Cyber Security

Proposed Rule Change to Strengthen the Cybersecurity of Electronic Protected Health Information

The Department of Health and Human Services (HHS) recently published a proposed rule change on January 6, 2025, to modify the “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” (ePHI). These updates aim to enhance the cybersecurity of ePHI in response to the evolving healthcare environment, increasing cyberattacks, and observed compliance deficiencies. This comprehensive 125-page document provides detailed guidelines for the protection of PHI and ePHI. Here is a high-level summary of the key proposals that covered entities and Business Associates need to know (please read the proposal here for more details; https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf):

• Removal of “Addressable” vs. “Required” Standards:
  • All implementation specifications are now mandatory, eliminating the previous flexibility in interpretation
• Mandatory Documentation:
  • Written documentation of all policies, procedures, plans, and analyses is required to ensure thorough and consistent compliance
• Technology Asset Inventory and Network Mapping:
  • Entities must maintain an up-to-date inventory of technology assets and a network map illustrating ePHI movement. This inventory and map must be updated annually or as needed
• Enhanced Risk Analysis Requirements:
  • The proposed rule specifies greater detail for conducting risk analyses, including identifying threats, vulnerabilities, and potential impacts on ePHI
• Regular Security Testing:
  • Annual compliance audits, penetration tests, and biannual vulnerability scans are now required to ensure ongoing security and compliance
• Data Restoration Procedures:
  • Entities must develop procedures to restore critical data within 72 hours, prioritizing the most critical data to minimize disruption
• Vendor Management:
  • Entities are required to verify the security measures of business associates and contractors to ensure they meet the new standards
• Encryption and Multifactor Authentication:
  • These measures are now explicitly required safeguards to enhance the security of ePHI
• Removal of Unnecessary Software:
  • Entities must actively remove unused software and disable unused network ports to reduce potential vulnerabilities

Additional Points of Interest:

• Public Comment Period: Stakeholders have until March 7, 2025, to submit comments on the proposed rule. This is an opportunity for covered entities, business associates, and other stakeholders to provide feedback and suggestions
• Tribal Consultation: The HHS is seeking input from Tribal governments on the proposed rule, indicating a commitment to inclusive consultation
• Impact on Small Entities: The proposed rule changes are expected to have a significant impact on small entities, including small healthcare providers and business associates. Key points include:
  • Increased Compliance Costs: Small entities may face higher costs to comply with the new mandatory requirements, such as maintaining detailed documentation, conducting regular security testing, and implementing advanced security measures like encryption and multifactor authentication.
  • Resource Allocation: Small entities might need to allocate more resources, both financial and human, to meet the enhanced cybersecurity standards. This could be challenging for organizations with limited budgets and staff.
  • Operational Adjustments: The need to maintain an up-to-date technology asset inventory and network map, conduct comprehensive risk analyses, and verify the security measures of business associates may require significant operational changes.
• Compliance Timeline: The proposed rule outlines specific timelines for compliance to ensure that covered entities and business associates have adequate time to implement the new requirements:
  • Public Comment Period: Stakeholders have until March 7, 2025, to submit comments on the proposed rule.
  • Final Rule Publication: The final rule is expected to be published sometime in 2026.
  • Grace Period: Once the final rule is published, there will be a six-month grace period for compliance, allowing entities time to adjust their policies and procedures to meet the new standards.
• Enforcement and Penalties: The proposed rule includes detailed enforcement mechanisms and potential penalties for non-compliance:
  • Enforcement Mechanisms: The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) will oversee the enforcement of the new standards. This includes conducting audits and investigations to ensure compliance.
  • Penalties for Non-Compliance: Entities that fail to comply with the new requirements may face significant penalties. The proposed rule emphasizes the importance of adhering to the standards to avoid fines and other enforcement actions.
  • Increased Accountability: The proposed rule aims to enhance accountability by requiring detailed documentation of security measures and regular security testing. This ensures that entities are actively maintaining and improving their cybersecurity practices.

Today, a meeting of the United States Senate Committee is holding a hearing on “Big Tech Censorship”.  Over the last several months, this has become a very big issue.  With the internet being a primary source of information for many people, it is critical that people have accurate, complete, and accurate data.  WITHOUT getting into political aspects of this; as we all have our own opinions; I would like to see if we, as a community, can help to make suggestions and recommendations regarding this issue.  I believe that as Privacy and Security professionals, one of our roles is to ensure that data integrity and privacy is appropriate across the internet.

At the center of this discussion, is Section 230 of the Communications Decency Act.  As I am not an attorney, I will not attempt to interpret the law.  What I will do is provide some of the details and a link to a legal resource I use frequently, Cornell Law School.  It is my understanding that Section 230 is a reference to 47 U.S. Code § 230 – Protection for private blocking and screening of offensive material (https://www.law.cornell.edu/uscode/text/47/230).

This law opens with the following.

(a) The Congress finds the following:

(1) The rapidly developing array of Internet and other interactive computer services available to individual Americans represent an extraordinary advance in the availability of educational and informational resources to our citizens.

(2) These services offer users a great degree of control over the information that they receive, as well as the potential for even greater control in the future as technology develops.

