2018 cybersecurity projections are in!

Posted by: Julia      Date: December 12, 2017

TLP White

This week’s NH-ISAC Hacking Healthcare:


Hot Links –

  1. New NIST Draft – NIST published[1] a “second draft of the proposed update” to its Cybersecurity Framework last week. Your comments are due to NIST by January 19, 2018.

A quick history lesson — the original Framework was released in February 2014. In winter 2015 and spring of 2016, NIST solicited feedback on the original version. In January of this year, they released a “first draft” of version 1.1.

This “second draft” incorporates comments submitted over the last year to that first draft.

The big changes are:

  • The inclusion of a robust new category in the “Identify” function around Supply Chain Risk Management.
  • New subcategories in Prevent-Access Control (PR.AC-6, 7) related to identity proofing and credential management, as well as device authentication.
  • A new subcategory (PR.DS-8) in Prevent-Data Security for verifying hardware integrity.
  • A new subcategory (PR.PT-5) in Prevent-Protective Technology that focuses on increasing system availability.
  • A new subcategory (RS.AN-5) in Respond-Analysis that addresses vulnerability disclosure and management.
  • A number of new reference standards, primarily from CIS and COBIT.
  • A refocusing of section 4 as “Self-Assessing Cybersecurity Risk with the Framework” which “better emphasize[s] how organizations might use the Framework to measure their risk”, as Mike Barret of NIST has put it.[2]

[1] https://www.nist.gov/cybersecurity-framework/cybersecurity-framework-draft-version-11

[2] https://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579?piddl_msgid=330189#msg_330189

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:


NH-ISAC Fall Summit Recap and DMARC

Posted by: Julia      Date: December 05, 2017

TLP White

Fall Summit recall on this week’s Hacking Healthcare:


  1. Last week was the NH-ISAC Fall Summit in Scottsdale, Arizona. What a great week in the desert sun. Here’s a couple of highlights:

ZDOGGMD delivered a powerhouse keynote – full of humor and insight. His message refocused the group on the purpose of the healthcare industry – helping people. He talked about his vision for a compassion-driven approach that unites patients, doctors, and technology to deliver better results. You can check out more of his stuff here: http://zdoggmd.com/

Included in the other presentations was a full track dedicated to medical devices. This is the fourth summit with a medical device specific track, and it continues to grow in size and scope. This year saw presentations around regulatory policy in both China and the U.S., including an appearance from Suzanne Schwartz of the FDA.

The conference also saw the launch of the new Cyber Outbreak tabletop exercise series. On Monday afternoon, 45 participants and observers joined the three hour exercise. We plan on holding many more exercises at future Summits and throughout the year.

  1. Now is the time for DMARC – Using DMARC, a protocol for improving email authentication, is a widely accepted, but chronically under-deployed best practice for securing email exchanges. It helps to cut down on spear-phishing, one of the most prevalent vectors for cyber-crime. DMARC is easy to implement and is supported by all the major email providers.

Adoption of DMARC is particularly beneficial in the healthcare sector – 57 percent of all email claiming to be FROM healthcare organizations is actually fraudulent. Despite its benefit, 98 percent of healthcare organizations are not utilizing DMARC protocols.[1]

NH-ISAC has joined a global challenge to increase the adoption of DMARC. The goal is to have members deploy DMARC in 90 days. This is inspired by DHS requiring all government agencies to begin implementing DMARC within 90 days.[2] Here’s a guide[3] on how you can take part.

[1] http://www.businesswire.com/news/home/20171128005546/en/Fifty-Seven-Percent-Email-%E2%80%9CFrom%E2%80%9D-Healthcare-Industry-Fraudulent

[2] [BOD 18-01] https://cyber.dhs.gov/

[3] https://www.globalcyberalliance.org/90-days-to-dmarc-a-global-cyber-alliance-challenge.html

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:


Vulnerabilities, Bugs and Bounties

Posted by: Julia      Date: November 21, 2017

One man’s vulnerabilities are another man’s exploits: bugs: bounties – this week’s Hacking Healthcare:

TLP White

Hot Links –

  1. First, a little of our own cyber-hygiene: This past week, Ed Brennan, Ops Director at NH-ISAC, gave me a friendly reminder that embedding links in emails is NOT an NH-ISAC approved best practice! The idea being that malicious links may be foisted upon unsuspecting recipients.


