Drex dives into the critical feedback surrounding CISA's proposed Cyber Incident Reporting rule, addressing concerns from healthcare organizations about reporting strains and exemptions. He also covers the recent challenges faced by Snowflake due to clients leaving off multi-factor authentication and highlights the cybersecurity risks associated with the ubiquitous QR code.
Remember, stay a little paranoid.
Subscribe: https://www.thisweekhealth.com/subscribe/
LinkedIn: https://www.linkedin.com/company/ThisWeekHealth
Twitter: https://twitter.com/thisweekhealth
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer - https://www.alexslemonade.org/mypage/3173454
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Hey everyone, I'm Drex, and this is the Two Minute Drill, where I do three stories, two times a week, all part of one great community, the 229 Cyber and Risk Community here at This Week Health. Today's drill is brought to you by Fortified Health Security. No matter where you are in your cybersecurity journey, Fortified can help you improve your security posture through threat defense services or advisory solutions.
Delivered through Central Command, a first-of-its-kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program. Learn more at FortifiedHealthSecurity.com. Thanks for being with me today. Here's some stuff you might want to know about. There's been a lot of public feedback to CISA, the Cybersecurity and Infrastructure Security Agency.
Why, it's still too... why's "security" twice in the name? I... it's... don't, don't worry about it, just keep going. On their proposed rule aimed at implementing the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, and a lot of that feedback has been critical of the rule as written. As you'd expect, there are concerns about the strains of additional reporting and the distraction of the short reporting timeline, and how that might create problems for teams who are trying to recover from cyber incidents.
There are also calls for harmonizing other reporting requirements and reducing redundant reporting. But the biggest issue seems to be over what type of healthcare organizations will be covered or not under the new rules. Smaller organizations continue to declare that they want to be exempted, and it turns out CISA did not include health insurers or clearinghouses, health IT vendors, or other third parties as being covered by the rules.
...ttacks across the industry in: ...whether you know it or not. And I'm not really sure that anyone or anything touching healthcare should be exempted. If we're going to do this, consider starting with a low bar and raise it over time. But put everybody on the radar. It's security 101: if you can't see it, you can't protect it. Or in this case, maybe be protected from it.
One of the stories I've been watching over the past few months is the ongoing challenges at Snowflake. Your org might use their business intelligence or analytics products, or those products might be integrated into some other products that you use. Over the past few months, there's been a wave of attacks that have exposed data from more than a hundred of their customers, because the customers had not turned on multi-factor authentication, or MFA, for their users. Well, now Snowflake has changed their policy and they will turn on MFA by default. Customers will now have to turn MFA off if that's how they want to operate. A months-long investigation by third-party cyber companies reported that the data exposure had nothing to do with a breach of Snowflake or Snowflake's platform itself.
The takeaway here is that even when you use third-party software or cloud services, the services themselves may be secure, but if you use or configure the service improperly, your data can still be at risk. I know you know this, but it's worth saying over and over and over again, especially after the Snowflake event.
...ck of Juicy Fruit gum back in: ...So watch yourself. Oh, and by the way, I just got my notice of data breach from Ticketmaster. So more free credit monitoring for me. What's that? Oh, oh, it's my Fred Hutch notification of data breach. So yeah, more free credit monitoring for me. Thanks again to our Two Minute Drill sponsor, healthcare's cyber partner, Fortified Health Security.
With a 98 percent client retention rate and three consecutive best-in-class awards, Fortified's exclusive focus on healthcare cybersecurity makes them the go-to partner for healthcare organizations wanting to strengthen their security posture. Find out more at fortifiedhealthsecurity.com. That's it for today's Two Minute Drill.
Thanks for being here. Stay a little paranoid. I'll see you around campus.