Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive reports,
    • “The HHS released [on December 6] a working paper this week that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule.
    • “The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs.
    • “The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy. The HHS’ Office for Civil Rights found a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches involving ransomware.  * * *
    • “Money and voluntary goals alone won’t drive enough change, the department said. The HHS’ third step focuses on proposing to add healthcare-specific cybersecurity goals into existing regulations, which will inform future standards.
    • “The CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid and the HHS’ OCR will begin to update the HIPAA Security Rule in the spring to include new standards. [Reginfo.gov tells us the proposed rule is expected to be released in September 2024.]
    • “The American Hospital Association CEO Rick Pollack said the trade and lobbying group welcomes more federal expertise and funding to protect the sector from cyberattacks, but it can’t support mandatory requirements.
    • “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” Pollack said in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”
  • Cyberscoop tells us,
    • “Addressing computer security vulnerabilities by quickly finding and patching flaws is a fundamentally broken model in need of being overhauled, Eric Goldstein, a top cybersecurity official at the Cybersecurity and Infrastructure Security Agency, said Friday.
    • “To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model,” Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
    • “Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a “philosophical shift” that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
    • “If you’re a school district, a water utility, a small business, you’re fundamentally not going to repeatedly succeed over time against the malicious actors that we are trying to manage every day,” Goldstein said.”
  • The Department of Health and Human Services Office of Civil Rights announced,
    • “a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information. 
    • “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks. * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html
  • The Federal Bureau of Investigation announced,
    • “The Securities and Exchange Commission’s new requirements for companies to disclose material cybersecurity incidents take effect on December 18, 2023. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request disclosure delays for national security or public safety reasons.
    • “You can click on the buttons at the bottom of this page to read guidance on requesting a delay and providing necessary information to the FBI, to view the SEC Rule, and to read the FBI’s Policy Notice about how victim requests are processed.  
    • “The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office. The FBI also strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI, that doesn’t trigger materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay. 
    • Please note that delay requests won’t be processed unless they are made immediately upon a company’s determination of materiality.”
  • The National Institute of Standards and Technology released an update to its Cybersecurity and Privacy Reference Tool (CPRT).
    • “The NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a way to browse, view mappings, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and Frameworks – all in standardized data formats (you can currently pick from XLSX or JSON). These tabular datasets will make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.”

From the cybersecurity vulnerabilities and breaches front,

  • The HHS health sector Cybersecurity Coordination Center (HC3) issued its November report on vulnerabilities of interest to the health sector.
    • “In November 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for November are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, Becton, Dickinson (BD) and Company, and ownCloud. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog on December 4, four more on December 5 and another two on December 7.
  • HC3 posted a white paper on the ownCloud vulnerabilities.
    • “The ownCloud platform allows organizations to store, synchronize, and share files and other content, as well as collaborate and consolidate work processes. This platform is known to be deployed across the U.S. health sector, among other industries. The nature of this platform provides cyber-attackers with a target that can potentially provide access to sensitive health information, as well as a staging point for further attacks. Three vulnerabilities were recently identified in certain versions of ownCloud, the most egregious of which is known to be under active attack. HC3 recommends healthcare organizations running ownCloud identify vulnerable instances and prioritize implementation of the mitigation steps in this document.”
  • HC3 also posted a PowerPoint about Open Source Software risks in the health sector.
  • Federal News Network informs us,
    • “The Cybersecurity and Infrastructure Security Agency is reminding agencies and the public to patch known cyber vulnerabilities after a federal agency was hacked earlier this year by threat actors leveraging a bug in outdated software.
    • “In a cyber advisory issued this week, CISA said unidentified threat actors exploited a vulnerability in older versions of Adobe ColdFusion software to gain access to the network of a federal civilian executive branch agency. The specific agency was not identified.
    • “Analysis of the agency’s network logs confirmed the compromise of “at least two public-facing servers” within the agency’s environment between June and July of this year.
    • “Both servers were running outdated versions of software which are vulnerable to various [Common Vulnerabilities and Exposures],” CISA said in the advisory.”
  • Per Cybersecurity Dive,
    • “Cyberattacks and data breaches are exposing personal data at an ever-growing rate, according to an Apple-commissioned study conducted by Stuart Madnick, professor of IT at Massachusetts Institute of Technology, published Thursday.
    • “More than 2.6 billion personal records were compromised in 2021 and 2022, and the number of records breached jumped 36% in 2022 to 1.5 billion, the report said.
    • “Data breaches at U.S. organizations are at an all-time high, up 20% in the first nine months of 2023 compared to all of last year, the study found.”
  • and
    • “Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode.
    • “The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to the actual Log4Shell vulnerability.
    • “Veracode found 3.8% of applications are using Log4j2 2.17.0, which was patched against Log4Shell, but contains CVE-2021-44832, another high severity, remote code execution vulnerability.”
  • The Wall Street Journal reports,
    • “The recent breach of 23andMe user accounts shows a simple yet powerful truth about data security: Don’t reuse passwords, people.
    • “The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.
    • “The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. The type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses who have fallen victim to the cybercrime trend, including Netflix, Nintendo, Zoom and PayPal.
    • “It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm. 
    • “The issue here is that 23andMe is a social site that also has healthcare information,” he said. “And both of these increase the risk of exposure of the data, and the value of the data itself.” 
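The Veracode figures in the Log4j item above turn on exactly which Log4j line a build ships. The following Python is an added example, not code from Veracode, Cybersecurity Dive or the Log4j project. It triages jar file names found on a host into the same buckets the report uses (1.x end of life, Log4Shell unpatched, patched for Log4Shell but short of the last follow-on fix, current), and it goes a step beyond the report's summary by also handling the 2.3.x and 2.12.x backport branches, whose fixed versions differ from the main line. The fix boundaries come from the Apache Log4j security advisories for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832; the jar paths are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Only log4j-core (2.x) and the monolithic 1.x jar carry the vulnerable code,
# so log4j-api jars are deliberately not matched.
JAR_RE = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+(?:\.\d+)+)\.jar$")

# First release in each 2.x branch that fixed Log4Shell (CVE-2021-44228), and the
# first release that also closed the follow-ons CVE-2021-45046, CVE-2021-45105
# and CVE-2021-44832.  2.3.x (Java 6) and 2.12.x (Java 7) are backport branches;
# every other 2.x version is on the main line (key None).
LOG4SHELL_FIXED: Dict[Optional[Tuple[int, int]], Version] = {
    (2, 3): (2, 3, 1), (2, 12): (2, 12, 2), None: (2, 15, 0)}
ALL_FIXED: Dict[Optional[Tuple[int, int]], Version] = {
    (2, 3): (2, 3, 2), (2, 12): (2, 12, 4), None: (2, 17, 1)}


@dataclass
class Finding:
    path: str
    version: str
    severity: str  # EOL, CRITICAL, HIGH or OK
    note: str


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def classify(v: Version) -> Tuple[str, str]:
    """Map a Log4j version to a triage bucket and a one-line reason."""
    if v[0] < 2:
        return "EOL", "Log4j 1.x: end of life since August 2015, never patched; replace"
    branch = v[:2] if v[:2] in ALL_FIXED else None
    if v < LOG4SHELL_FIXED[branch]:
        return "CRITICAL", "Log4Shell (CVE-2021-44228) unpatched"
    if v < ALL_FIXED[branch]:
        return "HIGH", ("patched for Log4Shell but still affected by one or more of "
                        "CVE-2021-45046, CVE-2021-45105, CVE-2021-44832")
    return "OK", "at or beyond the last fix in its branch"


def triage(paths: List[str]) -> List[Finding]:
    """Classify every Log4j jar in a list of file paths."""
    findings = []
    for path in paths:
        m = JAR_RE.search(path)
        if not m:
            continue
        severity, note = classify(parse_version(m.group(1)))
        findings.append(Finding(path, m.group(1), severity, note))
    return findings


# Constructed sample input, in the form `find / -name 'log4j*.jar'` would produce.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-1.2.17.jar",
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/srv/svc/lib/log4j-core-2.17.0.jar",
    "/srv/svc/lib/log4j-api-2.17.0.jar",      # api jar: skipped by design
    "/srv/legacy/lib/log4j-core-2.12.4.jar",  # Java 7 backport, fully patched
    "/srv/new/lib/log4j-core-2.20.0.jar",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PATHS):
        print(f"{f.severity:8} {f.version:8} {f.path}  # {f.note}")
```

Run against the sample list this reports the 1.2.17 jar as end of life, 2.14.1 as Log4Shell-unpatched, 2.17.0 as still carrying CVE-2021-44832 (the case the Veracode report calls out), and 2.12.4 and 2.20.0 as current. A file-name scan is only a first pass: a shaded or renamed jar, or a Log4j class tree embedded in a fat jar, needs a scan of `JndiLookup.class` and `META-INF` manifests, which this example does not attempt.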
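A credential-stuffing run like the one described in the 23andMe item leaves a distinctive trace in authentication logs: one source tries many different usernames in quick succession, most attempts fail because the leaked passwords have since changed, and the occasional success marks an account whose owner reused a password. The following Python is an added example, not code from 23andMe or the Wall Street Journal. It runs that detection over a constructed log format (`timestamp ip=… user=… result=OK|FAIL`); the window length and the two thresholds are assumptions for illustration, and it returns, per flagged source, the accounts that did authenticate so they can be reset and their sessions revoked first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example; real identity providers differ,
# so LINE_RE is the one piece to adapt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Thresholds are assumptions for this example; tune them to your own baseline.
WINDOW = timedelta(minutes=10)   # attempts must fall this close together
MIN_DISTINCT_USERS = 5           # one source, many different accounts
MIN_FAIL_RATIO = 0.8             # stolen passwords mostly no longer work

Event = Tuple[datetime, str, str, str]  # (time, ip, user, result)


def parse(lines: List[str]) -> List[Event]:
    """Turn log lines into time-ordered events, ignoring non-login records."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def max_distinct_users_in_window(events: List[Event]) -> int:
    """Largest number of different accounts one source tried within WINDOW
    (sliding window over the source's time-ordered events)."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        best = max(best, len({e[2] for e in events[start:end + 1]}))
    return best


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return {source_ip: [accounts that authenticated from it]} for every
    source whose pattern matches credential stuffing."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    alerts: Dict[str, List[str]] = {}
    for ip, evs in by_ip.items():
        fails = sum(1 for e in evs if e[3] == "FAIL")
        if (max_distinct_users_in_window(evs) >= MIN_DISTINCT_USERS
                and fails / len(evs) >= MIN_FAIL_RATIO):
            alerts[ip] = sorted({e[2] for e in evs if e[3] == "OK"})
    return alerts


# Constructed sample: one source cycling through ten accounts in 20 seconds
# (two reused passwords work), plus two ordinary users logging in normally.
SAMPLE_LOG = """
2023-12-04T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-12-04T10:00:03Z ip=203.0.113.5 user=bob result=OK
2023-12-04T10:00:05Z ip=203.0.113.5 user=carol result=FAIL
2023-12-04T10:00:07Z ip=203.0.113.5 user=dave result=FAIL
2023-12-04T10:00:09Z ip=203.0.113.5 user=erin result=FAIL
2023-12-04T10:00:11Z ip=203.0.113.5 user=frank result=FAIL
2023-12-04T10:00:13Z ip=203.0.113.5 user=grace result=OK
2023-12-04T10:00:15Z ip=203.0.113.5 user=heidi result=FAIL
2023-12-04T10:00:17Z ip=203.0.113.5 user=ivan result=FAIL
2023-12-04T10:00:19Z ip=203.0.113.5 user=judy result=FAIL
2023-12-04T10:02:40Z ip=198.51.100.7 user=alice result=FAIL
2023-12-04T10:02:55Z ip=198.51.100.7 user=alice result=OK
2023-12-04T10:05:00Z ip=198.51.100.9 user=dave result=OK
""".strip().splitlines()

if __name__ == "__main__":
    for ip, accounts in detect(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; reset and re-authenticate {accounts}")
```

On the sample this flags 203.0.113.5 and names bob and grace as the accounts to reset; alice's single retry from her own address is not flagged. Two caveats a practitioner would want: stuffing tools rotate through proxies, so a per-IP rule misses distributed runs and should be paired with grouping by user agent, ASN or the password list's ordering of usernames; and detection does not remove the exposure, which only MFA and screening new passwords against known breach corpora do.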

From the ransomware front,

  • The Hacker News explains ransomware as a service. (Note: The Week in Ransomware was not published this week.)

From the cybersecurity defenses front,

  • Security Boulevard offers 2024 predictions for cybersecurity.
  • An ISACA expert explains how to create a health security culture.
  • Medriva discusses the cybersecurity steps that the Cleveland Clinic has taken.