Channel: Cyber Security – NACCHO Preparedness Brief

Risks of Cyber Attacks on the Healthcare Sector Leave Public Health of Communities Vulnerable


By Justin Snair, Senior Program Analyst and David G. Henry, former Senior Program Analyst, Public Health Preparedness, NACCHO

October is National Cyber Security Awareness Month. This post is adapted from an article on cyber security that originally ran in The CIP Report, a newsletter from the Center for Infrastructure Protection and Homeland Security at George Mason University.

In December 2011, a hospital in Georgia was forced to divert all non-emergency admissions to other medical centers, after a malware infection downed the institution’s IT network and required staff to use paper records. The attack affected computer connectivity, as hospital computers could not communicate with each other. The hospital was forced to use a runner system, where papers were shuttled by personnel from station to station.[1]


A cyber attack on a healthcare facility that disrupts its capacity to manage patients can be devastating to a local community’s ability to manage the routine care of its population, as well as patient surge during catastrophic events. The impact of cyber attacks on healthcare facilities can be organized into three categories: [2][3]

  • Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber crime, including theft or loss of patient information. Another consideration is the connection between patient data and personal medical devices. Those devices carry security and privacy risks as they become increasingly networked and wireless.
  • Losses of integrity: Patients and practitioners may lose confidence in a healthcare provider’s ability to maintain patient privacy, due to perceptions of inadequate security.
  • Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care due to software outages. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care.

Healthcare infrastructure is already vulnerable, as our healthcare delivery system routinely operates at or near 100 percent of capacity on a daily basis.[4] Compounding the stress on the system is the increase in the aging U.S. population and rise in hospital admissions due to the impacts of hospital closures, the use of emergency departments as a primary point of care for the uninsured, and increased length of stay due to rising chronic illness rates in recent years. In addition, close collaboration among public, private, and non-governmental stakeholders to assure safe healthcare infrastructure is a challenge.

Private and non-profit healthcare delivery systems do not carry the burden of critical infrastructure protection alone. The public health sector—state and local health departments—is a leader within the healthcare sector in preparing for, responding to, and recovering from man-made and natural disasters. For local public health, healthcare is an equal partner in keeping the nation’s health services secure for all communities. Public trust depends upon the sustainability and resilience of our national healthcare and public health critical infrastructure.[4]

Current policy falls short of protecting the health sector from cyber threats. To foster improvements in the healthcare delivery system, federal doctrine, such as the National Health Security Strategy (NHSS), the Centers for Disease Control and Prevention’s Public Health Preparedness Capabilities: National Standards for State and Local Planning (PHEP), and the U.S. Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness and Response’s Healthcare Capabilities: National Guidance for Healthcare System Preparedness (HPP), has promoted the adoption of technology in healthcare facilities. However, as healthcare providers begin to use e-Health, information technology, and other web-based tools with inadequate security systems or enforcement, the sector exposes itself to cyber threats. According to the Third Annual Benchmark Study on Patient Privacy & Data Security (2012), 94 percent of healthcare organizations have had at least one data breach in the past two years. Forty-five percent report that they have had more than five incidents.[5]

From the executive level, President Obama issued Presidential Policy Directive (PPD)-21 and Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity, emphasizing the need for holistic thinking about critical infrastructure security and risk management. Those directives and executive orders will drive action towards critical infrastructure systems—including healthcare—to improve their network security. Additionally, those policies will help promote and incentivize the adoption of cyber security practices, increase cyber threat information sharing, evaluate and mature public-private partnerships, and understand the cascading consequences of infrastructure failures. With the release of PPD-21 and EO 13636 and the subsequent operationalization of these policies, Federal agencies responsible for NHSS, PHEP, and HPP should prioritize improving security of healthcare information systems, strengthening of public-private partnerships vital to healthcare cyber security and resiliency, and adopting standards and frameworks for information sharing and security within the revisions of guidance doctrine.

Moving forward, public health and healthcare partners need not wait for revisions of federal doctrine or full implementation of PPD-21 and EO 13636 to begin improving the security of healthcare facilities. Communities can improve cyber security by opening a dialogue with the key local public-private stakeholders to improve partnerships and information sharing. Healthcare facilities can coordinate across sectors to engage technology experts to further improve system security and ensure the protection of their data and systems. Lastly, the healthcare sector can raise employee awareness of cyber threats by implementing digital hygiene training – meant to create a common understanding of how to keep computer systems safe. By taking those first steps to improve health information sharing and cyber security, healthcare sector operators can begin to reduce the risk and exposure that comes with the adoption of new technologies to improve their service delivery, patient care, and the resiliency of their communities.


  1. Elliot, R. (2011, December 9). Hospital put under “Total Diversion” after computer virus. WSBTV. Retrieved from: http://www.wsbtv.com/news/news/local/hospital-diverting-trauma-cases-due-computer-probl/nFyYY/
  2. US Army. (2005). Cyber Operations and Cyber Terrorism. US Army Training and Doctrine Command DCSINT Handbook 1.02. Retrieved from: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439217
  3. Barnett, D.J., Sell, T., Lord, R.K., Terbush, J., & Burke, T. (2013). Cyber Security Threats to Public Health. World Medical & Health Policy. no. 1 (2013): 37-46. Retrieved from: http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract
  4. Smith, W. M. (2009). Institute of Medicine Forum on Medical and Public Health Preparedness for Catastrophic Events. Financing Surge Capacity and Preparedness. Retrieved from: http://www.iom.edu/~/media/Files/Activity%20Files/PublicHealth/MedPrep/Jun-10-11-2009-Commissioned%20Papers/Jun-10-11-2009-Commissioned-Paper-Financing-Surge-Capacity-and-Preparedness.pdf
  5. Ponemon Institute. (2012). Third Annual Benchmark Study on Patient Privacy & Data Security. Retrieved from: http://lpa.idexpertscorp.com/acton/attachment/6200/f-0033/1/-/-/-/-/file.pdf

Online Game Provides Cyber Security and Disaster Planning Training


As part of National Cyber Security Awareness Month, the Office of the National Coordinator (ONC) for Health Information Technology released its second Web-based security training module, “CyberSecure: Your Medical Practice” for healthcare providers and staff on October 24, 2013. The game provides training on disaster planning, data backup and recovery, and other elements of contingency planning to help prepare for power outages, floods, fires, or weather related events such as hurricanes or tornadoes. Because these events can damage patient health information or make it unavailable, planning can help ensure that information is protected and accessible when disasters are over. Contingency planning is also required by the HIPAA Security Rule.

“We know from recent experiences such as Hurricane Sandy, that these events can very adversely impact the delivery of health care,” said ONC Chief Privacy Officer Joy Pritts. “We hope that this video game will raise awareness of contingency planning and help practices begin to develop their own disaster plans, backup and recovery processes and other vital activities.” Learn more and try out the game

Cyber Attack on U.S. Hospital Group Highlights Vulnerability of Critical Infrastructure


On Monday, August 18th, Community Health Systems, one of the largest U.S. hospital groups, reported that they were the victim of a cyber-attack from China, which resulted in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. This attack is the largest of its type involving patient information since the U.S. Department of Health and Human Services started tracking such breaches in 2009.

Healthcare and public health patient information has often been viewed as a “soft target” for cyber-attacks. The Office for Civil Rights (OCR), which enforces privacy and security regulations for the Department of Health and Human Services, reported in February of this year that only 62 of more than 800 breaches of protected health information (P.H.I.) involved cyber-attacks. However, evidence suggests that many organizations are not mature enough to detect data breaches, contributing to the low level of health related cyber-attacks.[i]

Public health organizations have been the victim of cyber-attacks in recent history. On May 22nd, 2014, the Montana Department of Public Health and Human Services announced that a cyber-attack was detected on the health department’s server, allowing a hacker to illegally access the P.H.I. of 1.3 million individuals.[ii] On April 9th, 2012, the Utah Department of Health announced that a cyber-attack occurred in which 780,000 individuals had their P.H.I. breached. In addition to their health records, it is estimated that 280,000 of these individuals had their social security numbers illegally accessed as well.[iii] Cyber-attacks carry a large cost. Patient trust can be irreparably damaged, and the fines associated with a data breach can discourage the robust use of health information technology.

