Cybersecurity News

Latest

A May data breach involving MOVEit Transfer software on Medicare contractor Maximus Federal Services’ corporate network may have exposed an estimated 612,000 Medicare beneficiaries’ personally identifiable information and/or protected health information, the Centers for Medicare & Medicaid Services announced July 28.
Malicious actors recently exploited a Citrix vulnerability to steal Active Directory data from a critical infrastructure organization, the Cybersecurity and Infrastructure Security Agency reported recently, urging organizations to take certain steps to detect a potential system compromise and apply patches.
The Department of Health and Human Services’ Office for Civil Rights and Federal Trade Commission yesterday sent a letter to about 130 hospital systems and telehealth providers reminding them to comply with HIPAA Privacy, Security and Breach Notification Rules, the FTC Act and FTC Health Breach Notification Rule when using technologies that can track a user’s online activities, such as Meta/Facebook Pixel and Google Analytics.
Microsoft announced plans to offer government and commercial customers free access to additional cloud security logs beginning in September, prompting applause from the Cybersecurity and Infrastructure Security Agency.
The White House the week of July 10 released a federal plan for collaborating with the private sector and others to implement the National Cybersecurity Strategy.
In response to recent malicious activity identified in a federal civilian agency’s Microsoft 365 audit logs, the Cybersecurity and Infrastructure Security Agency and FBI July 12 released guidance to help health care and other critical infrastructure organizations detect similar malicious activity and secure their cloud environments.
The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, recently announced this year’s Top 25 Most Dangerous Software Weaknesses, which an attacker could use to control a system, steal data and prevent applications from working.
The Cybersecurity & Infrastructure Security Agency is warning of a significant, high-risk vulnerability in Medtronic’s Paceart Optima System, which is used to compile and manage patients’ cardiac device data.
A Department of Justice expert discusses the Cybersecurity Information Sharing Act of 2015 and how the relatively unknown law can be a valuable tool for protection.
The Department of Health and Human Services Friday alerted the health sector to a recent ransomware attack on a U.S. cancer center that reduced cancer treatment capability, rendered digital services unavailable and threatened exposure of patient personal health information.
The Cybersecurity and Infrastructure Security Agency yesterday urged organizations to apply Progress Software updates to the MOVEit Transfer web application to prevent ransomware attackers from exploiting a critical vulnerability used to steal data.
The Cybersecurity and Infrastructure Security Agency, FBI, Multi-State Information Sharing and Analysis Center (MS-ISAC) and international partners June 14 recommended health care and other critical infrastructure organizations take certain actions to defend their networks against LockBit ransomware based on observed incidents.
The FBI and Cybersecurity & Infrastructure Security Agency this week advised all organizations to implement certain recommendations to defend their networks from the latest tactics by the CLOP ransomware gang, which include using a SQL injection vulnerability in Progress Software's managed file transfer solution to steal data.
The Federal Trade Commission June 8 released for public comment a notice of proposed changes to breach notification requirements for entities that collect health information but are not covered by HIPAA’s privacy and security requirements.
U.S. and international cybersecurity authorities released an advisory to help health care and other critical infrastructure organizations identify and protect their networks from a People’s Republic of China state-sponsored group known as Volt Typhoon that uses built-in network administration tools to avoid detection.  
An interagency task force chaired by the Cybersecurity and Infrastructure Security Agency and FBI yesterday released an updated guide offering best practices and a checklist to help critical infrastructure organizations such as hospitals and health systems prevent and respond to ransomware and data extortion attacks.
During a month-long ransomware attack on four hospitals in 2021, two neighboring hospital emergency departments experienced increased patient volumes, wait times and stroke patients, among other impacts, according to a study reported this month in JAMA Network Open.
The FBI, Cybersecurity and Infrastructure Security Agency, and Australian Cyber Security Centre issued recommendations to help critical infrastructure organizations protect their networks from ransomware attacks and data extortion by a cybercriminal group known as BianLian. 
Health sector organizations should immediately patch a vulnerability in Veeam software used to back up, replicate and restore data on virtual machines, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Centers (HC3) said in an alert May 10.
The Food and Drug Administration last week alerted health care providers and laboratory personnel to a cybersecurity vulnerability affecting the Universal Copy Service software in certain Illumina medical devices used to sequence DNA for clinical diagnostic use or research.