Global Edition
Privacy & Security

Senate mandates cyberattack reporting to CISA

Meanwhile, the Cybersecurity and Infrastructure Security Agency flagged a pair of device vulnerabilities and a "highly sophisticated" attack affected the records of 213K individuals.
By Kat Jercich
March 09, 2022
09:31 AM

Senate Majority Leader Chuck Schumer, D-N.Y.

Photo: Imagennwo/Flickr, licensed under CC BY-ND 2.0.

The U.S. Senate this past week passed legislation that would mandate reports of cyberattacks on critical infrastructure and federal civilian agencies.  

Sponsored by Sen. Gary Peters, D-Mich., the Strengthening American Cybersecurity Act combines language from three separate bills.  

It would require critical infrastructure entities to report substantial cyber incidents – defined as those leading to a disruption of business operations and a loss of confidentiality – to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments within 24 hours.  

Critical infrastructure sectors include healthcare and public health, along with information technology, emergency services and critical manufacturing.  

In addition, the bill would aim to modernize the government's cybersecurity posture and authorize the Federal Risk and Authorization Management Program to ensure federal agencies can adopt cloud-based technologies with the goal of improving government operations and efficiency.

The legislation will now move to the U.S. House of Representatives.  

"Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks," Peters said in a statement. 

"I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can [safely] and securely utilize cloud-based technology to save taxpayer dollars," he added.  

CISA flags device vulnerability  

CISA published a pair of advisories this past week regarding medical devices manufactured by Becton, Dickinson (BD).

The first device, the BD Viper LT, is vulnerable due to the use of hard-coded credentials, which could allow a threat actor to access, modify or delete sensitive health information.   

"BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness," said CISA in the advisory. "The fix is expected in an upcoming BD Viper LT system Version 4.80 software release."  

The Viper LT is a molecular STI testing system for use at low- and mid-volume laboratories.  

The second device, the BD Pyxis, a connected medication dispensing tool, has a similar issue with hard-coded credentials.  

"Successful exploitation of this vulnerability could allow an attacker to gain access to electronic protected health information or other sensitive information," said CISA in the advisory.   

BD, which voluntarily reported both vulnerabilities to CISA, is in the process of strengthening credential management capabilities and recommends several compensating controls for users.   

Montana health system hack affects 213K  

Logan Health Medical Center in Kalispell, Montana, recently notified patients that it had fallen victim to a "highly sophisticated" attack on its IT systems.  

According to a notice posted to the Montana attorney general's website, on Nov. 22, 2021, the organization discovered suspicious activity, including evidence of unauthorized access to one file server that includes shared folders for business operations.   

An investigation determined that there was unauthorized access to certain files that contained protected health information related to patients.  

Data may have involved individuals' names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, diagnosis and treatment codes, dates of service, treating or referring physicians, medical bill account numbers or health insurance information.  

"There was no unauthorized access to our electronic medical records," said the notice, signed by Logan Health's President and CEO Dr. Craig Lambrecht.

The breach affected 213,543 individuals, as reported to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal.  

"Cyber criminal activity has increased significantly over the past 18 months," said Lambrecht in the notice. "We are committed to protecting the privacy of our patients and continue to take steps to combat these malicious threats."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Compliance & Legal, Government & Policy, Privacy & Security, Quality and Safety

More regional news

Clinician in scrubs at a hospital computer

CommonSpirit partners up with U of U for clinical collaboration

By
Andrea Fox
November 22, 2024
Stethoscope on an iPad

HIMSSCast: Care provider or tool? When and why patients like AI

By
Andrea Fox
November 22, 2024

EHR tips on migrating an all-digital hospital to Epic

By
Bill Siwicki
November 22, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Most Read

Meridian, Mae partner to boost maternal outcomes, lower disparities
What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
The future of interoperability: shaped by patient experience priorities and the needs of AI
India to harness ABDM data to develop public AI

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive

More Stories

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards