Cybersecurity Saturday

From the policy front, Health IT Security reports that

In its latest report, the US Government Accountability Office (GAO) called on HHS to improve the healthcare data breach reporting process. Specifically, GAO urged HHS to create a mechanism for entities to provide feedback on the breach reporting process. * * *

HHS concurred with GAO’s recommendations and said it would begin soliciting feedback related to the breach reporting process.

“Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” GAO stated.

“The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes. We will continue to follow up with HHS to validate its implementation of this recommendation.”

Health IT Security adds that

GAO’s report also analyzed OCR’s methods of assessing whether covered entities had implemented recognized security practices, as required by the HIPAA Safe Harbor bill, a January 2021 amendment to HITECH.

To advance these efforts, in March 2022, OCR finalized standard operating procedures for investigators to use when assessing these security practices. Additionally, OCR issued a request for information to seek input on the contents of the recognized security practices in early April. OCR received feedback from a variety of industry groups and later announced that it would produce a video presentation on HITECH recognized security practices.

“OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022,” the report explained.

From the cyber vulnerabilities front —

CISA informs us

The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.

CISA encourages users and administrators to review the 2022 CWE Top 25 Most Dangerous Software Weaknesses and evaluate recommended mitigations to determine those most suitable to adopt.

CISA added nine known exploited vulnerabilities to its catalog this week in this post and that.

Here’s a link to a ZDNet article about this CISA action.

From the ransomware front

CISA posted the following joint cybersecurity advisory (“CSA”) yesterday

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.


Healthcare Dive adds

MedusaLocker operates under the ransomware as a service model, splitting payments with affiliates who typically get 55% to 60% of the proceeds. The group has been active as recently as May, launching phishing and spam email campaigns to gain initial access. 

A report from Cybereason said MedusaLocker first emerged in late 2019, targeting companies across industries. The group was particularly active in the healthcare space, where many organizations were attacked in connection to the COVID-19 pandemic.

ZDNet tells us

A recently developed form of malware has quickly become a key component in powering ransomware attacks. 

The malware, called Bumblebee, has been analysed by cybersecurity researchers at Symantec, who’ve linked it to ransomware operations including Conti, Mountlocker and Quantum.

“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team. 

Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.

It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.

This week’s big news was the release of LockBit 3.0, which includes a new bug bounty reward program where the threat actors pay between $1,000 to $1 million for submitted bugs and new ways of enhancing their operation.

We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.

From the cyberdefenses front

ZDNet reports

Many businesses will fail to see the benefits of their zero-trust efforts over the next few years, while legislation around paying off ransomware gangs will be extended and attacks on operational technology might have real-life consequences, according to a set of cybersecurity predictions.

The list comes from tech analyst Gartner, which said business leaders should build these strategic planning assumptions into their security strategies for the next two years.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” said Gartner senior director, Richard Addiscott. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”

[Here’s the list:]

1. Consumer Privacy Rights will be extended * * *

2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access * * *

3. Many organizations will embrace zero-trust, but fail to realize the benefits * * *

4. Cybersecurity will become key to choosing business partners * * *

5. Ransomware payment legislation will rise * * *

6. Hackers will weaponize operational technology environments to cause human casualties [by 2025] * * *

7. Resilience will be about more than just cybersecurity * * *, and

8. Cybersecurity will matter for the CEO’s bonus * * *.

Cybersecurity Dive reports

Rate pressures on the cyber industry sector began to moderate as a surge in new buyers and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh released Wednesday.

Half of Marsh’s U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. More businesses understand the financial risks of a cyberattack affecting their bottom line, Marsh said.

Meanwhile, cyber insurance rates are leveling out. Rate increases have steadily dropped from the high reached in Dec. 2021 when businesses paid, on average, 133% more for cyber insurance year over year. That rate increase dropped to 107% in March and 90% in April. Research firm AM Best also found a more moderate pace of rate increases in Q1, Chris Graham, senior industry analyst, said.

Health IT Security adds

Surveyed healthcare cybersecurity leaders reported leveraging multifactor authentication (MFA), identity and access management, and privileged access management (PAM) solutions in hopes of lessening the likelihood of a cyber insurance premium hike, a report from Imprivata conducted by WBR Insights found.

Closer to the desktop, Cybersecurity Dive tells us

Google is rolling out key updates to its password management capabilities as part of an effort to boost security across multiple operating systems and browsers for mobile and desktop users, the company said in an announcement Thursday.

Google Password Manager users will now have the same unified experience whether using Chrome or Android, and iPhone users can now manage passwords through the iOS platform.

Google will automatically warn users about compromised credentials, on top of reused and weak passwords. In addition, Google will warn users about compromised passwords on a range of operating systems and platforms, including Android, Chrome OS, Windows, iOS, MacOS and Linux.