Cyber-attacks on healthcare and public health facilities can come in many forms. They can include not only theft of patient records, but also disruptions from both sophisticated and uncoordinated attacks, such as unauthorized access of networked medical devices or malignant emails that may cause utility and power grid failures and other cascading disruptions across a facility, forcing hospitals to divert patients or rely on paper-based systems. Power and water utility outages at hospitals can force facilities to rely upon generator power and backup water supplies or go off line entirely. Power transmission and generation, heating, ventilation, and air conditioning, water, and patient oxygen supply in facilities are often controlled by Supervisory Control and Data Acquisition (SCADA) systems—networked computer control systems that can monitor and control multiple components in and between facilities. A cyber-attack could also result in the physical destruction of assets, such as backup generators. Disruption of assets and computer control systems automatically regulating facility environments and power systems would have devastating consequences for patient care, healthcare and public health facilities, and local communities.

The impact of cyber-attacks on healthcare and public health facilities can be organized into four categories:[iv][v]

  • Losses of integrity: Patients and practitioners may lose confidence in a healthcare provider’s ability to maintain patient privacy, due to perceptions of inadequate security. Legitimate information provided by government or expert sources transmitted via media and social media could be corrupted or distorted.
  • Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care. Cyber-attacks could also disrupt emergency telephone lines and EMS systems and slow or disable emergency medical response systems. Production of medical equipment or drugs could also be disrupted through manufacturing stoppages caused by cyber-attacks.
  • Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber-crime, including theft or loss of patient and private information. Another consideration is the connection between patient data and personal medical devices. Those devices carry security and privacy risks as they become increasingly networked and wireless.
  • Physical destruction of systems: Cyber-attacks could damage physical systems used to perform functions critical to healthcare and public health, such as regulating utilities, and could shut down or slow supply chains, impair patient care, and impede emergency response, potentially leading to significant loss of life. Medical and public health research institutions and laboratories may be vulnerable to power outages and computer breaches due to cyber threats. Loss of valuable research and disruption of systems used for the environmental controls for research animals, cadavers, infectious agents, and specimens could result from a cyber-attack. The loss of electricity or water during heat waves or cold spells will require response from public health to prevent loss of life. Cyber-attacks may also result in the failures of industrial safety systems, such as those used in chemical manufacturing, and could cause widespread illness and possibly death.

Public trust depends upon the sustainability, resilience, integrity, and availability of our national healthcare and public health critical infrastructure. Just as with many hazards public health must consider, preparing for, preventing, mitigating, and responding to the threat of cyber-attack to healthcare and public health facilities requires a holistic approach. Successful planning involves coordination, communication, and cooperation among federal, state, local, tribal, and territorial governments, as well as healthcare facilities, medical device and equipment manufacturers, telecommunications and utilities providers, and medical supply chain operators. This coordination happens through healthcare and public health leadership at the state and local level.

October is National Cyber Security Awareness Month (NCSAM), which is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cyber-security and increasing the resiliency of the nation in the event of a cyber-incident. To get involved in National Cyber Security Awareness Month 2014:

  • Stay tuned for more information about each week, including the 2014 Kick-Off.
  • Find or register a local event on the official calendar.
  • Get information on how your government, law enforcement, business, school, or organization can take action during National Cyber Security Awareness Month.
  • Teach elementary, middle, and high school students about Internet safety and security.
  • Post cyber-security tips, news, and resources highlighting NCSAM on social media sites during National Cyber Security Awareness Month.

The 2015 Preparedness Summit theme focuses on Global Health Security preparedness and how, in an increasingly interconnected world, public health threats can emerge on the other side of the globe and arrive within a day on the doorstep of our health departments, healthcare providers, schools, and more. Global health security includes threats to healthcare and public health from cyber-attack. If you would like to learn more about cyber-security threats, consider attending the Summit. If you have a story or lessons to share, submit a presentation abstract for the Summit or reach out to Justin Snair at jsnair@naccho.org.

By Justin Snair, Senior Program Analyst for Critical Infrastructure and Environmental Health Security at NACCHO and Matthew DeLeon, Program Analyst for Public Health Informatics at NACCHO.


[i] Anderson, Howard. “Utah Health Breach Affects 780,000.” HealthcareInfoSecurity. Information Security Media Group, Corp., 9 Apr. 2012. Web. 9 Aug. 2014.

