Security

US Senators Propose Law To Require Bare Minimum Security Standards (theregister.com)

American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. From a report: The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and update the types of information displayed publicly via the department's breach reporting portal. Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident.

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.


  • Senators who have no idea what secure means specifying the means of security.

    It is a hard problem, how do you incentivize companies/hospitals/whoever to take security seriously? It's an expense and they will always try to minimize it. I mean given the number of breaches if they are not taking it seriously at this point they never will.

    plus any other information that the HHS secretary deems necessary.

    Great, can't wait to see what the incompetent idiot Trump appoints as Secretary of HHS deems necessary.

    • by HBI ( 10338492 ) on Tuesday November 26, 2024 @02:22PM (#64974131)

      ...probably about the same as the incumbent, incompetent HHS secretary.

      With that said, the Fed doesn't have to run back to Congress to regulate banks. They are mandated to have continuity of operations plans, practiced and ready for various types of failures. They have intensive reporting functions that go back to the federal government ultimately (though the Fed branch banks are private entities...I used to work for one). Why doesn't HHS have similar regulatory powers over hospitals and the like, and why is this some half measure rather than just subordinating the entire industry to regulatory authority? It's arguably just as important, no?

      • by DarkOx ( 621550 )

        Because. that would be entirely undemocratic.

        The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

        By the people for the people means elections must have consequences! I would go as far as to say we should really end 'civil service' as a concept at least at the federal level and have a pure spoils system. If that bothers you or seems unworkable I would counter we need to make the federal government smaller, and less powerful, pe

        • by Somervillain ( 4719341 ) on Tuesday November 26, 2024 @03:38PM (#64974289)

          Because. that would be entirely undemocratic.

          The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

          Bold wishes...childish AF...but you at least put a little thought into them. However, I completely disagree. Life is complex and for big projects, we need complex organizations and can't be flipping monetary policy every election. My life and prosperity and ensuring my family can afford food is more important than elections. No one will ever make hard choices if held accountable to the electorate.

          This month, Joe Biden was presiding over an objectively good economy that was performing better than every other major nation on all metrics....but lost to Trump...a fucking senile felon who thinks Matt Gaetz should be attorney general and that Elon and Vivek aren't morons and that a woman with no leadership experience and credible accusations of being a Russian intelligence asset should be put in charge of the national security apparatus...and that's before accounting for RFK....and none of this was a surprise...EVERYONE knew what Trump was about and he's never won the popular vote until now...why?....because the pandemic fucked with our cost of groceries.

          There WILL be consequences for this stupidity and I wager they'll be far greater than even I imagine, let alone those who voted for Trump, but...

          There's one powerful message that can't be ignored....

          In a democracy, don't fuck with people's pocket books.....they will vote you out. Trump's first term was a failure. Trump was a horrible president. He was not well liked...but the only thing worse than an anti-democracy autocrat who fumbled the pandemic, failed to protect the Capitol from rioters and wants to take away your civil liberties and rolled back Roe v Wade?...an increase in prices at the grocery store.

          The many people who put down ...the many that voted against him...the many he failed...so many changed their vote because they care about their daily costs more than big picture stuff

          Point being...if you hold the Fed accountable to the voters, they'll do what's best for the voters in the short term, not what's needed in the long term...the gov will be run worse than most major corporations...just hoping for a good quarter every other November.

          The people spoke...they wanted Trump...everyone who didn't has to accept that...and Trump wasn't popular or well-liked...but for enough people to matter in the USA the only thing they dislike more than Trump's failures in his first term is seeing their costs go up

          You're trying to solve the most complex problems in life with simple rules....if it worked, we would have done it long ago. It doesn't. That's why no one does what you're talking about...except failed states. The fed has the power to inflict short term pain to ensure long-term prosperity. No one will do such a thing unless forced to...especially when they're facing the electorate. Why do you think we haven't had a balanced budget since Bill Clinton?

          • by DarkOx ( 621550 )

            It was bureaucrats that took away my civil liberties like my right to assemble during the pandemic. Frankly that was one of my biggest reservations about Trump he let them. Fauci should have been told to GTFO of his office and then locked out of his own!

            Abortion is murder! Nobody who supports that is anything but ignorant or evil in my book.

            Prices are the big picture stuff, that is the biggest driver of anyone's ability to pursue happiness in a free society. The role of our government is to "promote the

            • It was bureaucrats that took away my civil liberties like my right to assemble during the pandemic. Frankly that was one of my biggest reservations about Trump he let them. Fauci should have been told to GTFO of his office and then locked out of his own!

              Abortion is murder! Nobody who supports that is anything but ignorant or evil in my book.

