At a glance.
- NCUA changes its cyberincident notification requirements.
- Digiheals aims to protect medical institutions from ransomware attacks.
NCUA changes its cyberincident notification requirements.
The US National Credit Union Association (NCUA) has announced an amendment to its Cyber Incident Notification Rule that states all federally insured credit unions must notify the NCUA of any cyberincident no more than seventy-two hours after detection. The amendment also applies to third-party incidents, and it comes into effect on September 1. The NCUA recommends that covered entities prepare for implementation by updating their response plans, reviewing contracts with critical service providers, and educating employees on the new response process. Organizations should also make plans to regularly monitor and review the new plan to ensure it’s effective, and closely document all cyberincidents to make sure all the necessary reporting info is readily at hand.
Tom Kellermann, SVP of cyber strategy at Contrast Security, wrote that deniability has now become implausible. “Plausible deniability is now dead. This has been a long time coming. The first 72 hours is of paramount importance to prevent lateral movement by cybercriminals and systemic fraud. I applaud the mention of third parties as many banks are hacked due to the compromise of shared service providers via island hopping.”
Digiheals aims to protect medical institutions from ransomware attacks.
In recent years, healthcare institutions have been increasingly targeted by ransomware attackers who hope that a hospital’s need to resume critical services will pressure administrators to meet ransom demands. To respond to these threats, the Advanced Research Projects Agency for Health (Arpa-H), a research agency recently established by the US Department of Health and Human Services, announced yesterday that it’s launching the Digital Health Security Project.
Called “Digiheals,” the new effort is focused on supporting cybersecurity tools that will help defend digital systems in the healthcare sector. The initiative calls on researchers and technologists to submit proposals for cybersecurity tech for healthcare systems, hospitals, clinics, and health-related devices. Digiheals program manager Andrew Carney told Wired, “We’re looking for rapid and stupendous progress. We want to ensure that the impact we have is significant but also equitably distributed. It doesn’t matter if we develop a perfect cure that makes a network completely impenetrable if a rural hospital can’t adopt it because of light IT staff or minimal or no security budget.”
Researchers will have until September 7 to submit their proposals, but Carney says that in the interest of considering all the possible options, they’re open to receiving submissions that don’t necessarily meet the deadline or might not seem to be an obvious fit at first glance. Arpa-H director Renee Wegrzyn stated, “Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative. The Digiheals project comes when the US health care system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives.”
(Added, 9:15 PM ET, August 21st, 2023.) Ted Miracco, CEO of Approov Mobile Security, wrote to express approval of the initiative's timing. “We believe the Digital Health Security project (Digiheals) is an important effort that is coming at the right time, with so many of our healthcare facilities under attack or in the crosshairs of bad actors,” he said. “Andrew Carney is absolutely correct in identifying the resource limitations and budgets as a prime factor to address, and we are optimistic that rapid improvements can be made by deploying both existing technologies more broadly, and sharing information rapidly when new threats emerge. Many of the recent attacks are not new, so a component of the solution must be better information sharing across the complex healthcare ecosystem.”