The CyberPHIx Roundup: Industry News & Trends, 7/6/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Largest ransomware attack on record impacts 1,500 businesses via third-party Kaseya supply chain breach over the holiday weekend
  • Several large ransomware providers call it quits due to increased scrutiny and pressure
  • Ransomware attack on Ireland health system exceeds $600m in costs and remains active six weeks into the attack
  • Ukrainian police arrest members of CLOP ransomware gang
  • NIST releases draft guidance for Ransomware Risk Management & CISA releases a ransomware self-assessment tool
  • President Biden’s summit with Vladimir Putin and directive for a “no hack” list of US critical infrastructure
  • DOJ charges network security executive with hacking a Georgia health system for personal gain
  • One billion CVS records exposed in cloud configuration error breach
  • Details of the Ponemon Institute’s new third-party cloud compromise report
  • OIG and FDA updates on medical device security guidance and new GAO cybersecurity recommendations
  • Bipartisan data breach notification bill drafted which includes a 24-hour breach notification requirement
  • Meditology Services was ranked the #1 healthcare security and privacy consulting firm according to a new survey reported by Becker’s and Healthcare IT Security magazines

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, a quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. I apologize for the delay in getting this episode out in the last few weeks, since we welcomed a new baby Selfridge this month. That's the good news. Baby's doing well and has already begun cybersecurity training, as you might expect. The bad news is that the cyber attacks on health care entities did not let up while I was out, and we have lots to catch up on. So let's dive into it, shall we?

Brian Selfridge: [00:00:49] Another gargantuan cyber attack on the global supply chain took place over the holiday weekend, which saw over 1,500 businesses infected with ransomware. The attackers exploited a vulnerability in the third-party software from Kaseya, which provides back office IT solutions for small and mid-sized businesses. This is one of the first major attacks to target smaller businesses. I am curious as to whether or not they will get paid in the same volumes, since the attacks are so distributed across small companies and they would need to amass a higher volume of companies that are willing to pay. The organizations hit hardest included entire supermarket chains in Sweden and schools and kindergartens in New Zealand.

Brian Selfridge: [00:00:49] The attackers are demanding $70 million in payment, but say they are open to negotiations. Who are these attackers? Well, you get one guess really. That's right, a Russian-based ransomware gang. This group goes by the name REvil. REvil is best known for extorting $11 million from the meat processor JBS last month. Perhaps that was the seed funding for this larger scale attack? That's just speculation on my part, but these attacks are certainly becoming big business. We discuss that more in this episode a little later. The attack came just ahead of a long Fourth of July weekend, which was no accident, as it has given attackers a long weekend to attack while protection mechanisms are limited in the US due to the holiday break.

Brian Selfridge: [00:00:49] For my fellow tech nerds, the attack leveraged a zero-day vulnerability that Kaseya had known about but not yet patched. The attack compromised Kaseya's VSA remote access software used to remotely support customer systems.

Brian Selfridge: [00:00:49] President Joe Biden said Saturday that he ordered a "deep dive" by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved. This comes very soon after President Biden and Putin had a summit wherein Biden gave a list of critical infrastructure to avoid hacking. The Kaseya attack was certainly not critical infrastructure, so maybe he listened? More on that later in this episode.

Brian Selfridge: [00:00:49] The Kaseya CEO is tight-lipped about the attack, although he said that when the investigation is complete he is fairly confident that another third-party software was used to breach his network and systems. Oh great, that's comforting news: it's not your fault but another fourth party's instead. Is that where we are headed with third-party risk? Finger pointing downstream until it's no one's fault? We have a long way to go on supply chain risk regardless of who is willing to own the risk. As we have said in the past, the business ultimately lives with the disruption, impacts and financial pain, so I think that's where the buck will stop eventually. Now on to other ransomware news.

Brian Selfridge: [00:00:49] The heat is on. There's been a string of ransomware operators calling it quits, so some of the larger ransomware operators have recently indicated that they will retire from launching ransomware attacks against health care and other entities. Now, we'll give you our insights in a moment on how much we believe their retirements and their sincerity on the whole. But before we do that, the handful of groups that have made their announcements, and we will not be throwing them parties, are the Avaddon ransomware gang. That's a group that launched a ransomware-as-a-service, or RaaS, operation in March 2020, which is a whole new idea. But now they say they're shutting down and releasing their decryption keys for their victims. OK, we'll take it if you send them. The next one is Babuk ransomware announcing a shutdown. They are a syndicate that said it will be closing its doors, but not entirely. They said they will no longer launch any attacks, but they will kindly still make source code available for their ransomware-as-a-service model, or RaaS model again. So it sounds like they're changing business models to be a B2B, or a ransomware-to-bad-guy provider, whatever the acronym would be, rather than launching attacks themselves. I think a lot of that has to do with the heat that's coming down from the government entities and in various places across the country.

Brian Selfridge: [00:02:09] The last one is DarkSide, and they went as far as to apologize. Now, we covered this in prior episodes, so I won't go into too much detail. But DarkSide, if you'll recall, is the Russian-affiliated ransomware gang, and the FBI has said they're responsible for the Colonial Pipeline ransomware attack in particular. So they had a ton of heat on them. So, you know, do we believe these folks and does it matter? No, not really. And no, not all that much in the aggregate. Before I share my perspective, I will relay the point of view on this from what I think is one of the most informed voices in the field on this topic, and that is Brian Krebs of Krebs on Security. If you've never seen his stuff, he's a leading sort of journalist in the space. So I watched Brian speak this past week on this topic, actually, and he says he doesn't buy it. He said, you know, these ransomware operators have become billion dollar private businesses, and that's not an exaggeration. Several of them have reached a billion-dollar revenue threshold, which is no small business. And they're contracting out the grunt work, the penetration testing services, to a lot of contractors. It's a very, very big ecosystem and now a very, very profitable one. So it's creating a ton of underground jobs. And, you know, Brian's perspective, the other Brian's perspective, is that virtual currencies have really changed the game here and made it easier for the bad guys to get paid. And so, you know, he just sees all roads leading to ransomware, and it's the easiest and fastest way to get paid. So that's his perspective.

Brian Selfridge: [00:03:41] Now for this Brian's perspective, I think he's on the right track, and it's hard to disagree with much of that. If you look at what we're seeing in the aggregate, if money is being made and the bad guys are getting this kind of return on investment, then we're going to keep seeing these attacks for some time to come, in my view. Now, I like the fact that we're turning up the heat as the federal government and other sources, other international governments and syndicates, are putting pressure on, and anything we can do to make it more difficult for cyber criminals, or increase their risk or their operating cost and disrupt these business models to help reduce the return on investment for them, I think is absolutely a worthy objective to curb these attacks in the aggregate. So I'm glad to see announcements of shutdowns. I'm not going to go celebrating just yet, but we will take any wins we can. Now in terms of actual attacks.

Brian Selfridge: [00:04:31] So we're not out of the woods with current ransomware attacks. We saw a major one underway with the Ireland Health Service Executive, and they are continuing to operate under an electronic health record shutdown and downtime procedures after suffering a ransomware attack almost six weeks ago. So this has been ongoing and the recovery has been slow going. And the director, Paul Reid, projected the cost to exceed six hundred million dollars. That estimate comes from one hundred and twenty million dollars in current ongoing recovery needs, and that includes hiring technical security folks to support recovery efforts, and backup and recovery systems, processes and everything else. And then the remaining cost estimates were for upgrading systems crippled by ransomware and payments to outside cybersecurity support. So, you know, the numbers add up really quickly, and it doesn't matter quite as much how you slice and dice it. If you heard us talk about the results a while back where they had a ransomware attack and they were tallying up the numbers, it gets very big, very quick, regardless of the location or the source of the attack. So these attacks are very much continuing and the stakes are getting higher.

Brian Selfridge: [00:05:43] We saw Scripps Health in San Diego this past week is now getting sued by its patients in a class action lawsuit over their recent ransomware attack, and in this case, they had specific patients that are claiming harm from the incident, including the inability to access lab results that had implications for medication dosages and related to bone marrow transplants, as one of the examples. So that's always been the big question with the class action lawsuits: is there harm that can be demonstrated from this? I think there certainly is. It's just you have to connect the dots, and that takes time and effort. So we'll see if this Scripps lawsuit sticks or not. If nothing else, it's a distraction, and there are legal costs that will go into it in addition to the ransomware event. So that's another thing that will sort of add a tally to the cost of ransomware events overall.

