Hack Back Fever

Posted by: Julia Annaloro      Date: October 17, 2017

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

TLP White

Welcome back to Hacking Healthcare! You will now be seeing us at a regularly scheduled time – every Tuesday morning.


Hot Links –

  1. Hack Back Fever – A bipartisan bill was introduced in the House last week which, if passed, would enable companies to take action against cyber attackers. The bill would amend the Computer Fraud and Abuse Act to prohibit prosecution of network defenders who act outside of their networks to disrupt ongoing attacks or conduct reconnaissance for purposes of attribution or network defense. The bill would require that an organization notify the FBI before taking any action – a time lag which may limit the effectiveness of disruptive defensive operations. And it would only enable defensive measures against infrastructure located in the United States (which law enforcement already can take action against). If a U.S. person (or their computers) were harmed during a hack-back, the bill would enable private action to seek damages.


There are also portions of the bill that clarify the legality of beaconing implants that might help establish attribution. This seems like firmer ground to start on as we better develop standards for attribution and increase law enforcement capacity in the U.S. and overseas.


Interoperability, Medical Device and HPH SCC

Posted by: Julia Annaloro      Date: October 12, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.


Welcome back to Hacking Healthcare!

Hot Links –

  1. Securing interoperability – ONC goes “hackathon” in their approach to secure technology development to support interoperability. The office will host a two-part competition to encourage the development of secure servers and APIs to support integration of the FHIR standard. One novel approach – they’re also awarding prizes to security researchers who find flaws in the FHIR submissions. Here’s hoping that this sort of initiative starts to bring the security community into closer contact with EHR developers.


  2. All aboard the medical device train – Another bill from Congress – this one from the House – is seeking to legislate security of medical devices. This bill would require FDA and NIST to form a working group to study and report on the various security frameworks and underlying security standards that are relevant to medical devices. If this were to be conferenced and combined with the Senate bill introduced in August, the result would be a comprehensive shift in how the government regulates the security of medical devices. The Senate bill looked to increase transparency through disclosure of security methods by manufacturers, as well as requiring continued free manufacturer support of devices.


  3. Coordinating Council appoints Greg Garcia as Executive Director – Greg has been around the block in this space – previously leading the financial services coordinating council. This is a good get for the sector and a signal that leadership is serious about the cyber threat. As Terry Rice (Merck CISO) says – “the healthcare sector is at an inflection point…” We’ll look to sit down with Greg in coming weeks and report back on his priorities to lead the sector forward.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.



Exercise Exercise Exercise

Posted by: Julia Annaloro      Date: September 28, 2017

Policy Analysis –

This past week, NH-ISAC announced the launch of a new tabletop exercise – Cyber Outbreak.

Cyber Outbreak will test the sector’s ability to respond to cyber-threats, share information, and maintain resilience during attacks against critical infrastructure. To do this we will hold regular tabletops over the next year that evaluate threats against different sub-sectors. The exercises will initially just include members of NH-ISAC, but will likely expand to include organizations from other interconnected sectors as well as the Government.

The first exercise in the series will be held on November 27, as the NH-ISAC Fall Summit gets underway in Scottsdale, Arizona. The scenario for the first exercise will be derived from the experiences and lessons learned during the “WannaCry” and “NotPetya” attacks. We will test information sharing capabilities between health care organizations as well as other sector-wide response capabilities.

If you’d like to participate in the kick-off exercise, please register here.

Hot Links

The Office of the National Coordinator for Health Information Technology at HHS dropped some big news last week, loosening testing and certification requirements.

First, they reduced the requirements on third party testing – organizations will now be able to “self-declare” certification on 30 of 55 certifications that are required. Second, ONC indicated they would not enforce the requirement for third party testing companies to conduct randomized surveillance on certified health IT products and services.

Having a list of government approved certification companies may not have been the most efficient way to tackle security auditing, but it’s not like the sector has proved so adept at defending itself. The test of whether this approach works will be if and how enforcement actions take place when a self-declaring certification is exploited.

