From the cyberpolicy front, Cyberscoop reports
Federal cyber officials will formally ask industry leaders “in the next couple of days” to help shape the regulatory structure for cybersecurity incident reporting, Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Wednesday.
The incident reporting framework follows the new law that President Biden signed in March requiring that critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.
CISA has said that it will use the reports to rapidly deploy resources to victims under attack and share information with network defenders. Easterly, who spent four years working on cyber defense at Morgan Stanley prior to coming to CISA, emphasized that she wants to work with industry to create a smart regulatory apparatus that doesn’t create problems for the private sector.
“This will finally allow us a much better understanding what’s going on across the ecosystem,” Easterly said at the Billington Cybersecurity Summit in Washington. “We don’t want to burden industry and we don’t want to burden the federal government with noise either.”
Easterly said that after CISA issues a request for information from the private sector, she intends to also host several listening sessions with industry to ensure the rule-making process is “consultative.”
From the cyberbreach front —
Health IT Security reports
Healthcare data breaches are continuing to impact the healthcare sector at alarming rates, even as more organizations adopt updated security solutions in an attempt to keep pace with the influx of new cyber threats.
The healthcare sector suffered about 337 breaches in the first half of 2022 alone, according to Fortified Health Security’s mid-year report. More than 19 million records were implicated in healthcare data breaches in the first six months of the year.
What’s more, IBM’s annual “Cost of a Data Breach” report showed that the average cost of a healthcare data breach is now $10.1 million per incident, signifying a 9.4 percent increase from its 2021 report.
Cyberscoop adds
Nearly 90% of information technology professionals working in health care said their facilities suffered a cyberattack in the past year, according to a report out Thursday from the research organization Ponemon Institute.
Many of them said the attacks, which averaged 43 at various types of health care organizations including hospitals and insurance providers, increasingly affected patient care.
More than 600 IT and IT security practitioners responded to the survey sponsored by the cybersecurity firm Proofpoint. The report comes amid frequent warnings from federal cybersecurity officials about ransomware and other cyberattacks on health care organizations.
Fifty-three percent of the respondents said their organization had experienced at least one ransomware incident over the past two years, while a third said they’d suffered between two and five. Nine percent of respondents said their organizations suffered six to 10 incidents.
The findings mark an increase from a year ago when Ponemon conducted a similar survey commissioned by cybersecurity firm Censinet. That survey found that just over 40% of respondents suffered a ransomware attack in the previous year.
From the cybervulnerability front —
This past week, HHS’s Health Sector Cybersecurity Coordination Council (HC3) released its August 2022 Cybersecurity Vulnerability Bulletin and a PowerPoint presentation about emerging technology and security implications for the health sector.
Security Week adds “Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices. Dubbed Shikitega, the threat is delivered as part of a multi-stage infection chain, where each step is responsible for a part of the payload and fetches and executes the next module.”
From the ransomware front —
Cybersecurity Dive reports
Barely one in five organizations consider their organization as prepared as possible for a potential ransomware attack, according to a survey of 400 IT leaders and professionals involved in their company’s cybersecurity strategy. Almost 15% said they are very or somewhat unprepared for an attack.
The majority of respondents said they spend less than five hours per week on ransomware preparedness. Almost one-third invest less than an hour per week on the matter.
Organizations’ perceived state of preparedness and time spent bolstering defenses against ransomware stands out considering how many have already been hit. More than four out of 10 respondents said they’ve had a ransomware attack that resulted in infiltration or data encryption.
Here’s a link to the latest Bleeping Computer’s Week in Ransomware for your reading pleasure.
In cybersecurity leadership news —
- Cybersecurity Dive discusses “Today’s top cybersecurity concerns and what comes next; CISOs are up against talent shortages and retention concerns amid an increasingly sophisticated threat landscape.
- The Wall Street Journal reflects on “Why Companies Need to Think About Cyber Resilience, Not Just Cybersecurity; Cyber resilience concedes that breaches are inevitable, and it makes minimizing risk or loss in the event of an attack the end goal.”