(3) The Internet and other interactive computer services offer a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity.

(4) The Internet and other interactive computer services have flourished, to the benefit of all Americans, with a minimum of government regulation.

(5) Increasingly Americans are relying on interactive media for a variety of political, educational, cultural, and entertainment services.”

(b) Policy

It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media.

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services.

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer.”

 

This law goes on to talk about.

(c)Protection for “Good Samaritan” blocking and screening of offensive material

(1) Treatment of publisher or speaker

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

(2) Civil liability

No provider or user of an interactive computer service shall be held liable on account of—

(A)any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B)any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).[1]

(d)Obligations of interactive computer service

A provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or                  filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.

(e)Effect on other laws

(1) No effect on criminal law

Nothing in this section shall be construed to impair the enforcement of section 223 or 231 of this title, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, or any other Federal criminal statute.

(2) No effect on intellectual property law

Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.

(3) State law

Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought, and no liability may be imposed under any State or local law that is inconsistent with this section.

(4) No effect on communications privacy law

Nothing in this section shall be construed to limit the application of the Electronic Communications Privacy Act of 1986 or any of the amendments made by such Act, or any similar State law.

(5) No effect on sex trafficking law

Nothing in this section (other than subsection (c)(2)(A)) shall be construed to impair or limit—

(A)any claim in a civil action brought under section 1595 of title 18, if the conduct underlying the claim constitutes a violation of section 1591 of that title.

(B)any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 1591 of title 18; or

(C)any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 2421A of title 18, and promotion or facilitation of prostitution is illegal in the jurisdiction where the defendant’s promotion or facilitation of prostitution was                           targeted.”

 

The sections of the law are directly copied from the Cornell Law School site that I cited above.

In the spirit of being great cybersecurity professionals, I would like to ask each of us to weigh in on this concern and issue in a nonpolitical manner and a judge free mentality (without attacks and offensive responses).

In your response, I ask that we all answer the following questions.

1. Is this a cybersecurity/privacy professional concern?
2. Is this an issue that we face in the world today?
3. Should private organizations have the responsibility or authority to control the messages that are being delivered to the world?
4. How do we, as a community of security and privacy professionals, come together and help to ensure the integrity of free information, while ensuring that everyone is safe and free of offensive material?

I would also ask that you tag your US Senator https://www.senate.gov/senators/index.htm and your US Congress member https://www.congress.gov/members?searchResultViewType=expanded

Lets become part of the SOLUTION and show our value!

Cyber Self-Defense has been receiving a large number of calls regarding the CMMC process for Government (especially DOD related contracts). Many of the questions involve the following:

• Do I need to get certified?
  • Starting in 2021 the DOD will phase in RFI’s that require companies to achieve a level of CMMC certification.
• How do I get certified?
  • Assessments will be performed by Licensed Certified Assessors who work for licenses CMMC Third Party Assessment Organizations (C3PAOs).  These C3PAOs will be listed on the CMMC AB website when available.
• How hard is it to build a program?
  • The CMMC is based on NIST 800-171, and most of the practices have been available for years.  Depending on level it could be fairly simple (level 1) or more complicated (level 3+).  “Hard” is dependent on current state.
• Who can get us certified?
  • A Licensed C3PAO will manage the entire process
• What is the cost?
  • It’s dependent on size and complexity.  A level 1 for a small company is estimated at 1 day, but size, number of networks, level of complexity, whether a company handles CUI, etc. all require more time to assess.

If you are doing government contracting, you likely have a ton of questions and need them answered. The reality is that there are still many unknowns. Cyber Self-Defense has done a considerable amount of research and we are following the CMMC process VERY closely, as we hope to be one of the first companies to become certified in this process.  It is something we highly support and believe in.  We have believed in such a process since well before CMMC was officially established!

Here are our interpretations, based on our research, of some key aspects of the CMMC process.

• Currently, there are NO COMPANIES OR AUDITORS who can certify you! We know that the CMMC board is working hard to get companies and auditors trained, but this is a time-consuming process and one that will not happen overnight.
  • We have received MANY claims from MANY companies saying that they can get you certified; this is FALSE! While we are working towards certification, we (nor anyone else!) can claim the ability to certify anyone.
  • There are Provisional Assessors; they have a defined scope and our understanding is that they will NOT be able to immediately conduct audits outside of their current scope. We have heard that this is still being negotiated, but currently, nobody and no person cam conduct these audits for anyone outside the current scope.
• The DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices.
• Initially, the CMMC pertains only to DoD contracts. We have heard rumors that many other government entities are looking to adopt this process.
• We KNOW that the CMMC WILL be based on 48 CFR 52.204-21, NIST SP 800-171 (the framework says revision one, we believe it will be version 2), and the Draft of NIST SP 800-171B (the framework says NIST SP 800-171B, we believe it will be version NIST SP 800-172).
  • This means that you CAN and SHOULD begin building your program. We recommend that you begin now; when we build programs for companies, it takes time. Training must be done, policies written, risk assessment completed, identity and access reviews completed, etc. There is a great deal of work that goes into this and waiting until the last minute will not be to your advantage.
  • Another point we would like to make is that these requirements are based on good business practices; we recommend these preparations to ensure the success of your business. What is being asked (at least in the first three stages) is the minimum that ANY company should achieve. Many have talked about the high cost of CMMC.  It’s really the potential for costs related to basic cyber security that are at issue.

