From Capitol Hill, the Senate Homeland Security and Governmental Affairs Committee will hold a full Committee hearing to examine cybersecurity risks to the healthcare sector. The hearing will occur on Thursday, March 16, 2023, at 10 am.

Among the topics at the hearing will be a serious cybersecurity breach at DC Health Link which runs the DC health marketplace under the Affordable Care Act (“Act”). In the Affordable Care Act (“ACA”) Congress shifted its health benefits coverage for its members and senior staffers from FEHB to the ACA marketplace. Of note, Congress was directly hit in the OPM breach and this new one.

Axios explains

A hacker who uses the pseudonym “Denfur” is selling a database they claim includes stolen sensitive data from at least 55,000 customers of D.C.’s health insurance marketplace, including members of Congress and their staffs.

Driving the news: Congressional leaders started warning lawmakers on Wednesday about the breach at DC Health Link and suggested they freeze their credit while an investigation continues.

• DC Health Link, which confirmed the breach and dark web leaks in a statement, helps all city residents purchase health insurance, not just members of Congress.

What’s happening: Researchers at Check Point Research told Axios Thursday that a malicious hacker had posted the database for sale on the “biggest English-speaking dark web hacking forum.” The member claims the database includes sensitive data from thousands of customers, including Social Security numbers, birthdates and home addresses.

• Denfur is now selling the stolen database for just “a few dollars,” researchers noted. Denfur signed off the post with “Glory to Russia!”
• CyberScoop reports that a sample of the stolen data includes information about former defense officials and lobbyists, and the Associated Press reported it was able to authenticate data belonging to two victims in the set.
• Axios has seen the dark web post, which was still live as of Friday morning.

Cyberscoop adds,

A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed permanently banned. 

Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed. 

At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.

From the cybersecurity risks / vulnerabilities front —

Tech Republic tells us,

CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year —  identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.

“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.

Besides the raft of new threat actors in the wilds that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities. * * *

Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.

The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog on March 7, 2023, and two more on March 10. Bleeping Computer provides its perspective here.

Tech Republic also highlights a cybersecurity report from the World Econonic Forum that is worth a gander.

From the ransomware front

Tech Republic informs us based on the CrowdStrike report that cybercriminals are shifting tactics from ransomware to data exfiltration and extortion like what happened at DC Health Link. “There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.”

HHS’s Healthcare Sector Cybersecurity issued a threat alert on data exfiltration trends in the healthcare sector on March 9.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports

HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the healthcare sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.

The guide aims to help healthcare organizations align their cyber programs with the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF). * * *

The publication is not intended to replace other cybersecurity programs or provide a roadmap to compliance, the guide states. Rather, the voluntary guidance can help healthcare organizations bolster their existing programs and ideally reduce risk by aligning the healthcare sector with NIST’s robust framework.  

Bank Info Security points out that “In addition to the new joint NIST cybersecurity framework toolkit, the Health Sector Coordinating Council and HHS are also close to completing an update of a joint 2019 publication, Health Industry Cybersecurity Practices.”

From the cybersecurity policy front —

The Wall Street Journal reports

The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren’t sufficient to guard consumers and the nation.

Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail. * * *

In addition to making a forceful call for expanded liability, the plan reiterates several top priorities that have frequently been listed by various senior cybersecurity officials in recent years, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with the goals of past administrations, the focus on liability and mandates on critical infrastructure largely depart from President Biden’s predecessors.

The strategy also emphasizes the need for persistent use of offensive cyber capabilities, such as those housed at the U.S. Cyber Command, to disrupt and dismantle cyber threats to the U.S. The strategy’s language effectively endorses steps taken during the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy replaces one issued by former President Donald Trump in 2018.

Security experts and former officials said establishing liability for software manufacturers was the most significant—if hardest to achieve—element of the strategy.

Security Week offers insider observations on the new strategy.

Here are links to the White House’s fact sheet and an informative report from Health IT Security.

The document is divided into five pillars, representing key focus areas: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Each pillar has significant implications for critical infrastructure entities, including those in the healthcare sector. Namely, the National Cybersecurity Strategy highlights the need to further prioritize Internet of Things (IoT) device security and to transfer some cyber responsibilities away from software users and onto vendors.

“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the document states.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

Cybersecurity Dive discusses the path to implementing this strategy.

From the cyber breaches front, Security Week points out four recent healthcare sector data breaches.

