Monday, June 10, 2024

Small town hospitals, big time problems

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

With help from Maggie Miller

Driving the day

Cyberattacks have disrupted access to critical medical services at rural hospitals with particularly thin cyber budgets, prompting the White House to enlist Microsoft and Google to provide free and low-cost cybersecurity services to try to ease the problem.

HAPPY MONDAY and welcome to MORNING CYBERSECURITY! I recently switched to a “dumb” phone to simplify my life, and things have gotten pretty blissful. The only downside is the youth have finally figured out that I’m an adult now that I can’t keep up with what’s hip and happening on social media.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

 


 
 
At the White House

HOSPITAL SECURITY — The White House is enlisting tech giants Microsoft and Google to provide free and low-cost cybersecurity resources, services, and training at rural hospitals across America, according to deputy national security adviser for cyber and emerging tech Anne Neuberger.

In a call with reporters on Sunday, Neuberger explained that cyberattacks targeting the U.S. haven't just exposed Americans' sensitive personal data, but also cut access to critical medical services like stroke diagnosis and emergency surgeries.

“Disruptions have taken days, weeks or even months to resolve before the full access that was needed for healthcare services or payment systems were restored,” Neuberger said.

— The deals: The moves represent a concerted White House effort to lean on industry to fill cybersecurity gaps at cash-strapped remote healthcare providers.

Under today’s new public-private partnerships, which would support between 1,800 and 2,100 rural hospitals:

  • Microsoft will extend its program for nonprofits to provide grants and up to a 75 percent discount on security products for independent critical access and rural emergency hospitals. The security giant will also offer its advanced security suite at no cost for a year.
  • Google will provide endpoint security advice and funding to support software migration for rural hospitals and nonprofits at no cost. The company also plans to launch a pilot program tailored to the unique security needs of rural hospitals.

— Some big problems: Fending off future ransomware attacks hinges largely on cybersecurity funding from Congress, and a recent report from the influential Cyberspace Solarium Commission 2.0 explained that this is the thin line that will either make or break the healthcare sector's rural providers — an issue that Neuberger also noted.

Neuberger also pointed the finger squarely at Russia-based ransomware groups she says are being given a "permissive environment" to wreak havoc on medical facilities.


The International Scene

FIRST IN MC — The U.S. and Poland are today standing up a new messaging and coordination hub aimed at battering back Kremlin disinformation about the war in Ukraine.

The intergovernmental messaging hub — dubbed the “Ukraine Communications Group” — will be based in Warsaw and will bring together representatives from allied countries to synchronize their public communications, amplify Ukraine's messaging, call out Russian disinformation, and "support fact-based reporting" on Moscow's invasion, the State Department said.

— Who’s involved: Along with co-leads the United States and Poland, the UCG will launch with backing from Canada, Germany, Latvia, Slovenia, Finland and Ukraine. Invites are still pending and more countries are expected to join the fray.

— Disinfo crackdown: The announcement comes as the Biden administration continues attempting to wrestle control of the narratives around the conflict away from Moscow, which has deployed a heavy disinformation campaign at home and abroad to justify its unprovoked assault on Ukraine.

The move builds on the Biden administration’s January rollout of the "Framework to Counter Foreign State Information Manipulation" which serves as a blueprint for shoring up national policies, government structures, tech capacity, civil society ties and international collaboration against state-backed disinformation campaigns.

— Stay tuned: The State Department’s Global Engagement Center, the government’s top stopper of foreign state and non-state disinformation efforts, is behind the effort and special envoy James Rubin is in Poland today to share more details.

On the Hill

CYBER AMENDMENTS FLOOD NDAA — Amendments are pouring in for the House version of the 2025 National Defense Authorization Act prior to its final passage in that chamber — and lawmakers have some ideas for improving federal cyber policy, as Maggie writes in.

— FISMA refresh: Among the more than 1,300 amendments submitted by House members for potential inclusion in the 2025 NDAA — which is slated for a House vote sometime this week — is one from the bipartisan leaders of the House Oversight and Accountability Committee that would update the Federal Information Security Modernization Act, or FISMA.

This effort has been ongoing for most of the past decade, and this bill has been kicked around on Capitol Hill for the past year, looking for a pathway to passage.

Another measure, put forward by House Homeland Security Chair Mark Green (R-Tenn.), would require the Pentagon to study establishing a cyber unit within every state’s national guard.

— Threats to life: In the wake of the massive Change Healthcare breach, Rep. Vern Buchanan (R-Fla.) introduced an amendment requiring the Pentagon to examine the incident's impact on military hospitals and service records. A separate measure from Reps. Adriano Espaillat (D-N.Y.), Sean Casten (D-Ill.) and Dina Titus (D-Nev.) would require all Veterans Affairs hospitals to adopt cyber threat detection tools on their networks.

