August 15, 2017 – Federal Government Incident Response

Hacking Healthcare

TLP White

Policy Analysis –

This week, we will look at incident response policy. After all, August seems like a good month to revisit incident response plans. This will be the first stage in a multi-part series – today we will lay the groundwork by reviewing how the federal government organizes itself to support cyber incidents that impact critical infrastructure. In future weeks, we will look at regulatory requirements under HIPAA and other statutes, as well as more closely examine the role NH-ISAC plays in incident response within the health care industry.

In 2016, the federal government released a policy to formalize incident response processes. Presidential Policy Directive 41: United States Cyber Incident Coordination (PPD-41, for short) established a definition of cyber incidents, committed the government to core principles, defined different lines of effort, and created new coordinating structures.

To help clarify roles and responsibilities, the government came up with the concept of “concurrent lines of effort,” all of which would be activated when responding to a significant cyber incident. Threat response (led by FBI) is the work done to mitigate the threat, whether through law enforcement or disruptive operations. Asset response (led by DHS) focuses on defending IT assets and restoring services. This can involve sending technical staff to organizations that have been hacked, as well as analyzing and sharing information to limit impact within a firm or across a sector or region. Intelligence support (led by ODNI) includes building and sharing awareness of the threat. Business response is a fourth line of effort that is the responsibility of the victim of the attack. In the case of an attack against critical infrastructure, the agency responsible for the relevant sector will serve as the federal coordinator with that entity. In the case of the healthcare sector, that’s HHS.

When a significant cyber incident occurs, two coordinating structures are automatically established. At the base level, a field-level coordination group will be established by the federal personnel who are in communication with the private entity. This is meant to provide a single federal voice and prevent confusion. A level up from the field, a Unified Coordination Group (UCG) will be formed. This will include senior cybersecurity officials from the agencies leading each line of effort, as well as representatives from other required agencies. The CIO or CISO of a victim company, or the leadership of a relevant sector ISAC, might be invited to join this group.

If the UCG deems it necessary (or cabinet officials decide to intervene), a Cyber Response Group (CRG) will be formed to lead coordination out of the White House. The CRG is technically chaired by the President’s Homeland Security Council (currently Tom Bossert), but leadership may be deferred to the NSC Cyber Coordinator (currently Rob Joyce). This group is charged with ensuring that any risk to national security is fully considered and that necessary resources are deployed.

Continue TLP White blog here: https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_081517_public_v2.docx

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

August 9, 2017 – The NICE Framework

Policy Analysis –

On Monday, the National Institute of Standards and Technology published a cybersecurity workforce framework (SP 800-181). The NICE framework (as we’ll call it to differentiate it from the NIST Cybersecurity Framework) is designed to enable a “common, consistent lexicon” for cybersecurity work within organizations and across sectors and the economy. The release of the NICE framework comes after nearly a decade of work by NICE – the National Initiative for Cybersecurity Education, a public-private program housed within NIST.

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_080917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Aug 2, 2017 – HCCIC and NH-ISAC

TLP White

Policy Analysis on Info Sharing

Welcome back to our final installment of the deep dive on the newly formed Health Cybersecurity and Communications Integration Center (HCCIC). You can follow these links to read part 1 and part 2.

This week, we’ll look at how the HCCIC plans on complementing the work of the NH-ISAC. To get a better sense of how this relationship might work, I spoke with Leo Scanlon, HHS Senior Adviser for Healthcare and Public Health, and Denise Anderson, President of the NH-ISAC.

As we discussed a few weeks ago, the HCCIC and the NH-ISAC have complementary (and potentially overlapping) missions. Both organizations have stated support for the work of the other and are committed to enhancing it, using the unique skill sets, authorities, and resources that each possesses. Let’s look at how the two centers might work with each other, as well as with other organizations, to share information and improve the security of the sector.

To start with, the HCCIC and NH-ISAC already have a technical connection for sharing indicators – the Automated Indicator Sharing program at DHS. The existence of a technical connection between the centers is a great start, but what information will they be sharing? From the NH-ISAC perspective, the hope is that the HCCIC can provide a single point of contact for HHS components, and for other government agencies when necessary. This would be a direct corollary to the role NH-ISAC plays for the sector.

As companies and government agencies grapple with responding to an incident like WannaCry, NH-ISAC and HCCIC can serve to aggregate exchanges of information and questions of response. Specific incident response roles and responsibilities will need to be defined and tested between the centers, which is part of the focus of the grant that NH-ISAC was awarded by ASPR earlier this year. A future edition of this newsletter will look at the output of the grant in depth.

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_080117_public.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For full analysis of how the HCCIC and NH-ISAC might work together, become a member of NH-ISAC.