We would like to set a good example here and prove that killing hyperlinks can help mitigate cyber-risk while being user friendly. So we will move to footnoting any linked articles or reports. We would also recommend that organizations go beyond this measure and move to whitelist applications (See: a NIST guide to that[1]) to further protect against hazardous web-browsing and link clicking. Let us know how you get on with this or if you have recommendations on secure user-friendly practices.

  1. Vulnerabilities under review: This past week, Rob Joyce (White House Cyber Czar) publicly released[2] a newly revised process[3] by which the government decides whether to disclose computer vulnerabilities that it discovers. Known as the Vulnerability Equities Process, the new charter is most notable for the fact that it is now public.

The long shadow of public distrust cast by the Snowden leaks should inform any analysis of this new policy. Some[4] will criticize the VEP charter as not going far enough. Many believe that the government should responsibly disclose all vulnerabilities discovered in commercial products. Others think a patch should be developed alongside exploits. These are worth discussion, though the distrust caused by Snowden (and the government’s messy response) tends to poison any clear-eyed debate about what approach best balances intelligence collection, disruptive cyber-operations, and national defense.

I applaud the release of the charter as a good faith effort to better engage citizens and critical infrastructure operators in the process of national cyber defense. Rather than bemoan its shortcomings, we should look at this as the starting point in a process. Informing the government as to why changes might be necessary is the role of critical infrastructure sectors.

At this point, it seems most important to focus any critique on the structural approach of the process. If the main purpose is to provide documented and accountable cost benefit analysis of any vulnerabilities, the data being analyzed and the people responsible for the analysis are of primary import.

The benefit of vulnerabilities is relatively easy to calculate – you point to intelligence collected or accesses gained. Quantifying the downside risk of unpatched vulnerabilities being exploited is more difficult. There is a probabilistic debate over likelihood that an adversary has discovered the vulnerability. One must also point to an adversary’s intent to utilize such a vulnerability against a certain target – it is difficult to accomplish explicit attribution of such intent.

But even more challenging is understanding the impact to critical infrastructure if a vulnerability is exploited. Many companies cannot tell you the impact within their own business if a certain technology were to be exploited. This becomes more challenging when applied on a national scale and without understanding of commercial technology deployments or network architectures. The government simply doesn’t have the data.

Yet the private sector is not invited to participate in the discussion. The “Equities Review Board,” which is established in the charter, is comprised of government agencies. The usual players are there from law enforcement and the intelligence community, as well as some civilian representatives such as the Departments of Commerce, Treasury, and Energy.

One important (and notable) admission from the government stakeholder group which determines the release of vulnerabilities – Health and Human Services. HHS does not have the historical involvement in national security that Treasury or Energy do (two sector specific agencies included in the process), but determining impact of vulnerabilities on the health sector seems squarely within their remit.

  1. Bugs – Speaking of vulnerabilities, bug bounties are becoming ever more popular. Hacker One[5] and Bugcrowd[6] have recently put out reports on the state of the bug bounty industry. The Hacker One report says that only 3 percent of its bounty programs are run by companies in the healthcare sector. Why is that?


Also of note – healthcare is at least twice as likely to be vulnerable to SQL injection as other industries in the study.


  1. More Bills! – This time “Bill of Materials.” Rep. Greg Walden (R-Oregon) recently sent a letter[7] to HHS asking that the Secretary convene a group this year[8] to implement one of the Healthcare Cybersecurity Task Force recommendations – ship medical devices with a Bill of Materials.

[1] <https://www.nist.gov/news-events/news/2015/11/nist-offers-guidance-using-technology-prevent-intrusions-malware >

[2] <https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do>

[3] <https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF>

[4] Schneier has a passionate take: <https://www.schneier.com/blog/archives/2017/11/new_white_house_1.html>

[5] < https://www.hackerone.com/resources/hacker-powered-security-report>

[6] < https://arstechnica.com/information-technology/2017/11/bugcrowd-unmasks-sort-of-hackers-to-cast-vulnerability-hunters-in-better-light/>

[7] < https://energycommerce.house.gov/wp-content/uploads/2017/11/20171116HHS.pdf>

[8] <https://healthitsecurity.com/news/healthcare-cybersecurity-threats-require-hhs-bill-of-materials>

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:


We’re Taking You to Court!