              So...you want the gov out of your life, except for in pregnancy...then it's OK to micromanage? You see the hypocrisy there? No one "likes" abortion. I just think the gov should stay out of it. That's a choice to be made on an individual basis...if some chick is pregnant, neither you nor I should be telling her what to do with her own body. I think she knows what's best for her more than we ever will. Also, the majority of abortions are from moms with too many kids...not reckless girls sleeping aroun

            • Abortion is murder! Nobody who supports that is anything but ignorant or evil in my book.

              Forcing people to continue a pregnancy for nine months to create a child they don't want is what is evil. The idea it is "murder" is a ridiculous invention of pseudo-Christian politicians. How ridiculous becomes apparent when some judge decides frozen embryos are people and have constitutional rights like everyone else.

          • Why do you think we haven't had a balanced budget since Bill Clinton?

            Because we have an enormous disparity in wealth. The wealthy are powerful and they don't want to pay their share. But they still want lots of government support for increasing their riches. If we had left taxes on the wealthy where they were in the 1970's there would be no national debt much less a deficit.

            Joe Biden was presiding over an objectively good economy

            Objectively good for the wealthy. The GDP was increasing but the giant share of that GDP growth was enriching the wealthy. At the same time, objectively, middle class wages were not keeping up with price

        • by fahrbot-bot ( 874524 ) on Tuesday November 26, 2024 @03:50PM (#64974323)

          The FED should be abolished. No part of government should exist outside immediate accountability to the currently elected leadership.

          That's the reason the Fed has independence, so political hacks can't screw around with monetary policy on a whim. Seriously, do you want this next guy to have direct control of that -- the guy who's had 6 Corporate Bankruptcies [thoughtco.com], including several casinos and thinks exporting companies/countries pay the tariffs? (It's importers, who usually pass the expenses onto consumers.)

          The President gets to appoint the people controlling the Fed, subject to Senate confirmations, but their terms run from 4 to 14 years, depending on position, largely, but not completely, independent from the Executive and Legislative branches, for various reasons, including stability. From The Fed Explained: How We Conduct Monetary Policy [federalreserve.gov]

          This flexibility ensures that monetary policy decisions can be directed toward the longer term, be based on data and objective analysis, and best serve the interests of all Americans.

          Notice the bit about "all Americans", not just those in charge.

          • by GoTeam ( 5042081 )

            Seriously, do you want this next guy to have direct control of that -- the guy who's had 6 Corporate Bankruptcies [thoughtco.com], including several casinos and thinks exporting companies/countries pay the tariffs? (It's importers, who usually pass the expenses onto consumers.)

            Why do people keep bringing this up as if it means something? I do not like Trump at all, but when you leave out important information and zero in on one aspect of a statistic, you mislead people. Do you know how many total companies that clown owns? There are at least 250 currently under the Trump umbrella. If you've ever started a business or worked closely with people running their own businesses, you'd know how hard it is to build a successful business. Finding single digit business failures in that man

          • Notice the bit about "all Americans", not just those in charge.

            That has not been its history. Instead it has almost exclusively focused on the interests of wealthy Americans who own the bulk of American wealth. The Fed's efforts to keep down inflation are designed to protect people who lend money from getting paid back with money that is less valuable. When the wealthy investment class takes on large amounts of debt, as they did during covid, they loosen the strings.

        • ... part of government ...

          Technically, the Federal Bank is not a part of government. Which, yes, is a problem. But using a generic answer of "immediate accountability" is stupid.

          ... outside immediate accountability ...

          In the 2024 elections across the USA, ballot papers in some counties demanded election of 92 government officials. How much time do you spend deciding which candidate would make the best city dog-catcher?

          It sounds like you haven't seen much of reality. It sounds like you've never been to a US municipal council meeting: In the last decade, most of th

      • It's not a bad idea... effectively you'd audit and re-certify these organisations on a yearly or bi-yearly basis, making sure they adhere to minimum standards, have contingency plans in place for a variety of breaches and faults, and test their defenses regularly (pen tests and such). But, someone will have to evaluate all that, and basically act as a certification agency. Not sure if the government is up to that.
        • by HBI ( 10338492 )

          Even though I said the branch Fed banks are private entities, they might as well be government agencies the way they are run. Their pay bands even mirror the GS ranks of the civilian force of the USG. They aren't phenomenal at what they do but at least it's _some_ rigor. I used to have to do DR exercises back in the 90s at the Fed's behest at a bank. They were serious exercises and we had to bring stuff online in reasonable timeframes - 8/24/48 hours kinds of things. We were forced to re-run the exerci

    • by DarkOx ( 621550 ) on Tuesday November 26, 2024 @02:46PM (#64974185) Journal

      Right.. the answer is accountability not trying to write a security prescription.

