HHS launches website for the 405(d) Aligning Health Care Industry Security Approaches Program

Today, the U.S. Department of Health and Human Services (HHS) through the Office of Chief Information Officer (OCIO) and Office of Information Security (OIS) launched a website for the HHS 405(d) Aligning Health Care Industry Security Approaches Program. The HHS 405(d) Program website was developed in partnership with the HHS 405(d) Task Group, which includes more than 150 individuals from industry and the federal government who have tirelessly collaborated and provided their insights because they believe there is only one way to fight cybersecurity threats: together. Through this new website, the 405(d) Program supports the motto that Cyber Safety is Patient Safety and provides the Healthcare and Public Health (HPH) sector with useful, impactful, and vetted resources, products, videos, and tools that help raise awareness and provide cybersecurity practices, which drive behavioral change and move toward consistency in mitigating the most relevant cybersecurity threats to the sector.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.

Senate panels reach deal on cyber incident reporting mandate, push for NDAA inclusion

Two Senate committees have reached an agreement on a measure that would require critical infrastructure operators to report cyberattacks to the federal government. Senate Homeland Security leaders Gary Peters (D-Mich.) and Rob Portman (R-Ohio), Senate Intelligence Chair Mark Warner (D-Va.) and intelligence panel member Susan Collins (R-Maine) on Thursday announced they had filed their compromise measure as an amendment to the fiscal 2022 defense policy bill (S. 2792). The amendment also includes Homeland Security Committee legislation updating the Federal Information Security Modernization Act.

The AP Interview: Justice Dept. conducting cyber crackdown

The Justice Department is stepping up actions to combat ransomware and cybercrime through arrests and other actions, its No. 2 official told The Associated Press, as the Biden administration escalates its response to what it regards as an urgent economic and national security threat. Deputy Attorney General Lisa Monaco said that “in the days and weeks to come, you’re going to see more arrests,” more seizures of ransom payments to hackers and additional law enforcement operations.

Fall 2021 OCR Cybersecurity Newsletter

October is Cyber Security Awareness Month and a great time for organizations to revisit the protections they have in place for their legacy systems. Health care organizations rely on many technical systems to deliver their services. The HIPAA Security Rule requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit. As health care entities’ technological footprint grows, the number of systems these organizations need to identify, assess, and maintain grows as well.