From the cybersecurity policy front,
- Cybersecurity Dive reports on a speech that the National Cyber Director (NCD) Harry Coker gave on February 7. He urged private sector cooperation to counter nation state cyber threats. Specifically,
- “The Office of the NCD is working on several key initiatives that are part of the Biden administration’s national cybersecurity strategy:
- “Officials are consulting with academic and legal experts to explore a variety of tactics to hold manufacturers accountable when they rush insecure products to market. Officials will be reaching out to industry for additional feedback.
- “The office is reaching out to interagency partners in an effort to harmonize a number of wide ranging cyber rules and regulations so companies are not overwhelmed by compliance burdens.
- “The administration is working to build a more diverse and robust cybersecurity workforce, as the industry still has about a half million vacant job opportunities and there is a desperate need to attract qualified workers.
- “Coker also highlighted an upcoming white paper on efforts to develop the use of memory-safe languages and improve software measurability.
- “Memory safety has become a major focus, as many issues related to critical vulnerabilities are due to the use of unsafe coding.
- “Exploitation of the CitrixBleed vulnerability in late 2023 was linked to the use of unsafe programming languages.”
- “The Office of the NCD is working on several key initiatives that are part of the Biden administration’s national cybersecurity strategy:
- Also on Wednesday, the Cybersecurity and Infrastructure Security Agency [CISA] posted a joint agency advisory about the “People’s Republic of China State-Sponsored Hacking of U.S. Critical Infrastructure.”
- Cybersecurity Dive also interviewed Ty Greenhalgh who is an HHS cybersecurity “ambassador” to the healthcare sector, about “what to expect from federal cybersecurity guidance in healthcare.” For example,
- Q. “What are the next steps as far as the cybersecurity goals and what HIPAA standards the HHS could implement going forward?”
- A. “I think they’re going to quickly open up the HIPAA Security Rule and revise it to include these HPH CPGs and talk more about vulnerability management as a practice and not just a compliance checklist. So in doing that, HHS will then be able to go through the rulemaking process and ferret out what the language really looks like from a regulation perspective. Hospitals can start figuring out how they’re going to embrace these HPH CPGs.
- The first move is to reinforce that these will become requirements. And what the regulations look like around that as they go to Congress and try to get money or determine whether they’re going to use their Medicare reimbursement to incentivize either through reduction or increase. So I think it’s open up HIPAA, include HPH CPGs, start figuring out what that regulation is going to look like, what the requirements are actually going to be, as they’re simultaneously trying to find funding to make this more palatable.”
- Similarly, Fedscoop reports,
- “CISA has proven to be a critical partner and resource over the past five years for federal cybersecurity. But as CISA enters the second half of its first decade, the cyber agency and its Joint Cyber Defense Collaborative should focus on better governmentwide coordination and tougher security standards, a panel of federal IT officials said this week.
- “During a Center for Strategic & International Studies panel discussion, tech leaders from the Treasury Department and the Department of Veterans Affairs detailed the ways in which they’re pleased with and frustrated by CISA, expressing an overarching sentiment that while the agency has been helpful, there’s room for improvement as it matures.
- “We need really common operating standards to which we are aggressively held, versus this sort of voluntary, participative notion — ‘get in touch with us when you need it’ kind of thing,” said Jeff King, Treasury’s principal deputy chief information officer.
- “Amber Pearson, deputy chief information security officer at the Department of Veterans Affairs, largely agreed, noting that she’d like to see “more expansion from CISA” when it comes to “those key areas.”
From the cybersecurity vulnerabilities and breaches front,
- HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued its compendium of “January Vulnerabilities of Interest to the Health Sector.”
- “In January 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for January are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, and Jenkins.
- “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
- CISA added another known exploited vulnerability (Google Chromium V8 Type Confusion Vulnerability) to its catalog on February 6 and another (Fortinet FortiOS Out-of-Bound Write Vulnerability)on February 9.
- Cybersecurity Dive reported on Tuesday,
- “Ivanti Connect Secure and Ivanti Policy Secure Gateways are facing renewed exploitation, days after the company release a patch for two zero-days vulnerabilities that were under active exploitation. Ivanti disclosed two new vulnerabilities when it released the patch, which addresses all known issues.
- “At this point exploitation is widespread with every exposed Ivanti Connect Secure VPN instance hit,” Piotr Kijewski, CEO of the Shadowserver Foundation, said via email. Specific details on the attackers were not immediately known, but the attacks include reverse shell setup attempts and config dumping.”
- More information on the Ivanti problem is available from Tech Crunch.
- Dark Reading told us yesterday,
- “Researchers have discovered a new backdoor targeting macOS that appears to have ties to an infamous ransomware family that historically targets Windows systems.
- “Researchers at Bitdefender say the so-called Trojan.MAC.RustDoor is likely linked to BlackCat/ALPHV. The newly discovered backdoor is written in Rust coding language and impersonates an update for Visual Studio code editor.
- “Bitdefender in its advisory said there have been multiple variants of the new backdoor, and that it has been in action for at least three months.”
- Two cybersecurity breach settlements were announced last week.
- Health IT Security informs us that “US Fertility (USF) reached a $5.75 million settlement [in a consolidated class action pending in the Maryland federal court] to resolve allegations of negligence following a 2020 ransomware attack and data breach that impacted nearly 900,000 individuals. USF provides IT platforms and services to a network of more than 200 physicians across 100 clinic locations and more than two dozen IVF laboratories.”
- and
- HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million HHS Office for Civil Rights Settlement with Montefiore Medical Center resolves multiple potential HIPAA Security Rule Violations.
From the ransomware front,
- Cybersecurity Dive reports,
- “Ransomware attacks inflicted more financial damage and hit more companies last year than ever before, according to Unit 42 and Chanalysis research.
- “Victim organizations paid a collective $1.1 billion in ransom demands in 2023, the largest amount ever recorded, Chainalysis said in a Wednesday report on financially-motivated criminal activity in cryptocurrency exchanges.
- “Threat actors named and publicly threatened almost 4,000 victim organizations on their dark web leak sites last year, a 49% increase over 2022, Palo Alto Networks’ Unit 42 said Monday in a ransomware retrospective report.”
- Physician Practice pointed out yesterday,
- Federal cybersecurity experts are warning health care information technology experts about a new threat that has become significant in less than a year.
- Akira ransomware was first identified in May 2023 and has claimed at least 81 victims, according to the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health and Human Services. Akira “has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan,” said the HC3 analyst note published this week.
From the cybersecurity defenses front,
- Health IT Security notes,
- “KLAS Research recognized several leading security and privacy vendors as Best in KLAS winners for 2024. The 2024 Best in KLAS software and services winners were designated based on information collected from more than 26,000 evaluations collected over the past year from more than 5,000 healthcare organizations.
- “The Best in KLAS designation recognizes “software and services companies who excel in helping healthcare professionals improve patient care” and “signifies to the healthcare IT industry the commitment and partnership that the top vendors should provide,” KLAS stated.”
- Tech Republic offers cybersecurity defense ideas related to “a botnet created by Volt Typhoon, a group of attackers sponsored by the Chinese government.”