— There’s more: Republicans put forward several standalone cyber measures:

  • Rep. Tony Gonzales (R-Texas) proposed an amendment to establish a National Digital Reserve Corps at the General Services Administration, a group that would be used to help federal agencies address cybersecurity concerns.
  • Rep. Nick LaLota (R-N.Y.) introduced an amendment requiring the Pentagon to establish a multilateral artificial intelligence working group to coordinate AI initiatives with allied nations. 
  • Rep. Byron Donalds (R-Fla.) introduced a measure to require a study of whether advanced nuclear reactors would enhance the Pentagon’s cybersecurity. 

— Democratic priorities: Rep. Chrissy Houlahan (D-Pa.) offered an amendment to study a federally-funded cyber university, and another allowing CISA to establish a cyber apprenticeship program for veterans.

— Tracking terror tactics: Reps. Debbie Wasserman Schultz (D-Fla.) and Brian Fitzpatrick (R-Pa.) introduced a measure requiring threat assessments on how designated terrorists and other foreign actors leverage cyber harassment.

— Realistic outlook: Whether any or all of these amendments will be included in the House version of the 2025 NDAA prior to its passage on the floor is not clear, though typically cyber-related amendments have an easier path to passage due to the relative bipartisanship of the issue.

PARIS PLANS — Senate Intelligence Chair Mark Warner (D-Va.) is worried about reported cyber and disinformation threats to the upcoming Summer Olympics in Paris — and he’s asked the Biden administration for a briefing.

“They are scheduled, they have not taken place yet,” Warner told Maggie. When asked which agencies were involved, Warner said he had asked the Department of Homeland Security, but beyond that declined to give details. Spokespersons for both DHS and CISA did not respond to requests for comment on the upcoming briefing.

Industry Intel

QUESTIONS, CONCERNS — A coalition of tech advocacy groups, under the leadership of United for Privacy, sent a letter Monday to the leaders of the House Energy and Commerce Committee, raising serious concerns with the proposed American Privacy Rights Act.

The letter, signed by more than 20 organizations — including the U.S. Chamber of Commerce, TechNet, NetChoice, Business Roundtable and the Consumer Technology Association — details the groups’ concerns that the bill would fall short of its goal to create a federal privacy standard due to the lack of a clause to preempt state measures.

“Without full preemption of state laws, APRA will add to the privacy patchwork, create confusion for consumers, and hinder economic growth,” the letter reads, while also emphasizing that the organizations support the idea of federal privacy law.

Multiple groups that signed the letter represent companies including Meta, Amazon, Microsoft and Google, among other tech and social media giants.

— Background on the bill: The American Privacy Rights Act is set to be marked up by the House committee in the coming weeks, and would set standards for data security along with requiring companies to be more transparent with how consumer data is used, among many other policies. A federal privacy law has gotten close to passage several times in the past decade, but did not make it over the finish line, resulting in more than a dozen states signing into law their own privacy legislation.

MICROSOFT HEARD YOU LOUD AND CLEAR — Microsoft is addressing privacy and security concerns around the new Recall feature for its upcoming Copilot+ PCs ahead of their June 18 launch. Sort of.

Recall allows users to visually retrace their PC activities by capturing periodic encrypted snapshots of their screen. But there has been serious pushback over potential surveillance risks, including Sen. Ron Wyden (D-Ore.) telling MC that Microsoft was essentially “incorporating spyware into Windows.”

In a blog post ahead of the weekend, Pavan Davuluri, Microsoft's corporate vice president for Windows and devices, announced several changes to increase user control and data protection for Recall:

  • Recall will be opt-in and disabled by default during Copilot+ PC setup
  • Windows Hello enrollment and authentication will be required to enable and access Recall
  • Snapshots will use "just in time" decryption tied to Windows Hello sign-in
  • The snapshot search index database will be encrypted

— How we see it: The new messaging aims to reassure customers that Microsoft is prioritizing "privacy, safety and security first" with this AI-powered virtual memory aid. But doubts still linger over the wisdom of routine visual recording, even if well-intentioned. We also think it would be fair to note that the timing is conspicuous — just days ahead of Microsoft President Brad Smith’s hearing in front of the House Homeland Security committee on Thursday.

Tweet of the Weekend

Nothing like having trust issues pre-relationship.

Source: https://x.com/malwrhunterteam/status/1799334671630930180

Quick Bytes

LONDON HOSPITALS REELING — After a cyberattack that crippled pathology services, hospitals in England have issued an urgent plea for medical students to volunteer in helping the hospitals function. Those tasks include hand-delivering blood tests, reports the BBC’s Sharon Barbour and Jess Warren.

HOLE IN THE MARKET — A group of researchers showed how insecure the VS Code marketplace is by adding hidden malicious code to a popular theme, infecting over 100 organizations, writes Bill Toulas for BleepingComputer.

ICYMI — Alaska's isolation makes it vulnerable to cyberattacks that could disrupt essential services. CISA deputy director Nitin Natarajan sat down with Alaska Public Media’s Casey Grove to discuss what the state’s remoteness means for its infrastructure security during his recent visit to Anchorage.

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).

 


 
 
 