      The problem with accountability is there has to be actual pain involved and nobody likes that because it's 'disruptive'.

      If anything this 'approach' is likely to result in a relatively homogeneous set of controls, and probably not altogether strong ones. Rather than prevent breaches it will pretty much make them a certain regular occurrence. The CYA people will decide to implement HHS-CYBER-100-1.1 or whatever to the letter, no matter what their unique requirements and concerns might be. Threat actors will learn to game that set of controls, and they will compromise everyone at will...

      The way to fix it is always to make the shareholders really feel it - but of course if you do that you reduce health care investment.

    • Senators who have no idea what secure means specifying the means of security.

      It probably means that the affected companies will have to contract with an authorized cybersecurity provider to be compliant. The cybersecurity companies do whatever song and dance is required to become government authorized security providers, and then they get guaranteed revenue from the businesses who are required to use their services. There's always a crony capitalism angle to this sort of legislation.

    • by gweihir ( 88907 )

      It is actually pretty easy and demonstrated in regulated environments: Your security gets regularly independently evaluated against the state-of-the-art. Fail and fail to fix? Get special attention in the form of additional audits. Continue to fail? Get shut down. Liability of the board against owners and shareholders included.

      This thing here will probably only have the Russian and Chinese attackers highly amused.

    • plus any other information that the HHS secretary deems necessary.

      Great, can't wait to see what the incompetent idiot Trump appoints as Secretary of HHS deems necessary.

      Probably not good for computer security, I heard that RFK Jr. guy is pro-virus (or something like that) ... :-)

    • Part of the issue is that in our post Chevron world, if Congress doesn't make it explicit and leaves it to regulators, it's ripe for even easier than ever lawsuits fighting it.

      Lawsuit:
      "Dear judge in the handpicked jurisdiction of my choice, congress didn't explicitly say to do this, so please rule we don't have to do this, even though the security experts in NIST or wherever have determined this is the best thing to do. You have to rule this way because SCOTUS said so".
      Appeal to SCOTUS eventually:
      "Hi SCOT

  • can mumps even do 2fa?

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday November 26, 2024 @02:27PM (#64974143) Homepage Journal

    So no Windows then, right?

    Right?

    No? GTFOH then.

    Windows is spyware by design and they are defaulting on things like training AI from your Office documents, even in orgs which have most of their tracking turned off.

    I had to go into the Office settings and turn that off manually even though I am in an org with PII, FTI, and other protected data. And no, it's not clearly labeled.

    And then there's just Microsoft's general incompetence when it comes to security, of course. Nobody with confidential information should ever use it for anything.

    But Microsoft is a defense contractor, and part of PRISM, and critical to the whole operation of Five Eyes, so we know they will never hold them accountable for their actions — they requested those actions.

  • Let's punish scammers / hackers with the death penalty. Why should the WHOLE FUCKING WORLD need to constantly run on the security treadmill. Let's solve this from the other end.

    • Another thought... Predator drones hitting scam call centers in India. We did it for Bin Laden... We can do it to the asshats scamming grandma.

    • by gweihir ( 88907 )

      Worthless, idiotic and ineffective. Cave-men like you believe violence does fix things. That is almost universally not the case and here you do not even know who to apply it to.

      • Violence and the threat of violence are powerful motivators. Taxes, for instance are backed by threat of violence. Every social construct we live with are, at the end of the day, backed by the threat of violence. Now the death penalty is a stretch (and a bit of a tongue in cheek reference to ST:TNG's Season 1 Episode 8 'Justice').

        I do think extremely powerful punishments are appropriate for a person ruining someone's life via digital means. Jail, public humiliation, fines, no access to internet, maybe a

        • Violence and the threat of violence are powerful motivators.

          It may sound strange, but they are essential for maintaining democracy. Churchill has a quote attributed to him that "Democracy is the worst form of government, except for all the others." The only reason people will abide by a democratic decision that is contrary to their interests is that the alternative of violent resistance is worse. Without the threat of violence, those with power would pay no attention to what most people think.

  • by silentbozo ( 542534 ) on Tuesday November 26, 2024 @02:57PM (#64974205) Journal

    Given that SMS is backdoored by design because of wiretapping, it seems like a terrible idea to continue using it for 2FA.

    Even if you're not on [insert foreign adversary here]'s hit list (either via SS7 hijack, social engineering US telecoms, or directly trojaning their systems), you can still be the victim of SIM-swapping.

  • Company devices only, VPN as first line of defense.

    You can have all your end point security and zero trust massive attack surface malarky ... behind dedicated devices and a VPN. Defense in depth, remember that?
