Cybersecurity Saturday

Cyberscoop reports that

The Justice Department is undertaking a four-month review of its approach to combatting a range of malicious cyber activity from foreign governments and criminals amid a spate of ransomware attacks and supply chain compromises.

“We need to rethink … and really assess are we using the most effective strategies” against such hacking, Deputy Attorney General Lisa Monaco said Friday at the Munich Cyber Security Conference.

In this regard —

  • Health IT Security discusses “Healthcare’s Biggest Cybersecurity Blind Spots and Misconceptions — While awareness of the threats facing the healthcare sector has improved, providers have inherent blindspots and misconceptions leaving them exposed to a host of cybersecurity risks.”
  • Health Leaders Media explains why “Medical Device cyber-vulnerability casts a cloud over growing use.”
  • ISACA asks whether there are ever can be normalcy in cyberspace? “The cycle of conducting hearings after hacks occur, followed by writing laws and spending money, is exhausting. In short, doing the same things yet expecting different results is senseless. Lawmakers must accept the fact, known universally by security practitioners, that all digital devices are vulnerable—they always have been and always will be. Cybersecurity is a technical risk and, for the foreseeable future, the goal must be to make cyberattacks costly for malicious actors.”

Here’s the latest on the SolarWinds hack from the American Hospital Association. (The ISACA article’s author adds “But to categorize SolarWinds as merely a hack is a disservice, as it is now understood to be a major cybercampaign involving an estimated 1,000 nation-state actors.”).

From the ransomware front —

  • The New York Times warns “Don’t Ignore Ransomware. It’s Bad.”
  • The International Foundation of Employee Benefit Plans sets forth “Five Ransomware Risk Mitigation Strategies” for benefit plan administrators. The FEHBlog adds encrypting data in motion and at rest to that list.

The National Institutes of Standards and Technology is seeking public comments on two cybersecurity documents: