Security Leftovers
-
Secure software development insights from The Linux Foundation
The Linux Foundation published a new report, Maintainer Perspectives on Open Source Software Security, based on a survey of OSS maintainers and core contributors, to understand perspectives on OSS security and the uptake and adoption of security best practices by maintainers, core contributors, end users, and other members of the OSS ecosystem.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
-
Nextgov ☛ Proposed contractor cyber reporting rule sets a ‘significantly problematic’ bar, industry groups say
Cybersecurity and technology trade groups are urging agencies to rethink a proposed measure that would intensify requirements for federal contractors when they report cybersecurity incidents, arguing they are inconsistent with other cyber regulations and demand too much from contracted firms targeted in cyberattacks.
The proposed rule from the Pentagon, GSA and NASA — the agency trio that jointly issues policy measures tied to the Federal Acquisition Regulation — would, among other things, require contractors to develop a Software Bill of Materials — or SBOM — for all software used when performing contracting tasks, as well as notify the Department of Homeland Security of a security incident within eight hours of its discovery.
-
Millions at risk of fraud after massive health data hack in France
Millions of people are at risk of fraud after a data breach at a company that manages the third-party payments for 84 top-up insurance providers.
Viamedis, whose systems manage the third-party payments for over 20 million people, announced the data breach on February 2. Its clients include Carte Blanche Partenaires, Itelis, Kalixia and Santéclair among many others.
“To date, we do not know precisely how many people have been affected, the matter is still under investigation,” Viamedis CEO Christophe Candé told AFP.
-
Hamilton’s Paramedic Service mistakenly sent patient info to wrong hospitals
The Hamilton Paramedic Service says it has been mistakenly sending the personal information of some of its patients to the wrong hospital.
Over the last four years, according to the municipal healthcare service, some paramedics have accidentally selected the incorrect hospital when submitting a patient’s records in correspondence to where they were being transported.
An out-of-city hospital flagged the issue in late October after they received patient records for someone who wasn’t in their care.
-
US Dept Of Health and Human Services ☛ HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City, for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR is responsible for administering and enforcing health information privacy, including enforcement of the HIPAA Privacy, Security, and Breach Notification Rules for the health care sector. OCR plays a unique role in serving as the agency at HHS that enforces federal civil rights, privacy and security laws in health care. HIPAA requires that health care providers, insurers and others take steps to protect the privacy and security of patients’ protected health information. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by Montefiore Medical Center relating to data security failures by Montefiore that led to an employee stealing and selling patients’ protected health information over a six-month period.
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR is responsible for administering and enforcing health information privacy, including enforcement of the HIPAA Privacy, Security, and Breach Notification Rules for the health care sector. OCR plays a unique role in serving as the agency at HHS that enforces federal civil rights, privacy and security laws in health care. HIPAA requires that health care providers, insurers and others take steps to protect the privacy and security of patients’ protected health information. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by Montefiore Medical Center relating to data security failures by Montefiore that led to an employee stealing and selling patients’ protected health information over a six-month period.