This week's cybersecurity roundup covers three healthcare security developments. Microsoft patched an actively exploited SharePoint Server zero-day vulnerability (CVE-2024-38023) that allows an authenticated attacker with Site Owner permissions to execute remote code on the underlying server and pivot through the network. Two dermatology practice breaches, Mount Laurel Dermatology and Anne Arundel Dermatology, exposed more than 1.9 million patient records through third-party vendor compromises, highlighting the business associate risk that comes with every vendor relationship. Plus, cybersecurity expert Paul Conley challenges the healthcare industry's reliance on annual training and phishing simulations, advocating for personalized, continuous human risk management that builds actual cyber culture rather than just checking compliance boxes.
Remember, Stay a Little Paranoid
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Hey everyone. I'm Drex and this is the Two Minute Drill, where I cover three hot security stories twice a week, all part of the 229 Project cyber and risk community here at This Week Health. Sign up and I'll keep you posted on all the latest webinars and podcasts and all the other inside info, including upcoming in-person events like 229 Project City Tour dinners and summits, and there is something new coming this fall.
I can't wait to tell you about it. It's easy to stay informed. You go to thisweekhealth.com/subscribe and sign up for all the latest, including, of course, the security and risk updates. Great to see everyone today. Here's some stuff you might wanna know about. Okay, here's a big one from the weekend.
You probably know about this. I hope you already know about it. Microsoft just patched a zero-day vulnerability in SharePoint Server that's already being actively exploited. It's listed as CVE-2024-38023, and the scary part is this: it allows an attacker with basic owner permissions to execute remote code on the underlying Windows server. In non-tech speak, mostly plain English,
that means that a not-so-trusted insider or a compromised user account could be used to take over the SharePoint box and, from there, pivot into the broader network and do a whole bunch of nasty stuff. So if your team is running on-prem SharePoint, now's the time to get really serious about that patching, and also double-check who really needs that owner access and reduce that surface area wherever possible.
Least privilege. Least privilege. Okay. Journal is reporting on a pair of data breaches at dermatology practices: Mount Laurel Dermatology in North Carolina and Anne Arundel Dermatology in Maryland. Both incidents stemmed from third-party cloud service providers. For Mount Laurel, it was an unauthorized access situation involving their EHR vendor, and Anne Arundel's incident included potential PHI exposure across multiple systems.
This was one of the largest breaches so far this year, affecting more than 1.9 million individuals. Look, these aren't big hospitals, but the impact is still significant. If you're a health system with affiliated clinics or partner groups, remember: your vendors' security practices are your risk. So it's time to dust off that business associate agreement, and your actual enforcement of it, and take another look.
And finally today, cybersecurity veteran Paul Conley just published a Substack piece that is absolutely worth your time. In it, he questions the continued obsession with annual training and phishing simulations as the go-to cyber defense strategy in healthcare. His argument? Well, these exercises alone don't really drive meaningful behavior change.
In the article, he talks about human risk management. Human risk management. He calls the concept a major step forward in maturity and risk reduction, and it's based on an understanding of each individual's behaviors and then assigning risk-informed training, controls, and interventions specific to them. In my head, he's kind of describing personalized medicine as an approach to cybersecurity training: continuous, embedded engagement from the boardroom to the bedside that builds actual cyber culture and shared accountability.
Give the article a read. If your cyber awareness strategy still looks like a once-a-year slide deck and some gotcha phishing, you're maybe not really building resilience, you're just checking a compliance box. So start small, go continuous, make it personal. More on all those stories and a lot of other healthcare innovation, tech, and security news at thisweekhealth.com/news.
You can find all our security podcasts, including the ones you might have missed, at thisweekhealth.com/unhack. And that's it for today's Two Minute Drill. Thanks for being here. Stay a little paranoid. And I will see you around campus.
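Editor's added example, not part of the episode or Drex's words: the SharePoint item above boils down to two checks an on-prem team can actually run, confirm the farm build against Microsoft's published patched build for CVE-2024-38023, and find out who really holds the Site Owner / Full Control rights the vulnerability requires. The script below does both using the SharePoint Server management shell (the Microsoft.SharePoint.PowerShell snap-in, run on a farm server as a farm administrator); the output file name is an assumption, and the 'Full Control' role name is the English default, so adjust it on localized farms.

```powershell
# Added example (not from the episode). Requires the SharePoint Server
# management shell on a farm server, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm build number, to compare with the build Microsoft lists as fixed.
#    (The fixed build is deliberately not hard-coded here; look it up.)
Write-Host "Farm build: $((Get-SPFarm).BuildVersion)"

# 2. Everyone who holds owner-level rights anywhere in the farm.
$report = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Site collection administrators (full control over the whole collection)
        foreach ($admin in $web.SiteAdministrators) {
            [pscustomobject]@{ Url = $web.Url; Role = 'SiteCollectionAdmin'
                               Login = $admin.LoginName; Name = $admin.Name }
        }
        # Members of the default Owners group (Full Control by default)
        $owners = $web.AssociatedOwnerGroup
        if ($owners) {
            foreach ($u in $owners.Users) {
                [pscustomobject]@{ Url = $web.Url; Role = "Group:$($owners.Name)"
                                   Login = $u.LoginName; Name = $u.Name }
            }
        }
        # Direct role assignments that grant Full Control outside the Owners group
        foreach ($ra in $web.RoleAssignments) {
            if ($ra.RoleDefinitionBindings | Where-Object { $_.Name -eq 'Full Control' }) {
                [pscustomobject]@{ Url = $web.Url; Role = 'FullControl:Direct'
                                   Login = $ra.Member.LoginName; Name = $ra.Member.Name }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Hypothetical output path; review the CSV with the site owners themselves.
$report | Sort-Object Url, Role, Login -Unique |
    Export-Csv -NoTypeInformation -Path .\sharepoint-owner-rights.csv

# Quick view: which accounts hold owner rights on the most sites
$report | Group-Object Login | Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count
```

Accounts that appear on many sites, service accounts sitting in Owners groups, and "Everyone"-style claims are the first things to cut; each one you remove is one fewer account whose compromise meets the precondition for this bug.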