Cyber Risk Governance Insights | January 6, 2025
Netswitch, Inc.

WEEK IN BRIEF

GOVERNMENT - Cyber-Attacks on Taiwan Double in 2024

  • Summary: In 2024, Taiwan's government networks faced an average of 2.4 million daily cyber-attacks, doubling from 1.2 million in 2023. The National Security Bureau attributes most of these attacks to Chinese state-backed hackers, who employed techniques such as exploiting vulnerabilities in network devices, social engineering, and DDoS attacks. Critical industries, including telecommunications, transportation, and defense, experienced significant increases in targeted attacks, with the telecommunications sector seeing a 650% rise. These cyber operations aim to steal confidential data, disrupt infrastructure, and undermine Taiwan's government credibility.
  • Analysis: The cyber incidents involved the exploitation of vulnerabilities in network communication devices. Implementing a robust patch management policy could have mitigated this threat.
  • Preventive Measure: Promptly addressing vulnerabilities through effective patch management significantly reduces the attack surface available to adversaries. This proactive approach limits opportunities for exploitation, thereby enhancing the organization's security posture and protecting your infrastructure from potential breaches.
  • Mitigation Explanation: These types of attacks demonstrate the importance of a patch management strategy. A regular cadence for patch deployment ensures timely updates for software and hardware vulnerabilities. By consistently updating network devices, organizations proactively minimize the window of vulnerability and reduce the risk of exploitation by threat actors.

SOURCE: Infosecurity Magazine

TECHNOLOGY - Provider Denies Breach; Attributes Exposure to 3rd-Party

  • Summary: French IT services firm Atos refuted claims by the ransomware group Space Bears of a direct breach of its systems. Atos clarified that while no internal infrastructure was compromised, data referencing the company was accessed through an external third-party system not managed by Atos. The company emphasized that no proprietary information or source code was exposed.
  • Analysis: The incident stemmed from a third-party compromise leading to the exposure of data associated with Atos. Nevertheless, Atos has suffered valuation impact and reputational damage, as customers remember the breach headline, not the investigation report published months later.
  • Preventive Measure: Implementation of a comprehensive third-party risk management (TPRM) program.
  • Mitigation Explanation: A TPRM program involves assessing and monitoring the security practices of external partners to ensure they meet stringent cybersecurity standards. By enforcing such measures, your organization can identify potential vulnerabilities within third-party systems that interact with its data. This proactive approach minimizes the risk of data exposure resulting from external breaches, thereby safeguarding your organization's information assets.

SOURCE: Security Week

MANUFACTURING - Chemical Maker Suffers Ransomware Attack

  • Summary: Nikki-Universal Co. Ltd., a prominent Japanese chemical manufacturer, experienced a ransomware attack on December 22, 2024. The cybercriminal group, identified as Hunters International, claims to have exfiltrated 762 gigabytes of data, including confidential information. In response, Nikki-Universal promptly shut down affected servers and initiated an investigation to assess the breach's scope and impact.
  • Analysis: The ransomware attack resulted in significant data exfiltration, indicating potential weaknesses in the company's network security and data protection measures.
  • Preventive Measure: Implement a comprehensive data encryption strategy.
  • Mitigation Explanation: Data encryption ensures that sensitive information remains unreadable to unauthorized users, even if exfiltrated during a breach. By encrypting data at rest and in transit, organizations can protect the confidentiality and integrity of their information. In the event of unauthorized access, encrypted data would be indecipherable without the appropriate decryption keys, thereby mitigating the impact of data theft.

SOURCE: Cyber Security News

HEALTHCARE - Medical Center Ransomware Attack Exposes Data of 670,000 Individuals

  • Summary: In May 2023, Richmond University Medical Center (RUMC) in Staten Island, New York, experienced a ransomware attack causing significant operational disruptions. Subsequent investigations revealed that the personal and health information of over 670,000 individuals was compromised. Exposed data includes names, Social Security numbers, dates of birth, financial account details, biometric information, and medical records. RUMC is offering 12 months of free credit monitoring services to affected individuals.
  • Analysis: The ransomware attack led to unauthorized access and exfiltration of sensitive personal and health information, indicating vulnerabilities in the hospital's cybersecurity defenses.
  • Preventive Measure: Implement a comprehensive network segmentation strategy.
  • Mitigation Explanation: Network segmentation involves dividing a network into isolated segments to restrict lateral movement by threat actors. In the event of a breach, this containment strategy limits attackers' access to critical systems and sensitive data, thereby reducing the potential impact of ransomware attacks. By isolating sensitive information and essential services, organizations can enhance their security posture and protect against data exfiltration.

