The CyberPHIx Roundup: Industry News & Trends, 2/7/23

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week: 

  • A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks 
  • Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of Q1
  • More ChatGPT analysis on malware writing and that it is NOT suitable for use in a HIPAA Privacy compliant manner 
  • A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing 
  • The new Rural Emergency Hospital rule for struggling critical access and rural facilities 
  • The impact of travel nursing on cybersecurity 
  • FBI and Hive ransomware + why FBI wants more victims to call them 
  • Microsoft OneDrive takes first place for cloud app malware distribution 
  • A new DDoS threat from KillNet against healthcare and what to do about it 
  • An interesting update from the Russian/Ukraine war 
  • A call for community help on the evolution of NIST CSF and CSA CCM 

PODCAST TRANSCRIPT

Britton: [00:00:15] Hello and welcome to The CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I am your host, Britton Burton. In addition to this roundup, be sure to check out our Resource Center on Meditology Services, which includes our CyberPHIx interviews with leading health care security, privacy, and compliance leaders, as well as blogs, webinars, articles, and lots of other educational stuff. We have a full agenda to cover today, so let's dive into it. Let's start today with some news about a new national

Britton: [00:00:56] cybersecurity strategy document that appears to be imminent from the White House. You may have missed this one because it's not actually public yet. It didn't hit the typical cyber and privacy media outlets that we all monitor, at least that I monitor. But there were a few leaks from anonymous sources to mainstream news organizations. So you may be thinking, yeah, yeah, another one of these. But this one appears to be different from the dozen or so similar papers signed by presidents over the past 20 years in two significant ways. First, it will impose mandatory, at least it says mandatory, regulations on a wide swath of American industries, pretty much everything. Up until now, these have been strong suggestions and voluntary requirements. But these, in the leaked news anyway, appear to be mandatory. Secondly, and honestly most fascinatingly to me, it authorizes US defense, intelligence, and law enforcement agencies to essentially hack back and go on the offensive, attacking the networks of criminals and foreign governments in retaliation to or preempting their attacks on American networks. So here are a few of the direct citations from the document, shared in this case by The Washington Post. One of the stated goals in a draft copy of the strategy that was obtained says, "We will use regulation to support national security and public safety. Regulation can level the playing field to meet the needs of national security." It also states that while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases, inadequate outcomes.

Britton: [00:02:39] It calls for a shift in liability onto those entities that fail to take reasonable precautions to secure their software. In regards to the hack-back portion of the document, in a section titled Disrupt and Dismantle Threat Activities, the document states that "our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States." So this section actually calls for the US to disrupt and dismantle (based on the title, Disrupt and Dismantle) hostile networks as part of a persistent, continuous campaign coordinated by the FBI's National Cyber Investigative Joint Task Force. That task force will work in conjunction with several relevant US agencies that you can probably imagine. So even that fact represents a shift, because it would be more of a kind of systematic collaboration than has really been attempted, or at least than has been publicly made known. A lot of it has been fractured, and that's been one of the complaints about cybersecurity legislation in the US. And it looks like there's more of a joint effort there, at least on the attack-back portion. It also appears that private companies, such as firms that specialize in the cybersecurity field, will be full partners in the effort, both to alert the government task force of intrusions and to help propel them.

Britton: [00:03:58] I'm sure you can all think of a few big names that come to mind there, but of course, none were named. So all the reporting says that this paper is driven by some of the high-profile attacks that caused some real pain for American citizens. Every article I saw referenced the Colonial Pipeline attack, which we all remember causing a gasoline shortage in the eastern half of the United States for a couple of weeks. And basically, the federal government appears to be saying enough is enough. It also stems (again, this is the reporting on the leak that happened here) from two emerging thoughts on how to finally start making some advances in cyber protection. Number one, guidelines on cybersecurity, which Washington has previously allowed private companies to follow voluntarily, have for the most part failed to block major intrusions by foreign governments or cyber criminals. Number two, purely defensive measures have also had limited impact, as a clever attacker will eventually find ways around them. So this document is moving through the final stages of interagency approval right now, apparently involving more than 20 departments and agencies, and President Biden is expected to sign it in the coming weeks. Now, all the reporting I saw on this was between January 6th and January 25th, and I have not seen anything new since, recording here on February 3rd. So if it's truly expected to be signed in the coming weeks, as of the middle of January, it could be imminent that it will come out.

