The US National Credit Union Association (NCUA) has made changes to its cyberincident notification requirements, stating that all federally insured credit unions must notify the NCUA of any cyberincident within 72 hours of detection. The amendment, which also applies to third-party incidents, will come into effect on September 1. In preparation for the implementation of the new rule, the NCUA recommends that covered entities update their response plans, review contracts with critical service providers, and educate employees on the new response process. It is also important for organizations to regularly monitor and review their response plans to ensure they remain effective, and to document all cyberincidents for reporting purposes.
The amendment is a significant development in cybersecurity regulations for credit unions. By requiring notification within a specific timeframe, the NCUA aims to address the growing threat of cyberattacks and improve incident response. Tom Kellermann, the SVP of cyber strategy at Contrast Security, emphasized the importance of the first 72 hours in preventing further damage caused by cybercriminals. He also praised the inclusion of third-party incidents in the notification requirements, as many banks are targeted due to the compromise of shared service providers.
In recent years, healthcare institutions have become increasingly targeted by ransomware attackers. These attackers exploit hospitals’ need to resume critical services, putting pressure on administrators to meet ransom demands. To counter this threat, the Advanced Research Projects Agency for Health (Arpa-H), a research agency established by the US Department of Health and Human Services, has launched the Digital Health Security Project.
Known as “Digiheals,” this project focuses on supporting cybersecurity tools that will help defend digital systems in the healthcare sector. The initiative calls on researchers and technologists to submit proposals for cybersecurity technology for healthcare systems, hospitals, clinics, and health-related devices. The goal is to make significant and equitable progress in protecting the medical sector from cyber threats.
Andrew Carney, the program manager for Digiheals, highlighted the need for rapid progress in cybersecurity. The aim is to develop solutions that are not only effective but also accessible to all healthcare facilities, regardless of their IT staff or security budget. The project will accept proposals until September 7 and is willing to consider submissions that miss the deadline or that may not initially seem like an obvious fit. The ultimate goal is to bridge the technical gap in protecting medical facilities from emerging cyber threats and safeguard patient privacy, safety, and lives.
The Digiheals project comes at a crucial time when the US healthcare system urgently requires stronger cybersecurity capabilities. Off-the-shelf software tools often fall short in detecting and protecting against emerging threats, leaving medical facilities vulnerable to cyberattacks. The initiative seeks to address this gap and ensure that healthcare institutions have the necessary tools to defend against cyber threats.
Both the NCUA’s changes to cyberincident notification requirements and the launch of the Digiheals project demonstrate the growing recognition of the severity and frequency of cyberattacks. These developments aim to strengthen cybersecurity measures in the financial and healthcare sectors and protect institutions from potentially devastating cyber incidents. It is crucial for organizations to comply with the new rules and actively participate in initiatives like Digiheals to bolster their cybersecurity defenses and safeguard their operations.