August 23 – Cyber Breach Response

Posted by: Julia      Date: August 23, 2017
TLP White

Policy Analysis –

Last week, we looked at how the federal government organizes itself to support critical infrastructure in responding to significant cyber incidents that threaten national security. Today we will focus on the regulatory expectations for health care organizations responding to a cyber breach.

The primary federal regulator in this space is HHS’s Office for Civil Rights (OCR), which is responsible for administering the Health Insurance Portability and Accountability Act (HIPAA). To implement its authorities under HIPAA, HHS published the HIPAA Security Rule (first proposed in 1998, finalized in 2003), which OCR now enforces. The Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” This covers not only how to protect information, but also how to respond to and recover from incidents that may compromise protected health information (PHI).

When an incident occurs, OCR is unequivocal that a covered entity “must execute its response and mitigation procedures and contingency plans.” The clear message is that a health care organization should first defend its own systems and mitigate the threat; only once the incident is under control should it turn to regulatory reporting requirements. After all, the HIPAA Breach Notification Rule requires notice without unreasonable delay and in no case later than 60 days after discovery of a breach, so there is time to contain the incident first. If a health care organization has considered HIPAA expectations in advance, its incident response will naturally produce the documentation it needs to present to regulators if PHI is compromised and OCR investigates later.

As part of their incident response procedures, health care entities should also have a mechanism for reporting the incident to law enforcement. Notifying law enforcement enables a criminal investigation that can lead to the arrest and prosecution of those responsible, and it also brings your incident into the PPD-41 process described last week. Law enforcement may also provide useful network defense information if the incident is part of a larger campaign they are already investigating. One practical point: the Breach Notification Rule permits notification to be delayed when a law enforcement official states that it would impede a criminal investigation (45 CFR 164.412), so record any such request, and the time period it specifies, in writing.

Sharing information through NH-ISAC should also be part of your response plans. Actively sharing information informs your network defense, as well as enabling others in the sector to defend against similar threats. And sharing with NH-ISAC enables the sector to coordinate its response to campaigns or widespread attacks, freeing you to focus on your own enterprise. It is important to note that NH-ISAC does not share any cyber-threat indicators or incident information with OCR or other federal regulators.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_082317_public.docx

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of NH-ISAC.

August 15, 2017 – Federal Government Incident Response

Posted by: Julia      Date: August 18, 2017

TLP White

Policy Analysis –

This week, we will look at incident response policy. After all, August seems like a good month to revisit incident response plans. This is the first stage in a multi-part series. Today we will lay the groundwork by reviewing how the federal government organizes itself to support the response to cyber incidents that impact critical infrastructure. In future weeks, we will look at regulatory requirements under HIPAA and other statutes, and examine more closely the role NH-ISAC plays in incident response within the health care industry.

In 2016, the federal government released a policy to formalize incident response processes. Presidential Policy Directive 41: United States Cyber Incident Coordination (PPD-41, for short) established a definition of cyber incidents, committed the government to core principles, defined distinct lines of effort, and created new coordinating structures.

To help clarify roles and responsibilities, the government came up with the concept of “concurrent lines of effort,” all of which are activated when responding to a significant cyber incident. Threat response (led by the FBI) is the work done to mitigate the threat, whether through law enforcement action or disruptive operations. Asset response (led by DHS) focuses on defending IT assets and restoring services. This can involve sending technical staff to organizations that have been hacked, as well as analyzing and sharing information to limit impact within a firm or across a sector or region. Intelligence support (led by ODNI) includes building and sharing awareness of the threat. Business response is a fourth line of effort that is the responsibility of the victim of the attack. In the case of an attack against critical infrastructure, the sector-specific agency for the relevant sector serves as the federal coordinator with that entity. In the case of the healthcare sector, that’s HHS.

When a significant cyber incident occurs, two coordinating structures are automatically established. At the base level, a field-level coordination group is formed by the federal personnel who are in communication with the private entity. This is meant to provide a single federal voice and prevent confusion. A level up from the field, a Unified Coordination Group (UCG) is formed. It includes senior cybersecurity officials from the agencies leading each line of effort, as well as representatives from other agencies as required. The CIO or CISO of a victim company, or the leadership of the relevant sector ISAC, may be invited to join this group.