Britton: [00:05:28] This podcast is being recorded on February 3rd, so keep your eyes peeled. So I don't want to oversell what this is. I think we've seen news on this topic so many times that we all have to take a little bit of a wait-and-see approach. But, you know, this feels like it's something, maybe in a way that some others haven't. The use of the term mandatory across many industries and the hack-back concept are truly novel compared to most of the legislation we hear talked about or have seen actually come through. So I mostly wanted to cover this because we've said for several months on this podcast that it feels like the winds are shifting to new legislation in 2023 and 2024 that we all need to be aware of and prepared for, and this certainly adds fuel to that fire. Continuing on the theme of expected legislation: back in the December podcast, we covered a memo that Senator Mark Warner from Virginia sent on cybersecurity and health care. He sent the memo in November; we covered it in December. As a reminder, that report was divided into three basic sections: section one recommending that the federal government improve the country's cybersecurity risk posture in the healthcare sector, section two recommending helping the private sector mitigate cyber threats, and number three, assisting health care providers in responding to and recovering from cyber-attacks. I won't go into all the details because we did that before.

Britton: [00:06:48] But those were the three basic sections. And one reminder: one of the more interesting angles to me was the mention of tying Medicare reimbursement rates to certain cyber hygiene practices, something that gets discussed by practitioners a lot, but maybe not as much by important figures in federal government like Senator Warner here. So on February 1st, Warner did an interview with HealthITSecurity and stated that he hopes to introduce healthcare cybersecurity legislation by the end of this quarter. So that is way quicker than I anticipated when I first saw that memo back in November. He said his office received more than 60 responses from industry groups and individuals on the paper, and that his team is now in the refinement stage as they work to incorporate feedback into future legislation and as they visit other senators who have been working in this space. He also says several things throughout the interview that hedge his bets a little. First of all, he says he doesn't underestimate the challenge of introducing meaningful policies and legislation that help the evolving sector enhance its security posture from the ground up. He's quoted as saying, "I have seen how hard it is to pass things into law that I thought should have been no-brainers." He also discusses some of the logistical issues of trying to decide if it should be a comprehensive bill or if he should try to introduce two or three small bills and partner with others to get pieces of legislation forward.

Britton: [00:08:09] Some of the machinations that folks in Washington probably think about all the time, that people like me may not be as aware of, the logistical happenings of how that all comes to be. But despite all that, he said he hopes to have some legislation ready by the end of the first quarter. Again, to repeat, that's big news to me. I wanted to share it because the end of the first quarter is now only about eight weeks away. So a few other details from this story, this interview. Warner also discusses some of the challenges in the space. He's quoted as saying there are four different Cabinet secretaries and 16 different federal agencies that touch on health care; even within HHS, agencies such as OCR, ONC, and the Health Sector Cybersecurity Coordination Center, HC3 as you all know them, all have varying levels of oversight and expertise. And his point is that that just causes complication because of the number of cooks in the kitchen. Warner also asked a question: you know, how do you put somebody in charge, or at least in charge of coordinating, so that you can take a more holistic approach? He discussed some of the mixed feedback surrounding the, quote-unquote, age-old voluntary-or-mandate debate when it comes to minimum cyber requirements in health care.

Britton: [00:09:19] Interesting point here. He said a lot of lobbying groups came back and said, you know, we know there's a problem, but we want voluntary standards. That one actually isn't the interesting one; that's not surprising at all. He said he also heard from numerous hospitals, and he even says doctors, which is super interesting if individual doctors chimed in championing that they need mandatory standards. You probably don't hear that as often, so that was kind of interesting to me. And then he's quoted, and it was a real telling comment, that those who are on the front line realize that the kind of iterative pattern we have had at this point just isn't getting it done. You have to have some level of mandatory standards. Again, that's him saying that you have to have some level of mandatory standards. You're seeing some themes here in both of these first stories that I think are just really important for us to be aware of. The concept of mandatory versus voluntary: mandatory seems to be winning out there. The concept of too many agencies touching some form of cybersecurity oversight. It's impossible to think that something big isn't coming when you start to tie these stories together. And again, both of these feel imminent: Biden's saying within the next few weeks, and Warner saying by the end of the first quarter. So definitely keep your eyes peeled on both of these. In the realm of predictable stories to be covered on The CyberPHIx, the analysis on the use of ChatGPT continues to evolve and is just fascinating to me.

Britton: [00:10:39] We covered in January that it could be used by attackers to craft phishing emails and write malware, but we mostly focused on the phishing side, and it could have been more than a week later that some more news on this came out. So in January, the Health Sector Cybersecurity Coordination Center, HC3 again, sent an analyst note warning healthcare entities that the tool has been confirmed to have been used for malware development purposes. Quote, "Specifically, on December 21st, 2022, a threat actor posted a Python-based multi-layer encryption/decryption script on an underground hacking forum. The script could potentially be used as ransomware," end quote. HC3 points out that there are definite warning signs that AI is already being used by attackers. For example, DeepLocker was developed to better understand how artificial intelligence models could be combined with existing malware techniques to create more potent attacks. In the case of DeepLocker, it analyzes the payload distribution lifecycle based on a deep neural network AI model to look for appropriate trigger conditions in order to reach the intended target. HC3 wrote that current artificial intelligence technologies are widely believed to only be at the very beginning of what will likely be a whole array of capabilities that will cut across industries and enter into people's private lives.

Britton: [00:11:55] And they also, not so optimistically, said the cybersecurity community is far from developing mitigations and defenses for such malicious code, and it remains unclear if there will ever be ways to specifically prevent AI-generated malware from being successfully used in attacks. So that's not super encouraging, but interesting nonetheless. It does list some resources for exploring the ethics as it applies to AI and appropriate governing models that we can read up on. But they're there, and just like they said, there really isn't a lot in the way of actual deployable controls or mitigations for this right now. Obviously an area to watch. And then on the heels of this story, we came across this one that I just thought would be good to share. It's more on the positive side because it's a bit more solvable than the AI-augmented malware scenario. So a few different compliance and legal analysis groups want to make sure that the healthcare industry knows that in its current state, there is no way to use ChatGPT with any patients in a manner that would be considered HIPAA compliant. So as you all know, the HIPAA Privacy Rule clearly states that we have to limit access to, but the terms of use for ChatGPT explicitly state that OpenAI is allowed to use personal information gained from the use of their services, including things like log data, device information, and most importantly, usage data. So this is a quote directly from their terms.

Britton: [00:13:20] Quote, "We may automatically collect information about your use of the services, such as the types of content that you view or engage with, the features you use, the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, computer connection, IP address, and the like," end quote. So maybe there's some interpretation that could be done there, but I really think you just have to assume that any data typed into the tool is going somewhere that you probably don't want it to, and that even if you're okay with it going there, you definitely don't have a BAA with them. You know, there will inevitably be cool use case ideas that come up from your clinical communities and your operational leaders. So if you have privacy or compliance responsibilities, we definitely suggest you get out ahead of this through awareness messaging, getting on town hall meetings, and leveraging your C-suite to talk about it for you. At the very least, try to get yourself looped into discussions if your organization is considering some sort of ChatGPT use case, which, if you look at the internet, it seems like every company on earth is right now. But get into those discussions so you can make sure, at the very least, no identifiable data is included. But there are also plenty of competitive intellectual property-type reasons to be careful with the use of this tool too.

Britton: [00:14:42] This is one area where you don't want to be the no police, but you certainly need to get ahead of the messaging and just make sure people are aware in a health care setting. Vet your really cool idea for a tool like ChatGPT before you go out and start entering any kind of protected data. Some sad news to share next, but I think it's really important for us all to be aware of. A small hospital called St. Margaret's Health in Peru, Illinois, announced its plans to close on January 28. It is the only hospital in the town. The CEO sent a letter to its employees and called it a temporary closure. Here's hoping that's true. In the letter, it says the hospital's current provider of physicians terminated its contract with St. Margaret's, and St. Margaret's can't find or financially support a new emergency room provider. It also says it doesn't have enough staff to operate this hospital and its sister location in a town called Spring Valley, Illinois, that's down the road a bit. So you may be wondering why I'm sharing this, and that's because the letter specifically blames COVID, a cyberattack preventing timely billing, staffing shortages, and other rising costs. I think we can all probably assume that the cyber attack that prevented billing was ransomware. And look, I was always very, very conscious of doing any kind of fear-mongering as a cyber leader.

