Cybersecurity Saturday

So much has happened with the Change Healthcare situation over the past week that the FEHBlog has discussed the situation in FEHBlog posts during the week.

To recapitulate, the ScreenConnect-related vulnerability was not the cause of the Change Healthcare situation. “Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” said Tyler Mason, vice president at UnitedHealth, in a statement to TechCrunch on Thursday.”

  • Change Healthcare, which handles backend claims operations for many health plans, among other services, has created a temporary funding assistance for providers dealing with claim payment delays due to the Change Healthcare situation.
    • “We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem. While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare, may need more immediate access to funding.   
    • “We are mobilizing Optum Financial Services to help our Change Healthcare colleagues and customers support the most impacted providers.  
    • “For provider organizations impacted by that payer system outage, we’ve established a temporary funding assistance support program to help with short-term cash flow needs. You can now choose to receive short-term temporary funding assistance from us.
    • “Once standard payment operations resume, the funds will simply need to be repaid.  We have been able to estimate your average weekly payments, which will be the basis for the support. Our plan is to take this week by week with people re-upping for funding each week as needs persist.” 
  • The Change Healthcare website about the program includes FAQs.

In other vulnerability and ransomware news,

  • Cybersecurity Dive reports,
    • A patch issued to mitigate vulnerabilities in Ivanti Connect Secure does not eradicate the threat if a malicious actor previously gained access to their computer network, researchers from Mandiant warned on Tuesday.
    • A suspected espionage actor linked to the People’s Republic of China has utilized living off the land techniques and deployed novel malware to in an attempt to maintain persistence despite system upgrades, factory resets and patch deployment, according to Mandiant.  
    • Ivanti released an enhanced external integrity checker tool on Tuesday. The company and Mandiant researchers are urging organizations to run the new tool to confirm if they are still protected against additional intrusions.  
  • Here is a link to a related CISA notice published on Thursday February 29.
  • Per Statescoop,
    • “The Cybersecurity and Infrastructure Security Agency on Thursday released an advisory warning of known cyberattack techniques and indicators of compromise to help public sector organizations better protect themselves against ransomware, specifically from the threat actor Phobos.
    • “The advisory says that since 2019, Phobos, a ransomware-as-a service provider, has targeted the IT systems of municipal and county governments, emergency services, education institutions, public health care systems and other critical infrastructure. Ransomware-as-a-service, or RaaS, allows those with minimal technical expertise to launch ransomware attacks by using pre-developed tools.
    • “Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, an Upstate New York nonprofit that runs the federally funded Multi-State Information Sharing and Analysis Center, said he’s seen a growing frequency of RaaS cyberattacks across the public sector in recent years.
    • “Phobos is pretty standard ransomware,” Rose told StateScoop. “We do see them across the [state, local, tribal and territorial] sector, which is one of the reasons why we pay a lot of attention to them.”
  • Bleeping Computer adds,
    • “CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that’s actively exploited in attacks.
    • “The security flaw (tracked as CVE-2023-29360) is due to an untrusted pointer dereference weakness that enables local attackers to gain SYSTEM privileges in low-complexity attacks that don’t require user interaction.”
  • Here’s a link to related CISA addition of this known exploited vulnerability on February 29.
  • American Hospital Association News adds,
    • “Perhaps the most important point to mention at this moment is that we do not have any indication this alert is in any way related to the Change Healthcare breach,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Nevertheless, this remains a significant threat being actively exploited by sophisticated foreign adversaries targeting previously published vulnerabilities in the Ivanti Connect Secure VPN and Policy Secure services. According to the alert, threat actors are able to bypass authentication controls and maintain undetected, root-level persistent access. The alert references multiple cyber threats related to the Chinese government. Organizations still using these Ivanti services should implement described patches and consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”
  • For keen ransomware insights listen to or read the transcript of this podcast conversation between Duke University professor Mike Munger and King’s College, London, professor Anja Shortland

From the cybersecurity policy and defenses front,

  • Dark Reading informs us,
    • “The US National Institute of Standards and Technology (NIST) has released the latest draft of its well-regarded Cybersecurity Framework (CSF) this week, leaving companies to mull how a few significant changes to the document affects their cybersecurity programs.
    • “Between the new “Govern” function to incorporate greater executive and board oversight of cybersecurity, and the expansion of the best practices beyond just those for critical industries, cybersecurity teams will have their work cut out for them, says Richard Caralli, senior cybersecurity adviser at Axio, an IT and operational technology (OT) threat management firm.”
  • Here is a link to the NIST CSF 2.0 website.
  • Health IT Security adds,
    • “Surveyed healthcare organizations that used the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as their primary framework saw lower cyber insurance premium increases compared to those that had not adopted the NIST CSF, the 2024 edition of the Healthcare Cybersecurity Benchmarking Study revealed.
    • “The study is the result of an ongoing collaboration between healthcare risk management solutions company Censinet, KLAS Research, the American Hospital Association (AHA), and the Healthcare and Public Health Sector Coordinating Council (HSCC). These groups interviewed 54 payer and provider organizations and 4 healthcare vendors between September and December 2023 to gather data for the study. * * *
    • “Once again, supply chain risk management remained the NIST CSF category with the lowest coverage, despite the prevalence of third-party data breaches in healthcare. What’s more, the study noted that higher coverage of supply chain risk management is associated with smaller increases in cyber insurance premiums.
    • “Surveyed organizations that used the NIST CSF as their primary security framework saw a 6 percent increase in cyber insurance premiums, compared to an 18 percent increase among organizations that did not use the NIST CSF as their primary framework.
    • “Higher coverage within the NIST CSF categories related to cyber resiliency is especially correlated with lower increases in cybersecurity premiums,” the study stated.”
  • CISA offers password advice.