Cybersecurity Saturday

From the cybersecurity policy front —

Health IT Security reports

Following reports that patient data was transmitted to Facebook through the use of tracking technology on hospital websites and within password-protected patient portals, the HHS Office for Civil Rights (OCR) issued a bulletin outlining the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate.

Covered entities and business associates using tracking tools such as Google Analytics and Meta Pixel should pay close attention to their obligations under HIPAA, OCR noted.

Cybersecurity Dive informs us

The Cyber Safety Review Board is set to examine the Lapsus$ ransomware gang, the U.S. Department of Homeland Security announced Friday. A prolific group, Lapsus$ has targeted a wide range of global companies and government agencies, sometimes with ruthless digital extortion, since late 2021. * * *

“The CSRB will review how this group has allegedly impacted some of the biggest companies in the world, in some cases with relatively unsophisticated techniques, and determine how we all can build resilience against innovative social engineering tactics and address the role of international partnerships in combating criminal cyber actors,” Mayorkas said Friday during a conference call with reporters. “As cyberthreats continue to evolve, we have to evolve the methods we use to protect ourselves against cybercriminal activity and increase our resilience against future attacks.” * * *

CSRB Deputy Chair Heather Adkins, VP of security engineering at Google, noted that many of the reported targets of Lapsus$ were considered to have very strong cybersecurity programs. These organizations had followed recommended security controls, and in some cases even advanced controls, but still felt a significant impact from the attacks. 

Several alleged members of the extortion gang have been arrested, but researchers suspect other affiliates of Lapsus$ remain unaccounted for.

Healthcare Dive offers an interview with the National Coordinator for Health IT, Mickey Tripathi, about federal health information blocking enforcement.

From the cybersecurity breaches/vulnerabilities front —

  • Health IT Security summarizes recent breaches suffered by healthcare organizations.
  • ZIP and RAR files have overtaken Office documents as the file type most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs. The research, based on customer data from HP Wolf Security, found that in the period between July and September this year, 42% of attempts at delivering malware used archive file formats, including ZIP and RAR. That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.
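The archive-delivery trend above is easy to reason about with a concrete triage routine. The following is an added example written for this page; it is not code from HP Wolf Security or from any of the outlets cited here. It walks a ZIP attachment (recursing into nested ZIPs), and flags the things a mail gateway would care about: password-protected entries that defeat content scanning, executable or script payloads, decoy double extensions such as invoice.pdf.js, deep nesting, and zip-bomb compression ratios. The extension lists, thresholds, and the sample archive built by `build_sample()` are all constructed for illustration; RAR is out of scope because the standard library has no RAR parser, though the same checks apply to it.

```python
"""Triage an e-mailed ZIP attachment the way a mail gateway might.

Added example for this page, not code from HP Wolf Security or the cited outlets.
Standard library only, so RAR archives are not parsed here.
"""
import io
import zipfile
from typing import List, Tuple

# Assumed policy lists: file types that rarely belong in a legitimate e-mailed archive.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".iso", ".img", ".vhd",
}
# Benign-looking first extension used to disguise a payload ("invoice.pdf.js").
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_NESTING = 3       # archives inside archives inside archives: stop here
MAX_RATIO = 100.0     # uncompressed/compressed above this looks like a zip bomb

Finding = Tuple[str, str]   # (path inside the archive, reason)


def _suffixes(name: str) -> List[str]:
    """Lower-cased extensions of the last path component, e.g. ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Finding]:
    """Walk a ZIP (recursively for nested ZIPs) and return suspicious entries."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a valid ZIP")]

    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        sufs = _suffixes(info.filename)
        last = sufs[-1] if sufs else ""
        encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0 = encrypted

        if encrypted:
            # Password-protected payloads defeat content scanning; the password is
            # usually in the e-mail body. Flag rather than try to read the entry.
            findings.append((path, "encrypted entry"))
        if len(sufs) >= 2 and sufs[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
            findings.append((path, "double extension"))
        elif last in EXECUTABLE_EXTS:
            findings.append((path, "executable or script"))
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append((path, "suspicious compression ratio"))
        if last == ".zip" and not encrypted:
            if depth + 1 >= MAX_NESTING:
                findings.append((path, "nested too deep"))
            else:
                findings.extend(inspect_zip(zf.read(info), depth + 1, path + "!/"))
    return findings


def build_sample() -> bytes:
    """Constructed test archive (not a real sample): a decoy-named script inside a
    nested ZIP, a bare executable, a benign text file, and a highly compressible blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.js", "// constructed placeholder, not a real payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "Please see the attached invoice.\n")
        z.writestr("attachments.zip", inner.getvalue())
        z.writestr("update.exe", b"MZ placeholder")
        z.writestr("padding.bin", b"\0" * 1_000_000)
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_zip(build_sample()):
        print(f"{reason:30} {path}")
```

On the sample archive this reports the nested invoice.pdf.js as a double extension, update.exe as an executable, and padding.bin for its compression ratio, while readme.txt passes. The encrypted-entry check cannot be exercised with a stdlib-built sample because `zipfile` does not write encrypted entries, but it matters most in practice: an archive the scanner cannot open should be treated as a finding, not as clean.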

From the ransomware front —

  • The Health Sector Cybersecurity Coordination Center shared an updated CISA / FBI alert about a Cuba ransomware actor.
  • The Bleeping Computer released its Week in Ransomware.

From the cybersecurity defenses front —

  • Venture Beat offers Gartner analysts’ eight cybersecurity predictions for 2023.
  • Health IT Security reports “Connected device security company Ordr published a maturity model to help healthcare organizations evaluate and improve the security of their connected devices. The guide is broken down into five stages of maturity, each with recommended actions and detailed descriptions.”
  • The Wall Street Journal warns “Companies should do a better job of handling internal cybersecurity complaints before they escalate to whistleblowing, which is becoming more common in the cyber field, lawyers and industry veterans said.”