SOURCE: Becker's Hospital Review

DATA BROKERS - DOJ Finalizes Rule to Restrict Access to Americans' Sensitive Data

  • Summary: On December 27, 2024, the U.S. Department of Justice (DOJ) issued a final rule implementing EO14117, aimed at preventing foreign adversaries from accessing Americans' bulk sensitive personal data and U.S. government-related information. The rule establishes prohibitions and restrictions on specific data transactions, sets thresholds for bulk data transfers, and introduces enforcement mechanisms, including civil and criminal penalties. The rule will take effect 90 days from publication, with certain due diligence, reporting, and auditing requirements becoming effective 270 days after publication.
  • Analysis: The DOJ's final rule addresses the national security threat posed by foreign adversaries' access to Americans' sensitive personal data through data brokers and other entities. Specifically, if your organization is in one of the following industries, please review your governance related to data management: data brokers, technology firms, healthcare entities, telecommunications providers, financial institutions (this likely includes insurance), educational institutions, and defense contractors.
  • Preventive Measure: Implement stringent data access controls and compliance programs to comply with the new DOJ regulations.
  • Mitigation Explanation: By establishing appropriate data access controls, you can prevent unauthorized foreign access to sensitive personal and government-related data and achieve compliance with the DOJ's final rule. Conduct thorough due diligence on data transactions, and know the supply chain of your data. Implement comprehensive reporting and auditing mechanisms, and enforce strict data-sharing policies. Such measures will mitigate the risk of data exploitation by foreign adversaries and enhance national security.

SOURCE: Reuters

Stakeholder Insights

Executives (C-Suite & Boards)

  • Prioritize Cybersecurity as a Strategic Imperative: As cyberattacks evolve in scale and sophistication, consider treating cybersecurity as a core business priority, not a technical issue. Allocate resources toward proactive mitigation measures like advanced patch management, robust encryption, and third-party risk assessments.
  • Reinforce Reputational Resilience: Reputational harm from cyber incidents can linger, even when the organization isn’t directly at fault. A clear crisis communication plan, combined with board-level oversight of risk, can help mitigate fallout and reassure stakeholders.
  • Lead the Charge on Regulatory Compliance: Emerging regulations like the DOJ rule on data restrictions signal increased scrutiny. Boards must advocate for strong governance frameworks to handle sensitive data securely and avoid potential legal or financial repercussions.

Governors (Internal Audit & Compliance)

  • Focus on Risk-Centric Audits: Shift audit priorities to high-risk areas, such as third-party relationships and internal defenses against ransomware. Ensure that all vendors meet stringent cybersecurity requirements to mitigate exposure from external breaches.
  • Prepare for Regulatory Scrutiny: The DOJ’s data security rule emphasizes due diligence, reporting, and auditing. Internal audit teams must verify that compliance frameworks are in place, with a particular focus on sectors handling sensitive or bulk data.
  • Enhance Incident Response Validation: Regularly review and test your organization’s incident response plans to ensure rapid containment and recovery in the event of breaches or ransomware attacks.

Technologists (IT & Cybersecurity)

  • Strengthen Proactive Defenses: Implement automation to expedite patching, regularly update IDS, and evaluate encryption protocols safeguarding sensitive data.
  • Secure Third-Party Interactions: It’s essential to collaborate with compliance teams to establish comprehensive third-party risk management programs, including continuous monitoring of vendors and secure data-sharing practices.
  • Support Compliance with Technology: Implementing technologies like data anonymization and tokenization, along with strong auditing capabilities, will help organizations meet evolving regulatory requirements and ensure systems are prepared for detailed reporting when needed.


INSIGHTS & EXPERT PERSPECTIVES

HIPAA’s New Cybersecurity Rules Are Coming

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The proposed amendments aim to strengthen cybersecurity protections for electronic protected health information (ePHI) by:

  • Eliminating the distinction between "required" and "addressable" implementation specifications, thereby making all specifications mandatory with specific exceptions.
  • Mandating written documentation for all Security Rule policies, procedures, plans, and analyses.
  • Updating definitions and revising implementation specifications to align with current cybersecurity threats and technological advancements.