Posted by: Julia      Date: November 14, 2017

This week’s Hacking Healthcare:
TLP White

Hot Links –

1. Going to Court – CareFirst has been involved in a series of lawsuits related to data breaches that it disclosed in 2014 and 2015. On November 1, CareFirst filed a petition with the Supreme Court. If the Supreme Court hears the case, it will set precedent for corporate liability resulting from data breaches.

In question is how the court defines harm to individuals whose data has been exposed through a data breach. In August, an appeals court determined that plaintiffs only had to demonstrate “substantial risk” of injury through the improper disclosure of private information. By December 1, the Supreme Court will decide to hear the case.

2. The medical device Lifecycle – Suzanne Schwartz, FDA Associate Director for Science and Strategic Partnerships, has been on a media offensive in the last few weeks. First, here’s a blog that she put out at the end of October, emphasizing the need for manufacturers to consider the security of a device along its full lifecycle. She followed this up with a recent appearance on the Healthcare Info Security podcast this week. She discusses last year’s Postmarket Cybersecurity Guidance, in particular highlighting the policy shift that enables manufacturers to issue security patches without seeking re-certification from the FDA.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Life’s inevitabilities: bills, taxes, ransom

Posted by: Julia      Date: November 07, 2017

This week’s Hacking Healthcare:
TLP White

Hot Links –

1. Ransomware in 2018 – The Emergency Care Research Institute this week ranked ransomware as their top health technology hazard for 2018. This is probably unsurprising to most in the NH-ISAC community who have been dealing with the plague of ransomware for much of the last two years. The important acknowledgment is in the risk to patient safety that new ransomware attacks might pose. As we’ve seen, operational technology and medical devices are susceptible to ransomware and are being deliberately targeted. That’s my top threat for 2018 – IoT attacks that hold physical activity ransom.

2. HHS Cyber Bill – A bipartisan bill was introduced in the House last week that would give the HHS Secretary the authority to re-organize cybersecurity personnel. The bill would also require HHS to develop a plan that lays out its approach to coordinating within the department to address cybersecurity challenges. This would include regulatory (e.g., ONC, FDA, OCR) offices, as well as those offices charged with maintaining the resiliency of the sector against all hazards (i.e., ASPR). HHS would also have to report on how it secures its own systems. This bill is a step in the right direction – and consistent with HHS cyber task force recommendations – but needs funding attached to have more than marginal impact.

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:



“WannaCry and the [grim] Reaper”

Posted by: Julia      Date: October 31, 2017

TLP White

 Today we are digging into WannaCry and the [grim] Reaper. Enjoy, Hacking Healthcare:

Hot Links –

  1. 1. After-action on NHS WannaCry – The UK’s National Audit Office just concluded a review of NHS preparedness and response to WannaCry. The report finds no negative impacts on patient health and safety – some trusts had to reschedule appointments, 5 had to divert emergency visits to other hospitals, and a few trusts were able to continue receiving patients despite the impact of the incident knocking some systems offline.

NHS trusts were vulnerable to the attack due to poor patch management in Windows 7 systems and use of devices running XP. Unsurprisingly, those trusts that had absorbed the operations of other hospitals through mergers struggled with integrating patch management.

The government’s NHS Digital team had conducted on-sight inspections ahead of the attack (88 of 236 trusts had been inspected; none passed). In the inspections, NHS found that most hospitals had “not identified cybersecurity as a risk to patient outcomes, and had tended to overestimate their readiness to manage a cyber attack.”

The report also finds that there was not an effective system for NHS trusts to report the attack and its impact to the government. Despite NHS developing national incident response plans, they had never been tested at a local level.

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.


Don’t Poke the Bear and “Cyber Outbreak” TTX

Posted by: Julia      Date: October 24, 2017

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Welcome back to Hacking Healthcare!