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

• Nearly one-third of companies lost money following a phishing attack in 2022, Proofpoint research found. 
• The 76% year-over-year increase in phishing attacks resulting in a wire transfer or invoice fraud reflects threat actors’ resolve to narrow their scope and steal money more quickly, according to Proofpoint’s annual State of the Phish report released Tuesday.
• “We saw a significant jump in the direct financial loss,” said Sara Pan, team manager of product marketing at Proofpoint. “What that really implies is that we’re seeing attackers being more impatient and really wanting to claim their trophy right after a successful phishing attack.”

• The Cybersecurity and Infrastructure Agency (CISA) added one more known exploited vulnerability to its catalog.

From the ransomware front —

• Bank Info Security reports on an FBI report on ransomware attacks against critical infrastructure in 2022.

• Bank Info Security adds,
  • Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransom being paid to criminals.
  • Coveware ascribed the decline directly to the FBI, which has “subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable.” Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.

• The FBI and CISA issued an alert on Royal Ransomware.
  • Today [March 2, 2023], the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.
  • Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
  • CISA encourages network defenders to review the CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.

• The Bleeping Computer’s Week in Ransomware is back!

From the cyber defense front —

CISA announced

Today [February 28, 2023], CISA released a Cybersecurity Advisory, CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. This advisory describes a red team assessment of a large critical infrastructure organization with a mature cyber posture. CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders proactive steps to reduce the threat of similar activity from malicious cyber actors. 
  
As detailed in the advisory, the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. This cybersecurity advisory highlights the importance of early detection and continual monitoring of cyber assets.  
  
CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to ensure security processes and procedures are up to date, effective, and enable timely detection and early mitigation of malicious activity.

Cybersecurity Dive observes

• The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure providers to harden their defenses and enable phishing resistant multifactor authentication, after conducting a red team assessment of a large organization over a three-month period in 2022.
• During the voluntary assessment, a CISA red team was able to gain access to workstations at separate geographic locations using spearphishing emails. The red team leveraged that access to move laterally around the network, gaining root access to multiple workstations adjacent to specialized servers. 
• The organization largely failed to detect multiple actions by the red team, including lateral movement, persistence and command and control activity. However, the use of strong service account passwords and MFA prevented the red team from accessing a sensitive business system.

The American Hospital Association adds,

“This highly detailed and technical report is an excellent guide to help implement specific cybersecurity tools that will help detect a cyberattack in the early stages and significantly reduce its spread and impact,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The ‘red team’ or penetration test used a common combination of voice and email social engineering techniques to gain trust of the end users and compromise their credentials, which reaffirms government and AHA cybersecurity guidance that relatively low-cost basics such as establishing phishing-resistant multi-factor authentication are essential to reduce cyber risk. I would strongly encourage hospitals and health systems to explore the possibility of leveraging CISA’s authority and capacity to provide free technical assistance, including red team penetration testing.” 

Also, an ISACA expert explains why “LastPass Hack Highlights Importance of Applicable Acceptable Use Policies.”

From the cybersecurity policy front —

Federal News Network tells us

Federal cybersecurity leaders are looking forward to a major update for the National Institute of Standards and Technology’s Cybersecurity Framework, as NIST aims to add new details on governance, supply chain risks and more to a document that guides the cybersecurity practices of many organizations.

NIST released the original framework in 2014 and last updated the document in 2018. It began gathering feedback on the shift to “CSF 2.0” through a request for information last February, and hosted an initial workshop on the new framework in June.

Last month, NIST published a concept paper laying out some of the initial planned changes. Comments on the paper are due March 3. NIST plans to have a draft of CSF 2.0 ready by this summer, before releasing a final version in early 2024.

During a Wednesday workshop hosted by the standards agency, CISA Director Jen Easterly applauded NIST’s work to update the framework. She reiterated a recent push from CISA for the technology community to focus on “product safety and “the idea that software and hardware must be secure by design and secure by default,” adding that NIST’s work on the framework is an important element in that endeavor.

Federal News Network adds

The Social Security Administration is getting $23.3 million from the Technology Modernization Fund to implement multifactor authentication across its internal systems, part of a trio of recent TMF awards focused on cybersecurity and reliability.

The TMF announced three new investments today for SSA, the Treasury Department and the U.S. Agency for Global Media (USAGM).

USAGM is getting $6.2 million from the TMF to implement a zero trust architecture across its global network. * * * Other agencies to receive zero trust architecture funding from the TMF, include USAID, the Office of Personnel Management, the Education Department, and the General Services Administration.

Cyberscoop informs us

The U.S. government is stepping up its effort to combat threats from foreign technology investments, data acquisition and cyberattacks with a new collaboration between the Departments of Justice and Commerce, Deputy Attorney General Lisa Monaco said Thursday.

Speaking at the Chatham House in London as part of a conversation on disruptive technologies by nation states and malign actors, Monaco announced the “Disruptive Technology Strike Force,” to fight the ability of autocrats seeking “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.”

Venture Beat identifies five cybersecurity trends for 2023:

• Credential phishing remains the hackers’ go-to;

• Omnichannel cyberattacks increase risks;

• Cyber insurance coverage requirements grow;

• AI’s role in threat protection matures, and

• Cybersecurity must be flexible to meet threats.

Speaking of cyber insurance, the Advisory Council of Employee Welfare and Pension Plans issued a report on Cybersecurity Insurance and Employee Benefit Plans.

From the cyber threats front —

• The Health and Human Services Office for Civil Rights shared “two Reports to Congress for 2021, on 
  • HIPAA Privacy, Security, and
  • Breach Notification Rule Compliance Breaches of Unsecured Protected Health Information.
• These reports, delivered to Congress today, may benefit regulated entities to assist in their HIPAA compliance efforts. The reports also share steps OCR took to investigate complaints, breach reports, and compliance reviews regarding potential HIPAA rule violations.  The reports include important data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.”  

• The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog on February 14, 2023, and one more on February 16, 2023. Bleeping Computer discusses February 14, 2023, additions.

• The Healthcare Sector Cybersecurity Coordination Center produced a Healthcare Sector DDoS Guide:

• “Distributed Denial of Service (DDoS) attacks have the potential to deny healthcare organizations and providers access to vital resources that can have a detrimental impact on the ability to provide care. In healthcare, disruptions due to a cyber-attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks. (See HC3 Analyst Note titled: Pro- Russian Hacktivist Group ‘Killnet’ Threat to HPH Sector). Link can be found here.
• “Threat actors utilize DDoS attacks due to the cost-effectiveness and relatively low resources and technical skills needed to deploy this type of attack as a hacker doesn’t have to install any code on a victim’s server. Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cyber criminals take advantage of the sheer number of insecure internet-connected devices. (Analyst Comment: It is strongly recommended by cybersecurity institutions, like the National Institute of Standards and Technology, that organizations effectively manage the cybersecurity and privacy risks associated with Internet-of-Things (IoT)). (See NIST Report (NISTIR) – 8228). Link can be found here.”

Health IT Security discusses this guide here.

• Ars Technica reports

One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.

Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.

From the cybersecurity defenses front —

• Cyberscoop fills us in on the benefits of proactive cyber threat protection.

• Venture Beat explains how to use blockchain to prevent data breaches.

• The Wall Street Journal discusses “How Companies Can Minimize the Cybersecurity Risk From Their Tech Vendors.”
  • Set up a rigorous review process when hiring vendors; 
  • Spell out expectations in vendor agreements, including how data will be shared;
  • Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities;
  • Carefully guard access to company data from the vendors, and 
  • Empower the chief information security officer and bring security expertise to boards.

From the cybersecurity policy front, Cybersecurity Dive informs us

National Cyber Director Chris Inglis will retire from his position Feb. 15, ending a more than four decade career in national security. 

Kemba Walden, principal deputy national cyber director and a former legal executive at Microsoft, will become acting director until Biden names a nominee for the post. The NCD post requires Senate confirmation. 

From the cyber vulnerabilities front —

• The Health Sector Cybersecurity Coordination Center (HC3) issued a PowerPoint presentation titled “2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead.”

• HC3 also released its January 2023 Cybersecurity Vulnerability Bulletin.

• The Cybersecurity and Infrastructure Agency (CISA) added three known exploited vulnerabilities to its catalog.

• The Government Accountability Office produced a report titled “Challenges in Protecting Cyber Critical Infrastructure.”

From the ransomware front —

CISA announced on February 8

CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. The ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.

As detailed in the advisory, CISA has created and released an ESXiArgs recovery script at https://github.com/cisagov/ESXiArgs-Recover. CISA and FBI encourage organizations that have fallen victim to ESXiArgs ransomware to consider using the script to attempt to recover their files.

Here’s a Cybersecurity Dive report on this topic.

CISA announced on February 9

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

• Train users to recognize and report phishing attempts.
• Enable and enforce phishing-resistant multifactor authentication. 
• Install and regularly update antivirus and antimalware software on all hosts. 

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for ransomware actor’s tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

Bleeping Computer tells us

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.

Cyberscoop considers whether “After the Hive takedown, could the LockBit ransomware crew be the next to fall?”

Here is a link to Bleeping Computers The Week in Ransomware.

From the cyber defenses front —

• Health IT Security relates, “Duo, Imprivata, and Medigate by Claroty, were among the variety of vendors that achieved “Best in KLAS” status in the newly released 2023 Best in KLAS: Software & Services report.”

• The Wall Street Journal offers its quarterly cybersecurity insurance update.

• ZDNet reports, “Reddit was hit with a phishing attack. How it responded is a lesson for everyone. A quick and transparent response shows that there’s a correct way to respond to cybersecurity incidents.”

• An ISACA expert asks, “How does one fix people?” and answers, “Through governance, processes and planning. Governance, processes and planning are all essential components of effective cybersecurity management.”

From the cybersecurity front, Health IT Security interviewed Senator Mark Warner (D Va) “about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.”

The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.

“There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.

Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.

The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”

This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

Interesting.

From a cybersecurity vulnerabilities front,

Cybersecurity Dive informs us

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released Wednesday by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

and

A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute. 

Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5. * * *

A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

On a related note, an ISACA expert considers trends in cyberattacks.

Looking deeper into the crystal ball, Security Week discusses

The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

Beckers Health IT informed us on February 1, 2023:

More U.S. hospitals and health systems have reported that their websites went down this week after a cyberattack that Russian hacking group Killnet claimed responsibility for.

Becker’s reported Jan. 31 on 17 hospitals and health systems that were affected. These six organizations were also reportedly hit, according to news reports and tech company BetterCyber:

1. Banner Health (Phoenix)

2. Boulder City (Nev.) Hospital

3. CHA Hollywood Presbyterian Medical Center (Los Angeles)

4. ChristianaCare (Newark, Del.)

5. Presbyterian Healthcare Services (Albuquerque, N.M.)

6. University of Iowa Health Care (Iowa City)

On January 30, 2023, the Heath Sector Cybersecurity Coordination Center (HC3) released an analyst note on this threat. The next day, HC3 issued a sector alert about “Multiple Vulnerabilities in OpenEMR Electronic Health Records System.”

Three vulnerabilities were identified in an older version of OpenEMR, a popular electronic health records system, which can allow for a cyberattacker to access sensitive information and even compromise the entire system. The prevalence of ransomware attacks and data breaches impacting the health sector make these vulnerabilities especially important. These vulnerabilities were fixed in newer versions of OpeEMR, and therefore upgrading to the most recent version will fully patch them.

On a related note, Cyberscoop points out, “ChatGPT isn’t a malware-writing savant, and much of the hype around it obscures just how much expertise is required to output quality code.”

From the cyber breach front, last Thursday, the HHS Office for Civil Rights announced a HIPAA Security Rule alleged violation settlement with Banner Health,

a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

From the ransomware front, all the FEHBlog has this week (do we really need more?) is Bleeping Computer’s The Week in Ransomware.

While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

From the cybersecurity policy front, Cybersecurity Dive tells us

The public-private cybersecurity supergroup, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.

JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday. 

It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.

FedScoop reports

The National Institutes of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

On Thursday [January 24, 2023], NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks. 

The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.

and

The National Institutes of Standards and Technology has issued the first version of its Artificial Intelligence Risk Management Framework that federal agency leaders and lawmakers hope will govern use of the technology.

The Department of Commerce agency Thursday released the initial document, which it emphasized will continue to evolve as the department receives further input from industry and the scientific research community.

Publication of the document comes as the use of AI technology receives increased public attention with the launch of new mainstream tools including Chat-GPT.

In the framework document, NIST sets out four key functions that it says are key to building responsible AI systems: govern, map, measure and manage.

Nextgov informs us

The Office of Personnel Management plans to launch a federal cyber workforce dashboard to provide agencies with a better tool to address workforce needs, according to a demo of the proposed dashboard held during a National Institute of Standards and Technology webinar on Tuesday [January 24, 2023].

An OPM spokesperson told Nextgov the cyber workforce data dashboard is a new tool that will have two versions: a public version looking at governmentwide data and an agency-specific version—where each agency will have a more granular view—to help support their workforce needs. The spokesperson added that OPM has been showing the dashboard to cyber workforce community stakeholders, such as the Office of the National Cyber Director and the Office of Management and Budget.

