Cybersecurity Saturday

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive lets us know,
    • “Legislators slammed UnitedHealth Group CEO Andrew Witty over the cyberattack on subsidiary Change Healthcare at two Congressional hearings on Wednesday, raising concerns about the technology firm’s lack of cybersecurity and the potentially huge breach of Americans’ health data.”
  • The American Hospital News reports
    • “The Biden Administration April 30 released a memo announcing updated critical infrastructure protection requirements, which include the Cybersecurity & Infrastructure Security Agency acting as the National Coordinator for Security and Resilience, and heightening the importance of minimum security and resilience requirements within health care and other critical infrastructure sectors, consistent with the National Cybersecurity Strategy.”  
  • and
    • “The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber incident and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule would require critical infrastructure organizations, including hospitals and health systems, to report a covered cyber incident to the federal government within 72 hours and ransom payments within 24 hours, among other requirements.”
  • Cyberscoop adds,
    • “A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.
    • “The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency’s biggest forays into a regulatory role — and it is proving to be a thorny one. The 447-page draft rule, released in March, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks — such as the SolarWinds espionage campaign — highlighted the fact that many attacks go unnoticed.
    • “Witnesses before the House Homeland Security’s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders — particularly smaller organizations — could be hampered by trying to both file reports and deal with an attack. CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.”
  • Health IT Security informs us,
    • “The Federal Trade Commission (FTC) finalized updates to its Health Breach Notification Rule (HBNR) with the goal of clarifying the rule’s applicability to health apps and other technologies that fall outside HIPAA’s purview.
    • “The FTC issued the HBNR more than a decade ago, when health apps were not as embedded into the US healthcare landscape as they are now. The HBNR requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that are not subject to HIPAA to notify the FTC and impacted individuals in the event of a health data breach.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “A ransomware group accessed Change Healthcare’s systems with compromised credentials, UnitedHealth Group CEO Andrew Witty said in written testimony prepared for a Wednesday hearing before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations.
    • “On Feb. 12, the AlphV ransomware group used those compromised credentials to “remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in his prepared remarks. “The portal did not have multifactor authentication.” 
    • “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said.”
  • and
    • “The exploitation of vulnerabilities almost tripled as an initial access vector in 2023, fueled in part by the MOVEit breach, Verizon said in its Data Breach Investigations Report released Wednesday.
    • “Ransomware actors increasingly targeted zero-day vulnerabilities in IT systems, Verizon found. About a third of all breaches in 2023 included some type of extortion, and MOVEit involved Clop ransomware exploiting zero-day vulnerabilities in the file-transfer service.
    • “The report shows 15% of breaches involved a third party, which includes data custodians, software vulnerabilities and direct or indirect supply chain issues, according to the report. This figure represented a 68% increase from the prior year, Verizon said.”
  • and
    • “Pro-Russia hacktivists are targeting operational technology systems in the water, energy and agricultural sectors by exploiting poor cyber hygiene techniques, the Cybersecurity and Infrastructure Security Agency warned Wednesday. CISA issued a joint fact sheet with the FBI, National Security Agency and multiple international agencies.
    • “Threat groups are looking to compromise industrial control systems at small-scale operations in North America and Europe that are exposed to the internet and use default passwords or lack multifactor authentication, officials warned.
    • “The targeting thus far has involved unsophisticated techniques that target components like human-machine interfaces. The agencies urged providers to immediately change to more complex passwords and implement multifactor authentication.” 
  • SC Media offers five takeaways from the Verizon report.
  • Bleeping Computer tells us,
    • “The NSA and FBI warned that the APT43 North Korea-linked hacking group exploits weak email Domain-based Message Authentication Reporting and Conformance (DMARC) policies to mask spearphishing attacks.
    • “Together with the U.S. State Department, the two agencies cautioned that the attackers abuse misconfigured DMARC policies to send spoofed emails which appear to come from credible sources such as journalists, academics, and other experts in East Asian affairs.”
    • “The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications,” the NSA said.”
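The advisory above turns on what makes a DMARC policy “weak.” The following is an added example, not code from the article or from the agencies it quotes: it parses a domain’s DMARC TXT record (RFC 7489 tag=value syntax) and flags the settings that let spoofed mail through, such as p=none, sp=none, pct below 100, or no aggregate reporting address. All records shown are constructed samples; no real domain’s DNS data is used.

```python
"""Assess the strength of a DMARC TXT record (added example, not from the article).

A domain is "protected" only if receivers are told to quarantine or reject mail
that fails SPF/DKIM alignment, for the organizational domain and its subdomains,
for 100% of messages. Anything less lets a spoofed sender address be delivered.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "absent": None,  # domain publishes no _dmarc TXT record at all
}

ENFORCING_POLICIES = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: Optional[str]            # p= tag, or None when absent/invalid
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p= per RFC 7489
    pct: int                         # pct= tag, defaulting to 100
    rua: List[str]                   # aggregate report URIs
    weaknesses: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when spoofed mail is blocked for domain and subdomains alike."""
        return (
            self.policy in ENFORCING_POLICIES
            and self.subdomain_policy in ENFORCING_POLICIES
            and self.pct == 100
        )


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into an ordered tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Evaluate one DMARC record and list every setting that weakens it."""
    if record is None:
        return DmarcAssessment(None, None, 0, [],
                               ["no DMARC record published: receivers apply no policy"])

    tags = parse_dmarc(record)
    weaknesses: List[str] = []

    # RFC 7489 requires v=DMARC1 as the first tag; otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        weaknesses.append("v=DMARC1 is missing or not first: receivers ignore the record")

    policy = tags.get("p")
    if policy is None:
        weaknesses.append("missing p= tag: record is invalid")
    elif policy == "none":
        weaknesses.append("p=none only reports; spoofed mail failing SPF/DKIM is still delivered")

    # sp= governs subdomains and defaults to the organizational policy when absent.
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy == "none" and policy in ENFORCING_POLICIES:
        weaknesses.append("sp=none leaves subdomains spoofable although the domain itself enforces")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # scored as 100 here so a malformed value is not mistaken for a stronger one
        weaknesses.append("pct= is not an integer; value ignored for scoring")
    if pct < 100:
        weaknesses.append(f"pct={pct} applies the policy to only {pct}% of failing mail")

    rua = [uri.strip() for uri in tags.get("rua", "").split(",") if uri.strip()]
    if not rua:
        weaknesses.append("no rua= address: spoofing attempts generate no aggregate reports")

    return DmarcAssessment(policy, subdomain_policy, pct, rua, weaknesses)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        verdict = "ENFORCING" if result.enforcing else "WEAK"
        print(f"{name:13s} {verdict}")
        for w in result.weaknesses:
            print(f"    - {w}")
```

In practice the record comes from a TXT lookup of `_dmarc.<domain>`; a record that scores WEAK here is exactly the kind the advisory describes.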
  • CISA added the following known exploited vulnerabilities to its catalog this week.
    • On April 30, CVE-2024-29988 Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability, and
    • On May 1, CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability.
  • Tech Republic adds, “Researchers from the University of Illinois Urbana-Champaign found that OpenAI’s GPT-4 is able to exploit 87% of a list of vulnerabilities when provided with their NIST descriptions.”

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.
  • Security Week reports, “In the wake of a scathing US government report that condemned Microsoft’s weak cybersecurity practices and lax corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.”
  • ISACA released its 2023 annual report. “Access ISACA’s annual report here.”
  • Mercer Consulting considers how to modernize HR data strategy to address cybersecurity risks.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. government and its partners have slowed the swell of ransomware over the last three years, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Wednesday at an event.
    • “But the cyclical and persistent threat ransomware poses requires new ways of thinking, Easterly said, speaking at the Institute for Security and Technology’s annual ransomware task force event. Defenders and stakeholders have to turn the lens to software and hardware vendors, according to Easterly.
    • “There’s a lot about the villains. There’s a lot about victims. We do not talk enough about vendors,” she said.
    • “The way we are going to actually drive down the number of attacks, and the number of successful attacks, is if we go upstream and ensure that technology that is deployed and delivered is in fact prioritized to be secure,” Easterly said. “Not features, not speed to market, not driving down costs, but secure.”
  • Here is a link to a related blog post from the CISA Director on this important topic.
  • Cyberscoop adds,
    • “The Cybersecurity and Infrastructure Security Agency’s vulnerability warning program has issued more than 2,000 alerts to date to organizations that are running software with vulnerabilities being exploited by ransomware gangs, the agency’s director, Jen Easterly, said Wednesday.
    • “Currently running in a pilot phase, the program is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated. 
    • “The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said at an event hosted by the Institute for Security and Technology.
    • “Easterly said that since the pilot was launched in January of last year, it has expanded to include CISA’s database of known exploited vulnerabilities as well as common misconfigurations that can be linked to ransomware attacks. 
    • “In a Thursday blog about the warning pilot, CISA found that of the more than 1,700 notifications of vulnerable devices in 2023, 49% were mitigated through either patching, taking offline, or through other measures. The blog also said organizations reduce cyber risk when using CISA’s free cyber hygiene vulnerability scanning service, which monitors the web for vulnerable devices.
    • “Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” CISA said.”

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “UnitedHealth Group said [on April 22] it paid hackers a ransom in an attempt to protect patient information from disclosure after a cyberattack against its subsidiary Change Healthcare in February, the company confirmed to Healthcare Dive on Monday.
    • “The healthcare behemoth also said patient data was compromised. UnitedHealth found files involved in the cyberattack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America,” according to a press release. 
    • “UnitedHealth also said 22 screenshots of allegedly stolen files, some containing patient health information, were posted on the dark web for about a week. The healthcare giant said it’s continuing to monitor the internet and the dark web for stolen data. * * *
    • “The company also said it would take on breach reporting and notification requirements for customers whose data may have been exposed in the attack — a big concern for provider groups.”
  • Tech Crunch reports,
    • “U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).
    • “In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
    • “Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
    • “Kaiser said it subsequently removed the tracking code from its websites and mobile apps. * * *
    • “Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.
    • “The health giant also filed a legally required notice with the U.S. government on April 12 but made public on Thursday confirming that 13.4 million residents had information exposed.”
  • Help Net Security informs us,
    • “More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.
    • “Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.
    • “LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “Global median dwell times — measured as the time that hackers remain undetected inside a targeted environment — have fallen to their lowest levels in more than a decade, according to the annual M-Trends report from Google Cloud’s Mandiant, released Tuesday. 
    • “Organizations were able to detect intrusions within a median of 10 days in 2023, compared with 16 days in 2022. Notably the largest improvements came in the Asia-Pacific region, where median dwell times fell to nine days in 2023, compared with 33 in 2022.  
    • “Zero-day vulnerabilities are a hot target for espionage actors as well as financially motivated threat groups. Zero-day usage rose 50% in 2023, compared with the prior year.”
  • and
    • “The majority of companies, 4 in 5, have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by cyber risk quantification firm CYE.
    • “On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.
    • “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release.” 
  • Here is a link to Dark Reading’s latest CISO Corner.
  • SC Media considers whether the Change Healthcare case finally will make providers do a business impact analysis.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop informs us,
    • “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
    • “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
    • “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
    • “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”
  • The Hill reports,
    • “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.
    • “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”
  • Cybersecurity Dive adds,
    • The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
    • The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including:
      • Concerns about a ban’s impact on ransom payment reporting by victims.
      • The potential to drive more payments underground.
      • And the unintended consequences and practicalities of critical infrastructure exemptions.
    • Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.”
    • “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.
  • The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
    • “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
    • “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
    • “We recommended that these agencies implement the order’s remaining requirements.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced,
    • “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
    • “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks – Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
    • “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products. 
    • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
    • “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”
  • On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks Firewalls (CVE-2024-3400).
    • On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Per Cybersecurity Dive,
    • “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
    • “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
    • “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”
  • Dark Reading adds,
    • “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
    • “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
    • “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis as a promising use-case example.”
  • and
    • “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
    • “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
    • “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 
    • “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”
  • Healthcare IT Security lets us know,
    • “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
    • “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
    • “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

  • SC Media reports,
    • “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware site.]
    • “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
    • “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
    • “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
  • and
    • “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
    • “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
    • “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
    • “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”
  • TechTarget identifies the top 13 ransomware targets in 2024 and beyond.
  • Bleeping Computer’s The Week in Ransomware is back.

From the cybersecurity defenses front,

  • “Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
    • “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
    • PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
    • “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
    • CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”
  • Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
    • “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
    • “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.” 
  • On April 15, CISA issued joint guidance on deploying AI systems securely.
  • TechTarget offers four tips on securing cybersecurity insurance this year.
  • An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security
    • “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray. 
    • “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
  • and
    • “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
    • “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
    • The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
  • and
    • “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted. 
    • “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
    • “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”
  • NextGov relates,
    • “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
    • “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”
  • “DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.
  • Federal News Network lets us know,
    • “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
    • “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
    • “Federal News Network has learned Connelly’s last day will be April 19. * * *
    • “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
    • “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop informs us,
    • “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
    • CISA’s directive comes in the week after CyberScoop first reported its existence.
    • “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
    • “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”
  • Cybersecurity Dive tells us,
    • “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
    • “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families. 
    • “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”
  • Cyberscoop offers the reflections of Mandiant experts on this cybersecurity landscape.
  • Security Week lets us know,
    • Palo Alto Networks disclosed [a state-sponsored] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.
    • “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
    • “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”
  • CISA added new known exploited vulnerabilities to its catalog this week.
    • April 11, 2024
      • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
      • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
    • April 12, 2024
      • CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
    • FEHBlog note: the CVE references are to the NIST National Vulnerability Database discussed above.
  • The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
    • “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
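The Security Week item above gives the affected-configuration conditions for CVE-2024-3400 (PAN-OS 10.2, 11.0 or 11.1 with a GlobalProtect gateway and device telemetry enabled; other PAN-OS versions, cloud firewalls, Panorama and Prisma Access not affected). The following added example, which is not vendor code and uses a constructed inventory, encodes exactly those quoted conditions to sort a firewall fleet into "patch first" and "out of scope" lists.

```python
"""Check a firewall inventory against the CVE-2024-3400 affected-configuration
conditions quoted from Security Week above.

Added example, not vendor code. The inventory records are constructed; the
logic encodes only what the quoted text states: PAN-OS 10.2, 11.0 or 11.1 with
both a GlobalProtect gateway and device telemetry enabled is vulnerable, while
other PAN-OS versions, cloud firewalls, Panorama and Prisma Access are not.
"""
from dataclasses import dataclass
import re

AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}   # major.minor trains named in the quoted text
UNAFFECTED_PRODUCTS = {"cloud-firewall", "panorama", "prisma-access"}

_TRAIN_RE = re.compile(r"^(\d+)\.(\d+)")


@dataclass(frozen=True)
class Device:
    hostname: str
    product: str      # "pan-os" for a hardware/VM firewall; see UNAFFECTED_PRODUCTS
    version: str      # PAN-OS version string, e.g. "11.1.2-h3"
    gp_gateway: bool  # GlobalProtect gateway configured
    telemetry: bool   # device telemetry enabled


def version_train(version: str) -> tuple[int, int]:
    """Reduce a PAN-OS version such as '10.2.7-h3' to its (major, minor) train."""
    m = _TRAIN_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable PAN-OS version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def assess(dev: Device) -> str:
    """Return 'affected' or a 'not affected: <reason>' string for one device."""
    if dev.product.lower() in UNAFFECTED_PRODUCTS:
        return f"not affected: product {dev.product} is out of scope"
    train = version_train(dev.version)
    if train not in AFFECTED_TRAINS:
        return f"not affected: PAN-OS {train[0]}.{train[1]} is not an affected train"
    if not dev.gp_gateway:
        return "not affected: no GlobalProtect gateway"
    if not dev.telemetry:
        return "not affected: device telemetry disabled"
    return "affected"


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group hostnames into 'affected' and 'not_affected', each sorted, for a patch plan."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for dev in devices:
        key = "affected" if assess(dev) == "affected" else "not_affected"
        result[key].append(dev.hostname)
    for names in result.values():
        names.sort()
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    Device("edge-fw-1", "pan-os", "11.1.2-h3", gp_gateway=True, telemetry=True),
    Device("edge-fw-2", "pan-os", "10.2.9", gp_gateway=True, telemetry=False),
    Device("dc-fw-1", "pan-os", "10.1.11", gp_gateway=True, telemetry=True),
    Device("branch-fw-3", "pan-os", "11.0.3", gp_gateway=False, telemetry=True),
    Device("pano-1", "panorama", "11.1.2", gp_gateway=False, telemetry=True),
    Device("pa-cloud-1", "cloud-firewall", "11.1.0", gp_gateway=True, telemetry=True),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(f"{dev.hostname:12} {dev.version:10} {assess(dev)}")
    print(triage(SAMPLE_INVENTORY))
```

Affected-configuration criteria in vendor advisories are sometimes revised after initial disclosure, so re-run this kind of check against the current advisory text rather than treating the first version as final.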

From the ransomware front,

  • TechTarget notes,
    • “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
    • “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
    • “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
    • “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”
  • WIRED reports,
    • “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
    • “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
    • “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
    • “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

From the cybersecurity defenses front,

  • MedCity News discusses four lessons learned from the Change Health cyberattack.
  • According to Dark Reading,
    • The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
    • The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
    • The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.
  • According to Cybersecurity Dive,
    • “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings
    • “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America. 
    • “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
    • “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.” 

Tuesday Tidbits


From Washington, DC,

  • The American Hospital News reports,
    • “Health care leaders and other officials April 9 discussed challenges to rural health care access and potential solutions during an event in Washington, D.C. sponsored by the Coalition to Strengthen America’s Health Care: Protecting 24/7 Care. The AHA is a founding member of the Coalition, which recently rebranded to reflect its renewed focus to protect and strengthen patients’ access to 24/7 care. 
    • “Today’s event hosted by Punchbowl News involved discussions on a range of topics including access, the importance of telehealth, health care innovations and Medicare underpayment, among others. 
    • “You can watch a video of today’s event here. 
  • The Wall Street Journal lets us know,
    • “The U.S. Postal Service said Tuesday it is seeking to raise the price of a stamp by 5 cents, in what would be the fourth increase since the start of 2023. 
    • “The proposed price of 73 cents, up 7.4% from the current price of 68 cents, would still need to be approved by the Postal Regulatory Commission. 
    • “The last increase happened in January 2024, when the cost of a stamp rose from 66 cents to 68 cents. Before that, the agency hiked prices in July 2023 by 3 cents. * * *
    • “The new 5-cent increase would go into effect July 14, the Postal Service said. 
    • “The Postal Service said it also wants to raise prices for other services, including sending a letter outside the U.S., which would cost $1.65, up from $1.55. Mailing a postcard within the U.S. would cost 3 cents more at 56 cents. And sending metered letters, a service used by small businesses, would cost 5 cents more at 69 cents.”
  • MedTech Dive relates,
    • “The Department of Justice filed a consent decree of permanent injunction against Philips on Tuesday in response to the company’s ongoing recall of sleep apnea and respiratory devices.
    • “The settlement would restrict Philips from producing or selling new continuous positive airway pressure (CPAP) and bi-level positive airway pressure (BiPAP) machines and other devices in the U.S. until the company meets certain requirements. Philips also faces restrictions on exporting devices that are being provided to patients impacted by the recall “to help ensure remediation of U.S. patients is prioritized over export for commercial distribution.” 
    • “Philips is required to implement a recall remediation plan that the Food and Drug Administration must agree on, including providing patients with new or reworked devices, or a partial refund. Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, said in a Tuesday statement that the finalization of the decree is a “significant milestone.” 

From the public health and medical research front,

  • KFF notes,
    • “Rates of long COVID have begun to flatten. About 1 in 10 adults with COVID have reported having long COVID since rates fell in 2023, according to a KFF analysis of the latest data from the Centers for Disease Control and Prevention. If the rate continues to hold steady, new forms of prevention or treatment may be important to achieve future reductions in long COVID.
    • “As of March 2024, 7% of all adults (17 million people) reported that they have long COVID. Among the 60% of adults who reported ever having had COVID, roughly 3 in 10 reported having long COVID at some point and about 1 in 10 reported currently having it. The ongoing gap between the two long COVID rates indicates that people are continuing to recover, even as rates stabilize.”
  • US News and World Report informs us,
    • “Measles infections have continued to spread in pockets of the U.S., as the latest nationwide count shows the number of cases have now reached more than 100.
    • “A total of 113 cases have been reported across 17 states as of April 5, according to the most recent figures from the Centers for Disease Control and Prevention, nearly double the total of 58 that for all of 2023.
    • “So far, seven outbreaks have occurred – defined by the CDC as three or more related cases – up from four in 2023. More than 70% of all cases this year have been associated with an outbreak, and approximately half of patients are children under the age of five.
    • “More than 80% of measles infections are among those who are either unvaccinated or with an unknown vaccination status, according to the CDC, while 12% of cases are those who have received only one dose of the measles, mumps and rubella vaccine.
    • “Chicago has had the majority of U.S. cases, with 58 infections as of April 8, according to the most recent figures from the Chicago Department of Public Health.
    • “The majority of measles infections in Chicago have been tied to an outbreak at one of the city’s largest migrant shelters.
    • “In an update released on April 5, CDPH stated measles cases were decreasing in the city, with a total of five new cases reported during the week of March 31 through April 5, compared to 23 infections reported from March 24 through March 30.”
  • The Wall Street Journal reminds us,
    • The fight against dementia actually starts in your 40s.
    • Midlife, not your 70s or 80s, is when brain changes start to occur that can pave the way toward dementia, Alzheimer’s disease and cognitive decline later, according to a growing body of research. 
    • Intervening earlier to improve brain health—and studying the midlife brain more closely—might help people stay sharper in their later years, researchers say. Regular exercise, getting enough sleep and doing activities that keep your brain stimulated are all steps that can help you combat dementia later in life.
    • “Middle age is an opportune time to make lifestyle choices and obtain treatment that will bring an enormous return on investment in old age,” says Terrie Moffitt, a professor of psychology and neuroscience at Duke University.
    • More scientists are looking for clues in the midlife brain because efforts to target dementia in older people have largely failed, says Ahmad Hariri, a professor of psychology and neuroscience also at Duke.
  • Beckers Hospital Review points out,
    • “Surprise pregnancies may be an unexpected side effect experienced by women who use Ozempic or other GLP-1 medications, The Washington Post reported April 5.
    • “Numerous social media platforms include posts and discussions about unplanned pregnancies while on Ozempic or similar drugs. Although the reports of a possible Ozempic “baby boom” are anecdotal, it is a phenomenon researchers and experts are watching closely. 
    • “Experts speculate that weight loss drugs may impact the absorption of contraceptives, causing birth control failures or that they can affect ovulation and fertility. Others say losing weight can improve chances of pregnancy.”
  • According to Fierce Healthcare,
    • “Supplemental benefits administrator Avesis and Elevance Health subsidiary Amerigroup Georgia have teamed up with Uber Health in a pilot project to tackle the state’s maternal health crisis.
    • “Utilizing community health partners like the Georgia Primary Care Association and federally qualified health centers (FQHCs), hundreds of Amerigroup’s Medicaid members in December 2022 started receiving two individualized nutritional counseling sessions, a scale and $300 of Uber Eats vouchers.
    • “Though the program’s results have not been shared yet, Avesis Senior Manager of Care Transformation Don Trainor said the program has had promising results so far.”
  • The AHA News tells us,
    • “Women with health-related social needs such as food insecurity, housing instability and lack of transportation were less likely to report receiving a mammogram in the past two years when surveyed in 2022, according to a report released April 9 by the Centers for Disease Control and Prevention. About 66% of women aged 50-74 with at least three health-related social needs were up to date with their mammograms, compared with 83% of women with no health-related social needs. Mammography use also was lower among women without health insurance and a usual source of care.”

From the U.S. healthcare business front,

  • UnitedHealth Group has refreshed the website describing its response to the cyberattack against Change Healthcare.
  • Per Fierce Healthcare,
    • “Artificial intelligence categorization can help stem the flood of patient messages that would otherwise demand physicians’ expensive time, Kaiser Permanente researchers report.
    • “In a recently published JAMA Network Open research letter, members of the system’s research division and medical group outlined a strategy that used real-time natural language processing (NLP) algorithms to attach category labels to messages and then direct them to an appropriate respondent.
    • “The approach, they wrote, allowed 31.9% of the more than 4.7 million patient messages reviewed by program staff to be resolved before reaching the inbox of a specific physician. Instead, these messages were handed by a “regional team” made up of medical assistants or teleservice representatives, pharmacists and other doctors.”
  • and
    • “Consumers expect a simple and easy digital experience, and health plans have plenty of room to improve on that front, according to a new report.
    • “J.D. Power released its inaugural U.S. Health Insurance Experience Study on Tuesday, where it found that 42% of adults with insurance ran into issues using their plan’s website and/or mobile app in the past year.
    • “The study is based on responses from more than 5,500 people enrolled in the 14 largest Medicare Advantage (MA) plans and 15 largest commercial plans. It was conducted alongside Corporate Insight.”
  • Beckers Hospital Review names the “25 drugs at Mark Cuban’s online pharmacy with biggest cost reductions.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.
  • Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.
  • Cybersecurity Dive reported on April 3,
    • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
    • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
    • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.
  • Cybersecurity Dive added on April 5,
    • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
    • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
    • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
    • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 
  • Federal News Network lets us know,
    • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
    • “HHS is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
    • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”
  • The National Institute of Standards and Technology announced,
    • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • The public comment period is open through May 20, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”
  • NextGov tells us,
    • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
    • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
    • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
    • More on this threat can be found on the American Hospital Association news site.
  • On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.

From the ransomware front,

  • Bleeping Computer’s The Week in Ransomware is back at long last.
  • Cyberscoop reports,
    • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
    • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
    • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
    • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
    • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
    • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
    • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

  • Cybersecurity Dive relates,
    • “[E]ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say. 
    • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
    • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
  • Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”
  • Security Week points out,
    • “The US National Institute of Standards and Technology (NIST) this week announced $3.6 million in grants to help address the cybersecurity skills shortage.
    • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
    • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building cybersecurity workforce through education and training.
    • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”
  • Per Tech Target,
    • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
    • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
    • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”
  • HHS’s 405(d) Program now offers a
    • “New Resource: Healthcare Threat Identification Poster!
    • “Cyber hygiene poster highlights that threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “The U.S. Cybersecurity and Infrastructure Security Agency [CISA] on Wednesday [March 27, 2024] published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government.
    • “CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022. Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation-states to help improve defenses.
    • “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.  * * *
    • “The rules apply to any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
    • “Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.
    • “There are exemptions for small organizations, with revenue and employee counts that qualify under the Small Business Administration’s criteria.” 
  • Here is a link to the CISA announcement and a link to the proposed rule.
  • Cyberscoop adds,
    • “While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
    • “For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.” * * *
    • “CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
    • “Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clark, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.” 
  • On March 28, 2024, the Defense Department released its “Defense Industrial Base Cybersecurity Strategy [which] plots a course for increased focus and collaboration between the Defense Department and the U.S. defense industrial base on cybersecurity initiatives amid what officials say are persistent cyberthreats.”

From the cyber-vulnerabilities and breaches front,

  • Per Security Week,
    • “While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.
    • “By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023. * * *
    • “Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE-2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1.049 victims, around 20% of all known ransomware attacks in 2023.”
  • Cybersecurity Dive tells us,
    • “Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
    • “Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
    • “Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.”
  • Earlier this month, HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted the following two PowerPoints:
    • Credential Harvesting and Mitigations
      • “Cyberattacks against healthcare facilities can involve credential harvesting, which may lead to a disruption of operations. Credential harvesting, also known as credential stealing or credential phishing, is a technique that cybercriminals can use to obtain sensitive login credentials like usernames, passwords, and personal information. These credentials operate as the gateway to an individual’s digital identity, and can grant access to various types of information, such as online accounts and health data. The methods employed for credential harvesting are diverse, ranging from sophisticated phishing emails to fake websites and social engineering tactics.”
    • Defense and Mitigations from E-mail Bombing
      • E-mail bombing, also known as a mail bomb or letter bomb attack, occurs when a botnet (a single actor or group of actors) floods an e-mail address or server with hundreds to thousands of e-mail messages. They are a type of Denial of Service (DoS) attack that allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless. By overloading a victim’s inbox, attackers hope that a victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.
      • This type of attack is of particular importance to the Healthcare and Public Health (HPH) sector. In 2016, unknown assailants launched a massive cyber attack aimed at flooding thousands of targeted “dot-gov” (.gov) e-mail inboxes with subscription requests, rendering many unusable for days.
      • E-mail bombs are not only an inconvenience to the victim, but to everyone using that particular server. When an e-mail server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime. This Sector Alert provides an overview of types of e-mail bomb techniques, as well as defenses and mitigations for targets of this type of attack.
  • Bleeping Computer adds that “Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.”
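The e-mail bombing pattern described in the HC3 alert above, flooding a mailbox so that a genuine security notice is buried, can be spotted from mail-server logs with a simple rolling-window count. The detector below is an added example written for this page, not HC3 material; the log line format, the mailboxes, the subjects and the thresholds are all constructed assumptions.

```python
"""Rolling-window detector for the e-mail bombing pattern the HC3 alert
describes (added example with constructed log lines, not HC3 material)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (assumption, not a real MTA format):
#   <ISO timestamp> to=<recipient> from=<sender> subject=<subject text>
LOG_RE = re.compile(r"^(\S+) to=(\S+) from=(\S+) subject=(.*)$")
# Subjects typical of subscription-bomb noise (the 2016 .gov flood pattern).
SUBSCRIPTION_HINT = re.compile(r"confirm|subscription|welcome|newsletter", re.I)
# Subjects a victim must not miss while the inbox is being buried.
SECURITY_HINT = re.compile(r"sign-in|password reset|new device|wire transfer", re.I)


def parse_line(line):
    """Return (timestamp, recipient, sender, subject) or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, rcpt, sender, subject = m.groups()
    return datetime.fromisoformat(ts), rcpt, sender, subject


def detect_mail_bombs(lines, window_seconds=60, threshold=20):
    """Flag recipients that receive more than `threshold` messages inside any
    rolling `window_seconds` window. Lines must be chronological per recipient.
    Returns {recipient: {"peak": n, "senders": k, "subscription_like": s}}."""
    windows = defaultdict(deque)  # recipient -> deque of (ts, sender, subject)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rcpt, sender, subject = parsed
        q = windows[rcpt]
        q.append((ts, sender, subject))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # drop messages that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peak = alerts.get(rcpt, {}).get("peak", 0)
            if len(q) > peak:
                alerts[rcpt] = {
                    "peak": len(q),
                    # many distinct senders points to a bomb rather than one mail loop
                    "senders": len({s for _, s, _ in q}),
                    "subscription_like": sum(1 for _, _, s in q if SUBSCRIPTION_HINT.search(s)),
                }
    return alerts


def buried_security_messages(lines, recipient):
    """Surface the security notices a flooded recipient is meant to miss."""
    found = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == recipient and SECURITY_HINT.search(parsed[3]):
            found.append((parsed[2], parsed[3]))
    return found


def constructed_log():
    """Constructed sample: one normal mailbox and one being bombed."""
    base = datetime(2024, 3, 20, 9, 0, 0)
    lines = []
    for i in range(3):  # alice: three ordinary messages over half an hour
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} to=alice@example.org from=colleague{i}@example.org subject=Meeting notes {i}")
    for i in range(60):  # bob: 59 subscription confirmations in one minute ...
        ts = (base + timedelta(seconds=i)).isoformat()
        if i == 30:  # ... with one genuine sign-in alert buried in the middle
            lines.append(f"{ts} to=bob@example.org from=security@idp.example subject=New sign-in from unknown device")
        else:
            lines.append(f"{ts} to=bob@example.org from=noreply@list{i}.example subject=Please confirm your subscription")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for rcpt, info in detect_mail_bombs(log).items():
        print(f"{rcpt}: peak {info['peak']} msgs/min from {info['senders']} senders, "
              f"{info['subscription_like']} subscription-like")
        for sender, subject in buried_security_messages(log, rcpt):
            print(f"  buried security message from {sender}: {subject}")
```

The same counters can drive an automated response such as temporarily quarantining subscription-like mail for the flagged mailbox while letting the security notices through.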

From the Change Healthcare situation front,

  • HealthIT Security lets us know on March 29,
    • “In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is “likely” to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
    • “This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems,” UHG stated. “We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.”
    • “To date, UHG had not seen evidence of any data being published on the web.
    • “In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.” 

From the ransomware front,

  • Beckers Hospital Review notes,
    • “A ransomware group that specializes in “double extortion” has claimed responsibility for a cyberattack on an Oklahoma hospital, HIPAA Journal reported.
    • “The Bian Lian hacking gang posted Lindsay (Okla.) Municipal Hospital to its data leak site and said the stolen data would be uploaded soon, according to the March 25 story.
    • “The hackers’ “double extortion” forte means they steal data then require ransom payments to both release the information and decrypt any encrypted files, the news outlet reported. HHS has warned that Bian Lian is targeting healthcare providers because of the group’s financial motivations.”

From the cybersecurity defenses front,

  • Cybersecurity Dive informed us on March 26, 2024,
    • “The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday.
    • “CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.  
    • “The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.”
  • The Wall Street Journal reports,
    • “Companies from the U.S. telecommunications, financial services and power sectors held a joint cybersecurity exercise with government agencies this week to test how their defenses held up against real attacks. [The report is dated March 29, 2024.]
    • “Security staff from AT&T, Lumen Technologies, Southern Co., Mastercard and Southern California Edison pitted defensive and offensive teams, known as blue and red teams, against each other on Wednesday and Thursday in Washington, D.C. * * *
    • “This week’s Tri-Sector Cyber Defense Exercise was an expanded version of a similar event held two years ago. While in the previous event individual teams from each participating company competed against each other, this year’s program drew staff from each participant into combined teams to learn from each other’s techniques. Those teams then assaulted and blocked attacks from fictitious entities in the various represented sectors, using the same tools and technology as they would in reality.”
  • and
    • “Cybersecurity leaders struggle to communicate with executives and boards of directors and often paint an overly positive image of their companies’ security, according to a new survey of C-suite executives. 
    • “With new regulations that require companies to disclose more details about cybersecurity, around half of those polled see an immediate need to improve security leaders’ communication skills. 
    • “Thirty-one percent of top executives said they believe their companies’ chief information security officers paint a more optimistic picture than reality, according to a new survey from communications advisory firm FTI Consulting * * *
    • “Executives want CISOs to improve how they communicate about cyber risks. The FTI survey found that 98% of executives support more funding for such training, and 45% said it is an immediate need.” 
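The CISA/FBI alert quoted above asks software manufacturers to review their code for SQL injection defects and remove them. The following is an added example for this page, not code from CISA, the FBI or MOVEit: a lookup written the defective way beside its parameterized form, using Python's sqlite3 with a constructed table, plus a first-pass review check that flags execute() calls whose SQL text is assembled from variables.

```python
"""SQL injection: a spliced-string query beside its parameterized form, and a
crude code-review check. Added example; schema, rows and inputs are constructed."""
import re
import sqlite3


def make_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_vulnerable(conn, username):
    """Defective: untrusted input is spliced into the SQL text, so it can
    change the query's structure instead of just its data."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Fixed: the input travels as a bound parameter and is only ever data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def apostrophe_breaks_query(conn, username="o'brien"):
    """Even a benign apostrophe in a real name is a syntax error for the
    spliced query, a bug that surfaces in testing long before any attacker."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def compare(username):
    """Run both lookups on the same input and return their results side by side."""
    conn = make_db()
    return {"vulnerable": lookup_vulnerable(conn, username),
            "safe": lookup_safe(conn, username)}


# First-pass review check: execute()/executemany() calls whose SQL literal is an
# f-string or is combined with %, + or .format(). A "%s" placeholder passed in
# a separate parameter tuple is the DB-API's own binding and is not flagged.
RISKY_SQL = re.compile(r"""\.execute(?:many)?\(\s*(?:f['"]|['"][^'"]*['"]\s*(?:%|\+|\.format\())""")


def flag_risky_sql(source_lines):
    """Return 1-based line numbers a reviewer should look at. A query assembled
    into a variable on an earlier line is invisible to this regex, so a formal
    review still needs data-flow tracing; this only finds the obvious cases."""
    return [n for n, line in enumerate(source_lines, 1) if RISKY_SQL.search(line)]


# Constructed source lines for the review check (not from any real project).
CONSTRUCTED_SOURCE = [
    'cur.execute(f"SELECT * FROM users WHERE id = {uid}")',          # flag: f-string
    'cur.execute("SELECT * FROM users WHERE id = %s" % uid)',        # flag: % formatting
    'cur.execute("SELECT * FROM users WHERE name = " + name)',       # flag: concatenation
    'cur.execute("SELECT * FROM users WHERE id = {}".format(uid))',  # flag: .format()
    'cur.execute("SELECT * FROM users WHERE id = ?", (uid,))',       # ok: bound parameter
    'cur.execute("SELECT * FROM users WHERE id = %s", (uid,))',      # ok: DB-API placeholder
]


if __name__ == "__main__":
    # Constructed probe input: the spliced query's WHERE clause becomes always-true,
    # so the defective lookup returns every row while the fixed one returns none.
    print(compare("x' OR '1'='1"))
    print("apostrophe breaks spliced query:", apostrophe_breaks_query(make_db()))
    print("review flags lines:", flag_risky_sql(CONSTRUCTED_SOURCE))
```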

Monday Roundup

From Washington, DC,

  • STAT News reminds us,
    • “The public will soon find out whether the federal government is willing to meet the health insurance industry’s demands and deposit more money into the bank accounts of next year’s Medicare Advantage plans.
    • “Budget officials within the Biden administration started reviewing final payment regulations for 2025 Medicare Advantage plans last week after more than 42,000 public comments rolled into the federal government’s inbox. Those rules will come out no later than April 1.
  • Becker’s Hospital CFO Report adds,
    • “Onerous” authorization requirements and high denial rates have health systems considering whether to drop Medicare Advantage plans, according to a report from the Healthcare Financial Management Association and Eliciting Insights. 
    • “HFMA Health System CFO Pain Points Study 2024” is based on a survey of 135 health system CFOs conducted in January. 
    • According to the report, 16% of health systems are planning to stop accepting one or more Medicare Advantage plans in the next two years. Another 45% said they are considering the same but have not made a final decision.
    • Health systems have been increasingly pushing back on Medicare Advantage. Chris Van Gorder, president and CEO of San Diego-based Scripps Health, told Becker’s last year that “it’s becoming a game of delay, deny and not pay.” Scripps terminated Medicare Advantage contracts effective Jan. 1 for its integrated medical groups. The medical groups, Scripps Clinic and Scripps Coastal, employ more than 1,000 physicians, including advanced practitioners. Mr. Van Gorder said the health system was facing an annual loss of $75 million on MA contracts.  
    • “Providers are going to have to get out of full-risk capitation because it just doesn’t work — we’re the bottom of the food chain, and the food chain is not being fed,” he said.
    • Despite tensions with some health systems, the Medicare Advantage program had a 95% quality satisfaction rating among enrolled members in 2023.
  • The FEHBlog notes that MA plans are subject to the Affordable Care Act’s medical loss ratio. The medical loss ratio encourages health plans to make payments to providers.
  • FedSmith lets us know,
    • The Federal Salary Council (FSC) recently proposed adding about 15,000 federal employees to existing locality pay areas for 2025 from the “Rest of the U.S.” Being added to a locality pay area usually results in higher pay for impacted employees.
    • FSC is recommending the Pay Agent add Wyandot County, OH, to the Columbus, OH, locality pay area and Yuma County, AZ, to the Phoenix, AZ, locality pay area. These recommendations do not create new locality pay areas. In this case, they are adding employees to existing pay areas using various techniques to reduce employees in the “Rest of the U.S.” and add more to higher-paying locality pay areas.
    • A proposal from the Federal Salary Council does not mean a decision to make these additions is finalized. The recommendations have to be approved by the President’s Pay Agent. That approval usually follows, although not necessarily in the recommended time frame. Once the Pay Agent decides to move ahead, the Office of Personnel Management has to issue a proposed change in the Federal Register and a final decision in the Federal Register a few months later.
  • Reg Jones, writing in Fedweek, discusses “Survivor Annuity Benefits for Children of Deceased Federal Employees and Retirees.”
  • KFF discusses Medicare spending on GLP-1 drugs, like Ozempic, to treat diabetes.
    • “Gross spending on Ozempic alone increased from $2.6 billion in 2021 to $4.6 billion in 2022, pushing it to 6th place among the top-selling drugs in Medicare Part D that year, up from 10th place the year before.  
    • “The fact that covering GLP-1s under Medicare Part D for authorized uses is already making a mark on total Part D program spending could be a sign of even higher spending to come as Part D plans are now able to cover Wegovy for its heart health benefits, and if new uses for GLP-1s are approved.”
  • CNBC adds,
    • “Americans can’t seem to get enough of weight loss drugs despite their limited insurance coverage and roughly $1,000 monthly price tags before discounts. 
    • “But some patients are willing to pay more out of pocket for those treatments than others — and it’s strongly correlated to their annual income.
    • “That’s according to a recent survey from Evercore ISI that focused on GLP-1s, which include Novo Nordisk’s weight loss injection Wegovy and diabetes counterpart Ozempic.

From the public health and medical research front,

  • The American Medical Association advises its members about measles, now at 64 cases, and tells patients what doctors wish they knew about vasectomies.
  • Medscape shares five things to know about Adult Respiratory Syncytial Virus (RSV) Infection.
  • The Washington Post features a Consumer Reports article on maintaining kidney health. “Hydration and exercise are just two of the keys to reducing the risk of kidney disease.”
  • The Society for Human Resource Management offers nine mental health questions for employee engagement surveys.
  • CNN reports,
    • “Drugmaker Eli Lilly warned this week that two of its formulations of insulin would be temporarily out of stock through the beginning of April, citing a “brief delay in manufacturing.”
    • “The 10-milliliter vials of Humalog and insulin lispro injection will be in short supply at wholesalers and some pharmacies, Lilly said in a statement posted online Wednesday [March 20]. The company said that prefilled pen versions of those medicines are still available in the US and that it continues to manufacture the 10-milliliter vials “and will ship them as soon as we can.”

From the U.S. healthcare business front,

  • The Wall Street Journal relates,
    • “Hospitals are adding billions of dollars in facility fees to medical bills for routine care in outpatient centers they own. Once an annoyance, the fees are now pervasive, and in some places they are becoming nearly impossible to avoid, data compiled for The Wall Street Journal show. The fees are spreading as hospitals press on with acquisitions, snapping up medical groups and tacking on the additional charges. 
    • “The fees raise prices by hundreds of dollars for widely used and standard medical care, including colonoscopies, mammograms and heart screening. 
    • “Hospitals say facility fees help offset the extra costs that they incur to meet federal regulations. “It’s not as simple as same services, across-the-board,” said Jason Kleinman, director of federal relations for the American Hospital Association.” * * *
    • “Lawmakers and Congress have proposed limiting fees covered by Medicare, which advisers to the federal insurer have unanimously recommended. Under a bill passed by the House in December, Medicare would no longer pay hospital facility fees for chemotherapy and other drugs infused by doctors in clinics off a hospital campus, saving about $3.7 billion over 10 years. 
    • “The American Hospital Association opposes limiting the fees, saying restrictions would cut revenue to hospitals already squeezed financially by high labor costs and inflation.”   
  • Beckers Hospital CFO Report adds,
    • “Kaufman Hall’s latest “National Hospital Flash Report,” which is based on data from more than 1,300 hospitals, outlined three key areas that separate high-performing hospitals and low-performing hospitals when it comes to their operating performances: 
      • Outpatient revenue. In general, hospitals with higher and accelerating outpatient revenue are more profitable.
      • Contract labor. Hospitals that quickly reduced their percentage of contract labor demonstrate improved operating profitability. In addition, hospitals that aggressively marched down contract labor costs were correlated to rising wage rates for full-time staff. Rising wage rates appeared to attract and retain full-time staff, which has allowed those hospitals to decrease contract labor more quickly, all of which has led to increased profitability, according to the report. 
      • Average length of stay. A lower average length of stay corresponded with improved profitability. Hospitals that hyper-focused on patient throughput — which has led to appropriate and prompt patient discharge — have also proven this to be a solid financial strategy, according to the report.”
    • “Hospitals on the other end of the scale continue to struggle, with the poorest financially performing hospitals reporting negative margins from -4% to -19%, according to Kaufman Hall. Continuation of this level of performance is unsustainable and makes it impossible to reinvest in community care.” 
  • Per BioPharma Dive,
    • “Novo Nordisk will pay as much as $1 billion to acquire RNA drug developer Cardior and its experimental treatment for heart failure, the companies announced Monday.
    • “Cardior’s treatment, dubbed CDR132L, is currently being tested in a mid-stage study involving 280 people with heart failure who previously experienced a heart attack. Results are expected by September, according to a U.S. clinical trial database.
    • “In addition to that study, Novo said it plans to start another Phase 2 trial in heart failure patients whose heart muscle has become thick and stiff, also known as cardiac hypertrophy. Novo, which will pay an undisclosed upfront payment to Cardior per deal terms, expects the acquisition to close in the second quarter.”
  • and
    • “Abbvie is expanding its pipeline of inflammatory disease drugs, announcing Monday a small deal to acquire biotechnology company Landos Biopharma.
    • “Per the deal, Abbvie will buy Landos for $20.42 per share, or about $138 million. Abbvie has also agreed to pay a so-called contingent value right worth $11.14 per share, or another $75 million, if certain milestones are met. The upfront price represents a premium of about 155% to the closing price Friday of Landos stock.
    • “Landos is currently running a mid-stage trial of its lead drug, dubbed NX-13, in ulcerative colitis. Abbvie is also interested in NX-13’s potential in Crohn’s disease.”
  • Per Healthcare Dive,
    • “Change Healthcare said its largest claims clearinghouses would come back online over the weekend, more than a month after a cyberattack at the technology firm disrupted the healthcare sector. 
    • “More than $14 billion in charges have been prepared for processing, according to an update from parent company UnitedHealth Group on Friday. Change’s electronic payments platform has also been restored, and the company is working on payer implementations.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.
    • “The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability for many health care facilities to bill insurance companies and receive payments.”
  • Healthcare Dive informs us,
    • “In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
    • “The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
    • “Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.”
  • The HIPAA privacy and security rules permit a covered entity health provider or health plan to treat a healthcare claims clearinghouse as either a fellow covered entity or a business associate. The article suggests that healthcare providers, at least, are treating Change Healthcare as a business associate. Of course, when Change Healthcare provides services other than clearinghouse services to a healthcare provider or a health plan, Change Healthcare would be acting as a business associate.
  • Speaking of which, a colleague shared with the FEHBlog this PowerPoint presentation of the HHS Office for Civil Rights Updates & 2024 Priorities presented at HIPAA Summit 41 on Feb. 27, 2024.
  • Nextgov reports,
    • The federal government’s HR shop is pitching a legislative proposal to give federal agencies new authorities and flexibilities in how they hire and pay cybersecurity workers to members of Congress, but so far no member has stepped up to sponsor the bill.
    • The package is meant to allow agencies across the government to increase pay for in-demand cyber talent, as they look to recruit in a tight market. The Office of Personnel Management developed the proposal with the Office of Management and Budget and the Office of the National Cyber Director. 
    • The proposal is geared at solving the cyber workforce problem across the government so that hiring officials don’t have to seek agency-specific authorities to bring on such talent, OPM says. 
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced on March 18, 2024,
    • “the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  
    • “Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.”  

From the Change Healthcare situation front,

  • UnitedHealth Group offered a timeline for “key” product restoration on its Change Healthcare cyberattack website on March 22, 2024.

From the cyber vulnerabilities and breaches front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its report about February 2024 vulnerabilities of interest to the health sector on March 19, 2024.
    • “In February 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for February are from Ivanti, ConnectWise, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMware, Adobe, Fortinet, and Atlassian.
    • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • “HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • Cybersecurity Dive notes,
    • “Threat actors are going after broadly deployed enterprise software and network infrastructure, exploiting vulnerabilities in file-transfer services and VPNs at a significantly higher rate, according to Recorded Future’s annual threat analysis report.
    • “The number of high-risk vulnerabilities exploited in attacks against enterprise software and network infrastructure approximately tripled from 2022 to 2023, analysts in the cybersecurity company’s threat research division Insikt Group said in the Thursday report. 
    • “Analysts warned that businesses’ ongoing efforts to increase virtualization and migrate workloads to the cloud are narrowing the supply chain of vendors they rely on, introducing new security risks to the enterprise environment.”
  • and
    • Security researchers are warning about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia’s invasion of Ukraine, according to a blog post released Thursday by SentinelLabs.
    • The discovery of the new variant, dubbed AcidPour, coincides with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
    • The AcidPour variant has capabilities beyond that of AcidRain, raising fears that embedded devices are at risk, including IoT, networking, large storage and even industrial control systems devices running Linux x86 distributions, according to SentinelLabs.
  • On March 21, 2024, “CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: 
    • “Volumetric, attacks aiming to consume available bandwidth. 
    • “Protocol, attacks which exploit vulnerabilities in network protocols. 
    • “Application, attacks targeting vulnerabilities in specific applications or running services.”
  • Dark Reading lets us know, “Apple has released iOS 17.4.1, its latest security update, just weeks after releasing iOS 17.4, but is being intentionally vague about details surrounding the new release.” Keep your Apple devices updated.

From the cybersecurity defenses front,

  • Tech Target discusses continuity / disaster planning best practices.
  • Forbes interviews Tomer Weingarten, the founder and CEO of SentinelOne.
    • “Traditional cyber defense tools and tactics have increasingly fallen short in the face of sophisticated digital threats. This pivotal realization has spearheaded a dramatic shift towards AI-driven defense strategies, marking a significant departure from the conventional paradigms of cybersecurity.
    • “Central to this transformation is [Tomer Weingarten’s] pioneering work * * *. Artificial intelligence and generative AI are pervasive now, but SentinelOne is a company that has been at the forefront of integrating AI into cybersecurity from its inception.”

Thursday Miscellany


From Washington, DC,

  • Roll Call reports,
    • “Lawmakers released a more than $1.2 trillion, six-bill appropriations package early Thursday morning, less than 48 hours ahead of a Friday night deadline for this second and final wrapup measure for the fiscal year that began Oct. 1. 
    • “Both parties were touting “wins” in the package well before unveiling the massive 1,012-page bill, which had already won President Joe Biden’s blessing and pledge to sign it “immediately.” That, plus the lure of a two-week recess, should help get the package over the finish line, though it seems likely to slip past the 11:59 p.m. Friday cutoff for the current stopgap spending law.
    • “But lawmakers weren’t really sweating the prospect of a weekend funding lapse, given its limited impact on government operations — especially with Friday’s expected House passage likely to be a strong signal of congressional intent to keep the lights on.”
  • The bill includes appropriations for OPM (pages 247 – 250) and its Inspector General (page 250) plus the three now standard appropriations measures:
    • A prohibition against imposing full Cost Accounting Standards coverage on FEHB carriers. Division B, Section 611, page 268.
    • The Hyde amendment limiting FEHB coverage of abortions to cases “where the life of the mother would be endangered if the fetus were carried to term, or the pregnancy is the result of an act of rape or incest.” Division B, Section 613 and 614, pages 268 – 269.
    • A contraceptive prescription drug coverage mandate with conscience protections for FEHB plans and healthcare providers. Division B, Section 726, page 298.
  • The American Hospital Association News discusses HHS appropriations, which also are included in this bill.
    • “The House may vote on the measure Friday, with Senate action expected over the weekend. A short government shutdown may occur over the weekend, depending how long it takes both chambers to pass the measure and for President Biden to sign it into law.” 
  • Govexec points out “the nine biggest agency and program reforms in the final FY24 spending package.”
  • The Wall Street Journal scoops,
    • “Some Medicare members could get help paying for the popular new weight-loss drug Wegovy—as long as they have a history of heart disease and are using it to prevent recurring heart attacks and strokes.
    • “Medicare Part D drug-benefit plans—which are administered by private insurers—may cover anti-obesity medications if the drugs receive approval for an additional use that is considered medically accepted under federal law, the Centers for Medicare and Medicaid Services told The Wall Street Journal on Thursday.”
  • STAT News adds,
    • “Early data regarding the use of GLP-1 medications like Ozempic and Wegovy to treat addiction is “very, very, exciting,” Nora Volkow, the director of the National Institute on Drug Abuse, said Thursday.
    • “But even as she expressed enthusiasm for the new drugs’ potential, Volkow criticized pharmaceutical companies for neglecting a moral imperative to develop new addiction treatments — but acknowledged that the health system more broadly doesn’t incentivize drug companies to treat the U.S. drug crisis with urgency.”
  • The U.S. Preventive Services Task Force finalized its research plan for re-evaluating its September 2019 recommendations on the topic of medications to reduce the risk of breast cancer.
  • Beckers Health IT interviews Alexandra Mugge, chief health informatics officer at CMS, about the agency’s efforts “to expedite prior authorizations, through digitization and better data exchange, saving the healthcare industry $15 billion over a decade — in the hopes of one day having the decisions made instantaneously, right in the EHR.”

From the Food and Drug Administration front,

  • Per a press release,
    • “Today, the U.S. Food and Drug Administration approved Duvyzat (givinostat) oral medication for the treatment of Duchenne Muscular Dystrophy (DMD) in patients six years of age and older. Duvyzat is the first nonsteroidal drug approved to treat patients with all genetic variants of DMD. It is a histone deacetylase (HDAC) inhibitor that works by targeting pathogenic processes to reduce inflammation and loss of muscle.
    • “DMD denies the opportunity for a healthy life to the children it affects. The FDA is committed to advancing the development of new therapies for DMD,” said Emily Freilich, M.D., director of the Division of Neurology 1, Office of Neuroscience in the FDA’s Center for Drug Evaluation and Research. “This approval provides another treatment option to help reduce the burden of this progressive, devastating disease for individuals impacted by DMD regardless of genetic mutation.”
  • MedTech Dive informs us,
    • Johnson & Johnson subsidiary Abiomed recalled its Impella left sided blood pumps for risk that the devices could perforate the heart during a procedure. The recall began on Dec. 27 with Abiomed updating its instructions for use.
    • The Food and Drug Administration identified the recall as a Class I event, the most serious type of recall, in a Thursday notice. The agency has received 129 reports of serious injuries, including 49 deaths, related to the problem. 
    • Abiomed’s Impella heart pumps, which are used to support the heart during procedures or during cardiogenic shock, were the subject of four Class I recalls last year, including the latest recall. The company also received an FDA warning letter for quality problems with Impella and software used in the device that had not been authorized by the agency.

From the public health and medical research front,

  • The CDC shares with us,
    • Data from the National Vital Statistics System
      • Life expectancy for the U.S. population in 2022 was 77.5 years, an increase of 1.1 years from 2021.
      • The age-adjusted death rate decreased by 9.2% from 879.7 deaths per 100,000 standard population in 2021 to 798.8 in 2022.
      • Age-specific death rates increased from 2021 to 2022 for age groups 1–4 and 5–14 years and decreased for all age groups 15 years and older.
      • The 10 leading causes of death in 2022 remained the same as in 2021, although some causes changed ranks. Heart disease and cancer remained the top 2 leading causes in 2022.
      • The infant mortality rate was 560.4 infant deaths per 100,000 live births in 2022, an increase of 3.1% from the rate in 2021 (543.6).
  • STAT News adds,
    • “The U.S. recorded 107,941 drug overdose deaths in 2022, according to a new federal report — a total that marks an all-time record but also shows signs that the country’s overdose rate may finally be leveling off after years of steady increase.
    • “The 2022 total marks only a slight increase from the drug death toll of 106,699 the year before, according to the Centers for Disease Control and Prevention. The flattening of drug death rates could provide a rare glimmer of hope amid the bleak U.S. drug crisis, which has seen overdose rates rise inexorably for the past two decades and especially during the Covid-19 pandemic.
    • “A large majority of those deaths were driven by the potent synthetic opioid fentanyl. Since emerging in the drug supply in the mid-2010s, fentanyl has increasingly come to dominate the U.S. illicit drug market. Even as fentanyl deaths have skyrocketed, the share of deaths involving other opioids — like heroin, methadone, and prescription painkillers — has decreased.”
  • The Washington Post reports,
    • “After once losing hope because of end-stage kidney disease, a 62-year-old man is now the first living person to receive a genetically edited kidney from a pig, according to doctors at Massachusetts General Hospital who performed the landmark surgery Saturday.
    • “Richard Slayman, whom doctors praised for his courage, is doing well after the four-hour surgery and is expected to be discharged from the Boston hospital soon, officials said.
    • “The advance, which builds on decades of work, gives hope to the hundreds of thousands of Americans who depend on dialysis machines to do the work of their failing kidneys. Each day, 17 Americans die awaiting a kidney transplant, a problem further complicated by unequal access given to Black and other patients. Doctors expressed hope that using pigs to vastly increase the supply of kidneys might correct the inequity.”
  • The Wall Street Journal lets us know,
    • “A new class of anticoagulant drugs on the horizon is taking fresh aim at one of cardiology’s toughest challenges: how to prevent blood clots that cause heart attacks and strokes, without leaving patients at risk of bleeding.
    • “At least a half-dozen experimental blood thinners are in development that inhibit a protein called factor XI, one of several blood factors that regulate how the body forms clots. * * *
    • “Any factor XI agent that reaches the market would likely represent an important advance over drugs called factor Xa inhibitors, a blockbuster class of medicines dominated by Eliquis and Xarelto. Since they were approved just over a decade ago, these drugs have supplanted warfarin as the standard-of-care anticoagulant to prevent stroke in patients with the heart-rhythm disorder atrial fibrillation as well as other indications.”
  • HealthDay informs us,
    • “About 1 in every 10 U.S. children ages 5 to 17 has been diagnosed with attention deficit hyperactivity disorder (ADHD), according to the latest government statistics.
    • “The data from the National Health Interview Survey covers the years 2020 through 2022 and came from in-person or phone interviews involving a representative sample of American homes.
    • “It found that 11.3% of school-age children have been diagnosed with ADHD, with boys more likely to have this diagnosis (14.5%) than girls (8%), according to report authors Cynthia Reuben and Nazik Elgaddal, of the National Center for Health Statistics (NCHS).
    • “ADHD is diagnosed more often among white children (13.4%) than Black youngsters (10.8%) or Hispanic (8.9%) kids, the survey also showed. 
    • “Family income seemed to matter, too: As income levels rose, the rate of child ADHD diagnoses declined.”
  • WTW, an actuarial consulting firm, offers insights on hepatitis C, HPV vaccine and value based insurance design.

From the U.S. healthcare business front,

  • STAT News reports,
    • “The last decade has seen billions of dollars flow into digital health companies that promise to improve outcomes for the 38 million Americans living with type 2 diabetes. Their products aren’t cheap, but in the long term, they pitch to health plans and employers that these digital tools will help cut health care costs by preventing serious complications like amputation and kidney failure.
    • “A systematic review by the Peterson Health Technology Institute found, though, that digital tools used to manage diabetes with the help of finger-stick blood glucose readings don’t result in clinically meaningful improvements over standard care. As a result, they don’t reduce health care spending — they drive it up.
    • “Most of the solutions in this category do not deliver clinical benefits that justify their cost,” Caroline Pearson, executive director of the institute, told STAT. Despite finding that some populations may benefit, the report concludes that current evidence doesn’t support broader adoption for most products.”
  • Plan Sponsor notes,
    • “In the face of rising health care expenditures and out-of-pocket spending, average health savings account balances have also steadily increased since the COVID-19 pandemic, according to new data from the Employee Benefit Research Institute.
    • “The average HSA balance rose to $4,418 at the end of 2022 from $2,711 at the start of the year, the most recent data available in EBRI’s database, given that participants can still contribute to 2023 HSAs until taxes are due in April.
    • “Jake Spiegel, a research associate at EBRI, says he sees this trend continuing in 2023 and into the start of 2024 as well.
    • “EBRI’s analysis revealed two predominant factors associated with higher average account balances. The first was that age is strongly associated with higher HSA balances: the older the accountholder, the higher the average balance.”
  • Beckers Hospital Review lets us know,
    • “Change Healthcare said it has reinstated Amazon cloud services for two of its platforms a month into a cyberattack against the company.
    • “The UnitedHealth Group and Optum subsidiary said March 20 it restored Amazon Web Services from backups for Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange. Change said it rebuilt authentication services for the solutions on a new network with the help of cybersecurity firms Palo Alto Networks and Mandiant, a Google subsidiary. The company said it is also testing the security of the external-facing parts of those applications.”
  • Per the Society for Human Resource Management,
    • “Employees are experiencing more mental health struggles and overall negative feelings about their work, underscoring an “urgent need” for employers to take more aggressive measures to help with their benefits offerings.
    • “Employees are now more likely to experience negative feelings at work, including stress (12 percent more likely) and burnout (17 percent more likely) than they were pre-pandemic (2019), according to new data from MetLife. Employees are also 51 percent more likely to feel depressed at work than they were pre-pandemic as they face what the insurer calls a “complex macro environment and permacrisis state”—a state which has included the pandemic, persistent high inflation, international turmoil and war, and more.
    • “Those are among the findings in MetLife’s 22nd annual U.S. Employee Benefit Trends Study, released March 18—data indicating that employers may have to revisit benefits offerings to not only support employees, but retain them.”
  • HR Dive explains “How menopausal and other reproductive health benefits can help retain women” and “Data shows that fertility treatments are extremely valuable to workers who need them. Here’s why one people officer is working on integrating them.”
  • STAT News relates,
    • “Just as Pfizer spooked Wall Street after its record pandemic revenue came parabolically back to earth, BioNTech, the company’s Covid-19 vaccine partner, is now dealing with investor malaise of its own.
    • “Shares in the German firm fell about 5% yesterday, hitting a 52-week low, after the company reported disappointing financials. BioNTech’s cut of Covid vaccine revenue fell by about more than three-quarters last year, missing analyst estimates and leading the company to lower its projections for 2024.
    • “Now BioNTech, much like Pfizer, is making the case that its future in oncology will compensate for the rapid erosion in demand for Covid vaccines. The company has more than 20 cancer medicines in its pipeline, including late-stage treatments for tumors of the breast and lung that could hit the market in the next two years.”
  • Per Healthcare Dive,
    • “Walgreens-backed VillageMD sold 11 locations in Rhode Island to Boston-based medical group management firm Arches Medical Partners for an undisclosed sum, Arches said Wednesday.
    • “The practices, which include about 75,000 patients, joined Arches on March 2, according to VillageMD’s website. 
    • “The deal follows VillageMD clinic closures. The primary care chain recently exited Florida — once one of the chain’s largest markets — and plans to withdraw from its home state in Illinois next month.”