Cybersecurity Dive

From the cybersecurity front, Health IT Security interviewed Senator Mark Warner (D-Va.) “about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.”

The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.

“There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.

Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.

The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”

This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

Interesting.

From the cybersecurity vulnerabilities front,

Cybersecurity Dive informs us

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released Wednesday by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

and

A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute. 

Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5. * * *

A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

On a related note, an ISACA expert considers trends in cyberattacks.

Looking deeper into the crystal ball, Security Week discusses

The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

Becker’s Health IT informed us on February 1, 2023:

More U.S. hospitals and health systems have reported that their websites went down this week after a cyberattack that Russian hacking group Killnet claimed responsibility for.

Becker’s reported Jan. 31 on 17 hospitals and health systems that were affected. These six organizations were also reportedly hit, according to news reports and tech company BetterCyber:

1. Banner Health (Phoenix)

2. Boulder City (Nev.) Hospital

3. CHA Hollywood Presbyterian Medical Center (Los Angeles)

4. ChristianaCare (Newark, Del.)

5. Presbyterian Healthcare Services (Albuquerque, N.M.)

6. University of Iowa Health Care (Iowa City)

On January 30, 2023, the Health Sector Cybersecurity Coordination Center (HC3) released an analyst note on this threat. The next day, HC3 issued a sector alert about “Multiple Vulnerabilities in OpenEMR Electronic Health Records System.”

Three vulnerabilities were identified in an older version of OpenEMR, a popular electronic health records system, which can allow for a cyberattacker to access sensitive information and even compromise the entire system. The prevalence of ransomware attacks and data breaches impacting the health sector make these vulnerabilities especially important. These vulnerabilities were fixed in newer versions of OpenEMR, and therefore upgrading to the most recent version will fully patch them.

On a related note, Cyberscoop points out, “ChatGPT isn’t a malware-writing savant, and much of the hype around it obscures just how much expertise is required to output quality code.”

From the cyber breach front, last Thursday, the HHS Office for Civil Rights announced a HIPAA Security Rule alleged violation settlement with Banner Health,

a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

From the ransomware front, all the FEHBlog has this week (do we really need more?) is Bleeping Computer’s The Week in Ransomware.

While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors are deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, Resecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

Cybersecurity Saturday

From the cybersecurity policy front, Cybersecurity Dive tells us

The public-private cybersecurity supergroup, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.

JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday. 

It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.

FedScoop reports

The National Institute of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

On Thursday [January 19, 2023], NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks. 

The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.

and

The National Institute of Standards and Technology has issued the first version of its Artificial Intelligence Risk Management Framework that federal agency leaders and lawmakers hope will govern use of the technology.

The Department of Commerce agency Thursday released the initial document, which it emphasized will continue to evolve as the department receives further input from industry and the scientific research community.

Publication of the document comes as the use of AI technology receives increased public attention with the launch of new mainstream tools including ChatGPT.

In the framework document, NIST sets out four key functions that it says are key to building responsible AI systems: govern, map, measure and manage.

Nextgov informs us

The Office of Personnel Management plans to launch a federal cyber workforce dashboard to provide agencies with a better tool to address workforce needs, according to a demo of the proposed dashboard held during a National Institute of Standards and Technology webinar on Tuesday [January 24, 2023].

An OPM spokesperson told Nextgov the cyber workforce data dashboard is a new tool that will have two versions: a public version looking at governmentwide data and an agency-specific version—where each agency will have a more granular view—to help support their workforce needs. The spokesperson added that OPM has been showing the dashboard to cyber workforce community stakeholders, such as the Office of the National Cyber Director and the Office of Management and Budget.

This past week was Data Privacy Week. Spiceworks explains how to convert Data Privacy Week to Data Privacy Year. Security magazine provides thoughts and advice from data security leaders. For example

Corey Nachreiner, Chief Security Officer at WatchGuard Technologies:

“Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility.”

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday.

The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses. 

The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network. 

Health IT Security also offers an article on this topic.

Fortune Magazine alerts us,

As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

Health IT Security reports that “UCHealth and UCLA Health Report Healthcare Data Breaches. The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.”

The Cybersecurity and Infrastructure Security Agency added known exploited vulnerabilities to its catalog — here and here.

Health IT Security adds

Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry’s Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.  

Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

From the ransomware front, The Wall Street Journal reports

U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

Bravo. Bleeping Computer’s The Week in Ransomware focuses on this important development.

Yesterday [January 26, 2023], an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

Here’s the Justice Department’s press release.

Furthermore, an ISACA expert writes about common misconceptions about ransomware.

From the cyber defense front, the Wall Street Journal provides advice on assessing the likelihood of a “catastrophic” cyber attack, and Security Week explains how to end password dependency.

Cybersecurity Saturday

    From the cyberpolicy front —

    Cyberscoop reports

    The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.

    The lethargic pace in which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.

    The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies” such as performance measures that were missing in President Trump’s 2018 cybersecurity strategy.

    “We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted. 

    The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions as establishing the national cyber director and the General Services Administration updating their security plans.

    The Cybersecurity and Infrastructure Security Agency released its 2022 year in review report. Health IT Security examines the CISA report from the standpoint of the healthcare sector.

    The FEHBlog noticed that two Federal Acquisition Regulation proposed rules that he has been tracking are now pending review at OMB’s Office of Information and Regulatory Affairs.

    DOD/GSA/NASA (FAR)

    AGENCY: FAR RIN: 9000-AO34 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: Yes
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    AGENCY: FAR RIN: 9000-AO35 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: No
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    Should these regulations clear OIRA review, the next step will be publication of the proposed rules in the Federal Register.

    From the cyberbreach front,

    Cybersecurity Dive reports

    T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.

    The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.

    T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants. 

    This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.

    The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.
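T-Mobile’s filing says only that the activity was traced to an application programming interface and that it ran for roughly six weeks before anyone noticed. As an added example (this is not code from T-Mobile, Cybersecurity Dive or the FEHBlog), here is what detection of that kind of activity can look like in an API access log. It assumes the abuse took the usual scraping shape, one client reading many different customer records in sequence, which the page does not say; the log format, the `/v1/customers/<id>` path, the client tokens and every log line below are constructed.

```python
"""
Spot bulk account enumeration through a customer API from access logs.

Added illustration, not code from T-Mobile, Cybersecurity Dive or the FEHBlog.
The page says only that the unauthorized access went through an API; that it
looked like one client walking through many customer IDs is an assumption,
and every log line, client token and path below is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z client=<token> <METHOD> /v1/customers/<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"client=(?P<client>\S+) (?P<method>[A-Z]+) "
    r"/v1/customers/(?P<acct>\d+) (?P<status>\d{3})$"
)


def parse(lines):
    """Turn raw lines into (timestamp, client, account_id, status); skip junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["client"], int(m["acct"]), int(m["status"])))
    return events


def detect_enumeration(events, window=timedelta(hours=1),
                       max_distinct=50, seq_ratio=0.8, min_steps=20):
    """
    Flag a client when, inside any sliding time window, it reads more than
    max_distinct different accounts, or when its consecutive account IDs are
    mostly exactly +1 apart (a scraper walking the ID space).
    Returns {client: {"distinct": n, "sequential_ratio": r}}.
    """
    by_client = defaultdict(list)
    for ts, client, acct, _status in sorted(events):
        by_client[client].append((ts, acct))

    flagged = {}
    for client, hits in by_client.items():
        # sliding window: largest number of distinct accounts seen in `window`
        in_window = Counter()
        start = worst = 0
        for end, (ts, acct) in enumerate(hits):
            in_window[acct] += 1
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            worst = max(worst, len(in_window))

        # sequential signature: share of ID steps that are exactly +1
        steps = [b[1] - a[1] for a, b in zip(hits, hits[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0

        if worst > max_distinct or (len(steps) >= min_steps and ratio >= seq_ratio):
            flagged[client] = {"distinct": worst, "sequential_ratio": round(ratio, 2)}
    return flagged


def build_sample():
    """Constructed log lines: one ordinary app client and one bulk scraper."""
    fmt = "{ts:%Y-%m-%dT%H:%M:%S}Z client={client} GET /v1/customers/{acct} 200"
    base = datetime(2022, 11, 25, 3, 0, 0)
    lines = []
    # ordinary client: two accounts, a handful of reads spread over a day
    for i, acct in enumerate([100042, 100042, 100777, 100042, 100777, 100042]):
        lines.append(fmt.format(ts=base + timedelta(hours=4 * i),
                                client="app_mobile_7f3", acct=acct))
    # scraper: 200 consecutive IDs in ten minutes
    for i in range(200):
        lines.append(fmt.format(ts=base + timedelta(seconds=3 * i),
                                client="tok_9c1e", acct=100000 + i))
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for client, stats in detect_enumeration(parse(build_sample())).items():
        print(f"{client}: {stats}")
```

The two signals are deliberately independent: a scraper that randomizes IDs still trips the distinct-accounts-per-window count, and one that throttles itself under the volume threshold still shows the +1 stride. Both thresholds are assumptions to be tuned against the real client population.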

    From the cyber vulnerabilities front —

    Cybersecurity Dive reports

    • Potential cyber incidents and business interruption remained the two leading worldwide corporate risk concerns for the second year in a row, according to a report published Tuesday by Allianz Group’s corporate insurance unit, Allianz Global Corporate & Specialty. 
    • Both cyber and business interruptions were the top concerns among 34% of respondents in the annual Allianz Risk Barometer. The study measured the responses of 2,712 risk management experts in 94 countries and territories, including CEOs, risk managers, brokers and other insurance experts. 
    • Respondents were concerned about a range of potential incidents, from ransomware to data breaches and IT outages. The report noted ransomware remains a frequent threat and cited IBM data showing the average cost of a data breach hit a record of $4.35 million, with the cost expected to surpass $5 million this year.

    Health IT Security tells us

    Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

    The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

    CISA added one more known exploited vulnerability to its catalog.

    The Healthcare Sector Cybersecurity Coordination Center issued three reports this week:

    • Healthcare Cybersecurity Bulletin for Q4 2022 “Ransomware attacks, data breaches, and often both together, continued to be prevalent attacks against the health sector,” the bulletin notes. “Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
    • December Vulnerabilities of Interest to the Health Sector “In December 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Intel, Cisco, SAP, Citrix, VMWare, and Fortinet.”
    • Artificial Intelligence and Its Current Potential to Aid in Malware Development “Artificial intelligence (AI) has now evolved to a point where it can be effectively used by threat actors to develop malware and phishing lures. While the use of AI is still very limited and requires a sophisticated user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to easily and quickly customize attacks against the healthcare sector.”

    In this regard, CSO offers a feature on how ChatGPT changes the phishing game. “The Microsoft-backed free chatbot is improving fast and can not only write emails and essays but can also code. ChatGPT is also polyglot and that could facilitate and increase exponentially phishing attacks.” Wonderful.

    From the ransomware front —

    • An ISACA expert explains why ransomware looms large on the third party risk landscape. “As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.”
    • In Cybersecurity Dive, a ransomware negotiator shares three tips for victim organizations.
    • Dark Reading adds “in another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.”

    From the cyber defenses front, Tech Republic explains that while the cybersecurity implications of ChatGPT are vast, especially for email exploits, putting up guardrails, flagging elements of phishing emails that it doesn’t touch and using it to train itself could help boost defense. Ah, a double-edged sword.

    Cybersecurity Saturday

    While Congress did enact a nationwide data breach law for healthcare organizations, including FEHB plans, Cyberscoop reports that last month’s data breach affecting password manager LastPass “exposes how US breach notification laws can leave consumers in the lurch.”

    The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime. 

    “It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”

    Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.

    As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods. 

    Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate.

    The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.

    Congress can fix this problem.

    Cybersecurity Dive tells us

    The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Thursday at CES in Las Vegas.

    Cybercrime damages cost organizations $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.

    “We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”

    This won’t change until priorities and incentives are realigned, she said.

    Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.

    “We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.

    Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.

    “Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.

    Organizations are relying on technology that gives security short shrift.

    “We can’t just let technology off the hook,” Easterly said.

    Good point, Ms. Easterly.

    From the cyber vulnerabilities front,

    Cybersecurity Dive informs us

    • “For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie
    • “The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million. 
    • “Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.”

    Cybersecurity Dive also points out

    The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspace to its catalog of known exploited vulnerabilities Tuesday [January 10]. 

    The escalation of privilege vulnerability, listed as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace. 

    CrowdStrike disclosed an attack method using CVE-2022-41080 and CVE-2022-41082 that achieves remote code execution via Outlook Web Access.  * * *

    CISA also added CVE-2023-21674, a Microsoft Windows advanced local procedure call (ALPC) flaw, to its catalog. The escalation of privilege vulnerability happens when Windows improperly handles calls to ALPC, allowing an attacker to escalate privileges from sandboxed execution inside Chromium to kernel execution, according to researchers at Automox. 

    Here’s a link to the CISA catalog for your ease of reference.
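The catalog is also published as a JSON feed, and every entry carries a due date, which is how the end-of-January deadline for these Exchange and ALPC flaws is expressed for federal agencies. As an added example (not code from CISA, Cybersecurity Dive or the FEHBlog), here is a small check that cross-references an inventory of still-open CVEs against the feed and reports what is past due. The feed excerpt is constructed to mirror the real feed’s field names; the CVE IDs are the ones discussed above, but the dateAdded and dueDate values, the host names and the inventory are assumptions.

```python
"""
Cross-check an inventory of still-open CVEs against CISA's Known Exploited
Vulnerabilities (KEV) feed and report which ones are past their due date.

Added illustration, not code from CISA or any outlet quoted on this page.
KEV_SAMPLE is constructed to mirror the field names of the real JSON feed;
the CVE IDs come from the text above, but the dates are assumptions.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed (assumed dates).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.01.10",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Privilege Escalation Vulnerability",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft",
         "product": "Windows",
         "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory (assumed host names): CVEs still open per host,
# e.g. from a vulnerability scanner export.
INVENTORY = {
    "exch01": ["CVE-2022-41080", "CVE-2022-41082"],
    "ws-17": ["CVE-2023-21674"],
}


def load_kev(feed_text):
    """Parse the KEV feed and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_status(kev, inventory, today_iso):
    """
    For every open CVE that appears in the catalog, return
    (host, cve, product, due_date_iso, days_overdue), most overdue first.
    days_overdue is negative while the deadline is still ahead.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in sorted(inventory.items()):
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # open but not in KEV: not the first thing to chase
            due = date.fromisoformat(entry["dueDate"])
            findings.append((host, cve, entry["product"], entry["dueDate"],
                             (today - due).days))
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings


def overdue(kev, inventory, today_iso):
    """Only the findings whose KEV due date has already passed."""
    return [f for f in kev_status(kev, inventory, today_iso) if f[4] > 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for host, cve, product, due, late in kev_status(catalog, INVENTORY, "2023-02-04"):
        state = "OVERDUE" if late > 0 else "due"
        print(f"{host:<8} {cve:<16} {product:<16} {state:<8} {due} ({late:+d} days)")
```

Run against the live feed, the same two functions turn a scanner export into a short list ordered by how far past CISA’s deadline each item is, which is the list a health system’s security team would want in front of leadership rather than the raw CVE count.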

    FYI, the Wall Street Journal reports that “Biden administration officials and cybersecurity experts said the Federal Aviation Administration’s system outage on Wednesday didn’t appear the result of a cyberattack.”

    From the ransomware front,

    Security Week relates, “Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

    The Health Sector Cybersecurity Coordination Center issued an analysis of “Royal & BlackCat Ransomware: The Threat to the Health Sector.”

    Bleeping Computer’s The Week in Ransomware tells us

    New research on ransomware was also disclosed, or discovered, with various reports listed below:

    CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

    From the cyber defense front,

    • The Wall Street Journal reports, “Cloud-infrastructure company Cloudflare Inc. announced Wednesday new email security capabilities aimed at helping businesses defend against phishing, malware and other cyberattacks commonly targeting corporate email accounts.”
    • Health IT Security informs us, “More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TPRM) conversation.”
    • Following up on Ms. Easterly’s comments on cyber safety, Federal News Network notes that “CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.”

    Cybersecurity Saturday

    Happy New Year! Cybersecurity Dive offers viewpoints of “six security experts on what cyber threats they expect in 2023.” In sum, “Organizations will keep a close eye on geopolitical tension and supply chain attacks. But at the core, the biggest threats are built on mistakes.”

    Becker’s Health IT provides the viewpoints of healthcare cybersecurity experts on what’s in store for 2023.

    Security Week discusses five stories that shaped cybersecurity in 2022.

    From the ransomware front —

    The Health Sector Cybersecurity Coordination Center released an analyst note on CLOP ransomware last Wednesday:

    Clop operates under the Ransomware-as-a-Service (RaaS) model, and it was first observed in 2019. Clop was a highly used ransomware in the market and typically targeted organizations with a revenue of $5 million U.S. Dollars (USD) or higher. Since its appearance, HC3 is aware of attacks on the Health and Public Health (HPH) sector. The HPH sector has been recognized as being a highly targeted industry for the Clop ransomware.

    Health IT Security provides a related article.

    Bleeping Computer’s The Week in Ransomware reports

    BitDefender and law enforcement released a free decryptor for the MegaCortex ransomware. Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.

    From the cyber defense front —

    • Health Tech informs us about “Tips for health systems on managing legacy systems to strengthen security. Bolstering basic security can help protect legacy systems as healthcare organizations make strides to modernize infrastructure.”
    • The National Institute of Standards and Technology informs us

    The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published the second version of volumes A-D and the first version of volume E of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on their contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture.

    Cybersecurity Saturday

    The Wall Street Journal reports on Chief Information Officer cybersecurity priorities for 2023:

    At Cisco Systems Inc., CIO Fletcher Previn said the company is focusing on addressing cyber threats for a remote and in-office workforce, where “we might have video games and smart thermostats on the same network segment as an employee’s remote workplace.”

    That means the networking-equipment maker is adopting a zero-trust architecture, as well as practices like two-factor authentication, investing in network automation, and application scanning, Mr. Previn said.

    “The threat landscape has become more challenging and our networks more porous,” Mr. Previn said. “All it takes is one slip-up or letting your guard down for a minute for an adversary to get in.”

    The Journal also lists CIO favorite reads in 2022.

    Health IT Security “spoke with a variety of industry leaders who shared their healthcare cybersecurity and privacy predictions for the upcoming year.”

    The experts suggested that in order to maintain cybersecurity and patient privacy, organizations will have to continue to adapt and enhance existing security practices to combat ongoing cyber threats.

    However, positive regulatory changes may be on the horizon, and the lasting effects of the pandemic have shown that the sector is more than willing to pivot its strategies and remain resilient amid constant challenges.

    The Cybersecurity and Infrastructure Security Agency added two more known exploited vulnerabilities to its catalog.

    Health IT Security also reminds us

    Improper disposal of protected health information (PHI) can result in HIPAA violations, Office for Civil Rights (OCR) investigations, and hefty fines. * * *

    Fortunately, HHS maintains a great deal of guidance on the proper and improper ways to dispose of physical records and electronic PHI as required under the HIPAA Privacy and Security Rules.

    Happy New Year!

    Cybersecurity Saturday

    The American Hospital Association informs us

    The Healthcare Cyber Communications Center, FBI, Cybersecurity & Infrastructure Security Agency and National Security Agency in December warned of new ransomware strains and other cyber threats targeting health care.

    • The FBI and CISA warned of the “Cuba” Ransomware threat.
    • HC3 warned of the Royal ransomware threat.
    • HC3 warned that a new ransomware strain known as Blackcat was also targeting health care and appeared to be the successor of the notorious Russian speaking REvil ransomware gang.
    • HC3 also warned of the latest version of the LockBit ransomware, known as LockBit 3.0. The LockBit “ransomware as service” in its various forms has targeted health care since 2019.
    • The NSA advised of an advanced persistent threat known as APT5, which may be affiliated with the Chinese government, targeting the Citrix Application Delivery Controller which then provides the adversary broad network access.

    “Our cyber adversaries believe we may pause for the holidays, which may result in their increased targeting of hospitals and health systems as we have seen around past holidays,” said John Riggi, AHA national advisor for cybersecurity and risk. “But our hospitals never close and our network defenders never cease their vigilance.”

    Cybersecurity Dive provides guidance on the same topic.

    Health IT Security reports

    HITRUST plans to release version 11 of its cybersecurity framework (CSF) in January with new and improved features for managing emerging cybersecurity threats and reducing certification efforts, the organization announced.

    As previously reported, HITRUST can help healthcare organizations improve their security postures and manage third-party risk. The HITRUST CSF is a risk and compliance-based framework that aims to provide structure and guidance across a variety of data privacy and security regulations and standards, helping organizations reduce burden and complexity.

    Specifically, CSF v11 offers improved control mappings and precision in order to reduce certification efforts by 45 percent. In addition, the new version “enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.”

    CSF v11 also includes expanded authoritative sources, including the National Institute of Standards and Technology (NIST) SP 800-53, Rev 5, and the Health Industry Cybersecurity Practices (HICP) standards.  

    HITRUST also developed artificial intelligence-based standards development capabilities to assist its assurance experts in mapping and maintaining authoritative sources. HITRUST said that this AI-based toolkit will reduce maintenance and mapping efforts by up to 70 percent.

    In event news, CMS announced

    The National Standards Group (NSG), on behalf of the Department of Health and Human Services (HHS), issued a Notice of Proposed Rulemaking (NPRM) CMS-0053-P. The proposed rule, if finalized, would make a regulatory change that would implement requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patient Protection and Affordable Care Act (Pub. L. 111-148).

    This webinar will provide a public forum for CMS to hear feedback on the proposed rule. The call will cover the following topics:

    • Background on the current standards
    • What the proposed rule would do
    • How to submit comments on the proposed rule

    Note: Feedback received during this call is not a substitute for formal comments on the rule. See the proposed rule for information on submitting comments.

    This free webinar will be held on January 25, 2023, at 2 pm ET. You can register here.

    From the vulnerabilities front, the Health Sector Cybersecurity Coordination Center issued an Analyst Note last Thursday. According to the Executive Summary:

    HC3 is closely tracking hacktivist groups which have previously affected a wide range of countries and industries, including the United States Healthcare and Public Health (HPH) sector. One of these hacktivist groups—dubbed ‘KillNet’—recently targeted a U.S. organization in the healthcare industry. The group is known to launch DDoS attacks primarily targeting European countries perceived to be hostile to Russia, and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

    From the ransomware front, Cybersecurity Dive reports

    • CrowdStrike researchers discovered a new exploit method by Play ransomware actors that can bypass URL rewrite mitigations released by Microsoft in October, according to a Tuesday blog post from the incident response firm. Microsoft’s updates were designed to mitigate ProxyNotShell vulnerabilities.
    • CrowdStrike researchers discovered the new method while investigating Play ransomware activity. The entry vector was suspected to be zero-day vulnerabilities CVE-2022-41080 and CVE-2022-41082, according to the blog.
    • While investigating the attacks, researchers found threat actors entered through Outlook Web Access (OWA) and leveraged Plink and AnyDesk in order to maintain access.

    Bleeping Computer’s The Week in Ransomware is available here. After sharing its thoughts on the Microsoft issue, Bleeping Computer adds

    TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.

    Other reports this week shed light on various ransomware operations:

    From the cybersecurity defenses front

    • Healthcare IT News offers a roundup of strategies and next steps for improving cybersecurity in 2023.
    • The Wall Street Journal reports that Chief Information Officers and Chief Information Security Officers are working together to better align their respective positions.

    Cybersecurity Saturday

    From Capitol Hill, Roll Call informs us

    The Senate voted overwhelmingly Thursday to pass the final defense authorization bill for fiscal 2023, clearing the sweeping measure for President Joe Biden’s signature.

    If Biden signs the NDAA into law, as he is expected to do, it would be the 62nd straight fiscal year that the defense policy measure has been enacted.

    The Senate’s final NDAA passage vote was 83-11, and 60 votes were required. The House passed the bicameral compromise on Dec. 8.

    Of note to FEHB carriers in the bill, as noted last week, is the Chinese-made semiconductor provision. The law requires a FAR rule to implement the provision within three years, and the FAR rule cannot take effect until December 2027, five years after enactment, which will occur when the President signs the bill.

    The New York Times adds

    The Biden administration on Thursday stepped up its efforts to impede China’s development of advanced semiconductors, restricting another 36 companies and organizations from getting access to American technology.

    The action, announced by the Commerce Department, is the latest step in the administration’s campaign to clamp down on China’s access to technologies that could be used for military purposes and underscored how limiting the flow of technology to global rivals has become a prominent element of United States foreign policy. * * *

    Among the most notable companies added to the list is Yangtze Memory Technologies Corporation, a company that was said to be in talks with Apple to potentially supply components for the iPhone 14.

    On Thursday, Congress passed a military bill including a provision that will prevent the U.S. government from purchasing or using semiconductors made by Y.M.T.C. and two other Chinese chip makers, Semiconductor Manufacturing International Corporation and ChangXin Memory Technologies, because of their reported links to Chinese state security and intelligence organizations.

    The Wiley law firm helpfully offers details on this important provision.

    From the cyber vulnerabilities front —

    The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities and then one more to its catalog.

    Healthcare Dive reports

    The HHS’ Office of Information Security has released a report looking at the implications of automation for healthcare cybersecurity and how criminals are using artificial intelligence in their hacking activities.

    Cyberattackers are using AI to build better malware, the office said. The technology includes machine learning-enabled penetration testing tools, AI-supported password guessing and data to enable impersonation on social networking platforms.

    Hackers are also using automated software to identify valuable information such as emails, passwords, credit cards and personal data, according to the report.

    The Health Sector Cybersecurity Coordination Center issued this sector alert:

    Citrix released patches for a vulnerability that impacts both their Application Delivery Controller and Gateway platforms. This vulnerability allows a remote attacker to completely compromise a target system. These vulnerabilities are known to be actively exploited by a highly capable state-sponsored adversary. Furthermore, the Department of Health and Human Services is aware of U.S. healthcare entities that have already been compromised by the exploitation of this vulnerability. HC3 strongly urges all healthcare and public health organizations to review their inventory for these systems and prioritize the implementation of these patches.

    Forbes explains “Why Employee-Targeted Digital Risks Are The Next Frontier Of Enterprise Cybersecurity.”

    From the ransomware front —

    Bleeping Computer’s The Week in Ransomware has a long introduction which begins

    To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.

    This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.

    Health IT Security reports

    The HHS Health Sector Cybersecurity Coordination Center (HC3) issued two new analyst notes detailing the tactics and indicators of compromise for LockBit 3.0 and BlackCat. The LockBit ransomware family and the BlackCat ransomware variant have been observed targeting the healthcare sector.

    Healthcare organizations should remain vigilant and apply recommended mitigations to reduce risk.

    CISA released an update to its Cuba ransomware advisory.

    From the cybersecurity defenses front

    • Health IT Security tells us

    Organization executives are doubling down on investments toward cybersecurity reliance as an uptick in data security breaches jeopardizes business operations and overwhelms industries, including the healthcare sector, according to a recent Cisco report.

    The “Security Outcomes Report, Volume 3: Achieving Security Resilience” revealed that 96 percent of executives consider security resilience crucial, with 62 percent of organizations surveyed reporting a data security event that impacted business in the past two years.

    When asked to elaborate on the types of resilience-impacting incidents, over half the respondents reported data breaches and system outages. Further, ransomware events and distributed denial of service (DDoS) attacks impacted more than 46 percent of surveyed organizations.

    The report also indicated that the state of security resilience among organizations is mixed, with less than 40 percent confident their organization would fare well during a cybersecurity event.

    • Forbes identifies ten qualities of a good security program and delves into “Tackling Mental Health And Burnout In Cybersecurity.”

    Cybersecurity Saturday

    From the cybersecurity policy front, Cyberscoop reports on the highlights of the cybersecurity provisions of the bipartisan National Defense Authorization Act that the House of Representatives passed this week and the Senate is expected to pass next week.

    The December 7 FEHBlog post included the following Roll Call quote:

    Also of note, the bill would ban contractors across the government from using Chinese-made semiconductors, after a lengthy phase-in period, an aide with knowledge of the provision said Tuesday. Many federal contractors and other businesses say they are unclear how they will comply.

    The Cyberscoop article does not treat this provision as a highlight of the bill. The FEHBlog turned to ComputerWorld, which provides more details on this provision —

    While the draft legislation still provides for [Chinese made semiconductor] restrictions to be enacted, contractors now have five years to comply with them, rather than the two years stipulated in an earlier version of the proposal, and the language of the new draft leaves room for waivers to the restrictions under certain circumstances.

    Cyberscoop adds

    There are a few major exclusions in the combined House and Senate versions, too.

    [For example,] FedScoop’s John Hewitt Jones reports that the NDAA left out an amendment to codify a software bill of materials, or SBOM, in the federal procurement process. Lawmakers removed it following strong criticism from industry.

    That piece of the legislation would have required “all holders of existing covered contracts and those responding to requests for proposals from the U.S. Department of Homeland Security to provide a bill of materials and to certify that items in the bill of materials are free of vulnerabilities or defects,” Hewitt Jones reported.

    Health IT Security tells us

    Experts gathered in Boston on December 5 and 6 for the HIMSS Healthcare Cybersecurity Forum to explore topics such as risk quantification, clinical perspectives on cybersecurity, and medical device security.

    Speakers included leaders from the Health Sector Coordination Council (HSCC), Northwell Health, Forrester, the Federal Bureau of Investigation, the National Institute for Standards and Technology (NIST), and more.

    The presentations collectively showed that healthcare cybersecurity experts are well aware of the risks facing the sector. However, more collaboration, communication, and balance are needed to effectively tackle those risks and emerge stronger as an industry.

    The Cybersecurity and Infrastructure Security Agency (CISA) offers a readout from the December 6 meeting of its Cybersecurity Advisory Committee:

    [CISA] Director [Jen] Easterly led a discussion with committee members on the CSAC’s strategic focus for 2023.   

    “I truly appreciate the caliber of experts who have taken the time to participate in this committee and, moreover, for their continuous work in helping CISA become the Cyber Defense Agency our nation needs and deserves,” said CISA Director Jen Easterly. “I look forward to working with the Committee in the new year to ensure we are continuing to build a more cyber resilient nation to confront the challenges we face in cyber space.”   

    “In a time of critical cybersecurity threats, CISA is in a unique position to make a meaningful impact on our Nation’s security,” said the CSAC Chair and Chairman, President & CEO of Southern Company, Tom Fanning. “The Committee members and I look forward to providing strategic recommendations to CISA’s Director Jen Easterly in the coming year to advance CISA’s mission, as they continue to strengthen the cybersecurity posture of the United States.” 

    From the cyber vulnerabilities front —

    HHS’s Health Sector Cybersecurity Coordination Center (HC3) released the following documents on this topic:

    CISA added one more known exploited vulnerability to its catalog.

    Cybersecurity Dive looks back at the Log4Shell cybersecurity crisis that first gained widespread public attention in December 2021.

    One year after the disclosure of a critical vulnerability in the Apache Log4j logging utility, the nation’s software supply chain remains under considerable threat as federal authorities and the information security community struggle to transform how it develops, maintains and consumes applications in a more secure fashion. 

    The vulnerability, dubbed Log4Shell, allowed unauthenticated and untrained threat actors to gain control over applications using a single line of code. 

    Thus far, many of the initial fears of catastrophic cyberattacks have failed to materialize, but federal authorities warn this constitutes a long-term threat that must be carefully monitored and fully remediated to prevent a major security crisis. 

    From the ransomware front —

    Cybersecurity Dive reports, “Ransomware attacks shift beyond US borders; U.S.-based organizations remain the top target for ransomware gangs, but the scale of that misfortune is waning, according to Moody’s.” Here’s the Moody’s report on 2023 Global Cyber Risk.

    HC3 released an analyst report on Royal ransomware. “Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.”

    The Bleeping Computer’s Week in Ransomware informs us

    This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.

    Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.

    However, today [December 9] they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.

    From the cyber defenses front —

    CISA provides us with

    Phishing Infographic to help protect both organizations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organizations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations.

    ZDNet also discusses how people can identify and deter phishing attacks.

    The National Institute of Standards and Technology issued Special Publication (SP) 1800-34, which offers organizations guidance on verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.

    Cybersecurity Saturday

    From the cybersecurity policy front —

    Health IT Security reports

    Following reports that patient data was transmitted to Facebook through the use of tracking technology on hospital websites and within password-protected patient portals, the HHS Office for Civil Rights (OCR) issued a bulletin outlining the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate.

    Covered entities and business associates using tracking tools such as Google Analytics and Meta Pixel should pay close attention to their obligations under HIPAA, OCR noted.

    Cybersecurity Dive informs us

    The Cyber Safety Review Board is set to examine the Lapsus$ ransomware gang, the U.S. Department of Homeland Security announced Friday. A prolific group, Lapsus$ has targeted a wide range of global companies and government agencies, sometimes with ruthless digital extortion, since late 2021. * * *

    “The CSRB will review how this group has allegedly impacted some of the biggest companies in the world, in some cases with relatively unsophisticated techniques, and determine how we all can build resilience against innovative social engineering tactics and address the role of international partnerships in combating criminal cyber actors,” Mayorkas said Friday during a conference call with reporters. “As cyberthreats continue to evolve, we have to evolve the methods we use to protect ourselves against cybercriminal activity and increase our resilience against future attacks.” * * *

    CSRB Deputy Chair Heather Adkins, VP of security engineering at Google, noted that many of the reported targets of Lapsus$ were considered to have very strong cybersecurity programs. These organizations had followed recommended security controls, and in some cases even advanced controls, but still felt a significant impact from the attacks. 

    Several alleged members of the extortion gang have been arrested, but researchers suspect other affiliates of Lapsus$ remain unaccounted for.

    Healthcare Dive offers an interview with the National Coordinator for Health IT, Mickey Tripathi, about federal health information blocking enforcement.

    From the cybersecurity breaches/vulnerabilities front —

    • Health IT Security summarizes recent breaches suffered by healthcare organizations.
    • ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs.
    • The research, based on customer data by HP Wolf Security, found in the period between July and September this year, 42% of attempts at delivering malware attacks used archive file formats, including ZIP and RAR.
    • That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.

    From the ransomware front —

    • The Health Sector Cybersecurity Coordination Center shared an updated CISA / FBI alert about a Cuba ransomware actor.
    • The Bleeping Computer released its Week in Ransomware.

    From the cybersecurity defenses front —

    • Venture Beat offers Gartner analysts’ eight cybersecurity predictions for 2023.
    • Health IT Security reports “Connected device security company Ordr published a maturity model to help healthcare organizations evaluate and improve the security of their connected devices. The guide is broken down into five stages of maturity, each with recommended actions and detailed descriptions.”
    • The Wall Street Journal warns “Companies should do a better job of handling internal cybersecurity complaints before they escalate to whistleblowing, which is becoming more common in the cyber field, lawyers and industry veterans said.”