Top Stories

HITRUST i1 Revisions & RDS Introduction
This week, we caught up on some recent HITRUST developments.
HITRUST's new Results Distribution System (RDS) lets assessed entities share their HITRUST assessment results securely and electronically with designated relying parties, who can view key aspects of the assessment through the RDS portal or pull them via an API into their own third-party risk management (TPRM) solution. This should greatly streamline sharing confidential assessment results with customers, prospects, and other interested parties.
The first revisions to HITRUST's i1 framework are on the horizon. HITRUST concluded that adding two new requirement statements to the i1 assessment would strengthen its coverage of MITRE ATT&CK Mitigations M1051 (Update Software) and M1017 (User Training). The two additional requirement statements will therefore be included in i1 assessments generated from the next release of the HITRUST CSF, expected later this year.
Lastly, some information on how HITRUST can be leveraged to meet the requirements of the upcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
Breaches
Conti ransomware hacking spree breaches over 40 orgs in a month
In a report shared with BleepingComputer, researchers at cybersecurity company Group-IB say that one of Conti’s “most productive campaigns” occurred last year, between November 17 and December 20, 2021...During the campaign, Conti affiliates managed to compromise more than 40 organizations in various sectors of activity operating across wide geography but with a focus on companies based in the U.S.
Security
As API Adoption in Healthcare Skyrockets, Cybersecurity Risks Follow
Researchers estimate that the lack of API security may cause $12 billion to $23 billion in average annual API-related cyber losses in the US, and anywhere from $41 billion to $75 billion globally.
CISA Clarifies Criteria for Adding Vulnerabilities to 'Must Patch' List
CISA has three main criteria for adding a vulnerability to the KEV catalog: it must have an assigned CVE identifier, there must be reliable evidence of exploitation in the wild, and there must be a clear remediation action available (a patch, workaround, or mitigation).
Select Hillrom Electrocardiograph Products Impacted by Medical Device Vulnerabilities
Two vulnerabilities in select Hillrom electrocardiograph products could allow unauthorized access and pose security risks, according to a Cybersecurity and Infrastructure Security Agency (CISA) ICS advisory.
Privacy
Garante orders stop on Google Analytics transfers
Italy's data protection authority, the Garante, joined DPAs in Austria and France in ruling against data transfers to the U.S. using Google Analytics.
Your health data might be for sale.
Health care providers are covered under HIPAA’s privacy rules. But companies outside the narrow scope of HIPAA, from data brokers to period tracking apps, can legally sell Americans’ health-related information, and they do, from a list of your surgical procedures to your mental health conditions.
Guess What? HIPAA Isn’t a Medical Privacy Law
The law, which was enacted in 1996, was largely concerned with issues like helping people maintain health insurance when they change jobs. It does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data. However, the same piece of information that’s protected at a doctor’s office can be totally unregulated in other settings.
This Children’s Hospital Network Was Giving Kids’ Information to Facebook
"With Meta’s tracker, however, we found the Nemours site sending Facebook visitors’ IP addresses, information about the specific doctor and specialty the patient was scheduling an appointment with, and in some cases the first and last name of the child the appointment was for."