From the cybersecurity policy front,
- Federal News Network tells us,
- “The Biden administration, having struggled in some cases to set cybersecurity requirements for critical infrastructure, sees a new plan for minimum cyber standards coming together by early 2025.
- “That’s according to Caitlin Durkovich, special assistant to the president and deputy homeland security advisor for resilience and response. During an event on Thursday hosted by the ICS Village, Durkovich spoke about the Biden administration’s efforts to implement a recently signed national security memorandum on critical infrastructure security.
- “One of the reasons that we pushed so hard to make sure this NSM was signed out when it was, was so we had some runway to drive the implementation,” Durkovich said. “The president essentially signed it 270 days until the end of his first term. We wanted that first term to be able to implement the majority of actions.”
- The Wall Street Journal reports,
- “The U.S. Department of Health and Human Services doesn’t want to get caught flat-footed by the next healthcare hack.
- “The agency is leading work to create a map of the cybersecurity risks inherent in having a single technology supplier dominate a particular aspect of the market, a threat known as a single point of failure. The concern comes after a cyberattack on UnitedHealth Group’s Change Healthcare unit early this year produced cascading effects on health claims, freezing millions of dollars in payments. The repercussions took care providers, regulators and lawmakers by surprise.”
- Yesterday, HHS added the following guidance to its Change Healthcare cyberattack FAQs:
- “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
- “Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
- “If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.
- “The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.”
From the cyber vulnerabilities and breaches front,
- The Cybersecurity and Infrastructure Security Agency (CISA) added the following known exploited vulnerabilities to its catalog this week:
- May 28, 2024 — CVE-2024-5274 Google Chromium V8 Type Confusion Vulnerability
- May 29, 2024 — CVE-2024-4978 Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
- May 30, 2024 — CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability and CVE-2024-1086 Linux Kernel Use-After-Free Vulnerability
- Cybersecurity Dive adds,
- The National Institute of Standards and Technology expects to clear the towering backlog of unanalyzed vulnerabilities in the National Vulnerability Database by the end of September, the agency said in a Wednesday update.
- NIST scaled back its activities on the NVD program in mid-February following a change in interagency funding support and a staggering deluge of CVE disclosures. The agency reported an all-time high of 33,137 vulnerabilities last year, according to Flashpoint research.
- To help clear the logjam, the agency awarded a cybersecurity analysis and email support contract to Maryland-based Analygence for $865,657 to support the processing of incoming vulnerabilities for the NVD, according to USAspending.gov. “We expect to begin performance the week of June 3,” Analygence COO Tom Peitler said via email.
- HHS’s Health Sector Cybersecurity Coordination Center posted a “Healthcare Sector DDoS Guide.”
- “A Distributed-Denial-of-Service (DDoS) attack is a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. In the health and public health (HPH) sector, they have the potential to deny healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care.
- “Disruptions due to a cyber attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software based medical equipment, and websites to coordinate critical tasks. As such, this comprehensive DDoS guide is intended for target healthcare audiences to understand what DDoS attacks are; what causes them; types of DDoS attacks with timely, relevant examples; and mitigations and defenses against a potential attack.”
From the ransomware front,
- Beckers Hospital Review lets us know,
- “Most attacks on U.S. healthcare are coming from Russia, ABC affiliate KGTV reported May 28.
- “John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told the publication that ransomware attacks targeting hospitals have increased by more than 300%, with most of these attacks coming from Russia.
- “The Russian government refuses to cooperate with U.S. law enforcement on these issues, therefore providing them safe harbor,” he told the news outlet.
- “Mr. Riggi noted that ransomware gangs have also been identified operating in China, North Korea and Iran.
- “The hacking groups most actively targeting healthcare as of April 2024 were LockBit, BlackCat/ALPHV and BianLian, according to HHS’ Health Sector Cybersecurity Coordination Center, or HC3.”
- CSO adds,
- “Two weeks ago, the UK National Crime Agency and the US Department of Justice announced unmasked the Russian national alleged to be the creator and administrator of the LockBit ransomware program.
- “Now, cybersecurity company NCC Group reports that for the first time in eight months, LockBit has also been overtaken by Play as the world’s top ransomware gang, with 32 attacks in April compared to LockBit’s 23 attacks.”
- Bloomberg informs us,
- “It’s time to formally stop ransom payments.
- “That’s the argument that a top cybercrime researcher — one who until recently staunchly opposed such a ban — made to scores of threat intelligence experts who gathered last week in a darkened basement ballroom at a hotel not far from the US Capitol.
- “Banning ransom payments is an extreme step but it also might be the least bad option available to us,” Allan Liska, a threat analyst at the cyber firm Recorded Future, told the crowd. * * *
- “On stage, Liska said he’s aware of the counter arguments: A ban won’t work to stop attacks, and blocking companies paying ransoms will do them harm. But, he said, what companies are doing now hasn’t stopped attacks either. While blocking payments might hurt some companies, so do the breaches themselves, he said.
- “Afterwards, Liska told me he was “dragged kicking and screaming” into opposing ransom payments. The unrelenting pace of attacks last year convinced him that it was time to take a radical step.
- “It’s not because I think it’s a good idea. It’s because, right now, nothing else has worked and we need to do something,” he said. “I don’t know what else it could possibly be.”
From the cyber defenses front,
- Cyberscoop relates,
- “A coalition of international law enforcement agencies carried out what they said was the “largest ever” operation to counter botnet and dropper malware by taking down or disrupting more than 100 servers, seizing 2,000 domains and identifying nearly 70 million euros earned by one of the main suspects in the case.
- “Officials with Europol announced early Thursday that “Operation Endgame” targeted droppers — malware used to get other malware onto a system — used extensively to facilitate a range of consequential cybercrimes, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
- “As part of the operation, authorities made one arrest in Armenia and three in Ukraine, and eight suspects linked to the activities and wanted by Germany will be added to Europe’s Most Wanted list, Europol said in its statement.”
- Modern Healthcare reports,
- “Healthcare’s cybersecurity challenges have shined a light on how the industry has failed to protect patient data by not dedicating enough resources to address the problem.
- “Health systems and insurers are dealing with the aftermath of the industry’s latest large-scale ransomware attacks on St. Louis-based Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital, among others. Conversations are happening over whether organizations should be bringing in outside consultants or hiring more employees, executives say.
- “Do we have enough people? Do we need consulting help to accelerate resiliency projects and testing? Those are the conversations going on right now,” said James Case, chief information security officer at Jacksonville, Florida-based Baptist Health. “The current climate is causing us to bubble those conversations to the top, and whether we should get help one way or another.”
- Here’s a link to Dark Reading’s CISO Corner.