Healthcare Cybersecurity

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide.

The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure.

It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed.

Fast Response Limited Extent of the Attack

The fast response of Kaseya limited the extent of the attack. Over the weekend, Kaseya’s chief executive, Fred Voccola, said the software update was pushed out to around 40 customers and only affected on-premise customers who were running their own data centers and that its cloud-based services were not affected. The number of affected customers is now thought to be closer to 60.

Many of the victims were MSPs. In addition to their systems being encrypted, ransomware code was pushed out to their clients. More than 1,000 MSP clients are known to have been affected and had REvil ransomware installed. Sophos has reported that it is aware of 70 MSPs that have been affected, along with around 350 companies that use their services.

Kaseya has been issuing regular updates since the attack. In a Sunday morning update, Kaseya said there had been no further compromises since the Saturday evening report which suggests the measures implemented following the discovery of the attack have been successful. While no further ransomware attacks are believed to be occurring, the victim count will undoubtedly grow over the coming days.

When the attack was detected, Kaseya shut down its hosted and SaaS VSA servers and told all customers to switch off their own VSA servers while the attack was mitigated. Customers have been told to keep the servers switched off until further notice. Kaseya is working closely with CISA, the FBI, and cybersecurity forensics firms to investigate the incident and to determine the extent of the attack.

“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” said Kaseya in a July 4, 2021, statement about the attack. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”

Supply chain attacks such as this can have a huge impact globally. Attackers compromise one company, then gain access to the networks of thousands of others, as was the case with the SolarWinds Orion supply chain attack in 2020. In that attack, malware was distributed through the software update mechanism which gave the attackers access to the systems of around 18,000 companies that received the update.

Kaseya Was Developing Patches for the Exploited Vulnerabilities

The REvil ransomware gang gained access to Kaseya’s systems by exploiting recently discovered vulnerabilities that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD). Those vulnerabilities had not been publicly disclosed and Kaseya was in the process of developing patches to correct the vulnerabilities when the REvil gang struck.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.

Kaseya said patches are being developed to correct the flaws and will be released as soon as possible.

One of the Largest Ransomware Attacks to Date

The REvil gang is believed to operate out of Eastern Europe or Russia and is one of the most prolific ransomware-as-a-service operations. Recent attacks conducted by the gang include JBS Foods, computer giant Acer, Pan-Asian retail giant Dairy Farm, UK clothing company French Connection (FCUK), French pharmaceutical company Pierre Fabre, and Brazilian healthcare company Grupo Fleury to name but a few. The latest attack is one of the largest ransomware attacks ever seen.

The gang is known to exfiltrate data prior to file encryption and demands payment of a ransom for the keys to decrypt encrypted files and to prevent the exposure or sale of data stolen in the attack. It is currently unclear if these attacks involved data theft.

Businesses and organizations affected by the latest attack have been issued with ransom demands ranging from $50,000 to $5 million according to Sophos malware analyst Mark Loman and Emsisoft CTO Fabian Wosar. The REvil gang has asked for a payment of $70 million to supply a universal decryptor that will unlock all systems that have been encrypted in the attack.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” wrote the gang on its data leak site.

“We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized,” said Kaseya.

President Biden Orders Federal Investigation

After learning of the attack, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, stating on Saturday that it was unclear who was responsible for the attack. President Biden spoke with Vladamir Putin at the June 16 Geneva summit and urged him to crack down on cybercriminal gangs operating out of Russia and warned of consequences should the ransomware attacks continue. “The initial thinking was it was not the Russian government but we’re not sure yet,” President Biden told reporters on a Saturday visit to Michigan. He also confirmed the U.S. would respond if it is determined Russia was to blame for the attack.

