US Senators Propose Law To Require Bare Minimum Security Standards (theregister.com)

American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. From a report: The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and update the types of information displayed publicly via the department's breach reporting portal. Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident.

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.

  • Senators who have no idea what secure means specifying the means of security.

    It is a hard problem: how do you incentivize companies/hospitals/whoever to take security seriously? It's an expense and they will always try to minimize it. I mean, given the number of breaches, if they are not taking it seriously at this point they never will.

    plus any other information that the HHS secretary deems necessary.

    Great, can't wait to see what the incompetent idiot Trump appoints as Secretary of HHS deems necessary.

    • by HBI ( 10338492 )

      ...probably about the same as the incumbent, incompetent HHS secretary.

      With that said, the Fed doesn't have to run back to Congress to regulate banks. They are mandated to have continuity of operations plans, practiced and ready for various types of failures. They have intensive reporting functions that go back to the federal government ultimately (though the Fed branch banks are private entities...I used to work for one). Why doesn't HHS have similar regulatory powers over hospitals and the like, and wh

      • by DarkOx ( 621550 )

        Because. that would be entirely undemocratic.

        The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

        By the people for the people means elections must have consequences! I would go as far as to say we should really end 'civil service' as a concept at least at the federal level and have a pure spoils system. If that bothers you or seems unworkable I would counter we need to make the federal government smaller, and less powerful, pe

        • by Somervillain ( 4719341 ) on Tuesday November 26, 2024 @03:38PM (#64974289)

          Because. that would be entirely undemocratic.

          The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

          Bold wishes...childish AF...but you at least put a little thought into them. However, I completely disagree. Life is complex and for big projects, we need complex organizations and can't be flipping monetary policy every election. My life and prosperity and ensuring my family can afford food is more important than elections. No one will ever make hard choices if held accountable to the electorate.

          This month, Joe Biden was presiding over an objectively good economy that was performing better than every other major nation on all metrics....but lost to Trump...a fucking senile felon who thinks Matt Gaetz should be attorney general and that Elon and Vivek aren't morons and that a woman with no leadership experience and credible accusations of being a Russian intelligence asset should be put in charge of the national security apparatus...and that's before accounting for RFK....and none of this was a surprise...EVERYONE knew what Trump was about and he's never won the popular vote until now...why?....because the pandemic fucked with our cost of groceries.

          There WILL be consequences for this stupidity and I wager they'll be far greater than even I imagine, let alone those who voted for Trump, but...

          There's one powerful message that can't be ignored....

          In a democracy, don't fuck with people's pocket books.....they will vote you out. Trump's first term was a failure. Trump was a horrible president. He was not well liked...but the only thing worse than an anti-democracy autocrat who fumbled the pandemic, failed to protect the Capitol from rioters and wants to take away your civil liberties and rolled back Roe v Wade?...an increase in prices at the grocery store.

          The many people who put down ...the many that voted against him...the many he failed...so many changed their vote because they care about their daily costs more than big picture stuff

          Point being...if you hold the fed accountable to the voters, they'll do what's best for the voters in the short term, not what's needed in the long term...the gov will be run worse than most major corporations...just hoping for a good quarter every other November.

          The people spoke...they wanted Trump...everyone who didn't has to accept that...and Trump wasn't popular or well-liked...but for enough people to matter in the USA, the only thing they dislike more than Trump's failures in his first term is seeing their costs go up

          You're trying to solve the most complex problems in life with simple rules....if it worked, we would have done it long ago. It doesn't. That's why no one does what you're talking about...except failed states. The fed has the power to inflict short term pain to ensure long-term prosperity. No one will do such a thing unless forced to...especially when they're facing the electorate. Why do you think we haven't had a balanced budget since Bill Clinton?

          • by DarkOx ( 621550 )

            It was bureaucrats that took away my civil liberties like my right to assemble during the pandemic. Frankly that was one of my biggest reservations about Trump he let them. Fauci should have been told to GTFO of his office and then locked out of his own!

            Abortion is murder! Nobody who supports that is anything but ignorant or evil in my book.

            Prices are the big picture stuff, that is the biggest driver of anyone's ability to pursue happiness in a free society. The role of our government is to "promote the

        • The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

          That's the reason the Fed has independence, so political hacks can't screw around with monetary policy on a whim. Seriously, do you want this next guy to have direct control of that -- the guy who's had 6 Corporate Bankruptcies [thoughtco.com], including several casinos and thinks exporting companies/countries pay the tariffs? (It's importers, who usually pass the expenses onto consumers.)

