From the cybersecurity policy front,
- Cybersecurity Dive reports,
- “The Biden administration plans to pursue a liability framework to hold the software industry accountable for insecure software, according to administration officials and documents released by the Office of the National Cyber Director this week.
- “Federal officials said they have taken steps toward a long-stated goal of shifting the security burden away from technology users and onto the industry.
- “The administration wants to pursue a plan to create incentives that will help enable long-term investment in cybersecurity and resilience, Nick Leiserson, assistant national cyber director for cyber policy and programs, said during a panel Monday [May 6] at the RSA Conference in San Francisco.
- “Leiserson cautioned the objective was not to create a liability framework for the purposes of opening up the software industry to lawsuits.
- “That’s not the point,” Leiserson said during the panel discussion. “The point is to secure investments in secure software development.”
- and
- “The Biden administration plans to launch aggressive actions to enhance cyber resilience across key critical infrastructure sectors, including the healthcare and water sectors, which were the targets of significant threat activity in recent months, according to a report released Tuesday by the Office of the National Cyber Director.
- “The U.S. wants to speed the flow of intelligence sharing and facilitate closer cooperation with the private sector. The administration also plans to enhance its ability to proactively disrupt threat activity and take down malicious actors.
- “We are in the midst of a fundamental transformation in our nation’s cybersecurity,” National Cyber Director Harry Coker Jr., said in a statement. “We have made progress in realizing an affirmative vision for a safe, prosperous and equitable digital future, but the threats we face remain daunting.”
- In that regard, Govinfosecurity adds,
- “As the Department of Health and Human Services works on a proposed update to the HIPAA Security Rule this year, regulators are also ratcheting up enforcement efforts – including resuming long-dormant HITECH Act HIPAA audits, said Melanie Fontes Rainer, director of HHS’ Office for Civil Rights. * * *
- “HHS OCR plans by the end of the year to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that’s occurred over the last two decades since the regulations were first issued, she said.
- “The beauty of the HIPAA Security Rule is that it’s 20 years old – it is technology-neutral, and it’s scalable. So we’re still able to use it and enforce the law vigorously,” she said in a video interview with Information Security Media Group.
- “But at the same time, “the downside of the HIPAA Security Rule is that it’s 20 years old and doesn’t reflect how we receive healthcare today,” she adds. “That’s why we’re taking a look at it to make sure we’re building into it practices – like end-to-end encryption – and things like that.”
- Cyberscoop reports,
- The U.S. and British governments on Tuesday [May 7] identified Dmitry Yuryevich Khoroshev as the leader, developer and administrator of the LockBit ransomware operation, one of the most prolific and profitable cybercriminal syndicates in recent years.
- Khoroshev, a Russian national, has been LockBit’s main administrator and developer since at least September 2019 continuing through the present, U.S. federal prosecutors said in an indictment unsealed Tuesday. Since its inception, LockBit has been used in attacks against more than 2,500 targets in at least 120 countries, leading to at least $500 million in ransom payments to Khoroshev and his affiliates and “billions of dollars in broader losses, such as revenue, incident response, and recovery,” the Department of Justice said in a statement.
- Dark Reading points out that at the RSA Conference “CISA courted the private sector to get behind CIRCIA Reporting Rules. New regulations will require the private sector to turn over incident data to CISA within three days or face enforcement. Here’s how the agency is presenting this as a benefit to the entire private sector.”
From the cyber breaches and vulnerabilities front,
- Cyberscoop reports,
- Ascension, a health care system with 140 hospitals in 19 states and Washington, D.C., and tens of thousands of employees and affiliated providers, detected a “cyber security event” Wednesday [May 8] that has caused a “disruption to clinical operations,” the company said.
- Major impacts to medical services have been reported in multiple states, including Kansas, Florida and Michigan, including some patients being diverted to other hospitals and lack of access to digital records.
- “We have to write everything on paper,” one physician in Michigan told the Detroit Free Press. “It’s like the 1980s or 1990s.”
- Dark Reading adds,
- “The provider has temporarily paused non-emergency medical procedures and appointments, and some hospitals are diverting emergency medical services. Patients were advised to bring relevant medical information to appointments due to system limitations.
- “We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures,” a company statement said. “It is expected that we will be utilizing downtime procedures for some time.”
- “The organization has tapped incident response help from Mandiant for investigation and remediation efforts. It is unknown if any patient data was exposed in the attack.
- “We are working to fully investigate what information, if any, may have been affected by the situation,” Ascension said. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”
- Cybersecurity Dive tells us,
- “The FBI and Cybersecurity and Infrastructure Security Agency urged software companies to eliminate directory traversal vulnerabilities from their products, citing a rise in attacks against critical industries, including hospitals and school operations, in a secure by design alert released Thursday.
- “The agencies are seeking industry action following two recent campaigns where threat groups engaged in extensive exploitation activity. The agencies referenced a path traversal vulnerability in ConnectWise ScreenConnect, listed as CVE-2024-1708, and a vulnerability in the file upload functionality of Cisco AppDynamics Controller, listed as CVE-2024-20345.
- “In total, directory traversal or path traversal vulnerabilities were identified in 55 different cases listed on CISA’s Known Exploited Vulnerabilities catalog, according to the alert.”
From the ransomware front,
- American Hospital Association News informs us,
- “The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center May 10 released a joint cybersecurity advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the health care and public health sector.”
- Bleeping Computer’s The Week in Ransomware is back this week.
- SC Media and HelpNetSecurity offer their observations on the state of the ransomware attacks and defenses.
From the cybersecurity defenses front,
- Cybersecurity Dive calls attention to the fact that “Officials see a real change in Microsoft’s security plans: financial accountability. CISA Director Jen Easterly pointed to Microsoft’s decision to link security to executive compensation as a meaningful signal of its priorities.”
- Tech Target offers “five tips for building a cybersecurity culture at your company.”
- Dark Reading considers the future path of CISOs while the ISACA Blog notes “A Better Path Forward for AI By Addressing Training, Governance and Risk Gaps.”
- Finally, SC Media dives into the cybersecurity insurance market.