TLP White


Hot Links –

  1. Don’t poke the Bear: DHS has warned critical infrastructure operators that Russian hackers are targeting U.S. critical infrastructure firms and looking for access to systems. Their goal: gain access to ICS/SCADA systems. While healthcare organizations have not been named as targets, it would be surprising to learn that the sector wasn’t part of the Russian strategic plan. It is worth being vigilant to the attack TTPs out of caution, especially given other reporting on Russian targeting of cyber experts. The approach has been to access small vendors with poor security via spear-phishing and watering hole attacks and then leveraging trusted access to move across networks to core targets.
  2. A different model for private sector support: An interesting report from ITIF that challenges the status quo for counterintelligence. The report places domestic cybersecurity as a subset of counterintelligence and looks at historical efforts by government to support the private sector with information and assistance. This goes back to FBI programs to prevent strategic industries during World War 2. It doesn’t offer a panacea for how to fix the issue, but helpful to develop a dialogue in this space. The intelligence community has identified private sector engagement as a weak spot, but leadership has yet to articulate a model for addressing the problem. Public-private exercises, like the Cyber Outbreak series NH-ISAC is launching at its fall summit may be one way to develop good ideas for pilots in this space.

Hack Back Fever

Posted by: Julia      Date: October 17, 2017

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

TLP White

Welcome back to Hacking Healthcare! You will now be seeing us at a regularly scheduled time – every Tuesday morning.


Hot Links –

  1. Hack Back Fever – A bipartisan bill was introduced in the House last week, which if passed would enable companies to take action against cyber attackers. The bill would amend the Computer Fraud and Abuse Act to prohibit prosecution against network defenders who act outside of their networks to disrupt ongoing attacks or conduct reconnaissance for purposes of attribution or network defense. The bill would require that an organization notify the FBI before taking any action – a time lag which may limit the effectiveness of disruptive defensive operations. And it would only enable defensive measures against infrastructure located in the United States (which law enforcement already can take action against). If a U.S. person (or their computers) were harmed during a hack-back, the bill would enable private action to seek damages.


There are also portions of the bill that clarify the legality of beaconing implants that might help establish attribution. This seems like firmer ground to start on as we better develop standards for attribution and increase law enforcement capacity in the U.S. and overseas.


Interoperability, Medical Device and HPH SCC

Posted by: Julia      Date: October 12, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.


Welcome back to Hacking Healthcare!

Hot Links –

  1. Securing interoperability – ONC goes “hackathon” in their approach to secure technology development to support interoperability. The office will host a two-part competition to encourage the development of secure servers and APIs to support integration of the FHIR standard. One novel approach – they’re also awarding prizes to security researchers who find flaws in the FHIR submissions. Here’s hoping that this sort of initiative starts to bring the security community into closer contact with EHR developers.


  1. All aboard the medical device train – Another bill from Congress – this one from the house – is seeking to legislate security of medical devices. This bill would require FDA and NIST to form a working group to study and report on the various security frameworks and underlying security standards that are relevant to medical devices. If this was to be conferenced and combined with the Senate bill introduced in August, the result would be a comprehensive shift in how the government regulates the security of medical devices. The Senate bill looked to increase transparency through disclosure of security methods by manufacturers, as well as requiring continued free manufacturer support of devices.


  1. Coordinating Council appoints Greg Garcia as Executive Director – Greg has been around the block in this space – previously leading the financial services coordinating council. This is a good get for the sector and a signal that leadership is serious about the cyber threat. As Terry Rice (Merck CISO) says – “the healthcare sector is at an inflection point…” We’ll look to sit down with Greg in coming weeks and report back on his priorities to lead the sector forward.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of NH-ISAC.


Major Hurricane Maria Report 2 October 2017 (1800z)

Posted by: Julia      Date: October 02, 2017
TLP White
This aggregated report summarizes activities and impacts as sourced by FEMA, DHS, NOAA and HHS.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Meteorological Quick Look.

    • With sustained winds of 155 mph at landfall — a strong Category 4 storm and nearly a Category 5 — Maria was so powerful that it disabled radar, weather stations and cell towers across Puerto Rico. The entire critical infrastructure impacts to that island are devastating.


    • Though the winds themselves were of catastrophic nature, the threat and hazard of inland flooding created a great concern.


    • The U.S. Virgin Islands had rainfall totals excessing 35 inches.