Britton: [00:16:02] I think that's a really good way to find yourself excluded from the conversations and the meetings that you need to be in. You have to be very, very careful and never come across as a fear-monger. But this is a real-world example of the thing that we all fear: a hospital closing, not just going on diversion. We talk about diversion a lot, but a hospital actually closing, with a cyber attack being one of the reasons publicly mentioned, is kind of mind-boggling to me. This hospital apparently used to be one of the largest employers in the city, so the impact goes well beyond just access to patient care. This is a real-life issue for the viability of that community and people's jobs and economic stimulation and so on. Now, one other angle of the story to keep an eye on: the CEO says that St. Margaret's may reopen as a rural emergency hospital, REH if you haven't heard that acronym before, under a federal program to reduce the number of rural hospitals closing nationwide. This program is something that I saw in an Axios story late in January, and I thought, well, that's interesting, but I'm not too concerned about it. And then just a week or so later, I saw this story about a hospital closing that's considering this thing. So the REH thing, I think, is something to be aware of because it affects our industry. So the Biden administration is offering struggling rural hospitals a new financial lifeline that started January 1st of this year.

Britton: [00:17:29] Basically, a facility can opt in to becoming a rural emergency hospital in order to bring in enhanced Medicare payments and upwards of $3 million in subsidies each year. However, the catch: facilities that opt in have to agree to close their non-emergency inpatient services. So that means patients typically have to leave within about 24 hours, so those who can't go home have to be discharged to a full-service hospital, and in many cases that may be in another state. The kinds of facilities that are eligible are critical access hospitals or rural facilities with fewer than 50 beds. Basically, the way that it works is hospitals that elect to convert to this concept can begin receiving monthly subsidies of more than 272,000, plus a 5% increase in Medicare outpatient and emergency services. However, if they participate, in addition to the closing of other inpatient services, they are also locked out of the federal 340B drug pricing program. Some of you are probably familiar with that. It provides low-cost medicines to ensure low-income patients have access to the drugs that are needed for treatment. And of course, that's often a big need in these rural settings. So there appears to be a ton of debate about whether this is actually a good thing or a bad thing. I'm not here to weigh in on that.

Britton: [00:18:50] I will leave that to the operators who run hospitals for a living. But I think security and privacy folks in health care need to be aware, because these kinds of tremors in the business of health care absolutely have impacts in our world. I can think of several implications in the realm of telehealth expansion, for example, as other health systems need to pick up the slack of inpatient closures, not to mention just the general technology and kind of vendor and supplier changes that will inevitably come with any kind of major service model change like this. So maybe not the typical story we cover here, but I think just keeping your finger on the pulse of the business of health care is a good thing to do because it will impact us down the road. And actually, in that vein, I'm going to keep going down the business road with another topic that makes sure we're staying informed on where the business is going. The travel nurse trend that reached a crescendo during COVID has slowed down but is not expected to go away any time soon. The workforce has not recovered to pre-pandemic levels, according to some recent reports, so hospitals are still planning to, and actively are, relying on travel nurses to fill those gaps. And again, it doesn't appear that that will be going away. And the nurses themselves are still interested in this option because the pay can be so much higher.

Britton: [00:20:06] I bring this up because this trend can cause some difficult security issues. You know, these are temporary staff who need to get ramped up on access and technology quickly and who will leave quickly as well. That means they don't know your general security and IT processes. It means that making devices and access available quickly is imperative, but also difficult. And then also recovering those devices and tearing down access quickly is really challenging. So the prevailing wisdom here seems to be focused on, if you can afford to do it, designating a portion of your device fleet for that travel nurse population, so you can have dedicated device types that are available with even more restrictive controls and use cases for the device, but then also doing things like ensuring they still get some kind of baseline security training at onboarding. Apparently, it's very common, understandably so, for these travel nurses to just kind of pass through orientation and get on the floor: we need you to do patient care. But try to find some way to give some baseline security training at onboarding, and then finally make sure you can tie their account creation and termination to your official HR and payment systems, so you know when they start and stop working. All of that sounds simple. You know, I just explained it. Why not do it, right? But obviously all of that is much easier said than done, but something worth mentioning if that's something you're facing in your system. I think that would be a great kind of roundtable topic to have with other CISOs: is this really impacting you, and how are you dealing with it? All right.