Read full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_NH-ISAC_Public_092617.pdf


September 21 – Hurricane Response

Posted by: Julia Annaloro      Date: September 21, 2017

Policy Analysis – 

This week, we are going to look at NH-ISAC’s work to support the sector in maintaining resiliency during hurricane season. Ed Brennan, the Director of Operations at NH-ISAC, filled me in on his work leading the ISAC’s hurricane response efforts in recent weeks.

First let’s start with the overall structure that guides response. FEMA leads planning and response to national level emergencies within the federal government. The Stafford Act gives FEMA certain broad authorities to coordinate activities and deploy federal resources when certain conditions are met – most notably when the president declares a major disaster or emergency.

When a disaster is declared, FEMA’s work is guided by the National Response Framework (NRF). The NRF is the policy and planning document that identifies roles and responsibilities, establishes coordinating structures, and assigns tasks and actions.

The NRF assigns HHS as the coordinator for Emergency Support Function 8 (ESF-8), which is public health and medical services. In this role, HHS coordinates (as they have done in response to Harvey and Irma) the medical response by deploying public health assets and capabilities and working with private sector partners to maintain health resiliency in an impacted region. In addition, HHS (through their Security Operations Center) supports preparation, mitigation, response, and recovery through Healthcare and Public Health Sector calls. These calls bring together public and private sector organizations to resolve unmet needs and aid recovery.

NH-ISAC is engaged in all aspects of disaster planning, response, and recovery, despite not being formally named in the National Response Framework. As the officially designated ISAC for the health care and public health sector, NH-ISAC supports HHS and its mission as well as the efforts of all sector organizations.

During this hurricane season, Ed has regularly joined the FEMA/HHS led planning, response, and recovery calls. He represents the ISAC in what would be akin to an “Emergency Manager” role under the NRF structure, but his primary role is to maintain situational awareness and readiness, and step in to support the sector or lead federal agencies if asked. Ed serves as a conduit for members to engage the government.

Within its own mission, NH-ISAC has sought to support the sector’s cyber-resiliency through the impact of the hurricanes. Ed has been tracking and distributing information on the rise of internet-based scams that target individuals and organizations impacted by the storms. NH-ISAC has put out a bulletin as has US-CERT – both are worth reviewing and sharing within your organizations as you feel are appropriate.

This is Ed’s top recommendation to members – be aware of the cascading hazards that can arise out of a disaster event and engage in information sharing to stay informed and help warn others. He also recommends making sure that you have business continuity plans in place that have identified key points of contact in the national coordinating structure, including the local ESF-8 contact in your region.

Read Full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_NH-ISAC_092017.pdf


September 14 – How a Bill Becomes a Law

Posted by: Julia Annaloro      Date: September 14, 2017
TLP White

Policy Analysis – 

After years of debate (or at least threat of debate) on a Federal data breach notification law, Congress has approached the subject with a new sense of energy in the wake of the Equifax breach. The breach, which may have exposed PII of 143 million Americans, is most notable for how poorly the company handled the announcement and response. It announced the breach nearly 2 months after discovery and provided unclear, unhelpful, and potentially deceptive notification to those potentially involved. Otherwise, it was just another ho-hum theft of nearly half the country’s PII that occurred as the result of unpatched, known vulnerabilities in poorly architected legacy systems.

So what is Congress going to do about it?

Well, they will hold a few hearings and demand answers with feigned outrage. We’ve seen this before, but it has not led to meaningful reform of breach notification or the legal and economic structure that facilitates the lax approach to security we saw at Equifax. There’s not much reason to think this breach will elicit a different response from Washington. But it is worth noting that the White House has said they will look into new regulations to protect consumers from the impact of such breaches.

Federal Data Breach Notification – Back in 2011 and then again in 2015, the Obama Administration put forward legislative proposals to create a Federal data breach notification standard. These proposals were constructed so as not to “pre-empt” the 47 state laws (good comparison tool here) already in place, or specific industry regulations. As a result, the scope was pretty narrow, which was viewed as the only way to get a law passed. But even such a limited Federal approach didn’t make any headway in Congress, despite a series of large scale breaches. Various bills from different Congressional committees have been introduced since, but none have made serious progress towards becoming law.

