From the cybersecurity policy front,
- Healthcare Dive informs us,
- “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches.
- “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
- “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
- “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance.
- “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected.
- “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
- Wow. It strikes the FEHBlog that at least parts of this bill, if not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.
- Why? Beckers Health IT adds,
- “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
- “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”
- Cybersecurity Dive points out,
- “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security.
- “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
- “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”
- Per a NIST press release,
- “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
- “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”
From the CrowdStrike front,
- Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.
From the cyber breaches and vulnerabilities front,
- Cybersecurity Dive lets us know,
- “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
- “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP URLs on a printer with a malicious version, giving them the ability to command capabilities on a system.
- “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”
- This week, the Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on September 24, 2024,
- CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
- Cybersecurity Dive cautions,
- “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory.
- “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.
- “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
- “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.”
From the ransomware front,
- Modern Healthcare tells us,
- “The number of healthcare providers affected by ransomware attacks is steadily growing.
- “More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.”
- Bleeping Computer warns,
- “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
- “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
- “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”
- PC World explains how to turn on Microsoft Windows’ built in ransomware protection.
From the cybersecurity defenses front,
- SC Media calls attention to “five ways to beef up network security and reduce data theft.”
- “Rethink access control
- “Raise the firewall game
- “Take incident response seriously
- “Tap into network visibility
- “Segment the network
- “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
- A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”
- Per a CISA press release,
- “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
- “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.
- “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations to review the guidance and implement the recommended mitigations to improve Active Directory security.”