Weekend Update

Weekend Update

From Washington, DC,

  • The House of Representatives and the Senate are on District / State work breaks from Capitol Hill this week due to the Thanksgiving holiday.
  • The Hill offers backgrounds on the Food and Drug Administration commissioner, Centers for Disease Control director, and Surgeon General nominees that President-elect Trump announced Friday evening.
  • STAT News reports
    • “A conservative federal judge in Texas has ruled in favor of UnitedHealth Group, saying the federal government unlawfully factored in a “disputed” phone call to lower UnitedHealth’s Medicare Advantage ratings. 
    • “The Centers for Medicare and Medicaid Services will now have to revise UnitedHealth’s 2025 Medicare Advantage ratings by taking out the call center metric, and “immediately publish the recalculated star ratings in the Medicare Plan Finder,” Judge Jeremy Kernodle wrote in his ruling.”
    • Congrats UHG.
    • “Four other large Medicare Advantage insurers — Humana, Elevance Health, Centene, and Blue Cross Blue Shield of Louisiana — have also sued Medicare for downgrading their 2025-star ratings. The lawsuits from Humana and Centene similarly involve the government’s evaluation of their call centers.”
  • Federal News Network tells us,
    • “The Office of Personnel Management has a new leader to focus specifically on federal employees working in HR. Jeff Bardwell will be the first-ever senior executive to serve as the advisor for human resources workforce programs at OPM. In the new position, Bardwell will be tasked with developing and managing the direction of the HR workforce governmentwide. His work will likely include defining HR career paths and improving HR training and professional development opportunities. Bardwell previously spent 15 years working at the Department of Homeland Security.”

From the public health and medical research front,

  • The New York Times discusses how healthcare can unnecessarily take time away from senior citizens.
    • “[S]lowing the health care treadmill — an approach Dr. Montori has called “minimally disruptive medicine” — is possible.
    • “If doctors and clinics and health care systems paid attention to ways to lessen the burden, we’d all be better off,” Dr. Ganguli said. “And some are fairly simple.”
    • “One strategy: reducing what experts call “low-value care.” Her research has confirmed what critics have pointed out for years: Older people receive too many services of dubious worth, including prostate cancer screening in men over 70 and unneeded tests before surgery.”
  • Fortune Well shares “Tips and habits for getting a good night’s rest and boosting your health.”
  • The Wall Street Journal offers an obituary for “Janelle Goetcheus, the ‘Mother Teresa of Washington, D.C.,’ dies at 84. She felt a pull to practice medicine and a call to serve God—the two were always intertwined.
    • “Goetcheus [and her husband, a Methodist minister] spent the [last] half-century treating the unhoused in Washington, D.C. She helped open clinics, organizations and warm buildings to support and care for them. She also visited patients on park benches and in the street—treating people where they are was central to her mission.
    • “Sometimes called the “Mother Teresa of Washington, D.C.,” Goetcheus was best known for co-founding Christ House with a group that included her husband, the Rev. Allen Goetcheus. A “medical respite,” Christ House is a place where men who are no longer sick enough to be in a hospital, but don’t have an appropriate place to convalesce, can live while they recover. It was also the home where the couple raised their three children and where she died, Oct. 26, at the age of 84.” * * *
    • “We wanted to learn to be with people and not just to do for people,” Goetcheus said in the oral-history interview.”
    • RIP Dr. Goetcheus.

From the U.S. healthcare business front,

  • The Washington Post reports,
    • “A growing number of companies have begun to offer employees access to menopause-related benefits in their health insurance, including paid time off, access to health providers knowledgeable about menopause, coverage of medication for menopause symptoms, and even altered work schedules and relaxed dress code options. These benefits are meant to help employees cope with symptoms such as hot flashes, depression and other physical discomforts.
    • “The benefits are designed to meet the needs of people dealing with menopause and of their employers, who are adding such coverage to help retain employees, many who have decades of experience, are in management and senior leadership positions or are in line for those posts.
    • “Among the companies offering a variety of menopause-related benefits are Microsoft, Genentech, Adobe and insurer Healthfirst.”
  • BioPharma Dive reports,
    • “The Food and Drug Administration has approved a new medicine for a deadly genetic heart condition, boosting its developer, BridgeBio Pharma, and teeing up a battle for control of a lucrative market targeted by several drugmakers.
    • “The agency on Friday cleared Attruby, known scientifically as acoramidis, for people with a cardiac form of transthyretin amyloidosis, a progressive disease that leads to heart failure and death.
    • “In testing, Attruby helped keep people alive and out of the hospital longer than those who’d received a placebo. Treatment was also associated with improvements in quality of life as well as markers of heart health.
    • “Notably, the drug is approved to prevent hospitalization or death resulting from heart complications of transthyretin amyloidosis with cardiomyopathy. Investors had been skeptical BridgeBio would earn such a distinction from regulators, leading to doubts about Attruby’scommercial prospects. 
    • “BridgeBio priced Attruby at just under $19,000 for a 28-day supply, translating to an annual list cost of about $244,000.”
  • McKinsey & Company considers what’s next for AI and healthcare.
    • In healthcare—with patient well-being and lives at stake—the advancement of AI seems particularly momentous. In an industry battling staffing shortages and increasing costs, health system leaders need to consider all possible solutions, including AI technologies. “Organizations are eager to use generative AI to help enhance how healthcare stakeholders work and operate,” write McKinsey’s Jessica Lamb and coauthors, “but some are still adopting a wait-and-see approach.” Where do you stand? Explore these insights to get up to date on AI and healthcare topics including: 
      • Adding artificial intelligence to nurses’ toolbox
      • Making coverage and cost information more understandable
      • AI impact on the payment integrity (PI) value chain
      • AI use cases in claims processing, enrollment, and underwriting.
  • HR Dive provides “a roundup of numbers from the last week of HR news — including the percentage of employers covering GLP-1s for obesity treatment [44%].”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
    • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
    • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
    • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
  • and
    • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
    • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
    • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
  • and
    • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
    • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
    • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

  • Per a Cybersecurity and Infrastructure Security Agency press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
    • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
    • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
    • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 
  • Security Week adds,
    • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
    • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
    • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
    • “Raw details on the patched vulnerabilities:
      • CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
      • CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1macOS Sequoia 15.1.1 and the older iOS 17.7.2.”
  • Cybersecurity Dive lets us know,
    • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
    • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
    • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”
  • HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.
  • Dark Reading lets us know,
    • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-serviceplatform that enabled its customers to target companies and individuals since 2017.
    • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”

From the ransomware front,

  • The American Hospital Association News reports,
    • joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data. 
    • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
       
  • Hacker News informs us,
    • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
    • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
    • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
    • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”
  • Per Dark Reading,
    • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
    • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
    • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
    • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
  • Security Intelligence tells us,
    • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
    • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
    • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
    • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
  • and
    • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
    • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
    • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
    • “The service will be available to the Windows Insider Program community starting in early 2025.”
  • Cyberscoop reports,
    • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
    • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
    • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
    • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.
  • Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
    • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”

Monday Round up

Photo by Sven Read on Unsplash

From Washington, DC,

  • Federal News Network Interviews Consumer Checkbook’s Kevin Moss “on how a little planning can offset rise in premium costs” when selecting an FEHB or PSHB plan for 2025.
  • KFF examines Plan Offerings, Premiums and Benefits in Medicare Advantage Plans During the Medicare Open Enrollment Season for Coverage in 2025.
  • The American Hospital Association tells us,
    • “To recognize National Rural Health Day Nov. 21, AHA has released a blog and infographic that address challenges in accessing rural behavioral health care and approaches to solving them, respectively. From Nov. 18-22, AHA will honor our rural workforce by sharing rural health content through AHA Today, social media and other channels.” 
  • The Congressional Research Service released a Focus report about the qualified medical expenses that health savings account (“HSA”) holders can use the HSA to pay.
  • BioPharma Dive lets us know,
    • “Massachusetts-based Syndax Pharmaceuticals won Food and Drug Administration approval Friday for a new kind of drug to treat an aggressive form of leukemia in adults and some children.
    • “The oral drug, which Syndax will sell as Revuforj, is the first of its type, a class of compounds known as menin inhibitors. It’s cleared for patients one year or older who have relapsed or refractory acute leukemia that harbors a specific mutation: translocations in the lysine methyltransferase 2A, or KMT2A, gene.
    • ‘People with this type of leukemia are more likely to relapse and have a median overall survival of less than one year. Syndax plans to launch two doses of the drug, which it priced at about $475,000 per year before rebates or discounts, later in November. A lower dose for patients who weigh less will be available next year.”

