NTSC Technology Security Roundup

Weekly News Roundup: April 24, 2017

Department of Energy Presents Findings of December 2016 Energy Infrastructure Cyber Incident Exercise

In December 2016, the Department of Energy conducted an exercise called Liberty Eclipse that tested the response of federal agencies and the private sector to a major energy infrastructure cyber incident. The exercise simulated a massive power outage affecting 37 million people in the Northeast. Key findings from the exercise included noting a lack of coordination between the government and the private sector, concerns about information sharing, and challenges about keeping the public informed in the wake of such an incident.

Healthcare Information and Management Systems Society (HIMSS) Offers Areas of Improvement for NIST Cybersecurity Framework

In a letter to NIST, the Healthcare Information and Management Systems Society (HIMSS) offered areas of improvement to the NIST Cybersecurity Framework. Areas addressed included cyber supply chain risk management (SCRM), asset lifecycle and management, insider threat management, and holistic cybersecurity. Concerning cyber SCRM, HIMSS stated, “…both care providers and public health leaders have great concerns with respect to the medical device supply chain, given the potentially significant risk to patient safety. Accordingly, HIMSS recommends that the Framework provide more granular detail on the “how” and “why” of SCRM, to include a relevant context of insider threat detection and management.”

Health and Human Services Department Starting Center to Help with Mobile Cybersecurity

According to Federal News Radio, the Department of Health and Human Services is starting a new center that works similarly to the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). The Health Cybersecurity and Communications Integration Center (HCCIC) will “educate health organizations and consumers about the risks of using mobile applications and data.” The center is expected to “achieve initial operating capability” by June 2017.

Colorado Becomes Next State to Seek Adoption of Cybersecurity Requirements for Financial Services

Colorado—through the Colorado Department of Regulatory Agencies and by amending the Colorado Securities Act—will seek to adopt cybersecurity requirements for the financial services industry. This action follows New York State’s adoption of similar requirements that took effect in March and suggests that further states will act on this issue. According to Robinson+Cole’s Data Privacy + Security Insider, “Although the requirements are arguably not as stringent as New York’s, the theme is similar, in that the entities would be required to conduct an annual cybersecurity risk assessment, implement policies and procedures to address the use of encryption, authentication of clients and employees, access controls, and disclosures to clients of the risk of using electronic communications.”

Accenture Report Notes Lack of Real-World Testing Hurting Banks’ Cybersecurity

A recent Accenture report, Building Confidence: Solving Banking’s Cybersecurity Conundrum, notes that banks are confident about their cybersecurity capabilities but lack real-world testing. That lack leaves gaps in their cybersecurity defenses. According to the report, “Pressure-testing company defenses can help leaders understand whether they can withstand a targeted, focused attack. Organizations can engage a ‘red team’ in sparring matches with their cybersecurity people and systems to assess preparedness and response effectiveness.”