From the cybersecurity policy front,

• Federal News Network informs us
  • “Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.
  • “Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
  • “The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy. * * *
  • “Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.
  • “In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.

From the cybersecurity vulnerabilities and breaches front,

• HHS’s Health Sector Cybersecurity Coordination Center released its July 2023 report on vulnerabilities of interest to the health sector.
  • “In July 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for July are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, MOVEit, Oracle, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”

• The Cybersecurity and Infrastructure Security Administration added a new known exploited vulnerability to its catalog on August 21; two more on August 22, and another two on August 24.

• Per Health IT Security,
  • “Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.
  • “While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.”

In HIPAA Privacy Rule news,

• Health IT Security says,
  • “The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.
  • “The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.
  • “The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.”

From the ransomware front,

• Cybersecurity Dive reports
  • “The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
  • “The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
  • “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”

• and
  • “Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.
  • “Clop’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service rapidly catapulted the group to the head of the global ransomware threat actor pack.
  • “The threat actor has compromised more than 730 organizations as part of this campaign, according to the latest figures tracked by Emsisoft and KonBriefing Research.”
• and
  • “The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
  • “The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web. 
  • “Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday [August 24].”

• Bleeping Computers’ The Week in Ransomware is on summer vacation this week.

From the cybersecurity defenses front,

• Per CISA,
  • “[On August 21,] the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
  • “CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources about CISA’s PQC work, visit the Post-Quantum Cryptography Initiative.”

• Per Health IT Security,
  • “The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.
  • “Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC), the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.
  • “The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information-sharing entities.”

• Dark Reading identifies five best practices for implementing Risk-First Cybersecurity.
  • “Organizations face an uphill battle to safeguard hybrid cloud assets and sensitive data from evolving cyber threats in an increasingly interconnected and digitized world. While the security-first approach is essential, it has limitations in addressing the dynamic nature of these threats. The risks resulting from these threats are multifaceted and sophisticated, encompassing cybersecurity, compliance, privacy, business continuity, and financial implications. Therefore, a shift toward a risk-first approach is necessary.”

• ISACA shares an executive view of key cybersecurity trends in 2023.
  • “2023 has further proven that the state of cybersecurity is constantly evolving. New technologies are emerging and increasingly being adopted for purposes of enhancing threat detection, analyzing large volumes of data for anomalies and automating security processes. Meanwhile, cyber threats are becoming increasingly sophisticated. In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected.¹ To more effectively defend against such attacks, it is important for cyber professionals to understand current trends and challenges that exist in the field of cybersecurity.”

• The Wall Street Journal offers its quarterly cyber insurance update.
  • In this quarter’s update, we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors, how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile, and whether having a cyber insurance policy increases the likelihood of being a victim of a ransomware attack?