[ii] Roman, Jeffery. “Montana Breach Victim Tally: 1.3 Million.” HealthcareInfoSecurity. Information Security Media Group, Corp., 25 Jun. 2014. Web. 9 Aug. 2014.

[iii] McGee, Marianne. “Hackers Hit Health System’s Server.” HealthcareInfoSecurity. Information Security Media Group, Corp., 6 Feb. 2014. Web. 9 Aug. 2014.

[iv] Synthesized from Barnett et al: Cyber Security Threats to Public Health. Institute of Medicine (2008) as adapted from Institute of Medicine, The Future of the Public’s Health in the 21st Century (2002) and U.S. Army Training and Doctrine Command, 2005

[v] Barnett, Daniel J., Tara Sell, Robert K Lord, James Terbush, and Thomas Burke. “Cyber Security Threats to Public Health.” World Medical & Health Policy. no. 1 (2013): 37-46. http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract (accessed August 9, 2013).

National Cyber Security Awareness Month Reminds Local Health Departments about Risk of Cyber-Attack


By Justin Snair, Senior Program Analyst for Critical Infrastructure and Environmental Health Security at NACCHO and Matthew DeLeon, Program Analyst for Public Health Informatics at NACCHO

The constant connection to the Internet has enabled us to stay connected to friends and family, coordinate within our communities, and find innovative solutions for our most pressing challenges. While this increased reliance on information technology has bettered our day-to-day lives, it has also increased the risk of theft, fraud, and a variety of other abuses. All organizations and industries are susceptible to a cyber-attack, including the healthcare and public health sectors. To engage and educate public and private sector partners, raise awareness about cyber security, and increase the resiliency of the nation in the event of a cyber-incident, events and initiatives have been planned throughout the month of October, which marks National Cyber Security Awareness Month. As data breaches and cyber-attacks become more costly, it is essential that all organizations, especially local health departments, place a high priority on defending their cyber infrastructure from cyber-attack.

The healthcare industry and public health patient information has often been viewed as a “soft target” for cyber-attacks. The Office for Civil Rights, which enforces privacy and security regulations for the U.S. Department of Health and Human Services, reported in February 2014 that 62 of more than 800 breaches of protected health information involved cyber-attacks.[1] Evidence suggests that many organizations are not sophisticated enough to detect data breaches, contributing to the low level of health-related cyber-attacks that are reported.[2] The very nature of most healthcare and public health organizations makes them susceptible to cyber-attacks for three reasons:

  • Security for health IT systems is not prioritized;
  • The high frequency of data exchange requires many open connections to a healthcare information system; and
  • The healthcare and public health workforce is largely untrained in cyber security practices.[3]

The value of health data provides a strong incentive to hackers who can illegally access patient information. New findings have shown that patient medical data on the black market can be worth almost ten times more than credit card information. Birth dates, billing information, and diagnosis codes, used by both healthcare providers and public health agencies, are the most valuable to data hackers. This is because they allow hackers to create fake IDs to purchase medical equipment, or file false claims with insurers by combining a patient number with a false provider number.[4]

This combination of factors makes health data breaches extremely costly and very large in scale. On August 18, Community Health Systems, one of the largest U.S. hospital groups, reported that they were the victim of a cyber-attack from China, which resulted in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. This attack is the largest of its type involving patient information since the U.S. Department of Health and Human Services started tracking such breaches in 2009.

Public health organizations have also been the victim of cyber-attacks in recent history. On May 22, the Montana Department of Public Health and Human Services announced that a cyber-attack was detected on the health department’s server, allowing a hacker to illegally access the protected health information of 1.3 million individuals.[5] On April 9, 2012, the Utah Department of Health announced that a cyber-attack occurred in which 780,000 individuals had their protected health information breached. In addition to their health records, it is estimated that 280,000 of these individuals had their social security numbers illegally accessed as well.[6] Cyber-attacks carry a large cost: patient trust can be irreparably damaged, and the fines associated with a data breach can discourage the robust use of health information technology.

