Hackers' best friends
> minimum cybersecurity standards
The problem with moves like this is that the minimum standard quickly becomes THE standard, with nobody feeling the need (or expense) of going further.
American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill …
A fair point. The standard should be such that the answer to your question would be "No, that's fine."
In which case, what should the bare minimum standards be, in the humble opinions of the assembled commetardiat?
This is well outside my area of real expertise, but I'd at least put in a requirement for salted and hashed passwords. (More generally, I'd like a legal requirement for all password-storing organizations to do so, with penalties when unsalted and/or unhashed passwords leak.) For the gummint entities in question, some backup requirements (with backups tested in a specified manner)... what else?
Most of the attacks are hitting ones that don't meet even these low standards, so even if you were right and it disincentivized those already doing 2FA from doing better, it would significantly reduce the successful attacks on healthcare/hospital systems.
Providing they don't allow SMS as the second factor.
Thing is, there already are minimum security standards in place. It's called HIPAA, I believe the article covers it.
Not sure what adding a second set of what would be the same standards is supposed to accomplish. Maybe to signify they are super serious for real about them this time.
HIPAA only covers specific data (SSN), specific use cases (identification), in specific places (health care).
There were incidents where hospitals had tracking pixels on their websites, seemingly nothing "wrong" according to HIPAA, generally speaking.
There’s also everyone and their dog storing all sorts of information they really should have no business storing (insurance companies….) - SSN should never be written down, but if it is… let’s just put **** on the client side and clear text it all the way. Same with most other information.
They should mandate PII to be treated the same as credit card numbers / PINs - maybe a bit harsh, but easier to just have two very obvious choices than this grey area everyone treats security with: I don’t care if you get hacked if you don’t store any of my information / if you have to store it, it’s encrypted.
So the security will only be as good as the security of whatever is chosen for MFA. SIM swapping and SMS interception aren't common, but unless the mobile service providers are going to get regulated and audited on the security of their products/services the healthcare regs are almost a waste of time. Ditto email, dongles, etc. Security happens in layers and all the layers need to be regulated. When I worked in aerospace our site was preparing for List-X. Top of the list of our first audit was that we had too many doors into the building. Not doors from the street but doors from the employee car park, which was inside the site security fence and which you couldn't get into without a pass.
They'd rather someone who hops the fence not be able to actually be inside the security perimeter. I'd guess our beady-eyed friends would be fine with a sally port, but then you have to potentially staff it locally rather than being remotely monitored from your security desk, and they do like to trap people inside.
We are now more than seven years since NIST updated their recommendations regarding password management. Based on my sample of slightly more than 100 health care providers and insurance companies, approximately 0 have updated their policies to match.
Those recommendations have been, IMHO, the bare minimum for six years now.
NIST appears to be taking its sweet time. They haven't posted the slides and recording from the last 800-63 webinar (August 2024), and they opened a second round of comments for issues that could easily be left to an addendum later and certainly shouldn't justify delaying the changes from being finalized (especially the explicit ban on periodic password rotation).
Icon for what needs to be done to whomever came up with the idea of periodic password rotation in the first place and the people who've kept it going in the US government even though we've known as long as information security classification has existed that if you don't want the password on a Post-It note underneath the keyboard, it needs to be memorized. In Minecraft.