The public health and medical research front,

  • The New York Times reports,
    • “One of the first warnings came in a paper published in 2021. There was an unexpected rise in pancreatic cancer among young people in the United States from 2000 to 2018. The illness can be untreatable by the time it is discovered, a death sentence.
    • “With publication of that report, by Dr. Srinivas Gaddam, a gastroenterologist at Cedars-Sinai Medical Center, researchers began searching for reasons. Could the increase be caused by obesity? Ultraprocessed foods? Was it toxins in the environment?
    • “Alternatively, a new study published on Monday in The Annals of Internal Medicine suggests, the whole alarm could be misguided.
    • “The authors of the paper, led by Dr. Vishal R. Patel a surgical resident at Brigham and Women’s Hospital in Boston, did not dispute the data showing a rising incidence. They report that from 2001 to 2019 the number of young people — ages 15 to 39 — diagnosed with pancreatic cancer soared. The rate of pancreatic surgeries more than doubled in women and men.
    • “The problem is that the expected consequence of such a rise in cancers did not occur. With more pancreatic cancers in young people, there should be more pancreatic cancer deaths. And there were not. Nor were more young people getting diagnosed with later-stage cancers. Instead, the increase was confined to cancers that were in very early stages.
    • “Many cancers will never cause harm if left alone, but with increasingly sensitive tools, doctors are finding more and more of them. Because there usually is no way to know if they are dangerous, doctors tend to treat them aggressively. But they would never have shown up in death statistics if they had not been found.
    • “It’s the hallmark of what researchers call overdiagnosis: a rise in incidence without a linked rise in deaths.”
  • STAT News informs us
    • “At the Milken Institute’s Future of Health Summit on Thursday, researchers and health care executives talked about efforts to detect cancers earlier, save lives, and get to the root of why cancers have begun to rise in this population. 
    • “The big question is always why,” said Kimryn Rathmell, director of the National Cancer Institute. “We need to understand the variation so that we can begin to understand which parts are related to obesity, diet and exercise; which ones are more related to sun exposure, smoking, alcohol — the risk factors that are well-known to us, but may have a variation in how they’re being consumed or exposed in younger people today.” * * *
    • “Since cancer is still rare among younger adults, people are likely to get negative test results. That “runs the risk of people, by the time they get older, kind of shrugging their shoulders and saying, ‘Well, I’ve been doing this for 10 years, why should I keep doing it?’” said Harlan Levine, president of health innovation and policy at the City of Hope.
    • “Part of the solution, the group agreed, is to develop more efficient, targeted tests that can detect cancers earlier on. Mohit Manrao, the head of U.S. oncology at AstraZeneca, noted that the company has recently developed an AI tool that can use biomarkers from common hospital tests to predict the likelihood that a person will get a disease, including some cancers, before a doctor would be able to make a diagnosis.
    • “It’s also important to expand outreach to populations that haven’t had access to it in the past. Black women, for example, have a lower incidence of breast cancer than white women but 40% higher chance of dying from it.”
  • and
    • “Lipoprotein(a) is a risk factor for cardiovascular disease you may not hear about in your annual physical. Like LDL, or “bad” cholesterol, too much of the LDL-like particle can create plaque that clogs arteries, creating potential blockages that lead to heart attacks or strokes. It’s also implicated in aortic stenosis, when the aortic valve narrows, pinching blood supply to the rest of the body.
    • “But unlike cholesterol, Lp(a) does not surrender to statins or respond to a healthier lifestyle of improved diet and more physical activity. Its levels are determined by your genes, putting the estimated 1 in 5 people who have high levels at a two- or threefold higher risk than people without what’s called the most common genetic dyslipidemia. In the United States, that would mean 64 million people are at risk and 1.4 billion people worldwide.
    • “At the American Heart Association’s scientific sessions Monday, researchers presented Phase 2 data on two treatments for elevated Lp(a): an oral drug called muvalaplin and an RNA-silencing injection called zerlasiran. Both studies were also published in JAMA and include several of the same co-authors, led by Steven Nissen of the Cleveland Clinic and Stephen Nicholls of Monash University.
    • “These two new reports add to the growing evidence in at least five different drug programs directed for lowering Lp(a) that the agents are potent, capable of 80% reduction or more, with durable effects over extended treatment,” said Eric Topol, cardiologist and geneticist and director of the Scripps Research Translational Institute. He was not involved in either study. “Most of the programs are siRNA injectables but one here is oral, which is encouraging, more practical, and may be less expensive.”
  • Per Medscape,
    • “Artificial intelligence (AI) helps produce echocardiograms more quickly and efficiently, with better-quality images and less fatigue for operators, shows the first prospective randomized controlled trial of AI-assisted echocardiography.
    • “The Japanese study used Us2.ai software, developed from an 11-country research platform and supported by the Singapore Agency for Science, Technology and Research. This system and another newly developed AI system, PanEcho — developed at the Yale School of Medicine in New Haven, Connecticut, and the University of Texas at Austin — can automatically analyze a wide range of structures, functions, and cardiographic views. Studies of these two systems were presented at the American Heart Association (AHA) Scientific Sessions 2024.
  • Per MedPage Today,
    • “More than half of all adults in the U.S. are eligible for semaglutide (Ozempic, Wegovy, Rybelsus), researchers estimated.
    • “Among 25,531 participants in the National Health and Nutrition Examination Survey (NHANES) from 2015 to 2020, 8,504 were eligible for semaglutide, representing an estimated 136.8 million adults across the country. All met the criteria for at least one of three indications that the drug is currently approved for — diabetes, weight management, or secondary cardiovascular disease (CVD) prevention, reported Dhruv S. Kazi, MD, MSc, of Beth Israel Deaconess Medical Center in Boston, and colleagues.”
  • The Washington Post adds,
    • “From August 2021 to August 2023, 4.5 percent of adults in the United States had undiagnosed diabetes, the Centers for Disease Control and Prevention says in a recent report. And a little over 11 percent of U.S. adults had been diagnosed with the condition as of the same time period, the CDC says.” * * *
    • “The study looked at how total, diagnosed and undiagnosed diabetes differed across demographics including age, weight and educational attainment. Undiagnosed diabetes prevalence increased with age. For example, about 1.3 percent of adults ages 20 to 39 with diabetes were undiagnosed vs. 5.6 percent of those 40 to 59. Among those 60 and older, some 6.8 percent of people with diabetes had not been diagnosed.”
  • The American Medical Association shares “what doctors wish patients knew about sciatica.”
  • Per BioPharma Dive,
    • “A single infusion of a CRISPR therapy developed by Intellia Therapeutics showed promising signs of stabilizing a heart disorder caused by the rare disease transthyretin amyloidosis, buoying the company’s hopes of finding success in late-stage clinical trials.
    • Phase 1 study data from 36 people with the cardiomyopathy form of transthyretin, or ATTR, amyloidosis showed Intellia’s gene editing treatment sharply and durably lowered levels of the ATTR protein that misfolds and gathers in the toxic clumps that characterize the disease.
    • “Prior trial results, in fewer people and across shorter periods of time, had already shown Intellia’s therapy capable of reducing ATTR protein. The new findings, which were published Friday in The New England Journal of Medicine, show those reductions appeared to translate to stability or improvement on several markers of cardiac disease progression, too.”
  • Per a National Institutes of Health press release,
    • “Researchers from the National Institutes of Health (NIH) have developed an artificial intelligence (AI) algorithm to help speed up the process of matching potential volunteers to relevant clinical research trials listed on ClinicalTrials.gov. A study published in Nature Communications(link is external) found that the AI algorithm, called TrialGPT, could successfully identify relevant clinical trials for which a person is eligible and provide a summary that clearly explains how that person meets the criteria for study enrollment. The researchers concluded that this tool could help clinicians navigate the vast and ever-changing range of clinical trials available to their patients, which may lead to improved clinical trial enrollment and faster progress in medical research.
    • “A team of researchers from NIH’s National Library of Medicine (NLM) and National Cancer Institute harnessed the power of large language models (LLMs) to develop an innovative framework for TrialGPT to streamline the clinical trial matching process. TrialGPT first processes a patient summary, which contains relevant medical and demographic information. The algorithm then identifies relevant clinical trials from ClinicalTrials.gov for which a patient is eligible and excludes trials for which they are ineligible. TrialGPT then explains how the person meets the study enrollment criteria. The final output is an annotated list of clinical trials—ranked by relevance and eligibility—that clinicians can use to discuss clinical trial opportunities with their patient.
    • “Machine learning and AI technology have held promise in matching patients with clinical trials, but their practical application across diverse populations still needed exploration,” said NLM Acting Director, Stephen Sherry, PhD. “This study shows we can responsibly leverage AI technology so physicians can connect their patients to a relevant clinical trial that may be of interest to them with even more speed and efficiency.”
    • “To assess how well TrialGPT predicted if a patient met a specific requirement for a clinical trial, the researchers compared TrialGPT’s results to those of three human clinicians who assessed over 1,000 patient-criterion pairs. They found that TrialGPT achieved nearly the same level of accuracy as the clinicians.”
  • Per Healio,
    • “Most people at high risk for lung cancer have not discussed screening for the disease with their clinician or have even heard of the test, according to a research letter published in JAMA Network Open.
    • “The findings come despite lung cancer screening demonstrating effectiveness at identifying cancer and reducing related mortality outcomes, a researcher pointed out.
    • “We’ve got a screening test that works. It works as well, if not better, than breast and colorectal cancer screening in terms of mortality reduction. It’s one of the most life-saving things we have for a cancer that kills more people than either of those two combined,” Gerard A. Silvestri, MD, MS, FCCP, a professor of medicine at the Medical University of South Carolina (MUSC) and the study’s senior author, said in a press release.
    • “Silvestri and colleagues noted that physician-patient communication is vital for the uptake of lung cancer screening, which only 18% of eligible patients are up to date on, according to a prior study published in JAMA Internal Medicine.”

From the U.S. healthcare business front,

  • Healthcare Dive reflects,
    • “Despite growing revenues, most major insurers saw their profits from offering health plans shrink in the third quarter as pressures in government programs stretched into the back half of the year.
    • “In Medicare Advantage, seniors are still utilizing more healthcare than insurers expected when pricing their plans. And in Medicaid, states’ payment rates continue to land well below the cost of caring for beneficiaries in the safety-net programs, payers say.
    • “Those forces coalesced to hit insurers, slamming some — notably, CVS-owned Aetna and Humana — while swatting others. Aetna was particularly affected, posting the steepest year-over-year drop in operating profit by a wide margin.
    • “Only two insurers — Cigna and Molina — reported a year-over-year increase in operating profit from insurance arms: Cigna, because most of its members are in commercially insured plans, which shelters the payer from headwinds in government plans; and Molina due to risk corridors that absorbed the worst of unexpected cost trends, and rate updates from Medicaid states. 
    • “Yet overall, medical loss ratios — an important metric of spending on patient care — increased 3.3 percentage points year over year when averaged across the seven major publicly traded payers. That’s a major leap. Again, Aetna saw the most drastic change — and management warned investors the MLR could increase further, from 95.2% this quarter to 95.5% in the fourth.”
  • The Wall Street Journal adds,
    • CVS Health is adding four new members to its board in an agreement with Glenview Capital Management, a hedge fund that pushed for changes at the healthcare company.
    • “The new members include Glenview Chief Executive Larry Robbins, as well as three other executives with health-sector and financial experience. The board’s total membership will be 16 with the new additions.
    • ‘Robbins and CVS Executive Chairman Roger Farah said the company and the investor had agreed to cooperate. 
    • “The board members that are joining bring unique skills, they’ll be additive to the existing board, and we expect to work collaboratively,” Farah said in an interview.”
  • Beckers Hospital Review offers eight predictions about hospital financial stability in 2025 based ona a November 13 report issued by Moody’s Investor Services.
  • Modern Healthcare reports,
    • “Ascension Wisconsin plans to close a hospital in Waukesha and consolidate a few lines of service among other facilities in the southeast region of the state.
    • “The Waukesha “micro-hospital,” which offers emergency and low-acuity care services, is slated to shut down in January, said Ascension Wisconsin Senior Director of External Relations Mo Moorman on Monday.
    • “The facility is part of a joint venture between Glendale-based Ascension Wisconsin and micro-hospital developer Emerus, which staffs and manages the location. The decision to close was due to consistently low patient volumes, Moorman said.
    • “Other facilities run by the joint venture will not be affected.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
    • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
    • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”
  • NextGov/FCW tells us,
    • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
    • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
    • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
    • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
  • and
    • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
    • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
    • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
    • “Second up is facilitating an effective transition for the incoming Trump administration 
    • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
    • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 
  • The Government Accountability Office released a report highlighting that
    • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”
  • The National Institute for Standards and Technology announced,
    • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
    • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
    • The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
  • FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

  • From a November 12, 2024, CISA press release
    • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
    • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
  • Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • Per Cybersecurity Dive,
    • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation
    • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”
  • Per Dark Reading,
    • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
    • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
    • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
  • and
    • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
    • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
    • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
    • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”
  • Per AI Business,
    • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
    • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
    • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
    • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
    • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

  • On November 13, the Register reported,
    • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
    • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
    • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
    • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
  • Bleeping Computer informs us,
    • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
    • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
    • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
    • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
  • Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
    • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
    • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
    • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
    • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
    • “S3 buckets are one of the most referenced targets of malicious activity.
    • P.S. S3 Buckets are public cloud storage containers for objects stored in simple storage service (S3). S3 buckets can be likened to file folders and object storage.

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
    • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
    • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”
  • HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.
  • Here is a link to Dark Reading’s CISO Corner.
  • Bleeping Computer lets us know,
    • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
    • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
    • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”





Thursday Miscellany

Photo by Josh Mills on Unsplash

From Washington, DC,

  • The Wall Street Journal reports,
    • “President-elect Donald Trump said he would nominate environmental lawyer and vaccine skeptic Robert F. Kennedy Jr. to serve as health and human services secretary, putting a noted critic of U.S. public policy atop the country’s vast health bureaucracy. 
    • “Kennedy has promised sweeping changes to food-and-drug regulation and government-funded scientific research, in recent days saying the Food and Drug Administration’s nutrition department needed to be eliminated and warning the agency’s employees to “pack your bags.”
    • “Kennedy, 70 years old, abandoned his independent presidential bid in August and endorsed Trump, promising that he and the Republican would work to “make America healthy again.”
    • “Kennedy said on social media after his nomination that “we have a generational opportunity to bring together the greatest minds in science, medicine, industry, and government to put an end to the chronic disease epidemic.”
  • Per an HHS press release,
    • “Today, the Health Resources and Services Administration (HRSA), an agency of the U.S. Department of Health and Human Services (HHS), announced a new nationwide campaign to raise public awareness of the National Maternal Mental Health Hotline (1-833-TLC-MAMA). The National Maternal Mental Health Hotline is a cornerstone of the Biden-Harris Administration’s broader efforts to improve maternal health and supports HRSA’s ongoing initiative to reduce maternal mortality and health disparities. While mental health conditions are the leading cause of pregnancy-related deaths, more than 80 percent of pregnancy-related deaths are preventable according to the Centers for Disease Control and Prevention (CDC).
    • “As part of the campaign, HHS will collaborate with companies and organizations such as retailers, grocers, pharmacies, and health and community associations to publicize mental health resources for moms and pregnant women in everyday locations. The first six Maternal Mental Health Champions announced today have thousands of locations and a broad presence in all 50 states, Washington, D.C., Puerto Rico, and the U.S. Virgin Islands. HRSA Deputy Administrator Jordan Grossman announced this campaign in conjunction with HRSA’s latest state Enhancing Maternal Health Initiative convening in Portland, Oregon.” * * *
    • “The National Maternal Mental Health Hotline is a safe space for pregnant women and new moms to get the emotional and mental health support they need, and we want to continue to reach even more pregnant women, new moms, and their loved ones with this vital support,” said HRSA Administrator Carole Johnson. “That’s why we are excited to partner with grocery stores, pharmacies, and other organizations to help get the word out about this important resource for in communities across the country.” * * *
    • “For more information on the National Maternal Mental Health Hotline and to download new promotional materials, visit: https://mchb.hrsa.gov/national-maternal-mental-health-hotline.”
  • Healthcare Dive lets us know,
    • “The Biden administration is moving to lessen the importance of a controversial metric used to calculate valuable Medicare Advantage star ratings that’s been at the center of recent lawsuits.
    • “UnitedHealthcare, Centene and Humana have all sued the government this fall for downgrading their quality scores based on assessments of their customer support centers. Payers argued the measure had an outsized impact on final star ratings, and it now seems regulators might agree.
    • “We have already put in place that [the call center metric] is going to have a smaller weighting on star ratings moving forward,” CMS Medicare Director Meena Seshamani said Wednesday at the Milken Institute’s Future of Health Summit in Washington, D.C.”
  • Federal News Network interviews OPM Director Rob Shriver about the Federal Employee Benefits Open Season.
  • Tammy Flanagan, writing in Govexec, identifies federal and postal employee “retirement decisions that require careful consideration since they cannot be changed.”
  • Federal News Network tells us,
    • “The Postal Service is reporting a deeper financial loss than it’s seen in recent years and is calling on Congress and the incoming Trump administration to address rising costs that are beyond its control.  
    • “USPS reported a $9.5 billion net loss for fiscal 2024, despite year-over-year growth in revenue and a reduction in its controllable expenses. The agency saw a $6.5 billion loss in FY 2023. 
    • “USPS officials said 80% of the agency’s losses come from fixed costs — including pension contributions for its retirees and workers’ compensation claims for employees injured on the job.  
    • “The agency will not seek to raise mail prices in January 2025, but it plans to keep setting higher prices each July and January after that, through the end of 2027.
    • “USPS projections show the agency will end FY 2025 with a $6.9 billion net loss for FY 2025 and is falling short of its “break-even” goal under a 10-year reform plan.” 

From the public health and medical research front,

  • STAT News reports,
    • “A Canadian teenager who is in critical condition after contracting H5N1 bird flu was infected with a version of the virus that is different from the one circulating in dairy cattle in the United States, Canadian authorities announced Wednesday.
    • “The National Microbiology Laboratory in Winnipeg confirmed the infection was indeed caused by the H5N1 virus. But genetic sequencing showed that it is of a genotype that has been found in wild birds, not the version that has been circulating in dairy cattle in the U.S. 
    • “Canada has been doing surveillance in dairy cows looking for the virus, but to date has not detected it in any herds.
    • “Bonnie Henry, British Columbia’s provincial health officer, told STAT in an interview that she’d been expecting these genetic sequencing results. “That’s what we’ve been seeing consistently,” she said.”
  • HCPLive informs us,
    • “Initiation of population-wide screening for chronic kidney disease (CKD) followed by treatment with conventional CKD therapy combined with sodium-glucose cotransporter-2 (SGLT2) inhibitors would be cost-effective for US adults when initiated at 55 years of age, according to findings from a recent study.
    • “Results showed screening every 5 years combined with SGLT2 inhibitors from 55-75 years of age would cost $128,400 per quality-adjusted life year (QALY) gained. While initiation of screening at 35 or 45 years of age produced larger population health benefits, these strategies incurred additional costs totaling> $200,000 per QALY gained.
    • “In the absence of effective CKD treatment options at the time, in 2012, the US Preventive Services Task Force found insufficient evidence to show screening and early detection of CKD improved clinical outcomes. However, the recent emergence of SGLT2 inhibitors as a practice-changing therapy for CKD has prompted clinical guideline organizations to update standard of care recommendations for CKD to include these medications.”
  • Per BioPharma Dive,
    • “PTC Therapeutics on Wednesday won Food and Drug Administration approval for Kebilidi, the first gene therapy cleared in the U.S. for direct administration to the brain.
    • “The treatment is designed for patients with aromatic L-amino acid decarboxylase, or AADC, deficiency, a condition that affects the way neurons transmit information to other cells. The potentially fatal disorder typically manifests in the first six months after babies are born and affects all aspects of their lives, both physical and mental.
    • “Kebilidi is designed to deliver a functioning DDC gene into the body, correcting the genetic defect that causes the disorder. It’s administered by a neurosurgeon in four infusions in one session.”
  • Healthcare Dive relates,
    • “Increased telehealth utilization wasn’t linked to more low-value services at primary care clinics, according to a study published this week in JAMA Network Open.
    • “The research found no association between practices that used high levels of telehealth and most types of low-value care, or services that have no clinical benefit for patients and rack up costs.
    • “The findings could reassure policymakers who have raised concerns that virtual care could increase unnecessary or wasteful services and drive-up healthcare spending, the study’s authors wrote.” 
  • The Wall Street Journal reports,
    • “Intermittent fasting probably isn’t the health hack you hoped it would be.
    • “More studies suggest the tactic can help you lose weight, but likely isn’t a silver bullet for other health improvements like lowering your inflammation levels or lengthening your lifespan. And some evidence suggests fasting can make it harder to build and retain muscle.
    • “People were hoping it was this magical thing that did amazing things for them,” says Krista Varady, a professor of nutrition at the University of Illinois Chicago who has been studying intermittent fasting for 20 years. “All it does is help people eat less.”

From the U.S. healthcare business front,

  • AHIP lets us know,
    • “With more than half of Americans – approximately 180 million people – receiving health care coverage through work, a new nationwide poll finds that a strong majority are satisfied with their current employer-provided plans (75%) and prefer to get their coverage through an employer rather than through the federal or state government (74%).
    • “The poll found that Americans’ satisfaction with employer-provided coverage is driven by the comprehensive coverage (49%), affordability (48%) and choice of providers (45%) their plans provide.” * * *
    • “The national survey of 1,000 people with employer-provided coverage was conducted online from July 10-19, 2024, with a margin of error of +/- 3%. 
      • “Click here to view the infographic.
      • “Click here to view the survey results.
      • “Click here to view a slide presentation of the survey results.”
  • Fierce Healthcare reports about the second day of its Fierce Health Payer Summit.
  • The FEHBlog took sometime today listening to the HCPLAN Summit, which was held in Baltimore. At the Summit, HCPLAN released the 2024 results of its Alternative Payment Models survey.
  • Adam Fein, writing in his Drug Channels blog, points out,
    • “Uh oh. As I predicted, the stand-alone Medicare Part D prescription drug plans (PDP) market is vanishing.
    • “For 2025, DCI’s exclusive analysis of Center for Medicare & Medicaid Services’ (CMS) data reveals that the number of PDPs will drop to a historic low. What’s more, the share of plans with a preferred cost sharing pharmacy network will fall to its lowest rate in more than 10 years. Check out the distressing charts below and our review of the remaining national players (Aetna, Cigna, Humana, UnitedHealthcare, and WellCare). 
    • “The destruction of the Part D market marks yet another unintended consequence of the Inflation Reduction Act of 2022 (IRA). The IRA makes PDPs less economically viable and will drive even more seniors into Medicare Advantage Prescription Drug (MA-PD) plans—despite the challenges facing those plans. The 2025 decline will occur even after CMS gifted $7 billion to PDPs to prevent a complete collapse of the 2025 market. 
    • “Legislate in haste. Repent in leisure.”
  • STAT News reports,
    • “In a move to safeguard the company’s dominant position in cancer, Merck said Thursday it will license a new cancer drug from LaNova Medicines, a Shanghai-based firm, for $588 million upfront and as much as $2.7 billion in potential milestone payments.
    • “The cancer immunotherapy Keytruda, Merck’s most important product and the best-selling drug in the world with $23 billion in annual sales, is set to lose patent protection and face competition from generic drugmakers as early as 2028, and investors are already fretting about what will happen at Merck when revenues from the medicine begin to decline.”
  • Healthcare Dive lets us know,
    • “A group of health systems, led by Boston-based Mass General Brigham, is hoping to solve that problem. 
    • “On Wednesday, the academic medical center launched the Healthcare AI Challenge Collaborative, which will allow participating clinicians to test the latest AI offerings in simulated clinical settings. Clinicians will pit models against each other in head-to-head competition and produce public rankings of the commercial tools by the end of the year.
    • “Participating health systems say that the chance to directly compare AI products is overdue.”
  • Per Fierce Healthcare,
    • “Blue Cross Blue Shield of Massachusetts members will benefit from an expanded partnership with Maven Clinic, a new doula pilot program and more caregiving support in collaboration with Cleo, the company announced Nov. 13.
    • “Its doula program, called Accompany Doula Care, connects “racially and ethnically diverse” members with a trained doula. The pilot will collect data to assess whether the program is adequately reaching members through the birthing timeline, including prenatal visits, in-person support during childbirth and postpartum visits.
    • “Black women experience higher levels of maternal morbidity, Blue Cross’ health equity report found.
    • “Eligible Blues members will also have access to Maven Clinic’s Menopause and Midlife Health program. This program can be utilized as a buy-up for self-insured accounts, a news release explains.”
  • and
    • “Amazon One Medical is rolling out a new service to provide Prime members access to clinical treatments for common health and lifestyle conditions like men’s hair loss and anti-aging skin care.
    • “The new service builds on Amazon One Medical’s existing Pay-per-visit telehealth service that offers healthcare for more than 30 common conditions.
    • “The new service offers a subscription plan with low, upfront monthly pricing for a clinical visit, treatment plan, and free medication delivery. The service initially focuses on five conditions: anti-aging skin care treatment, men’s hair loss, erectile dysfunction, eyelash growth, and motion sickness.
    • “Through this service, Prime members can get anti-aging skin care treatment from $10/month; men’s hair loss solutions from $16/month; ED treatment from $19/month; eyelash growth solutions from $43/month; and treatment for motion sickness from $2/use—using Prime Rx at checkout, the company said in a blog post Thursday.”

Midweek Update

From Washington, DC,

  • Roll Call reports,
    • “Sen. John Thune [R SD] on Wednesday was elected the next Senate majority leader, as Republicans are set to take over the chamber in January — and with a demanding President-elect Donald Trump poised to return to power.
    • “Having defeated Texas Sen. John Cornyn and Florida Sen. Rick Scott, the fourth-term South Dakotan will replace Mitch McConnell of Kentucky in January as the chamber’s top Republican. McConnell had held the top GOP spot since taking his party’s leadership reins in early 2007, making him minority leader in six Congresses and majority leader in three Congresses.
    • “Thune defeated Cornyn 29-24 on the day’s second ballot, with Scott eliminated from contention after the first ballot, according to a source inside the Capitol’s Old Senate Chamber, where Republicans chose their next leader.
    • “Senate Republicans also selected Sens. James Lankford, R-Okla., as Republican Conference vice chair; Shelley Moore Capito, R-W.Va., as Republican Policy Committee chair; John Barrasso, R-Wyo., as assistant majority leader; Tim Scott, R-S.C., as National Republican Senatorial Committee chair; and Tom Cotton, R-Ark., as Republican Conference chair.”
  • Tuesday night, the AP results for control of the House now stand at 218 Republicans vs. 208 Democrats with 218 seats constituting a majority. Decision Desk HQ already had awarded control of the House to the Republicans, 219 Republicans vs. 211 Democrats.
  • Federal News Network lets us know,
    • “The House passed the Social Security Fairness Act Tuesday evening in a vote of 327 to 75, bringing the removal of the Windfall Elimination Provision and the Government Pension Offset closer than ever to reality.
    • “Social Security’s WEP and GPO have been around for decades. The two provisions reduce and, in some cases, fully cancel out Social Security benefits for Civil Service Retirement System annuitants and other public sector employees who have worked in state and local government, as well as their spouses, widows and widowers.
    • “The House’s vote came after Reps. Abigail Spanberger (D-Va.) and Garret Graves (R-Pa.), the original cosponsors of the reintroduced Social Security Fairness Act, filed a discharge petition in September to try to push the bill toward a vote. About one week later, the petition reached the 218-signature threshold needed to force the bill to the House floor.” * * *
  • OPM yesterday released a fact sheet titled OPM Highlights its Key Actions under Biden Administration’s AI Executive Order.
  • Govexec tells us,
    • “The Office of Personnel Management reported a slight increase in the backlog of pending federal employee retirement claims in October, though still a marked improvement from the same period last year.
    • “OPM received 6,872 new retirement requests from departing federal workers last month, an increase of around 1,250 more claims than in September. Though OPM cleared 6,458 claims—itself an increase of around 150 claims from the previous month—the backlog ticked up by around 400 cases to 14,908. OPM’s goal is a “steady state” of 13,000 pending retirement claims.
    • “Despite that, the average time it takes to process a retirement claim fell from 63 to 62 days, as measured on a monthly basis.” * * *
    • Now the legislation faces its next hurdle: passage in the Senate. The Senate’s companion to the Social Security Fairness Act currently has 62 cosponsors. * * *
    • “Unlike the House, the Senate does not have a discharge petition procedure — the strategy that Spanberger and Graves used to force the floor vote in the House.
    • “In the Senate, we have the votes to defeat a filibuster, but it has to be brought to a vote,” John Hatton, NARFE’s staff vice president of policy and programs, told The Federal Drive with Tom Temin. “But somebody may object to proceeding, which could cause a two-week or so delay in getting it through.”
  • Per a government press release,
    • “The Substance Abuse and Mental Health Services Administration (SAMHSA), an agency within the U.S. Department of Health and Human Services (HHS), announced today the launch of the Behavioral Health Workforce Career Navigator, designed to help current and aspiring behavioral health professionals identify state requirements for a range of behavioral health careers. The navigator supports President Biden and Vice President Harris’ commitment to expanding America’s behavioral health workforce, a key element of the Administration’s Unity Agenda for the Nation.”

From the public health and medical research front,

  • National Institutes of Health Director Dr. Monica Bertagnolli writes in her blog, about “Advancing a Whole-Person Approach to Women’s Health Research.”
    • “NIH has committed $200 million in fiscal year 2025 to supporting cross-cutting research focused on the health needs of women. We also issued a Notice of Special Interest to highlight our interest in receiving project applications on diseases and conditions that impact women differently, disproportionately, and uniquely across nearly all NIH Institutes and Centers. We are already considering close to 300 new applications for women’s health research projects.
    • “The whole-person approach to women’s health allows researchers and clinicians to address unique needs throughout a woman’s lifetime and to provide a more complete picture of women’s health. It also must be integrated into all stages of the research process—from identifying innovative research questions, to producing impactful scientific and clinical results, to developing ways to equitably adopt new treatments. It begins with science that convenes researchers and clinicians from different disciplines to accelerate progress through combined efforts and knowledge. The White House Initiative on Women’s Health Research calls for this comprehensive approach, renewing NIH’s commitment to research that addresses the needs of women everywhere. It demands that we approach this work with urgency, putting women and their lived experiences at its center of a focus on translating insights from biology and society into better health.
    • Links:
  • The Washington Post reports,
    • “A Canadian teenager infected with bird flu — that country’s first case involving a locally acquired infection — is in critical condition and experiencing difficulty breathing, health officials said Tuesday.
    • “The previously healthy British Columbia teen went to a hospital emergency room Nov. 2 with initial symptoms of pink eye, fever and cough, conditions common to many respiratory illnesses, Bonnie Henry, provincial health officer, said during a news conference. The teen was sent home.
    • “But after the patient’s condition deteriorated, the teen was admitted to BC Children’s Hospital in Vancouver late Friday.
    • “So far, no one who came into contact with the teen has fallen ill.” * * *
    • “On Wednesday, the Public Health Agency of Canada confirmed the H5N1 diagnosis in the teen and said genomic sequencing indicates the virus is related to the bird flu viruses from the ongoing outbreak in poultry in British Columbia, which is related to wild birds.”
  • STAT News informs us,
    • “U.S. drug overdose deaths are plummeting, putting the country on pace for its first year with fewer than 100,000 overdose deaths since 2020 — a powerful, if bleak, symbolic milestone.
    • “Reported drug deaths fell nearly 17% during the 12-month period ending in June, to 93,087, according to new statistics released this week by the Centers for Disease Control and Prevention. 
    • “The epidemic’s toll remains immense but is substantially lower than the 111,615 lives lost to overdose during the 12 months ending in June 2023. Fentanyl, the potent illicit opioid that now dominates the U.S. illicit drug supply, contributed to a large majority.” 
  • Per Health Day,
    • “Even as the pressures of the pandemic began to ebb, Americans’ growing dependence on alcohol did not, a troubling new study shows.
    • “Two years into the globe-altering health crisis, the percentage of Americans who consumed alcohol — which had already spiked between 2018 and 2020 — inched even further up in 2021 and 2022. Not only that, but more folks reported heavy or binge drinking, the findings published Tuesday in the Annals of Internal Medicine revealed.
    • “Our results provide national data to draw further attention to the potential alcohol-related public health effects that may remain from the pandemic,” the researchers wrote in their research. “Potential causes of this sustained increase include normalization of and adaptation to increased drinking due to stress from the pandemic and disrupted access to medical services.” 
  • Per MedTech Dive,
    • “Livanova said Monday a trial of its obstructive sleep apnea (OSA) implant met its primary safety and efficacy endpoints, positioning the company to seek approval once the analysis is complete.  
    • “The randomized trial linked Livanova’s aura6000 to improvements on measures of OSA severity and blood oxygen after six months of treatment with the hypoglossal nerve stimulator. The hypoglossal nerve controls the tongue muscles.
    • “Leerink Partners analysts said the results were largely in line with outcomes seen in a trial of Inspire Medical Systems’ rival device. The analysts see ways that Livanova could differentiate its device but said the company “may have a difficult time breaking into the sleep apnea market.”
  • Fierce Pharma points out,
    • “Following an impressive data drop this summer highlighting the potential for Eli Lilly’s tirzepatide to stave off progression to Type 2 diabetes in prediabetic patients, the Indianapolis-based drugmaker is laying out full results from its longest completed study of the dual GIP/GLP-1 receptor agonist to date.
    • “In the three-year SURMOUNT-1 trial, tirzepatide curbed the risk of disease progression to Type 2 diabetes by 94% versus placebo in adult prediabetes patients who were obese or overweight, Lilly said in a release Wednesday. The number represents a pooled result from three tirzepatide doses (5 mg, 10 mg and 15 mg) studied in the trial.
    • “Putting those results into perspective, one new case of diabetes could be prevented for every nine patients treated with tirzepatide, which is marketed in the U.S. as Mounjaro for Type 2 diabetes and as Zepbound for obesity, Lilly said.
    • “Overall, nearly 99% of patients on tirzepatide remained diabetes-free at the end of the trial’s 176-week treatment period, the company added. 
    • ‘Further, at the 193-week mark, which followed a 17-week off-treatment follow-up period, only 2.4% of patients on Lilly’s drug were diagnosed with Type 2 diabetes compared to 13.7% of patients in the study’s placebo cohort.
  • Beckers Hospital Review identifies “nine new drug shortages to know, according to databases compiled by the FDA and the American Society of Health-System Pharmacists.” 

From the U.S. healthcare business front,

  • Healthcare Dive reports,
    • “Self-funded employer clients of Aetna have access to SimplePay Health, a new healthcare plan design that provides employees and other plan members with essentially an interest-free line of credit to pay for care and requires no out-of-pocket costs due at the time of service, Aetna said in a Oct. 15 press release.
    • “The plan requires only copays for medical services and prescription drugs up to the plan member’s out-of-pocket maximum, with no deductibles or coinsurance costs. Each plan member is mailed a monthly statement — which Aetna compared to a credit card statement — that summarizes all medical and pharmacy claims from the prior 30 days.
    • “Payment terms are generally chosen by the plan sponsor, Amie Benedict, president, diversified commercial solutions at Aetna, said in an email to HR Dive, but payment plans are generally between 12 to 18 months long. “SimplePay will work with members requiring longer payment periods,” Benedict said.” * * *
    • “Aside from SimplePay, UnitedHealthcare company Surest also offers a plan model to self-funded employers without coinsurance or deductibles.
    • “Jim Winkler, chief strategy officer at the Business Group on Health, said in an interview that SimplePay, Surest and similar products are designed to curate a set of preferred healthcare providers and encourage plan members to use these providers by keeping down out-of-pocket costs.
    • “This is especially the case for “shoppable” care, or care that is neither urgent nor emergency in nature and for which employees can select from a variety of providers, Winkler said. “In these shoppable moments, these programs are designed to ensure that the right choice is the easy choice.”
  • Fierce Healthcare fills us in on the first day of its Fierce Health Payer Summit here in beautiful Austin Texas.
  • Corporate Synergies exposes “The Myths Preventing Employees from Embracing HSA-Qualified Plans.”
  • Per BioPharma Dive,
    • “BioNTech is buying into one of the hottest areas of oncology, agreeing to pay $800 million to acquire China-based Biotheus and, with it, a type of drug some analysts think could rival Merck & Co.’s dominant immunotherapy Keytruda.
    • “The deal will hand BioNTech full global rights to a dual-targeting drug that’s designed to block two proteins: the PD-L1 “checkpoint” targeted by Keytruda and another called VEGF that’s coopted by tumors to fuel their growth.
    • “This specific type of “bispecific antibody” is newly on drugmakers’ radar screens after Summit Therapeutics wowed the cancer field with data showing its drug ivonescimab outperformed Keytruda in a head-to-head lung cancer trial.”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
    • “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
    • The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
    • “OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”
  • Here’s the entry in reginfo.gov
    • AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review. Request EO Meeting
      TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
      STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
      LEGAL DEADLINE: None  
  • Fedscoop tells us,
    • “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment. 
    • “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
    • “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
    • “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”
  • Per a NIST announcement,
    • “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
    • “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
    • “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
    • The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • The Wall Street Journal reports,
    • “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack. 
    • “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software. 
    • “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
    • “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop lets us know,
    • “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
    • “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
    • “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
    • “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”
  • Cybersecurity Dive adds,
    • “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
    • “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
    • “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”
  • Dark Reading informs us,
    • “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
    • “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across EuropeAfrica, and beyond. Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
    • “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”
  • Per Bleeping Computer,
    • “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
    • ‘The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
    • “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