Cyber-attacks on healthcare and public health facilities can come in many forms, such as theft of patient records and disruptions from both sophisticated and uncoordinated attacks. Examples include unauthorized access of networked medical devices and malignant emails that may cause utility and power grid failures and other cascading disruptions across a facility, forcing hospitals to divert patients or rely on paper-based systems. Power and water utility outages at hospitals can force facilities to rely upon generator power and backup water supplies or go off line entirely. Power transmission and generation, heating, ventilation, and air conditioning, water, and patient oxygen supply in facilities are often controlled by Supervisory Control and Data Acquisition systems—networked computer control systems that can monitor and control multiple components in and between facilities. A cyber-attack could also result in the physical destruction of assets, such as backup generators. Disruption of assets and computer control systems automatically regulating facility environments and power systems would have devastating consequences for patient care, healthcare and public health facilities, and local communities.

Local health departments are encouraged to review the impact of cyber-attacks on healthcare and public health facilities, which can be organized into four categories: [7][8]

  • Losses of integrity: Patients and practitioners may lose confidence in a healthcare provider’s ability to maintain patient privacy, due to perceptions of inadequate security. Legitimate information provided by governmental or expert sources transmitted via media and social media could be corrupted or distorted.
  • Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care. Cyber-attacks could also disrupt emergency telephone lines and EMS systems and slow or disable emergency medical response systems.
  • Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber-crime, including theft or loss of patient and private information. Another consideration is the connection between patient data and personal medical devices because those devices carry security and privacy risks as they become increasingly networked and wireless.
  • Physical destruction of systems: Cyber-attacks could damage physical systems used to perform functions critical to healthcare and public health, such as regulating utilities, and could shut down or slow supply chains, impair patient care, and impede emergency response, potentially leading to significant loss of life. Medical and public health research institutions and laboratories may be vulnerable to power outages and computer breaches due to cyber threats. Loss of valuable research and disruption of systems used for the environmental controls for research animals, cadavers, infectious agents, and specimens could result from a cyber-attack. The loss of electricity or water during heat waves or cold spells will require a response from public health to prevent loss of life. Cyber-attacks may also result in the failures of industrial safety systems, such as those used in chemical manufacturing, and could cause widespread illness and possibly death.

Public trust depends upon the sustainability, resilience, integrity, and availability of our national healthcare and public health critical infrastructure. Just as with many hazards public health must consider, preparing for, preventing, mitigating, and responding to the threat of cyber-attack to healthcare and public health facilities requires a holistic approach. Local health departments can successfully plan by coordinating, communicating, and cooperating with federal, state, local, tribal, and territorial governments, as well as healthcare facilities, medical device and equipment manufacturers, telecommunications and utilities providers, and medical supply chain operators.

The following opportunities provide ways to mark National Cyber Security Awareness Month 2014 at your local health department:

    • Get information about how your local health department can take action during National Cyber Security Awareness Month;
    • Find or register a local event on the official calendar;
    • Get involved with each awareness week as listed in this infographic;
    • Educate elementary, middle, and high school students about Internet safety and security; and
    • Post cyber security tips, news, and resources highlighting National Cyber Security Awareness Month on social media sites throughout the month of October.

Want to continue the conversation about cyber security? The 2015 Preparedness Summit, April 14-17 in Atlanta, will explore the theme, “Global Health Security: Preparing a Nation for Emerging Threats.” Sessions will focus on how, in an increasingly interconnected world, public health threats can emerge on the other side of the globe and arrive within a day on the doorstep of our health departments, healthcare providers, schools, and more. Global health security includes threats to healthcare and public health from cyber-attack. If you would like to learn more about cyber security threats, save your spot and register now for the Summit.