          The President gets to appoint the people controlling the Fed, subject to Senate confirmations, but their terms run from 4 to 14 yea

      • It's not a bad idea... effectively you'd audit and re-certify these organisations on a yearly or bi-yearly basis, making sure they adhere to minimum standards, have contingency plans in place for a variety of breaches and faults, and test their defenses regularly (pen tests and such). But, someone will have to evaluate all that, and basically act as a certification agency. Not sure if the government is up to that.
    • by DarkOx ( 621550 ) on Tuesday November 26, 2024 @02:46PM (#64974185)

      Right.. the answer is accountability not trying to write a security prescription.

      The problem with accountability is there has to be actual pain involved and nobody likes that because it's 'disruptive'

      If anything this 'approach' is likely to result in a relatively homogeneous set of controls, and probably not altogether strong ones. Rather than prevent breaches it will pretty much make them a certain regular occurrence. The CYA people will decide to implement HHS-CYBER-100-1.1 or whatever to the letter, no matter what their unique requirements and concerns might be. Threat actors will learn to game that set of controls, and they will compromise everyone at will...

      The way to fix it is always to make the shareholders really feel it - but of course if you do that you reduce health care investment.

    • Senators who have no idea what secure means specifying the means of security.

      It probably means that the affected companies will have to contract with an authorized cybersecurity provider to be compliant. The cybersecurity companies do whatever song and dance is required to become government authorized security providers, and then they get guaranteed revenue from the businesses who are required to use their services. There's always a crony capitalism angle to this sort of legislation.

    • by gweihir ( 88907 )

      It is actually pretty easy and demonstrated in regulated environments: Your security gets regularly independently evaluated against the state-of-the-art. Fail and fail to fix? Get special attention in the form of additional audits. Continue to fail? Get shut down. Liability of the board against owners and shareholders included.

      This thing here will probably only have the Russian and Chinese attackers highly amused.

    • plus any other information that the HHS secretary deems necessary.

      Great, can't wait to see what the incompetent idiot Trump appoints as Secretary of HHS deems necessary.

      Probably not good for computer security, I heard that RFK Jr. guy is pro-virus (or something like that) ... :-)

    • Part of the issue is that in our post Chevron world, if Congress doesn't make it explicit and leaves it to regulators, it's ripe for even easier than ever lawsuits fighting it.

      Lawsuit:
      "Dear judge in the handpicked jurisdiction of my choice, congress didn't explicitly say to do this, so please rule we don't have to do this, even though the security experts in NIST or wherever have determined this is the best thing to do. You have to rule this way because SCOTUS said so".
      Appeal to SCOTUS eventually:
      "Hi SCOT

  • can mumps even do 2fa?

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday November 26, 2024 @02:27PM (#64974143)

    So no Windows then, right?

    Right?

    No? GTFOH then.

    Windows is spyware by design and they are defaulting on things like training AI from your Office documents, even in orgs which have most of their tracking turned off.

    I had to go into the Office settings and turn that off manually even though I am in an org with PII, FTI, and other protected data. And no, it's not clearly labeled.

    And then there's just Microsoft's general incompetence when it comes to security, of course. Nobody with confidential information should ever use it for anything.

    But Microsoft is a defense contractor, and part of PRISM, and critical to the whole operation of Five Eyes, so we know they will never hold them accountable for their actions — they requested those actions.

  • Let's punish scammers / hackers with the death penalty. Why should the WHOLE FUCKING WORLD need to constantly run on the security treadmill. Let's solve this from the other end.

    • Another thought... Predator drones hitting scam call centers in India. We did it for Bin Laden... We can do it to the asshats scamming grandma.

    • by gweihir ( 88907 )

      Worthless, idiotic and ineffective. Cave-men like you believe violence does fix things. That is almost universally not the case and here you do not even know who to apply it to.

      • Violence and the threat of violence are powerful motivators. Taxes, for instance, are backed by threat of violence. Every social construct we live with is, at the end of the day, backed by the threat of violence. Now the death penalty is a stretch (and a bit of a tongue in cheek reference to ST:TNG's Season 1 Episode 8 'Justice').

        I do think extremely powerful punishments are appropriate for a person ruining someone's life via digital means. Jail, public humiliation, fines, no access to internet, maybe a

  • by silentbozo ( 542534 ) on Tuesday November 26, 2024 @02:57PM (#64974205)

    Given that SMS is backdoored by design because of wiretapping, it seems like a terrible idea to continue using it for 2FA.

    Even if you're not on [insert foreign adversary here]'s hit list (either via SS7 hijack, social engineering US telecoms, or directly trojaning their systems), you can still be the victim of sim-swapping.

  • Company devices only, VPN as first line of defense.

    You can have all your endpoint security and zero trust massive attack surface malarkey ... behind dedicated devices and a VPN. Defense in depth, remember that?