This past week has been Data Privacy Week. Spiceworks explains how to convert Data Privacy Week to Data Privacy Year. Security provides thoughts and advice from data security leaders. For example

Corey Nachreiner, Chief Security Officer at WatchGuard Technologies:

“Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility.”

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday. 

The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses. 

The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network. 

Health IT Security also offers an article on this topic.

Fortune Magazine alerts us,

As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

Health IT Security reports that “UCHealth and UCLA Health Report Healthcare Data Breaches
The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.”

The Cybersecurity and Infrastructure Security Agency added known exploited vulnerabilities to its catalog — here and here.

Health IT Security adds

Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry’s Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.  

Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

From the ransomware front, The Wall Street Journal reports

U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

Bravo. Bleeping Computer’s The Week in Ransomware focuses on this important development.

Yesterday [January 26, 2023], an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

Here’s the Justice Department’s press release.

Furthermore, an ISACA expert writes about common misconceptions about ransomware.

From the cyber defense front, the Wall Street Journal provides advice on assessing the likelihood of a ‘Catastrophic” cyber attack, and Security Week explains how to end to password dependency.

From the cyberpolicy front —

Cyberscoop reports

The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.

The lethargic pace in which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.

The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies” such as performance measures that was missing in President Trump’s 2018 cybersecurity strategy.

“We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted. 

The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions establishing the national cyber director and the General Service Administration updating their security plans.

The Cybersecurity and Infrastructure Security Agency released a report on 2022 year in review. Health IT Security examines the CISA report from the standpoint of the healthcare sector.

The FEHBlog noticed that two Federal Acquisition Regulation proposed rules that he has been tracking are now pending review at OMB’s Office of Information and Regulatory Affairs.

DOD/GSA/NASA (FAR)

AGENCY: FAR RIN: 9000-AO34 Status: Pending Review
TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: Yes
RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

AGENCY: FAR RIN: 9000-AO35 Status: Pending Review
TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems
STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: No
RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

Should these regulations clear OIRA review, then the next step will be published in the Federal Register.

From the cyberbreach front,

Cybersecurity Dive reports

T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.

The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.

T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants. 

This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.

The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.

From the cyber vulnerabilities front —

Cybersecurity Dive reports

• Potential cyber incidents and business interruption remained the two leading worldwide corporate risk concerns for the second year in a row, according to a report published Tuesday by Allianz Group’s corporate insurance unit, Allianz Global Corporate & Specialty. 
• Both cyber and business interruptions were the top concerns among 34% of respondents in the annual Allianz Risk Barometer. The study measured the responses of 2,712 risk management experts in 94 countries and territories, including CEOs, risk managers, brokers and other insurance experts. 
• Respondents were concerned about a range of potential incidents, from ransomware to data breaches and IT outages. The report noted ransomware remains a frequent threat and cited IBM data showing the average cost of a data breach hit a record of $4.35 million, with the cost expected to surpass $5 million this year.

Health IT Security tells us

Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

CISA added one more known exploited vulnerability to its catalog.

The Healthcare Sector Cybersecurity Coordination Center issues three reports this week:

• Healthcare Cybersecurity Bulletin for Q4 2022 “Ransomware attacks, data breaches, and often both together, continued to be prevalent attacks against the health sector,” the bulletin notes. “Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”

• December Vulnerabilities of Interest to the Health Sector “In December 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Intel, Cisco, SAP, Citrix, VMWare, and Fortinet.”

• Artificial Intelligence and Its Current Potential to Aid in Malware Development Artificial intelligence (AI) has now evolved to a point where it can be effectively used by threat actors to develop malware and phishing lures. While the use of AI is still very limited and requires a sophisticated
  user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to easily and quickly customize attacks against the healthcare sector.

In this regard CSO offers a feature on how ChatGPT changes the phishing game. “The Microsoft-backed free chatbot is improving fast and can not only write emails, essays but can also code. ChatGPT is also polyglot and that could facilitate and increase exponentially phishing attacks.” Wonderful.

From the ransomware front —

• An ISACA expert explains why ransomware looms large on the third party risk landscape. “As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.”

• Bleeping Computer’s The Week in Ransomware covers several ransomware topics this week.

• In Cybersecurity Dive, a ransomware negotiator shares three tips for victim organizations.

• Dark Reading adds “in another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.”

