
The Healthcare and Public Health Sector Highlights

Cybersecurity Edition

December 20, 2024

The Healthcare and Public Health (HPH) Sector Highlights - Cybersecurity Edition is a weekly newsletter produced by the Office of Cybersecurity and Infrastructure Protection (OCIP) within the U.S. Department of Health and Human Services' (HHS) Administration for Strategic Preparedness and Response (ASPR).

CISA Requests Public Comment for Draft National Cyber Incident Response Plan Update

Source: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Office of the National Cyber Director (ONCD), has released the National Cyber Incident Response Plan Update Public Comment Draft. The draft, open for public comment until January 15, 2025, aims to strengthen the national approach to cyber incident detection and response. Building on feedback since the original 2016 publication, the update incorporates lessons from past incidents and highlights the roles of the private sector, state, local, tribal, and territorial governments, as well as federal agencies in responding to cyber threats. CISA encourages stakeholders from all sectors to contribute their insights via the Federal Register. For additional information, refer to the National Cyber Incident Response Plan Update Public Comment Draft.

FBI Releases Private Industry Notification (PIN): HiatusRAT Actors Targeting Web Cameras and DVR

Source: FBI

The Federal Bureau of Investigation (FBI) has issued a PIN warning about a resurgence of the HiatusRAT malware, which has been scanning for vulnerabilities in Chinese-branded web cameras and DVRs since March 2024. This Remote Access Trojan enables cyber actors to remotely control affected devices, targeting models from Xiongmai and Hikvision, among others. The actors gain access through weak passwords and known, unpatched security flaws (CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, etc.) on devices that expose telnet access.

To mitigate these threats, the FBI advises companies to limit or isolate affected devices, apply security patches, enforce strong password policies, and utilize multi-factor authentication. Regular monitoring and auditing of network activity are also crucial, as is the removal of unsupported devices from networks. For further guidance on security practices, visit the FBI's full document.
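The FBI's advice above amounts to two questions a network owner can answer from their own flow or firewall logs: which camera or DVR devices are still reachable over telnet, and which of them are talking to hosts they have no business reaching. The following Python script is an added example, not code from the FBI notification; the VLAN ranges, the NVR address and the flow records are all constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumed network layout for this example (not from the FBI notification):
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")   # camera / DVR VLAN
MGMT_NET = ipaddress.ip_network("10.0.1.0/24")      # administrator jump hosts
NVR = ipaddress.ip_address("10.20.0.250")           # the only host cameras should reach
TELNET_PORT = 23

# Constructed flow records (src_ip, dst_ip, dst_port); sample data, not real traffic.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.1.15",  "10.20.0.31",   23),   # admin telnet from the management VLAN
    ("192.0.2.44", "10.20.0.31",   23),   # telnet to a camera from outside the site
    ("10.20.0.31", "10.20.0.250", 554),   # camera streaming RTSP to the NVR
    ("10.20.0.31", "198.51.100.9", 443),  # camera calling out to an unknown host
    ("10.20.0.32", "10.20.0.250", 554),   # another camera behaving normally
]


def review_flows(flows: Iterable[Tuple[str, str, int]]) -> List[Dict]:
    """Return findings for telnet access to the camera VLAN and unexpected egress from it."""
    findings: List[Dict] = []
    for src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Any telnet session to a camera/DVR is worth knowing about, since the FBI note
        # ties HiatusRAT activity to devices reachable over telnet. Sessions from outside
        # the management VLAN are rated high; administrator sessions are rated medium
        # as a reminder that the service should be disabled or isolated anyway.
        if dst_ip in CAMERA_NET and dport == TELNET_PORT:
            findings.append({
                "type": "telnet_to_camera",
                "severity": "medium" if src_ip in MGMT_NET else "high",
                "src": src, "dst": dst,
            })
        # Cameras only need to talk to the NVR; any other destination is a candidate
        # for command-and-control traffic or outbound scanning by a compromised device.
        if src_ip in CAMERA_NET and dst_ip != NVR:
            findings.append({
                "type": "unexpected_egress", "severity": "high",
                "src": src, "dst": dst, "dport": dport,
            })
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

On the constructed flows the script reports both telnet sessions (one medium, one high) and the camera's outbound connection to the unknown host, while the RTSP traffic to the NVR passes silently. A real deployment would feed it exported firewall or NetFlow records and would extend the allow-list with whatever NTP or update servers the devices legitimately use.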

CISA Publishes BOD 25-01: Implementing Secure Practices for Cloud Services

Source: CISA

CISA has issued Binding Operational Directive (BOD) 25-01, which mandates that federal agencies implement secure practices for cloud services. This directive requires agencies to adopt the Secure Cloud Business Applications (SCuBA) Secure Configuration Baselines for cloud services, such as Microsoft Office 365, and deploy automated tools to assess compliance. These measures aim to reduce risks associated with cloud security vulnerabilities and strengthen the resilience of federal systems against cyber threats. Agencies must identify and report all relevant cloud tenants by February 2025 and update this inventory annually. By April 2025, agencies are required to deploy SCuBA assessment tools and begin continuous reporting, either through integration with CISA's monitoring infrastructure or via manual quarterly reports. Additionally, mandatory SCuBA policies must be implemented by June 2025, and continuous monitoring must be established before granting Authorization to Operate for new cloud systems. CISA will provide ongoing support, including updates on mandatory policies, troubleshooting assistance, and reporting instructions. For further guidance, agencies should refer to CISA's BOD 25-01.

HHS HC3 Analyst Note: Credential Harvesting

Source: HHS HC3

The U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) released an analyst note on credential harvesting, highlighting the growing threat of cyberattackers targeting various sectors, including the health industry. Credential harvesting is a technique in which attackers collect sensitive login data, such as usernames and passwords, to gain unauthorized access to systems or accounts. This can result in data theft, fraud, disruption of critical systems, or the initiation of more severe cyberattacks. Common methods used by attackers include phishing, keylogging, man-in-the-middle attacks, credential stuffing, and social engineering.

To mitigate the risks associated with credential harvesting, HC3 outlines several defense strategies. Organizations should educate employees on the importance of strong passwords, avoiding password reuse, and recognizing phishing or social engineering attacks. Implementing multi-factor authentication provides an additional layer of security by requiring multiple forms of verification. Additionally, deploying email filters and endpoint security solutions can help block phishing attempts and malware, while continuous system monitoring can help detect credential harvesting attacks in real-time. Regularly updating software through vulnerability and patch management is also crucial to prevent exploitation of known vulnerabilities. Lastly, organizations should have a comprehensive incident response plan in place to quickly address any credential harvesting incidents and minimize their impact. For more information and detailed recommendations, refer to HHS HC3's Credential Harvesting Analyst Note.
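The "continuous system monitoring" that HC3 recommends is concrete enough to sketch. Credential stuffing and password spraying leave a recognisable shape in authentication logs: one source address failing against many different accounts, or many failures piling up on one account, and, most importantly, a success that follows a run of failures from the same source. The Python script below is an added example rather than anything from the HC3 note; the log line format, the thresholds and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample authentication events (sample data, not from the HC3 note).
# Line format assumed here: "<timestamp> auth result=<OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG: List[str] = []
# one source trying a password against many accounts, then getting into one of them
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
    SAMPLE_LOG.append(f"2024-12-18T09:00:{i:02d}Z auth result=FAIL user={user} src=203.0.113.10")
SAMPLE_LOG.append("2024-12-18T09:00:06Z auth result=OK user=frank src=203.0.113.10")
# one source hammering a single privileged account
for i in range(12):
    SAMPLE_LOG.append(f"2024-12-18T09:01:{i:02d}Z auth result=FAIL user=admin src=198.51.100.7")
# an ordinary successful login with no failures before it
SAMPLE_LOG.append("2024-12-18T09:02:00Z auth result=OK user=alice src=192.0.2.5")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line; return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_attacks(lines: Iterable[str], spray_users: int = 5,
                              brute_fails: int = 10, compromise_fails: int = 3) -> List[Dict]:
    """Flag three credential-harvesting patterns in an authentication log:
    spraying/stuffing (one source, many accounts), brute force (many failures on
    one account) and a success that follows repeated failures from the same source."""
    fails_by_src: Dict[str, int] = defaultdict(int)
    users_by_src: Dict[str, set] = defaultdict(set)
    fails_by_user: Dict[str, int] = defaultdict(int)
    findings: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the whole run
        if rec["result"] == "FAIL":
            fails_by_src[rec["src"]] += 1
            users_by_src[rec["src"]].add(rec["user"])
            fails_by_user[rec["user"]] += 1
        elif fails_by_src[rec["src"]] >= compromise_fails:
            # A success after a string of failures from the same source is the event
            # that matters most: the account may now be in the attacker's hands.
            findings.append({"type": "success_after_failures", "src": rec["src"],
                             "user": rec["user"], "prior_failures": fails_by_src[rec["src"]],
                             "ts": rec["ts"]})
    for src, users in users_by_src.items():
        if len(users) >= spray_users:
            findings.append({"type": "spray_or_stuffing", "src": src,
                             "distinct_users": len(users), "failures": fails_by_src[src]})
    for user, n in fails_by_user.items():
        if n >= brute_fails:
            findings.append({"type": "brute_force", "user": user, "failures": n})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(SAMPLE_LOG):
        print(finding)
```

Run against the constructed events, the script raises the successful login for "frank" after six failures from the same source, the spraying pattern from 203.0.113.10 across six accounts, and the twelve-attempt brute force against "admin"; the normal login from 192.0.2.5 produces nothing. The thresholds are starting points: on a real identity provider they should be tuned to the observed failure rate, and the "success after failures" finding is the one that should page someone, since it is the point at which MFA, forced password reset and session revocation still limit the damage.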

CISA Issues ICS Advisory Regarding BD Diagnostic Solutions Products Related to Use of Default Credentials

Source: CISA

CISA has released an industrial control system (ICS) medical advisory on Becton, Dickinson and Company (BD) Diagnostic Solutions products, highlighting a critical vulnerability related to the use of default credentials in several systems. This vulnerability, assigned a CVSS v3.1 score of 8.0, could allow attackers to gain unauthorized access to sensitive data, such as Protected Health Information and Personally Identifiable Information, and potentially disrupt system availability or cause a shutdown. Affected products include the BD BACTEC Blood Culture System, BD COR System, BD EpiCenter Microbiology Data Management System, BD MAX System, BD Phoenix M50 Automated Microbiology System, and BD Synapsys Informatics Solution (only when installed on a NUC server). BD is actively addressing the issue by working with affected users to update default credentials and strengthen security measures. Users are advised to limit access to these devices, monitor network traffic for suspicious activity, isolate devices behind firewalls, and disconnect them from the network when not in use. CISA recommends employing secure remote access methods, such as virtual private networks, and implementing comprehensive cybersecurity best practices. No public exploitation of this vulnerability has been reported, and it is not remotely exploitable. For additional information, reference the ICS Medical Advisory.

White House Press Release: ONCD and CISA Publish Guide to Strengthen Cybersecurity of Grant-Funded Infrastructure Projects

Source: White House

The White House has published a press release from ONCD and CISA, announcing the release of a new guide designed to help federal grant programs incorporate cybersecurity into infrastructure projects. Titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, the guide offers tools and resources to help grant recipients build cyber resilience into their projects. It includes recommended actions for embedding cybersecurity throughout the grant lifecycle, model language for grant managers to use in Notices of Funding Opportunity and Terms & Conditions, templates for Cyber Risk Assessments and Cybersecurity Plans, and a comprehensive list of available cybersecurity resources. Developed to minimize the burden on the federal grant process, the guide provides flexible guidance to ensure recipients can effectively integrate cybersecurity best practices into their projects. ONCD and CISA aim to ensure that the next generation of infrastructure is both “shovel ready and cyber ready,” enhancing national security and resilience. For additional details, refer to the White House Press Release.

CISA Confirms Exploitation of Critical Cleo Bug in Ransomware Attacks

Source: BleepingComputer.com

CISA has confirmed that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software (CVE-2024-50623) is being actively exploited in ransomware campaigns. The flaw, which affects all versions prior to 5.8.0.21, allows unauthenticated attackers to execute remote code on vulnerable servers. Cleo released patches in October, urging customers to update their software to mitigate risks. Despite Cleo not disclosing specific incidents, CISA added the vulnerability to its catalog of known exploited vulnerabilities, requiring U.S. federal agencies to secure their networks by January 3. The attacks share similarities with previous data theft campaigns and may involve the Termite ransomware operation.

Additionally, Huntress researchers found that even patched servers were being compromised, likely using a bypass method to execute commands via default Autorun folder settings. Cleo has issued another patch for this actively exploited zero-day bug and recommends upgrading to version 5.8.0.24. Admins unable to upgrade are advised to disable the Autorun feature to reduce exposure. For more details on the vulnerability, refer to CISA's Vulnerability Record Information.

HPH Sector Ransomware Resource Library


The HPH Sector Highlights - Cybersecurity Edition features this continually growing HPH Ransomware Resource Library in every weekly bulletin. The library has a variety of resources that you can use to keep your healthcare facility protected from ransomware attacks.

Latest CISA Vulnerability Summary

The latest CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the NIST National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Happy Holidays! The next HPH Sector Highlights - Cybersecurity Edition newsletter will be published on January 10, 2025. We'll see you in the new year!

Comments and Questions

If you have comments or questions, send an email to hhscyber@hhs.gov. The OCIP team will work to answer your inquiries or connect you to the proper entity.

Traffic Light Protocol (TLP) Designation: CLEAR


TLP: CLEAR information may be distributed without restriction.


Disclaimer: ASPR provides the above sources of information for the convenience of the HPH Sector community and is not responsible for the availability or content of the information or tools provided, nor does ASPR endorse, warrant or guarantee the products, services or information described or offered. It is the responsibility of the user to determine the usefulness and applicability of the information provided.

U.S. Department of Health & Human Services, Administration for Strategic Preparedness and Response
400 7th Street, SW
Washington, DC 20024