Brian Selfridge: [00:06:34] Now, one fun news item, I don't know, it's fun for me anyway. Authorities in Ukraine have now charged six people alleged to be part of the CLOP ransomware group, a cyber criminal gang that is said to have gotten more than half a billion dollars in revenue from its victims, at least. And some of their victims this year alone include Stanford University Medical School, the University of California and the University of Maryland, so some high-profile attacks. And if you check out the news article on this, and this was posted on Krebs on Security, I mentioned Brian Krebs earlier, it includes a video of the authorities breaking into the ransomware gang's house and rounding up their technology and their blocks of money. It looks like, you know, Breaking Bad or something, if you ever watch these television shows about cyber criminals. But this is the real deal.

Brian Selfridge: [00:07:22] These are the ransomware folks. And if you want to see what they look like, they look like pretty normal folks in the nice house, and cars that were being loaded onto flatbed trucks and taken away, for example. That's worth a quick look to see how that works. Now, CLOP, this particular group, has been busy over the past couple of months because they were exploiting some of the breaches that we've been talking about here, the file transfer appliance, the Accellion company that had that major supply chain breach, and they were exploiting that and introducing ransomware. So, you know, if you're connecting those dots here to Colonial Pipeline, SolarWinds, Accellion, all these third-party breaches then become the entry point for ransomware. That's what we've been talking about, expecting to have happen over time. And here we are. That's exactly what's going on. So that's an interesting one worth checking out. And we're glad to see at least part of that group. Now, they arrested, like they say, six people or something like that. That's not the entire CLOP group. They got, I think, most of the financial arm, or some big chunk of it. So as with any large cyber crime group, you're not going to round them all up sitting in one house at one time.

Brian Selfridge: [00:08:32] But any positive direction to disrupt operations is certainly welcome. Now, let's talk about what the industry and federal sectors are doing to address ransomware. Right. It's one thing to report on all the bad news, but there has been a flurry of activity in the last few weeks on sort of countermeasures. So we'll start with NIST, which has released draft guidance for ransomware risk management. We all know who NIST is, but they drafted the Cybersecurity Framework Profile for Ransomware Risk Management to help organizations protect against, respond to and recover from ransomware attacks. So the profile, the ransomware profile, talks about basic measures that can be implemented to improve defense against these attacks. And that includes things like antivirus protections and best practices via scanning automatically conducted on emails and flash drives. This is their language, so don't blame me for any clunky terminology. Keeping computers fully patched, blocking access to known ransomware sites, of course, that's worth doing. Only permitting authorized apps to be used, restricting the use of personally owned devices, restricting the use of accounts with administrative privileges, of course, we've been talking about that too, avoiding the use of personal apps, and conducting security awareness trainings for employees on clicking on links and opening files from unknown sources.

Brian Selfridge: [00:09:52] So not a lot of surprises on the types of things that need to be done for prevention and response. But I think the profile is a good tool that can be used to kind of assess where you are and start putting in protections along that whole NIST Cybersecurity Framework model, with which they align this: the identify, protect, detect, respond and recover, if you're familiar with the NIST CSF. So definitely worth a look, and incorporate this into your ransomware playbooks, your tabletop exercises and all that good stuff. Now, it's not finalized. They're actually accepting comments on the framework through July 9th, and then they're going to do another comment period after that. So if you want to weigh in, please do. In similar news, CISA, the Cybersecurity and Infrastructure Security Agency for the US, released a new ransomware self-assessment tool,

