From Capitol Hill, Health IT Security reports
Senators Bill Cassidy (R-LA) and Jacky Rosen (D-NV) introduced the bipartisan Healthcare Cybersecurity Act (S. 3904), shortly after President Biden warned all critical infrastructure sectors to harden their cyber defenses to safeguard against potential Russian cyberattacks. * * *
The act aims to strengthen healthcare cybersecurity by partnering the Cybersecurity and Infrastructure Security Agency (CISA) with HHS. Specifically, the act would require CISA and HHS to enter into an agreement, as defined by CISA, that would improve cybersecurity in the healthcare and public health sector.
If passed, CISA will work with information sharing organizations and analysis centers to create resources specific to the healthcare sector and to promote threat sharing. The act also supports training efforts for private sector healthcare experts. CISA would be responsible for educating healthcare asset owners and operators on the cybersecurity risks within the sector and ways to manage those risks.
The act also mandated that CISA conduct a thorough study on the cybersecurity risks facing the healthcare sector. The study would explore strategies for securing medical devices and electronic health records, and how data breaches impact patient care.
The Senate Homeland Security and Governmental Affairs Committee held a business meeting on March 30, at which the Committee favorably reported an amended version of S. 3904 (Item 18). This action suggests that the bill has legislative legs. The FEHBlog will keep an eye on it.
Nextgov identifies six cybersecurity takeaways from the President’s proposed FY 2023 budget that was delivered to Capitol Hill last Monday.
In cybersecurity news, CISA announced yesterday
the start of National Supply Chain Integrity Month. CISA in partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners is promoting a call to action for a unified effort by organizations across the country to strengthen information and communications technology (ICT) supply chain.
CISA’s themes for each week include:
Week 1: Power in Partnership – Fortify The Chain!
Week 2: No Shortages of Threats – Educate to Mitigate
Week 3: Question, Confirm, and Trust – Be Supplier Smart
Week 4: Plan for the Future – Anticipate Change
Resources include those developed by the ICT SCRM Task Force, a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience.
Check out our webpage weekly for resources, a social media toolkit, videos, and the latest news: CISA.gov/supply-chain-integrity-month.
The HHS Cybersecurity Program informs us
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In recent years, UPS vendors have added an Internet of Things (IoT) capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.
CISA Insight – Mitigating Attacks Against Uninterruptible Power Supply Devices
Health IT Security reports
H-ISAC and Booz Allen Hamilton released a report and survey outlining the top cyber threats concerning healthcare executives in today’s sophisticated cyber threat landscape.
H-ISAC surveyed cybersecurity, IT, and non-IT executives and found no significant differences between the disciplines when the experts were asked to rank the top five greatest cybersecurity concerns facing their organizations in 2021 and 2022.
Ransomware deployment was the top-rated concern, followed by phishing and spear-phishing, third-party breaches, data breaches, and insider threats.
Medical Economics tells us, “The Confidentiality Coalition and the Workgroup for Electronic Data Interchange sent a letter to the Commerce and HHS Secretaries outlining their concerns with allowing unregulated third-party apps to get access to patient health information.”
From the ransomware front —
Cybersecurity Dive alerts us
The average ransomware payment to cybercriminals surged 78% last year to $541,010, fueled in part by the rapid spread of ransomware as a service (RaaS) business models that reduce barriers to entry for cyber extortionists, Palo Alto Networks said.
Ransomware attacks “show no signs of slowing down,” according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks. “The long-term effects of these ransomware attacks can be devastating, going beyond the actual cost of the ransom to include a number of ancillary costs associated with downtime, remediation and disruptions to business,” the company said in a report.
Ransomware criminals last year targeted companies in the Americas in 60% of their attacks and demanded on average $2.2 million from their victims, a 144% increase compared with 2020, Palo Alto Networks said.
GCN reports
Ransomware encrypts faster than organizations can respond, making it unlikely that they can prevent a total loss of data from an attack, according to a new study.
The research by SURGe, Splunk’s new cybersecurity research arm, found that the median ransomware variant can encrypt 98,561 files totaling almost 54 gigabytes in 42 minutes and 52 seconds.
“Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found,” according to “An Empirically Comparative Analysis of Ransomware Binaries,” which Splunk published March 23.
As usual, here is a link to Bleeping Computer’s The Week in Ransomware.
From the cyberdefense front, CIS identifies best practices for regulatory compliance.
Speaking of regulatory compliance, HHS’s Office for Civil Rights announced four HIPAA Privacy Rule enforcement actions last week.