From the cybersecurity policy front —
- Ars Technica reports
- The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to healthcare systems, hospitals and clinics, and health-related devices.
- FedScoop tells us,
- Federal agencies got a reminder from the White House yesterday [August 16] of the need to firm up their cybersecurity in compliance with a Biden executive order.
- The National Security Advisor Jake Sullivan sent a memo to departments and agencies Wednesday morning “to ensure their cyber infrastructure is compliant with” a May 2021 cybersecurity executive order on improving U.S. agencies’ cyber defense, a National Security Council spokesperson said in an emailed statement.
- Per NextGov,
- “The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation’s cyber posture, a top official said Tuesday.
- “Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year.
- “We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW’sIdentity Security Workshop. “Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems.”
- NIST released a summary of public comments received on draft Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. FEHB claims data falls within the scope of this SP.
- “NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171r3 security requirements. NIST anticipates releasing SP 800-171r3 fpd and SP 800-171A ipd for public comment in Q1 of FY 2024 (October – December 2023) and looks forward to ongoing engagement with users during the comment period.”
- Per Cybersecurity Dive,
- Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
- The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency [CISA] said.
From the cybersecurity vulnerabilities and breaches front,
- The Health Sector Cybersecurity Coordination Center released a threat analysis of China-based threat actors.
- “This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.”
- CISA added one more known exploited vulnerability to its catalog on August 16, 2023.
- Dark Reading reports
- “Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
- “Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.”
- Bloomberg Technology examines a larger email hack of Microsoft.
- “No one likes losing their keys. But after a single Microsoft Corp. key fell into the hands of Chinese hackers, it’s going to take more than changing the locks to restore its reputation.
- “The consumer signing key was used to forge authentication tokens — which are meant to verify a user’s identity — and access emails, including the accounts of Commerce Secretary Gina Raimondo and State Department officials, shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping in June.
- “The world’s largest software maker is now facing increasing criticism from computer security experts and government officials alike over the hack, among the more embarrassing breaches of US government networks since the so-called SolarWinds attack was disclosed in 2020. Russian state-sponsored hackers also abused Microsoft’s software as part of that attack.
- “Senator Ron Wyden, in a blistering letter last month about the lapse, called for multiple investigations. Shortly after, a US cybersecurity advisory panel opened a probe into the risks of cloud computing, and it is also looking at Microsoft’s role in the email hack.”
- Health IT Security brings us up to date on the hack that keeps on giving – the MoveIT transfer hack.
- Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.
- Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.
- MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day.
From the cybersecurity defenses front,
- Cybersecurity Dive explains why
- “Security basics aren’t so basic — they’re hard; Lax security controls cause heavy damages, and security experts warn how unmet basics turn up, time and again, when things go wrong” and
- identifies
- AWS customers’ most common security mistake; All too often organizations are not doing least-privilege work with identity systems, AWS’ Mark Ryland told Cybersecurity Dive,” and
- discusses how to take advantage of sometimes disjointed threat intelligence.
- The Wall Street Journal reports
- “Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors, resulting in potentially damaging targeted and untargeted attacks.
- “Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk, though some threats are nearly impossible to mitigate.
- “Multiple internal stakeholders working together with technology solutions and consultancy expertise can significantly reduce the risk of, or impact from, supply chain attacks[, e.g., the MoveIT transfer hack].”