Britton: [00:21:46] Moving into threat landscape and law enforcement, I'm guessing most of you saw the really cool news that the FBI recently managed to infiltrate the Hive ransomware group for a big win for the defenders. So Hive has mostly targeted health systems, schools, and other types of critical infrastructure around the world. And in January, the FBI managed to penetrate Hive's systems, stole and then distributed decryption keys to hundreds of victims mid-attack, and ultimately shut down some of the gang's key digital infrastructure. The FBI's success prevented victims from having to pay, they say, $130 million in ransom payments; the Justice Department is actually who said that. So awesome, right? Let's celebrate that. Let's celebrate a win. I'm guessing you saw that; I saw a lot of stories about that. But what you may not have seen, because I only saw one story on this, is a piggyback story about the Hive operation. And basically, the story was saying the FBI and the DOJ are not so subtly using this story to beg more ransomware victims to call the FBI for help when they are victimized. So at a press conference detailing the campaign, FBI Director Chris Wray estimated that only 20% of Hive's victims reported potential issues to law enforcement during the bureau's seven-month sting operation, where they were monitoring and seeing that attacks were happening.

Britton: [00:23:09] The FBI is hoping that the speedy assistance they provided victims during this op could help encourage more ransomware targets to call the FBI when they are actually attacked. And again, that number, $130 million spared in payments, I think is probably getting some attention. So there's a long-standing mistrust between companies who have been victimized, in terms of divulging too much or, in most cases, any type of information, and agencies like the FBI, because there's this fear that it will disrupt your response efforts and that it might be used against you in investigations and penalties. And so groups like CISA and the FBI are really trying to counter that narrative by sharing success stories like this. Another thing that should be mentioned: FBI field agents are usually really interested in and open to meeting with cybersecurity leaders and companies that are in their territories. So at the very least, establishing that relationship proactively is always something that I believe in. I think it's also probably a good time to draw up some criteria in your IR plan: when do you involve law enforcement? That's a really tough decision to make in the heat of the moment, so thinking about it ahead of time and documenting some scenarios is a good idea.

Britton: [00:24:22] At the very least, talking to your co-leaders in the cybersecurity realm and your C-suite about it is, I think, good to do before you're in the heat of the moment. And then finally, I definitely want to mention, you know, one of the many requirements that we all see coming is mandatory reporting of cyber incidents, whether it's from the SEC, where we're still just kind of waiting to see when that comes, from the FTC, where there's already some stuff there, or from CISA. This is something I want to remind you of because I had kind of lost track of it, and then this story brought it back to my attention. CISA's CIRCIA (C-I-R-C-I-A) stands for the Cyber Incident Reporting for Critical Infrastructure Act of 2022. They have a mandate from Biden's 2022 law, signed in March, to create a proposed rule for incident reporting, and their due date for that proposed rule is March of 2024. Now, that means it will be well after that that any kind of final rule goes into place. But, you know, it's a mandate. It's going to happen. And some of the details within it state that it sets the requirement for any compromised entity to report within 72 hours. So this is stuff that we know is coming. And again, it just seems like everything ties back into some of these movements and shake-ups that are going along in the government for new regs, but we've got to be aware of them.

Britton: [00:25:46] And you know, look, maybe you can save $130 million if you start planning. Okay, here's a quick hitter in the threat space to make sure your defenses are properly focused. Netskope released a report in January that 400 cloud applications delivered malware in 2022, which honestly kind of surprised me. I figured that number would be higher, but it's notable because that number triples the number of distinct cloud applications that delivered malware in 2021. That's not really the part that I wanted to talk about; that's not surprising. The one nugget that I thought was really important from this report: the researchers found that 30% of all cloud malware downloads originated from Microsoft OneDrive. Interesting, right? More interesting: the next closest were Weebly and GitHub with only 8.6% and 7.6% respectively. So a massive gulf between number one, Microsoft OneDrive at 30%, and those two others at seven and a half, eight and a half percent. Obviously, OneDrive is a tool that's used more and more by businesses because of the ease of collaboration. So just mentioning this because you may want to check into how you're blocking and inspecting traffic from that location. Netskope did a good thing here, I think, in including some very practical recommendations for what to do about this. So I'll go over those really quickly.

