“WannaCry and the [grim] Reaper”

Posted by: Julia Annaloro      Date: October 31, 2017

TLP White

Today we are digging into WannaCry and the [grim] Reaper. Enjoy, Hacking Healthcare:

Hot Links –

  1. After-action on NHS WannaCry – The UK’s National Audit Office just concluded a review of NHS preparedness and response to WannaCry. The report finds no negative impacts on patient health and safety – some trusts had to reschedule appointments, 5 had to divert emergency visits to other hospitals, and a few trusts were able to continue receiving patients despite the incident knocking some systems offline.

NHS trusts were vulnerable to the attack due to poor patch management in Windows 7 systems and use of devices running XP. Unsurprisingly, those trusts that had absorbed the operations of other hospitals through mergers struggled with integrating patch management.

The government’s NHS Digital team had conducted on-site inspections ahead of the attack (88 of 236 trusts had been inspected; none passed). In the inspections, NHS found that most hospitals had “not identified cybersecurity as a risk to patient outcomes, and had tended to overestimate their readiness to manage a cyber attack.”

The report also finds that there was not an effective system for NHS trusts to report the attack and its impact to the government. Despite NHS developing national incident response plans, they had never been tested at a local level.

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.


Exercise Exercise Exercise

Posted by: Julia Annaloro      Date: September 28, 2017

Policy Analysis –

This past week, H-ISAC announced the launch of a new tabletop exercise – Cyber Outbreak.

Cyber Outbreak will test the sector’s ability to respond to cyber-threats, share information, and maintain resilience during attacks against critical infrastructure. To do this we will hold regular tabletops over the next year that evaluate threats against different sub-sectors. The exercises will initially just include members of H-ISAC, but will likely expand to include organizations from other interconnected sectors as well as the Government.

The first exercise in the series will be held on November 27, as the H-ISAC Fall Summit gets underway in Scottsdale, Arizona. The scenario for the first exercise will be derived from the experiences and lessons learned during the “WannaCry” and “NotPetya” attacks. We will test information sharing capabilities between health care organizations as well as other sector-wide response capabilities.

If you’d like to participate in the kick-off exercise, please register here.

Hot Links

The Office of the National Coordinator for Health Information Technology at HHS dropped some big news last week, loosening testing and certification requirements.

First, they reduced the requirements on third party testing – organizations will now be able to “self-declare” certification on 30 of 55 certifications that are required. Second, ONC indicated they would not enforce the requirement for third party testing companies to conduct randomized surveillance on certified health IT products and services.

Having a list of government approved certification companies may not have been the most efficient way to tackle security auditing, but it’s not like the sector has proved so adept at defending itself. The test of whether this approach works will be if and how enforcement actions take place when a self-declaring certification is exploited.

Read full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_H-ISAC_Public_092617.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.

September 14 – How a Bill Becomes a Law

Posted by: Julia Annaloro      Date: September 14, 2017
TLP White

Policy Analysis – 

After years of debate (or at least threat of debate) on a Federal data breach notification law, Congress has approached the subject with a new sense of energy in the wake of the Equifax breach. The breach, which may have exposed PII of 143 million Americans, is most notable for how poorly the company handled the announcement and response: it announced the breach nearly 2 months after discovery and provided unclear, unhelpful, and potentially deceptive notification to those potentially affected. Otherwise, it was just another ho-hum theft of nearly half the country’s PII that occurred as the result of unpatched, known vulnerabilities in poorly architected legacy systems.

So what is Congress going to do about it?

Well, they will hold a few hearings and demand answers with feigned outrage. We’ve seen this before, but it has not led to meaningful reform of breach notification or the legal and economic structure that facilitates the lax approach to security we saw at Equifax. There’s not much reason to think this breach will elicit a different response from Washington. But it is worth noting that the White House has said they will look into new regulations to protect consumers from the impact of such breaches.

Federal Data Breach Notification – Back in 2011 and then again in 2015, the Obama Administration put forward legislative proposals to create a Federal data breach notification standard. These proposals were constructed so as not to “pre-empt” the 47 state laws (good comparison tool here) already in place, or specific industry regulations. As a result, the scope was pretty narrow, which was viewed as the only way to get a law passed. But even such a limited Federal approach didn’t make any headway in Congress, despite a series of large scale breaches. Various bills from different Congressional committees have been introduced since, but none have made serious progress towards becoming law.