Read Full Blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_NH-ISAC_091217_public.pdf


September 6 – Government’s Cyber Mission: Overview PT 2

Posted by: Julia Annaloro      Date: September 06, 2017
TLP White

Policy Analysis – Who does what (pt. 2)

This week we will wrap up our review of different federal agencies with a cybersecurity mission. Last week we looked at how DHS and FBI work to protect and support U.S. interests in the face of cyber-threats. Today we will look at HHS’s role as well as the other agencies that contribute legal authorities and cyber-capabilities to the U.S. government’s “defensive” cyber-mission. We will also do a quick overview of the agencies responsible for the government’s “offensive” activities in cyber-space and give you a sense of the doctrine that helps determine how it is applied.

HHS has three cybersecurity missions that have been authorized and funded by Congress – defend its own networks and data; support the health care sector; develop and enforce regulations. The new Health Cybersecurity and Communications Center (HCCIC) has a role to play in executing responsibilities in line with all three mission areas. As we described in a previous edition of the newsletter, the HCCIC will serve to integrate SOC functions across the different HHS bureaus, lend health sector specific expertise to threat intelligence analysis at the six cyber centers (specifically the NCCIC), and inform the long-term development of regulatory policy to reflect the nature of the cyber threat against the healthcare sector.

Planning for public health emergencies is conducted within HHS by the Assistant Secretary for Preparedness and Response (ASPR), who is also responsible for carrying out the role of “sector-specific agency.” The role of a sector specific agency (created under PPD-21) is to support the resiliency of the health care sector from within the federal government. This includes lending sector relevant expertise to other agencies around the government, such as DHS, the FBI, or the intelligence community, as well as serving as an interface between the government and private sector personnel during both steady-state and incident response.

HHS’ regulatory authorities sit within a few different offices – the Office of Civil Rights (OCR) and the Food and Drug Administration (FDA), as well as the Office of the National Coordinator for health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS). Congress gave OCR the authority to implement and enforce HIPAA, which sets expectations for how health organizations protect patient information. FDA sets the regulations with which medical devices must comply and has issued both pre- and post-market guidance for the cybersecurity of medical devices. ONC and CMS are not regulators in the traditional sense, but both oversee federal subsidy programs and set “regulatory” requirements that health care organizations must meet in order to receive benefits. ONC (for “Meaningful Use”) and CMS (for Medicare/Medicaid) both expect participants to appropriately manage cyber risks.

Read full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_NH-ISAC_090517_public.pdf


August 30 – Government’s Cyber Mission: An Overview PT 1

Posted by: Julia Annaloro      Date: August 30, 2017
TLP White

Policy Analysis – Who does what

After looking at the roles and responsibilities of different Federal agencies during incident response, we thought it might help to step back and provide an overview of the agencies themselves and the cyber capabilities and authorities they each possess.

You can break down the government’s cyber mission into defensive and offensive authorities and responsibilities. Most of the funding and attention is directed towards defensive capabilities, and as such, that’s what we’ll focus on here.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_082917_public.pdf


August 23 – Cyber Breach Response

Posted by: Julia Annaloro      Date: August 23, 2017
TLP White

Policy Analysis –

Last week, we looked at how the federal government organizes itself to support critical infrastructure in responding to significant cyber incidents that threaten national security. Today we will focus on the regulatory expectations for health care organizations responding to a cyber breach.

The primary federal regulator in this space is HHS’s Office of Civil Rights (OCR), which has responsibility for administering the Health Insurance Portability and Accountability Act (HIPAA). To implement its authorities under HIPAA, OCR published the HIPAA Security Rule (first proposed in 1998, finalized in 2003). The Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” This includes considerations for not only how to protect information, but also how to respond and recover from incidents that may compromise protected health information.