  • Dark Reading points out,
    • “Nearly 400 US healthcare organizations have been infected with ransomwarethis fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
    • “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
    • “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
    • According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
  • Cyberscoop relates,
    • “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
    • “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant. 
    • “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
    • “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”
  • Per Cybersecurity Dive,
    • “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
    • “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
    • “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”
  • Bleeping Computer alerts us,
    • “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
      “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
      “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture. 
    • “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation. 
    • “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.” 
  • Per Bleeping Computer,
    • Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
    • The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
    • Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
  • Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”
  • “In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”
  • Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
    • “Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
    • ‘On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.” * * *
    • “The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
    • “The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.”
  • Federal News Network lets us know,
    • “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today [October 11], further paving the way for CMMC requirements to show up in contracts starting next year.
    • “The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.
    • “The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.”
  • Per an October 3, 2024, HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.
    • “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.” * * *
    • “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html
  • Fedscoop notes,
    • “The Department of Health and Human Services is working on a new strategic plan for the use of artificial intelligence across the entire breadth of its mission, the department’s top AI official said Tuesday.
    • “Micky Tripathi — HHS’s acting chief AI officer and its assistant secretary for technology policy — said at the NVIDIA AI Summit in Washington, D.C., that the AI strategic plan should arrive sometime in January and that it will span “the entire, you know, sort of breadth of what the department covers.”
    • “During a panel discussion, Tripathi detailed the complex web of mission sets spanning “the value chain of life sciences and health care” that HHS oversees that the new strategic plan will attempt to wrap its arms around. Those include medical research and discovery, preclinical work, measuring the safety and effectiveness of medical products, health care delivery, health technology standards setting, human services, public health and more, he said.”

From the cybersecurity vulnerabilities and breaches front,

  • Beckers Health IT informs us,
    • “In the past 12 months, 92% of healthcare organizations reported experiencing at least one cyberattack, up from 88% in 2023, an Oct. 8 survey from Proofpoint and Ponemon Institute found.
    • “Of those cyberattacks, 69% reported disruptions to patient care as a direct consequence.”
  • The American Hospital Association News reports,
    • “The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint agency advisory on cyber operations by the Russian Federation’s Foreign Intelligence Service (SVR), also known as APT29, Midnight Blizzard, Cozy Bear, and the Dukes, targeting U.S. and global entities. The agencies recommend prioritizing rapid patch deployment and keeping software up to date to protect against cyberattacks.
    • “This alert highlights the SVR’s aggressive targeting of U.S. critical infrastructure for espionage and possible future offensive cyber operations,’ said John Riggi, AHA national advisor for cybersecurity and risk. “Although health care is not cited as being intentionally targeted by this SVR campaign, it is noted that any entity could become a target of opportunity if it has internet-facing vulnerabilities. The SVR takes advantage of opportunistic tactics to host malicious infrastructure, conduct follow-on operations from compromised accounts, or attempt to pivot to other networks on unprotected victim infrastructure. To mitigate this threat and other types of cyberattacks, such as ransomware attacks, it is imperative that health care entities prioritize patching internet-facing vulnerabilities, employ multi-factor authentication and follow the voluntary cybersecurity performance goals.”
  • HHS’s Health Section Cybersecurity Coordination Center issued its September report on vulnerabilities of interest to the health sector.
  • Cyberscoop points out,
    • “The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
    • “The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.
    • “Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
    • “Vulnerabilities in open-source packages and the developers who maintain them have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) alerted us on October 10,
    • CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.
    • CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.
  • CISA added six more known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Ivanti released updates for three actively exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance, which hackers are chaining together with a previously disclosed path traversal vulnerability, the company said in a Tuesday blog post
    • “Successful exploitation of the flaws can allow an attacker to gain administrative privileges to bypass restrictions, obtain remote code execution or run arbitrary SQL statements. The vulnerabilities are listed as CVE-2024-9379CVE-2024-9380CVE-2024-9381
    • “Ivanti previously disclosed and issued a patch that would address the prior critical vulnerability, listed as CVE-2024-8963, on Sept. 10. The company said it discovered the path traversal vulnerability when it was investigating exploitation of an OS command injection vulnerability, listed as CVE-2024-8190.”

From the ransomware front,

  • Tech Radar reports,
    • “The number of active ransomware groups over the last 12 months is on the rise as criminals look for more ways to target businesses, new research has claimed.
    • “The 2024 State of Threat Report from Secureworks has revealed a rise in the number of active ransomware groups over the last 12 months – identifying a 30% rise in the number of active groups.
    • “The figures represents a diversification of the landscape rather than a particularly drastic increase in criminals. Since the notorious Lockbit disruption, in which the most prolific group was briefly shut down, the ransomware ecosystem has evolved, with 31 new groups being established.” * * *
    • “One of the key findings from the report is that unpatched vulnerabilities remain the top Initial Access Vector (IAV) in ransomware attacks, making up almost 50% of all IAVs. This outlines more than ever the importance of staying on top of cybersecurity and software updates.”
  • Per Security Affairs,
    • “Sophos researchers warn that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware.
    • “In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting its products, the company fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
    • “The most severe flaw included in the September 2024 security bulletin is a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR).”
  • Palo Alto Networks Unit 24 tells us,
    • “In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.
    • “Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.”

From the cybersecurity defenses front,

  • American Hospital Association cybersecurity expert John Riggi offers his perspective on this year’s cybersecurity challenges in the healthcare sector.
  • “Moffitt Cancer Center was one of many health systems impacted by the Change Healthcare ransomware attack earlier this year. The organization’s VP of RCM operations [Lynn Ansley] explains [in Health Leaders] how she navigated the disaster.”
  • Here is a link to Dark Reading’s CISO Corner.
  • HHS’s 405(d) program shares an endpoints security poster with the public.

Monday Roundup

Photo by Sven Read on Unsplash

From Washington, DC,

  • Federal News Network tells us,
    • “Close to 15,000 blue-collar federal employees working in trade, craft and manual labor jobs are likely to see their federal pay rates increase by as much as 12%, once a new proposed rule from the Office of Personnel Management becomes finalized.
    • “The proposed regulations, which OPM released on Monday, aim to improve overall pay parity for roughly 168,000 blue-collar federal workers who are paid hourly through the Federal Wage System (FWS). In practice, OPM’s proposal would align the map of FWS wage areas more closely with the General Schedule’s locality pay map.
    • “This would lead to greater equity across federal pay systems, with FWS workers’ pay more aligned with GS workers who work in the same geographic area,” OPM wrote in a press release Monday.
    • ‘As a result of the proposed re-mapping, around 15,000 blue-collar federal employees would begin receiving higher pay rates once OPM’s regulations become final — as long as there are no major changes to how the proposed regulations are currently written.”
  • and
    • “The Postal Service, more than three years into a 10-year reform plan, is seeking a higher borrowing limit with the Treasury Department to sustain its infrastructure upgrades.
    • ‘USPS, in an update to its “Delivering for America” plan last week, said its current $15 billion debt limit with Treasury was set in the 1970s, and has not been adjusted for inflation in decades.
    • “We continue to lack access to capital and credit markets that most in the private sector rely on in transformative situations like ours,” USPS wrote in a report last week.
    • “USPS is also calling on the Office of Personnel Management to reassess what it pays into the Civil Service Retirement System, the pension system for federal employees who began government service before 1987.”
  • Gallagher timely reminds us about ACA FAQ 63 which told us
  • The American Hospital Association News informs us,
    • “AHA President and CEO Rick Pollack Oct. 7 sent a letter to President Biden urging the Administration to take immediate actions to increase the supply of IV solutions for hospitals and other health care providers that are struggling with shortages following the closure of a Baxter manufacturing plant as a result of Hurricane Helene.  
    • “Our members are already reporting substantial shortages of these lifesaving and life-supporting products,” Pollack wrote. “Patients across America are already feeling this impact, which will only deepen in the coming days and weeks unless much more is done to alleviate the situation and minimize the impact on patient care.”  
    • “The letter includes a number of specific actions the AHA is asking the Administration to take to support hospitals’ ability to care for patients and communities. In addition, the AHA invited the White House and agency experts to join the association in a forum to communicate directly with hospitals and health systems to “inform each other in real time on the status of the situation while we work together to mitigate the impact on patients.” 
  • Fierce Healthcare offers a summary of HHS’s proposed 2026 notice of benefit and payment parameters for the ACA marketplace. The public comment deadline is November 12, 2024.

