Security News Update for the Week Ending May 31, 2024
Feds Say ChangeHealth Can File Breach Notice on Behalf of Doctors After All
Changing your mind … is a federal agency’s prerogative, apparently. Normally under HIPAA, it is the doctor or hospital that has to file the breach notice, and until this week that was the feds’ (HHS) position for the ChangeHealth breach. However, smarter brains have prevailed and, rather than consumers getting a dozen notices from different doctors, pharmacies and other care providers, in this case ChangeHealth will file the notices. Eventually. Credit: The Record
NIST Says National Vulnerability Database Will be Current by September
The National Vulnerability Database (NVD) is used by security software makers, researchers, consulting companies and others to understand new vulnerabilities and update anti-malware software. For most of this year, for reasons unknown, NIST has been way behind in adding new entries, to the consternation of many. Now NIST says they have hired a vendor to work with them and the database should be caught up by the end of the government’s fiscal year in September. Credit: HelpNet Security
While Feds Tell Companies to Improve Security, Theirs Sucks Too
More than half of the government’s applications have at least one vulnerability that has not been patched for over a year. The good news is that less than 1 percent of those are critical bugs. Half of them are in the government’s own code. Veracode, which makes software to detect vulnerabilities, says that 68 percent of government organizations have some security debt, about the same as industry. But 59 percent of government apps have debt, compared to 42 percent of apps overall. See the rest of the details at CSO Online.
Google is Warning People About Changes to Ads Due to Privacy Laws
As new state privacy laws go into effect that restrict targeted advertising (Colorado’s goes into effect in a month), Google is warning customers to beware that their advertising may suddenly become less effective. On the other hand, their bill may go down because there are fewer eyeballs allowing targeted advertising. Google is also discontinuing certain services due to the legal risk to it. Other advertising service providers may tell you it is your problem, or not say anything at all, which de facto makes it your problem. That means you have to start honoring global opt-out signals or risk large fines. If you need help, contact us. Credit: Google
Cyber Teams Intentionally Underreport Breaches
I bet this shows up as a shocker … to no one. Forty percent of cyber teams have not reported a cyber incident out of fear of getting fired. Total and complete shock. Half of the surveyed security pros say they are unprepared for an attack on a critical third party. More than half said they were not prepared to defend against AI-based attacks. Two-thirds said they could not currently meet the SEC’s four-day disclosure requirement. Why? Time (staff) and money. And executive support. Credit: CyberNews