If you or your executives would like a one-on-one presentation of what we KNOW or can reasonably assume, we would be happy to discuss this with you. This would not be a sales presentation and would be free, simply a way to help you started in the right direction.  Please send an E-Mail to in**@**************se.com

Most of us are sick of seeing ransomware in the news.  Ransomware continues to plague our world and cause major issues for companies of every size and shape and for companies in every industry.  Every time I read about or investigate these attacks, I ask “why?”! Why did the company not prepare themselves?

A Forbes article written by Bob Zukis in June of this year, points out that “Ransomware is a rapidly growing cyber threat, and attacks overall were up 25% in Q1.” https://www.forbes.com/sites/bobzukis/2020/06/18/ransomware-has-a-new-and-very-valuable-hostage-in-sight/#6a5c9461170f

Bob Zukis adds; “The average ransomware payment is up 33% from Q4 of 2019 to $111,605. But the real cost is the impact on business, such as lost revenue or employee productivity or the impact to public services. The average business downtime due to a ransomware attack is 15 days.”

This morning, I came across an article that discusses the Lazarus (Hidden Cobra, MATA, ZINC) ransomware that appears to have been written by the North Koreans.  While this ransomware is primarily being used in non-US countries, I believe that it is common sense that the virus will be seen in US Companies. Japanese CERT personnel have been able to analyze Lazarus and have identified some key features of the malware and the Command and Control communication between an infected system and the criminal Command and Control systems.  https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html

The article states,

“The communication is performed in the mostly same format as mentioned earlier. It is confirmed that the module offers multiple functions including the following: (See Appendix C for details.)

• Operation on files (create a list, delete, copy, modify time created)
• Operation on processes (create a list, execute, kill)
• Upload/download files
• Create and upload a ZIP file of arbitrary directory
• Execute arbitrary shell command
• Obtain disk information
• Modify system time”

The bottom line is that this ransomware can be used to do anything the criminals program it to do; including searching databases, network and local shares, and anything not properly locked down for information and then exfiltrate the information.  Since the malware can also delete files, all log files can be destroyed, and it could become extremely difficult to investigate.

This is a very timely article; last night I spoke to Jeff Longo from Fortinet and heard that Fortinet is hearing from many people; asking for assistance in preventing these attacks.  Jeff explained their sandboxing tools and several other tools to mitigate the risks.  In May of 2019, I wrote an article called, “Ransomware Attacks Are Out to Get You!!”  https://www.cyberselfdefense.com/ransomware-attacks-are-out-to-get-you/

You have the information you need to significantly reduce your risk; why would you risk falling victim?

Please reach out if you have questions, comments, or concerns.

Last week, I talked about risk management.  https://www.cyberselfdefense.com/covid-19-has-created-cybersecurity-issues-for-my-company-help/

This morning, Business Insider presented an article that was of immense value to most companies.  https://www.businessinsider.com/microsoft-poll-zero-trust-cybersecurity-pandemic-2020-8

During this pandemic, we are seeing more people online.  This presents some real concerns for IT and security staff in EVERY organization.  If it does not cause concerns, there is likely something wrong with the program.  The question, is how do I build a world class cybersecurity program, while keeping costs low?  The answer was discussed in the article I presented last week.  Any good cybersecurity or executive will tell you that risk management is critical to the success of the business.

In this article, Jeff Elder, presents the idea that all companies are talking about “Zero Trust”, a concept that alludes to the fact that nobody is trusted.  While I agree with the concept, I think that the technology is still just a concept.  The reality is that people MUST be trusted.  We can and should limit their access, we can and should force multifactor authentication, we can and should validate their security controls when accessing the network, and we should employ all of the other security tools, processes, training, controls, etc.  The reality though, is that for me to say that I do not trust a high-ranking person like a CEO and have tools to enforce this model/concept is not complete.  The first time I allow the CEO access to any system, application, document, etc., I am trusting him/her! I used to present the idea when publicly speaking that I can place a computer into a room with infinitely thick walls, ceilings, and floors, post armed security around it, ensure that the computer is not connected to ANY external source and has no wireless signals; as soon as a person enters the room (trusted or not) we have the potential for a security breach.

So, what does this all mean?  It means that we have to find a way in which we can balance the needs of the business through the enablement of the business, keep costs manageable, and build quality security.  The ONLY way this is possible is through a formal risk management process.

The Microsoft poll in this article presents the idea that “…while more than half of the business leaders (58%) reported budget increases for security and 65% for compliance, 81% also reported feeling pressure to lower overall security costs.”  I believe that these pressures come from security teams making educated guesses, following the advice of salespeople who sell “a magic button” that stops security breaches, and who fail to properly assess and manage risk.  If you are spending the right amount of money on your program, your risk assessment should help you to show your executives that your program is fine-tuned and operating efficiently.