Brian Selfridge: [00:10:40] which they call the Ransomware Readiness Assessment, or RRA, which is a new module for its Cyber Security Evaluation Tool, or CSET. Now the RRA is a security audit self-assessment tool for organizations that want to better understand how they are equipped to defend against and recover from a ransomware attack. So that's probably a more formalized tool set, much more along the assessment side of things. Definitely. You know, as we've seen here at Meditology, if you're just trying to figure out where to start in this journey, a ransomware-specific assessment, risk assessment, makes a lot of sense, as well as a very prescriptive action plan, corrective action plan, which typically addresses some of those areas that we mentioned in the NIST guidance earlier, but also really running those tabletop exercises with various different groups: with your leadership group, with your IT security, information security function, risk management function, as well as with your kind of privileged users and other specific groups that have a role to play in all this. So it's great to see some tools coming out to help you do that. I hope you'll check them out. And take a look at how President Biden has gotten in the mix on this as well. This is becoming a major disruption to our supply chain and a national security risk. So in his conversations with Vladimir Putin recently, President Biden gave Putin a list of 16 U.S. sectors that need to be on Russia's no hack list.

Brian Selfridge: [00:12:03] Now, the list appears to follow the typical critical infrastructure as identified by the CIA. And they highlight 16 sectors, of which health care is one, but also inclusive of chemical, communications, dams, defense, emergency services, energy, financial services and others. So, you know, we'll see how that whole diplomacy side of things plays out. Biden has had that conversation with Putin and stated explicitly that the US has offensive cyber capabilities. And he said, I'm not going to outline them for you, Mr. Putin, President Putin, but we have countermeasures here if we need to use them. So let's not go that route, and let's, you know, not touch these particular industry segments. So we'll see if that, coupled with other enforcement, will help us put a dent in some of these attacks coming out of Eastern Europe. Now, in other news, I'll give you a break from ransomware. That's a lot of ransomware updates there, but it's hard to avoid them these days. Let's talk about our own self-inflicted wounds. This case is a very unique one, where the Department of Justice has charged a network security executive with a cyber attack targeting a Georgia health system. So this one makes me want to crawl under a rug or something: a health care cybersecurity executive. In other words, the work that we do, not us, but my field. So I sort of am embarrassed

Brian Selfridge: [00:13:26] for us, and this individual has been charged with the attack. His name is Vikas Singla, and he's allegedly responsible for a cyber attack on Gwinnett Medical Center, which is now Northside, in the Atlanta area. That disrupted two hospital networks, phone service and network printers in September 2018. So it happened a little while back, but he's accused of obtaining information from a digitizing device, I don't know what that is, used by the health care network. Now, I'll give a quote from the FBI on this, when they said the cyber attack on a hospital not only could have had disastrous consequences for patients, personal information was also compromised. This came from Chris Hacker, who is the acting special agent in charge of FBI Atlanta. His last name is glorious in this field. So he said the FBI and our law enforcement partners are determined to hold accountable those who allegedly put people's health and safety at risk while driven by greed. So, you know, prosecutors said he could have damaged at least 10 computers and impaired the medical examination, diagnosis and treatment of care operations for Gwinnett and Northside. So, you know, they didn't mention Singla's employer or what company he worked for by name. They just said a network security company that offered services for the health care industry.

Brian Selfridge: [00:14:46] So fortunately, this is a rare occurrence. It's happened a handful of times in my memory over the last 15, 20 years where you have a security person, one of the alleged defenders, go rogue and go the other direction. So this is a black eye for all of us professionals. There are clear ethical lines that should never be crossed in cybersecurity, and if these allegations are validated, then this individual has clearly moved from the category of cyber protector to cyber attacker. This attack also stings us personally a little bit here at our organization, as this happened in our backyard, since our company headquarters are in Atlanta, Georgia. Just terrible behavior on the part of this individual. Let's hope that's the last we see of something like that for a while.

Brian Selfridge: [00:15:36] Moving on, let's talk about one of the big breaches that came out over the last several weeks while I was sort of out of operation here. There were more than a billion records exposed after a misconfiguration error from CVS Health, and a cloud database was left without password protection. Yikes. CVS has not been out of the news for, gosh, the last decade plus. We've had some major CVS breaches that have been game changers for the industry. This one, a billion records, is up there, although not on par with their breach some years ago.

Brian Selfridge: [00:16:15] So in this case, information that was left publicly accessible to anyone who knew how to look for it, so it was basically Internet searchable and Web enabled, had search histories from CVS detailing patient medications and production records, and exposed visitor IDs, session IDs and device information. And CVS Health said we were able to reach out to our vendor and they immediately took action to remove the database from Internet-facing capacity. And, you know, as we've reported here previously in the CyberPHIx, misconfiguration of cloud implementations has been noted as a top source of breaches this year. So that's on the aggregate statistics. And often these are accidental, which it looks like in this case. But, you know, there are some lessons that need to be learned from this. Accidental is not OK. And that's not excusing anything. You know, we've got the whole third-party risk, third-party vendor phenomenon that we have to grapple with. And that is something we've been noting as a major, major priority in 2021 and beyond. Then we've got our cloud configuration challenges, the skill sets, they're limited, the attention and focus on it.

Brian Selfridge: [00:17:23] A lot of organizations are just looking to the third-party vendor and saying, OK, or their cloud hosting provider, saying, OK, what's cloud hosted? That's your problem. Or it's third-party hosted and cloud hosted. That's their problem. The risk goes with them. And I think we're all learning pretty clearly that the risk stays with us. Right. It stays with the contracting entity, stays with the health care entities in terms of both visibility and reputation, but also in terms of accountability, that it's our data, and where it flows downstream it will need to be protected. So I think we're going to need to get better training, oversight and development processes around privileged administrative systems like databases, our cloud implementations and third-party risk in general, and more. So hang tight for additional recommendations, since we'll cover some of that in the rest of our updates here. So speaking of third-party cloud compromises, the Ponemon Institute, which is our favorite source of studies, they've just put out some great material over the years. They put forth a study around third-party cloud account compromises, saying that they cost organizations over six million dollars annually on average. So that is a pretty significant number when these things do happen. You're looking at, you know, six figures times six, pretty intense costs.

Brian Selfridge: [00:18:43] So they say that 68 percent of those surveyed believe cloud account takeovers present a significant security risk to their organizations, with more than half indicating that the frequency and severity of cloud account compromise has increased over the last 12 months. I'm not surprised by any of those statistics. And Dr. Larry Ponemon, who is a good friend there at the institute, has said that this research illustrates that leaving software-as-a-service security in the hands of end users and lines of business can be quite costly. Only 44 percent of survey respondents believe that their organizations have established clearly defined roles and responsibilities and accountability for safeguarding confidential and sensitive information in the cloud, inclusive of third-party hosted platforms. So, again, not surprising. There's a lot of work to do to make sure we have coverage on who's accountable.

Brian Selfridge: [00:19:32] And we look at those shared accountability matrices, if you see them, from the Cloud Security Alliance and other places. It's a pretty common thought process these days that you've got to understand what you own and what you don't, what they own, what they're accountable for, and how you measure and track that. So finally, with this, some of the key findings around this survey also included that cloud account compromises are costly incidents and present a significant security risk. No surprise there. And they said that for 86 percent of respondents the annual cost of cloud account compromises is over five hundred thousand dollars per year. They also reported 64 cloud account compromises per year on average. So those are pretty significant numbers.

Brian Selfridge: [00:20:12] The report also notes that shadow IT is creating substantial risks for organizations, with seventy-five percent of respondents saying the use of cloud apps and services without the approval of IT is a serious security risk. And again, that's a trend that we've seen grow from way back in the early days of radiology and these specialty groups and organizations, and now medical devices in a lot of cases that create shadow IT for vendors that sort of bring in the whole suite of middleware, as well as the devices and network operating capabilities. So it's becoming an increasing footprint and an increasing risk. And then the last sort of key finding in this report is that strong authentication and adaptive access controls are essential in securing admission to cloud resources. So no surprise there. Privileged access, strong authentication, multifactor authentication.

Brian Selfridge: [00:21:02] Got to do it. There's no more. The days are done of the conversation around this little inconvenience, health care providers saying we can't do multifactor, it's just too much, it's going to mess with clinical flow, care, like that. That whole discussion is just done. And if you're still having it, give us a call and we'll help bring in some of the industry guidance here. You know, the attacks that we're seeing and the implications around third-party risk and multifactor are just too much to handle without that particular control. So hopefully you're not there. But if you are, give us a call.