When an incident occurs, OCR is unequivocal in saying that a covered entity “must execute its response and mitigation procedures and contingency plans.” The clear message is that a health care organization should first worry about defending its own systems and mitigating the threat. Only after an incident is under control should it begin considering regulatory reporting requirements. After all, HIPAA gives an entity up to 60 days after discovery to report a breach. If a health care organization has considered HIPAA expectations in advance, incident response should occur in a way that is easy to document and present to regulators if PHI is compromised and an investigation is conducted later.

As part of their incident response procedures, health care entities should also have a mechanism for reporting the incident to law enforcement agencies. Notifying law enforcement of an incident will enable a criminal investigation that can lead to the arrest and prosecution of those responsible, but it can also get your incident into the process set forth in PPD-41 and described last week. Law enforcement may also provide helpful network defense information if the incident is part of a larger campaign that they are already investigating.

Sharing information through NH-ISAC should also be part of your response plans. Actively sharing information informs your network defense, as well as enabling others in the sector to defend against similar threats. And sharing with NH-ISAC enables the sector to coordinate its response to campaigns or widespread attacks, freeing you to focus on your own enterprise. It is important to note that NH-ISAC does not share any cyber-threat indicators or incident information with OCR or other federal regulators.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_082317_public.docx


August 15, 2017 – Federal Government Incident Response

Posted by: Julia Annaloro      Date: August 18, 2017

TLP White

Policy Analysis –

This week, we will look at incident response policy. After all, August seems like a good month to revisit incident response plans. This will be the first stage in a multi-part series – today we will lay the groundwork by reviewing how the federal government organizes itself to support cyber incidents that impact critical infrastructure. In future weeks, we will look at regulatory requirements under HIPAA and other statutes, as well as more closely examine the role NH-ISAC plays in incident response within the health care industry.

In 2016, the federal government released a policy to formalize incident response processes. Presidential Policy Directive 41: United States Cyber Incident Coordination (PPD-41, for short) established a definition of cyber incidents, committed the government to core principles, defined different lines of effort, and created new coordinating structures.

To help clarify roles and responsibilities, the government came up with the concept of “concurrent lines of effort,” which would all be activated when responding to a significant cyber incident. Threat response (led by the FBI) is the work done to mitigate the threat, whether it be through law enforcement or disruptive operations. Asset response (led by DHS) focuses on defending IT assets and restoring services. This can involve sending technical staff to organizations that have been hacked, as well as analyzing and sharing information to limit impact within a firm or across a sector or region. Intelligence support (led by ODNI) includes building and sharing awareness of the threat. Business response is a fourth line of effort that is the responsibility of the victim of the attack. In the case of an attack against critical infrastructure, the agency responsible for the relevant sector will be responsible for serving as the federal coordinator with that entity. In the case of the healthcare sector, that’s HHS.

When a significant cyber incident occurs, two coordinating structures are automatically established. At the base level, a field-level coordination group will be established by the federal personnel that are in communication with a private entity. This is meant to enable a single federal voice and prevent confusion. A level up from the field, a Unified Coordination Group (UCG) will be formed. This will include senior cybersecurity officials from the agencies leading each line of response, as well as representatives from other required agencies. The CIO or CISO of a victim company, or the leadership of a relevant sector ISAC, might be invited to join this group.

If the UCG deems it necessary (or cabinet officials decide to intervene), a Cyber Response Group (CRG) will be formed to lead coordination out of the White House. The CRG is technically chaired by the President’s Homeland Security Council (currently Tom Bossert), but leadership may be deferred to the NSC Cyber Coordinator (currently Rob Joyce). This group is charged with ensuring that any risk to national security is fully considered and that necessary resources are deployed.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_081517_public_v2.docx



August 9, 2017 – The NICE Framework

Posted by: Julia Annaloro      Date: August 09, 2017

Policy Analysis –

On Monday, the National Institute of Standards and Technology published a cybersecurity workforce framework (SP 800-181). The NICE framework (as we’ll call it to differentiate it from the NIST Cybersecurity Framework) is designed to enable a “common, consistent lexicon” for cybersecurity work within organizations and across sectors and the economy. The release of the NICE framework comes after nearly a decade of work by NICE – the National Initiative for Cybersecurity Education, a public-private program housed within NIST.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_080917_public.pdf