  1. Anderson, H. (2012, April 9). Utah health breach affects 780,000. Data Security Today. Retrieved Aug. 9, 2014, from http://www.databreachtoday.com/utah-health-breach-affects-780000-a-4667.
  2. Ibid.
  3. Reed, T. (2014, Aug. 21). Three reasons why data is such a big target in the health care sector – and what health practices can do about it. Washington Business Journal. Retrieved Oct. 8, 2014, from http://www.bizjournals.com/washington/blog/2014/08/3-reasons-why-health-care-data-is-such-a-security.html?page=all.
  4. Humer, C. and Finkle, J. (2014, Sept. 24). Your medical record is worth more to hackers than your credit card. Reuters. Retrieved Oct. 8, 2014, from http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924?feedType=RSS&feedName=healthNews.
  5. Roman, J. (2014, June 25). Montana breach victim tally: 1.3 Million. Data Breach Today. Retrieved Aug. 9, 2014, from http://www.databreachtoday.com/montana-breach-victim-tally-13-million-a-6992.
  6. McGee, M. (2014, Feb. 6). Hackers hit health system’s server. Data Breach Today. Retrieved Aug. 9, 2014, from http://www.databreachtoday.com/hackers-hit-health-systems-server-a-6481.
  7. Synthesized from Barnett et al: Cyber Security Threats to Public Health. Institute of Medicine (2008) as adapted from Institute of Medicine, The Future of the Public’s Health in the 21st Century (2002) and U.S. Army Training and Doctrine Command, 2005.
  8. Barnett, D. J., Sell, T., Lord, R.K., Terbush, J., and Burke, T. Cyber security threats to public health. World Medical & Health Policy 1: (2013): 37-46. Retrieved Aug. 9, 2014, from http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract.

Applications Due: DHS 2015 Cyber Student Volunteer Initiative


The Secretary’s Honors Program Cyber Student Volunteer Initiative is for current college students pursuing a program of study in a cybersecurity-related field. Selected students learn about the Department of Homeland Security’s (DHS) cybersecurity mission, complete hands-on cybersecurity work, and build technical experience in key areas such as digital forensics, network diagnostics, and incident response. Additionally, students participate in mentoring and professional development activities with DHS managers and senior leaders from across components. DHS expects to place more than 75 student volunteers at more than 50 DHS offices in 2015.

Learn more and apply by December 12.

Ransomware Attacks on the Healthcare and Public Health Sector: A Message from the Secretary of Health and Human Services


The healthcare and public health sectors are vital to the health and security of the nation. These sectors are also increasingly becoming the target of cybersecurity attacks. These attacks include “ransomware,” where an attacker gains access to an organization’s system, encrypts their data, and holds the information hostage until the organization agrees to pay. The MedStar Health System fell victim to an attack in March 2016, which forced them to shut down IT systems to several hospitals and outpatient centers in the Washington, D.C. area, and prevented the organization from accessing important patient records [1]. Other healthcare systems and hospitals in California, Kansas, Kentucky, and Indiana have also been victims of ransomware attacks in recent months [2].

Ransomware attacks create immediate disruption to daily activities, and in the case of the healthcare and public health sector, can challenge our ability to provide quality care for patients and the community, as well as imperil the security of patients’ financial and medical information. In response to this threat, the Secretary of Health and Human Services (HHS) released a letter and accompanying resources to educate and assist public health and healthcare organizations in protecting against and reporting these types of attacks to authorities.

It is critical that public health officials engage with their law enforcement and healthcare partners to understand the cybersecurity threats in their communities and what to do, should they fall victim to an attack. Local health departments are encouraged to share the Secretary’s letter and resources with other healthcare entities in their jurisdictions.

Listed below are some additional resources available to state and local public health related to cybersecurity:

***

[1] Source: The Washington Post and HealthCare IT News

[2] Source: CSO Online and HealthCare IT News

Comment on the National Cyber Incident Response Plan


The U.S. Department of Homeland Security (DHS) is now accepting public comments on the National Cyber Incident Response Plan (NCIRP) through 5:00 PM EDT, October 31, 2016. All comments and questions can be submitted to FEMA-NCIRP-engagement@fema.dhs.gov. This plan formalizes incident response practices that have been developed over the past few years and will further detail organizational roles, responsibilities, and actions to prepare for, respond to, and coordinate the recovery from a significant cyber incident. This plan builds upon PPD-41 and includes the private sector and other levels of government. The draft NCIRP can be viewed at www.us-cert.gov/ncirp. DHS will adjudicate public comments in November and December and will submit the final draft of the NCIRP to the White House in January 2017.