If the UCG deems it necessary (or cabinet officials decide to intervene), a Cyber Response Group (CRG) is convened to lead coordination out of the White House. The CRG is technically chaired by the President’s Homeland Security Advisor (currently Tom Bossert), but leadership may be deferred to the White House Cybersecurity Coordinator on the NSC staff (currently Rob Joyce). This group is charged with ensuring that any risk to national security is fully considered and that the necessary resources are deployed.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_081517_public_v2.docx

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.


August 9, 2017 – The NICE Framework

Posted by: Julia      Date: August 09, 2017

Policy Analysis –

On Monday, the National Institute of Standards and Technology (NIST) published its cybersecurity workforce framework, Special Publication 800-181. The NICE Framework (as we’ll call it, to differentiate it from the NIST Cybersecurity Framework) is designed to provide a “common, consistent lexicon” for cybersecurity work within organizations and across sectors and the economy. The release of the NICE Framework comes after nearly a decade of work by NICE, the National Initiative for Cybersecurity Education, a public-private program housed within NIST.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_080917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.


Aug 2, 2017 – HCCIC and NH-ISAC

Posted by: Julia      Date: August 02, 2017
TLP White

Policy Analysis on Info Sharing

Welcome back to our final installment of the deep dive on the newly formed Health Cybersecurity and Communications Integration Center (HCCIC). Part 1 and part 2 appeared in the July 12 and July 19 editions, respectively.

This week, we’ll look at how the HCCIC plans on complementing the work of the NH-ISAC. To get a better sense of how this relationship might work, I spoke with Leo Scanlon, HHS Senior Adviser for Healthcare and Public Health, and Denise Anderson, President of the NH-ISAC.

As we discussed a few weeks ago, the HCCIC and the NH-ISAC have complementary (and potentially overlapping) missions. Both organizations have stated support for the work of the other and are committed to enhancing the work of the other, using the unique skill sets, authorities, and resources that each possess. Let’s look at how the two centers might work with each other as well as other organizations to share information and improve the security of the sector.

To start with, the HCCIC and NH-ISAC already share a technical connection for exchanging indicators: the Automated Indicator Sharing (AIS) program at DHS. The existence of a technical connection between the centers is a great start, but what information will they share over it? From the NH-ISAC perspective, the hope is that the HCCIC can provide a single point of contact for HHS components and, when necessary, other government agencies. This would be the direct counterpart of the role NH-ISAC plays for the sector.

As companies and government agencies grapple with responding to an incident like WannaCry, NH-ISAC and the HCCIC can serve as the aggregation points for information exchange and response questions. Specific incident response roles and responsibilities will need to be defined and tested between the centers, which is part of the focus of the grant NH-ISAC was awarded by ASPR earlier this year. A future edition of this newsletter will look at the output of that grant in depth.

Read full blog https://nhisac.org/wp-content/uploads/2017/08/Newsletter_NH-ISAC_080117_public.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For full analysis of how the HCCIC and NH-ISAC might work together, become a member of NH-ISAC.

July 19, 2017 – How HCCIC Works With NCCIC

Posted by: Julia      Date: July 24, 2017
TLP White

Policy Analysis on Info Sharing

Last week, we started diving deeper into HHS’s newly formed Health Cybersecurity and Communications Integration Center (HCCIC). We looked at how it might improve the security of HHS systems themselves. This week, let’s look at how the HCCIC will work with DHS’s National Cybersecurity and Communications Integration Center (NCCIC) and other government agencies.

For the HCCIC to add value in the already crowded government information sharing space, it needs to bring unique skills or capabilities and integrate them into the existing structure. For instance, the HCCIC will not add value if it simply puts out additional bulletins similar to those the NH-ISAC or NCCIC have already released. The information sharing community is awash in bulletins whenever a new incident occurs; the recent ransomware and destructive malware attacks are a case in point.

As always, become a member of the NH-ISAC for full in-depth analysis each and every week.

