Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy front,

Cybersecurity Dive tells us,
- “An HHS agency revealed a new cybersecurity program Monday [May 20, 2024,] that aims to better safeguard hospitals as the healthcare sector faces increasing cyber threats that can derail patient care.
- “The initiative, which comes out of the Advanced Research Projects Agency for Health, will invest more than $50 million to build a software suite that could automatically scan model hospital environments for vulnerabilities that could be exploited by hackers and quickly develop and deploy fixes.
- “The project seeks to help hospitals keep their vast array of internet-connected devices up to date, preventing attacks and subsequent technology outages that can last for weeks and threaten patient safety.”

American Hospital News adds,
- “The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program will proactively evaluate potential vulnerabilities by probing for weaknesses in software. When it detects a threat, a patch could be automatically developed, tested and deployed with minimal interruption to hospital devices.
- “We applaud HHS’ recognition of the unique challenges and systemic nature of vulnerability management in health care,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The research which will be empowered through the ARPA-H funding will yield technical solutions which should be applied strategically to help secure the entire sector. It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue. The UPGRADE program is an innovative and welcomed ‘whole of nation’ approach, which will combine the expertise of the health care sector and government experts.”

Cybersecurity Dive informs us,
- Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year.
- In a letter sent to HHS Secretary Xavier Becerra Monday [May 20, 2024], more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach.
- UnitedHealth Group, Change’s parent company, has previously said it would handle reporting for customers whose data may have been exposed — which could be a huge swath of Americans.

Bloomberg Law reports,
- “Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July.
- “The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats.
- “The rollout of the standards will kick off “the transition to the next generation of cryptography,” White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday [May 21, 2024]. Breaking encryption not only threatens “national security secrets” but also the way we secure the internet, online payments and bank transactions, she added.”

The National Institute of Standards and Technology (NIST), announced on May 20, 2024,
- This week, NIST released Special Publication 800-229, Fiscal Year (FY) 2023 Cybersecurity and Privacy Annual Report. This publication shares key highlights of our major cybersecurity and privacy accomplishments as we wrapped up our celebration of NIST’s 50 years of work in the cybersecurity arena.

From the cyber vulnerabilities and breaches front,

Cybersecurity Dive notes yesterday,
- “On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road.
- “Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks.
- “We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.
- “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.
- “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.”

HHS’s Health Sector Cybersecurity Coordination Center (HC3) has issued its April 2024 cybersecurity vulnerability bulletin.
- In April 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Palo Alto, Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.

HC3 also issued a useful PowerPoint presentation titled “Business Email Compromise (BEC) & Healthcare.”

The Cybersecurity Infrastructure Security Administration added the following new known exploited vulnerabilities to its catalog:
- May 20, 2024 —
  - CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability
  - CVE-2023-43208 NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability
- May 23, 2024 —
  - CVE-2020-17519 Apache Flink Improper Access Control Vulnerability

Dark Reading reports yesterday that “Google Discovers Fourth Zero-Day in Less Than a Month; The tech company has rolled out fixes for a type confusion vulnerability that has already been exploited by malicious actors.”

Cyberscoop adds
- “An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday.
- “In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly.
- “Scattered Spider emanates from an online community known as “the Com.” The group is also tracked by cybersecurity firms as “0ktapus” or UNC3944, and Vorndran’s remarks provide the best number yet for the total size of the hacking crew.
- “Scattered Spider has breached a who’s-who of big-name companies, including the casino giant MGM Resorts and the identity management company Okta. Made up of mostly native English speakers in the United States and the United Kingdom, Scattered Spider is classified as a top three cybersecurity threat, alongside China and Russia’s foreign intelligence agency, Vorndran said.”

NPR brings us up to date on Ascension Healthcare’s recovery from its cyberattack.

From the cybersecurity defenses front,

Modern Healthcare lets us know
- A recent string of massive healthcare cybersecurity breaches has put data security leaders on edge.
- Health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches at St. Louis-based health system Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital
- Recent incidents have shined a light on some of the most significant vulnerabilities at health systems. Here are four of the biggest, according to experts..
  - Lack of Shared Organizational Goals
  - Third party Vendor Risks
  - Multi-factor Authentication Misses
  - Slow Response Time

Similarly MedCity News points out,
- “During a fireside chat at MedCity News’ INVEST conference, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry. For instance, he reminded us that things won’t get better overnight, and that cybersecurity requires an all-hands-on deck approach.”

TechTarget offer ten cybersecurity best practices and cybersecurity market trends from AI to post-quantum crypto.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog