Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “Insurers told a congressional hearing Thursday [June 27, 2024] that they need the flexibility to determine what they will and won’t cover under cyber policies, saying they are still trying to understand the risks associated with cyberattacks.
    • “The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection held the hearing to explore how cyber insurance is being used by critical-infrastructure operators, amid warnings of hacking efforts from China and Russia.
    • “Insurers have tightened underwriting standards and raised premiums for cyber policies in recent years, spooked by an increase in losses starting in 2019 as cyberattacks spiked during the coronavirus pandemic. Many now require a raft of cybersecurity controls for organizations to qualify for coverage, such as multifactor authentication and network monitoring, and carriers have restricted what they will cover.”
  • Cybersecurity Dive adds,
    • “In an effort to qualify for cyber insurance, three-quarters of companies have invested in cyber defense, according to a report released Wednesday by Sophos and Vanson Bourne.
    • “These investments were either required to obtain coverage, helped organizations secure lower premiums or, in other cases, improved the coverage terms of their insurance plans. The research is based on a survey of 5,000 IT and cybersecurity leaders across 14 countries in the Americas, Asia Pacific and Europe, the Middle East and Africa.
    • “Despite the investments, significant gaps remain between recovery costs and the coverage provided by insurance providers, Sophos found.”
  • The National Institute of Standards and Technology announced,
    • “The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is returning to Washington, D.C.
    • DATES: October 23–24, 2024
    • LOCATION: HHS Headquarters (Hubert H. Humphrey Building) in Washington, D.C. * * *
    • Registration will open later in the summer.
  • Fedscoop tells us,
    • “Chris DeRusha, the former federal chief information security officer and deputy national cyber director, is joining Google Cloud to lead the tech giant’s global public sector compliance work, according to a Tuesday press release.
    • “DeRusha, who left the federal government last month after more than three years as the federal CISO, will lead the expansion of Google Cloud’s suite of artificial intelligence, cloud computing and security products within the public sector, both in the United States and abroad.”

From the cybersecurity vulnerabilities and breaches front,

  • Health IT Security tells us,
    • “Third-party data breaches have been a top concern for healthcare cybersecurity leaders in recent years, following a string of high-profile cyberattacks across the healthcare supply chain.
    • “Threat research from SecurityScorecard, a company that provides cybersecurity ratings for corporations, showed that 35% of third-party breaches that occurred in 2023 affected healthcare organizations, overtaking all other sectors.
    • “SecurityScorecard analyzed the security ratings and historical breach data of the 500 largest US healthcare companies to glean insights into the sector’s top risk factors. Despite the perception that healthcare is behind other industries when it comes to cyber defense, healthcare organizations averaged a security score of 88.”
  • For example, Dark Reading points out,
    • “A full 791,000 patients have had their personal information compromised in a cyberattack that resulted in Lurie Children’s Hospital in Chicago taking its systems offline.
    • “Cybercriminals accessed the children’s hospital’s systems, disrupting its patient portal, communications, and ability to access medical records.
    • “In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.
    • “Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.”
  • Health IT Security adds,
    • “Geisinger began notifying upwards of one million individuals of a data breach that occurred in November 2023, when a former Nuance Communications employee accessed certain Geisinger patient information two days after being terminated. The individual has since been arrested and is facing federal charges.
    • “Geisinger serves 1.2 million people across Pennsylvania in rural and urban care settings. Geisinger used Nuance, a Microsoft-owned company, for information technology services.”
  • Cybersecurity Dive further informs us,
    • “Microsoft has notified additional enterprise customers this week that a password-spray campaign by the state-linked Midnight Blizzard threat group led to a compromise of their emails.
    • “Microsoft also provided additional detail to other customers that were previously notified about the intrusions. Customers who received the notifications took to social media, as they feared they were being potentially phished. The new disclosures were first reported by Bloomberg.
    • “This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” the company said in an emailed statement. “This is increased detail for customers who have already been notified and also includes new notifications.”
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a Threat Actor Profile on a Russian cyber threat group known as Seashell Blizzard.

Cybersecurity Dive relates,

  • UPDATE: June 27, 2024: Progress Software upgraded the severity score of a MOVEit file-transfer service vulnerability, CVE-2024-5806, from a 7.4 to 9.1 on Tuesday. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched,” the company said in the updated advisory. “While the patch distributed by Progress on June 11 successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
  • CISA added three known exploited vulnerabilities to its catalog on June 26, 2024:
    • CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
    • CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability
    • CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
  • The American Hospital Association News reports,
    • “The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-ISAC recommends users review logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”
  • and
    • “The FBI and Department of Health and Human Services June 24 released an advisory about cyberthreat actors targeting health care organizations in attempts to steal payments. The agencies have recommended mitigation efforts to help reduce the likelihood of being impacted. Threat actors have been found to use phishing efforts to gain access to employees’ email accounts, and then pivoting to target login information related to the processing of reimbursement payments to insurance companies, Medicare or similar entities, the agencies wrote. In some instances, threat actors would call an organization’s information technology help desk posing as an employee of the organization to trigger a password reset for the employee’s account.
    • “The AHA was initially made aware of this type of scheme in January, and HHS issued an advisory on similar threats in April.”
  • Pharmacy Practice News calls attention to an
    • “increasingly popular tool for hackers trying to sneak around information technology (IT) protections.
    • “Smishing is a variant of phishing (the by now familiar practice of sending fraudulent emails to steal personal information). In this case, the attacker “uses a compelling text message to trick targeted recipients into clicking a link, which sends the attacker private information or downloads malicious programs to a smartphone,” the Department of Health and Human Services (HHS) explained in an August 2023 report. (The term comes from combining SMS, which refers generally to text messaging, with “phishing.”)
    • “If you have ever received a text message insisting that a UPS package could not be delivered [and the FEHBlog has], or warning you that you’re in trouble with the IRS and urgently requesting that you click the embedded link, then you’ve been a target of attempted smishing. And if you think you’ve seen more of these messages lately, you’re not alone.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Cloud security is a top priority for organizations around the world, Thales found in a study released Tuesday. The report is based on a survey of 3,000 IT and security professionals from 18 different countries.
    • “More than 2 in 5 respondents said they have had their cloud environments breached in the past, with 14% of respondents reporting a breach in the past year.
    • “For nearly one-third of incidents, human error and misconfiguration are to blame. Respondents also cited the exploitation of known vulnerabilities in 28% of breaches and failure to use multifactor authentication in 17%.”
  • Here’s a link to Dark Reading’s CISO Corner.