White House Publishes National Cybersecurity Strategy Implementation Plan

The White House has published a roadmap for implementing President Biden’s March 2023 National Cybersecurity Strategy to ensure transparency and a continued path for coordination. The National Cybersecurity Strategy Implementation Plan (NCSIP) includes more than 65 federal initiatives that aim to improve resilience against cyber threats and disrupt cyber threat operations, and changes how the United States allocates roles, responsibilities, and resources in cyberspace.

Two major shifts include ensuring that the biggest, most capable, and best-positioned entities in both the public and private sectors assume a greater share of the burden for mitigating cyber risk and increasing the incentives to favor long-term investments in cybersecurity. The initiatives are based on five pillars and aim to achieve 27 strategic objectives. The first pillar is concerned with defending critical infrastructure against cyberattacks that are increasing in number and sophistication. Cybersecurity requirements will be established to support national security and public safety across all critical infrastructure sectors, including healthcare. Public-private collaboration will be scaled to drive the development and adoption of secure-by-design and secure-by-default technology, Federal defenses will be modernized, and the Federal incident response plans and processes will be updated.

The second pillar is concerned with the disruption and dismantling of threat actors’ infrastructure. The initiatives include increasing the speed and scale of intelligence sharing and victim notification, the prevention of abuse of U.S. infrastructure, countering cybercrime, and disrupting ransomware. The third pillar is concerned with shaping market forces to drive security and resilience, including initiatives to drive the development of secure IoT devices, shifting liability for insecure software products and services, using grants and other incentives to ensure built-in security, and exploring the need for a Federal cyber insurance backstop for catastrophic cyber events.

The fourth pillar concerns investment in a cyber-resilient future, including securing the technical foundation of the internet, improving federal research and development in cybersecurity, preparing for a post-quantum computing future, and developing a national strategy for strengthening the cyber workforce. The fifth pillar involves forging international partnerships to pursue shared cybersecurity goals, including building coalitions to counter digital threats, strengthening the capabilities of international partners, expanding the ability of the U.S. to help allies and partners achieve shared goals, and securing global supply chains for information, communications, and operational technology products and services.

The plan will be spearheaded by 18 Federal agencies, with the Office of the National Cyber Director (ONCD) coordinating all activities under the plan. Several of the initiatives are already underway and some have already been completed ahead of schedule.

The post White House Publishes National Cybersecurity Strategy Implementation Plan appeared first on HIPAA Journal.

First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach

Lawsuits against HCA Healthcare were an inevitability following a data breach that affected approximately 11 million individuals and saw the stolen data listed for sale on a dark web forum. The breach was announced by HCA Healthcare on July 10, 2023, and while the total number of affected individuals has yet to be confirmed, 27 million lines of data were compromised, which equates to around 11 million individuals.

Since the investigation is still in the early stages, little information has been released so far about the nature of the cyberattack, other than an unauthorized individual gaining access to an external storage location used for formatting emails. HCA Healthcare said highly sensitive information such as Social Security numbers, financial information, and clinical information does not appear to have been compromised, only information such as names, dates of birth, email addresses, phone numbers, and next appointment dates.

The first lawsuit in relation to the breach was filed in the Tennessee Middle District Court on Wednesday by the law firms Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert, naming Gary Silvers and Richard Marous as plaintiffs. The lawsuit, Silvers et al v. HCA Healthcare, Inc., alleges a failure to comply with the HIPAA Rules and FTC guidelines, and that HCA Healthcare was negligent in failing to safeguard the personal and protected health information of patients. As a result of that negligence, patient data is now in the hands of cybercriminals, and the plaintiffs and class members are likely to have their sensitive data misused in a variety of fraudulent ways and face a lifetime risk of identity theft and fraud.

The lawsuit claims injuries have been suffered in a number of ways, including the lost or diminished value of private information; costs associated with the prevention, detection, and recovery from identity theft and fraud; lost opportunity costs and lost time spent mitigating the data breach’s consequences; and emotional distress from the loss of control of “highly sensitive private information.”

The lawsuit seeks monetary damages, legal fees, a jury trial, and injunctive relief, requiring HCA Healthcare to implement a variety of safeguards to better protect patient data. The injunctive relief requested includes data protection through encryption, the deletion of private information unless there is a legitimate reason for retaining that information, prohibiting the storage of data in a cloud-based database, independent third-party security audits, data segmentation, the implementation and maintenance of threat management and monitoring programs, and audits, tests, and training of security personnel.

Lawsuits are commonly filed following healthcare data breaches and a breach of this magnitude is likely to trigger many more lawsuits over the coming days and weeks; however, while legal action can be taken, there is no guarantee of success. Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing.

The post First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach appeared first on HIPAA Journal.

Return to Big Game Hunting Sees Ransomware Revenues Soar

There has been a sizeable fall in revenues from cryptocurrency-related crimes in the first half of 2023, with scammers seeing a 77% reduction in revenues from the same period in 2022, amassing a little over $1 billion in the first half of the year compared to $3.3 billion in the first half of 2022. While this is certainly good news, ransomware-related cryptocurrency payments increased significantly in H1 2023, and if the trend continues in the second half of the year, ransomware revenues could eclipse those of 2022. At the current rate, transactions related to ransomware attacks can be expected to reach $899 million by the end of the year, only trailing 2021 – a record-breaking year, where $939.9 million in payments were made following ransomware attacks.

The mid-year analysis from Chainalysis shows a 65% decline in cryptocurrency transfers to known darknet marketplaces, scam sites, and fraud shops compared to the same period last year, with high-risk exchanges and mixers also experiencing a notable decline, down 42% on this time last year. The fall has been attributed, in part, to the disappearance of two major investment scam campaigns, VidiLook and Chia Tai Tianqing Pharmaceutical Financial Management.

The same cannot be said of ransomware-related transfers, which are up at least $175.8 million from H1 2022, with at least $449.1 million paid in ransom payments up to the end of June 2023. Chainalysis attributes the increase to a combination of a return to big game hunting – targeting large organizations with deep pockets – using ransomware strains such as BlackBasta, BlackCat, and Cl0p, and an increase in attacks on smaller entities using ransomware variants such as Dharma and Phobos. The average/median payment sizes were $265/$275 for Dharma and $1,719/$300 for Phobos, compared to $762,634/$147,106 for BlackBasta, $1,504,579/$305,585 for BlackCat, and $1,730,486/$1,946,335 for Cl0p.

While the attacks on smaller entities yield much lower payments, the attacks are much easier to conduct since smaller firms lack the cybersecurity resources of larger firms. These smaller attacks tend to be conducted by ransomware affiliates using spray-and-pray tactics rather than targeted attacks. Since the ransom demands are relatively low, payment is more likely to be made; however, there has been a trend of non-payment of ransoms, especially at larger firms. Chainalysis suggests this non-payment trend could be prompting attackers to issue very high demands in their big game hunting attacks, to compensate for the high percentage of firms choosing not to pay.

The post Return to Big Game Hunting Sees Ransomware Revenues Soar appeared first on HIPAA Journal.