    • Greater than 50 % of the island of Puerto Rico experienced more than 15 inches of rainfall total. This hazard was made worst by the mountainous terrain and risk of landslides and severe flash flooding.


    • A note that as of Monday morning 2nd October, the Puerto Rican National Weather Service forecasts additional rain and flash flooding to an otherwise already devastated topography.


Overview of Meteorological Impact (Puerto Rico)

    • Maria’s strong winds spread large amounts of debris across the entire area. All full trees were leafless, and those that were not snapped or uprooted by Maria’s strong winds, lost medium to large branches. During the interview process, stories and images were particularly similar.


    • Most structures across island are built using concrete as the main material, countless homes and buildings sustained some type of structural damage. Structures without a concrete roof suffered some type of roof damage or it was completely blown off.


    • Nearly all commercial signage, fences, and canopies were destroyed, including large digital high definition billboards. The last time that Puerto Rico experienced a category 4 or higher hurricane was back on 1928 with Hurricane San Felipe II.


    • Floods were considered catastrophic, overwhelming and overflowing rivers and tributaries, medium to large scale mudslides and the extensive damage to structures, as well as roads and bridges.


    • Streamflow data from the U.S. Geological Survey showed that 53 out of 65 river gauges met or exceeded flood stage.


    • Among these rivers, 30 exceeded major flood stage while 13 reached or exceeded all-time record level.


    • Widespread river flooding was observed across the island, particularly along the southeastern, northern and western portions of Puerto Rico.


    • The situation was aggravated by flood water accumulation in low lying and poor drainage areas. Several water pumps failed, and as a result, vast areas were flooded by rain, sewage and sea water. Some areas severely affected within the Metro Area include Ocean Park, Santurce, Condado, Cataño and Loiza.


FEMA Activities

    • Officials in the U.S. Virgin Islands and Puerto Rico opened points of distribution (POD) in Puerto Rico and the U.S. Virgin Islands for survivors to get meals, water, and other commodities.


    • FEMA, working in coordination with federal partners, provided millions of meals and millions of liters of water to Puerto Rico and U.S. Virgin Islands. Additional meals and water continue to arrive to the islands daily via both air and sea.


    • As of October 1, the Governor of Puerto Rico established 11 Regional Staging Areas around the island, serving all 78 municipalities.


    • FEMA’s National Business Emergency Operations Center (NBEOC) is facilitating private sector requests for humanitarian relief. The NBEOC continues coordination between government and private sector organizations as the community responds to Hurricane Maria.


    • Mobile Emergency Response Support (MERS) communications assets and personnel continue to support the FEMA Incident Management Assistance Teams (IMAT), Urban Search and Rescue (US&R), National Disaster Medical System (NDMS), and other federal teams in Puerto Rico and the U.S. Virgin Islands. There are currently more than 30 MERS personnel in Puerto Rico and more than 20 MERS personnel in the U.S. Virgin Islands.


    • A U.S. Coast Guard (USCG) mobile communications team is in Puerto Rico to help improve communications across the storm-impacted area.


Healthcare and Public Health Status

    • The U.S. Department of Health and Human Services established seven temporary medical sites in Puerto Rico to aid local hospitals that are partially operational, and preparing to provide medical care.


    • The hospital sites are part of a three-tiered approach to supporting medical needs in Puerto Rico.


  1. – Providing medical staff working at a temporary medical site set up at Centro Medico to assist that emergency and trauma center;
  2. – Providing medical staff at temporary medical sites augmenting six hospitals in key locations across the territory
  3. – Maintaining contact with the remaining 61 hospitals to stay abreast of the supply and fuel needs.


    • Power is being restored to hospitals and all hospital assessments are complete. In Puerto Rico, 59 hospitals are operational to care for current patients or receiving patients with one hospital being fully operational. Power has been restored to nine hospitals. One Department of Veterans Affairs hospital is open and five are open for walk-ins.