CISA Issues Guidance for MSPs and MSP Customers Affected by the Kaseya VSA Supply Chain Attack

Kaseya issued a Compromise Detection Tool on July 3, 2021, which was rolled out to around 900 customers. The tool can be used to quickly determine if a customer’s VSA server has been compromised in the attack. The U.S. Cybersecurity and Infrastructure Security Agency is urging all Kaseya MSP customers to download and run the Compromise Detection Tool as soon as possible.

Kaseya MSP customers have also been advised to enable and enforce multi-factor authentication on every single account and, as far as is possible, to enable and enforce MFA for customer-facing services.

CISA also says MSPs should “implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

MSP customers affected by the attack have been advised to implement cybersecurity best practices, especially MSP customers who do not currently have their RMM service running due to the Kaseya attack. CISA recommends the following measures:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.

The post Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies appeared first on HIPAA Journal.

HHS: Take Action Now to Secure Vulnerable PACS Servers

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:White Alert warning about vulnerabilities in the Picture Archiving Communication Systems (PACS) used by hospitals, clinics, small healthcare practices, and research institutions for sharing patient data and medical images.

The HC3 Sector Alert warns that PACS vulnerabilities are exposing sensitive patient data and placing systems at risk of compromise. Vulnerable Internet-exposed PACS servers can easily be identified and compromised by hackers, threatening not just the PACS servers but also any systems to which those servers connect.

PACS was initially developed to help with the transition from analog to digital storage of medical images. PACS servers receive medical images from medical imaging systems such as magnetic resonance imaging (MRI), computed tomography (CT), radiography, and ultrasound and store the images digitally using the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is now three decades old and was discovered to have vulnerabilities that could easily be exploited.

The vulnerabilities were first described by security researchers in September 2019, who showed it is possible for the flaws to be exploited to gain access to medical images and patient data. Thousands of vulnerable PACS were identified worldwide, with a second study several months later uncovering even more PACS that were exposed to the Internet and vulnerable to attack.

In June 2021, a study by ProPublica revealed millions of medical images have been exposed via the Internet via vulnerable PACS. 130 health systems were found to have exposed around 8.5 million case studies involving more than 2 million patients, with more than 275 million medical images from their examinations placed at risk along with any associated protected health information. Exposed protected health information included patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers.

Successful exploitation of the vulnerabilities could result in an attacker obtaining sensitive data, but it would also be possible to exploit vulnerabilities in the DICOM protocol to install malicious code, manipulate diagnoses, falsify scans, sabotage research, or install malware. Once access to PACS systems is gained, an attacker could move laterally and spread to other parts of the network undetected.

The main issue is PACS servers have been exposed to the Internet without applying basic security principles. These include:

  • Checking and validating connections to ensure the systems can only be accessed by authorized individuals.
  • Configuring the systems in accordance with manufacturer documentation.
  • Restricting network access to vulnerable systems and ensuring, where possible, that they are not accessible over the Internet.
  • Placing PACS systems behind firewalls, whenever possible.
  • Ensuring a Virtual Private Network (VPN) must be used to access PACS systems remotely.
  • Ensuring traffic between Internet connected systems and physicians/patients is encrypted by enabling HTTPS.
  • Ensuring default passwords are changed to strong, unique passwords.
  • Closing all unused ports on affected systems.
  • Where possible, discontinuing or limiting the use of third-party software on affected systems to decrease the attack surface.
  • Ensuring patches are applied promptly.
  • Logging and monitoring all network traffic attempting to reach vulnerable systems.

HC3 says there are still several PACS servers that are currently visible and vulnerable. All healthcare organizations have been advised to review their inventory to determine if they are running any PACS servers and to take the steps outlined in the guidance to ensure those systems are secured.

The Department of Homeland Security has produced a list of GE Healthcare PACS that are known to have vulnerabilities that need to be addressed. The list is not all-inclusive so security measures should be assessed for all PACS servers, regardless of whether there are known vulnerabilities.

The post HHS: Take Action Now to Secure Vulnerable PACS Servers appeared first on HIPAA Journal.

CISA Releases Ransomware Readiness Assessment Audit Tool

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new tool that can be used by organizations to assess how well they are equipped to defend and recover from a ransomware attack.

The threat from ransomware has gown significantly over the past year. The Verizon Data Breach Investigations Report shows 10% of cyberattacks now involve the use of ransomware, with SonicWall reporting a 62% global increase in ransomware attacks since 2019 and a 158% spike in attacks in North America during the same period. BlackFog predicts loses due to ransomware attacks will increase to $6 trillion in 2021, up from $3 trillion in 2015.

The Ransomware Readiness Assessment (RRA) audit module has been added to CISA’s Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides network defenders through a step-by-step process of assessing their cybersecurity practices for both their information technology (IT) and operational technology (OT) networks. CSET can be used to perform a comprehensive evaluation of an organization’s cybersecurity posture using recognized government and industry standards and recommendations.

The RRA can be used to evaluate cybersecurity defenses specifically relating to ransomware. CISA says the RRA tool has been developed for organizations at all levels of cybersecurity maturity and will allow network defenders to evaluate their defenses against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner.

The RRA guides asset owners and operators through a systematic process to evaluate cybersecurity practices against ransomware threats and provides an analysis dashboard with graphs and tables displaying the results of the assessment, both in summarized and detailed form.

The RRA tool is available through CSET, which should first be downloaded and correctly installed. The installation file and instructions on installing CSET and starting the ransomware readiness assessment is available on GitHub on this link.

CISA is urging all organizations to install the CSET tool and conduct a Ransomware Readiness Assessment to evaluate their cybersecurity defenses.

The post CISA Releases Ransomware Readiness Assessment Audit Tool appeared first on HIPAA Journal.

Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the publication of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service.

The vulnerability has been dubbed PrintNightmare and is tracked as CVE-2021-34527. The flaw is due to the Windows Print Spooler service improperly performing privileged file operations. Microsoft says the flaw can be exploited by an authenticated user calling RpcAddPrinterDriverEx(). If exploited, an attacker would gain SYSTEM privileges and could execute arbitrary code and could install programs; view, change, or delete data; or create new accounts with full user rights.

The PoC exploit for the vulnerability was published by the Chinese security firm Sangfor. Typically, exploits for unpatched vulnerabilities are not released publicly until software developers have been notified about a flaw and sufficient time has been allowed for a patch to be released and applied by users.

In this case an error was made. Sangfor researchers published the PoC exploit in late June, as Microsoft had released a patch to fix the flaw on June 8, 2021. The patch fixed a Windows Print Spooler service vulnerability tracked as CVE-2021-1675, but did not fully fix the PrintNightmare vulnerability, which now has a second CVE code. The researchers deleted the exploit, but it had already been shared and remains in the public domain.

“Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” said the CERT Coordination Center.

It is not clear whether Microsoft will release a patch to fix the CVE-2021-34527 vulnerability on Patch Tuesday on July 13 or will issue an out-of-bad update in the next few days.

Microsoft has published two workarounds that will prevent the flaw from being exploited; however, applying those workarounds will affect printing. Exploitation can be prevented either by disabling the Print Spooler service using PowerShell commands or disabling inbound remote printing through Group Policy on all Domain Controllers and Active Directory admin systems. CISA recommends using the workarounds on all Domain Controllers and systems that are not required to print.

This is a good best practice regardless of the PrintNightmare flaw. If any Domain Controller or system is not required to print, the print Spooler Service should be disabled. This will prevent any future vulnerabilities in the Print Spooler service from being exploited.

The post Exploit Released ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability appeared first on HIPAA Journal.

CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that lists cybersecurity bad practices that are exceptionally dangerous and significantly increase risk to critical infrastructure.

There are many published resources that provide information about cybersecurity best practices that should be adopted to improve security, but CISA felt an additional perspective was required as it is equally, if not more, important to ensure that bad cybersecurity practices are eliminated. “Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices,” explained CISA.

CISA is urging leaders of all organizations to engage in urgent conversations to address technology bad practices, especially organizations that support national critical functions.

One of the foundational elements of risk management is “focus on the critical few”, explained CISA Executive Assistant Director Eric Goldstein in a blog post announcing the launch of the new website resource. Organizations may have limited resources to identify and mitigate risks, but eliminating cybersecurity bad practices is an essential element of every organization’s strategic approach to security. “Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first’,” said Goldstein.

The new resource was created following cyberattacks on critical infrastructure which demonstrated the impact they can have on critical government functions and how they pose a threat to security, national economic security, and/or national public health and safety.

The CISA Bad Practices catalog will grow over time, but currently lists two cybersecurity bad practices that are exceptionally risky: The use of unsupported software that has reached end-of-life and the continued use of known, fixed, and default passwords and credentials in service of Critical Infrastructure and National Critical Functions.

The post CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated appeared first on HIPAA Journal.

OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals

The HHS’ Office of Inspector General (OIG) has conducted a review to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require hospitals to have implemented a cybersecurity plan for networked devices and the methods used to assess the cybersecurity of networked medical devices.

Cybersecurity controls are required to protect medical devices that are connected to the Internet, other medical devices, or internal hospital networks. Without those controls, the devices could be accessed by unauthorized individuals and patients could be at risk of harm. Networked medical devices include MRIs, computed tomography, ultrasound, nuclear medicine, and endoscopy systems, as well as systems that communicate with clinical laboratory analyzers such as laboratory information systems. OIG cited an estimate that a large hospital may have around 85,000 medical devices connected to its network.

These devices are usually separated from other systems, they may connect to the same network as the electronic health record (EHR) system. If cybersecurity controls are lacking, they could be vulnerable to an attack that could potentially impact critical healthcare systems. While there have not been any known cases of cyberattacks being conducted specifically to cause patients harm, patients may inadvertently be harmed as a result of an attack conducted for other reasons. In Germany in 2020, a patient died as a result of a ransomware attack. Without access to hospitals systems, the patient had to be rerouted to an alternative facility and died before treatment could be provided.

The CMS has minimum cybersecurity requirements for hospitals but relies on state survey agencies and Medicare accreditation organizations (AOs) to inspect Medicare-participating hospitals. Those surveys are conducted every 3 years. The Social Security Act requires AOs’ survey protocols to be equivalent to or more stringent than those of CMS.

For the study, OIG sent written interview questions to the CMS and conducted telephone interviews with 4 AOs. The study revealed the CMS survey protocol does not include requirements for networked medical device cybersecurity and AOs do not require hospitals to implement cybersecurity plans covering networked medical devices.

OIG found that AOs sometimes review certain aspects of device cybersecurity. The study revealed two AOs had equipment maintenance requirements, which may provide limited insights into medical device cybersecurity. If hospitals identified networked device cybersecurity in their emergency-preparedness risk assessments, AOs would review their mitigation plans; however, most hospitals did not identify device cybersecurity in the risk assessments very often. AOs may also examine networked devices when assessing hospital safeguards for medical record privacy. Nether the CMS nor the AOs had any plans to update their survey requirements in the future to cover networked devices or general cybersecurity.

OIG has recommended the CMS identify and implement a method of addressing the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others. CMS concurred with the recommendation and is considering additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers.

OIG suggested several ways that the CMS could improve its oversight and assess medical device cybersecurity. For example, the CMS could use language stating it considers cybersecurity to be part of keeping devices in safe operating condition, highlight the risk that unsecured medical devices connected to the EHR could be a threat to protected health information, and could also remind hospitals to maintain compliance with HIPAA requirements, including the HIPAA Security Rule. The CMS could also instruct surveyors to ask hospitals if they considered cybersecurity of networked devices when they conducted their hazard vulnerability analyses.

The post OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals appeared first on HIPAA Journal.

NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST’s critical software definition is software or software dependencies that contain one or more of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended federal agencies should initially focus on implementing the requirements of the Executive Order on standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move onto other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a list of EO-critical software, although CISA will publish a more comprehensive finalized list in the coming weeks.

The post NIST Publishes Critical Software Definition for U.S. Agencies appeared first on HIPAA Journal.

Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity

The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS).

The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services.

“A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report.

The HHS must implement safeguards in place to protect its computer systems from cyber threat actors looking to obtain sensitive data to commit fraud and identity theft, conduct attacks that aim to disrupt operations, or gain access to networks to launch attacks on other computer systems.  Throughout the pandemic, many threat actors and APT groups have targeted the healthcare sector, with the GAO pointing out that the FBI and CISA have issued multiple alerts over the past 12 months warning about cyber threats specifically targeting healthcare and public health entities.

The GAO reports that the HHS has clearly defined roles and responsibilities, which is essential for effective collaboration; however, there were several areas where improvements could be made, mostly concerning collaboration with its partners.

HHS working groups were assessed on the extent to which they demonstrated Leading Practices for Collaboration. All seven of the HHS working groups met the Leading Practices: Bridge organizational cultures, identify leadership, include relevant participants in the group, identity resources. 6 working groups met the Leading Practices: Clarify roles and responsibilities and document and regularly update written guidance and agreements, and five groups met the Leading Practice: Define and track outcomes and accountability.

The GAO made seven recommendations on how the HHS can improve collaboration and coordination within the HHS and with the healthcare sector.

  1. The HHS Secretary should order the CIO coordinate cybersecurity threat information sharing between the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
  2. The HHS Secretary should order the CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
  3. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council’s Cybersecurity Working Group and HHS Cybersecurity Working Group.
  4. The HHS Secretary should order the CIO to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements.
  5. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration.
  6. The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to finalize written agreements that include a description of how the Government Coordinating Council’s Cybersecurity Working Group will collaborate; identify the roles and responsibilities of the working group; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the finalized agreements.
  7. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter.

The HHS concurred with six of the recommendations and disagreed with one. The HHS is currently taking action to address the 6 recommendations it concurred with. The HHS did not concur with the recommendation to coordinate cybersecurity information sharing between HC3 and HTOC.

The post Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity appeared first on HIPAA Journal.

Bipartisan Group of Senators Introduce Federal Data Breach Notification Bill

A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

The draft bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues that have been identified following recent cyberattacks that have impacted critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.

The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide actionable cyber threat information which will be made available to government and private sector entities and the public to allow action to be taken promptly to tackle threats.

Incidents classified as significant cybersecurity intrusions that would warrant notifications are cyberattacks that:

  • Involve or are believed to involve a nation state.
  • Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
  • Involve or are believed to involve a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the U.S. economy.
  • Likely to be of significant national consequence.
  • Has potential to affect CISA systems.
  • Involves ransomware.

The draft bill requires breach notifications to include a description of the cybersecurity intrusion, the affected systems and networks, estimates of the dates when the intrusion is thought to have occurred, a description of the vulnerabilities thought to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the threat actor. In addition, notifications should include any information that could be used to identify the threat actor, contact information to allow the breached entity to be contacted by federal agencies, and details of any actions taken to mitigate the threat.

The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.

Any covered entity that fails to report a cyber intrusion covered by the bill will face penalties determined by the Administrator of the General Services Administration. Businesses violating the terms of the Cyber Incident Notification Act of 2021 could face a financial penalty of 0.5% of gross revenue for the previous year and sanctions could include removal from federal contracting schedules.

While there is clearly a need for a national data breach notification law, several attempts have been made previously to introduce a data breach notification bill, but all have failed to make it through the Senate.  In addition to this bill, Several House members and Senators are believed to be working on their own data breach notification bills.

The post Bipartisan Group of Senators Introduce Federal Data Breach Notification Bill appeared first on HIPAA Journal.