2018 cybersecurity projections are in!

Posted by: Julia      Date: December 12, 2017

TLP White

This week’s NH-ISAC Hacking Healthcare:


Hot Links –

  1. New NIST Draft – NIST published[1] a “second draft of the proposed update” to its Cybersecurity Framework last week. Your comments are due to NIST by January 19, 2018.

A quick history lesson — the original Framework was released in February 2014. In winter 2015 and spring of 2016, NIST solicited feedback on the original version. In January of this year, they released a “first draft” of version 1.1.

This “second draft” incorporates comments submitted over the last year to that first draft.

The big changes are:

  • The inclusion of a robust new category in the “Identify” function around Supply Chain Risk Management.
  • New subcategories in Prevent-Access Control (PR.AC-6, 7) related to identity proofing and credential management, as well as device authentication.
  • A new subcategory (PR.DS-8) in Prevent-Data Security for verifying hardware integrity.
  • A new subcategory (PR.PT-5) in Prevent-Protective Technology that focuses on increasing system availability.
  • A new subcategory (RS.AN-5) in Respond-Analysis that addresses vulnerability disclosure and management.
  • A number of new reference standards, primarily from CIS and COBIT.
  • A refocusing of section 4 as “Self-Assessing Cybersecurity Risk with the Framework” which “better emphasize[s] how organizations might use the Framework to measure their risk”, as Mike Barret of NIST has put it.[2]

[1] https://www.nist.gov/cybersecurity-framework/cybersecurity-framework-draft-version-11

[2] https://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579?piddl_msgid=330189#msg_330189

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.


NH-ISAC Fall Summit Recap and DMARC

Posted by: Julia      Date: December 05, 2017

TLP White

Fall Summit recap on this week’s Hacking Healthcare:


  1. Last week was the NH-ISAC Fall Summit in Scottsdale, Arizona. What a great week in the desert sun. Here are a couple of highlights:

ZDOGGMD delivered a powerhouse keynote – full of humor and insight. His message refocused the group on the purpose of the healthcare industry – helping people. He talked about his vision for a compassion-driven approach that unites patients, doctors, and technology to deliver better results. You can check out more of his stuff here: http://zdoggmd.com/

Included in the other presentations was a full track dedicated to medical devices. This is the fourth summit with a medical device specific track, and it continues to grow in size and scope. This year saw presentations around regulatory policy in both China and the U.S., including an appearance from Suzanne Schwartz of the FDA.

The conference also saw the launch of the new Cyber Outbreak tabletop exercise series. On Monday afternoon, 45 participants and observers joined the three hour exercise. We plan on holding many more exercises at future Summits and throughout the year.

  2. Now is the time for DMARC – DMARC, a protocol for improving email authentication, is a widely accepted but chronically under-deployed best practice for securing email exchanges. It helps to cut down on spear-phishing, one of the most prevalent vectors for cyber-crime. DMARC is easy to implement and is supported by all the major email providers.

Adoption of DMARC is particularly beneficial in the healthcare sector – 57 percent of all email claiming to be FROM healthcare organizations is actually fraudulent. Despite its benefit, 98 percent of healthcare organizations are not utilizing DMARC protocols.[1]

NH-ISAC has joined a global challenge to increase the adoption of DMARC. The goal is to have members deploy DMARC in 90 days. This is inspired by DHS requiring all government agencies to begin implementing DMARC within 90 days.[2] Here’s a guide[3] on how you can take part.
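To make “deploying DMARC” concrete, here is an added example (not code from the newsletter or from the GCA challenge) that parses a domain’s `_dmarc` TXT record and grades its posture: no record at all, a monitor-only `p=none`, or an enforcing policy with reporting. The domain names and records are constructed placeholders.

```python
"""DMARC TXT record parser and posture check (RFC 7489 tag=value syntax).
Added example, not code from the NH-ISAC newsletter; sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    deployed: bool                  # a syntactically valid record exists
    policy: Optional[str] = None    # p= value for the organizational domain
    subdomain_policy: Optional[str] = None  # sp= value, defaults to p
    pct: int = 100                  # share of failing mail the policy applies to
    rua: List[str] = field(default_factory=list)      # aggregate report URIs
    errors: List[str] = field(default_factory=list)   # syntax faults
    warnings: List[str] = field(default_factory=list) # legal but weak settings


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Judge a domain's DMARC posture from its _dmarc TXT record (None if absent)."""
    if record is None:
        return DmarcAssessment(deployed=False, errors=["no DMARC record published"])
    try:
        tags = parse_dmarc_tags(record)
    except ValueError as exc:
        return DmarcAssessment(deployed=False, errors=[str(exc)])
    errors: List[str] = []
    warnings: List[str] = []
    # RFC 7489: 'v=DMARC1' must be the first tag and 'p' is mandatory.
    if not record.strip().lower().startswith("v=dmarc1"):
        errors.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        errors.append(f"missing or invalid p tag {policy!r}")
        policy = None
    sp = tags.get("sp", policy)  # subdomain policy inherits p when absent
    if sp is not None and sp not in VALID_POLICIES:
        errors.append(f"invalid sp tag {sp!r}")
    pct = 100
    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit() and int(pct_raw) <= 100:
        pct = int(pct_raw)
    else:
        errors.append(f"pct must be an integer 0-100, got {pct_raw!r}")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if policy == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        warnings.append(f"policy enforced on only {pct}% of failing mail")
    if not rua:
        warnings.append("no rua= address, so spoofing attempts go unreported")
    return DmarcAssessment(not errors, policy, sp, pct, rua, errors, warnings)


# Constructed records for three hypothetical domains (not real DNS lookups).
SAMPLE_RECORDS = {
    "absent.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
}
```

Feed it the TXT record you fetch for `_dmarc.<your-domain>`; a domain that returns `deployed=False` is in the “not utilizing DMARC” group, and one with a `p=none` warning is monitoring but not yet blocking spoofed mail.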

[1] http://www.businesswire.com/news/home/20171128005546/en/Fifty-Seven-Percent-Email-%E2%80%9CFrom%E2%80%9D-Healthcare-Industry-Fraudulent

[2] [BOD 18-01] https://cyber.dhs.gov/

[3] https://www.globalcyberalliance.org/90-days-to-dmarc-a-global-cyber-alliance-challenge.html


Vulnerabilities, Bugs and Bounties

Posted by: Julia      Date: November 21, 2017

One man’s vulnerabilities are another man’s exploits, plus bugs and bounties, on this week’s Hacking Healthcare:

TLP White

Hot Links –

  1. First, a little of our own cyber-hygiene: This past week, Ed Brennan, Ops Director at NH-ISAC, gave me a friendly reminder that embedding links in emails is NOT an NH-ISAC approved best practice! The idea being that malicious links may be foisted upon unsuspecting recipients.


We would like to set a good example here and prove that killing hyperlinks can help mitigate cyber-risk while being user friendly. So we will move to footnoting any linked articles or reports. We would also recommend that organizations go beyond this measure and move to whitelist applications (See: a NIST guide to that[1]) to further protect against hazardous web-browsing and link clicking. Let us know how you get on with this or if you have recommendations on secure user-friendly practices.

  2. Vulnerabilities under review: This past week, Rob Joyce (White House Cyber Czar) publicly released[2] a newly revised process[3] by which the government decides whether to disclose computer vulnerabilities that it discovers. Known as the Vulnerability Equities Process, the new charter is most notable for the fact that it is now public.

The long shadow of public distrust cast by the Snowden leaks should inform any analysis of this new policy. Some[4] will criticize the VEP charter as not going far enough. Many believe that the government should responsibly disclose all vulnerabilities discovered in commercial products. Others think a patch should be developed alongside exploits. These are worth discussion, though the distrust caused by Snowden (and the government’s messy response) tends to poison any clear-eyed debate about what approach best balances intelligence collection, disruptive cyber-operations, and national defense.

I applaud the release of the charter as a good faith effort to better engage citizens and critical infrastructure operators in the process of national cyber defense. Rather than bemoan its shortcomings, we should look at this as the starting point in a process. Informing the government as to why changes might be necessary is the role of critical infrastructure sectors.

At this point, it seems most important to focus any critique on the structural approach of the process. If the main purpose is to provide documented and accountable cost benefit analysis of any vulnerabilities, the data being analyzed and the people responsible for the analysis are of primary import.

The benefit of vulnerabilities is relatively easy to calculate – you point to intelligence collected or accesses gained. Quantifying the downside risk of unpatched vulnerabilities being exploited is more difficult. There is a probabilistic debate over likelihood that an adversary has discovered the vulnerability. One must also point to an adversary’s intent to utilize such a vulnerability against a certain target – it is difficult to accomplish explicit attribution of such intent.

But even more challenging is understanding the impact to critical infrastructure if a vulnerability is exploited. Many companies cannot tell you the impact within their own business if a certain technology were to be exploited. This becomes more challenging when applied on a national scale and without understanding of commercial technology deployments or network architectures. The government simply doesn’t have the data.

Yet the private sector is not invited to participate in the discussion. The “Equities Review Board,” which is established in the charter, is comprised of government agencies. The usual players are there from law enforcement and the intelligence community, as well as some civilian representatives such as the Departments of Commerce, Treasury, and Energy.

One important (and notable) omission from the government stakeholder group that determines the release of vulnerabilities is Health and Human Services. HHS does not have the historical involvement in national security that Treasury or Energy do (two sector-specific agencies included in the process), but determining the impact of vulnerabilities on the health sector seems squarely within its remit.

  3. Bugs – Speaking of vulnerabilities, bug bounties are becoming ever more popular. HackerOne[5] and Bugcrowd[6] have recently put out reports on the state of the bug bounty industry. The HackerOne report says that only 3 percent of its bounty programs are run by companies in the healthcare sector. Why is that?


Also of note – healthcare is at least twice as likely to be vulnerable to SQL injection as other industries in the study.


  4. More Bills! – This time “Bill of Materials.” Rep. Greg Walden (R-Oregon) recently sent a letter[7] to HHS asking that the Secretary convene a group this year[8] to implement one of the Healthcare Cybersecurity Task Force recommendations – ship medical devices with a Bill of Materials.

[1] https://www.nist.gov/news-events/news/2015/11/nist-offers-guidance-using-technology-prevent-intrusions-malware

[2] https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do

[3] https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF

[4] Schneier has a passionate take: https://www.schneier.com/blog/archives/2017/11/new_white_house_1.html

[5] https://www.hackerone.com/resources/hacker-powered-security-report

[6] https://arstechnica.com/information-technology/2017/11/bugcrowd-unmasks-sort-of-hackers-to-cast-vulnerability-hunters-in-better-light/

[7] https://energycommerce.house.gov/wp-content/uploads/2017/11/20171116HHS.pdf

[8] https://healthitsecurity.com/news/healthcare-cybersecurity-threats-require-hhs-bill-of-materials


We’re Taking You to Court!

Posted by: Julia      Date: November 14, 2017

This week’s Hacking Healthcare:
TLP White

Hot Links –

1. Going to Court – CareFirst has been involved in a series of lawsuits related to data breaches that it disclosed in 2014 and 2015. On November 1, CareFirst filed a petition with the Supreme Court. If the Supreme Court hears the case, it will set precedent for corporate liability resulting from data breaches.

In question is how the court defines harm to individuals whose data has been exposed through a data breach. In August, an appeals court determined that plaintiffs only had to demonstrate “substantial risk” of injury through the improper disclosure of private information. By December 1, the Supreme Court will decide to hear the case.

2. The medical device Lifecycle – Suzanne Schwartz, FDA Associate Director for Science and Strategic Partnerships, has been on a media offensive in the last few weeks. First, here’s a blog that she put out at the end of October, emphasizing the need for manufacturers to consider the security of a device along its full lifecycle. She followed this up with a recent appearance on the Healthcare Info Security podcast this week. She discusses last year’s Postmarket Cybersecurity Guidance, in particular highlighting the policy shift that enables manufacturers to issue security patches without seeking re-certification from the FDA.


Life’s inevitabilities: bills, taxes, ransom

Posted by: Julia      Date: November 07, 2017

This week’s Hacking Healthcare:
TLP White

Hot Links –

1. Ransomware in 2018 – The Emergency Care Research Institute this week ranked ransomware as their top health technology hazard for 2018. This is probably unsurprising to most in the NH-ISAC community who have been dealing with the plague of ransomware for much of the last two years. The important acknowledgment is in the risk to patient safety that new ransomware attacks might pose. As we’ve seen, operational technology and medical devices are susceptible to ransomware and are being deliberately targeted. That’s my top threat for 2018 – IoT attacks that hold physical activity ransom.

2. HHS Cyber Bill – A bipartisan bill was introduced in the House last week that would give the HHS Secretary the authority to re-organize cybersecurity personnel. The bill would also require HHS to develop a plan that lays out its approach to coordinating within the department to address cybersecurity challenges. This would include regulatory (e.g., ONC, FDA, OCR) offices, as well as those offices charged with maintaining the resiliency of the sector against all hazards (i.e., ASPR). HHS would also have to report on how it secures its own systems. This bill is a step in the right direction – and consistent with HHS cyber task force recommendations – but needs funding attached to have more than marginal impact.


“WannaCry and the [grim] Reaper”

Posted by: Julia      Date: October 31, 2017

TLP White

Today we are digging into WannaCry and the [grim] Reaper. Enjoy, Hacking Healthcare:

Hot Links –

  1. After-action on NHS WannaCry – The UK’s National Audit Office just concluded a review of NHS preparedness and response to WannaCry. The report finds no negative impacts on patient health and safety – some trusts had to reschedule appointments, 5 had to divert emergency visits to other hospitals, and a few trusts were able to continue receiving patients despite the impact of the incident knocking some systems offline.

NHS trusts were vulnerable to the attack due to poor patch management in Windows 7 systems and use of devices running XP. Unsurprisingly, those trusts that had absorbed the operations of other hospitals through mergers struggled with integrating patch management.

The government’s NHS Digital team had conducted on-site inspections ahead of the attack (88 of 236 trusts had been inspected; none passed). In the inspections, NHS found that most hospitals had “not identified cybersecurity as a risk to patient outcomes, and had tended to overestimate their readiness to manage a cyber attack.”

The report also finds that there was not an effective system for NHS trusts to report the attack and its impact to the government. Despite NHS developing national incident response plans, they had never been tested at a local level.


Don’t Poke the Bear and “Cyber Outbreak” TTX

Posted by: Julia      Date: October 24, 2017

Welcome back to Hacking Healthcare!

TLP White


Hot Links –

  1. Don’t poke the Bear: DHS has warned critical infrastructure operators that Russian hackers are targeting U.S. critical infrastructure firms and looking for access to systems. Their goal: gain access to ICS/SCADA systems. While healthcare organizations have not been named as targets, it would be surprising to learn that the sector wasn’t part of the Russian strategic plan. It is worth being vigilant to the attack TTPs out of caution, especially given other reporting on Russian targeting of cyber experts. The approach has been to access small vendors with poor security via spear-phishing and watering hole attacks and then leveraging trusted access to move across networks to core targets.
  2. A different model for private sector support: An interesting report from ITIF challenges the status quo for counterintelligence. The report places domestic cybersecurity as a subset of counterintelligence and looks at historical efforts by government to support the private sector with information and assistance. This goes back to FBI programs to protect strategic industries during World War 2. It doesn’t offer a panacea for how to fix the issue, but it is helpful for developing a dialogue in this space. The intelligence community has identified private sector engagement as a weak spot, but leadership has yet to articulate a model for addressing the problem. Public-private exercises, like the Cyber Outbreak series NH-ISAC is launching at its fall summit, may be one way to develop good ideas for pilots in this space.

Hack Back Fever

Posted by: Julia      Date: October 17, 2017

TLP White

Welcome back to Hacking Healthcare! You will now be seeing us at a regularly scheduled time – every Tuesday morning.


Hot Links –

  1. Hack Back Fever – A bipartisan bill was introduced in the House last week, which if passed would enable companies to take action against cyber attackers. The bill would amend the Computer Fraud and Abuse Act to prohibit prosecution against network defenders who act outside of their networks to disrupt ongoing attacks or conduct reconnaissance for purposes of attribution or network defense. The bill would require that an organization notify the FBI before taking any action – a time lag which may limit the effectiveness of disruptive defensive operations. And it would only enable defensive measures against infrastructure located in the United States (which law enforcement already can take action against). If a U.S. person (or their computers) were harmed during a hack-back, the bill would enable private action to seek damages.


There are also portions of the bill that clarify the legality of beaconing implants that might help establish attribution. This seems like firmer ground to start on as we better develop standards for attribution and increase law enforcement capacity in the U.S. and overseas.


Interoperability, Medical Device and HPH SCC

Posted by: Julia      Date: October 12, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.


Welcome back to Hacking Healthcare!

Hot Links –

  1. Securing interoperability – ONC goes “hackathon” in their approach to secure technology development to support interoperability. The office will host a two-part competition to encourage the development of secure servers and APIs to support integration of the FHIR standard. One novel approach – they’re also awarding prizes to security researchers who find flaws in the FHIR submissions. Here’s hoping that this sort of initiative starts to bring the security community into closer contact with EHR developers.


  2. All aboard the medical device train – Another bill from Congress – this one from the House – is seeking to legislate security of medical devices. This bill would require FDA and NIST to form a working group to study and report on the various security frameworks and underlying security standards that are relevant to medical devices. If this was to be conferenced and combined with the Senate bill introduced in August, the result would be a comprehensive shift in how the government regulates the security of medical devices. The Senate bill looked to increase transparency through disclosure of security methods by manufacturers, as well as requiring continued free manufacturer support of devices.


  3. Coordinating Council appoints Greg Garcia as Executive Director – Greg has been around the block in this space – previously leading the financial services coordinating council. This is a good get for the sector and a signal that leadership is serious about the cyber threat. As Terry Rice (Merck CISO) says – “the healthcare sector is at an inflection point…” We’ll look to sit down with Greg in coming weeks and report back on his priorities to lead the sector forward.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.


Exercise Exercise Exercise

Posted by: Julia      Date: September 28, 2017

Policy Analysis –

This past week, NH-ISAC announced the launch of a new tabletop exercise – Cyber Outbreak.

Cyber Outbreak will test the sector’s ability to respond to cyber-threats, share information, and maintain resilience during attacks against critical infrastructure. To do this we will hold regular tabletops over the next year that evaluate threats against different sub-sectors. The exercises will initially just include members of NH-ISAC, but will likely expand to include organizations from other interconnected sectors as well as the Government.

The first exercise in the series will be held on November 27, as the NH-ISAC Fall Summit gets underway in Scottsdale, Arizona. The scenario for the first exercise will be derived from the experiences and lessons learned during the “WannaCry” and “NotPetya” attacks. We will test information sharing capabilities between health care organizations as well as other sector-wide response capabilities.

If you’d like to participate in the kick-off exercise, please register here.

Hot Links

The Office of the National Coordinator for Health Information Technology at HHS dropped some big news last week, loosening testing and certification requirements.

First, they reduced the requirements on third party testing – organizations will now be able to “self-declare” certification on 30 of 55 certifications that are required. Second, ONC indicated they would not enforce the requirement for third party testing companies to conduct randomized surveillance on certified health IT products and services.

Having a list of government approved certification companies may not have been the most efficient way to tackle security auditing, but it’s not like the sector has proved so adept at defending itself. The test of whether this approach works will be if and how enforcement actions take place when a self-declaring certification is exploited.

Read full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_NH-ISAC_Public_092617.pdf