From the Food and Drug Administration front,

  • Per an FDA press release,
    • “Today [October 7], the U.S. Food and Drug Administration granted marketing authorization for the Healgen Rapid Check COVID-19/Flu A&B Antigen Test. The test, authorized for use without a prescription, is for use by individuals experiencing respiratory symptoms and uses a nasal swab sample to deliver at-home results in approximately 15 minutes for COVID-19 and influenza (flu). The test detects proteins from both SARS-CoV-2 (the virus that causes COVID-19) and influenza A and B (the viruses that causes flu).  
    • “This is the first over the counter (OTC) test that can detect influenza to be granted marketing authorization using a traditional premarket review pathway, which enables the test to be marketed in the absence of an applicable emergency use declaration. Other OTC flu/COVID tests are currently available under emergency use authorization.” 
  • Per MedTech Dive,
    • The Food and Drug Administration approved Exact Sciences’ Cologuard Plus colorectal cancer test, the company said Friday [October 4]
    • The product is an updated version of Exact Sciences’ existing stool-based cancer test. The company expects to launch the test, which has higher specificity than its predecessor, with Medicare coverage and guideline inclusion in 2025.
    • Exact Sciences recently failed to land a Medicare price premium for Cologuard Plus, but Leerink Partners and William Blair analysts expect one of the company’s subsequent attempts to succeed.

From the public health and medical research front,

  • The Wall Street Journal reports,
    • “The Nobel Prize in medicine was awarded to Victor Ambros and Gary Ruvkun for the discovery of microRNA, molecules that help control how genes are expressed.
    • “Their findings unlocked new areas of research into the roles these molecules play in human health. Researchers are exploring microRNA treatments for cancer, heart disease and dementia.”
    • “Ruvkun and Ambros were giddy with excitement on Monday after learning of their Nobel honors.”
    • Kudos to the recipients.
  • and, on a different topic,
    • “Inflammaging, a chronic low-grade inflammation, is associated with an increased risk of heart attack, cancer, Alzheimer’s and other conditions. It occurs as we age, but some people develop it more than others.
    • “Chronic inflammation can be caused by cellular senescence, where damaged aging cells secrete inflammatory proteins. 
    • “Prevention and treatment measures include lifestyle changes such as exercise, healthy diet and adequate sleep.”
  • The American Medical Association lets us know eight things that doctors wish their patient knew about the flu vaccine.
  • Consumer Reports, writing in the Washington Post, fills us in on how to choose the right multivitamin for your body’s needs.
  • Per BioPharma Dive,
    • “An experimental, muscle-preserving therapy from Scholar Rock succeeded in a Phase 3 trial in spinal muscular atrophy, positioning the biotechnology company to seek approvals in the U.S. and Europe early next year.
    • “A regimen of Scholar Rock’s drug, apitegromab, and a standard SMA therapy significantly improved motor function after one year versus treatment with a typical SMA medicine and a placebo, the company said Monday. Specifically, a prespecified, pooled analysis showed children between 2 and 12 years old who received one of two tested doses had an average difference versus placebo of about a 1.8-point change from baseline on a scale used to evaluate their physical abilities.
    • “Motor function benefits were also observed in a smaller, exploratory group of 13- to 21-year-olds, according to the company. No new safety findings were reported, and no one dropped out of the trial due to side effects. “We believe these data collectively show that apitegromab has the potential to become part of a new standard of care,” CEO Jay Backstrom said on a conference call. Shares more than quadrupled in value Monday.”

From the U.S. healthcare business front,

  • Per Fierce Healthcare,
    • “The healthcare industry is making the push toward greater adoption of value-based care, yet it’s not a secret that progress has been slow-moving.
    • “With that backdrop, UnitedHealth Group has released its latest “A Path Forward” report, which is a biennial look at progress in the shift to value. The paper includes dozens of policy recommendations that the team believes can accelerate that transformation.
    • “Wyatt Decker, M.D., UnitedHealth Group executive vice president and chief physician who’s leading the charge at the company on value-based care and innovation, told Fierce Healthcare in an interview that the U.S. healthcare system is extremely effective at addressing crises, complex patient conditions and end-stage needs. But it’s in prevention where “we really fall down,” he said.
    • “We don’t, by and large, have a system that focuses on keeping people healthy and well,” Decker said. “Most people wonder why their physician or their assistants don’t reach out when it’s time to get a screening and why they have so much trouble scheduling appointments, finding doctors, and, of course, figuring out how much it’s all going to cost.” 
  • and
    • “GenAI experimentation, research and potential use cases proliferate by the day. Like other industries, healthcare is hurrying to jump on the opportunity. A growing number of companies are creating genAI products to help organizations streamline their administrative workflows, simplify physician notetaking or respond to basic patient questions. But publicly available tools, like ChatGPT, are popular, easy to access and simple to use. If consumers are using them, are doctors, too?
    • “The answer, Fierce Healthcare finds, is yes. In the first in-depth look of its kind into physician use of public genAI tools, Fierce Healthcare spoke with nearly two dozen doctors, students, AI experts and regulators, and helped conduct a survey of more than 100 physicians. The reporting confirms that some doctors are turning to tools intended for non-clinical uses to make clinical decisions. With no standardized guidelines, lagging physician training and regulators racing to try to keep up with rapidly changing technology, guardrails to protect patients appear to be years behind current rates of utilization.
    • “You have an uncertain regulatory environment, you’ve got a march of technology and at the same time, you have an uptake by both consumers and healthcare professionals. And the consequences of that are very much uncertain,” Peter Bonis, M.D., chief medical officer at Wolters Kluwer, an information services company, told Fierce Healthcare.”

  • The FEHBlog learned a new use for the work “hallucination” today at the Texas Bar Association’s Health Law Conference. A generative AI mistake is a hallucination.
  • McKinsey and Company discuss “Advancing inclusive care pathways for people with disabilities. Across disease types, patients with disabilities experience inequities all along the care pathway—with consequently worse outcomes. Inclusive pathway designs and targeted interventions could help.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive informs us,
    • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
    • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
    • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
    • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
    • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
    • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
  • Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.
  • Why? Beckers Health IT adds,
    • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
    • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”
  • Cybersecurity Dive points out,
    • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
    • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
    • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”
  • Per a NIST press release,
    • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
    • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

  • Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

  • Cybersecurity Dive lets us know,
    • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
    • “The vulnerabilities, listed as CVE-2024-47076CVE-2024-47175CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
    • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”
  • This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
    • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
  • Cybersecurity Dive cautions,
    • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory
    • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
    • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
    • NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

  • Modern Healthcare tells us,
    • The number of healthcare providers affected by ransomware attacks is steadily growing. 
    • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.
  • Bleeping Computer warns,
    • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
    • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
    • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”
  • PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

  • SC Media calls attention to “five ways to beef up network security and reduce data theft.”
    • “Rethink access control
    • “Raise the firewall game
    • “Take incident response seriously
    • “Tap into network visibility
    • “Segment the network
  • “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  • A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”
  • Per a CISA press release,
    • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
    • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
    • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”