Thursday, 18 Aug 2022

Senate mandates cyberattack reporting to CISA

Photo: Image, nnwo/Flickr, licensed under CC BY-ND 2.0.

The U.S. Senate this past week passed legislation that would mandate reports of cyberattacks on critical infrastructure and federal civilian agencies.  

Sponsored by Sen. Gary Peters, D-Michigan, the Strengthening American Cybersecurity Act combines language from three separate bills.  

It would require critical infrastructure entities to report substantial cyber incidents – defined as those leading to a disruption of business operations and a loss of confidentiality – to the Cybersecurity and Infrastructure Security Agency within 72 hours, and to report ransomware payments within 24 hours.  

Critical infrastructure sectors include healthcare and public health, along with information technology, emergency services and critical manufacturing.  

In addition, the bill would aim to modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program to ensure federal agencies can adopt cloud-based technologies with a goal of improving government operations and efficiency.

The legislation will now move to the U.S. House of Representatives.  

“Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks,” said Peters in a statement.   

“I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can [safely] and securely utilize cloud-based technology to save taxpayer dollars,” he added.  

CISA flags device vulnerability  

CISA published a pair of advisories this past week regarding medical devices manufactured by BD.

The first device, the BD Viper LT, is vulnerable due to the use of hard-coded credentials, which could allow a threat actor to access, modify or delete sensitive health information.   

“BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness,” said CISA in the advisory. “The fix is expected in an upcoming BD Viper LT system Version 4.80 software release.”  

The Viper LT is a molecular STI testing system for use at low- and mid-volume laboratories.  

The second device, the BD Pyxis, has a similar issue with hard-coded credentials.  

“Successful exploitation of this vulnerability could allow an attacker to gain access to electronic protected health information or other sensitive information,” said CISA in the advisory.   

BD is in the process of strengthening credential management capabilities and recommends several compensating controls for users.   The Pyxis is a connected medication dispensing tool.  

BD voluntarily reported both vulnerabilities to CISA.  

Montana health system hack affects 213K  

Logan Health Medical Center in Kalispell, Montana, recently notified patients that it had fallen victim to a “highly sophisticated” attack on its IT systems.  

According to a notice posted to the Montana Attorney General’s website, on November 22, 2021, the organization discovered suspicious activity, including evidence of unauthorized access to one file server that includes shared folders for business operations.   

An investigation determined that there was unauthorized access to certain files that contained protected health information related to patients.  

Data may have involved the individuals’ name, address, medical record number, date of birth, telephone number, email address, diagnosis and treatment codes, date of service, treating or referring physician, medical bill account number or health insurance information.  

“There was no unauthorized access to our electronic medical records,” said the notice, signed by President and CEO Dr. Craig Lambrecht.

The breach affected 213,543 individuals, as reported to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal.  

“Cyber criminal activity has increased significantly over the past 18 months,” said Lambrecht in the notice. “We are committed to protecting the privacy of our patients and continue to take steps to combat these malicious threats.”

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article