russians hacked US voting systems maker just before election
- http://thehill.com: Gov't contractor charged with leaking classified info to media
- https://www.wired.com: Feds Charge NSA Contractor Accused of Exposing Russian Hacking

The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect's location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record.

 

- https://www.nytimes.com: Supreme Court Agrees to Hear Cellphone Tracking Case
- https://arstechnica.com: Supreme Court agrees to rule if cops need warrant for cell-site data
- https://www.cnet.com: Supreme Court to hear case on tracking phone location data

WikiLeaks has published information about a purported CIA cybertool that can infect computers through file servers. Known as Pandemic, the tool can be used to turn Windows file servers into machines that distribute whatever malware the attacker wants to use. When a computer that the tool wants to infect tries to access a file on the server, the computer is served a malicious version of that file.

 

- https://arstechnica.com: WikiLeaks says CIA's "Pandemic" turns servers into infectious Patient Zero
- https://www.bleepingcomputer.com: CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB

The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients' safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft.

 

Editor's Note

[John Pescatore]
A solid set of recommendations but a lot of focus on new frameworks, regulations, etc. vs. overcoming obstacles that caused decades of talk about and spending on security and privacy around personal health information and medical equipment with very little actual progress. While the Critical Security Controls were not specifically cited, good to see basic security hygiene concepts sprinkled across the higher priority recommendations.

[William Hugh Murray]
Legislation is difficult; HIPAA is the example. Few laws were better intended; few have had such perverse effects. Health data duplication has increased, much of it still on paper. "Portability" is a joke, privacy and security breaches routine, use of IT sparse, expensive, ineffective and despised by the service providers. After twenty years we still wait patiently for any of its promises to be met. IT "modernization" may be necessary but it will be difficult under the law and far from a solution to all the problems.

Read more in:
- http://thehill.com: Federal task force: Here's how to fix healthcare cybersecurity
- http://fifthdomain.com: HHS Cyber Task Force wants better partnerships, stronger federal leadership
- https://www.phe.gov: Health Care Industry Cybersecurity Task Force (PDF)

The US Department of Veterans Affairs is moving from its legacy electronic health record (EHR) system to a commercial, off-the-shelf product that is also used by Defense Department (DoD). The VA will drop its Veterans Information Systems and Technology Architecture (VistA) and switch to the MHS Genesis HER system. The move means that military personnel's EHRs can move with then from DoD to VA once they retire from the military. The VA's system will have additional capabilities so it can interact smoothly with its healthcare partners around the country.

 

Editor's Note

[Lee Neely]
The VA plan calls for participation from clinicians, read customization, and the 2018 budget calls for a $218M cut to IT spending, which, in combination can cause a project like this to fail. Management of the scope and adequate budget are crucial for success and should be planned before they start. I worry the VA is not considering the migration effort nor the resources required to run in parallel until the cutover completes.

Read more in:
- https://federalnewsradio.com: Shulkin announces new direction for VA electronic health record
- http://thehill.com: VA to use same electronic health record system as military

The EternalBlue exploit that was used in the WannaCry ransomware attacks is now being used to distribute the Nitol backdoor and Gh0stRAT malware. The exploit takes advantage of a flaw in the Windows Server Message Block (SMB) networking protocol.

 

 

At its Developers Conference this week, Apple said that the newest version of its safari browser will automatically block autoplay. Another new feature, intelligent tracking prevention, will block websites from tracking users' browser data, which means users will no longer see searches conducted on one site appear as advertisements on another.

 

- https://www.cnet.com: Safari will automatically block those annoying autoplay videos
- https://www.recode.net: WWDC 2017: Everything important Apple announced at its big event

According to a report from the US Government Accountability Office (GAO), the Federal Deposit Insurance Corporation (FDIC) needs to do more to improve its information security controls. The report also notes that while the FDIC has implemented "numerous information security controls intended to protect its key financial systems," there are still concerns regarding access controls and the isolation of its financial systems from the rest of its network.

 

- https://fcw.com: FDIC dinged again for inadequate infosec
- http://www.gao.gov: FDIC Needs to Improve Controls over Financial Systems and Information (PDF)

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG's findings: HHS "faces challenges to protect the privacy and security of the data it collects and maintains."

 

- http://www.nextgov.com: Health Data Security Tops HHS' List of Challenges
- https://oig.hhs.gov: Semiannual Report to Congress: October 1, 2016 to March 31, 2017 (PDF)

According to data obtained from the UK's Information Commissioner's Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats.

 

- http://www.theregister.co.uk: Healthcare tops UK data breach chart - but it's not what you're thinking