Read Full Blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_H-ISAC_091217_public.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.

September 6 – Government’s Cyber Mission: Overview PT 2

Posted by: Julia Annaloro      Date: September 06, 2017
TLP White

Policy Analysis – Who does what (pt. 2)

This week we will wrap up our review of different federal agencies with a cybersecurity mission. Last week we looked at how DHS and FBI work to protect and support U.S. interests in the face of cyber-threats. Today we will look at HHS’s role as well as the other agencies that contribute legal authorities and cyber-capabilities to the U.S. government’s “defensive” cyber-mission. We will also do a quick overview of the agencies responsible for the government’s “offensive” activities in cyber-space and give you a sense of the doctrine that helps determine how it is applied.

HHS has three cybersecurity missions that have been authorized and funded by Congress – defend its own networks and data; support the health care sector; develop and enforce regulations. The new Health Cybersecurity and Communications Integration Center (HCCIC) has a role to play in executing responsibilities in line with all three mission areas. As we described in a previous edition of the newsletter, the HCCIC will serve to integrate SOC functions across the different HHS bureaus, lend health sector specific expertise to threat intelligence analysis at the six cyber centers (specifically the NCCIC), and inform the long-term development of regulatory policy to reflect the nature of the cyber threat against the healthcare sector.

Planning for public health emergencies is conducted within HHS by the Assistant Secretary for Preparedness and Response (ASPR), who is also responsible for carrying out the role of “sector-specific agency.” The role of a sector specific agency (created under PPD-21) is to support the resiliency of the health care sector from within the federal government. This includes lending sector relevant expertise to other agencies around the government, such as DHS, the FBI, or the intelligence community, as well as serving as an interface between the government and private sector personnel during both steady-state and incident response.

HHS’ regulatory authorities sit within a few different offices – the Office of Civil Rights (OCR) and the Food and Drug Administration (FDA), as well as the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS). Congress gave OCR the authority to implement and enforce HIPAA, which sets expectations for how health organizations protect patient information. FDA sets the regulations with which medical devices must comply and has issued both pre- and post-market guidance for the cybersecurity of medical devices. ONC and CMS are not regulators in the traditional sense, but both oversee federal subsidy programs and set “regulatory” requirements that health care organizations must meet in order to receive benefits. ONC (for “Meaningful Use”) and CMS (for Medicare/Medicaid) both expect participants to appropriately manage cyber risks.

Read full blog https://nhisac.org/wp-content/uploads/2017/09/Newsletter_H-ISAC_090517_public.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.

August 23 – Cyber Breach Response

Posted by: Julia Annaloro      Date: August 23, 2017
TLP White

Policy Analysis –

Last week, we looked at how the federal government organizes itself to support critical infrastructure in responding to significant cyber incidents that threaten national security. Today we will focus on the regulatory expectations for health care organizations responding to a cyber breach.

The primary federal regulator in this space is HHS’s Office of Civil Rights (OCR), which has responsibility for administering the Health Insurance Portability and Accountability Act (HIPAA). To implement its authorities under HIPAA, OCR published the HIPAA Security Rule (first proposed in 1998, finalized in 2003). The Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” This includes considerations for not only how to protect information, but also how to respond and recover from incidents that may compromise protected health information.

When an incident occurs, OCR is unequivocal in saying that a covered entity “must execute its response and mitigation procedures and contingency plans.” The clear message is that a health care organization should first worry about defending its own systems and mitigating the threat. Only after an incident is under control should it begin considering regulatory reporting requirements. After all, HIPAA gives an entity up to 60 days after discovery to report a breach. If a health care organization has considered HIPAA expectations in advance, incident response should occur in a way that is easy to document and present to regulators if PHI is compromised and an investigation is conducted later.

As part of their incident response procedures, health care entities should also have a mechanism for reporting the incident to law enforcement agencies. Notifying law enforcement of an incident will enable a criminal investigation that can lead to the arrest and prosecution of those responsible, but it can also get your incident into the process set forth in PPD-41 and described last week. Law enforcement may also provide helpful network defense information if the incident is part of a larger campaign that they are already investigating.

