Cybersecurity Saturday

From the cybersecurity policy front,

  • Fedscoop reports,
    • “Chris DeRusha is exiting his role as federal chief information security officer after more than three years on the job, the Office of Management and Budget confirmed Tuesday [May 14].
    • “DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan.  * * *
    • “As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 
    • “DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.”
  • Cyberscoop adds,
    • “[T]op official at the Cybersecurity and Infrastructure Security Agency, Eric Goldstein, is stepping down from his role at the agency next month.
    • “As executive assistant director for cybersecurity, Goldstein has had his hands in many of CISA’s major undertakings, from its goal of pressuring companies into making their products secure during the design process to issuing emergency directives for agencies to shoring up defenses against vulnerabilities.”
  • Cyberscoop also offers an interview with Mr. Goldstein.
  • The CISA Director Jen Easterly discusses the “ninth iteration of the national cyber exercise, Cyber Storm. The planners, representing private industry, federal, state, and international government partners, managed an exercise that spanned across the globe to simulate a coordinated cyberattack targeting critical infrastructure. * * * Outcomes from Cyber Storm IX will be published later this year at Cyber Storm: Securing Cyber Space | CISA.”

From the cyber vulnerabilities front,

  • Cybersecurity Dive reports,
    • The threat from nation state cyber adversaries with ties to Russia and China is growing more sophisticated and dangerous, National Cyber Director Harry Coker Jr. warned Tuesday [May 14]. International cooperation is required to defend common economic and national security interests, he said in a keynote speech at CyberUK 2024 in Birmingham, England.
    • Coker said Russia has enhanced its capabilities since the beginning of the Ukraine invasion in 2022, which has helped it gain success on the battlefield. 
    • “The Russian cyber threat in 2024 marks a new standard of aggression, persistence and operational agility,” Coker said.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added six known exploited vulnerabilities to its catalog this week.
    • On May 13
      • CVE-2024-4671 Google Chromium in Visuals Use-After-Free Vulnerability
    • On May 14
      • CVE-2024-30051 Microsoft DWM Core Library Privilege Escalation Vulnerability
      • CVE-2024-30040 Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability
    • On May 15
      • CVE-2014-100005 D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability
      • CVE-2021-40655 D-Link DIR-605 Router Information Disclosure Vulnerability
      • CVE-2024-4761 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

From the Ascension Healthcare breach front,

  • Here’s a link to the Ascension website about its May 8 “cybersecurity event.”
  • Cybersecurity Dive tracks the state by state impact of the event here.
  • The hospital community is praising Ascension for its transparency per Beckers Hospital Review.
  • Notwithstanding the kudos, Healthcare Dive reports,
    • “Ascension is staring down two proposed class-action lawsuits just one week after a cyberattack took systems offline across its 140-hospital portfolio, forcing the nonprofit system to divert ambulances and pause elective care.
    • “In complaints filed in the District Courts of Illinois and Texas plaintiffs allege Ascension acted negligently by failing to encrypt patient data and said the attack leaves them “at a heightened risk of identity theft for years to come.”
    • “Ascension has not said the attack compromised patient data. However, an investigation remains ongoing.”

From the ransomware front,

  • IT Pro examines the Black Basta ransomware variant.
    • CNN reported that Black Basta was the variant of ransomware used [against Ascension] while Healthcare IT security group Health-ISAC said the group has recently accelerated attacks against the healthcare sector.
    • “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions. Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector,” it said.
  • Cybersecurity Dive adds,
    • Microsoft researchers warn that a financially-motivated hacker has misused the company’s Quick Assist client management tool since mid-April in social-engineering attacks, ultimately leading to the deployment of Black Basta ransomware, according to a blog post released Wednesday [May 15]. With Quick Assist, users can remotely connect Windows or macOS with another person.
    • The attacks began using voice phishing, also known as vishing, and led to malicious use of remote-monitoring tools like ScreenConnect or NetSupport Manager, according to Microsoft. The hackers also deployed malware, including Cobalt Strike or Qakbot, before launching the Black Basta ransomware.
    • The disclosure came less than a week after the FBI and Cybersecurity and Infrastructure Security Agency warned about Black Basta ransomware being deployed in hundreds of attacks against critical infrastructure and healthcare worldwide.
  • Cybersecurity Dive further notes,
    • “Remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year, cybersecurity insurance firm At-Bay said Wednesday [May 15] in a report.
    • “Attackers primarily targeted perimeter-access tools in 2023, but shifted their focus from remote desktop protocol to targeting self-managed VPNs. These on-premises VPNs were linked to more than 3 in 5 ransomware attacks where remote access was the initial entry vector, according to At-Bay.
    • “Attackers go after the same things. If you have a city that has walls around it, you’re going to go after the gate because the gate is a weaker point than the actual wall,” Rotem Iram, At-Bay founder and CEO, said last week at an Axios event on the sidelines of the RSA Conference in San Francisco.”
  • Tech Target offers National Security Agency views on the ransomware front while Politico reports on what happens after a ransomware attack is discovered.
  • Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front,

  • Here’s a link to Dark Reading’s CISO Corner.
  • Cybersecurity Dive reports,
    • “A once volatile cyber insurance market has stabilized considerably as new companies have entered an increasingly competitive market, helping lower premium costs and raise coverage limits, according to S&P Global Ratings research released last week.
    • “Insurance companies have evolved underwriting methods by incorporating sophisticated tools to assess potential cyber risk with more flexibility and personalization, according to S&P. 
    • “Municipal governments have made significant advances in their ability to manage cyber risk and respond to malicious attacks, too, S&P found. After years of foregoing expensive commercial policies, these local organizations are now incorporating cyber risk coverage, while smaller governments in many cases are joining cyber risk pools.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The Biden administration plans to pursue a liability framework to hold the software industry accountable for insecure software, according to administration officials and documents released by the Office of the National Cyber Director this week. 
    • “Federal officials said they have taken steps toward a long-stated goal of shifting the security burden away from technology users and onto the industry. 
    • “The administration wants to pursue a plan to create incentives that will help enable long-term investment in cybersecurity and resilience, Nick Leiserson, assistant national cyber director for cyber policy and programs, said during a panel Monday [May 6] at the RSA Conference in San Francisco.
    • “Leiserson cautioned the objective was not to create a liability framework for the purposes of opening up the software industry to lawsuits.
    • “That’s not the point,” Leiserson said during the panel discussion. “The point is to secure investments in secure software development.”
  • and
    • “The Biden administration plans to launch aggressive actions to enhance cyber resilience across key critical infrastructure sectors, including the healthcare and water sectors, which were the targets of significant threat activity in recent months, according to a report released Tuesday by the Office of the National Cyber Director.
    • “The U.S. wants to speed the flow of intelligence sharing and facilitate closer cooperation with the private sector. The administration also plans to enhance its ability to proactively disrupt threat activity and take down malicious actors. 
    • “We are in the midst of a fundamental transformation in our nation’s cybersecurity,” National Cyber Director Harry Coker Jr., said in a statement. “We have made progress in realizing an affirmative vision for a safe, prosperous and equitable digital future, but the threats we face remain daunting.”
  • In that regard, Govinfosecurity adds,
    • “As the Department of Health and Human Services works on a proposed update to the HIPAA Security Rule this year, regulators are also ratcheting up enforcement efforts – including resuming long-dormant HITECH Act HIPAA audits, said Melanie Fontes Rainer, director of HHS’ Office for Civil Rights. * * *
    • “HHS OCR plans by the end of the year to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that’s occurred over the last two decades since the regulations were first issued, she said.
    • “The beauty of the HIPAA Security Rule is that it’s 20 years old – it is technology-neutral, and it’s scalable. So we’re still able to use it and enforce the law vigorously,” she said in a video interview with Information Security Media Group. 
    • “But at the same time, “the downside of the HIPAA Security Rule is that it’s 20 years old and doesn’t reflect how we receive healthcare today,” she adds. “That’s why we’re taking a look at it to make sure we’re building into it practices – like end-to-end encryption – and things like that.”
  • Cyberscoop reports,
    • The U.S. and British governments on Tuesday [May 7] identified Dmitry Yuryevich Khoroshev as the leader, developer and administrator of the LockBit ransomware operation, one of the most prolific and profitable cybercriminal syndicates in recent years.
    • Khoroshev, a Russian national, has been LockBit’s main administrator and developer since at least September 2019 continuing through the present, U.S. federal prosecutors said in an indictment unsealed Tuesday. Since its inception, LockBit has been used in attacks against more than 2,500 targets in at least 120 countries, leading to at least $500 million in ransom payments to Khoroshev and his affiliates and “billions of dollars in broader losses, such as revenue, incident response, and recovery,” the Department of Justice said in a statement.
  • Dark Reading points out that at the RSA Conference “CISA courted the private sector to get behind CIRCIA Reporting Rules. New regulations will require the private sector to turn over incident data to CISA within three days or face enforcement. Here’s how the agency is presenting this as a benefit to the entire private sector.”

From the cyber breaches and vulnerabilities front,

  • Cyberscoop reports,
    • Ascension, a health care system with 140 hospitals in 19 states and Washington, D.C., and tens of thousands of employees and affiliated providers, detected a “cyber security event” Wednesday [May 8] that has caused a “disruption to clinical operations,” the company said.
    • Major impacts to medical services have been reported in multiple states, including Kansas, Florida and Michigan, including some patients being diverted to other hospitals and lack of access to digital records.
    • “We have to write everything on paper,” one physician in Michigan told the Detroit Free Press. “It’s like the 1980s or 1990s.”
  • Dark Reading adds,
    • “The provider has temporarily paused non-emergency medical procedures and appointments, and some hospitals are diverting emergency medical services. Patients were advised to bring relevant medical information to appointments due to system limitations.
    • “We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures,” a company statement said. “It is expected that we will be utilizing downtime procedures for some time.”
    • “The organization has tapped incident response help from Mandiant for investigation and remediation efforts. It is unknown if any patient data was exposed in the attack.
    • “We are working to fully investigate what information, if any, may have been affected by the situation,” Ascension said. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”
  • Cybersecurity Dive tells us,
    • “The FBI and Cybersecurity and Infrastructure Security Agency urged software companies to eliminate directory traversal vulnerabilities from their products, citing a rise in attacks against critical industries, including hospitals and school operations, in a secure by design alert released Thursday.
    • “The agencies are seeking industry action following two recent campaigns where threat groups engaged in extensive exploitation activity. The agencies referenced a path traversal vulnerability in ConnectWise ScreenConnect, listed as CVE-2024-1708, and a vulnerability in the file upload functionality of Cisco AppDynamics Controller, listed as CVE-2024-20345.
    • “In total, directory traversal or path traversal vulnerabilities were identified in 55 different cases listed on CISA’s Known Exploited Vulnerabilities catalog, according to the alert.”

From the ransomware front,

  • American Hospital Association News informs us,
    • “The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center May 10 released a joint cybersecurity advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the health care and public health sector.”
  • Bleeping Computer’s The Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • Cybersecurity Dive calls attention to the fact that “Officials see a real change in Microsoft’s security plans: financial accountability. CISA Director Jen Easterly pointed to Microsoft’s decision to link security to executive compensation as a meaningful signal of its priorities.”
  • Tech Target offers “five tips for building a cybersecurity culture at your company.”
  • Dark Reading considers the future path of CISOs while the ISACA Blog notes “A Better Path Forward for AI By Addressing Training, Governance and Risk Gaps.”
  • Finally, SC Media dives into the cybersecurity insurance market.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive lets us know,
    • “Legislators slammed UnitedHealth Group CEO Andrew Witty over the cyberattack on subsidiary Change Healthcare at two Congressional hearings on Wednesday, raising concerns about the technology firm’s lack of cybersecurity and the potentially huge breach of Americans’ health data.”
  • The American Hospital News reports
    • “The Biden Administration April 30 released a memo announcing updated critical infrastructure protection requirements, which include the Cybersecurity & Infrastructure Security Agency acting as the National Coordinator for Security and Resilience, and heightening the importance of minimum security and resilience requirements within health care and other critical infrastructure sectors, consistent with the National Cybersecurity Strategy.”  
  • and
    • “The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber incident and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule would require critical infrastructure organizations, including hospitals and health systems, to report a covered cyber incident to the federal government within 72 hours and ransom payments within 24 hours, among other requirements.”
  • Cyberscoop adds,
    • “A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.
    • “The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency’s biggest forays into a regulatory role — and it is proving to be a thorny one. The 447-page draft rule, released in March, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks — such as the SolarWinds espionage campaign — highlighted the fact that many attacks go unnoticed.
    • “Witnesses before the House Homeland Security’s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders — particularly smaller organizations — could be hampered by trying to both file reports and deal with an attack. CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.”
  • Health IT Security informs us,
    • “The Federal Trade Commission (FTC) finalized updates to its Health Breach Notification Rule (HBNR) with the goal of clarifying the rule’s applicability to health apps and other technologies that fall outside HIPAA’s purview.
    • “The FTC issued the HBNR more than a decade ago, when health apps were not as embedded into the US healthcare landscape as they are now. The HBNR requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that are not subject to HIPAA to notify the FTC and impacted individuals in the event of a health data breach.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “A ransomware group accessed Change Healthcare’s systems with compromised credentials, UnitedHealth Group CEO Andrew Witty said in written testimony prepared for a Wednesday hearing before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations.
    • “On Feb. 12, the AlphV ransomware group used those compromised credentials to “remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in his prepared remarks. “The portal did not have multifactor authentication.” 
    • “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said.”
  • and
    • “The exploitation of vulnerabilities almost tripled as an initial access vector in 2023, fueled in part by the MOVEit breach, Verizon said in its Data Breach Investigations Report released Wednesday.
    • “Ransomware actors increasingly targeted zero-day vulnerabilities in IT systems, Verizon found. About a third of all breaches in 2023 included some type of extortion, and MOVEit involved Clop ransomware exploiting zero-day vulnerabilities in the file-transfer service.
    • “The report shows 15% of breaches involved a third party, which includes data custodians, software vulnerabilities and direct or indirect supply chain issues, according to the report. This figure represented a 68% increase from the prior year, Verizon said.”
  • and
    • “Pro-Russia hacktivists are targeting operational technology systems in the water, energy and agricultural sectors by exploiting poor cyber hygiene techniques, the Cybersecurity and Infrastructure Security Agency warned Wednesday. CISA issued a joint fact sheet with the FBI, National Security Agency and multiple international agencies.
    • “Threat groups are looking to compromise industrial control systems at small-scale operations in North America and Europe that are exposed to the internet and use default passwords or lack multifactor authentication, officials warned.
    • “The targeting thus far has involved unsophisticated techniques that target components like human-machine interfaces. The agencies urged providers to immediately change to more complex passwords and implement multifactor authentication.” 
  • SC Media offers five takeaways from the Verizon report.
  • Bleeping Computer tells us,
    • “The NSA and FBI warned that the APT43 North Korea-linked hacking group exploits weak email Domain-based Message Authentication Reporting and Conformance (DMARC) policies to mask spearphishing attacks.
    • “Together with the U.S. State Department, the two agencies cautioned that the attackers abuse misconfigured DMARC policies to send spoofed emails which appear to come from credible sources such as journalists, academics, and other experts in East Asian affairs.”
    • “The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications,” the NSA said.”
  • CISA added the following known exploited vulnerabilities to its catalog this week.
    • On April 30, CVE-2024-29988 Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability, and
    • On May 1, CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability.
  • Tech Republic adds, “Researchers from the University of Illinois Urbana-Champaign found that OpenAI’s GPT-4 is able to exploit 87% of a list of vulnerabilities when provided with their NIST descriptions.”
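The DMARC item above turns on domains whose published policy does not act on authentication failures. As an added example (not code from the post, Bleeping Computer, or the NSA/FBI advisory), the following linter parses DMARC TXT records and reports why each would let spoofed mail through; the records, domain names, and the thresholds it applies (pct below 100, sp weaker than p, no rua address) are this example's own constructed choices, and no DNS lookups are made.

```python
"""Flag weak DMARC policies of the kind the NSA/FBI advisory describes.

Added example, not code from the original post or the advisory. The
records below are constructed samples; nothing is resolved over DNS.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed DMARC TXT records keyed by domain, shaped like what a resolver
# returns for _dmarc.<domain>. A missing key stands for "no record published".
SAMPLE_RECORDS: dict[str, Optional[str]] = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "lenient.example": "v=DMARC1; p=none; rua=mailto:dmarc@lenient.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "broken.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

# Hypothetical container for one domain's result (this example's own type).
@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]               # p= value, or None if no valid record
    findings: list[str] = field(default_factory=list)

    @property
    def is_weak(self) -> bool:
        return bool(self.findings)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs with lower-cased tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """List the reasons a domain's policy would not stop spoofed mail.

    The checks (pct < 100, sp weaker than p, missing rua) are this example's
    choices for what counts as weak, not thresholds from the advisory.
    """
    result = DmarcAssessment(domain=domain, policy=None)
    if record is None:
        result.findings.append("no DMARC record published")
        return result
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("record is not a DMARC1 record")
        return result

    policy = tags.get("p", "").lower()
    result.policy = policy or None
    if policy not in ("quarantine", "reject"):
        result.findings.append(f"p={policy or 'missing'} does not act on failures")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        result.findings.append(f"pct={pct} applies the policy to only part of the mail")

    rank = {"none": 0, "quarantine": 1, "reject": 2}
    sub = tags.get("sp", "").lower()
    if sub and rank.get(sub, 0) < rank.get(policy, 0):
        result.findings.append(f"sp={sub} is weaker than p={policy} for subdomains")

    if "rua" not in tags:
        result.findings.append("no rua= address, so failures are never reported")
    return result


def weak_domains(records: dict[str, Optional[str]]) -> list[str]:
    """Names of the domains in `records` whose policy has at least one finding."""
    return sorted(d for d, r in records.items() if assess_dmarc(d, r).is_weak)


if __name__ == "__main__":
    for domain in list(SAMPLE_RECORDS) + ["absent.example"]:
        a = assess_dmarc(domain, SAMPLE_RECORDS.get(domain))
        status = "WEAK" if a.is_weak else "ok"
        print(f"{domain:18} p={a.policy!s:11} {status}: {'; '.join(a.findings)}")
```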

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.
  • Security Week reports, “In the wake of a scathing US government report that condemned Microsoft’s weak cybersecurity practices and lax corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.”
  • ISACA released its 2023 annual report. “Access ISACA’s annual report here.”
  • Mercer Consulting considers how to modernize HR data strategy to address cybersecurity risks.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. government and its partners have slowed the swell of ransomware over the last three years, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Wednesday at an event.
    • “But the cyclical and persistent threat ransomware poses requires new ways of thinking, Easterly said, speaking at the Institute for Security and Technology’s annual ransomware task force event. Defenders and stakeholders have to turn the lens to software and hardware vendors, according to Easterly.
    • “There’s a lot about the villains. There’s a lot about victims. We do not talk enough about vendors,” she said.
    • “The way we are going to actually drive down the number of attacks, and the number of successful attacks, is if we go upstream and ensure that technology that is deployed and delivered is in fact prioritized to be secure,” Easterly said. “Not features, not speed to market, not driving down costs, but secure.”
  • Here is a link to a related blog post from the CISA Director on this important topic.
  • Cyberscoop adds,
    • ‘The Cybersecurity and Infrastructure Security Agency’s vulnerability warning program has issued more than 2,000 alerts to date to organizations that are running software with vulnerabilities being exploited by ransomware gangs, the agency’s director, Jen Easterly, said Wednesday.
    • “Currently running in a pilot phase, the program is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated. 
    • “The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said at an event hosted by the Institute for Security and Technology.
    • “Easterly said that since the pilot was launched in January of last year, it has expanded to include CISA’s database of known exploited vulnerabilities as well as common misconfigurations that can be linked to ransomware attacks. 
    • “In a Thursday blog about the warning pilot, CISA found that of the more than 1,700 notifications of vulnerable devices in 2023, 49% were mitigated through either patching, taking offline, or through other measures. The blog also said organizations reduce cyber risk when using CISA’s free cyber hygiene vulnerability scanning service, which monitors the web for vulnerable devices.
    • “Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” CISA said.”

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “UnitedHealth Group said [on April 22] it paid hackers a ransom in an attempt to protect patient information from disclosure after a cyberattack against its subsidiary Change Healthcare in February, the company confirmed to Healthcare Dive on Monday.
    • “The healthcare behemoth also said patient data was compromised. UnitedHealth found files involved in the cyberattack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America,” according to a press release. 
    • “UnitedHealth also said 22 screenshots of allegedly stolen files, some containing patient health information, were posted on the dark web for about a week. The healthcare giant said it’s continuing to monitor the internet and the dark web for stolen data. * * *
    • “The company also said it would take on breach reporting and notification requirements for customers whose data may have been exposed in the attack — a big concern for provider groups.”
  • Tech Crunch reports,
    • “U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).
    • “In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
    • “Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
    • “Kaiser said it subsequently removed the tracking code from its websites and mobile apps. * * *
    • “Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.
    • “The health giant also filed a legally required notice with the U.S. government on April 12 but made public on Thursday confirming that 13.4 million residents had information exposed.”
  • Help Net Security informs us,
    • “More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.
    • “Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.
    • “LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “Global median dwell times — measured as the time that hackers remain undetected inside a targeted environment — have fallen to their lowest levels in more than a decade, according to the annual M-Trends report from Google Cloud’s Mandiant, released Tuesday. 
    • “Organizations were able to detect intrusions within a median of 10 days in 2023, compared with 16 days in 2022. Notably the largest improvements came in the Asia-Pacific region, where median dwell times fell to nine days in 2023, compared with 33 in 2022.  
    • “Zero-day vulnerabilities are a hot target for espionage actors as well as financially motivated threat groups. Zero-day usage rose 50% in 2023, compared with the prior year.”
  • and
    • “The majority of companies, 4 in 5, have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by cyber risk quantification firm CYE.
    • “On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.
    • “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release.” 
  • Here is a link to Dark Reading’s latest CISO Corner.
  • SC Media considers whether the Change Healthcare case finally will make providers do a business impact analysis.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop informs us,
    • “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
    • “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
    • “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
    • “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”
  • The Hill reports,
    • “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.
    • “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”
  • Cybersecurity Dive adds,
    • The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
    • The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including: 
      • Concerns about a ban’s impact on ransom payment reporting by victims. 
      • The potential to drive more payments underground. 
      • And the unintended consequences and practicalities of critical infrastructure exemptions.
      • Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.” 
    • “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.
  • The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
    • “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
    • “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
    • “We recommended that these agencies implement the order’s remaining requirements.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced,
    • “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
    • “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks – Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
    • “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products. 
    • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
    • “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”
  • On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks Firewalls (CVE-2024-3400).
    • On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Per Cybersecurity Dive,
    • “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
    • “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
    • “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”
  • Dark Reading adds,
    • “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
    • “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
    • “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis as a promising use-case example.”
  • and
    • “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
    • “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
    • “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 
    • “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”
  • Healthcare IT Security lets us know,
    • “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
    • “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
    • “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

  • SC Media reports,
    • “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware site.]
    • “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
    • “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
    • “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
  • and
    • “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
    • “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
    • “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
    • “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”
  • TechTarget identifies the top 13 ransomware targets in 2024 and beyond.
  • Bleeping Computer’s The Week in Ransomware is back.

From the cybersecurity defenses front,

  • “Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
    • “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
    • PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
    • “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
    • CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”
  • Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
    • “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
    • “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.” 
  • On April 15, CISA issued joint guidance on deploying AI systems securely.
  • Tech Target offers four tips on securing cybersecurity insurance this year.
  • An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security.
    • “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray. 
    • “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
  • and
    • “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
    • “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
    • The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
  • and
    • “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted. 
    • “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
    • “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”
  • NextGov relates,
    • “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
    • “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”
  • “DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.
  • Federal News Network lets us know,
    • “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
    • “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
    • “Federal News Network has learned Connelly’s last day will be April 19. * * *
    • “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
    • “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop informs us,
    • “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
    • CISA’s directive comes in the week after CyberScoop first reported its existence.
    • “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
    • “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”
  • Cybersecurity Dive tells us,
    • “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
    • “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families. 
    • “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”
  • Cyberscoop offers the reflections of Mandiant experts on this cybersecurity landscape.
  • Security Week lets us know,
    • “Palo Alto Networks disclosed [the] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation [by a state-sponsored actor] and promising patches within the next two days.
    • “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
    • “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”
  • CISA added new known exploited vulnerabilities to its catalog this week.
    • April 11, 2024
      • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
      • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
    • April 12, 2024
      • CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
    • FEHBlog note: the CVE identifiers above are the entries catalogued in the NIST National Vulnerability Database discussed above.
  • The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
    • “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMware, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
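Agencies told by the emergency directive above to reset credentials that appeared in exfiltrated correspondence still have to work out which messages actually carried secrets and of what kind. The following is an added example (my own, not code from the FEHBlog, CISA or Microsoft) that scans a few constructed messages with Python's standard email module for common secret shapes (password assignments, an AWS access key ID in Amazon's documented example format, bearer tokens) and turns the hits into a rotation list. The addresses, message contents and regular expressions are illustrative assumptions; a real triage would use a fuller pattern set and the per-message metadata Microsoft said it would supply.

```python
import re
from email import message_from_string

# Secret shapes to look for. These patterns are illustrative assumptions, not a
# complete set; each has exactly one capture group for the secret value.
PATTERNS = {
    "password": re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(\S+)", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{16,}=*)", re.IGNORECASE),
}

# Constructed messages: addresses, Message-IDs and contents are made up.
# The AWS key is Amazon's published example key, not a real credential.
SAMPLE_MESSAGES = [
    """From: support@vendor.example.com
To: admin@agency.example.net
Subject: Staging portal access
Message-ID: <msg-001@vendor.example.com>

Temporary password: Tr0ub4dor&3 (expires Friday). Please change it after login.
""",
    """From: dba@agency.example.net
To: support@vendor.example.com
Subject: Connection string for the claims DB
Message-ID: <msg-002@agency.example.net>

Use: Server=db01;Database=claims;User Id=app;Password=s3cr3t!;
""",
    """From: cloud-team@agency.example.net
To: support@vendor.example.com
Subject: Read-only key for the export bucket
Message-ID: <msg-003@agency.example.net>

Access key ID: AKIAIOSFODNN7EXAMPLE (secret sent out of band).
""",
    """From: it-helpdesk@agency.example.net
To: all-staff@agency.example.net
Subject: Reminder
Message-ID: <msg-004@agency.example.net>

Please reset your password via the self-service portal before May 1.
""",
    """From: dev@vendor.example.com
To: admin@agency.example.net
Subject: API test command
Message-ID: <msg-005@vendor.example.com>

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1jb25zdHJ1Y3RlZC1ib2R5.c2lnbmF0dXJl" https://api.vendor.example.com/claims
""",
]


def _body(msg):
    """Return the text/plain body of a parsed message (joins parts if multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def _hint(value):
    """Non-reversible hint for the report: first three characters plus length."""
    return f"{value[:3]}...({len(value)})"


def scan_messages(raw_messages):
    """Return one finding per secret-looking value, in message order.

    The secret itself is never stored in the finding, only a hint, so the
    report can be circulated without becoming a second leak.
    """
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        text = _body(msg)
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(1).rstrip(";,.)\"'")
                findings.append({"message_id": msg["Message-ID"], "subject": msg["Subject"],
                                 "kind": kind, "hint": _hint(value)})
    return findings


def rotation_summary(findings):
    """Count findings by kind: what must be rotated, not merely who was mailed."""
    summary = {}
    for f in findings:
        summary[f["kind"]] = summary.get(f["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    found = scan_messages(SAMPLE_MESSAGES)
    for f in found:
        print(f"{f['kind']:<18}{f['hint']:<12}{f['message_id']}  {f['subject']}")
    print("rotate:", rotation_summary(found))
```

The fourth message mentions a password but carries none, and is correctly skipped; the point of the exercise is to rotate what was exposed, not to panic over every message that contains the word.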
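The KEV entries listed above are only useful once joined against what an organization actually runs. The following is an added example (not code from the FEHBlog, CISA, Palo Alto Networks or D-Link) that parses a constructed sample of CISA's KEV JSON feed, whose field names follow the public feed, and matches it against a hypothetical asset inventory to produce a patch list ordered by KEV due date. The PAN-OS rule encodes the point made in the Palo Alto Networks items above: a device on an affected 10.2/11.0/11.1 train with a GlobalProtect gateway is flagged whether or not device telemetry is enabled, because disabling telemetry was withdrawn as a mitigation. The inventory, the hotfix_applied flag, the affected-train set, the NAS rule and the dates in the sample are all assumptions for illustration, not the live catalog.

```python
import json
from datetime import date

# Constructed sample of the KEV feed. Field names follow the public JSON feed
# (known_exploited_vulnerabilities.json); dates here are illustrative only.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-3272", "vendorProject": "D-Link", "product": "Multiple NAS Devices",
         "vulnerabilityName": "D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability",
         "dateAdded": "2024-04-11", "dueDate": "2024-05-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-3273", "vendorProject": "D-Link", "product": "Multiple NAS Devices",
         "vulnerabilityName": "D-Link Multiple NAS Devices Command Injection Vulnerability",
         "dateAdded": "2024-04-11", "dueDate": "2024-05-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "Palo Alto Networks PAN-OS Command Injection Vulnerability",
         "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical asset inventory (constructed). "hotfix_applied" is an assumed
# inventory attribute recording that the vendor hotfix has been installed.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "version": "11.1.2",
     "globalprotect_gateway": True, "telemetry": False, "hotfix_applied": False},
    {"host": "fw-dc-02", "vendor": "Palo Alto Networks", "product": "PAN-OS", "version": "10.2.9-h1",
     "globalprotect_gateway": True, "telemetry": True, "hotfix_applied": True},
    {"host": "fw-lab-03", "vendor": "Palo Alto Networks", "product": "PAN-OS", "version": "10.1.9",
     "globalprotect_gateway": True, "telemetry": True, "hotfix_applied": False},
    {"host": "fw-branch-04", "vendor": "Palo Alto Networks", "product": "PAN-OS", "version": "11.0.3",
     "globalprotect_gateway": False, "telemetry": True, "hotfix_applied": False},
    {"host": "nas-01", "vendor": "D-Link", "product": "NAS", "version": "1.0", "type": "nas"},
    {"host": "web-05", "vendor": "Canonical", "product": "Ubuntu", "version": "22.04"},
]

# Affected release trains per the vendor advisory quoted in the post.
PANOS_AFFECTED_TRAINS = {"10.2", "11.0", "11.1"}


def panos_train(version):
    """'10.2.9-h1' -> '10.2' (maintenance level and hotfix suffix ignored)."""
    return ".".join(version.split("-")[0].split(".")[:2])


def panos_3400_exposed(asset):
    # Affected train + GlobalProtect gateway enabled, and no hotfix yet.
    # Device telemetry is deliberately NOT consulted: disabling it was
    # retracted as a mitigation, so it must not clear the finding.
    return (panos_train(asset["version"]) in PANOS_AFFECTED_TRAINS
            and asset.get("globalprotect_gateway", False)
            and not asset.get("hotfix_applied", False))


def dlink_nas(asset):
    # Assumption: the inventory tags NAS appliances with type == "nas".
    return asset.get("type") == "nas"


# Per-CVE refinement applied after the vendor match (simplified assumptions).
REFINEMENTS = {
    "CVE-2024-3400": panos_3400_exposed,
    "CVE-2024-3272": dlink_nas,
    "CVE-2024-3273": dlink_nas,
}


def load_kev(text):
    """Parse KEV JSON into {cveID: record}."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def matches(asset, entry):
    """Vendor must match; then the CVE-specific rule, else an exact product match."""
    if asset["vendor"].lower() != entry["vendorProject"].lower():
        return False
    refine = REFINEMENTS.get(entry["cveID"])
    if refine is not None:
        return refine(asset)
    return asset["product"].lower() == entry["product"].lower()


def prioritize(inventory, kev, today_iso):
    """Return findings sorted by KEV due date (soonest first), then host and CVE."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev.values():
            if matches(asset, entry):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({"host": asset["host"], "cveID": entry["cveID"],
                                 "dueDate": entry["dueDate"], "days_left": (due - today).days,
                                 "ransomware_use": entry["knownRansomwareCampaignUse"]})
    findings.sort(key=lambda f: (f["dueDate"], f["host"], f["cveID"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_SAMPLE), "2024-04-13"):
        print(f"{f['host']:<14}{f['cveID']:<16}due {f['dueDate']} ({f['days_left']:>2}d left)")
```

Note which firewalls do not appear in the output: the 10.1 device (train not affected), the 11.0 device with no GlobalProtect gateway, and the 10.2 device that has the hotfix. The one with telemetry switched off is still listed.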

From the ransomware front,

  • TechTarget notes,
    • “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
    • “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
    • “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
    • “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”
  • WIRED reports,
    • “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
    • “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
    • “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
    • “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”
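The Sophos findings quoted above (RDP abuse, RDP left exposed, missing MFA, thin logs) translate directly into two detections worth running over existing logon telemetry. The following is an added example (not Sophos's code or the FEHBlog's) that processes constructed Windows Security events exported as JSON lines, using the real 4624/4625 field names, and flags RemoteInteractive (LogonType 10) logons arriving from outside RFC 1918 space, plus successful RDP logons that follow a burst of failures from the same source and account. It checks RFC 1918 membership itself rather than using ipaddress.is_private, because that property also returns True for the documentation ranges used in the sample and would hide the external logons. The event values, thresholds and window are assumptions.

```python
import json
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events as JSON lines. Field names follow the
# 4624 (success) / 4625 (failure) event data; values are made up. LogonType 10
# is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-04-10T02:00:10", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:00:41", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:01:15", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:02:03", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:03:30", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:04:58", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T02:06:02", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2024-04-10T09:15:00", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2024-04-10T11:42:33", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "198.51.100.23"}
{"TimeCreated": "2024-04-10T11:50:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "bob", "IpAddress": "203.0.113.7"}
"""

RDP_LOGON_TYPE = 10
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for loopback and RFC 1918 addresses only.

    ipaddress.is_private is deliberately not used: it also covers the
    documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24), which
    would classify the sample's external sources as internal.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["TimeCreated"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def external_rdp_logons(events):
    """Successful RDP logons whose source is not an internal address."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE
            and not is_internal(e["IpAddress"])]


def bruteforce_successes(events, threshold=5, window=timedelta(minutes=10)):
    """RDP successes preceded by >= threshold failures for the same (source, account) within window."""
    failures = defaultdict(list)  # (source ip, account) -> failure timestamps
    hits = []
    for e in events:  # parse_events already ordered them by time
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[key].append(e["ts"])
        elif e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": e["TargetUserName"], "source": e["IpAddress"],
                             "failures": len(recent), "at": e["TimeCreated"]})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, src in external_rdp_logons(evs):
        print(f"external RDP logon: {user} from {src}")
    for hit in bruteforce_successes(evs):
        print(f"likely brute force: {hit['user']} from {hit['source']} after {hit['failures']} failures at {hit['at']}")
```

Both findings depend on 4624/4625 actually being collected and retained, which is the log-visibility gap Sophos points to; without MFA on RDP, the second detection is the only thing standing between a guessed password and a foothold.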

From the cybersecurity defenses front,

  • MedCity News discusses four lessons learned from the Change Healthcare cyberattack.
  • According to Dark Reading,
    • The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
    • The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
    • The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.
  • According to Cybersecurity Dive,
    • “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
    • “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America. 
    • “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
    • “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.” 

Tuesday Tidbits


From Washington, DC,

  • The American Hospital Association’s AHA News reports,
    • “Health care leaders and other officials April 9 discussed challenges to rural health care access and potential solutions during an event in Washington, D.C. sponsored by the Coalition to Strengthen America’s Health Care: Protecting 24/7 Care. The AHA is a founding member of the Coalition, which recently rebranded to reflect its renewed focus to protect and strengthen patients’ access to 24/7 care. 
    • “Today’s event hosted by Punchbowl News involved discussions on a range of topics including access, the importance of telehealth, health care innovations and Medicare underpayment, among others. 
    • “You can watch a video of today’s event here.”
  • The Wall Street Journal lets us know,
    • “The U.S. Postal Service said Tuesday it is seeking to raise the price of a stamp by 5 cents, in what would be the fourth increase since the start of 2023. 
    • “The proposed price of 73 cents, up 7.4% from the current price of 68 cents, would still need to be approved by the Postal Regulatory Commission. 
    • “The last increase happened in January 2024, when the cost of a stamp rose from 66 cents to 68 cents. Before that, the agency hiked prices in July 2023 by 3 cents. * * *
    • “The new 5-cent increase would go into effect July 14, the Postal Service said. 
    • “The Postal Service said it also wants to raise prices for other services, including sending a letter outside the U.S., which would cost $1.65, up from $1.55. Mailing a postcard within the U.S. would cost 3 cents more at 56 cents. And sending metered letters, a service used by small businesses, would cost 5 cents more at 69 cents.”
  • MedTech Dive relates,
    • “The Department of Justice filed a consent decree of permanent injunction against Philips on Tuesday in response to the company’s ongoing recall of sleep apnea and respiratory devices.
    • “The settlement would restrict Philips from producing or selling new continuous positive airway pressure (CPAP) and bi-level positive airway pressure (BiPAP) machines and other devices in the U.S. until the company meets certain requirements. Philips also faces restrictions on exporting devices that are being provided to patients impacted by the recall “to help ensure remediation of U.S. patients is prioritized over export for commercial distribution.” 
    • “Philips is required to implement a recall remediation plan that the Food and Drug Administration must agree on, including providing patients with new or reworked devices, or a partial refund. Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, said in a Tuesday statement that the finalization of the decree is a “significant milestone.” 

From the public health and medical research front,

  • KFF notes,
    • “Rates of long COVID have begun to flatten. About 1 in 10 adults with COVID have reported having long COVID since rates fell in 2023, according to a KFF analysis of the latest data from the Centers for Disease Control and Prevention. If the rate continues to hold steady, new forms of prevention or treatment may be important to achieve future reductions in long COVID.
    • “As of March 2024, 7% of all adults (17 million people) reported that they have long COVID. Among the 60% of adults who reported ever having had COVID, roughly 3 in 10 reported having long COVID at some point and about 1 in 10 reported currently having it. The ongoing gap between the two long COVID rates indicates that people are continuing to recover, even as rates stabilize.”
  • US News and World Report informs us,
    • “Measles infections have continued to spread in pockets of the U.S., as the latest nationwide count shows the number of cases have now reached more than 100.
    • “A total of 113 cases have been reported across 17 states as of April 5, according to the most recent figures from the Centers for Disease Control and Prevention, nearly double the total of 58 for all of 2023.
    • “So far, seven outbreaks have occurred – defined by the CDC as three or more related cases – up from four in 2023. More than 70% of all cases this year have been associated with an outbreak, and approximately half of patients are children under the age of five.
    • “More than 80% of measles infections are among those who are either unvaccinated or with an unknown vaccination status, according to the CDC, while 12% of cases are those who have received only one dose of the measles, mumps and rubella vaccine.
    • “Chicago has had the majority of U.S. cases, with 58 infections as of April 8, according to the most recent figures from the Chicago Department of Public Health.
    • “The majority of measles infections in Chicago have been tied to an outbreak at one of the city’s largest migrant shelters.
    • “In an update released on April 5, CDPH stated measles cases were decreasing in the city, with a total of five new cases reported during the week of March 31 through April 5, compared to 23 infections reported from March 24 through March 30.”
  • The Wall Street Journal reminds us,
    • The fight against dementia actually starts in your 40s.
    • Midlife, not your 70s or 80s, is when brain changes start to occur that can pave the way toward dementia, Alzheimer’s disease and cognitive decline later, according to a growing body of research. 
    • Intervening earlier to improve brain health—and studying the midlife brain more closely—might help people stay sharper in their later years, researchers say. Regular exercise, getting enough sleep and doing activities that keep your brain stimulated are all steps that can help you combat dementia later in life.
    • “Middle age is an opportune time to make lifestyle choices and obtain treatment that will bring an enormous return on investment in old age,” says Terrie Moffitt, a professor of psychology and neuroscience at Duke University.
    • More scientists are looking for clues in the midlife brain because efforts to target dementia in older people have largely failed, says Ahmad Hariri, a professor of psychology and neuroscience also at Duke.
  • Beckers Hospital Review points out,
    • “Surprise pregnancies may be an unexpected side effect experienced by women who use Ozempic or other GLP-1 medications, The Washington Post reported April 5.
    • “Numerous social media platforms include posts and discussions about unplanned pregnancies while on Ozempic or similar drugs. Although the reports of a possible Ozempic “baby boom” are anecdotal, it is a phenomenon researchers and experts are watching closely. 
    • “Experts speculate that weight loss drugs may impact the absorption of contraceptives, causing birth control failures or that they can affect ovulation and fertility. Others say losing weight can improve chances of pregnancy.”
  • According to Fierce Healthcare,
    • “Supplemental benefits administrator Avesis and Elevance Health subsidiary Amerigroup Georgia have teamed up with Uber Health in a pilot project to tackle the state’s maternal health crisis.
    • “Utilizing community health partners like the Georgia Primary Care Association and federally qualified health centers (FQHCs), hundreds of Amerigroup’s Medicaid members in December 2022 started receiving two individualized nutritional counseling sessions, a scale and $300 of Uber Eats vouchers.
    • “Though the program’s results have not been shared yet, Avesis Senior Manager of Care Transformation Don Trainor said the program has had promising results so far.”
  • The AHA News tells us,
    • “Women with health-related social needs such as food insecurity, housing instability and lack of transportation were less likely to report receiving a mammogram in the past two years when surveyed in 2022, according to a report released April 9 by the Centers for Disease Control and Prevention. About 66% of women aged 50-74 with at least three health-related social needs were up to date with their mammograms, compared with 83% of women with no health-related social needs. Mammography use also was lower among women without health insurance and a usual source of care.”

From the U.S. healthcare business front,

  • UnitedHealth Group has refreshed the website on which it posts its response to the cyberattack against Change Healthcare.
  • Per Fierce Healthcare,
    • “Artificial intelligence categorization can help stem the flood of patient messages that would otherwise demand physicians’ expensive time, Kaiser Permanente researchers report.
    • “In a recently published JAMA Network Open research letter, members of the system’s research division and medical group outlined a strategy that used real-time natural language processing (NLP) algorithms to attach category labels to messages and then direct them to an appropriate respondent.
    • “The approach, they wrote, allowed 31.9% of the more than 4.7 million patient messages reviewed by program staff to be resolved before reaching the inbox of a specific physician. Instead, these messages were handled by a “regional team” made up of medical assistants or teleservice representatives, pharmacists and other doctors.”
  • and
    • “Consumers expect a simple and easy digital experience, and health plans have plenty of room to improve on that front, according to a new report.
    • “J.D. Power released its inaugural U.S. Health Insurance Experience Study on Tuesday, where it found that 42% of adults with insurance ran into issues using their plan’s website and/or mobile app in the past year.
    • “The study is based on responses from more than 5,500 people enrolled in the 14 largest Medicare Advantage (MA) plans and 15 largest commercial plans. It was conducted alongside Corporate Insight.”
  • Beckers Hospital Review names the “25 drugs at Mark Cuban’s online pharmacy with biggest cost reductions.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.
  • Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.
  • Cybersecurity Dive reported on April 3,
    • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
    • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
    • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.”
  • Cybersecurity Dive added on April 5,
    • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
    • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
    • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
    • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 
  • Federal News Network lets us know,
    • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
    • “HHS is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
    • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”
  • The National Institute of Standards and Technology announced,
    • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • The public comment period is open through May 20, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”
  • NextGov tells us,
    • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
    • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
    • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
    • More on this threat can be found on the American Hospital Association news site.
  • On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.

From the ransomware front,

  • Bleeping Computer’s The Week in Ransomware is back at long last.
  • Cyberscoop reports,
    • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
    • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
    • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
    • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
    • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
    • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
    • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

  • Cybersecurity Dive relates,
    • “[E]ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say.
    • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
    • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
  • Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”
  • Security Week points out,
    • “The US National Institute of Standards and Technology (NIST) this week announced $3.6 million in grants to help address the cybersecurity skills shortage.
    • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
    • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building the cybersecurity workforce through education and training.
    • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”
  • Per Tech Target,
    • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
    • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
    • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”
  • HHS’s 405(d) Program now offers a
    • “New Resource: Healthcare Threat Identification Poster!
    • “Cyber hygiene poster highlights threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “The U.S. Cybersecurity and Infrastructure Security Agency [CISA] on Wednesday [March 27, 2024] published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government.
    • “CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022. Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation-states to help improve defenses.
    • “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.  * * *
    • “The rules apply to any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
    • “Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.
    • “There are exemptions for small organizations, with revenue and employee counts that qualify under the Small Business Administration’s criteria.” 
  • Here are links to the CISA announcement and to the proposed rule.
  • Cyberscoop adds,
    • “While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
    • “For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.” * * *
    • “CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
    • “Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clark, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.” 
  • On March 28, 2024, the Defense Department released its “Defense Industrial Base Cybersecurity Strategy [which] plots a course for increased focus and collaboration between the Defense Department and the U.S. defense industrial base on cybersecurity initiatives amid what officials say are persistent cyberthreats.”

From the cyber-vulnerabilities and breaches front,

  • Per Security Week,
    • “While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.
    • “By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023. * * *
    • “Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE 2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1.049 victims, around 20% of all known ransomware attacks in 2023.”
  • Cybersecurity Dive tells us,
    • “Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
    • “Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
    • “Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.”
  • Earlier this month, HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted the following two PowerPoints:
    • Credential Harvesting and Mitigations
      • “Cyberattacks against healthcare facilities can involve credential harvesting, which may lead to a disruption of operations. Credential harvesting, also known as credential stealing or credential phishing, is a technique that cybercriminals can use to obtain sensitive login credentials like usernames, passwords, and personal information. These credentials operate as the gateway to an individual’s digital identity, and can grant access to various types of information, such as online accounts and health data. The methods employed for credential harvesting are diverse, ranging from sophisticated phishing emails to fake websites and social engineering tactics.”
    • Defense and Mitigations from E-mail Bombing
      • E-mail bombing, also known as a mail bomb or letter bomb attack, occurs when a botnet (a single actor or group of actors) floods an e-mail address or server with hundreds to thousands of e-mail messages. It is a type of Denial of Service (DoS) attack that allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless. By overloading a victim’s inbox, attackers hope that the victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.
      • This type of attack is of particular importance to the Healthcare and Public Health (HPH) sector. In 2016, unknown assailants launched a massive cyber attack aimed at flooding thousands of targeted “dot-gov” (.gov) e-mail inboxes with subscription requests, rendering many unusable for days.
      • E-mail bombs are not only an inconvenience to the victim, but to everyone using that particular server. When an e-mail server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime. This Sector Alert provides an overview of types of e-mail bomb techniques, as well as defenses and mitigations for targets of this type of attack.
  • Bleeping Computer adds that “Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.”
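Taking the HC3 e-mail bombing alert above as the prompt, the following added example (not HC3’s or the page’s own code) shows how a mail-gateway or SOC script could flag the burst and re-surface the sign-in, password and order notices buried inside it. The sliding window, the thresholds, the subject-line patterns and the mailbox contents are assumptions constructed for illustration.

```python
"""Spot an e-mail bombing burst and surface the genuine alerts buried inside it.

Added illustration for the HC3 e-mail bombing alert; the window, thresholds,
keyword patterns and the mailbox below are constructed assumptions, not HC3
material.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Subjects typical of the subscription-confirmation flood (assumed patterns).
FLOOD_PATTERNS = re.compile(
    r"confirm your (subscription|email)|welcome to|thanks for (signing up|subscribing)|newsletter",
    re.IGNORECASE,
)
# Subjects the victim must not miss while the flood is running (assumed patterns).
CRITICAL_PATTERNS = re.compile(
    r"sign-in|new login|password (change|reset)|security alert|order confirmation|contact information",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Message:
    received: datetime
    sender: str
    subject: str


def detect_mail_bomb(messages, window=timedelta(minutes=10), threshold=50, flood_ratio=0.8):
    """Sliding-window burst detector for one mailbox.

    A burst is declared when at least `threshold` messages arrive within `window`
    and at least `flood_ratio` of them look like subscription confirmations.
    Returns a report with the burst bounds and the critical messages received
    during it, so they can be re-surfaced to the user instead of being lost.
    """
    ordered = sorted(messages, key=lambda m: m.received)
    recent = deque()
    burst_start = burst_end = None
    for msg in ordered:
        recent.append(msg)
        # Drop everything older than the window relative to the newest message.
        while msg.received - recent[0].received > window:
            recent.popleft()
        if len(recent) >= threshold:
            flood_like = sum(1 for m in recent if FLOOD_PATTERNS.search(m.subject))
            if flood_like / len(recent) >= flood_ratio:
                if burst_start is None:
                    burst_start = recent[0].received
                burst_end = msg.received
    if burst_start is None:
        return {"bombed": False, "buried_critical": []}
    in_burst = [m for m in ordered if burst_start <= m.received <= burst_end]
    domains = {m.sender.rsplit("@", 1)[-1] for m in in_burst}
    return {
        "bombed": True,
        "start": burst_start,
        "end": burst_end,
        "volume": len(in_burst),
        "distinct_sender_domains": len(domains),
        # Messages to re-surface: the sign-in, password and order notices HC3 mentions.
        "buried_critical": [m for m in in_burst if CRITICAL_PATTERNS.search(m.subject)],
    }


def sample_mailbox():
    """Constructed mailbox: a quiet morning, then an 8-minute flood of 120
    subscription confirmations with two genuine alerts buried in the middle."""
    base = datetime(2024, 3, 20, 9, 0)
    msgs = [
        Message(base, "hr@hospital.example", "Benefits enrollment reminder"),
        Message(base + timedelta(hours=1), "lab@hospital.example", "Weekly lab schedule"),
        Message(base + timedelta(hours=2), "it@hospital.example", "Planned maintenance window"),
    ]
    flood_start = base + timedelta(hours=5)
    for i in range(120):  # one confirmation every 4 seconds from 120 different sites
        msgs.append(Message(flood_start + timedelta(seconds=4 * i),
                            f"noreply@shop{i}.example",
                            f"Confirm your subscription to newsletter {i}"))
    msgs.append(Message(flood_start + timedelta(seconds=200), "security@bank.example",
                        "New sign-in to your account from an unrecognized device"))
    msgs.append(Message(flood_start + timedelta(seconds=300), "orders@retailer.example",
                        "Order confirmation #48213"))
    return msgs


def analyze_sample():
    return detect_mail_bomb(sample_mailbox())


if __name__ == "__main__":
    report = analyze_sample()
    print(f"bombed={report['bombed']} volume={report.get('volume')} "
          f"domains={report.get('distinct_sender_domains')}")
    for m in report["buried_critical"]:
        print("re-surface:", m.received.time(), m.sender, m.subject)
```

The point of the `buried_critical` list is the mitigation HC3’s description implies: the flood itself is noise, but the account and transaction notices inside it are the messages an attacker is trying to hide, so a detector should hand those to the user rather than just counting the junk. The high distinct-sender-domain count is what separates a mail bomb from a single misbehaving mailing list.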

From the Change Healthcare situation front,

  • HealthIT Security let us know on March 29,
    • “In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is “likely” to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
    • “This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems,” UHG stated. “We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.”
    • “To date, UHG had not seen evidence of any data being published on the web.
    • “In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.” 

From the ransomware front,

  • Beckers Hospital Review notes,
    • “A ransomware group that specializes in “double extortion” has claimed responsibility for a cyberattack on an Oklahoma hospital, HIPAA Journal reported.
    • “The Bian Lian hacking gang posted Lindsay (Okla.) Municipal Hospital to its data leak site and said the stolen data would be uploaded soon, according to the March 25 story.
    • “The hackers’ “double extortion” forte means they steal data then require ransom payments to both release the information and decrypt any encrypted files, the news outlet reported. HHS has warned that Bian Lian is targeting healthcare providers because of the group’s financial motivations.”

From the cybersecurity defenses front,

  • Cybersecurity Dive informed us on March 26, 2024,
    • “The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday.
    • “CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.  
    • “The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.”
  • The Wall Street Journal reports,
    • “Companies from the U.S. telecommunications, financial services and power sectors held a joint cybersecurity exercise with government agencies this week to test how their defenses held up against real attacks. [The report is dated March 29, 2024.]
    • “Security staff from AT&T, Lumen Technologies, Southern Co., Mastercard and Southern California Edison pitted defensive and offensive teams, known as blue and red teams, against each other on Wednesday and Thursday in Washington, D.C. * * *
    • “This week’s Tri-Sector Cyber Defense Exercise was an expanded version of a similar event held two years ago. While in the previous event individual teams from each participating company competed against each other, this year’s program drew staff from each participant into combined teams to learn from each other’s techniques. Those teams then assaulted and blocked attacks from fictitious entities in the various represented sectors, using the same tools and technology as they would in reality.”
  • and
    • “Cybersecurity leaders struggle to communicate with executives and boards of directors and often paint an overly positive image of their companies’ security, according to a new survey of C-suite executives. 
    • “With new regulations that require companies to disclose more details about cybersecurity, around half of those polled see an immediate need to improve security leaders’ communication skills. 
    • “Thirty-one percent of top executives said they believe their companies’ chief information security officers paint a more optimistic picture than reality, according to a new survey from communications advisory firm FTI Consulting * * *
    • “Executives want CISOs to improve how they communicate about cyber risks. The FTI survey found that 98% of executives support more funding for such training, and 45% said it is an immediate need.” 
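The CISA/FBI alert quoted earlier in this section asks software manufacturers to review their code for SQL injection defects. As an added example (not the agencies’ or Cybersecurity Dive’s material), the Python block below puts the defect beside its fix against an in-memory SQLite table and adds a crude scan for statement text assembled by concatenation, the kind of thing a code review might start from. The schema, rows, input values and scanner patterns are assumptions constructed for illustration.

```python
"""A concatenated SQL query beside its parameterized replacement, plus a crude
source scan of the kind a code review could start from.

Added illustration prompted by the CISA/FBI alert on SQL injection; the
schema, rows, inputs and scanner patterns are constructed assumptions, not
taken from the alert.
"""
import re
import sqlite3


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, payer TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-1001", "A. Example", "PlanA"),
        ("MRN-1002", "B. Example", "PlanB"),
        ("MRN-1003", "C. Example", "PlanA"),
    ])
    return conn


def lookup_vulnerable(conn, mrn):
    """The defect: untrusted input is spliced into the statement text, so a
    quote in the input changes the query's structure."""
    return conn.execute(f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'").fetchall()


def lookup_parameterized(conn, mrn):
    """The fix: the statement text is fixed and the driver binds mrn as a value,
    never as SQL, whatever characters it contains."""
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


# execute() calls whose first argument is built with an f-string, "+" concatenation,
# "%" formatting or .format(). A placeholder string followed by a parameter tuple
# (e.g. "... = %s", (x,)) is left alone because it is parameterized.
UNSAFE_EXECUTE = re.compile(
    r"""execute\w*\(\s*(?:f["']|["'][^"']*["']\s*[+%]|["'].*["']\.format\()"""
)


def find_concatenated_queries(source):
    """Return (line_no, line) for suspicious execute() calls. A review starting
    point only: it misses queries assembled on earlier lines and is no
    substitute for a real static analyser."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if UNSAFE_EXECUTE.search(line)]


# Constructed snippet standing in for code under review.
SAMPLE_SOURCE = "\n".join([
    'cur.execute("SELECT * FROM claims WHERE id = " + claim_id)',
    'cur.execute(f"DELETE FROM sessions WHERE token = \'{token}\'")',
    'cur.execute("UPDATE payers SET name = %s WHERE id = %s", (name, payer_id))',
    'cur.execute("SELECT * FROM claims WHERE id = %s" % claim_id)',
    'cur.execute("SELECT name FROM payers WHERE id = ?", (payer_id,))',
])


def demo():
    conn = make_db()
    # An input that closes the quoted literal and appends its own condition.
    crafted = "MRN-1001' OR payer = 'PlanA"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),       # 2: the filter was rewritten
        "parameterized_rows": len(lookup_parameterized(conn, crafted)),  # 0: no such MRN exists
        "scan_hits": find_concatenated_queries(SAMPLE_SOURCE),
    }


if __name__ == "__main__":
    r = demo()
    print("vulnerable:", r["vulnerable_rows"], "parameterized:", r["parameterized_rows"])
    for n, line in r["scan_hits"]:
        print(f"line {n}: {line}")
```

Two things worth noticing in the scan output: the `%s` line with a parameter tuple is correctly left alone (that is how psycopg2-style drivers bind values), while the `%` operator on the line after it is flagged because the substitution happens in Python before the database ever sees the statement. The distinction that matters is not the placeholder syntax but whether the statement text is fixed when it reaches the driver.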

Monday Roundup


From Washington, DC,

  • STAT News reminds us,
    • “The public will soon find out whether the federal government is willing to meet the health insurance industry’s demands and deposit more money into the bank accounts of next year’s Medicare Advantage plans.
    • “Budget officials within the Biden administration started reviewing final payment regulations for 2025 Medicare Advantage plans last week after more than 42,000 public comments rolled into the federal government’s inbox. Those rules will come out no later than April 1.
  • Becker’s Hospital CFO Report adds,
    • “Onerous” authorization requirements and high denial rates have health systems considering whether to drop Medicare Advantage plans, according to a report from the Healthcare Financial Management Association and Eliciting Insights. 
    • “HFMA Health System CFO Pain Points Study 2024” is based on a survey of 135 health system CFOs conducted in January. 
    • According to the report, 16% of health systems are planning to stop accepting one or more Medicare Advantage plans in the next two years. Another 45% said they are considering the same but have not made a final decision.
    • Health systems have been increasingly pushing back on Medicare Advantage. Chris Van Gorder, president and CEO of San Diego-based Scripps Health, told Becker’s last year that “it’s becoming a game of delay, deny and not pay.” Scripps terminated Medicare Advantage contracts effective Jan. 1 for its integrated medical groups. The medical groups, Scripps Clinic and Scripps Coastal, employ more than 1,000 physicians, including advanced practitioners. Mr. Van Gorder said the health system was facing an annual loss of $75 million on MA contracts.  
    • “Providers are going to have to get out of full-risk capitation because it just doesn’t work — we’re the bottom of the food chain, and the food chain is not being fed,” he said.
    • Despite tensions with some health systems, the Medicare Advantage program had a 95% quality satisfaction rating among enrolled members in 2023.
  • The FEHBlog notes that MA plans are subject to the Affordable Care Act’s medical loss ratio. The medical loss ratio encourages health plans to make payments to providers.
  • FedSmith lets us know,
    • The Federal Salary Council (FSC) recently proposed adding about 15,000 federal employees to existing locality pay areas for 2025 from the “Rest of the U.S.” Being added to a locality pay area usually results in higher pay for impacted employees.
    • FSC is recommending the Pay Agent add Wyandot County, OH, to the Columbus, OH, locality pay area and Yuma County, AZ, to the Phoenix, AZ, locality pay area. These recommendations do not create new locality pay areas. In this case, they are adding employees to existing pay areas using various techniques to reduce employees in the “Rest of the U.S.” and add more to higher-paying locality pay areas.
    • A proposal from the Federal Salary Council does not mean a decision to make these additions is finalized. The recommendations have to be approved by the President’s Pay Agent. That approval usually follows, although not necessarily in the recommended time frame. Once the Pay Agent decides to move ahead, the Office of Personnel Management has to issue a proposed change in the Federal Register and a final decision in the Federal Register a few months later.
  • Reg Jones, writing in Fedweek, discusses “Survivor Annuity Benefits for Children of Deceased Federal Employees and Retirees.”
  • KFF discusses Medicare spending on GLP-1 drugs, like Ozempic, to treat diabetes.
    • “Gross spending on Ozempic alone increased from $2.6 billion in 2021 to $4.6 billion in 2022, pushing it to 6th place among the top-selling drugs in Medicare Part D that year, up from 10th place the year before.  
    • “The fact that covering GLP-1s under Medicare Part D for authorized uses is already making a mark on total Part D program spending could be a sign of even higher spending to come as Part D plans are now able to cover Wegovy for its heart health benefits, and if new uses for GLP-1s are approved.”
  • CNBC adds,
    • “Americans can’t seem to get enough of weight loss drugs despite their limited insurance coverage and roughly $1,000 monthly price tags before discounts. 
    • “But some patients are willing to pay more out of pocket for those treatments than others — and it’s strongly correlated to their annual income.
    • “That’s according to a recent survey from Evercore ISI that focused on GLP-1s, which include Novo Nordisk’s weight loss injection Wegovy and diabetes counterpart Ozempic.

From the public health and medical research front,

  • The American Medical Association advises its members about measles, now at 64 cases, and tells patients what doctors wish they knew about vasectomies.
  • Medscape shares five things to know about Adult Respiratory Syncytial Virus (RSV) Infection.
  • The Washington Post features a Consumer Reports article on maintaining kidney health. “Hydration and exercise are just two of the keys to reducing the risk of kidney disease.”
  • The Society for Human Resource Management offers nine mental health questions for employee engagement surveys.
  • CNN reports,
    • “Drugmaker Eli Lilly warned this week that two of its formulations of insulin would be temporarily out of stock through the beginning of April, citing a “brief delay in manufacturing.”
    • “The 10-milliliter vials of Humalog and insulin lispro injection will be in short supply at wholesalers and some pharmacies, Lilly said in a statement posted online Wednesday [March 20]. The company said that prefilled pen versions of those medicines are still available in the US and that it continues to manufacture the 10-milliliter vials “and will ship them as soon as we can.”

From the U.S. healthcare business front,

  • The Wall Street Journal relates,
    • “Hospitals are adding billions of dollars in facility fees to medical bills for routine care in outpatient centers they own. Once an annoyance, the fees are now pervasive, and in some places they are becoming nearly impossible to avoid, data compiled for The Wall Street Journal show. The fees are spreading as hospitals press on with acquisitions, snapping up medical groups and tacking on the additional charges. 
    • “The fees raise prices by hundreds of dollars for widely used and standard medical care, including colonoscopies, mammograms and heart screening. 
    • “Hospitals say facility fees help offset the extra costs that they incur to meet federal regulations. “It’s not as simple as same services, across-the-board,” said Jason Kleinman, director of federal relations for the American Hospital Association.” * * *
    • “Lawmakers and Congress have proposed limiting fees covered by Medicare, which advisers to the federal insurer have unanimously recommended. Under a bill passed by the House in December, Medicare would no longer pay hospital facility fees for chemotherapy and other drugs infused by doctors in clinics off a hospital campus, saving about $3.7 billion over 10 years. 
    • “The American Hospital Association opposes limiting the fees, saying restrictions would cut revenue to hospitals already squeezed financially by high labor costs and inflation.”   
  • Becker’s Hospital CFO Report adds,
    • “Kaufman Hall’s latest “National Hospital Flash Report,” which is based on data from more than 1,300 hospitals, outlined three key areas that separate high-performing hospitals and low-performing hospitals when it comes to their operating performances: 
      • Outpatient revenue. In general, hospitals with higher and accelerating outpatient revenue are more profitable.
      • Contract labor. Hospitals that quickly reduced their percentage of contract labor demonstrate improved operating profitability. In addition, hospitals that aggressively marched down contract labor costs were correlated to rising wage rates for full-time staff. Rising wage rates appeared to attract and retain full-time staff, which has allowed those hospitals to decrease contract labor more quickly, all of which has led to increased profitability, according to the report. 
      • Average length of stay. A lower average length of stay corresponded with improved profitability. Hospitals that hyper-focused on patient throughput — which has led to appropriate and prompt patient discharge — have also proven this to be a solid financial strategy, according to the report.”
    • “Hospitals on the other end of the scale continue to struggle, with the poorest financially performing hospitals reporting negative margins from -4% to -19%, according to Kaufman Hall. Continuation of this level of performance is unsustainable and makes it impossible to reinvest in community care.” 
  • Per BioPharma Dive,
    • “Novo Nordisk will pay as much as $1 billion to acquire RNA drug developer Cardior and its experimental treatment for heart failure, the companies announced Monday.
    • “Cardior’s treatment, dubbed CDR132L, is currently being tested in a mid-stage study involving 280 people with heart failure who previously experienced a heart attack. Results are expected by September, according to a U.S. clinical trial database.
    • “In addition to that study, Novo said it plans to start another Phase 2 trial in heart failure patients whose heart muscle has become thick and stiff, also known as cardiac hypertrophy. Novo, which will pay an undisclosed upfront payment to Cardior per deal terms, expects the acquisition to close in the second quarter.”
  • and
    • “Abbvie is expanding its pipeline of inflammatory disease drugs, announcing Monday a small deal to acquire biotechnology company Landos Biopharma.
    • “Per the deal, Abbvie will buy Landos for $20.42 per share, or about $138 million. Abbvie has also agreed to pay a so-called contingent value right worth $11.14 per share, or another $75 million, if certain milestones are met. The upfront price represents a premium of about 155% to the closing price Friday of Landos stock.
    • “Landos is currently running a mid-stage trial of its lead drug, dubbed NX-13, in ulcerative colitis. Abbvie is also interested in NX-13’s potential in Crohn’s disease.”
  • Per Healthcare Dive,
    • “Change Healthcare said its largest claims clearinghouses would come back online over the weekend, more than a month after a cyberattack at the technology firm disrupted the healthcare sector. 
    • “More than $14 billion in charges have been prepared for processing, according to an update from parent company UnitedHealth Group on Friday. Change’s electronic payments platform has also been restored, and the company is working on payer implementations.”