Next week, we will close out our first look at the HCCIC by discussing how the new center will work with the NH-ISAC itself.

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_071917_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

July 12, 2017 – Looking at HCCIC

Posted by: Julia      Date: July 24, 2017
TLP White

Policy Analysis on Info Sharing

We now have the HCCIC to add to the NCCIC on the list of relevant government acronyms in healthcare cybersecurity. Just how they work with one another remains to be seen, but let’s look at what we know so far.

First, the Health Cybersecurity and Communications Integration Center (HCCIC) has three stated goals:

  • “Strengthen engagement across HHS Operating Divisions;
  • Strengthen reporting and increase awareness of the health care cyber threats across the HHS enterprise; and,
  • Enhance public-private partnerships through regular engagement and outreach.”

It is striking, given the press coverage and general sentiment in the sector, to see HHS position the HCCIC as being primarily responsible for internal security improvements. Given that positioning, it is unsurprising that the HCCIC has been headquartered under the HHS CISO’s office and not in an operating unit with a primarily external facing mission. Location within the CISO’s office also makes a lot of sense from a technical perspective – HHS was one of the first agencies to connect with the Automated Indicator Sharing (AIS) system at DHS. The CISO’s office pursued AIS to bolster its own defenses and can utilize the AIS pipes to feed information into the HCCIC (and from the HCCIC back to DHS).

Much of the focus on government cybersecurity has been on adoption of shared services and migration to a more defensible technology stack. That focus is rightly placed: the security (and efficiency!) burden of legacy systems is significant. But there is also a burden of legacy governance in government security programs. Staff and budget are scattered and suffer from a lack of consolidation and scale, and it is difficult to align IT and security modernization efforts within departments and across government. Coordinating centers such as the HCCIC may offer some benefit in this regard.

HHS (and other agencies) should be encouraged to try innovative approaches to addressing their own security challenges. For the HCCIC (and other such initiatives) to be successful, it will need to be properly resourced. But the challenge of securing government systems is so significant that experimentation and action (above all else) should be encouraged.

Over the next couple of weeks, we will look at how the HCCIC might look to utilize their relative expertise and work with the NCCIC and NH-ISAC to maximize value in support of the health care sector.

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_071217.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

July 4, 2017 – Post Petya

Posted by: Julia      Date: July 24, 2017
TLP White

Happy 4th of July everyone. Hopefully everyone could get away from their computers and out to see the fireworks. They were spectacular here in Nashville.

The Petya aftermath seems to have consumed everyone’s already thin holiday week bandwidth. Congress is out of town and the Administration is consumed with a Presidential trip to Europe. We’ve got a round-up of the news (and speculation) on Petya, as well as a collection of other top stories from the week. But first, a couple of policy thoughts.

Policy Analysis

The world’s leaders – including Presidents Trump and Putin – are sitting down this week in Germany. Let’s hope they talk about partnering on the “cyber.” The Petya (and WannaCry) attacks may provide a key opportunity for otherwise adversarial nations to work together to improve security.

———-

Having prepared cyber-specific crisis communications and information sharing plans in place is a positive development for industry. This increasingly well-established “best practice” within companies may provide a lesson for government agencies as well as ISACs as they look to provide clear and timely communications to their communities.

Next week we will look at how NH-ISAC, the NCCIC, and the newly formed HCCIC might all work together on these and other issues.

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_NH-ISAC_070417_public.pdf

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.

June 27, 2017 – Premier Cybersecurity Blog

Posted by: Julia      Date: July 21, 2017
TLP White

Welcome to the first edition of Hacking Healthcare, NH-ISAC’s new weekly newsletter designed to guide you through the week in healthcare cybersecurity and policy. Every Wednesday, Hacking Healthcare will bring you analysis of the latest news stories, policy developments, reports, and public remarks that matter to cybersecurity practitioners across all the different healthcare industries. We have our views on what matters, but we also want to reflect your interests, so get in touch and let the Hacking Healthcare team know what you want to see. Here we go…

Read full blog https://nhisac.org/wp-content/uploads/2017/07/Newsletter_Public_062717_1.pdf

This is the public version of our Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of NH-ISAC.