July 19, 2017 – How HCCIC Works With NCCIC

TLP White

Policy Analysis on Info Sharing

Last week, we started diving deeper into HHS’ newly formed Health Cybersecurity and Communications Integration Center (HCCIC). We looked at how it might improve the security of HHS systems themselves. This week let’s look at how the HCCIC will work with DHS’ National Cybersecurity and Communications Integration Center (NCCIC) and the other government agencies.

For the HCCIC to add value to the already crowded government information sharing space, it needs to bring unique skills or capabilities and integrate those capabilities into the existing structure. For instance, the HCCIC will not add value if it just seeks to put out additional bulletins similar to what the NH-ISAC or NCCIC have already released. The information sharing community is awash in bulletins when new incidents occur. Just look at the recent ransomware and destructive malware attacks as an example.

As always, become a member of the NH-ISAC for full in-depth analysis each and every week.

Next week, we will close out our first look at the HCCIC by discussing how the new center will work with the NH-ISAC itself.

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_071917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

July 12, 2017 – Looking at HCCIC

TLP White

Policy Analysis on Info Sharing

We now have the HCCIC to add to the NCCIC on the list of relevant government acronyms in healthcare cybersecurity. Just how they work with one another remains to be seen, but let’s look at what we know so far.

First, the Health Cybersecurity and Communications Integration Center (HCCIC) has three stated goals:

  • “Strengthen engagement across HHS Operating Divisions;
  • Strengthen reporting and increase awareness of the health care cyber threats across the HHS enterprise; and,
  • Enhance public-private partnerships through regular engagement and outreach.”

It is striking, given the press coverage and general sentiment in the sector, to see HHS position the HCCIC as being primarily responsible for internal security improvements. Given that positioning, it is unsurprising that the HCCIC has been headquartered under the HHS CISO’s office and not in an operating unit with a primarily external-facing mission. Location within the CISO’s office also makes a lot of sense from a technical perspective – HHS was one of the first agencies to connect to the Automated Indicator Sharing (AIS) system at DHS. The CISO’s office pursued AIS to bolster its own defenses and can use the AIS pipes to feed information into the HCCIC (and from the HCCIC back to DHS).

Much of the focus on government cybersecurity has been on adoption of shared services and migration to a more defensible technology stack. This focus is rightly placed, and the security (and efficiency!) burden of legacy systems is significant. But there is also a burden of legacy governance in government security programs. Staff and budget are disparate and suffer from a lack of consolidation and scale. It is difficult to align IT and security modernization efforts within departments and across government. Coordinating centers such as the HCCIC may offer some benefit in this regard.

HHS (and other agencies) should be encouraged to try innovative approaches to addressing their own security challenges. For the HCCIC (and other such initiatives) to be successful, it will need to be properly resourced. But the challenge of securing government systems is so significant that experimentation and action (above all else) should be encouraged.

Over the next couple of weeks, we will look at how the HCCIC might use its relative expertise and work with the NCCIC and NH-ISAC to maximize value in support of the health care sector.

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_071217.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

July 4, 2017 – Post Petya

TLP White

Happy 4th of July everyone. Hopefully everyone could get away from their computers and out to see the fireworks. They were spectacular here in Nashville.

The Petya aftermath seems to have consumed everyone’s already thin holiday week bandwidth. Congress is out of town and the Administration is consumed with a Presidential trip to Europe. We’ve got a round-up of the news (and speculation) on Petya, as well as a collection of other top stories from the week. But first, a couple of policy thoughts.

Policy Analysis

The world’s leaders – including Presidents Trump and Putin – are sitting down this week in Germany. Let’s hope they talk about partnering on the “cyber.” The Petya (and WannaCry) attacks may provide a key opportunity for otherwise adversarial nations to work together to improve security.

———

Prepared cyber-specific crisis communications and information sharing plans are a positive development for industry. This increasingly well-established “best practice” within companies may provide a lesson for government agencies as well as ISACs as they look to provide clear and timely communications to their communities.

Next week we will look at how NH-ISAC, the NCCIC, and the newly formed HCCIC might all work together on these and other issues.

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_070417_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

June 27, 2017 – Premier Cybersecurity Blog

TLP White

Welcome to the first edition of Hacking Healthcare, NH-ISAC’s new weekly newsletter designed to guide you through the week in healthcare cybersecurity and policy. Every Wednesday, Hacking Healthcare will bring you analysis on the latest news stories, policy developments, reports, and public remarks that impact the cybersecurity practitioner across all the different healthcare industries. We have our views on what matters, but we also want to reflect your interests – so get in touch and let the Hacking Healthcare team know what you want to see. Here we go…

Read the full blog here: https://nhisac.org/wp-content/uploads/2017/07/Newsletter_Public_062717_1.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.