Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a full committee hearing on May 18 to discuss the need for an increased focus on education and healthcare cybersecurity.

“Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life,” Joshua Corman, founder of I Am the Cavalry, said in his testimony.

“While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”

Healthcare Dive adds

* Internal actors continue to pose a sticky cybersecurity problem for healthcare companies despite not causing a majority of data breaches, according to a new data breach report from Verizon.

* Employees were responsible for 39% of healthcare breaches last year. That’s compared to just 18% across all industries, Verizon found.

* The makeup of the insider breach has shifted from generally malicious misuse incidents to miscellaneous errors, with employees being more than 2.5 times more likely to make an error than purposefully misuse their access. Data misdelivery — like sending an email to the wrong person — along with device or document loss are the most common employee errors in healthcare, according to the report.

CISA offers its assistance:

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.


Also from the vulnerability front, Cybersecurity Dive reports

Recurring critical vulnerabilities for VMware products this year indicate a worrying trend for customers that suggests the virtualization leader is taking a more reactive approach to security.

The company’s VMware Horizon product got hit hard by the Log4j vulnerability, and earlier this month VMware found itself entangled in an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) that impacts up to 10 VMware products. 

It was the 10th emergency directive issued by CISA since the agency was founded in late 2018. 

Virtualization software is ubiquitous and managing the technology is further complicated by its many parts, ExtraHop CISO Jeff Costlow wrote in an email. Threat actors target vulnerabilities across these disaggregated systems before patches are released or deployed by impacted organizations.

VMware’s reputation in this regard has also taken a hit. 

Perhaps that’s what led to this Wall Street Journal report

Broadcom Inc. Chief Executive Hock Tan’s $61 billion deal to buy VMware Inc. marks the biggest bet yet that the boom in enterprise software demand will endure despite the economic tumult—and that bundling disparate offerings of low-profile products can yield outsize returns. 

Mr. Tan built Broadcom into a microchip powerhouse by acquiring makers of a host of unsexy-but-essential components, then cutting costs and leveraging the company’s growing pricing power. He is now banking that the same model will work in corporate software.

The deal to buy VMware, announced Thursday after The Wall Street Journal reported on details of the talks earlier in the week, would push Broadcom deeper into a software world populated by incumbents such as International Business Machines Corp. and Oracle Corp. as well as independent companies that specialize in niche applications. 

CISA added 20 known exploited vulnerabilities to its catalog this past week.

Bleeping Computer’s the Week in Ransomware was not published this week. Have a good Memorial Day Weekend.