Last Month in Security Episode 006: Chaunda Dallas – Healthcare Security from the Frontlines
In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Chaunda Dallas, MSIT, who went from emergency room nurse to healthcare cybersecurity specialist on her journey to safeguard patients and their most sensitive data.
First off, we take a look at a Microsoft advisory regarding an affiliate attacker dubbed Vanilla Tempest, who was observed leveraging the JScript-based GootLoader malware to drop INC ransomware.
GootLoader is typically spread via SEO poisoning and watering-hole attacks by a threat actor tracked as Storm-0494, and Vanilla Tempest is assessed to be associated with Vice Society, which has not been very active recently. They have previously been observed dropping BlackCat, Quantum Locker, Zeppelin, and Rhysida payloads.
Then we dive into some post-event regulatory and legal actions which, of course, benefit significantly from hindsight. Looking back at a chain of events is a much different perspective than making decisions in real time before or during an attack.
So, does that make these critical assessments just Monday morning armchair quarterbacking after the fact? Well, much of the SEC's case against SolarWinds was recently dismissed for this very reason.
The SEC had claimed that SolarWinds' website overstated their compliance with government standards in implementing strong password protections and following a secure software development protocol, insisting that internal conversations uncovered in the investigation suggested otherwise.
The judge in the case disagreed, stating that the regulations in question were for financial controls, not security controls. Subsequently, most of the case against SolarWinds and their CISO was dismissed.
Three other, very different, cases from last month also call into question whether it is fair to deeply scrutinize security decisions well after the fact, with all the post-event information in hand.
Case 1 involved Enzo Biochem, a biotech company that was ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.
Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade. Clearly there were egregious lapses in security here – not a best effort.
Case 2 involved attackers accessing Lehigh Valley Health Network (LVHN) and deploying ransomware after exfiltrating healthcare data. The brunt of the enforcement actions involved the attackers leaking sensitive images of breast cancer patients.
A class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data, although there was no indication of poor security practices of the kind we saw with Enzo Biochem, so for the sake of discussion we assumed that none had occurred.
As security pros, we know a determined attacker with enough resources will eventually succeed – so is any and every organization that handles sensitive data basically facing default judgements when they get popped?
Case 3 involved over 2.7 billion records being exfiltrated in an attack on a company called National Public Data, where the information eventually found its way to a hacking forum. The breach resulted in a class action lawsuit against National Public Data for failing to protect this sensitive information.
What is interesting about this case is the fact that the information that was compromised had been scraped from public sources by National Public Data, which aggregates and sells the data for background checks and other purposes.
First of all, we all agreed that nearly everyone’s personally identifiable information has been exposed in a breach by now – we have all received at least one if not many breach notifications and offers for free credit monitoring, yada yada.
So, we discuss whether an org can face regulatory or legal action if the data in question was already exposed in other attacks, or if the data was scraped from public-facing sources and aggregated, as in this case.
Finally, we discuss a Chainalysis report that revealed that ransomware attacks are “firmly on track for the worst year on record.” A record $1 billion in ransoms was paid in 2023, according to their previous report.
But it looks like the crisis has deepened in 2024, with over $459 million extorted in the first half of the year alone. This marks a $10 million increase from the previous year, signaling a worsening trend.
The point is punctuated by reports that the Dark Angels ransomware gang recently netted a record $75M ransom payment. But is the problem even bigger? Previously we talked about the FBI infiltrating the Hive ransomware gang a few years ago and estimating that only 20% of attacks are reported.
It’s hard to say, because private companies don’t have to report anything unless they are subject to regulations or have contractual obligations to report. And what about the emerging trend where not just the victim company is extorted, but also third parties and even individuals?
Anthony Freed offered a dire prediction: he can see ransomware operators moving to a monthly subscription model for individual victims whose very sensitive data has been compromised, where they are required to pay an ongoing fee to assure their personal/private PII/PHI is not made public.
Ooof. That would be truly mafia style – just keep the tributes coming...
About Our Guest:
Chaunda Dallas, MSIT, is a Healthcare Cybersecurity Specialist and Sports Technology Enthusiast dedicated to safeguarding patient data and driving innovation in healthcare and sports technology.
With over twenty years of hands-on experience in healthcare, including emergency medicine, Chaunda has seen firsthand the critical role of technology in patient care and the vulnerabilities exposed during system downtime, which motivated her transition into the cybersecurity field.
As an educator and current Ph.D. student, Chaunda is committed to enhancing knowledge and improving the security and effectiveness of emerging technologies. Her expertise bridges the gap between healthcare and technology.
Chaunda actively mentors aspiring cybersecurity professionals through Women in Cybersecurity (WiCyS) as a Technical Mentor and is an active member and volunteer with BlackGirlsHack (BGH) and The Diana Initiative (TDI).
Chaunda has contributed to several research projects on healthcare information technology and data protection during her master's degree studies, including Detection of Heart Disease Using Mobile Health Technology, The Use of Healthcare Information Technology in Ambulatory Surgical Centers, and The Adoption, Issues, and Challenges of Wearable Healthcare Technology for the Elderly.
Your Hosts:
Anthony M. Freed, Halcyon Director of Research and Communications: Freed is a strategic communications leader, award-winning writer, publisher and podcast producer who was previously a freelance security journalist leading headline-making investigations that included the Symantec NAV source code leak, the mass compromise of US government agency account credentials, the denial-of-service attack that took down WikiLeaks, and more. Freed is also the principal researcher who produces the quarterly Halcyon report Power Rankings: Ransomware Malicious Quartile - Inside Data Extortion Attacks.
Ben Carr, Halcyon Advisory CISO: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.
Ryan Golden, Halcyon Chief Marketing Officer: Golden has a strong background in marketing and leadership roles across the security industry and vast experience in building successful brands, as demonstrated by his role as VP of Design & Creative at Cylance, Inc., where he led the disruptive Cylance brand from pre-revenue to a $1.4B acquisition by BlackBerry. Golden is a technical CMO with deep experience in defending organizations against ransomware operations and other advanced attack scenarios, and also served as the Vice President of Marketing at ShiftLeft, Inc.
Subscribe to the Show:
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and maintains the Recent Ransomware Attacks resource site.