Brian Selfridge: [00:21:38] There was another survey that came out, and that's from the Office of Inspector General of the United States, that indicates a lack of cybersecurity oversight of networked medical devices at hospitals. So if you work for a hospital or health system, you probably are not surprised by these findings. But I think what's happening is there's a lot more awareness being raised around the lack of maturity of security control processes for medical devices in particular. So this report talks about requiring hospitals to have implemented a cybersecurity plan for networked medical devices. And they found that most hospitals don't, and that they did not identify device cybersecurity in their risk assessments even very often.

Brian Selfridge: [00:22:19] And that's sort of a gap, like we're still stuck looking at electronic health records. A lot of that's driven by the perceived meaningful use and latest iterations of that from CMS, where it's like, let's just look at the electronic health record. But the report is going to show us that the risk assessments and risk analysis have to be much broader than that. And we've seen with the OCR enforcement activity around risk analysis, risk assessments, they have also been beating this drum for some time, of making sure that you're looking at information everywhere that it exists and making sure your inventories are up to date and your risk analysis and risk assessments are fully covered there. So that's the report.

Brian Selfridge: [00:23:04] Now, in a related story, the FDA has outlined medical device cybersecurity goals recently in response to the National Institute of Standards and Technology, or NIST, workshop and a call for papers around President Biden's cybersecurity executive order that we talked about on this podcast a while back. Listen to that episode if you haven't. We did a special one just on that. And the FDA, in its responses, has voiced its support and concerns about medical device security in particular and the need for standards, security standards. So the original executive order stated that the guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers of your medical device manufacturers, and identify innovative tools and methods to demonstrate and conform with secure practices. So that was sort of the objective put out here at the, what do you call it, the executive order level. Now, some of the nuggets out of the FDA's responses I found more interesting than others were that they're saying, look, cybersecurity is crucial for medical device safety and effectiveness. So it's not just a regulatory thing; for these things to work effectively amidst the risk landscape and attack landscape,

Brian Selfridge: [00:24:18] cybersecurity is critical. And critical functions are shifting from on-premises software infrastructure to distributed and remote infrastructure, including newly essential cloud services, upon which the diagnosis and treatment of disease depend. So our dependency is getting much wider and broader. And the FDA stressed that the software supply chain is one essential part of managing risk to patients. Critical software, according to the FDA, may include any device, electronic health record system, cloud service, any software that is necessary for safe and effective use of any given device. So it's that whole infrastructure behind the medical devices as well that they're pointing out is really part of the vulnerability to allowing these devices to work properly, the more that we go to the cloud, the more they become networked. And I think that's an interesting way of framing it. The FDA also voiced their support for NIST goals around developing security testing and software bills of materials in particular. Again, we talked about SBOMs, or software bills of materials, in the past. And in fact, there's a podcast episode we did with Susan Rimonabant a while back where we talked almost exclusively about that, if you want to listen to that episode.

Brian Selfridge: [00:25:30] I'll leave with one sort of final quote from the FDA that I think is telling. It said, "Increasing communications on existing science and engineering principles, standards and guidance can translate into improvements in cybersecurity, which has a fundamentally different risk management calculus from traditional IT cybersecurity." And that last piece, I think, is critical. You can't run your traditional cybersecurity playbooks against medical devices. It just doesn't work. We've tried. They are a very special animal, and we know that. So it's going to require a special set of cybersecurity protocols, runbooks, policies to get medical device security right.

Brian Selfridge: [00:26:05] And so, good news: the FDA has been really active. They made some new hires. They've got our friend Kevin Fu from the University of Michigan in a leadership role there. And I think they are really heading in the right direction to drive some meaningful change in the coming years. But we've got a lot of work to do there.

Brian Selfridge: [00:26:21] The next sort of government update I'll give for you, and I'll keep this one quick because it's a little dense: there was a report put out for HHS with recommendations to improve cybersecurity. This came out of the GAO, the Government Accountability Office, and they indicated seven recommendations to improve cybersecurity. And again, they're a little thick and a little bit bureaucratic in the way they're written, but I'll try to give you the gist of it.