Britton: [00:27:04] They recommend enforcing granular policy controls to limit data flow, and to include within those policy controls flow to and from applications, between company and personal instances, among users, and to and from the web, and then adapting the policies based on device, location, and risk. They also then recommend deploying multilayered inline threat protection for all cloud and web traffic to block inbound malware and outbound malware communications, and then enabling multifactor authentication for unmanaged enterprise apps. So some things to look at. Check how you're monitoring and defending your OneDrive, because it's apparently a very robust source of malware infections. Another one in the threat space: DDoS seems to be coming back into vogue. It never really leaves vogue; it just sort of spikes and declines, you know, throughout the cycles of the year, it seems like. But it's back in vogue from a Russian-backed group called KillNet, which claimed credit for hitting 17 US hospitals in January, and HC3 is now warning about it. The attacks caused outages ranging from a few hours to several days. DDoS doesn't cause as much long-term damage as ransomware, as you all know, but can be just as disruptive during the throes of the actual attack. If your systems are unusable, they're unusable, whether it be from distributed denial of service or ransomware. Now, a lot of attackers use this technique because it's typically a little bit more difficult to stop. But I did want to use this opportunity to mention to folks some joint guidance that was produced by the FBI and CISA in October.

Britton: [00:28:39] I admittedly missed this one when it came out last October, just a few months ago, but it surfaced with this story. And I thought, you know, that's something people need to know about, because I think DDoS is one where, for a lot of us, it's not like, well, here's the five things you do off the top of your head to deal with DDoS, because it's not as common anymore and may not be like some of the other attack techniques that we're all a little more comfortable with and can just kind of spout off the top of our head. Some of the key controls from this document, which again came out in October: it's called Understanding and Responding to DDoS Attacks, so search that term. It's a joint production by the FBI and CISA, and you should be able to find it. And there are some really good practical tips in it. It's only nine pages long. Hallelujah, right? This isn't a 500-page NIST document. It's nine pages. And then specifically on pages four through six, I should say, it has several specific steps to take before a DDoS attack, to prepare, basically. So I'll run through some of those really quick. Those steps include identifying your most critical assets and services that are Internet-facing. That's important, right? So you can deploy a web app firewall configured to the deny state on those.

Britton: [00:29:48] Make sure you understand your baseline expected remote connectivity by your users, because that's an indicator that something may be weird if you're seeing things that are out of the norm. Enrolling in DDoS protection services that can detect strange or potentially malicious traffic and offload it to the server farm somewhere else, talk with your ISPs and your cloud providers to understand what protections they offer. A lot of them have sort of native DDoS protection mechanisms that you can either pay a little extra for or, in the midst of an emergency, ask them to deploy without necessarily having to pay. Inspect your high availability and load-balancing network architecture that wouldn't make sense. And then developing DDoS-specific IR plans and business continuity plans, plus plan to include your DDoS scenario in one of your DR tests or tabletops so that you're actually walking through what the DDoS scenario is, how it might be different from other IR, all very understandable practical tips that I think we could learn from and try to respond to. And I want to share this one. I think we've all kept an eye on the Russia-Ukraine conflict. If you recall, early on the predictions of Russian cyber attacks as a major component of the war seemed like a near certainty. But then that didn't really play out in reality. And the US government is now saying that they expect an uptick in Russian cyber attacks against Ukraine here in the first quarter of 2023, but they actually don't think it will have that large of an impact on the war. 

