This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] This episode is brought to you by CrowdStrike. Protect your health system with CrowdStrike, a global security leader. CrowdStrike has redefined modern security with the world's most advanced cloud native platform for protecting critical areas of enterprise risk: endpoints and cloud workloads, identity, and data.

Powered by the CrowdStrike Security Cloud and world class AI, the CrowdStrike Falcon platform leverages real time indicators of attack, threat intelligence, insights on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper accurate detections, automated protection, and remediation.

All this, and elite threat hunting and prioritized awareness of vulnerabilities. CrowdStrike. Unified platform, one agent, complete protection.

Welcome to the year end 2024 episode of Unhack the [00:01:00] Podcast. I thought I'd end the year by sort of cross pollinating a couple of the shows that I do. We're going to quickly roll through some of the incredibly serious and sometimes hard to believe stories that I covered on one of my other shows, The Two Minute Drill.

So buckle up, this should be fun. It's a year's worth of news in just a few minutes. Here's some you might want to know about on Unhack the Podcast.

Turns out 2023 officially became the worst year ever for major health system breaches in the U.S. 2015 held that record for the longest time, but 2023, with 734 reported breaches exposing over 135 million individual records, has taken the crown for the most protected health information exposed in a year.

Third parties, turns out, were involved in about 40 percent of the breaches reported, totaling about two thirds of all the records breached.

But about the time everybody got home from the LockBit takedown after parties, my signal and text messages [00:02:00] started to blow up with news of the cyber event going on with Optum and Change Healthcare. To their credit, they announced that once they became aware of the outside threat, they disconnected their systems.

But I also know that a lot of you disconnected from Change Healthcare to protect your organizations. And that action undoubtedly disrupted a bunch of business and clinical operations in your organizations. There's more news coming out slowly from Optum/Change on what systems were affected, but you should probably expect that they won't want to put a lot into writing until they have this figured out.

So more to come on that story for sure.

The news from Change Healthcare appears to get more drama-ish as reports start to flow that perhaps there's been a ransomware payment made to the ransomware-as-a-service affiliate partner of BlackCat, AKA ALPHV, the cyber thugs responsible for the attack. And to make it even more complicated, it now appears that BlackCat themselves then stole all the Bitcoin from the affiliate's wallet [00:03:00] before shutting down their own servers.

Maybe as part of an exit scam. There's really no honor amongst thieves. And by the way, Change has no comment on these reports.

And finally, Florida Governor Ron DeSantis signed legislation last week prohibiting people under the age of 14 from having social media accounts. In an attempt to one-up Florida, the state of Colorado has just introduced a law that would ban anyone over the age of 50 from Facebook if they fall for any of those hoax copy-and-paste scams, like the one where you copy and paste some text and it resets your system and you get all your friends back, or the one where you declare copyright ownership of your photographs so that Mark Zuckerberg can't steal them. Stop doing that.

Scammers actually search for those text strings to find you and that helps them realize that you're a gullible target for their next meal, so just stop doing that. Oh, by the way, that last part's the only [00:04:00] part in this report that's really true. Happy April Fool's Day!

Warnings have been issued by the Health Sector Cyber Coordination Center about a social engineering campaign that targets IT help desks. Cyber criminals are leveraging stolen data they've purchased from the dark web to pose as legitimate healthcare organization employees. The stolen info allows them to answer the challenge questions that the help desk asks as part of the process to reset passwords or enroll a new device for multi-factor authentication. Once that's done, the criminal has access to the user's account, can do all kinds of nasty stuff like divert your payroll check to a different account, and a whole lot of other potential damage to the organization itself.

Let's start with a very brief update on the Ascension ransomware attack. The health system is still mostly offline, but they say they're working hard to recover systems. Everyone seems pretty tight-lipped on the details beyond those I've talked to you about in the past couple of Two [00:05:00] Minute Drills, so like you, for now, I'm mostly watching the updates as they're posted at ascension.org.

And finally, researchers at Cornell University were able to build a project team of GPT-4 bots to autonomously hack websites and networks. They optimized the LLM agents, subdividing their work with one of the agents acting as the project manager while others did more specialized or complex tasks. When a task became too complicated, the project manager was able to spawn additional agents on its own.

Using real-world zero-day vulnerabilities as part of the test, the new collection of agents was 4.5 times more efficient at building an exploit for a zero-day than any one GPT working alone. So, we got that going for us.

To say it was another crazy weekend is probably a massive understatement. On Friday morning last week, we all started getting calls, including me, [00:06:00] asking, "What the hell is going on?" Because millions of machines all over the world were showing the blue screen of death, and they seemed to be unfixable. It turns out that CrowdStrike had issued something called a content update to the CrowdStrike sensor that crashed Windows machines all over the world. 8.5 million of them. Nearly any industry running a modern Windows machine and CrowdStrike was affected.

There's a story in the Wall Street Journal about the prisoner hostage swap last week with the Russians. Interestingly, there were two Russians that were not part of the swap last week. They're still held in U.S. facilities. Now stick with me. The rest of this story is all going to come together. So as an interesting and kind of nerdy aside, there's a ransomware group named Wizard Spider. That name comes from cyber analysts who track various adversaries. The Spider part of Wizard Spider's name comes from them being categorized as [00:07:00] a financially driven ransomware gang. The Wizard part of the name Wizard Spider comes from the ransomware tool they prefer to use, in particular a program called TrickBot.

Well, one of those Russian prisoners, one of those prisoners not involved in the swap last week, was convicted of developing that piece of ransomware, TrickBot, and that tool has been used extensively against U.S. hospitals and other businesses. By the way, the other Russian not included in the exchange was convicted of Bitcoin laundering, which is obviously the preferred tough-to-trace currency that's used by cyber thugs all over the world.

When Microsoft and Google announced they were giving away free stuff back in June as part of a cyber assistance program they'd been working on with the government, I know a lot of us were skeptical. Turns out, as of today, less than a quarter of all rural hospitals have taken advantage of the program.

Those programs continue to be open. I've not heard of an end [00:08:00] date. This kind of stuff is always worth exploring, but I think at least part of the challenge is that those small hospitals don't have the staff with enough hours in the day to evaluate those free programs, let alone implement and run the products that are being offered.

It's not a stuff problem I think we need to solve for. It's a human resource shortage problem that's actually holding up the show for many of these small hospitals. So my advice to the partners involved: offer a bunch of free services, permanently, and I think you'll get some very thankful takers.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, may be ready for yet another update. According to sources, we'll likely see a new proposed rule from HHS being issued for comment sometime this year. The update will be focused on the HIPAA security rule in an effort to strengthen and clarify those requirements in our ever changing [00:09:00] environment.

Of course, HIPAA was written into law in 1996, but it doesn't stand alone. It's been updated as part of the 2009 HITECH Act. And there's been case law over the years and new and updated regulations that are tied to the security rule. And all of that means that there's a lot of stuff to sort through to really understand both the spirit and the letter of the law and the associated regulations. The new proposed rule, and again, that'll be published for comment soon, will hopefully make the security rule easier to understand and interpret, hopefully.

Way back in 2010, I was at a conference and I met one of the folks from 23andMe, and they told me what they were doing and how I could find out all kinds of cool stuff about my health and my background through a simple test that I could do at home. And they gave me a coupon for a free test kit. So I did it, and I got my personalized reports, and it was pretty cool.

Pretty great insight. Actually, I'm way more Irish [00:10:00] than anyone in my family ever told me, which kind of explains now my affinity for St. Patrick's Day. Anyhow, I didn't really think much at the time about how my data would be used, all the ramifications of my DNA being used in studies, or how that DNA data in the wrong hands could turn out to be a real problem for me.

I'd given up a lot of privacy for a little information, probably not the smartest thing I've ever done, but I've done some pretty dumb stuff. So anyhow, two of the stories at thisweekhealth.com/news are about problems at 23andMe and a similar British company called Atlas Biomed. It appears both are navigating some tough sailing from a business perspective.

Atlas Biomed customers have lost access to their online DNA profiles, and many customers are now worried about what happens to their private data if or when that company is sold. And 23andMe is on its own difficult path financially. Over the [00:11:00] past few years, the stock has sunk from being priced higher per share than Apple to now being on the verge of being delisted.

23andMe is worth just 2 percent of what it once was. But again, it's the sensitivity of the data that is the big concern for most of us and what happens to that data when times are tough for these kinds of companies.

Okay, today's episode is all about one problem, but there's a bunch of different stories from a bunch of different sources on it, and the story is one that I've talked about before, too: Salt Typhoon. Chinese hackers now appear to be in at least eight U.S. telecommunication carriers, and there seems to be no great way to get them out.

Those telecom firms and a couple of dozen other nations who are experiencing similar attacks are working together on the problem as it sprawls from one company to the next. The hackers have had access to private text and phone conversations [00:12:00] for an unknown number of Americans, including senior officials and political officials and business leaders.

But again, the scope of the attack is still very much a mystery. And since nobody's been able to get these thugs out of their networks, and everything's connected to everything else, and apparently now we're understanding that this problem has been going on for a couple of years, I'm hoping this isn't one of those things where to get rid of the bedbugs we have to burn the whole house down.

In the words of Fast Company writer Sam Becker, if you've ever wondered what it's like to be sucked into the plot of a Tom Clancy novel, millions of Americans are getting a taste of it this week. Who knows when and if this ever gets resolved. It's a good time to do the right thing regardless when it comes to encryption.

This is obviously a developing story and I'll keep you posted.

Wow, that went fast. I hope you liked it. We'll be back in 2025 with our regular shows, an incredible lineup [00:13:00] of 229 project events, summits, and city tour dinners, and some stuff I can't really talk about right now. Thanks for joining me today. Stay a little paranoid. I'll see you next year.