Utah Updates Breach Notification Law

Utah has updated its online data security and privacy laws with new definitions and new requirements for data breach notifications to the Utah Cyber Center. The amendments were signed into law by Utah Governor Spencer J. Cox on March 19, 2024, and updated the Utah Protection of Personal Information Act and the Utah Technology Governance Act.

The Utah Cyber Center was established by the Utah Technology Governance Act and coordinates efforts between State, Local, and Federal resources to bolster statewide security and help defend against future cyberattacks. The online data security and privacy amendments (S.B. 98) to the Technology Governance Act establish new definitions for a data breach reporting to the Utah Cyber Center. A data breach is defined as “the unauthorized access, acquisition, disclosure, loss of access, or destruction of (a) personal data affecting 500 or more individuals; or (b) data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity.” Personal data is defined as any information that is linked to or can reasonably be linked to an identified individual or an identifiable individual.

The amended law also includes details of the types of information that government entities must provide when reporting data breaches to the Utah Cyber Center. These requirements include the date/time of the breach; date of breach discovery; number of people affected, data types involved, a short description of the breach; path/means of access; perpetrator of the breach (if known); the steps taken in response to the data breach; and any other specific information requested by the Utah Cyber Center. The Protection of Personal Information Act has been amended to state that documents submitted to the Attorney General or the Utah Cyber Center may be deemed confidential and classified as a protected record in certain circumstances.

The post Utah Updates Breach Notification Law appeared first on HIPAA Journal.

HHS Shares Credential Harvesting Mitigations

The Health Sector Cybersecurity Coordination Center (HC3) has issued a healthcare and public health (HPH) sector alert about credential harvesting, one of the most common tactics used by hackers in cyberattacks on the HPH sector.

While there are more secure ways of authenticating individuals and controlling access to accounts and resources, credentials such as usernames, passwords, and personal information are commonly used. Credentials provide access to online accounts, email systems, patient data, and network resources. If credentials are obtained, hackers will gain the user’s privileges and a foothold in the network.

Credential harvesting leads to data breaches, but oftentimes credential harvesting is the first stage in a much more extensive attack. The access may allow a hacker to compromise further accounts and escalate privileges, exploit vulnerabilities in internal systems, deploy malware, move laterally within the network, disrupt administrative functions, and cause system downtime, which can impair healthcare professionals’ ability to provide patient care.

Credential harvesting is most commonly associated with phishing, but credentials can be obtained using a variety of methods, the most common of which are:

  • Phishing: The use of deceptive messages to trick users into disclosing their login credentials, often on attacker-controlled websites
  • Keylogging: Malware that records keystrokes as they are entered by users, including usernames and passwords.
  • Brute Force Attacks: Automated attempts using numerous combinations of usernames and commonly used passwords until the correct combination is identified.
  • Person-in-the-Middle (PITM) Attacks: The interception of communications between two parties, capturing login credentials exchanged during the authentication process.
  • Credential Stuffing: The use of credentials obtained in one data breach to access accounts on other platforms/systems where the same username/password combinations have been used.

Since there are a variety of ways that credentials can be harvested, there is no single mitigation that can protect against this tactic. Healthcare organizations need to be proactive and implement several mitigations to reduce risk. Multi-factor authentication (MFA) is one of the most important security measures as it adds an extra layer of authentication. If credentials are compromised, without the additional authentication, account access will not be granted. Phishing-resistant MFA provides the highest level of protection.

Many credential harvesting attacks use email to make initial contact with users. Email filtering solutions such as spam filters will block the majority of these messages and prevent them from reaching end users; however, even the most advanced email security solutions will not block all malicious messages. Employee training and awareness are therefore important. Members of the workforce (from the CEO down) should be educated about phishing and other credential harvesting methods and be taught cybersecurity best practices.

Monitoring and detection solutions should be used to identify suspicious login attempts and suspicious user behavior, endpoint security solutions can protect against malware such as keyloggers, systems should be kept up to date to prevent the exploitation of vulnerabilities, and organizations should ensure they have comprehensive incident response plans to minimize the harm caused should an attack prove successful.

This is the second sector alert to be issued by HC3 this month on tactics used by malicious actors in attacks on the HPH sector. The earlier alert covers email bombing, which is used for denial of service attacks.

The post HHS Shares Credential Harvesting Mitigations appeared first on HIPAA Journal.