Sharing information through H-ISAC should also be part of your response plans. Actively sharing information informs your network defense, as well as enabling others in the sector to defend against similar threats. And sharing with H-ISAC enables the sector to coordinate its response to campaigns or widespread attacks, freeing you to focus on your own enterprise. It is important to note that H-ISAC does not share any cyber-threat indicators or incident information with OCR or other federal regulators.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_H-ISAC_082317_public.docx

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.

August 15, 2017 – Federal Government Incident Response

Posted by: Julia Annaloro      Date: August 18, 2017

TLP White

Policy Analysis –

This week, we will look at incident response policy. After all, August seems like a good month to revisit incident response plans. This will be the first stage in a multi-part series – today we will lay the groundwork by reviewing how the federal government organizes itself to support cyber incidents that impact critical infrastructure. In future weeks, we will look at regulatory requirements under HIPAA and other statutes, as well as more closely examine the role H-ISAC plays in incident response within the health care industry.

In 2016, the federal government released a policy to formalize incident response processes. Presidential Policy Directive 41: United States Cyber Incident Coordination (PPD-41, for short) established a definition of cyber incidents, committed the government to core principles, defined different lines of effort, and created new coordinating structures.

To help clarify roles and responsibilities, the government came up with the concept of “concurrent lines of effort,” which would all be activated when responding to a significant cyber incident. Threat response (led by FBI) is the work done to mitigate the threat, whether it be through law enforcement or disruptive operations. Asset response (led by DHS) focuses on defending IT assets and restoring services. This can involve sending technical staff to organizations that have been hacked, as well as analyzing and sharing information to limit impact within a firm or across a sector or region. Intelligence support (led by ODNI) includes building and sharing awareness of the threat. Business response is a fourth line of effort that is the responsibility of the victim of the attack. In the case of an attack against critical infrastructure, the agency responsible for the relevant sector will be responsible for serving as the federal coordinator with that entity. In the case of the healthcare sector, that’s HHS.

When a significant cyber incident occurs, two coordinating structures are automatically established. At the base level, a field-level coordination group will be established by the federal personnel who are in communication with a private entity. This is meant to enable a single federal voice and prevent confusion. A level up from the field, a Unified Coordination Group (UCG) will be formed. This will include senior cybersecurity officials from the agencies leading each line of response, as well as representatives from other required agencies. The CIO or CISO of a victim company, or the leadership of a relevant sector ISAC, might be invited to join this group.

If the UCG deems it necessary (or cabinet officials decide to intervene), a Cyber Response Group (CRG) will be formed to lead coordination out of the White House. The CRG is technically chaired by the President’s Homeland Security Council (currently Tom Bossert), but leadership may be deferred to the NSC Cyber Coordinator (currently Rob Joyce). This group is charged with ensuring that any risk to national security is fully considered and that necessary resources are deployed.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_H-ISAC_081517_public_v2.docx

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.


August 9, 2017 – The NICE Framework

Posted by: Julia Annaloro      Date: August 09, 2017

Policy Analysis –

On Monday, the National Institute of Standards and Technology published a cybersecurity workforce framework (SP 800-181). The NICE framework (as we’ll call it to differentiate it from the NIST Cybersecurity Framework) is designed to enable a “common, consistent lexicon” for cybersecurity work within organizations and across sectors and the economy. The release of the NICE framework comes after nearly a decade of work by NICE – the National Initiative for Cybersecurity Education, a public-private program housed within NIST.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_H-ISAC_080917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.

Aug 2, 2017 – HCCIC and H-ISAC

Posted by: Julia Annaloro      Date: August 02, 2017
TLP White

Policy Analysis on Info Sharing

Welcome back to our final installment of the deep dive on the newly formed Health Cybersecurity and Communications Integration Center (HCCIC). You can follow these links to read part 1 and part 2.

This week, we’ll look at how the HCCIC plans on complementing the work of the H-ISAC. To get a better sense of how this relationship might work, I spoke with Leo Scanlon, HHS Senior Adviser for Healthcare and Public Health, and Denise Anderson, President of the H-ISAC.

As we discussed a few weeks ago, the HCCIC and the H-ISAC have complementary (and potentially overlapping) missions. Both organizations have stated support for the work of the other and are committed to enhancing the work of the other, using the unique skill sets, authorities, and resources that each possess. Let’s look at how the two centers might work with each other as well as other organizations to share information and improve the security of the sector.

