Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.
    • “The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability for many health care facilities to bill insurance companies and receive payments.”
  • Healthcare Dive informs us,
    • “In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
    • “The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
    • “Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.”
  • The HIPAA privacy and security rules permit a covered entity health provider or health plan to treat healthcare claims clearinghouse as a fellow covered entity or a business associate. The article suggests that healthcare providers at least are treating Change Healthcare as a business associate. Of course, when Change Healthcare is provided services other than clearinghouse services to a healthcare provider or a health plan Change Healthcare would be acting as a business associate.
  • Speaking of which, a colleague shared with the FEHBlog with this PowerPoint presentation of the HHS Office for Civil Rights Updates & 2024 Priorities presented at HIPAA Summit 41 on Feb. 27, 2024.
  • Nextgov reports,
    • The federal government’s HR shop is pitching a legislative proposal to give federal agencies new authorities and flexibilities in how they hire and pay cybersecurity workers to members of Congress, but so far no member has stepped up to sponsor the bill.
    • The package is meant to allow agencies across the government to increase pay for in-demand cyber talent, as they look to recruit in a tight market. The Office of Personnel Management developed the proposal with the Office of Management and Budget and the Office of the National Cyber Director. 
    • The proposal is geared at solving the cyber workforce problem across the government so that hiring officials don’t have to seek agency-specific authorities to bring on such talent, OPM says. 
  • The Cybersecurity and Infrastructure Security (CISA) announced on March 18, 2024,
    • “the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  
    • “Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.”  

From the Change Healthcare situation front,

  • United Healthcare Group offered a timeline for “key” product restoration on its Change Healthcare cyberattack website on March 22, 2024.

From the cyber vulnerabilites and breaches front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its report about February 2024 vulnerabilities of interest to the health sector on March 19, 2024.
    • “In February 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for February are from Ivanti, ConnectWise, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian.
    • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • “HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • Cybersecurity Dive notes,
    • “Threat actors are going after broadly deployed enterprise software and network infrastructure, exploiting vulnerabilities in file-transfer services and VPNs at a significantly higher rate, according to Recorded Future’s annual threat analysis report.
    • “The number of high-risk vulnerabilities exploited in attacks against enterprise software and network infrastructure approximately tripled from 2022 to 2023, analysts in the cybersecurity company’s threat research division Insikt Group said in the Thursday report. 
    • “Analysts warned that businesses’ ongoing efforts to increase virtualization and migrate workloads to the cloud are narrowing the supply chain of vendors they rely on, introducing new security risks to the enterprise environment.”
  • and
    • Security researchers are warning about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia’s invasion of Ukraine, according to a blog post released Thursday by SentinelLabs
    • The discovery of the new variant, dubbed AcidPour, coincides with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
    • The AcidPour variant has capabilities beyond that of AcidRain, raising fears that embedded devices are at risk, including IoT, networking, large storage and even industrial control systems devices running Linux x86 distributions, according to SentinelLabs.
  • On March 21, 2024, “CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: 
    • “Volumetric, attacks aiming to consume available bandwidth. 
    • “Protocol, attacks which exploit vulnerabilities in network protocols. 
    • Application, attacks targeting vulnerabilities in specific applications or running services.” 
  • Dark Reading lets us know, “Apple has released iOS 17.4.1, its latest security update, just weeks after releasing iOS 17.4, but is being intentionally vague about details surrounding the new release.” Keep your Apple devices updated.

From the cybersecurity defenses front,

  • Tech Target discusses continuity / disaster planning best practices.
  • Forbes interviews Tomer Weingarten, the founder and CEO of SentinelOne.
    • “Traditional cyber defense tools and tactics have increasingly fallen short in the face of sophisticated digital threats. This pivotal realization has spearheaded a dramatic shift towards AI-driven defense strategies, marking a significant departure from the conventional paradigms of cybersecurity.
    • “Central to this transformation is [Tomer Weingarten’s] pioneering work * * *. Artificial intelligence and generative AI are pervasive now, but SentinelOne is a company that has been at the forefront of integrating AI into cybersecurity from its inception.”