HIPAA Survival Guide Newsletter February, 2020

A Short History of Cyber War and Why it Matters

 
Introduction
 
If you are a Compliance Officer ("CO") you must care about cybersecurity and cyber warfare; that's all there is to it. Compliance and cybersecurity are joined at the hip; they can't be separated. Like peanut butter and jelly.
 
OK. So what? Why does history matter? Because that short-lived history will astound you with events that are still applicable today as a daily lived experience for thousands of healthcare enterprises and their business associates. This history doesn't begin in 1983, but that was the groundbreaking year President Ronald Reagan watched WarGames [1] (the movie). He was so intrigued by the narrative that in a White House Briefing on a different classified topic, he stopped the discussion and asked the Joint Chiefs ("JC") and others in attendance if anyone had seen what was portrayed in the movie WarGames and whether it could really happen. The group was speechless. First, they hadn't seen the movie because it had just come out and second, they thought the Prez was being a little "nutty" since he had recently announced his "Star Wars" policy. One of the chiefs had someone in mind who could provide a quick answer to the question, and the answer came back (paraphrasing), "Mr. President, it's even worse than you think!" But despite the fact that the group was astounded by the answer, they likely gave very little credence to it. Nothing changed. Why? Because generals are always fighting that last war.
 
Four Star (****) Generals don't appear to have any interest in the geeky nonsense. If there are cyber-targets, they would rather just bomb them into nothingness; problem solved. Well, not quite. Because if you decimate the enemy you lose the opportunity to penetrate their networks in the same way they have penetrated ours. It's an offensive "opportunity cost." You don't know what you don't know. Fortunately for the USA, there were some real believers at the National Security Agency ("NSA") (i.e., you know, the agency that for sure does NOT listen to communications between Americans), and some career officers who were the best and brightest in cryptology, deciphering, and electronic espionage. They were committed to showing the DOD, JC, and the President just how easily we could be hacked. Should new defense systems require re-design, updates, testing, and implementation? What's this new problem called? Cybercrimes, Cyber War, Cybernetics, Cyber Threats? In 1994 it was ultimately named Cyber Security. With this recognition, the nation began moving from Signals Intelligence (SIGINT) to the cyber age (i.e., all intelligence taking a digital form).
 
So, how do we protect critical infrastructures like Telecommunications, Electrical Power, Oil and Gas, Banking and Finance, Transportation, Water Supply, Emergency Services, and Continuation of Government in an emergency? These components mostly relied on networks and/or computers and could be impacted by cyber threats. But then, the big question in our mind is: where is Healthcare on the list? Healthcare must be considered a key component of the national infrastructure deserving protection. Electronic Medical Records and healthcare devices are also prone to hackers, especially when they provide interoperability and sharing of patient data across the Internet. Furthermore, that information not only consists of patient medical records, but also credit cards, insurance accounts, Medicare and Medicaid billing data, and provider Fee-for-Service records. It is likely that omitting the healthcare industry from the initial "critical infrastructure list" was an oversight. Clearly, it is a critical infrastructure. Witness the trouble that could be created by adversaries if the CDC's computers were hacked right in the middle of dealing with a potential emerging pandemic threat, one analogous to what we are facing at this very moment.
 
Interestingly, an NSA project to bring down the telephone grid in several large cities was authorized as a cybersecurity study called "Eligible Receiver." This project's purpose was a demonstration of how to bring down power grids and 911 emergency communication lines for 8 cities: Los Angeles, Chicago, Detroit, Norfolk, St. Louis, Colorado Springs, Tampa, Fayetteville and the island of Oahu, Hawaii. Although this project impacted the delivery of healthcare services to needy people, its actual purpose was to pressure political leaders into removing certain sanctions that negatively impacted Cyber Security Teams and their research on cyber threats. To make matters even more explicit, the NSA took it a step further and successfully launched a similar attack on the military's telephone, fax, and computer networks.
 
Eligible Receiver consisted of a group of NSA analysts who attacked systems that the DOD and JC thought were impenetrable. The NSA thought they could do it in four days. It took one day! Many defense computers weren't protected with a password; others were protected by gimpy passwords, like ABCDE or 12345. In one case, a team member simply called the office and said he needed to reset all passwords for security reasons; he got a password without hesitation. After successfully penetrating many computers, the team left notes: "Kilroy was here." But then they did more: they intercepted communications, deleted files, and sent false emails. This is the ultimate goal of Cyberwarfare: "disrupt the norm, confuse the parties, and have them believe false information!"[2] What might happen in traditional wartimes?
 
Eligible Receiver demonstrated that the DOD was completely unprepared for cyberwarfare, yet progress continued to be SLOW. In 1997 the President's Commission on Critical Infrastructure Protection released a report that stated, "We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power."[3] 
 
With this statement, military operations began to focus on cyber threats as weapons of mass disruption! In 2009 a dedicated Cyber Command was established, with a budget that went from $2.7 billion to $7+ billion in its first three years.