    • FEMA reports the Royal Caribbean cruise ship departed September 29 for Ft. Lauderdale, transporting passengers from St. Croix, St. John, and St. Thomas; will arrive 03 Oct


    • The U.S. Department of Health and Human Services (HHS) reports more than 500 of its personnel remain engaged in Puerto Rico and USVI to address residents’ medical and public health needs


Puerto Rico


    • On 01 Oct, HHS reported 14 hospitals are on grid power (20 percent back on electric grid)


    • On 01 Oct, FEMA reported one hospital is fully operational, 62 hospitals remain degraded, and two are closed. There are four hospitals with unknown status. There are ten hospitals back on the electrical grid with intermittent generator support



    • FEMA reported the Schneider Regional Medical Center on St. Thomas and the Governor Juan Luis facility on St. Croix have been condemned


Communications Status

    • 75 of 78 municipalities (counties) have less than 20 % cell phone towers operational.


    • Broadcast radio has been largely restored with television restoration ongoing.


    • On 01 Oct, ESF-2 reports 280 satellite phones arrived in PR on 30 Sep and are being tested and distributed throughout the island.


    • MERS personnel continue to assess land mobile radio coverage to ensure all hospitals fall within coverage ranges; working to develop tracking by primary, alternate, contingency and emergency communications capabilities


    • Primary and alternate cover wireline and cellular capabilities provided by industry and commercial while contingency is being handled by high frequency armature radio relay lead (HF/ARRL) collaboration and emergency is the Land Mobile Radio (LMR) network.


    • SMS text messaging available to Iridium Satellite Phones


Dams Infrastructure Status

    • On 01 Oct, the U.S. Army Corps of Engineers completed 14 of 17 priority dam inspections


    • The Guajataca Dam spillway continues to erode and rainfall related inflows are increasing the elevation of the reservoir pool. Immediate risk reduction measures are ongoing to stabilize the dam spillway and clear outlet blockage


Puerto Rico

    • As of 1030 EDT on 01 Oct, the Department of Energy (DOE) reported at least five percent of Puerto Rico Electric Power Authority (PREPA) customers have had power restored. The airport, marine terminal, and several hospitals are also back on grid power


    • DLA is working with USACE, FEMA, and DOD to identify material and distribution requirements to support PR electrical grid rebuild efforts



    • On 01 Oct, FEMA reported the Northeast Public Power Association is transporting 40 crewmen and 29 trucks to support power restoration on St. Thomas and St. John; the date of arrival is yet to be determined


    • On Saturday afternoon, 30 Sep, DOE reported approximately 15 percent of customers on St. Thomas and 10 percent of customers on St. Croix have had powered restored, including critical facilities such as airports and hospitals.


    • On 30 Sep, FEMA reported the Virgin Islands Water and Power Authority (VIWAPA) expects to re-energize portions of Cruz Bay, St. Thomas between 09 Oct and 14 Oct


Transportation and Fuel Status

  • All commercial airports in Puerto Rico are operational. Recovery efforts are now supporting more than a dozen commercial passenger flights per day at Luis Munoz Marin International Airport in San Juan, Puerto Rico. Six hurricane relief flights, including military flights, are arriving at Luiz Munoz Marin International Airport (SJU) per day.
  • 26 chainsaw teams and one Incident Management Team (IMT) (23 individuals) from the Department of Agriculture’s United States Forest Service arrived in Puerto Rico Wednesday to conduct emergency road clearance and manage logistics.
  • A fourteen-person team from the U.S. Fish and Wildlife Service is supporting debris removal and tree clearance to help restore access to roads in Vieques.
  • The U.S. Army Corps of Engineers (USACE) debris experts are assisting FEMA with debris management strategies in Puerto Rico and U.S. Virgin Islands.
  • One of the first priorities is emergency route clearance in multiple locations to enable access to remote locations.


Water / Wastewater/ Waste Management System

    • The U.S. Virgin Islands Water and Power Authority drinking water system is back online and other drinking water systems on the islands are top priority for receiving generators. Additionally, the Concordia potable water pump station is online in St. Croix.
    • The U.S. Virgin Islands Water and Power Authority Waste Management, and USACE are addressing potential public health risks of garbage build up; coordinating route clearance of wires and poles to enable garbage haulers to access the St. Thomas landfill.
    • On 01 Oct, the EPA recommended the deployment of eight assessment teams of EPA and DOH staff beginning on Monday. The first assessment visits will be to the Non-PRASA systems in the Municipality of Cagua

******* End Report *******