To start with, the HCCIC and H-ISAC already share a technical connection to share indicators – the Automated Indicator Sharing program at DHS. The existence of a technical connection between the centers is a great start, but what information will they be sharing? From the H-ISAC perspective, the hope is that the HCCIC can provide a single point of contact for HHS components, and other government agencies when necessary. This would be a direct counterpart to the role H-ISAC plays for the sector.

As companies and government agencies grapple with responding to an incident like WannaCry, H-ISAC and HCCIC can serve to aggregate exchanges of information and questions of response. Specific incident response roles and responsibilities will need to be defined and tested between the centers, which is part of the focus of the grant that H-ISAC was awarded by ASPR earlier this year. A future edition of this newsletter will look at the output of the grant in depth.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_H-ISAC_080117_public.pdf.

As a reminder, this is the public version of the Hacking Healthcare newsletter. For full analysis of how the HCCIC and H-ISAC might work together, become a member of H-ISAC.

July 19, 2017 – How HCCIC Works With NCCIC

Posted by: Julia Annaloro      Date: July 24, 2017
TLP White

Policy Analysis on Info Sharing

Last week, we started diving deeper into HHS’ newly formed Health Cybersecurity and Communications Integration Center (HCCIC). We looked at how it might improve the security of HHS systems themselves. This week let’s look at how the HCCIC will work with DHS’ National Cybersecurity and Communications Integration Center (NCCIC) and the other government agencies.

For HCCIC to add value to the already crowded government information sharing space, it needs to bring unique skills or capabilities and integrate those capabilities into the existing structure. For instance, the HCCIC will not add value if it just seeks to put out additional bulletins that are similar to what the H-ISAC or NCCIC have already released. The information sharing community is awash in bulletins when new incidents occur. Just look at the recent ransomware and destructive malware attacks as an example.

As always, become a member of the H-ISAC for full in-depth analysis each and every week.

Next week, we will close out our first look at the HCCIC by discussing how the new center will work with the H-ISAC itself.

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_H-ISAC_071917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.

July 12, 2017 – Looking at HCCIC

Posted by: Julia Annaloro      Date: July 24, 2017
TLP White

Policy Analysis on Info Sharing

We now have the HCCIC to add to the NCCIC on the list of relevant government acronyms in healthcare cybersecurity. Just how they work with one another remains to be seen, but let’s look at what we know so far.

First, the Health Cybersecurity and Communications Integration Center (HCCIC) has three stated goals:

  • “Strengthen engagement across HHS Operating Divisions;
  • Strengthen reporting and increase awareness of the health care cyber threats across the HHS enterprise; and,
  • Enhance public-private partnerships through regular engagement and outreach.”

It is striking, given the press coverage and general sentiment in the sector, to see HHS position the HCCIC as being primarily responsible for internal security improvements. Given that positioning, it is unsurprising that the HCCIC has been headquartered under the HHS CISO’s office and not in an operating unit with a primarily external facing mission. Location within the CISO’s office also makes a lot of sense from a technical perspective – HHS was one of the first agencies to connect with the Automated Indicator Sharing (AIS) system at DHS. The CISO’s office pursued AIS to bolster its own defenses and can utilize the AIS pipes to feed information into the HCCIC (and from the HCCIC back to DHS).

Much of the focus on government cybersecurity has been around adoption of shared services and migration to a more defensible technology stack. This is rightly placed and the security (and efficiency!) burden of legacy systems is significant. But there is also a burden of legacy governance in government security programs. Staff and budget are disparate and suffer from a lack of consolidation and scale. It is difficult to align IT and security modernization efforts within departments and across government. Coordinating centers such as the HCCIC may offer some benefit in this regard.

HHS (and other agencies) should be encouraged to try innovative approaches to addressing their own security challenges. For the HCCIC (and other such initiatives) to be successful, it will need to be properly resourced. But the challenge of securing government systems is so significant that experimentation and action (above all else) should be encouraged.

Over the next couple of weeks, we will look at how the HCCIC might look to utilize their relative expertise and work with the NCCIC and H-ISAC to maximize value in support of the health care sector.

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_H-ISAC_071217.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.