Britton: [00:31:19] So I thought this was interesting. The belief is that people basically just underestimated the challenge of coordinating kinetic and digital attacks. And so it's not for lack of trying on the part of Russia. It's just not as simple as it sounds, due to Ukraine cyber defenses, and also because the Kremlin is being attacked by Ukraine and Ukraine sympathizers as they're attacking. But Michael Daniel, President and CEO at Cyber Threat Alliance, was quoted in this story as saying, "Using cyber capabilities to cause disruption is easier if you're not trying to tie it to specific military operations because it gives you more flexibility in terms of choosing the time and place of where you try to get as actually happen." So that's good news, I suppose. But there is some bad news. Russia is definitely expected to ratchet up the volume on these attacks, and there is belief that even though it may not make a huge difference in the actual war, in the short term businesses providing direct support and aid to Ukraine or just in the area of Ukraine are much better targets because disrupting them disrupts supplies to Ukraine. So those attacks are expected to be more common, but also hopefully low-level and maybe unsophisticated, according to this report. It sounds to me like we should continue to be aware of the situation, but that escalation or red alert that we kind of all keep waiting for and that we thought was probably inevitable early on. 

Britton: [00:32:43] Seems like it's still not really necessary. However, there may be a little due diligence you could do to kind of hedge your bets here. I think knowing, do you have any third parties that support you, especially critical things that you do, that are in the Ukraine area, [00:33:00] that do anything that supports Ukraine. It'd be a really good idea to talk to your head of supply chain or your CFO or whoever knows where your most critical third-party suppliers and vendors operate and alert them of this so they have some business continuity in mind if they face any kind of disruption from an important partner. And then anything more on the cybersecurity angle, anything you can do to harden your own network and access management and so on against companies, vendors that may be in that area or supporting Ukraine, probably something to look into. But this is not a red alert situation. Final story to close out here. Two quick notes. If you're the type who likes to get involved in helping shape standards for our industry, there are two pretty big opportunities coming up that I wanted to mention just to help get the word out, with Cloud Security Alliance and with NIST. So first one, the Cloud Security Alliance, CSA, and the Cloud Controls Matrix Working Group is kicking off a new project for developing guidelines that pertain to the Shared Security Responsibility model and that are to be tailored to each of the 197 Cloud Controls 

Britton: [00:34:07] Matrix Control Specifications. The objective of the project is to extend the CCM, that's the Cloud Controls Matrix version 4 framework, and develop additional guidelines for the system controls that pertain to the Shared Security Responsibility model in order to educate cloud customers on how they and their service providers share the responsibility for securing their cloud footprint. It's supported by Adobe as [00:34:30] one of the co-chairs. The project actually began on December 15th of 2022, but it runs through the end of Q3 this year, and they are still actively looking for folks who want to contribute. So I know I have some experience trying to model risk around the shared responsibility model and certainly trying to implement how do we break that down? Who actually is responsible for what? And it's no small task if any of you, probably all of you, are in the midst of trying to figure this out in some way, shape or form. So this is a good opportunity to improve something here that I think would help a lot of people. If you're one of those folks that likes to shape some of these standards, you could probably search Cloud Controls Matrix Working Group, and I think you'll be able to find some information on it. 

Britton: [00:35:11] Secondly, NIST is hosting its second virtual workshop to discuss potential changes to the Cybersecurity Framework. So the CSF is obviously an important part of many of our security programs. And given all the topics I just covered earlier in the podcast about potentially pending legislation, it is, I would say, very likely that it's going to grow in importance for all of us. So any opportunity to understand and even influence changes that are coming to the CSF I think are good to join. The workshop is February 15th from 9 a.m. to 4:30 p.m. So hopefully if you're listening to this before that date, you can sign up for it. There is a concept paper published on what the changes might entail, and at a high level those include clarifying its potential applications, the CSF's potential applications, providing better context and connections to existing standards and resources, updating and expanding [00:36:00] guidance on practical framework implementation, something we can all get behind, emphasizing the importance of cybersecurity governance, expanding the supply chain risk management coverage that was introduced fairly recently, and advancing understanding of cybersecurity measurement and assessment. That's another one. If you search NIST Cybersecurity Framework 2.0 concept paper, I think you'll find that, and then search the Cybersecurity Framework 2.0 workshop to find the registration link for the event. I'll be there virtually and hope to virtually see some of you there and I'll share what I learn. 

Britton: [00:36:31] On the next podcast. That's all for this session of The CyberPHIx Health Care Security Roundup. We hope this was informative for you and we'd love to hear from you. If you want to talk about any of this, please just reach out to us at [email protected]. That's all for this week. So long. And thanks for everything you do to keep our health care organizations safe.