Cybersecurity Saturday

Cyberscoop and Federal News Network discuss the history and next steps of the cyber incident reporting rules found in Division Y of the Consolidated Appropriations Act, 2022.

In other policy news, Healthcare Dive offers an interview with National Coordinator for Health IT Micky Tripathi in which he “shared his thoughts on the scope and content of the interoperability complaints, when industry can expect penalties for providers found information blocking and how the government plans to build on TEFCA moving forward.”

Health IT Security informs us

The Biden-Harris Administration recently called on all private sector organizations to immediately harden their cyber defenses in preparation for potential Russian cyberattacks.

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure,” Biden stated publicly.

While there have been no direct threats against healthcare, the sector is known to be a top target for cyberattacks. The Health Sector Cybersecurity Coordination Center’s (HC3) most recent threat brief outlined a detailed history of Russian attacks on US healthcare entities.

Conti ransomware group, which has ties to Russia, was connected to at least 300 cyberattacks against US-based organizations. Conti claimed responsibility for at least 16 US healthcare sector cyberattacks.

HC3 listed past attacks committed by NotPetya, FIN12, and Ryuk, all of which have ties to Russia. In addition, the government identified two new forms of disk-wiping malware, HermeticWiper and WhisperGate, which threat actors used to attack Ukrainian organizations shortly before Russia’s invasion.

Echoing the President’s sentiments, HC3 and Health-ISAC released a statement warning the healthcare sector to take the Administration’s advice and tighten security controls.

Health IT Security adds

Of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report revealed. The FBI’s Internet Crime Complaint Center (IC3) also observed a 7 percent increase in total internet crime complaints in 2021 compared to 2020.

Phishing scams, non-payment or non-delivery scams, and personal data breaches were the most reported cybercrimes in 2021, the report continued. The victims tracked by the IC3 in 2021 lost over $6.9 billion in total, thanks to a multitude of cyber threats. Many of those cyber threats hid in plain sight, disguising themselves as legitimate investment opportunities, tech support, and real estate prospects.

The IC3 received 148 complaints of healthcare ransomware attacks. The next-highest number came from the finance sector, with just 89 complaints.

Looking at the issue from the perspective of a different data source, Politico reports

Nearly 50 million people in the U.S. had their sensitive health data breached in 2021, a threefold increase in three years, according to a POLITICO analysis of the latest HHS data.

Health care organizations including providers and insurers in every state except South Dakota reported such incidents last year. About half of states and Washington, D.C., saw more than 1 in 10 of their residents directly impacted by unauthorized access to their health information, according to the analysis. And hacking accounted for nearly 75 percent of all such breaches — up from 35 percent in 2016.

Experts say the increased hacking can be attributed to the health care industry’s rapid move to digital, particularly amid the Covid-19 pandemic; an increase in remote work, which allows more avenues for attacks with employees using more personal devices; the financially lucrative information for cybercriminals in health care; and greater awareness of attacks across the industry, thus more reporting.

Also from the cyberthreat front —

  • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) published a joint Cybersecurity Advisory [on March 24] with information on multiple intrusion campaigns targeting U.S. and international energy sector organizations conducted by indicted Russian state-sponsored cyber actors from 2011 to 2018. In conjunction with the U.S. Department of Justice unsealed indictments today, this advisory provides the technical details of a global energy sector intrusion campaign using Havex malware, and the compromise of a Middle East-based energy sector organization using TRITON malware.”
  • CISA added “66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow of the “Date Added to Catalog” column, which will sort by descending dates.”
  • TechRepublic reports “A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.”
  • The FBI and Treasury’s FinCEN released “a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. AvosLocker is a ransomware-as-a-service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors.”
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense and responsibilities front —

  • The Department of Health and Human Services released “guidance to clarify covered entities’ obligation to require that business associates comply with HIPAA regulations, as specified by 45 Code of Federal Regulations (C.F.R.) § 162.923(c).”
  • Cybersecurity Dive discusses “how to keep business operations running after a cyber incident.”
  • ZDNet offers small business and individuals Windows 11 security advice.