Security News Survey – March 22, 2019

This week, we look at a cyberattack on a global manufacturer, three more healthcare data breaches, and the cybersecurity battle by lawmakers in Canada and the U.S.

It’s been another busy week across the world, and cybersecurity has been front-and-center. Let’s start with a quick look at the biggest headline of the week: a ransomware attack that brought down a massive global manufacturing company.

Major aluminum manufacturer crippled by ransomware attack

Norsk Hydro, one of the world’s largest aluminum producers, fell victim to a major cyberattack this week. According to an initial statement from the Norwegian manufacturer, it detected a ransomware infection originating in one of its U.S.-based plants around midnight on Tuesday, but the detection came too late. Norsk Hydro’s global network was taken offline immediately, with production and operations everywhere screeching to a near-complete halt. In most areas, the company switched to manual operations.

Norsk Hydro has been scrambling since Tuesday to get its operations back up and running. Unfortunately, the process has been slow, and Norsk Hydro isn’t willing to give an exact estimate of when business as usual will resume. At the time of writing, the company is still operating at only half capacity, with many units still shut down entirely to avoid further infection. So far, it’s been a painful saga to watch unfold—a sobering reminder of the damage a cyberattack can inflict.

Three more healthcare companies suffer data breaches

More than 270,000 patients using Zoll medical devices are being notified that their personal information—names, addresses, dates of birth, etc.—may have been compromised in a data breach. According to the company’s report to Health and Human Services (HHS), the breach occurred during a server migration conducted by a third-party service responsible for archiving Zoll’s email communication. No foul play has been reported as a result of the breach, but it has clearly been a wake-up call for the company. Zoll is conducting an internal investigation and reevaluating its third-party services for cybersecurity gaps.

In Vermont, 10 employee email accounts were compromised at Rutland Regional Medical Center late last year, affecting more than 72,000 patients. It appears the hacker may have been able to retrieve data including names, Social Security numbers (SSNs), dates of birth, medical record numbers, medical information, insurance information, and more. The company has been investigating the attack since December 2018, but patients only started receiving notifications at the end of last week.

Although the cause of the breach hasn’t been confirmed, these types of incidents are often the result of phishing, which is exactly what happened at Oregon’s Department of Human Services. A data breach of Oregon’s DHS was revealed this week, with more than 350,000 patients potentially impacted by compromised email accounts. According to reports, nine employees fell victim to a phishing attack, allowing hackers access to nearly 2 million emails that contained patient information like names, addresses, dates of birth, SSNs, and more. Incidents like this continue to build the case for better security training for employees everywhere, including lessons on how to spot phishing emails.

Federal budget in Canada sets aside money for cybersecurity

The 2019 Canadian federal budget was proposed this week, with at least $348 million earmarked for cybersecurity. Initiatives include critical infrastructure protection via the Communications Security Establishment (CSE), cybersecurity awareness programs, improved information sharing between G7 nations, education about online disinformation, and more. The budget also includes specific line-items dedicated to protecting democracy and election integrity—an issue that is top of mind in the lead up to the federal election later this year.

U.S. lawmakers try again for IoT security standards

Senators from both sides of the aisle have introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019—the third attempt in recent years to create security standards for connected devices sold to the government. But instead of outlining a list of security recommendations, the bill taps the National Institute of Standards and Technology (NIST) to create guidelines that will set a cybersecurity baseline for these devices.

We’ve all seen the damage that can be done by compromised IoT devices, but legislating to protect against such attacks isn’t clear-cut. Previous legislative attempts have failed due to widespread resistance from device manufacturers, and there’s a virtual minefield of issues associated with drafting language that is either too strict or too vague. This bill hopes to find a middle ground, calling for NIST to set guidelines and review them every five years. So far, the response to the bill isn’t promising, but we can only hope that it’s another step in the right direction. While the law wouldn’t set the standard for every device sold in the U.S., federal procurement requirements can have a major influence on device standards for consumers, too. We’ll have to wait and see how this unfolds.