Senate mandates cyberattack reporting to CISA

Meanwhile, the Cybersecurity and Infrastructure Security Agency flagged a pair of device vulnerabilities, and a "highly sophisticated" attack affected the records of 213K individuals.
By Kat Jercich
09:31 AM

Senate Majority Leader Chuck Schumer, D-N.Y.

Photo: Imagennwo/Flickr, licensed under CC BY-ND 2.0.

The U.S. Senate this past week passed legislation that would mandate reports of cyberattacks on critical infrastructure and federal civilian agencies.  

Sponsored by Sen. Gary Peters, D-Mich., the Strengthening American Cybersecurity Act combines language from three separate bills.  

It would require critical infrastructure entities to report substantial cyber incidents – defined as those leading to a disruption of business operations and a loss of confidentiality – to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments within 24 hours.  

Critical infrastructure sectors include healthcare and public health, along with information technology, emergency services and critical manufacturing.  

In addition, the bill would aim to modernize the government's cybersecurity posture and authorize the Federal Risk and Authorization Management Program to ensure federal agencies can adopt cloud-based technologies with the goal of improving government operations and efficiency.

The legislation will now move to the U.S. House of Representatives.  

"Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks," Peters said in a statement. 

"I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can [safely] and securely utilize cloud-based technology to save taxpayer dollars," he added.  

CISA flags device vulnerabilities  

CISA published a pair of advisories this past week regarding medical devices manufactured by Becton, Dickinson (BD).

The first device, the BD Viper LT, is vulnerable due to the use of hard-coded credentials, which could allow a threat actor to access, modify or delete sensitive health information.   

"BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness," said CISA in the advisory. "The fix is expected in an upcoming BD Viper LT system Version 4.80 software release."  

The Viper LT is a molecular STI testing system for use at low- and mid-volume laboratories.  

The second device, the BD Pyxis, a connected medication dispensing tool, has a similar issue with hard-coded credentials.  

"Successful exploitation of this vulnerability could allow an attacker to gain access to electronic protected health information or other sensitive information," said CISA in the advisory.   

BD, which voluntarily reported both vulnerabilities to CISA, is in the process of strengthening credential management capabilities and recommends several compensating controls for users.   
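The following is an added, generic illustration of the vulnerability class behind both advisories (a credential baked into the product and shared by every unit) next to one common remediation pattern (a per-device secret provisioned at install time, stored only as a salted hash, and rotatable). It is not BD's code and makes no claim about how either device actually authenticates; the service name, file layout and sample password are constructed for the example.

```python
"""Hard-coded credentials (CWE-798) versus per-device provisioned credentials.

Constructed teaching example; not code from BD, CISA or any real device.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# --- Vulnerable pattern ------------------------------------------------------
# One password compiled into the application and identical on every unit shipped.
# Anyone who recovers the constant (from firmware, documentation, or one device)
# can authenticate to every device of that model.
SERVICE_PASSWORD = "changeme123"  # constructed sample value, not a real default


def vulnerable_login(password: str) -> bool:
    """Accepts the single shared secret; cannot be changed or revoked per device."""
    return password == SERVICE_PASSWORD


# --- Remediated pattern ------------------------------------------------------
class CredentialStore:
    """Per-device service credential: unique, hashed at rest, rotatable.

    `path` is a hypothetical on-device file holding 16 bytes of salt followed by
    a PBKDF2-HMAC-SHA256 digest of the current password.
    """

    SALT_LEN = 16
    ITERATIONS = 200_000

    def __init__(self, path):
        self.path = Path(path)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS
        )

    def provision(self) -> str:
        """Generate a fresh random secret for this unit and store only its hash.

        The plaintext is returned once so it can be handed to the installer;
        it is never written to disk.
        """
        password = secrets.token_urlsafe(24)
        salt = os.urandom(self.SALT_LEN)
        self.path.write_bytes(salt + self._digest(password, salt))
        return password

    def rotate(self) -> str:
        """Replace the current secret; the old one stops working immediately."""
        return self.provision()

    def verify(self, password: str) -> bool:
        """Constant-time check against the stored hash.

        An unprovisioned device refuses every login rather than falling back
        to a built-in default, which is the failure mode CWE-798 describes.
        """
        if not self.path.exists():
            return False
        data = self.path.read_bytes()
        salt, stored = data[: self.SALT_LEN], data[self.SALT_LEN :]
        return hmac.compare_digest(self._digest(password, salt), stored)


def demo() -> dict:
    """Exercise both patterns in a temporary directory and report the outcomes."""
    workdir = tempfile.mkdtemp()
    store = CredentialStore(os.path.join(workdir, "service_credential.bin"))
    results = {
        "shared_default_accepted": vulnerable_login("changeme123"),
        "unprovisioned_rejects_all": not store.verify("changeme123"),
    }
    first = store.provision()
    results["provisioned_secret_accepted"] = store.verify(first)
    results["shared_default_rejected"] = not store.verify("changeme123")
    second = store.rotate()
    results["old_secret_rejected_after_rotation"] = not store.verify(first)
    results["new_secret_accepted_after_rotation"] = store.verify(second)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of the contrast is operational, not cryptographic: a credential that is unique per unit and stored only as a hash can be rotated when an advisory like this one lands, whereas a hard-coded one cannot be changed without a software release, which is why the advisory above pairs the pending fix with compensating controls in the meantime.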

Montana health system hack affects 213K  

Logan Health Medical Center in Kalispell, Montana, recently notified patients that it had fallen victim to a "highly sophisticated" attack on its IT systems.  

According to a notice posted to the Montana attorney general's website, on Nov. 22, 2021, the organization discovered suspicious activity, including evidence of unauthorized access to one file server that includes shared folders for business operations.   

An investigation determined that there was unauthorized access to certain files that contained protected health information related to patients.  

Data may have involved individuals' names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, diagnosis and treatment codes, dates of service, treating or referring physicians, medical bill account numbers or health insurance information.  

"There was no unauthorized access to our electronic medical records," said the notice, signed by Logan Health's President and CEO Dr. Craig Lambrecht.

The breach affected 213,543 individuals, as reported to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal.  

"Cyber criminal activity has increased significantly over the past 18 months," said Lambrecht in the notice. "We are committed to protecting the privacy of our patients and continue to take steps to combat these malicious threats."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
