Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop informs us,
    • “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
    • “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
    • “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
    • “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”
  • The Hill reports,
    • “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.
    • “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”
  • Cybersecurity Dive adds,
    • The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
    • The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including:
      • Concerns about a ban’s impact on ransom payment reporting by victims.
      • The potential to drive more payments underground.
      • The unintended consequences and practicalities of critical infrastructure exemptions.
    • Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.”
    • “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.
  • The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
    • “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
    • “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
    • “We recommended that these agencies implement the order’s remaining requirements.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced,
    • “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
    • “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks – Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
    • “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products. 
    • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
    • “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”
  • On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks firewall vulnerability (CVE-2024-3400).
    • On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Per Cybersecurity Dive,
    • “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
    • “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
    • “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”
  • Dark Reading adds,
    • “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
    • “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
    • “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis as a promising use-case example.”
  • and
    • “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
    • “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
    • “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 
    • “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”
  • Healthcare IT Security lets us know,
    • “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
    • “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
    • “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

  • SC Media reports,
    • “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware site.]
    • “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
    • “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
    • “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
  • and
    • “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
    • “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
    • “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
    • “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”
  • TechTarget identifies the top 13 ransomware targets in 2024 and beyond.
  • Bleeping Computer’s The Week in Ransomware is back.

From the cybersecurity defenses front,

  • “Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
    • “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
    • PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
    • “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
    • CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”
  • Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
    • “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
    • “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.” 
  • On April 15, CISA issued joint guidance on deploying AI systems securely.
  • TechTarget offers four tips on securing cybersecurity insurance this year.
  • An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security.
    • “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray. 
    • “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
  • and
    • “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
    • “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
    • The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
  • and
    • “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted. 
    • “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
    • “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”
  • NextGov relates,
    • “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
    • “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”
  • “DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.
  • Federal News Network lets us know,
    • “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
    • “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
    • “Federal News Network has learned Connelly’s last day will be April 19. * * *
    • “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
    • “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop informs us,
    • “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
    • CISA’s directive comes in the week after CyberScoop first reported its existence.
    • “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
    • “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”
  • Cybersecurity Dive tells us,
    • “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
    • “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families. 
    • “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”
  • Cyberscoop offers the reflections of Mandiant experts on this cybersecurity landscape.
  • Security Week lets us know,
    • “Palo Alto Networks disclosed [a state-sponsored] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.
    • “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
    • “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”
  • CISA added new known exploited vulnerabilities to its catalog this week.
    • April 11, 2024
      • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
      • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
    • April 12, 2024
      • CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
    • FEHBlog note: the CVE references are to the NIST National Vulnerability Database discussed above.
  • The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
    • “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
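The Cybersecurity Dive, HC3 and Security Week items above all describe the same exposure condition for CVE-2024-3400: PAN-OS 10.2, 11.0 or 11.1 with a GlobalProtect gateway configured, and device telemetry no longer a precondition. The following inventory triage script is an added example, not code from Palo Alto Networks, HC3 or this blog; the Firewall record layout, the sample devices and the operator-tracked hotfix flag are assumptions made here, since the page does not list the fixed build numbers.

```python
"""Exposure triage for CVE-2024-3400 across a PAN-OS firewall inventory.

Added example; this is not Palo Alto Networks', HC3's or the blog's code.
It encodes only what the advisories quoted above state:
  * PAN-OS 10.2, 11.0 and 11.1 with a GlobalProtect gateway configured are
    affected; other PAN-OS versions, cloud firewalls, Panorama and Prisma
    Access are not;
  * device telemetry is NOT a precondition (that mitigation was retracted).
The Firewall record layout and the sample inventory are constructed here;
whether a hotfix is installed is an operator-tracked flag, because the page
does not give the fixed build numbers.
"""
from dataclasses import dataclass
import re

# Affected (major, minor) release trains, straight from the advisory text.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# PAN-OS versions look like "11.1.2" or "10.2.9-h1" (maintenance + hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(ver: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent.

    Raises ValueError for strings that are not PAN-OS style versions, so a
    typo in the inventory fails loudly instead of silently reading as safe.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


@dataclass
class Firewall:
    name: str
    version: str
    globalprotect_gateway: bool   # GlobalProtect gateway configured on the box
    device_telemetry: bool        # recorded only to show it is irrelevant
    hotfix_applied: bool = False  # operator-tracked: CVE-2024-3400 fix installed


def assess(fw: Firewall) -> str:
    """Classify one firewall as 'not-affected-train', 'no-gp-gateway',
    'patched' or 'exposed'."""
    major, minor, _, _ = parse_panos_version(fw.version)
    if (major, minor) not in AFFECTED_TRAINS:
        return "not-affected-train"
    if not fw.globalprotect_gateway:
        return "no-gp-gateway"
    if fw.hotfix_applied:
        return "patched"
    # fw.device_telemetry is deliberately not consulted: a device with
    # telemetry disabled is still exposed, per the updated advisory.
    return "exposed"


def triage(inventory: list[Firewall]) -> dict[str, list[str]]:
    """Group firewall names by assessment so 'exposed' can be worked first."""
    groups: dict[str, list[str]] = {}
    for fw in inventory:
        groups.setdefault(assess(fw), []).append(fw.name)
    return {status: sorted(names) for status, names in groups.items()}


# Constructed sample inventory (names, versions and settings are made up).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "11.1.2", True, False),          # telemetry off: still exposed
    Firewall("edge-fw-2", "10.2.7-h3", True, True, True),  # hotfix recorded as applied
    Firewall("dc-fw-1", "11.0.3", False, True),            # no GlobalProtect gateway
    Firewall("lab-fw-1", "10.1.11", True, True),           # not an affected train
]

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:>19}: {', '.join(names)}")
```

Feed it your real inventory export and treat every "exposed" device as needing the vendor hotfix, not a telemetry change.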

From the ransomware front,

  • TechTarget notes,
    • “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
    • “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
    • “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
    • “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”
  • WIRED reports,
    • “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
    • “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
    • “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
    • “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

From the cybersecurity defenses front,

  • MedCity News discusses four lessons learned from the Change Healthcare cyberattack.
  • According to Dark Reading,
    • The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
    • The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
    • The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.
  • According to Cybersecurity Dive,
    • “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
    • “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America. 
    • “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
    • “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.” 

Tuesday Tidbits

From Washington, DC,

  • The American Hospital News reports,
    • “Health care leaders and other officials April 9 discussed challenges to rural health care access and potential solutions during an event in Washington, D.C. sponsored by the Coalition to Strengthen America’s Health Care: Protecting 24/7 Care. The AHA is a founding member of the Coalition, which recently rebranded to reflect its renewed focus to protect and strengthen patients’ access to 24/7 care. 
    • “Today’s event hosted by Punchbowl News involved discussions on a range of topics including access, the importance of telehealth, health care innovations and Medicare underpayment, among others. 
    • “You can watch a video of today’s event here. 
  • The Wall Street Journal lets us know,
    • “The U.S. Postal Service said Tuesday it is seeking to raise the price of a stamp by 5 cents, in what would be the fourth increase since the start of 2023. 
    • “The proposed price of 73 cents, up 7.4% from the current price of 68 cents, would still need to be approved by the Postal Regulatory Commission. 
    • “The last increase happened in January 2024, when the cost of a stamp rose from 66 cents to 68 cents. Before that, the agency hiked prices in July 2023 by 3 cents. * * *
    • “The new 5-cent increase would go into effect July 14, the Postal Service said. 
    • “The Postal Service said it also wants to raise prices for other services, including sending a letter outside the U.S., which would cost $1.65, up from $1.55. Mailing a postcard within the U.S. would cost 3 cents more at 56 cents. And sending metered letters, a service used by small businesses, would cost 5 cents more at 69 cents.”
  • MedTech Dive relates,
    • “The Department of Justice filed a consent decree of permanent injunction against Philips on Tuesday in response to the company’s ongoing recall of sleep apnea and respiratory devices.
    • “The settlement would restrict Philips from producing or selling new continuous positive airway pressure (CPAP) and bi-level positive airway pressure (BiPAP) machines and other devices in the U.S. until the company meets certain requirements. Philips also faces restrictions on exporting devices that are being provided to patients impacted by the recall “to help ensure remediation of U.S. patients is prioritized over export for commercial distribution.” 
    • “Philips is required to implement a recall remediation plan that the Food and Drug Administration must agree on, including providing patients with new or reworked devices, or a partial refund. Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, said in a Tuesday statement that the finalization of the decree is a “significant milestone.” 

From the public health and medical research front,

  • KFF notes,
    • “Rates of long COVID have begun to flatten. About 1 in 10 adults with COVID have reported having long COVID since rates fell in 2023, according to a KFF analysis of the latest data from the Centers for Disease Control and Prevention. If the rate continues to hold steady, new forms of prevention or treatment may be important to achieve future reductions in long COVID.
    • “As of March 2024, 7% of all adults (17 million people) reported that they have long COVID. Among the 60% of adults who reported ever having had COVID, roughly 3 in 10 reported having long COVID at some point and about 1 in 10 reported currently having it. The ongoing gap between the two long COVID rates indicates that people are continuing to recover, even as rates stabilize.”
  • US News and World Report informs us,
    • “Measles infections have continued to spread in pockets of the U.S., as the latest nationwide count shows the number of cases have now reached more than 100.
    • “A total of 113 cases have been reported across 17 states as of April 5, according to the most recent figures from the Centers for Disease Control and Prevention, nearly double the total of 58 for all of 2023.
    • “So far, seven outbreaks have occurred – defined by the CDC as three or more related cases – up from four in 2023. More than 70% of all cases this year have been associated with an outbreak, and approximately half of patients are children under the age of five.
    • “More than 80% of measles infections are among those who are either unvaccinated or with an unknown vaccination status, according to the CDC, while 12% of cases are those who have received only one dose of the measles, mumps and rubella vaccine.
    • “Chicago has had the majority of U.S. cases, with 58 infections as of April 8, according to the most recent figures from the Chicago Department of Public Health.
    • “The majority of measles infections in Chicago have been tied to an outbreak at one of the city’s largest migrant shelters.
    • “In an update released on April 5, CDPH stated measles cases were decreasing in the city, with a total of five new cases reported during the week of March 31 through April 5, compared to 23 infections reported from March 24 through March 30.”
  • The Wall Street Journal reminds us,
    • The fight against dementia actually starts in your 40s.
    • Midlife, not your 70s or 80s, is when brain changes start to occur that can pave the way toward dementia, Alzheimer’s disease and cognitive decline later, according to a growing body of research. 
    • Intervening earlier to improve brain health—and studying the midlife brain more closely—might help people stay sharper in their later years, researchers say. Regular exercise, getting enough sleep and doing activities that keep your brain stimulated are all steps that can help you combat dementia later in life.
    • “Middle age is an opportune time to make lifestyle choices and obtain treatment that will bring an enormous return on investment in old age,” says Terrie Moffitt, a professor of psychology and neuroscience at Duke University.
    • More scientists are looking for clues in the midlife brain because efforts to target dementia in older people have largely failed, says Ahmad Hariri, a professor of psychology and neuroscience also at Duke.
  • Beckers Hospital Review points out,
    • “Surprise pregnancies may be an unexpected side effect experienced by women who use Ozempic or other GLP-1 medications, The Washington Post reported April 5.
    • “Numerous social media platforms include posts and discussions about unplanned pregnancies while on Ozempic or similar drugs. Although the reports of a possible Ozempic “baby boom” are anecdotal, it is a phenomenon researchers and experts are watching closely. 
    • “Experts speculate that weight loss drugs may impact the absorption of contraceptives, causing birth control failures or that they can affect ovulation and fertility. Others say losing weight can improve chances of pregnancy.”
  • According to Fierce Healthcare,
    • “Supplemental benefits administrator Avesis and Elevance Health subsidiary Amerigroup Georgia have teamed up with Uber Health in a pilot project to tackle the state’s maternal health crisis.
    • “Utilizing community health partners like the Georgia Primary Care Association and federally qualified health centers (FQHCs), hundreds of Amerigroup’s Medicaid members in December 2022 started receiving two individualized nutritional counseling sessions, a scale and $300 of Uber Eats vouchers.
    • “Though the program’s results have not been shared yet, Avesis Senior Manager of Care Transformation Don Trainor said the program has had promising results so far.”
  • The AHA News tells us,
    • “Women with health-related social needs such as food insecurity, housing instability and lack of transportation were less likely to report receiving a mammogram in the past two years when surveyed in 2022, according to a report released April 9 by the Centers for Disease Control and Prevention. About 66% of women aged 50-74 with at least three health-related social needs were up to date with their mammograms, compared with 83% of women with no health-related social needs. Mammography use also was lower among women without health insurance and a usual source of care.”

From the U.S. healthcare business front,

  • UnitedHealth Group has refreshed the website on which it posts its response to the Change Healthcare cyberattack.
  • Per Fierce Healthcare,
    • “Artificial intelligence categorization can help stem the flood of patient messages that would otherwise demand physicians’ expensive time, Kaiser Permanente researchers report.
    • “In a recently published JAMA Network Open research letter, members of the system’s research division and medical group outlined a strategy that used real-time natural language processing (NLP) algorithms to attach category labels to messages and then direct them to an appropriate respondent.
    • “The approach, they wrote, allowed 31.9% of the more than 4.7 million patient messages reviewed by program staff to be resolved before reaching the inbox of a specific physician. Instead, these messages were handled by a “regional team” made up of medical assistants or teleservice representatives, pharmacists and other doctors.”
  • and
    • “Consumers expect a simple and easy digital experience, and health plans have plenty of room to improve on that front, according to a new report.
    • “J.D. Power released its inaugural U.S. Health Insurance Experience Study on Tuesday, where it found that 42% of adults with insurance ran into issues using their plan’s website and/or mobile app in the past year.
    • “The study is based on responses from more than 5,500 people enrolled in the 14 largest Medicare Advantage (MA) plans and 15 largest commercial plans. It was conducted alongside Corporate Insight.”
  • Beckers Hospital Review names the “25 drugs at Mark Cuban’s online pharmacy with biggest cost reductions.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.
  • Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.
  • Cybersecurity Dive reported on April 3,
    • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
    • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
    • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.
  • Cybersecurity Dive added on April 5,
    • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
    • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
    • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
    • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 
  • Federal News Network lets us know,
    • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
    • “HHS is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
    • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”
  • The National Institute of Standards and Technology announced,
    • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • The public comment period is open through May 20, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”
  • NextGov tells us,
    • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
    • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
    • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
    • More on this threat can be found on the American Hospital Association news site.
  • On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.

From the ransomware front,

  • Bleeping Computer’s The Week in Ransomware is back at long last.
  • Cyberscoop reports,
    • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
    • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
    • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
    • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
    • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
    • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
    • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

  • Cybersecurity Dive relates,
    • “[E]ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say. 
    • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
    • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
  • Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”
  • Security Week points out,
    • “The US National Institute of Standards and Technology (NIST) this week announced $3.6 million in grants to help address the cybersecurity skills shortage.
    • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
    • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building cybersecurity workforce through education and training.
    • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”
  • Per Tech Target,
    • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
    • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
    • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”
  • HHS’s 405(d) Program now offers a
    • “New Resource: Healthcare Threat Identification Poster!
    • “Cyber hygiene poster highlights threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “The U.S. Cybersecurity and Infrastructure Security Agency [CISA] on Wednesday [March 27, 2024] published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government.
    • “CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022. Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation-states to help improve defenses.
    • “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.  * * *
    • “The rules apply to any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
    • “Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.
    • “There are exemptions for small organizations, with revenue and employee counts that qualify under the Small Business Administration’s criteria.” 
  • Here are a link to the CISA announcement and a link to the proposed rule.
  • Cyberscoop adds,
    • “While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
    • “For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.” * * *
    • “CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
    • “Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clark, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.” 
  • On March 28, 2024, the Defense Department released its “Defense Industrial Base Cybersecurity Strategy [which] plots a course for increased focus and collaboration between the Defense Department and the U.S. defense industrial base on cybersecurity initiatives amid what officials say are persistent cyberthreats.”

From the cyber-vulnerabilities and breaches front,

  • Per Security Week,
    • “While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.
    • “By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023. * * *
    • “Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE-2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1,049 victims, around 20% of all known ransomware attacks in 2023.”
  • Cybersecurity Dive tells us,
    • “Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
    • “Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
    • “Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.”
  • Earlier this month, HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted the following two PowerPoints:
    • Credential Harvesting and Mitigations
      • “Cyberattacks against healthcare facilities can involve credential harvesting, which may lead to a disruption of operations. Credential harvesting, also known as credential stealing or credential phishing, is a technique that cybercriminals can use to obtain sensitive login credentials like usernames, passwords, and personal information. These credentials operate as the gateway to an individual’s digital identity, and can grant access to various types of information, such as online accounts and health data. The methods employed for credential harvesting are diverse, ranging from sophisticated phishing emails to fake websites and social engineering tactics.”
    • Defense and Mitigations from E-mail Bombing
      • E-mail bombing, also known as a mail bomb or letter bomb attack, occurs when a botnet (a single actor or group of actors) floods an e-mail address or server with hundreds to thousands of e-mail messages. It is a type of Denial of Service (DoS) attack that allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless. By overloading a victim’s inbox, attackers hope that a victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.
      • This type of attack is of particular importance to the Healthcare and Public Health (HPH) sector. In 2016, unknown assailants launched a massive cyber attack aimed at flooding thousands of targeted “dot-gov” (.gov) e-mail inboxes with subscription requests, rendering many unusable for days.
      • E-mail bombs are not only an inconvenience to the victim, but to everyone using that particular server. When an e-mail server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime. This Sector Alert provides an overview of types of e-mail bomb techniques, as well as defenses and mitigations for targets of this type of attack.
  • Bleeping Computer adds that “Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.”
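The HC3 e-mail bombing alert above describes the attacker's goal (bury a sign-in alert or transaction notice under a flood of subscription confirmations) but not how a defender would spot the flood in mail logs. The following is an added example, not code from HC3 or from any mail product: it runs a sliding-window burst detector over a constructed, simplified mail-log format (timestamp, sender, recipient, subject; the format, the thresholds of 10 messages from at least 5 distinct senders within 60 seconds, and the sample lines are all assumptions) and then shows the triage step the alert is really about, letting messages from an allowlisted domain such as a bank or identity provider through while the burst is quarantined.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed, simplified log line format (an assumption, not a real MTA format):
#   <ISO-8601 UTC timestamp> from=<sender> to=<recipient> subject="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) '
    r'from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)

# Constructed sample log: a victim mailbox receives 12 newsletter welcomes from
# 12 different senders within 45 seconds, with a real bank sign-in alert in the middle.
SAMPLE_LOG = [
    '2024-03-20T09:58:00Z from=<hr@hospital.example> to=<nurse1@hospital.example> subject="Shift schedule"',
    '2024-03-20T09:59:10Z from=<it@hospital.example> to=<victim@hospital.example> subject="Ticket 4411 closed"',
] + [
    f'2024-03-20T10:00:{i * 4:02d}Z from=<news@list{i}.example> to=<victim@hospital.example> '
    f'subject="Welcome to our newsletter"'
    for i in range(12)
] + [
    '2024-03-20T10:00:30Z from=<alerts@bank.example> to=<victim@hospital.example> subject="New sign-in to your account"',
    '2024-03-20T10:02:00Z from=<hr@hospital.example> to=<nurse2@hospital.example> subject="Shift schedule"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sender": m["sender"].lower(), "rcpt": m["rcpt"].lower(), "subject": m["subject"]}


def detect_bursts(lines, window_s=60, threshold=10, min_senders=5):
    """Flag recipients that receive >= threshold messages from >= min_senders distinct
    senders inside any window_s-second window. Returns one alert per burst."""
    msgs = sorted(filter(None, map(parse_line, lines)), key=lambda m: m["ts"])
    recent = defaultdict(deque)   # per-recipient messages inside the current window
    alerts, active = [], {}       # active: recipient -> alert being extended
    for msg in msgs:
        q = recent[msg["rcpt"]]
        q.append(msg)
        while (msg["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()           # drop messages that fell out of the window
        senders = {m["sender"] for m in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            a = active.get(msg["rcpt"])
            if a is None or (msg["ts"] - a["last_ts"]).total_seconds() > window_s:
                # new burst: record when it started and how big it is so far
                a = {"rcpt": msg["rcpt"], "first_ts": q[0]["ts"], "last_ts": msg["ts"],
                     "count": len(q), "distinct_senders": len(senders)}
                alerts.append(a)
                active[msg["rcpt"]] = a
            else:
                # same burst continuing: extend it rather than alerting again
                a["last_ts"] = msg["ts"]
                a["count"] = max(a["count"], len(q))
                a["distinct_senders"] = max(a["distinct_senders"], len(senders))
    return alerts


def triage_burst(lines, alerts, allowlist):
    """Within a detected burst, keep messages from allowlisted sender domains visible
    (bank, IdP, own org) and quarantine the rest so the important ones are not buried."""
    windows = {a["rcpt"]: (a["first_ts"], a["last_ts"]) for a in alerts}
    priority, quarantined = [], []
    for msg in filter(None, map(parse_line, lines)):
        w = windows.get(msg["rcpt"])
        if w and w[0] <= msg["ts"] <= w[1]:
            domain = msg["sender"].rsplit("@", 1)[-1]
            (priority if domain in allowlist else quarantined).append(msg)
    return priority, quarantined


if __name__ == "__main__":
    found = detect_bursts(SAMPLE_LOG)
    for a in found:
        print(f"burst to {a['rcpt']}: {a['count']} msgs from {a['distinct_senders']} senders "
              f"between {a['first_ts']:%H:%M:%S} and {a['last_ts']:%H:%M:%S}")
    pri, quar = triage_burst(SAMPLE_LOG, found, {"bank.example", "hospital.example"})
    print("surface:", [m["subject"] for m in pri], "| quarantined:", len(quar))
```

The distinct-sender requirement matters: a single noisy sender (a monitoring system, a mailing list) can exceed ten messages a minute without being an attack, whereas subscription-bomb traffic comes from many unrelated domains. The allowlist is deliberately domain-based rather than subject-based, since the attacker chooses the subjects.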

From the Change Healthcare situation front,

  • HealthIT Security let us know on March 29,
    • “In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is “likely” to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
    • “This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems,” UHG stated. “We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.”
    • “To date, UHG had not seen evidence of any data being published on the web.
    • “In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.” 

From the ransomware front,

  • Beckers Hospital Review notes,
    • “A ransomware group that specializes in “double extortion” has claimed responsibility for a cyberattack on an Oklahoma hospital, HIPAA Journal reported.
    • “The Bian Lian hacking gang posted Lindsay (Okla.) Municipal Hospital to its data leak site and said the stolen data would be uploaded soon, according to the March 25 story.
    • “The hackers’ “double extortion” forte means they steal data then require ransom payments to both release the information and decrypt any encrypted files, the news outlet reported. HHS has warned that Bian Lian is targeting healthcare providers because of the group’s financial motivations.”

From the cybersecurity defenses front,

  • Cybersecurity Dive informed us on March 26, 2024,
    • “The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday
    • “CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.  
    • “The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.”
  • The Wall Street Journal reports,
    • “Companies from the U.S. telecommunications, financial services and power sectors held a joint cybersecurity exercise with government agencies this week to test how their defenses held up against real attacks. [The report is dated March 29, 2024.]
    • “Security staff from AT&T, Lumen Technologies, Southern Co., Mastercard and Southern California Edison pitted defensive and offensive teams, known as blue and red teams, against each other on Wednesday and Thursday in Washington, D.C. * * *
    • “This week’s Tri-Sector Cyber Defense Exercise was an expanded version of a similar event held two years ago. While in the previous event individual teams from each participating company competed against each other, this year’s program drew staff from each participant into combined teams to learn from each other’s techniques. Those teams then assaulted and blocked attacks from fictitious entities in the various represented sectors, using the same tools and technology as they would in reality.”
  • and
    • “Cybersecurity leaders struggle to communicate with executives and boards of directors and often paint an overly positive image of their companies’ security, according to a new survey of C-suite executives. 
    • “With new regulations that require companies to disclose more details about cybersecurity, around half of those polled see an immediate need to improve security leaders’ communication skills. 
    • “Thirty-one percent of top executives said they believe their companies’ chief information security officers paint a more optimistic picture than reality, according to a new survey from communications advisory firm FTI Consulting * * *
    • “Executives want CISOs to improve how they communicate about cyber risks. The FTI survey found that 98% of executives support more funding for such training, and 45% said it is an immediate need.” 
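The CISA/FBI alert cited above asks software manufacturers to review their code for SQL injection defects and remove them. As an added example (not code from CISA, the FBI, or the MOVEit vendor), the block below shows the defect beside its fix against an in-memory SQLite table with constructed sample rows: the vulnerable function splices user input into the SQL text, so a quote in the input rewrites the query, while the hardened function binds the value as a parameter. It also includes a small, assumed code-review heuristic of the kind such a review could start from: a regex pass that flags lines where a SQL statement is built with an f-string, `%` formatting, `.format()` or string concatenation, while leaving parameterized calls alone. The table, the payloads and the scanned source lines are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the page): a toy user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org", "staff"),
    (2, "bob", "bob@example.org", "staff"),
    (3, "carol", "carol@example.org", "admin"),
]


def setup_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # The defect the alert describes: untrusted input is pasted into the SQL text,
    # so the input can change the query's structure, not just the value compared.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the SQL text is fixed and the driver binds the value,
    # so quote characters in the input are data, never syntax.
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed review heuristic (not a CISA tool): lines that build a SQL statement
# from strings.  SQL_VERB anchors on the statement keyword so ordinary f-strings
# and concatenations that are not SQL are ignored.
SQL_VERB = r"(SELECT|INSERT|UPDATE|DELETE|WITH)\b"
STRING_BUILT_SQL = [
    re.compile(r"(?i)\bf['\"]\s*" + SQL_VERB),                          # f"SELECT ... {x}"
    re.compile(r"(?i)['\"]\s*" + SQL_VERB + r".*['\"]\s*%\s*\("),        # "SELECT ... %s" % (x,)
    re.compile(r"(?i)['\"]\s*" + SQL_VERB + r".*['\"]\s*\.format\("),    # "SELECT ... {}".format(x)
    re.compile(r"(?i)['\"]\s*" + SQL_VERB + r".*['\"]\s*\+\s*\w"),       # "SELECT ..." + x
]


def find_string_built_sql(source):
    """Return 1-based line numbers of source lines that build SQL from strings."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if any(p.search(line) for p in STRING_BUILT_SQL)]


# Constructed source snippet to scan: three injectable lines, two parameterized ones.
SAMPLE_SOURCE = "\n".join([
    'cur.execute(f"SELECT * FROM t WHERE id = {uid}")',
    'cur.execute("SELECT * FROM t WHERE id = %s" % (uid,))',
    'cur.execute("SELECT * FROM t WHERE id = " + uid)',
    'cur.execute("SELECT * FROM t WHERE id = ?", (uid,))',
    'cur.execute("SELECT * FROM t WHERE id = %s", (uid,))',
])


if __name__ == "__main__":
    conn = setup_db()
    bypass = "x' OR '1'='1"                                   # turns the WHERE into a tautology
    exfil = "x' UNION SELECT id, email, role FROM users --"   # pulls a column the query never exposed
    print("legit, safe:      ", find_user_safe(conn, "alice"))
    print("bypass, vulnerable:", find_user_vulnerable(conn, bypass))
    print("bypass, safe:      ", find_user_safe(conn, bypass))
    print("exfil, vulnerable: ", find_user_vulnerable(conn, exfil))
    print("lines to review:   ", find_string_built_sql(SAMPLE_SOURCE))
```

Note that escaping or filtering quotes is not the fix; binding parameters is, because it removes the possibility of the input reaching the SQL parser at all. The regex scanner is a starting point for the "formal review" the alert asks for, not a substitute for one: it will miss SQL assembled across several lines or in an ORM's raw-query helpers, and it flags only the four construction patterns it knows.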

Monday Roundup

Photo by Sven Read on Unsplash

From Washington, DC,

  • STAT News reminds us,
    • “The public will soon find out whether the federal government is willing to meet the health insurance industry’s demands and deposit more money into the bank accounts of next year’s Medicare Advantage plans.
    • “Budget officials within the Biden administration started reviewing final payment regulations for 2025 Medicare Advantage plans last week after more than 42,000 public comments rolled into the federal government’s inbox. Those rules will come out no later than April 1.
  • Becker’s Hospital CFO Report adds,
    • “Onerous” authorization requirements and high denial rates have health systems considering whether to drop Medicare Advantage plans, according to a report from the Healthcare Financial Management Association and Eliciting Insights. 
    • “HFMA Health System CFO Pain Points Study 2024” is based on a survey of 135 health system CFOs conducted in January. 
    • According to the report, 16% of health systems are planning to stop accepting one or more Medicare Advantage plans in the next two years. Another 45% said they are considering the same but have not made a final decision.
    • Health systems have been increasingly pushing back on Medicare Advantage. Chris Van Gorder, president and CEO of San Diego-based Scripps Health, told Becker’s last year that “it’s becoming a game of delay, deny and not pay.” Scripps terminated Medicare Advantage contracts effective Jan. 1 for its integrated medical groups. The medical groups, Scripps Clinic and Scripps Coastal, employ more than 1,000 physicians, including advanced practitioners. Mr. Van Gorder said the health system was facing an annual loss of $75 million on MA contracts.  
    • “Providers are going to have to get out of full-risk capitation because it just doesn’t work — we’re the bottom of the food chain, and the food chain is not being fed,” he said.
    • Despite tensions with some health systems, the Medicare Advantage program had a 95% quality satisfaction rating among enrolled members in 2023.
  • The FEHBlog notes that MA plans are subject to the Affordable Care Act’s medical loss ratio. The medical loss ratio encourages health plans to make payments to providers.
  • FedSmith lets us know,
    • The Federal Salary Council (FSC) recently proposed adding about 15,000 federal employees to existing locality pay areas for 2025 from the “Rest of the U.S.” Being added to a locality pay area usually results in higher pay for impacted employees.
    • FSC is recommending the Pay Agent add Wyandot County, OH, to the Columbus, OH, locality pay area and Yuma County, AZ, to the Phoenix, AZ, locality pay area. These recommendations do not create new locality pay areas. In this case, they are adding employees to existing pay areas using various techniques to reduce employees in the “Rest of the U.S.” and add more to higher-paying locality pay areas.
    • A proposal from the Federal Salary Council does not mean a decision to make these additions is finalized. The recommendations have to be approved by the President’s Pay Agent. That approval usually follows, although not necessarily in the recommended time frame. Once the Pay Agent decides to move ahead, the Office of Personnel Management has to issue a proposed change in the Federal Register and a final decision in the Federal Register a few months later.
  • Reg Jones, writing in Fedweek, discusses “Survivor Annuity Benefits for Children of Deceased Federal Employees and Retirees.”
  • KFF discusses Medicare spending on GLP-1 drugs, like Ozempic, to treat diabetes.
    • “Gross spending on Ozempic alone increased from $2.6 billion in 2021 to $4.6 billion in 2022, pushing it to 6th place among the top-selling drugs in Medicare Part D that year, up from 10th place the year before.  
    • “The fact that covering GLP-1s under Medicare Part D for authorized uses is already making a mark on total Part D program spending could be a sign of even higher spending to come as Part D plans are now able to cover Wegovy for its heart health benefits, and if new uses for GLP-1s are approved.”
  • CNBC adds,
    • “Americans can’t seem to get enough of weight loss drugs despite their limited insurance coverage and roughly $1,000 monthly price tags before discounts. 
    • “But some patients are willing to pay more out of pocket for those treatments than others — and it’s strongly correlated to their annual income.
    • “That’s according to a recent survey from Evercore ISI that focused on GLP-1s, which include Novo Nordisk’s weight loss injection Wegovy and diabetes counterpart Ozempic.

From the public health and medical research front,

  • The American Medical Association advises its members about measles, now at 64 cases, and tells patients what doctors wish they knew about vasectomies.
  • Medscape shares five things to know about Adult Respiratory Syncytial Virus (RSV) Infection.
  • The Washington Post features a Consumer Reports article on maintaining kidney health. “Hydration and exercise are just two of the keys to reducing the risk of kidney disease.”
  • The Society for Human Resource Management offers nine mental health questions for employee engagement surveys.
  • CNN reports,
    • “Drugmaker Eli Lilly warned this week that two of its formulations of insulin would be temporarily out of stock through the beginning of April, citing a “brief delay in manufacturing.”
    • “The 10-milliliter vials of Humalog and insulin lispro injection will be in short supply at wholesalers and some pharmacies, Lilly said in a statement posted online Wednesday [March 20]. The company said that prefilled pen versions of those medicines are still available in the US and that it continues to manufacture the 10-milliliter vials “and will ship them as soon as we can.”

From the U.S. healthcare business front,

  • The Wall Street Journal relates,
    • “Hospitals are adding billions of dollars in facility fees to medical bills for routine care in outpatient centers they own. Once an annoyance, the fees are now pervasive, and in some places they are becoming nearly impossible to avoid, data compiled for The Wall Street Journal show. The fees are spreading as hospitals press on with acquisitions, snapping up medical groups and tacking on the additional charges. 
    • “The fees raise prices by hundreds of dollars for widely used and standard medical care, including colonoscopies, mammograms and heart screening. 
    • “Hospitals say facility fees help offset the extra costs that they incur to meet federal regulations. “It’s not as simple as same services, across-the-board,” said Jason Kleinman, director of federal relations for the American Hospital Association.” * * *
    • “Lawmakers and Congress have proposed limiting fees covered by Medicare, which advisers to the federal insurer have unanimously recommended. Under a bill passed by the House in December, Medicare would no longer pay hospital facility fees for chemotherapy and other drugs infused by doctors in clinics off a hospital campus, saving about $3.7 billion over 10 years. 
    • “The American Hospital Association opposes limiting the fees, saying restrictions would cut revenue to hospitals already squeezed financially by high labor costs and inflation.”   
  • Beckers Hospital CFO Report adds,
    • “Kaufman Hall’s latest “National Hospital Flash Report,” which is based on data from more than 1,300 hospitals, outlined three key areas that separate high-performing hospitals and low-performing hospitals when it comes to their operating performances: 
      • Outpatient revenue. In general, hospitals with higher and accelerating outpatient revenue are more profitable.
      • Contract labor. Hospitals that quickly reduced their percentage of contract labor demonstrate improved operating profitability. In addition, hospitals that aggressively marched down contract labor costs were correlated to rising wage rates for full-time staff. Rising wage rates appeared to attract and retain full-time staff, which has allowed those hospitals to decrease contract labor more quickly, all of which has led to increased profitability, according to the report. 
      • Average length of stay. A lower average length of stay corresponded with improved profitability. Hospitals that hyper-focused on patient throughput — which has led to appropriate and prompt patient discharge — have also proven this to be a solid financial strategy, according to the report.”
    • “Hospitals on the other end of the scale continue to struggle, with the poorest financially performing hospitals reporting negative margins from -4% to -19%, according to Kaufman Hall. Continuation of this level of performance is unsustainable and makes it impossible to reinvest in community care.” 
  • Per BioPharma Dive,
    • “Novo Nordisk will pay as much as $1 billion to acquire RNA drug developer Cardior and its experimental treatment for heart failure, the companies announced Monday
    • “Cardior’s treatment, dubbed CDR132L, is currently being tested in a mid-stage study involving 280 people with heart failure who previously experienced a heart attack. Results are expected by September, according to a U.S. clinical trial database.
    • “In addition to that study, Novo said it plans to start another Phase 2 trial in heart failure patients whose heart muscle has become thick and stiff, also known as cardiac hypertrophy. Novo, which will pay an undisclosed upfront payment to Cardior per deal terms, expects the acquisition to close in the second quarter.”
  • and
    • “Abbvie is expanding its pipeline of inflammatory disease drugs, announcing Monday a small deal to acquire biotechnology company Landos Biopharma.
    • “Per the deal, Abbvie will buy Landos for $20.42 per share, or about $138 million. Abbvie has also agreed to pay a so-called contingent value right worth $11.14 per share, or another $75 million, if certain milestones are met. The upfront price represents a premium of about 155% to the closing price Friday of Landos stock.
    • “Landos is currently running a mid-stage trial of its lead drug, dubbed NX-13, in ulcerative colitis. Abbvie is also interested in NX-13’s potential in Crohn’s disease.”
  • Per Healthcare Dive,
    • “Change Healthcare said its largest claims clearinghouses would come back online over the weekend, more than a month after a cyberattack at the technology firm disrupted the healthcare sector. 
    • “More than $14 billion in charges have been prepared for processing, according to an update from parent company UnitedHealth Group on Friday. Change’s electronic payments platform has also been restored, and the company is working on payer implementations.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.
    • “The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability for many health care facilities to bill insurance companies and receive payments.”
  • Healthcare Dive informs us,
    • “In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
    • “The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
    • “Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.”
  • The HIPAA privacy and security rules permit a covered entity health provider or health plan to treat a healthcare claims clearinghouse as a fellow covered entity or as a business associate. The article suggests that healthcare providers, at least, are treating Change Healthcare as a business associate. Of course, when Change Healthcare provides services other than clearinghouse services to a healthcare provider or a health plan, Change Healthcare would be acting as a business associate.
  • Speaking of which, a colleague shared with the FEHBlog this PowerPoint presentation of the HHS Office for Civil Rights Updates & 2024 Priorities presented at HIPAA Summit 41 on Feb. 27, 2024.
  • Nextgov reports,
    • The federal government’s HR shop is pitching a legislative proposal to give federal agencies new authorities and flexibilities in how they hire and pay cybersecurity workers to members of Congress, but so far no member has stepped up to sponsor the bill.
    • The package is meant to allow agencies across the government to increase pay for in-demand cyber talent, as they look to recruit in a tight market. The Office of Personnel Management developed the proposal with the Office of Management and Budget and the Office of the National Cyber Director. 
    • The proposal is geared at solving the cyber workforce problem across the government so that hiring officials don’t have to seek agency-specific authorities to bring on such talent, OPM says. 
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced on March 18, 2024,
    • “the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  
    • “Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.”  

From the Change Healthcare situation front,

  • UnitedHealth Group offered a timeline for “key” product restoration on its Change Healthcare cyberattack website on March 22, 2024.

From the cyber vulnerabilities and breaches front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its report about February 2024 vulnerabilities of interest to the health sector on March 19, 2024.
    • “In February 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for February are from Ivanti, ConnectWise, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian.
    • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • “HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • Cybersecurity Dive notes,
    • “Threat actors are going after broadly deployed enterprise software and network infrastructure, exploiting vulnerabilities in file-transfer services and VPNs at a significantly higher rate, according to Recorded Future’s annual threat analysis report.
    • “The number of high-risk vulnerabilities exploited in attacks against enterprise software and network infrastructure approximately tripled from 2022 to 2023, analysts in the cybersecurity company’s threat research division Insikt Group said in the Thursday report. 
    • “Analysts warned that businesses’ ongoing efforts to increase virtualization and migrate workloads to the cloud are narrowing the supply chain of vendors they rely on, introducing new security risks to the enterprise environment.”
  • and
    • Security researchers are warning about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia’s invasion of Ukraine, according to a blog post released Thursday by SentinelLabs.
    • The discovery of the new variant, dubbed AcidPour, coincides with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
    • The AcidPour variant has capabilities beyond that of AcidRain, raising fears that embedded devices are at risk, including IoT, networking, large storage and even industrial control systems devices running Linux x86 distributions, according to SentinelLabs.
  • On March 21, 2024, “CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: 
    • “Volumetric, attacks aiming to consume available bandwidth. 
    • “Protocol, attacks which exploit vulnerabilities in network protocols. 
    • “Application, attacks targeting vulnerabilities in specific applications or running services.” 
  • Dark Reading lets us know, “Apple has released iOS 17.4.1, its latest security update, just weeks after releasing iOS 17.4, but is being intentionally vague about details surrounding the new release.” Keep your Apple devices updated.

From the cybersecurity defenses front,

  • Tech Target discusses continuity / disaster planning best practices.
  • Forbes interviews Tomer Weingarten, the founder and CEO of SentinelOne.
    • “Traditional cyber defense tools and tactics have increasingly fallen short in the face of sophisticated digital threats. This pivotal realization has spearheaded a dramatic shift towards AI-driven defense strategies, marking a significant departure from the conventional paradigms of cybersecurity.
    • “Central to this transformation is [Tomer Weingarten’s] pioneering work * * *. Artificial intelligence and generative AI are pervasive now, but SentinelOne is a company that has been at the forefront of integrating AI into cybersecurity from its inception.”

Thursday Miscellany

Photo by Josh Mills on Unsplash

From Washington, DC,

  • Roll Call reports,
    • “Lawmakers released a more than $1.2 trillion, six-bill appropriations package early Thursday morning, less than 48 hours ahead of a Friday night deadline for this second and final wrapup measure for the fiscal year that began Oct. 1. 
    • “Both parties were touting “wins” in the package well before unveiling the massive 1,012-page bill, which had already won President Joe Biden’s blessing and pledge to sign it “immediately.” That, plus the lure of a two-week recess, should help get the package over the finish line, though it seems likely to slip past the 11:59 p.m. Friday cutoff for the current stopgap spending law.
    • “But lawmakers weren’t really sweating the prospect of a weekend funding lapse, given its limited impact on government operations — especially with Friday’s expected House passage likely to be a strong signal of congressional intent to keep the lights on.”
  • The bill includes appropriations for OPM (pages 247 – 250) and its Inspector General (page 250) plus the three now standard appropriations measures:
    • A prohibition against imposing full Cost Accounting Standards coverage on FEHB carriers. Division B, Section 611, page 268.
    • The Hyde amendment limiting FEHB coverage of abortions to cases “where the life of the mother would be endangered if the fetus were carried to term, or the pregnancy is the result of an act of rape or incest.” Division B, Section 613 and 614, pages 268 – 269.
    • A contraceptive prescription drug coverage mandate with conscience protections for FEHB plans and healthcare providers. Division B, Section 726, page 298.
  • The American Hospital Association News discusses HHS appropriations, which also are included in this bill.
    • “The House may vote on the measure Friday, with Senate action expected over the weekend. A short government shutdown may occur over the weekend, depending how long it takes both chambers to pass the measure and for President Biden to sign it into law.” 
  • Govexec points out “the nine biggest agency and program reforms in the final FY24 spending package.”
  • The Wall Street Journal scoops,
    • “Some Medicare members could get help paying for the popular new weight-loss drug Wegovy—as long as they have a history of heart disease and are using it to prevent recurring heart attacks and strokes.
    • “Medicare Part D drug-benefit plans—which are administered by private insurers—may cover anti-obesity medications if the drugs receive approval for an additional use that is considered medically accepted under federal law, the Centers for Medicare and Medicaid Services told The Wall Street Journal on Thursday. * * *
  • STAT News adds,
    • “Early data regarding the use of GLP-1 medications like Ozempic and Wegovy to treat addiction is “very, very, exciting,” Nora Volkow, the director of the National Institute on Drug Abuse, said Thursday.
    • “But even as she expressed enthusiasm for the new drugs’ potential, Volkow criticized pharmaceutical companies for neglecting a moral imperative to develop new addiction treatments — but acknowledged that the health system more broadly doesn’t incentivize drug companies to treat the U.S. drug crisis with urgency.”
  • The U.S. Preventive Services Task Force finalized its research plan for re-evaluating its September 2019 recommendations on the topic of medications to reduce the risk of breast cancer.
  • Beckers Health IT interviews Alexandra Mugge, chief health informatics officer at CMS, about the agency’s efforts “to expedite prior authorizations, through digitization and better data exchange, saving the healthcare industry $15 billion over a decade — in the hopes of one day having the decisions made instantaneously, right in the EHR.”

From the Food and Drug Administration front,

  • Per a press release,
    • “Today, the U.S. Food and Drug Administration approved Duvyzat (givinostat) oral medication for the treatment of Duchenne Muscular Dystrophy (DMD) in patients six years of age and older. Duvyzat is the first nonsteroidal drug approved to treat patients with all genetic variants of DMD. It is a histone deacetylase (HDAC) inhibitor that works by targeting pathogenic processes to reduce inflammation and loss of muscle.
    • “DMD denies the opportunity for a healthy life to the children it affects. The FDA is committed to advancing the development of new therapies for DMD,” said Emily Freilich, M.D., director of the Division of Neurology 1, Office of Neuroscience in the FDA’s Center for Drug Evaluation and Research. “This approval provides another treatment option to help reduce the burden of this progressive, devastating disease for individuals impacted by DMD regardless of genetic mutation.”
  • MedTech Dive informs us,
    • Johnson & Johnson subsidiary Abiomed recalled its Impella left sided blood pumps for risk that the devices could perforate the heart during a procedure. The recall began on Dec. 27 with Abiomed updating its instructions for use.
    • The Food and Drug Administration identified the recall as a Class I event, the most serious type of recall, in a Thursday notice. The agency has received 129 reports of serious injuries, including 49 deaths, related to the problem. 
    • Abiomed’s Impella heart pumps, which are used to support the heart during procedures or during cardiogenic shock, were the subject of four Class I recalls last year, including the latest recall. The company also received an FDA warning letter for quality problems with Impella and software used in the device that had not been authorized by the agency.

From the public health and medical research front,

  • The CDC shares with us,
    • Data from the National Vital Statistics System
      • Life expectancy for the U.S. population in 2022 was 77.5 years, an increase of 1.1 years from 2021.
      • The age-adjusted death rate decreased by 9.2% from 879.7 deaths per 100,000 standard population in 2021 to 798.8 in 2022.
      • Age-specific death rates increased from 2021 to 2022 for age groups 1–4 and 5–14 years and decreased for all age groups 15 years and older.
      • The 10 leading causes of death in 2022 remained the same as in 2021, although some causes changed ranks. Heart disease and cancer remained the top 2 leading causes in 2022.
      • The infant mortality rate was 560.4 infant deaths per 100,000 live births in 2022, an increase of 3.1% from the rate in 2021 (543.6).
  • STAT News adds,
    • “The U.S. recorded 107,941 drug overdose deaths in 2022, according to a new federal report — a total that marks an all-time record but also shows signs that the country’s overdose rate may finally be leveling off after years of steady increase.
    • “The 2022 total marks only a slight increase from the drug death toll of 106,699 the year before, according to the Centers for Disease Control and Prevention. The flattening of drug death rates could provide a rare glimmer of hope amid the bleak U.S. drug crisis, which has seen overdose rates rise inexorably for the past two decades and especially during the Covid-19 pandemic.
    • “A large majority of those deaths were driven by the potent synthetic opioid fentanyl. Since emerging in the drug supply in the mid-2010s, fentanyl has increasingly come to dominate the U.S. illicit drug market. Even as fentanyl deaths have skyrocketed, the share of deaths involving other opioids — like heroin, methadone, and prescription painkillers — has decreased.”
  • The Washington Post reports,
    • “After once losing hope because of end-stage kidney disease, a 62-year-old man is now the first living person to receive a genetically edited kidney from a pig, according to doctors at Massachusetts General Hospital who performed the landmark surgery Saturday.
    • “Richard Slayman, whom doctors praised for his courage, is doing well after the four-hour surgery and is expected to be discharged from the Boston hospital soon, officials said.
    • “The advance, which builds on decades of work, gives hope to the hundreds of thousands of Americans who depend on dialysis machines to do the work of their failing kidneys. Each day, 17 Americans die awaiting a kidney transplant, a problem further complicated by unequal access given to Black and other patients. Doctors expressed hope that using pigs to vastly increase the supply of kidneys might correct the inequity.”
  • The Wall Street Journal lets us know,
    • “A new class of anticoagulant drugs on the horizon is taking fresh aim at one of cardiology’s toughest challenges: how to prevent blood clots that cause heart attacks and strokes, without leaving patients at risk of bleeding.
    • “At least a half-dozen experimental blood thinners are in development that inhibit a protein called factor XI, one of several blood factors that regulate how the body forms clots. * * *
    • “Any factor XI agent that reaches the market would likely represent an important advance over drugs called factor Xa inhibitors, a blockbuster class of medicines dominated by Eliquis and Xarelto. Since they were approved just over a decade ago, these drugs have supplanted warfarin as the standard-of-care anticoagulant to prevent stroke in patients with the heart-rhythm disorder atrial fibrillation as well as other indications.”
  • HealthDay informs us,
    • “About 1 in every 10 U.S. children ages 5 to 17 has been diagnosed with attention deficit hyperactivity disorder (ADHD), according to the latest government statistics.
    • “The data from the National Health Interview Survey covers the years 2020 through 2022 and came from in-person or phone interviews involving a representative sample of American homes.
    • “It found that 11.3% of school-age children have been diagnosed with ADHD, with boys more likely to have this diagnosis (14.5%) than girls (8%), according to report authors Cynthia Reuben and Nazik Elgaddal, of the National Center for Health Statistics (NCHS).
    • “ADHD is diagnosed more often among white children (13.4%) than Black youngsters (10.8%) or Hispanic (8.9%) kids, the survey also showed. 
    • “Family income seemed to matter, too:  As income levels rose, the rate of child ADHD diagnoses declined.”
  • WTW, an actuarial consulting firm, offers insights on hepatitis C, the HPV vaccine and value-based insurance design.

From the U.S. healthcare business front,

  • STAT News reports,
    • “The last decade has seen billions of dollars flow into digital health companies that promise to improve outcomes for the 38 million Americans living with type 2 diabetes. Their products aren’t cheap, but in the long term, they pitch to health plans and employers that these digital tools will help cut health care costs by preventing serious complications like amputation and kidney failure.
    • “A systematic review by the Peterson Health Technology Institute found, though, that digital tools used to manage diabetes with the help of finger-stick blood glucose readings don’t result in clinically meaningful improvements over standard care. As a result, they don’t reduce health care spending — they drive it up.
    • “Most of the solutions in this category do not deliver clinical benefits that justify their cost,” Caroline Pearson, executive director of the institute, told STAT. Despite finding that some populations may benefit, the report concludes that current evidence doesn’t support broader adoption for most products.”
  • Plan Sponsor notes,
    • “In the face of rising health care expenditures and out-of-pocket spending, average health savings account balances have also steadily increased since the COVID-19 pandemic, according to new data from the Employee Benefit Research Institute.
    • “The average HSA balance rose to $4,418 at the end of 2022 from $2,711 at the start of the year, the most recent data available in EBRI’s database, given that participants can still contribute to 2023 HSAs until taxes are due in April.
    • “Jake Spiegel, a research associate at EBRI, says he sees this trend continuing in 2023 and into the start of 2024 as well.
    • “EBRI’s analysis revealed two predominant factors associated with higher average account balances. The first was that age is strongly associated with higher HSA balances: the older the accountholder, the higher the average balance.”
  • Beckers Hospital Review lets us know,
    • “Change Healthcare said it has reinstated Amazon cloud services for two of its platforms a month into a cyberattack against the company.
    • “The UnitedHealth Group and Optum subsidiary said March 20 it restored Amazon Web Services from backups for Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange. Change said it rebuilt authentication services for the solutions on a new network with the help of cybersecurity firms Palo Alto Networks and Mandiant, a Google subsidiary. The company said it is also testing the security of the external-facing parts of those applications.”
  • Per the Society for Human Resource Management,
    • “Employees are experiencing more mental health struggles and overall negative feelings about their work, underscoring an “urgent need” for employers to take more aggressive measures to help with their benefits offerings.
    • “Employees are now more likely to experience negative feelings at work, including stress (12 percent more likely) and burnout (17 percent more likely) than they were pre-pandemic (2019), according to new data from MetLife. Employees are also 51 percent more likely to feel depressed at work than they were pre-pandemic as they face what the insurer calls a “complex macro environment and permacrisis state”—a state which has included the pandemic, persistent high inflation, international turmoil and war, and more.
    • “Those are among the findings in MetLife’s 22nd annual U.S. Employee Benefit Trends Study, released March 18—data indicating that employers may have to revisit benefits offerings to not only support employees, but retain them.”
  • HR Dive explains “How menopausal and other reproductive health benefits can help retain women” and “Data shows that fertility treatments are extremely valuable to workers who need them. Here’s why one people officer is working on integrating them.”
  • STAT News relates,
    • “Just as Pfizer spooked Wall Street after its record pandemic revenue came parabolically back to earth, BioNTech, the company’s Covid-19 vaccine partner, is now dealing with investor malaise of its own.
    • “Shares in the German firm fell about 5% yesterday, hitting a 52-week low, after the company reported disappointing financials. BioNTech’s cut of Covid vaccine revenue fell by about more than three-quarters last year, missing analyst estimates and leading the company to lower its projections for 2024.
    • “Now BioNTech, much like Pfizer, is making the case that its future in oncology will compensate for the rapid erosion in demand for Covid vaccines. The company has more than 20 cancer medicines in its pipeline, including late-stage treatments for tumors of the breast and lung that could hit the market in the next two years.”
  • Per Healthcare Dive,
    • “Walgreens-backed VillageMD sold 11 locations in Rhode Island to Boston-based medical group management firm Arches Medical Partners for an undisclosed sum, Arches said Wednesday.
    • “The practices, which include about 75,000 patients, joined Arches on March 2, according to VillageMD’s website.
    • “The deal follows VillageMD clinic closures. The primary care chain recently exited Florida — once one of the chain’s largest markets — and plans to withdraw from its home state in Illinois next month.”

Midweek Update

Photo by Manasvita S on Unsplash

From Washington, DC,

  • Roll Call reports,
    • “Speaker Mike Johnson, R-La., and his top lieutenants on Wednesday morning moved to quell reservations among their conference about the emerging $1.2 trillion-plus final spending package headed for a vote likely on Friday, while their Democratic counterparts did likewise in a separate meeting.
    • “Appropriators were scrambling under a tight timeline to finish drafting the measure, which is taking longer than expected due to a last-minute decision to write a full-year Homeland Security bill. But Johnson told reporters after a GOP conference meeting that text is expected as soon as Wednesday afternoon.
    • “Other sources expected the bill drop to slip to Thursday, with the standard “reading out” of the DHS title, to catch any errors before posting, not even expected to begin until later Wednesday. But no matter: Lawmakers said they expect the chamber to vote as soon as Friday, regardless of a 72-hour review rule. * * *
    • “Final passage wouldn’t come until this weekend at the earliest, and senators are working to accommodate Sen. Susan Collins, R-Maine, who has never missed a vote but will be attending her mother’s funeral on Saturday. That could push votes off until Sunday or Monday, though few are worried at this point about the effects of such a brief funding lapse. 
    • “I don’t think we’ll do a [continuing resolution],” Johnson said.”
  • The American Hospital Association (AHA) News informs us,
    • “The House Energy and Commerce Committee March 20 unanimously passed AHA-supported legislation to reauthorize through 2029 the Dr. Lorna Breen Health Care Provider Protection Act (H.R. 7153), which provides grants to help health care organizations offer behavioral health services for front-line health care workers. The bill also would reauthorize a national campaign that provides hospital leaders with evidence-based solutions to support worker well-being. Without congressional action, the law will expire at the end of this year.”
  • and
    • “Congress should address any statutory constraints that prevent the Centers for Medicare & Medicaid Services and Department of Health and Human Services from adequately helping hospitals and other health care providers impacted by the Change Healthcare cyberattack, AHA said in a letter submitted to the House Ways and Means Committee for a hearing March 20 with HHS Secretary Xavier Becerra on fiscal year 2025 funding for HHS.”
  • Govexec tells us,
    • “The top senator with direct oversight of the U.S. Postal Service is calling on its leadership to pause its overhaul of the agency’s mailing network due to potential impacts they are having on delivery, rejecting USPS assertions that it has provided transparency.
    • “USPS should not continue its nationwide operational reforms until it can prove the changes will not negatively impact mail service, Sen. Gary Peters, D-Mich., who chairs the Senate Homeland Security and Governmental Affairs Committee, said in a letter to Postmaster General Louis DeJoy. Agency leadership said in response to the letter it has offered volumes of documents and many staff-level briefings to Congress, though Peters said USPS ignored many of his requests for additional information on its efforts and left Congress uncertain about the fallout that could befall postal customers.”
  • On March 18, 2024, the Office of Management and Budget’s Office of Information and Regulatory Affairs received for final regulatory review an OPM proposed rule with additional requirements and clarifications for the Postal Service Health Benefits Program (RIN 3206-AO59).
  • The AHA News tells us,
    • “U.S. health care organizations should immediately transition away from using certain unauthorized plastic syringes made in China by Jiangsu Caina Medical Co. and Jiangsu Shenli Medical Production Co., and should only use other plastic syringes made in China until they can transition to alternatives, the Food and Drug Administration announced March 19, citing potential quality and performance issues. The recommendations do not apply to glass syringes, pre-filled syringes, or syringes used for oral or topical purposes, FDA said. The agency advises health care providers to confirm the manufacturing location by reviewing the labeling, outer packaging, or contacting the supplier or group purchasing organization.”
  • The Assistant Secretary of Labor for Employee Benefit Security, Lisa M. Gomez, posted on her blog about “Health and Money Smarts for Women.”
  • Fierce Healthcare lets us know,
    • “The Employee Retirement Income Security Act, or ERISA, is turning 50 this year and lawmakers are curious to hear about how the law could be updated to increase coverage affordability and care access.
    • “Payers and providers, it turns out, have very different ideas on where Congress should focus its efforts.
    • “In response to the House Committee on Education and the Workforce’s January request for information, lobbying groups representing both sides of the industry weighed in on the act that outlines federal guidelines for employee benefit plans, including employer-sponsored group health plans.”
    • The article delves into these comments.
  • Newfront offers insights about 2024 RxDC reporting considerations. The reports are due June 1, 2025.
  • The Congressional Budget Office released a presentation about “The Federal Perspective on Coverage of Medications to Treat Obesity.” Assuming Congress allows Medicare to cover anti-obesity medications (AOM),
    • “The future price trajectory of AOMs is highly uncertain.
    • “CBO expects semaglutide to be selected for price negotiation by the Secretary of Health and Human Services within the next few years, which would lower its price (and potentially the prices of other drugs in the AOM class).
    • “CBO expects generic competition for semaglutide and tirzepatide to start in earnest in the second decade of a policy allowing Medicare Part D to cover AOMs.
    • “New AOMs are expected to become available. The new drugs might be more effective, have fewer side effects, or be taken less frequently or more easily than current medications. Those improvements could translate to higher prices, on average, even if prices decline for drugs that exist today.”
  • See also the Beckers Hospital Review article below on the next generation of AOMs.
  • Healthcare Dive tells us,
    • “The Medicare Payment Advisory Commission, which advises Congress on Medicare policy, is recommending boosting hospital payment rates by 1.5% in 2025 and base physician payment rates by 1.3% above current law, according to its annual report released Friday.
    • “MedPAC suggested tying the rate of physician payment increases moving forward to the Medicare Economic Index, an annual measure of practice cost inflation. MedPAC suggested payments increase “by the amount specified in current law plus 50% of the projected increase in the MEI.”
    • “Provider groups, including the Medical Group Management Association and American Medical Association, have said the proposed payment increases are inadequate.”

From the public health and medical research front,

  • The Washington Post reports,
    • “More than two-thirds of young children in Chicago could be exposed to lead-contaminated water, according to an estimate by the Johns Hopkins Bloomberg School of Public Health and the Stanford University School of Medicine.
    • “The research, published Monday in the journal JAMA Pediatrics, estimated that 68 percent of children under the age of 6 in Chicago are exposed to lead-contaminated drinking water. Of that group, 19 percent primarily use unfiltered tap water, which was associated with a greater increase in blood lead levels.
    • “The extent of lead contamination of tap water in Chicago is disheartening — it’s not something we should be seeing in 2024,” lead author Benjamin Huynh, assistant professor of environmental health and engineering at the Johns Hopkins Bloomberg School of Public Health, said in a news release.”
  • The Wall Street Journal relates,
    • “Debi Lucas had a tremor in her arm. Her feet froze when she tried to walk and she fell into her coffee table, busting her lip. 
    • “She went to a neurologist who thought she had Parkinson’s disease. Doctors normally diagnose the neurodegenerative condition by symptoms. Lucas, 59, had them. 
    • “But the neurologist, Dr. Jason Crowell, couldn’t be sure. The symptoms might be related to a traumatic brain injury Lucas suffered in a car accident decades earlier, he thought. Or they might be from her medications. 
    • “To find an answer, Crowell turned to a new test: a skin biopsy that can detect an abnormal protein people with Parkinson’s have inside their nerves. He took samples of skin near her ankle, knee and shoulder and sent them to a lab. 
    • “The results confirmed that Lucas has Parkinson’s. The diagnosis was scary, but Lucas finally knew what was causing her symptoms. “I was glad to have a name on it,” she said. 
    • “The test sped her diagnosis, said Crowell, a movement-disorders neurologist at the Norton Neuroscience Institute in Louisville, Ky. “It just gives me more confidence,” he said. 
    • “The skin test is an important part of progress researchers are making against Parkinson’s, the second-most common age-related neurodegenerative condition, which is on the rise and a major driver of disability, dementia and death. The test Lucas received, made by CND Life Sciences, a medical technology company in Scottsdale, Ariz., is one of a few in use or development to allow doctors to diagnose Parkinson’s based on biology rather than symptoms that can take years to appear.”
  • Medscape explains “why a new lung cancer treatment is so promising.”
  • MedPage Today notes,
    • “The FDA has approved aprocitentan (Tryvio), making it the first endothelin receptor antagonist for the treatment of high blood pressure (BP), Idorsia Pharmaceuticals announced on Wednesday.
    • “The once-daily oral medication is indicated in combination with other antihypertensive drugs to lower BP in adult patients who do not have their BP controlled with other therapies.
    • “It is believed that some people may respond better to the drug’s novel mechanism, as aprocitentan is a dual endothelin receptor antagonist that works differently than conventional diuretics, renin-angiotensin-aldosterone system antagonists, calcium channel blockers, and beta-blockers used to lower BP.”
  • Beckers Hospital Review considers the three generations of weight loss drugs.
    • “Anita Courcoulas, MD, defines GLP-1s as “generation one;” dual GLP-1 and GIPs as the second; and a triple threat of GLP-1, GIP and GCGRs as the third generation of weight loss drugs. 
    • “Dr. Courcoulas is chief of Pittsburgh-based UPMC’s minimally invasive bariatric and general surgery program. She told Becker’s the next class of anti-obesity medications are finally reaching weight loss outcomes seen from gastric sleeve and bypass procedures, the two most common surgeries for trimming pounds. * * *
    • “Dr. Courcoulas said the biggest unknown is long-term durability of these medications, a concern other bariatric experts have raised. 
    • “She expects GLP-GIP-GCGR medications to gain approval and enter the U.S. market next year. 
    • “I think it’s very exciting to realize there are medications that are under investigation now that could come to market that could have even better weight loss results than the two drug [classes] we’re seeing now,” Dr. Courcoulas said.”
  • The National Institutes of Health announced,
    • “SARS-CoV-2, the virus that causes COVID-19, can damage the heart even without directly infecting the heart tissue, a National Institutes of Health-supported study has found. The research, published in the journal Circulation, specifically looked at damage to the hearts of people with SARS-CoV2-associated acute respiratory distress syndrome (ARDS), a serious lung condition that can be fatal. But researchers said the findings could have relevance to organs beyond the heart and also to viruses other than SARS-CoV-2.
    • “Scientists have long known that COVID-19 increases the risk of heart attack, stroke, and Long COVID, and prior imaging research has shown that over 50% of people who get COVID-19 experience some inflammation or damage to the heart. What scientists did not know is whether the damage occurs because the virus infects the heart tissue itself, or because of systemic inflammation triggered by the body’s well-known immune response to the virus.
    • “This was a critical question and finding the answer opens up a whole new understanding of the link between this serious lung injury and the kind of inflammation that can lead to cardiovascular complications,” said Michelle Olive, Ph.D., associate director of the Basic and Early Translational Research Program at the National Heart, Lung, and Blood Institute (NHLBI), part of NIH. “The research also suggests that suppressing the inflammation through treatments might help minimize these complications.”
  • and
    • “An investigational gene therapy for a rare neurodegenerative disease that begins in early childhood, known as giant axonal neuropathy (GAN), was well tolerated and showed signs of therapeutic benefit in a clinical trial led by the National Institutes of Health (NIH). Currently, there is no treatment for GAN and the disease is usually fatal by 30 years of age. Fourteen children with GAN, ages 6 to 14 years, were treated with gene transfer therapy at the NIH Clinical Center and then followed for about six years to assess safety. Results of the early-stage clinical trial appear in the New England Journal of Medicine.
    • “The gene therapy uses a modified virus to deliver functional copies of the defective GAN gene to nerve cells in the body. It is the first time a gene therapy has been administered directly into the spinal fluid, allowing it to target the motor and sensory neurons affected in GAN. At some dose levels, the treatment appeared to slow the rate of motor function decline. The findings also suggest regeneration of sensory nerves may be possible in some patients. The trial results are an early indication that the therapy may have favorable safety and tolerability and could help people with the rapidly progressive disease.
    • “One striking finding in the study was that the sensory nerves, which are affected earliest in GAN, started ‘waking up’ again in some of the patients,” said Carsten G. Bonnemann, M.D., senior author and chief of the Neuromuscular and Neurogenetic Disorders of Childhood Section at the National Institute of Neurological Disorders and Stroke (NINDS), part of NIH. “I think it marks the first time it has been shown that a sensory nerve affected in a genetic degenerative disease can actually be rescued with a gene therapy such as this.”
  • Lifesciences Intelligence reports,
    • “Recently, JAMA Network Open published a study analyzing the association between a healthy diet, sleep duration, and type 2 diabetes (T2D) risk. The study data revealed that habitual short sleep duration was linked to an increased probability of T2D by as much as 41%.
    • “Using data on 247,867 individuals from the UK biobank, researchers divided patients into groups based on their sleeping habits. The stratified groups included normal (7–8 hours per night), mildly short (6 hours per night), moderately short (5 hours per night), and extremely short (3–4 hours per night).
    • “Across all study participants, only 3.2% were diagnosed with T2D; however, the adjusted hazard ratios revealed that the prevalence of T2D was higher among shorter sleep groups. More specifically, the increased probability of T2D was identified in those who slept 5 hours or less per night. Those in the moderate short sleep group were 16% more likely to have a T2D diagnosis. Additionally, those in the extremely short sleep group had a 41% greater likelihood of being diagnosed with T2D.”

From the U.S. healthcare business front,

  • BioPharma Dive relates,
    • “Orchard Therapeutics said Wednesday it will offer a new gene therapy to children with a rare, devastating disease at a record-setting wholesale price of $4.25 million. 
    • “The therapy, Lenmeldy, won Food and Drug Administration approval on Monday to treat patients with early-onset metachromatic leukodystrophy, or MLD. The disease, which most often attacks infants between six months and two years of age, robs patients of the ability to walk, talk and function in the world, killing most of its earliest victims within five years of onset.
    • “Lenmeldy’s price tag will leapfrog those of the two most expensive gene therapies available in the U.S. Sarepta Therapeutics sells its Elevidys treatment for Duchenne muscular dystrophy for $3.2 million, while CSL and UniQure’s hemophilia treatment Hemgenix costs $3.5 million.”
  • MedPage Today lets us know,
    • “Despite being a growing percentage of the physician workforce, women physicians continued to be paid less than their male colleagues, a strong body of evidence shows.
    • “While the gender pay gap decreased by 2% from 2021 to 2022 — from 28% to 26% — the gap was still significant, according to online networking service Doximity’s 2023 physician compensation report.
    • “Women doctors in 2022 earned nearly $110,000 less per year than men physicians, on average, after adjusting for specialty, location, and years of experience. Data from individual states have backed up this figure, too. For instance, in 2022, the Maryland State Medical Society conducted a survey and found that women doctors in Maryland are paid about $100,000 less annually than men.”
  • Beckers Hospital Review lists ten common issues in pharmacies.
  • United Healthcare updated its Change Healthcare cyberattack response website today.
  • HR Daily Advisor explains how companies are exploring the limitations of employee assistance plans amid the country’s mental health crisis.
  • Forbes reports,
    • “Medical diagnosis and procedure codes are so numerous and varied that Debbie Beall, manager of coding at Houston Methodist in Texas, needs a 49-person team to translate the medical notes written by the system’s 1,600 clinicians into the codes needed to bill insurers.
    • “There is a medical code for every imaginable scenario – from “burn due to water-skis on fire” to “spacecraft collision injuring occupant” — and their specificity determines how much the insurance companies pay. Each team member processes anywhere from 70 to 250 claims per day, depending on the complexity, she said. That’s why Beall is so excited about the possibility of using artificial intelligence to speed up the job.
    • “There’s no way I’m ever going to replace coders completely with an AI system,” Beall told Forbes. But for run-of-the-mill procedures performed multiple times a day in a hospital, like X-rays and EKGs? “Yes, an AI engine can do that.”
    • “Beall was one of the first dozen or so people to test a prototype of an AI-powered medical coding tool from electronic health records giant Epic Systems, which had $4.6 billion in revenue in 2022. Based on GPT-4, the large language model that powers the viral chatbot ChatGPT, Epic’s coding assistant prototype ingests and summarizes clinician notes and then tees up the “most likely” diagnosis codes and procedures codes, along with suggestions of “other potential codes,” according to mock ups viewed by Forbes that did not include real patient information. * * *
    • “While Epic has so far focused on using generative AI in back office functions, it has also been working on a patient-facing application that wouldn’t require human review. Krause told Forbes a tool that would help explain the patient’s bill, including their deductible and outstanding balance, could be rolled out by November. “We feel like that’s a fairly benign place to start. It’s not about healthcare at that point, but it’s really about their billing,” he said. “That’s not going to harm a patient in any way.”

   

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “A cyberattack on a payment processor that has crippled large parts of the U.S. health care system is inspiring calls in Washington to urgently implement cybersecurity regulations for the sector, setting up a showdown with hospital and health care groups that are stridently arguing against such a move. 
    • “As these companies have become so large, it is creating a systemic cybersecurity risk,” Sen. Ron Wyden, an Oregon Democrat, said Thursday during a Senate Finance Committee hearing featuring Health and Human Services Secretary Xavier Becerra, whose agency is responsible for overseeing the health care industry’s digital security standards. * * *
    • “The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture. HHS has proposed a voluntary set of cybersecurity standards and is working to develop mandatory rules, but these are unlikely to come into effect soon. 
    • “Until mandatory rules are in place, industry critics like Wyden want sharper action. “The next step has got to be fines and accountability for negligent CEOs, which will enable HHS to protect patients and our national security,” he said Thursday.”
  • Cybersecurity Dive adds,
    • “Ransomware remains a persistent threat, despite law enforcement actions aimed at disrupting the infrastructure threat actors rely on to conduct their attacks, according to the Office of the Director of National Intelligence’s latest annual threat assessment.
    • “Transnational organized criminals involved in ransomware operations are improving their attacks, extorting funds, disrupting critical services and exposing sensitive data,” said the report, which was publicly released Monday. “Important U.S. services and critical infrastructure such as healthcare, schools and manufacturing continue to experience ransomware attacks.”
    • “National intelligence leaders warned that the ransomware problem is worsening and is growing more difficult to combat.”
  • In this regard, the Wall Street Journal considers “Why Are Data Breaches Still Rising If Companies Are So Focused on Cybersecurity.”
    • Evolving ransomware attacks: * * * “First, after a slight drop [in 2022], [ransomware] attacks are on the rise again due to the emergence of ransomware gangs that franchise their malware and make it available to budding cybercriminals. This trend is allowing more criminals, even those with minimal computer knowledge, to get into the ransomware game.”
    • “Second, these attacks are becoming more damaging in that many attackers are now stealing their victims’ data, in addition to just locking it up. I refer to this new approach as Ransomware 2.0. The hackers threaten to disclose the private information if they don’t receive a ransom payment. This results in large leaks of corporate and consumer data that didn’t occur before.
    • Cloud misconfiguration: “More companies now store and maintain their corporate data in the cloud via services such as Amazon Web Services, Google Cloud and Microsoft Azure to avoid the expense of having to own and operate their own data centers. This is making the cloud an attractive target for hackers. In fact, 82% of breaches in 2023 involved data stored in the cloud, according to a recent IBM report.
    • “Cybercriminals are taking advantage of the fact that many organizations migrated rapidly to the cloud without fully understanding all of the configuration settings and establishing procedures to keep their data safe. As a result, errors and glitches in these settings are common, and many companies have no idea that their sensitive information is exposed to the public internet until it is too late. Such misconfigurations have become one of the most common security issues when deploying new cloud-based applications.
    • Exploitation of vendor systems: “Almost every company, especially large companies, relies on a network of vendors to provide services ranging from maintaining the air conditioning to updating software packages. These vendors often have special access to the company’s computers, which I refer to as “side doors,” similar to a passkey given to the cleaning crew.
    • “As large companies have become better prepared to repel cyberattacks, hackers have shifted their attention to vendors, often much smaller companies with limited cyber defense resources and expertise. Attackers exploit those weaknesses to first get into the vendor’s system, then use the vendor’s privileged access to get into the computer systems of every company that uses the vendor.” 
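The cloud-misconfiguration point above is concrete enough to check mechanically. The following is an added example, not part of the Wall Street Journal piece or of any cloud provider's tooling: a small linter for S3-style bucket policies that flags any Allow statement granting access to the anonymous principal ("*") with no restricting Condition, shown against a weak policy and its corrected form. The bucket name, account ID and role name in the sample policies are constructed placeholders.

```python
"""Minimal bucket-policy linter (added illustration, not vendor code).

Flags "Allow" statements whose Principal is the world ("*" or {"AWS": "*"})
and that carry no Condition narrowing the grant.  The two sample policies
below are constructed for this example; the account ID 111122223333 and the
bucket/role names are placeholders.
"""
import json


def _as_list(value):
    """Policy grammar allows a scalar or a list in many fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True when the statement applies to anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: dict) -> list:
    """Return the Sid (or positional label) of every unconditionally public Allow."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) narrows the grant; it still
            # deserves a manual review but is not unconditionally public.
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def is_public(policy: dict) -> bool:
    """Convenience wrapper for gating a deployment pipeline."""
    return bool(find_public_statements(policy))


# Weak setting: the bucket is readable and listable by the whole internet.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-claims-data",
                  "arn:aws:s3:::example-claims-data/*"]}
  ]
}""")

# Corrected setting: the same grant scoped to one named role in one account.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProcessorRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ClaimsProcessor"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-claims-data",
                  "arn:aws:s3:::example-claims-data/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-claims-data",
                  "arn:aws:s3:::example-claims-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public statements:", find_public_statements(policy))
```

The Deny statement in the hardened policy uses Principal "*" deliberately: a world-scoped Deny is the usual way to force TLS on every caller, and the linter only reports world-scoped Allows, so it is not flagged. In practice this check belongs in the same pipeline that applies the policy, so an exposed bucket is rejected before deployment rather than discovered after the data is already on the public internet.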

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “The Cybersecurity and Infrastructure Security Agency was hit by a cyberattack earlier this year after a yet-to-be identified threat actor intruded the agency’s systems by exploiting critical vulnerabilities in Ivanti products.
    • “About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson told Cybersecurity Dive Friday. Threat actors started widely exploiting a pair of zero-day vulnerabilities in Ivanti Connect Secure and other remote access VPNs in early December.
    • “The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.”
  • It happens to the best of us.
  • SC Media informs us,
    • “StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics.
    • “StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically targets smaller targets with an average ransom payment size of $619 in the first half of 2023, according to a mid-year report by Chainalysis.
    • “SonicWall reported Tuesday that a new StopCrypt variant employs several evasion tactics in a multi-stage shellcode deployment process, including a long delay loop, dynamic API resolution and process hollowing, or the replacement of code in a legitimate executable with malicious code. * * *
    • “The STOP variant described by SonicWall bears similarities to a variant discovered by PCrisk researchers last year, which was originally submitted through VirusTotal. Similarities include the “.msjd” file extension and the ransom note, including the threat actor’s contact information.”
  • UHC continues to update its Change Healthcare cyberattack response site. The new feature is a “how-to video on the temporary funding process for UnitedHealthcare providers.”

From the cybersecurity defenses front,

  • Healthcare IT News offers an interview with Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, about early lessons learned from the Change Healthcare situation.
  • SC Media offers an expert article on the same topic.
  • Tech Target makes available ten best practices for deploying patches.