Cybersecurity Saturday

April is National Supply Chain Integrity Month!

In partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners, CISA is promoting a call to action for a unified effort by organizations across the country to strengthen global supply chains.

This week’s focus is on Building Collective Supply Chain Resilience.

Monday, April 5, is the effective date for the Department of Health and Human Services' Office of the National Coordinator for Health IT (“ONC”) information blocking rule, which implements part of the 2016 Cures Act. According to Fierce Healthcare,

While health IT experts have been calling for interoperability for years, they say this particular rule could finally be a major step in achieving a meaningful level of data sharing far beyond what’s been seen before in the healthcare sector.

If effectively enforced, the mandate that prohibits information blocking has the potential to revolutionize how patients interact with the healthcare system, said Deven McGraw, a health privacy expert and co-founder and chief regulatory officer at Ciitizen, a consumer health technology company.

“[The information blocking rule] has enormous potential to open up data sources that have previously been closed to patients but hold rich data about patients and that would be potentially game changing for them to tap into and access,” she told Fierce Healthcare.

EHR Intelligence reports on the ONC’s annual meeting held last Monday.

[National Coordinator Mickey] Tripathi identified the importance of “taking health IT to the next level” by making EHR adoption ubiquitous, delivering on the potential of FHIR-based capabilities, and making interoperability a priority by building on past accomplishments.

“One of the things that we should recognize is that there’s been tremendous progress made in interoperability,” he said. “I don’t think the industry gets enough credit for the amount of progress that’s been made in interoperability.”

The ONC leader said credit is lacking because interoperability permitted purposes remain focused on treatment purposes only, rather than the rest of the healthcare sector.

“We haven’t quite figured out how to integrate all the various layers of interoperability into a seamless experience,” he added.

But, Tripathi said ONC is still trying to decipher how local, state, and regional health information exchange (HIE) networks fit within nationwide networks, such as eHealth Exchange and CommonWell Health Alliance.

In significant news for government contractors, Cyberscoop reports that

Under a forthcoming White House order, companies that do business with the federal government would have to meet software security standards and swiftly report cyber incidents to a new entity within the Department of Homeland Security, sources familiar with a draft version of the document said.

The order’s other upgrades to federal agency security include use of multi-factor authentication and improvements to FedRAMP, the federal process for authorizing and continuously monitoring the security of cloud services.

Federal agencies would need to use data encryption and develop plans for shifting to a “zero trust” model, which assumes that organizations should not automatically assume they can trust anyone or anything inside the network. They would need to keep logs for cyber incidents.

Some of the steps might not come to fruition for some time because they will require additional federal rulemaking, an oft-slow process that includes several phases of public comment.

On the hacking front, Bleeping Computer reports

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.

In the Joint Cybersecurity Advisory (CSA) published today [April 2], the agencies warn admins and users that the state-sponsored hacking groups are “likely” exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The attackers are enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591, and scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443.
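The advisory excerpt above names the three ports being scanned. As an added example (not code from this post, Bleeping Computer, or the FBI/CISA advisory), the script below runs a simple detection over constructed firewall log lines and flags any source that touches two or more of those ports, which is the kind of low-cost check a defender could run against perimeter logs. The log format, the IP addresses, and the `min_ports` threshold are assumptions made for the example; only the port numbers come from the advisory.

```python
"""Flag sources probing the FortiOS ports named in the FBI/CISA advisory.

Added example: not from the Cybersecurity Saturday post or the advisory.
The log line format and the sample addresses below are constructed.
"""
from collections import defaultdict

# Ports the advisory says are being scanned for CVE-2018-13379 exposure.
ADVISORY_PORTS = {4443, 8443, 10443}

# Constructed sample firewall log (key=value format is an assumption).
SAMPLE_LOG = """\
2021-04-02T10:15:01Z src=203.0.113.7 dst=198.51.100.10 dport=4443 action=allow
2021-04-02T10:15:02Z src=203.0.113.7 dst=198.51.100.10 dport=8443 action=allow
2021-04-02T10:15:03Z src=203.0.113.7 dst=198.51.100.10 dport=10443 action=deny
2021-04-02T10:16:00Z src=192.0.2.55 dst=198.51.100.10 dport=443 action=allow
2021-04-02T10:17:30Z src=192.0.2.99 dst=198.51.100.11 dport=8443 action=allow
"""


def parse_line(line):
    """Return (source address, destination port) from one key=value log line."""
    # Skip the leading timestamp; every remaining token is key=value.
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["src"], int(fields["dport"])


def find_probing_sources(log_text, min_ports=2):
    """Map each source to the sorted advisory ports it touched, keeping only
    sources that hit at least ``min_ports`` distinct advisory ports.

    A single hit on one port is usually ordinary traffic; the same source
    walking several of the advisory ports is the scanning pattern worth
    reviewing (and then checking patch status on the targeted devices).
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dport = parse_line(line)
        if dport in ADVISORY_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_probing_sources(SAMPLE_LOG).items():
        print(f"{src} probed advisory ports {ports}")
```

Lowering `min_ports` to 1 turns the check into a plain inventory of every source that reached an advisory port; keeping it at 2 trades a little recall for far fewer false positives on a busy edge device.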

Following up on last week’s Cybersecurity Saturday post, Business Insurance reports that

The cyberattack that crippled CNA Financial Corp.’s computer systems nearly two weeks ago has been contained and the insurer has reestablished the functionality of its email, according to an update posted to the CNA website Thursday.

Cyberscoop informs us

The company did say, however, that it now believes it has the attack contained and has ascertained that the hackers and their ransomware lacked the ability to automatically move around in internal and external systems. Bleeping Computer reported that the Phoenix CryptoLocker ransomware was involved, possibly with links to a cybercriminal collective dubbed Evil Corp.

CNA said it was still communicating with regulators, law enforcement and outside forensics experts. CyberScoop has learned that CNA has enlisted help from CrowdStrike.