
NIST, Moobot, Ransomware AI Impact – Ep 447 

 March 1, 2024

By  Donna Grindle

The rapid advancement of AI could soon eclipse our understanding, with its capability to predict and even manipulate human behavior. Today, we will dive into how AI is reshaping our understanding and preparedness for the digital threats lurking around the corner. Plus, NIST just released guidance that can be used to help improve the healthcare sector’s cybersecurity posture and assist with achieving compliance with the HIPAA Security Rule.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA




The HIPAA Privacy and Security Boot Camp

3.5 day In Person Event

April 9, 10, 11 and 12, 2024

PriSecBootCamp.com


HIPAA Briefs

[08:58] The Strengthening Cybersecurity in Health Care Act, announced in Feb 2024, is nothing to get excited about. It officially says:

A bill to require the Inspector General of the Department of Health and Human Services to evaluate the cybersecurity practices and protocols of the Department, and for other purposes.

Here’s the opening:

“Not later than 2 years after the date of enactment of this Act, and every 2 years thereafter, the Inspector General of the Department of Health and Human Services shall evaluate the cybersecurity practices and protocols of the Department through the conduct of penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department is currently, or could be compromised and—

(1) expose patient data, including Medicare numbers of individuals; or

(2) impact patient safety.”

Basically, it says: 2 years from now, give us a report saying you looked at the cybersecurity practices of HHS and what you found that could make them better. I know this legal stuff can be complicated, but what we need and what this says are two different things. PLUS, 2 years from now everything will be different. Doing it every 2 years means you are working on very old data, and any improvements won’t be reported for another 2 years. I hope I am missing something; otherwise this thing is a dud, IMHO.

NIST, Moobot, Ransomware AI Impact

[15:29] Three stories that won’t make a whole episode by themselves just get jammed together today.

New NIST Guide for HIPAA Security Rule

NIST released the latest update to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (SP 800-66r2, for those who keep up with NIST ID numbers).

SP 800-66 Rev. 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Grab your copy of it and start looking through it. We are in the process of comparing our processes to their recommendations. There is so much coming out that it is getting harder to know when to do updates, but between this, HICP 2023, and the CPGs, it is definitely time now. Doing it now will only make it easier when the next round of changes comes down the pipe.

It is good to see how they reference HICP in a few places along with the NIST CSF. See, it can be done!

It happens to us too

[19:13] I was just reviewing my news list over the weekend and BAM, I spotted this little nugget. Sharing it with David got the expected response: Ugh (it would have been more colorful the other way around).

FBI Disrupts Russian Moobot Botnet Infecting Ubiquiti Routers – RedPacket Security

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

“This botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted by the Department in that the GRU did not create it from scratch. Instead, the GRU relied on the ‘Moobot’ malware, which is associated with a known criminal group,” the Justice Department said.

AI is good. But, AI is bad.

[30:14] The UK has the National Cyber Security Centre (NCSC), sort of like our CISA. In January, they released a report on their recent assessment of how AI will impact the efficacy of cyber operations, and the implications for the cyber threat over the next 2 years. The TechRepublic article about it got my attention with the headline:

National Cyber Security Centre Study: Generative AI May Increase Global Ransomware Threat

Their press release didn’t have the same zing, but it says the same thing:

Global ransomware threat expected to rise with AI, NCSC warns

The near-term impact of AI on the cyber threat – NCSC.GOV.UK

The points from NCSC CEO Lindy Cameron included in the press release were very telling about where we really stand:

“We must ensure that we both harness AI technology for its vast potential and manage its risks – including its implications on the cyber threat.

“The emergent use of AI in cyber attacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.

“As the NCSC does all it can to ensure AI systems are secure-by-design, we urge organisations and individuals to follow our ransomware and cyber security hygiene advice to strengthen their defences and boost their resilience to cyber attacks.”

Much like us with all of our acronyms, they get caught up in the same cycle too. The NCSC Assessment (NCSC-A) is part of the Professional Heads of Intelligence Assessment (PHIA).

The Professional Head of Intelligence Assessment (PHIA) probability yardstick used by the NCSC-A is pretty cool. It shows how risk measures up on a yardstick, although their yardstick doesn’t have inches.

I don’t think we were at all blind to the fact that AI will be immensely impactful in both a good and bad way. It is happening very quickly too. But I think it is important to include this new threat in how we calculate the risk of these attacks occurring.

Let’s define something important. We discuss AI all the time, and we have had AI in the world of systems for a few years now. However, this new level is Generative AI: AI that can create its own things like text, images, and program code, plus much, much more.

[44:31] The report included some specific “Key judgements”:

Key judgements

  • Artificial intelligence (AI) will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years. However, the impact on the cyber threat will be uneven (see table 1).
  • The threat to 2025 comes from evolution and enhancement of existing tactics, techniques and procedures (TTPs).
  • All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.
  • AI provides capability uplift in reconnaissance and social engineering, almost certainly making both more effective, efficient, and harder to detect.
  • More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
  • AI will almost certainly make cyber attacks against the UK more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
  • AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
  • Moving towards 2025 and beyond, commoditization of AI-enabled capability in criminal and commercial markets will almost certainly make improved capability available to cyber crime and state actors.

[54:37] Table 1, referenced above, is a great chart laying out just how much of an “uplift” generative AI gives threat actors now and will give them in the future. Side note: Uplift is another buzzword that seems to be popping up everywhere. We hear all of them once the big enterprises start using them to the point that their people use them in other meetings.

All that uplifting in there means we better do some uplifting on our side of the equation or bigger problems are coming our way.

The complexity of the cybersecurity challenges we are facing today, and of the changes that are fast approaching, cannot be overstated. You’ve got to have an uplift in your cybersecurity program to keep up if you are going to have a chance at fighting this battle. Make the investment now. Don’t get further behind.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