Brian Selfridge: [00:26:48] Basically, their recommendations are around coordinating cybersecurity information sharing better, which we've talked about and is well worth doing, and improvements around continuous monitoring and risk scoring, and a working group around that in particular. So the directive is kind of on that front. They have some very sort of bureaucratic updates around making sure that a process will be established for reporting on the progress and performance of these work groups that are being stood up, monitoring updates and communicating those updates across entities and agencies, finalizing written agreements, and then updating the charter for the Joint Health Care and Public Health Cybersecurity Work Group.

Brian Selfridge: [00:27:28] So still in that really formative kind of bureaucratic stage, but glad to see things move. I'm glad to see some tactical action happening on some of the executive orders that went out earlier this year.

Brian Selfridge: [00:27:40] One of the more interesting regulatory updates, if you will, is that there's a bipartisan group of senators that have introduced a federal data breach notification bill. Now, it's still just introduced, right? I mean, this may land, it may not. There's also a bunch of other data breach bills that are floating around out there. But the latest draft is a federal data breach notification, and it's called the Cyber Incident Notification Act of 2021. And it requires all federal agencies, contractors and businesses that have oversight over critical infrastructure, which is inclusive of some health care, to report significant cyber threats to the Cybersecurity and Infrastructure Agency, the CIA, within 24 hours of discovery. Now, any time I see any law that says do anything within 24 hours of discovery, it makes me sort of shudder a little bit. But I like the intent. I like where they're trying to go with increasing the notification. The bill was introduced by Senators Mark Warner of Virginia, Marco Rubio of Florida and Susan Collins of Maine. And it's yet to be formally introduced into the Senate. But it's very obviously a response to the supply chain attacks and SolarWinds and the Colonial Pipeline and some others. So we'll see where it goes and we'll keep you posted. But you've been informed. It's been drafted and it's out there.

Brian Selfridge: [00:29:00] The final update for today, and this has been a long episode, I appreciate you sticking with us if you've made it this far, is that our own organization, Meditology Services, has made the news this month. And we were cited as the top, number one healthcare security, privacy and consulting firm, which we're very pleased and honored to have the designation as such. So a slew of news articles came out this past week from Becker's Hospital Review and healthcareITsecurity.com and others

Brian Selfridge: [00:29:30] that are citing a recent survey of security leaders at 74 health care entities to determine which security firms are perceived to have the strongest services that health care organizations need. And the top 10 security firms were listed, and the four organizations said they were very likely to engage with and have the highest degree of partnership and highest reputation, or words to that effect. And we were thankful and appreciative that Meditology was ranked number one on that list. We were noted as one of the top firms most likely to be seen as a partner by health care organizations, and most leaders in these designations that were surveyed considered expertise, responsiveness and quality of consultants as top reasons for choosing the partners that they do.

Brian Selfridge: [00:30:14] Midsize and large organizations appreciated the expertise, staff and response times of Meditology Services, and we were noted as having an extremely positive reputation among security leaders. So if you're listening to this podcast, you probably know about us already, and I'm very thankful for you for taking the time to listen and learn together over these podcasts and other materials that we put out, so we can address these emerging cybersecurity risk and compliance challenges together as they crop up for the industry as a whole.

Brian Selfridge: [00:30:45] And on behalf of the entire team of Meditology here, I'd like to thank you for helping us establish the trust and partnership that, you know, is highlighted in these external reports. And a partnership, by definition, is a two-way street. And, you know, it's not just us. It's everybody. And we appreciate the high degree of collaboration that we've experienced with you all and with those that are even listening, as well as our clients, business partners, our work with the regulators and others that help us all work together to safeguard the health care industry from cyber risk. So I apologize for tooting our own horn there a little bit. But this is a roundup, and it did hit the news. I have to report it. So that's that.

Brian Selfridge: [00:31:23] Now, that's all for this session of the CyberPHIx health care security roundup. We hope that's been informative for you, and we'd love to hear from you if you want to talk about any of this, so reach out to us at [email protected]. So long, and thank you for everything you do to keep our healthcare systems and organizations safe. And we'll see you next time.