Cybersecurity News

President Trump signed into law a bill (H.R. 7898) containing provisions that require the Secretary of Health and Human Services to consider certain recognized cybersecurity best practices when making determinations against HIPAA-covered entities and business associates victimized by a cyberattack.

In an alert this week, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) reminded health care providers and researchers to patch any vulnerabilities in their Picture Archiving Communication Systems that could expose patient records to unauthorized access.

A Federal Communications Commission advisory panel this week recommended best practices for voice service providers, hospitals, and federal and state governments to prevent unlawful robocalls from disrupting communications in hospitals.

The Cybersecurity and Infrastructure Security Agency and Health Sector Cybersecurity Coordination Center are alerting organizations to a global cyberattack using a hidden back door or “trojanized” legitimate updates to the SolarWinds Orion performance monitoring platform to access public and private networks.

A highly sophisticated threat actor has stolen tools used by cybersecurity company FireEye to evaluate the security posture of enterprise systems, which unauthorized third-party users could abuse to take control of targeted systems, the Cybersecurity and Infrastructure Security Agency announced.

The Cybersecurity and Infrastructure Security Agency alerted organizations to a global phishing and spearphishing campaign targeting the COVID-19 vaccine cold chain, the part of the supply chain used to store and transport a vaccine at safe temperatures.

The Senate Homeland Security and Governmental Affairs Committee held a hearing on defending communities from cyber threats during the COVID-19 pandemic.

The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services said they continue to assess the ransomware threat to the health care sector.

The Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services said they consider the recent ransomware threat to the health care sector to be credible, ongoing and persistent.

As physician practices reopen and hospitals around the country prepare for a second wave of COVID-19 infections coinciding with cold and flu season, the AHA and AMA have released a new resource to help them keep patients’ protected health information private and secure.

The National Security Agency released an advisory detailing 25 common vulnerabilities that Chinese state-sponsored cyber actors are actively exploiting to access computer networks for sensitive intellectual property and other information, and encouraged stakeholders to take appropriate action to protect their networks.

The good — our society clearly recognizes the vital role our hospitals and health systems play in our nation’s critical infrastructure and how important they are to our communities’ health and safety. The bad — we have seen an increase in the frequency, severity and sophistication of cyberattacks targeting hospitals and health systems.

Financial institutions and other organizations that facilitate ransomware payments may face sanctions for assisting a malicious cyber actor that the Department of the Treasury’s Office of Foreign Assets Control has sanctioned, according to a recent OFAC advisory.

The Cybersecurity and Infrastructure Security Agency and Multi-State Information Sharing & Analysis Center (MS-ISAC) released a guide to help organizations prevent and respond to ransomware attacks, including best practices and a ransomware response checklist. For additional ransomware resources, visit CISA’s ransomware webpage. 

The Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness & Response released an update on the Ryuk ransomware threat to the health care and public health sector, and urged the sector to take certain actions to reduce the risk of an attack.

The National Institute of Standards and Technology has updated its Security and Privacy Controls for Information Systems and Organizations, a catalog of tools to help organizations manage and respond to security and privacy risks.

The Cybersecurity and Infrastructure Security Agency is tracking an unknown malicious cyber actor who is spoofing the Small Business Administration COVID-19 loan relief webpage via phishing emails, the agency announced.

The FBI today alerted the private sector to a sophisticated and aggressive nation-state campaign targeting known critical and common vulnerabilities in virtual private networks, initially reported by the government last year.

Ransomware attacks on hospitals are “threat-to-life crimes” because they directly threaten a hospital’s ability to provide patient care, writes John Riggi, AHA senior advisor for cybersecurity and risk.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency yesterday alerted organizations to a critical vulnerability affecting the SAP NetWeaver Application Server, which an attacker could exploit through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.