From the cyber defenses front, Tech Republic explains that while the cybersecurity implications of ChatGPT are vast, especially for email exploits, putting up guardrails, flagging elements of phishing emails that it doesn’t touch and using it to train itself could help boost defense. Ah, a double edged sword.

While Congress did enact a nationwide data breach law for healthcare organizations, including FEHB plans, Cyberscoop reports that last month’s data breach affecting password manager LastPass “exposes how US breach notification laws can leave consumers in the lurch.”

The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime. 

“It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”

Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.

As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods. 

Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate. 

The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.

Congress can fix this problem.

Cybersecurity Dive tells us

The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency said Thursday at CES in Las Vegas.

Cybercrime damages cost organization $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.

“We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”

This won’t change until priorities and incentives are realigned, she said.

Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.

“We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.

Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.

“Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.

Organizations are relying on technology that short shrifts security.

“We can’t just let technology off the hook,” Easterly said.

Good point, Ms. Easterly

From the cyber vulnerabilities front,

Cybersecurity Dive informs us

• “For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie. 
• “The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million. 
• “Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.”

Cybersecurity Dive also points out

The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspaceto its catalog of known exploited vulnerabilities Tuesday [January 10]. 

The escalation of privilege vulnerability, listed as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace. 

CrowdStrike disclosed an attack method using CVE-2022-41080 and CVE-2022-41082 that achieves remote code execution via Outlook Web Access.  * * *

CISA also added CVE-2023-21674, which is a Microsoft Windows advanced local procedure call (ALPC) to its catalog. The escalation of privilege vulnerability happens when Windows improperly handles calls to ALPC, allowing an attacker to escalate privileges from sandboxed execution inside Chromium to kernel execution, according to researchers at Automox. 

Here’s a link to the CISA catalog for your ease of reference.

FYI, the Wall Street Journal reports, that “Biden administration officials and cybersecurity experts said the Federal Aviation Administration’s system outage on Wednesday didn’t appear the result of a cyberattack.”

From the ransomware front,

Security Weeks relates, “Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

The Health Sector Cybersecurity Coordination Center issued an analysis of “Royal & BlackCat Ransomware: The Threat to the Health Sector.”

Bleeping Computer’s The Week in Ransomware tells us

New research on ransomware was also disclosed, or discovered, with various reports listed below:

• A technical report from Rapid 7 on the Hive Ransomware.
• The Cuba Ransomware operation exploits the Microsoft Exchange OWASSRF flaw.
• The Lorenz ransomware group is planting backdoors for initial access months later.

CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

From the cyber defense front,

• The Wall Street Journal reports, “Cloud-infrastructure company Cloudflare Inc. announced Wednesday new email security capabilities aimed at helping businesses defend against phishing, malware and other cyberattacks commonly targeting corporate email accounts.”

• Health IT Security informs us, “More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TRPM) conversation.”

• Following up on Ms. Easterly’s comments on cyber safety, Federal News Network notes that “CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.”

Happy New Year! Cybersecurity Dive offers viewpoints of “six security experts on what cyber threats they expect in 2023. In sum
Organizations will keep a close eye on geopolitical tension and supply chain attacks. But at the core, the biggest threats are built on mistakes.”

Becker’s Health IT provides the viewpoints of healthcare cybersecurity experts on what’s in store for 2023.

Security Week discusses five stories that shaped cybersecurity in 2022.

From the ransomware front —

The Healthsector Cybersecurity Coordination Center released an analyst note on CLOP ransomware last Wednesday:

Clop operates under the Ransomware-as-service (RaaS) model, and it was first observed in 2019. Clop was a highly used ransomware in the market and typically targeted organizations with a revenue of $5 million U.S. Dollars (USD) or higher. Since its appearance, HC3 is aware of attacks on the Health and Public Health (HPH) sector. The HPH sector has been recognized as being a highly targeted industry for the Clop ransomware.

Health IT Security provides a related article.

Bleeping Computer’s The Week in Ransomware reports

BitDefender and law enforcement released a free decryptor for the MegaCortex ransomware.  Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.

From the cyber defense front —

• Health Tech informs us about “Tips for health systems on managing legacy systems to strengthen security bolstering; basic security can help protect legacy systems as healthcare organizations make strides to modernize infrastructure.”

• ISACA posted articles about the relationship between “high IP address IQ” and strong cybersecurity and the new emergent CISO.

• The National Institute of Standards and Technology informs us

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published the second version of volumes A-D and the first version of volume E of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on their contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture.