Cybersecurity Saturday

The American Hospital Association informs us

The Healthcare Cyber Communications Center, FBI, Cybersecurity & Infrastructure Security Agency and National Security Agency in December warned of new ransomware strains and other cyber threats targeting health care.

  • The FBI and CISA warned of the “Cuba” ransomware threat.
  • HC3 warned of the Royal ransomware threat.
  • HC3 warned that a new ransomware strain known as Blackcat was also targeting health care and appeared to be the successor of the notorious Russian-speaking REvil ransomware gang.
  • HC3 also warned of the latest version of the LockBit ransomware, known as LockBit 3.0. The LockBit “ransomware as a service” in its various forms has targeted health care since 2019.
  • The NSA advised of an advanced persistent threat known as APT5, which may be affiliated with the Chinese government, targeting the Citrix Application Delivery Controller which then provides the adversary broad network access.

“Our cyber adversaries believe we may pause for the holidays, which may result in their increased targeting of hospitals and health systems as we have seen around past holidays,” said John Riggi, AHA national advisor for cybersecurity and risk. “But our hospitals never close and our network defenders never cease their vigilance.”

Cybersecurity Dive provides guidance on the same topic.

Health IT Security reports

HITRUST plans to release version 11 of its cybersecurity framework (CSF) in January with new and improved features for managing emerging cybersecurity threats and reducing certification efforts, the organization announced.

As previously reported, HITRUST can help healthcare organizations improve their security postures and manage third-party risk. The HITRUST CSF is a risk and compliance-based framework that aims to provide structure and guidance across a variety of data privacy and security regulations and standards, helping organizations reduce burden and complexity.

Specifically, CSF v11 offers improved control mappings and precision in order to reduce certification efforts by 45 percent. In addition, the new version “enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.”

CSF v11 also includes expanded authoritative sources, including the National Institute of Standards and Technology (NIST) SP 800-53, Rev 5, and the Health Industry Cybersecurity Practices (HICP) standards.

HITRUST also developed artificial intelligence-based standards development capabilities to assist its assurance experts in mapping and maintaining authoritative sources. HITRUST said that this AI-based toolkit will reduce maintenance and mapping efforts by up to 70 percent.

In event news, CMS announced

The National Standards Group (NSG), on behalf of the Department of Health and Human Services (HHS), issued a Notice of Proposed Rulemaking (NPRM) CMS-0053-P. The proposed rule, if finalized, would make a regulatory change that would implement requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patient Protection and Affordable Care Act (Pub. L. 111-148).

This webinar will provide a public forum for CMS to hear feedback on the proposed rule. The call will cover the following topics:

• Background on the current standards
• What the proposed rule would do
• How to submit comments on the proposed rule

Note: Feedback received during this call is not a substitute for formal comments on the rule. See the proposed rule for information on submitting comments.

This free webinar will be held on January 25, 2023, at 2 pm ET. You can register here.

From the vulnerabilities front, the Healthcare Sector Cybersecurity Coordination Center issued an Analyst Note last Thursday. According to the Executive Summary:

HC3 is closely tracking hacktivist groups which have previously affected a wide range of countries and industries, including the United States Healthcare and Public Health (HPH) sector. One of these hacktivist groups—dubbed ‘KillNet’—recently targeted a U.S. organization in the healthcare industry. The group is known to launch DDoS attacks primarily targeting European countries perceived to be hostile to Russia, and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

From the ransomware front, Cybersecurity Dive reports

  • CrowdStrike researchers discovered a new exploit method by Play ransomware actors that can bypass URL rewrite mitigations released by Microsoft in October, according to a Tuesday blog post from the incident response firm. Microsoft’s updates were designed to mitigate ProxyNotShell vulnerabilities.
  • CrowdStrike researchers discovered the new method while investigating Play ransomware activity. The entry vector was suspected to be zero-day vulnerabilities CVE-2022-41080 and CVE-2022-41082, according to the blog.
  • While investigating the attacks, researchers found threat actors entered through Outlook Web Access (OWA) and leveraged Plink and AnyDesk in order to maintain access.

Bleeping Computer’s The Week in Ransomware is available here. After sharing its thoughts on the Microsoft issue, Bleeping Computer adds

TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.

Other reports this week shed light on various ransomware operations:

From the cybersecurity defenses front

  • Healthcare IT News offers a roundup of strategies and next steps for improving cybersecurity in 2023.
  • The Wall Street Journal reports that Chief Information Officers and Chief Information Security Officers are working together to better align their respective positions.