Short Chronological History of Key Events

  • 1952 Establishment of the National Security Agency (NSA), America's largest secret Intelligence Agency.
  • 1980 Computers for the masses.
  • 1984 Reagan's National Policy on Telecommunications and Automated Information Systems Security.
  • 1990 Evolution and widespread use of the Internet with a new focus on electronic medical records. 
  • 1990 Air Force Cryptology Support Center established.
  • 1995 Critical Infrastructure Working Group created.
  • 1996 HIPAA becomes law.
  • 1996 Two kinds of threats to Critical Infrastructure identified: Physical and Cyber.
  • 2009 Creation of a dedicated Cyber Command. 

Still, Progress has Remained Painfully SLOW

Why is progress SLOW? Because most generals still prefer to drop bombs. I guess it's the macho thing to do. Furthermore, all of us have biases in favor of what we know works, rather than having to grok a heavy topic like cybersecurity. There are many Compliance Officers in healthcare who prefer to remain in the dark for that same reason. Ignorance is bliss until a breach occurs. It's not a question of if, but when one will occur. That's when all those things you have not been paying attention to will be available to all relevant stakeholders: (1) the executive management team; (2) the board (assuming you have one); (3) your colleagues; and perhaps (4) the offices of HHS and State Attorneys General.
 
Remember that willful neglect fines start at $50K and max out at $1.5M for identical violations. However, if you are in willful neglect of 10 distinct violations you could max out your civil monetary penalties (just for willful neglect) at over $10M. This does NOT include the cost of notifying patients when (not if) you have a Breach. The Ponemon Institute, which has been conducting Breach cost studies for nearly a decade now, states that in Healthcare it costs $400.00 per record/patient to notify. Say you had a small Breach of 10K records. You do the math. It is going to ruin your day and perhaps your career. Unfortunately, many Healthcare Compliance Officers believe that they have HIPAA wired. There are a few that do; most do not. 
 
The latter have no idea of the unknown unknowns. The smart ones, like the rest of us that struggle with complex topics, are willing to embark on a lifetime adventure of continuous education. The others, including us if we stop learning, will become roadkill on the info highway. Nothing personal. Simply the manifestation of Darwinian capitalism in a global economy. There is always someone coming after your job. You can bank on that! As we discussed earlier, the generals are always fighting that last war. It's the nature of the business they're in. They are students of military history; however, no amount of history is going to help you when your adversaries are rapidly inventing the future of cyber warfare as we speak. 
 
The Healthcare industry is especially vulnerable, a fact that the bad guys (organized crime, enemy nation-states, and enterprising hackers to name a few) are aware of. The Healthcare industry is SOFT compared to, for example, banks and financial services industries. Moreover, even the latter are NOT as prepared as they should be. Why are we not better informed about the current vulnerable state of affairs? Because for obvious reasons, including the fact that we are at war, it is not wise to broadcast your vulnerabilities to your enemies via public discussions. Many in Healthcare believe that an attack (ransomware, DDoS, etc.) won't happen to them. That's the stuff that happens to other people. And it turns out, it has been happening to other people in Healthcare A LOT. So much so that HHS is now starting to pay attention to small as well as large Breaches; even those that don't reach 500 records (a ridiculously low number to start with), the threshold that places your organization on the HHS Wall of Shame.

SCADA Systems

Hospitals generally do not have supervisory control and data acquisition systems ("SCADA") per se, because the latter is a term that is usually associated with production plants of all kinds, including but not limited to oil refineries and nuclear power plants. However, hospitals have thousands of electronic devices, now networked, that collect information on patients 24/7 365 and are ALL potential vectors for an intrusion. Imagine what would happen if an adversary were to shut down a Hospital's grid and it didn't have a redundant power supply. People would die. It turns out that we don't have to imagine this scenario; it happened during Katrina and recently in Venezuela when its grid was down for three weeks. Ah, does anyone believe that Venezuela's grid remained down for three weeks by accident? If you do, then you haven't been paying attention. Nation-states must test their cyber warfare offensive capabilities somewhere. Remember it was Americans, together with the Israelis, that launched Stuxnet against an Iranian nuclear power plant in 2007, bringing it down to its knees. Enough said.

HIPAA

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act ("HIPAA") and it became law. HIPAA included provisions to simplify administration and protect patient data confidentiality (i.e., the Privacy Rule) and included cybersecurity protections in the form of the Security Rule. The law did not go completely into effect until circa 2005. It was not taken seriously by the healthcare industry until the Breach Notification Rule was introduced in 2009 as part of the HITECH Act. Therefore, the industry writ large has arguably only been paying serious attention to cybersecurity for about a decade. Although significant progress has been made amongst the largest covered entities and business associates, progress has not been as widespread for the remainder of the industry, which in terms of numbers means the vast majority of covered entities and business associates, who remain incapable of protecting the PHI they have been charged with protecting. That status has begun to change incrementally, but not apace with what the bad guys are capable of launching. This needs to change. Understanding a short history of cyber warfare is a small step in the right direction; necessary but not sufficient. The industry must do better. Lives, not just data, are at stake.


1  Lawrence Lasker and Walter Parkes, 1990: "WarGames"
2  Fred Kaplan, Dark Territory: The Secret History of Cyber War
3  Ibid
 