DRAFT National Cyber Incident Response Plan
NCIRP Feedback Submission Form

Additionally, DHS is hosting a series of 60-minute engagement webinars to highlight key proposed changes to NCIRP and answer participant questions about submitting feedback. The NCIRP webinar dates and registration links are:

  • Thursday, October 13th 11 am: https://fema.connectsolutions.com/ncirpengagement3/event/event_info.html
  • Thursday, October 20th 1pm: https://fema.connectsolutions.com/ncirpengagement4/event/event_info.html

Potential Hurricane Matthew Phishing Scams


The following information and resources are being shared by the Assistant Secretary for Preparedness and Response to inform healthcare and public health sector partners about the potential for phishing scams following Hurricane Matthew.

In the wake of Hurricane Matthew, malicious actors are using the disaster to perpetrate phishing scams. Users should exercise caution when receiving e-mails related to Hurricane Matthew, including those that contain links and attachments or that request donations. Please see the additional information below and steps users can take to avoid phishing scams. Contact law enforcement if you suspect your organization is the victim of a phishing scam.

Department of Homeland Security: https://www.us-cert.gov/ncas/current-activity/2016/10/11/Potential-Hurricane-Matthew-Phishing-Scams

Multi-State Information Sharing & Analysis Center: https://msisac.cisecurity.org/whitepaper/documents/MS-ISAC%20Security%20Primer%20-%20Phishing%5b2%5d.pdf 

 

 


Critical Infrastructure Partnership Advisory Council Plenary Session


The Critical Infrastructure Partnership Advisory Council (CIPAC) met on Tuesday, October 18. The CIPAC plenary brought together federal partners and private sector representatives to discuss key priorities in critical infrastructure resiliency and protection. Secretary Jeh Johnson was the keynote speaker, providing an overview of security and management initiatives within the Department of Homeland Security. Panel presentations included discussions on critical infrastructure cyber and physical risks; enhanced incident response and recovery; collaboration across sectors, resilience decision making, and information sharing. A large focus of the meeting was on the continued strengthening of public-private partnerships to enhance critical infrastructure protection and information sharing, and how the partnership can help address the evolving cybersecurity risk.

More information about the CIPAC meeting can be found here.

General information about CIPAC and the Healthcare and Public Health critical infrastructure sector partnership can be found here.

Newly Released: National Cyber Incident Response Plan


The Department of Homeland Security (DHS) recently released the National Cyber Incident Response Plan (NCIRP). DHS led the development of this document, in coordination with the Departments of Justice and Defense, the Office of the Director of National Intelligence, the Sector Specific Agencies (SSAs) and other interagency partners, representatives from across 16 critical infrastructure sectors, others in the private sector, and state and local governments.

This Plan applies to cyber incidents, and more specifically those with a high likelihood of resulting in demonstrable harm to the nation’s security interests, foreign relations, and/or economy, as well as the public confidence, civil liberties, or public health and safety of the American people.

The NCIRP includes the following:

  • Description of a national approach to dealing with cyber incidents, emphasizing the important role played by the private sector, states, and multiple federal agencies and how the actions of all relevant stakeholders fit together for an integrated response;
  • Reflection on lessons learned from exercises and real U.S. incidents and policy updates, such as Presidential Policy Directive (PPD)-41 on Cyber Incident Coordination Policy and the National Cybersecurity Protection Act of 2014;
  • Explanation of the roles taken on by lead Federal agencies during a significant cyber incident.

To view the entire NCIRP, please follow this link.

Foreign Cyber Threats: 2017 Joint Statement Now Online


The Naval Postgraduate School Center for Homeland Defense and Security recently posted a digital version of the January 5, 2017 Joint Statement for the Record to the Senate Armed Services Committee regarding Foreign Cyber Threats to the United States. This online overview is formatted as a microsite and includes an introductory page, the joint statement featured in written and full video versions as well as a number of supporting documents and visuals. Some of the resources include commercial and security consequences, physiological consequences, foreign cyber policies, diplomacy, cyber warfare and more.

Access the full online resource at this link.

DHS to Host Webinars on National Cyber Incident Response Plan


This past January, the Department of Homeland Security (DHS) released the National Cyber Incident Response Plan (NCIRP). This is an essential component of DHS’s mission to strengthen the security and resilience of the Nation by working to improve the ability of all to manage cyber incidents.  Please join them for one of the four webinar sessions hosted on the Homeland Security Information Network (HSIN) at 3:00 p.m. (EST) on March 27-30, 2017.  Please see the logistical information below as each webinar session will cover the same information. 