These proposed changes are part of HHS's broader initiative to enhance the cybersecurity posture of the healthcare sector, in line with the National Cybersecurity Strategy.

Highlights:

  1. Mandatory Implementation Specifications: The removal of the "addressable" category signifies a shift towards uniform compliance requirements, potentially increasing the administrative burden on covered entities and business associates.
  2. Documentation Requirements: The mandate for comprehensive documentation of all policies and procedures may necessitate significant resource allocation to ensure compliance, particularly for smaller organizations.
  3. Alignment with National Strategy: The proposed amendments reflect a strategic alignment with national cybersecurity objectives, indicating a commitment to addressing evolving cyber threats within the healthcare sector.


INSIGHT: Healthcare as a sector has increasingly become vulnerable to cyber risks associated with data breaches, ransomware attacks, and third-party vendor compromises. These incidents often result in significant harm to patients, undermining trust in healthcare organizations, and damaging the sector’s reputation.

Often, we find that specialty healthcare organizations are not adequately prepared to identify, respond to, and recover from cyber incidents, whether those incidents affect the organizations themselves or the third-party SaaS providers the industry has come to rely upon (e.g., Change Health).

Historically, the penalties for incidents and the resulting non-compliance with HIPAA have been criticized as insufficiently punitive, often amounting to "meaningless" fines that fail to incentivize lasting cybersecurity improvements.

In many cases, healthcare organizations impacted by breaches face severe operational disruptions, leading to bankruptcies rather than recovery, which further diminishes their ability to address the root causes of security failures.

The recent proposed amendments to the HIPAA Security Rule by the U.S. Department of Health and Human Services (HHS) are a much-needed step in addressing these systemic weaknesses. These enhanced cybersecurity measures are crucial for several reasons:

  1. Mandatory Compliance Enhances Accountability: By eliminating the distinction between "required" and "addressable" specifications, HHS aims to create a more consistent and enforceable framework. This shift ensures that all covered entities and business associates are held to the same standards, reinforcing the importance of compliance across the healthcare sector. Such measures move beyond token penalties and push organizations to actively address cybersecurity risks.
  2. Proactive Risk Management: The new requirement for comprehensive documentation of security policies, procedures, and risk assessments is a vital step in ensuring that cybersecurity is an ongoing, prioritized activity. This documentation forces healthcare organizations to take a proactive approach to security, regularly revising their strategies in line with emerging threats, rather than reacting only when a breach occurs.
  3. Alignment with National Cybersecurity Strategy: The proposed amendments reflect the federal government’s growing recognition of the need to protect critical infrastructure, such as healthcare, from cyber threats. By aligning HIPAA regulations with the broader National Cybersecurity Strategy, HHS is placing healthcare organizations in a stronger position to fend off sophisticated cyber-attacks that pose significant risks to both patient privacy and national security.
  4. Long-Term Cost Avoidance: Although these enhanced measures may seem burdensome in the short term, they are designed to mitigate the far higher costs of data breaches, ransomware attacks, and other cybersecurity incidents. Implementing robust cybersecurity protocols will reduce the likelihood of such events, ultimately saving organizations from costly recovery efforts, reputational damage, and the potential for bankruptcy. Healthcare providers can no longer afford to treat cybersecurity as an afterthought.

We believe that the proposed amendments to the HIPAA Security Rule are a necessary and strategic response to the growing cyber risks facing the healthcare industry. Strengthening cybersecurity standards will not only protect sensitive patient data but will also help safeguard the long-term sustainability of healthcare organizations. These measures mark a critical shift towards proactive, comprehensive cybersecurity that aligns with both national security interests and the health sector’s operational needs.

The proposed updates would establish stricter and more specific cybersecurity requirements than the current guidelines. Where the prior guidelines allowed flexibility, the new rule mandates specific measures and procedures. These changes aim to standardize the security and protection of health information in light of growing cyber threats.

Healthcare organizations might consider these changes as an opportunity to better protect their patients, increase organizational value, and ensure the integrity of their operations in an increasingly threat-laden environment.


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Community on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch Technology Management today to take control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.


Rob McGowan

President @ R3 | Robust IT Infrastructures for Scaling Enterprises | Leading a $100M IT Revolution | Follow for Innovative IT Solutions

1 month ago

Great summary. Thanks for this, Stanley Li!