NCIRP Stakeholder Webinar #1
Date: Monday March 27, 2017
Start Time: 3:00 pm ET
URL: https://share.dhs.gov/r3fctx11w2x/
Conference number: 1-800-320-4330
Passcode: 372094

NCIRP Stakeholder Webinar #2
Date: Tuesday March 28, 2017
Start Time:  3:00 pm ET
URL: https://share.dhs.gov/r8bvryj2nu9/
Conference number: 1-800-320-4330
Passcode: 372094

NCIRP Stakeholder Webinar #3
Date: Wednesday March 29, 2017
Start Time: 3:00 pm ET
URL: https://share.dhs.gov/r6cmtu0qngo/
Conference number: 1-800-320-4330
Passcode: 372094

NCIRP Stakeholder Webinar #4
Date: Thursday March 30, 2017
Start Time: 3:00pm ET
URL: https://share.dhs.gov/r22skziadr4/
Conference number: 1-800-320-4330
Passcode: 372094

Cyber Threats for the Healthcare and Public Health Sector


Ransomware: A Prime Cyber Threat for the Healthcare and Public Health Sector

The Department of Homeland Security (DHS) Office of Cybersecurity and Infrastructure Analysis (OCIA) has released a new document titled “Ransomware – A Prime Cyber Threat for the Healthcare and Public Health Sector – 21 June 2017.”  This document is intended to inform infrastructure and cybersecurity professionals in the Healthcare and Public Health Sector about the threats and potential consequences of successful ransomware attacks against the Sector. OCIA developed this using government and open source reporting and has high confidence in the accuracy of the multiple government reports referenced. The report is available here. Additionally, the FBI Internet Crime Complaint Center (IC3) has released its 2016 Annual Report highlighting the numbers and common types of complaints received during 2016 on suspected Internet fraud and other Internet-based crimes.  The report is available for viewing here.

If your local health department is not able to access the report or you have additional questions, please contact NACCHO at preparedness@naccho.org.

If you would like to receive notifications about cyber and other threats to healthcare and public health critical infrastructure, please contact CIP@HHS.gov.

International Ransomware Campaign Impacting Healthcare and Public Health Sector (UPDATED)


The U.S. government is aware of an international ransomware campaign that may be affecting Healthcare and Public Health Sector assets in addition to other Sectors. The Critical Infrastructure Program within the Assistant Secretary for Preparedness and Response (ASPR) has provided the following information and resources. Please feel free to share this information with your health department’s information security officials and partners in the healthcare sector.

To receive updates and information from ASPR on healthcare and public health critical infrastructure, including cyber threats, sign up for the mailing list here: https://www.phe.gov/Preparedness/planning/cip/Pages/mailinglist.aspx

If you are the victim of a ransomware attack

If your organization is the victim of a ransomware attack, HHS recommends the following steps:

  1. Please contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or US Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).
  3. If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
  4. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC@hhs.gov

 

Mitigating against this threat

  • *new* Our partners at NH-ISAC have tested a “vaccine” that has been reported as potentially helpful for systems that have not been impacted. The “vaccine” may also help limit the spread of infection. Use of this “vaccine” should not preclude proper patching, as it only prevents harm from one specific strain of malware. When using this vaccine, consider any potential business impact. The “vaccine” consists of creating the file C:\Windows\perfc and setting its permissions to READ ONLY. As with any patch/update, this modification should be evaluated before implementation by appropriate system security personnel. For further information on this “vaccine” please visit https://nhisac.org/nhisac-alerts/petya-ransomware-updates/
  • Educate users on common Phishing tactics to entice users to open malicious attachments or to click links to malicious sites.
  • Patch vulnerable systems with the latest Microsoft security patches: https://technet.microsoft.com/en-us/security/bulletins.aspx
  • Verify perimeter tools are blocking Tor .Onion sites
  • Use a reputable anti-virus (AV) product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
  • Monitor US-CERT for the latest updates from the U.S. government.  See below for current reporting.
  • Utilize HPH Sector ISAC and ISAO resources.  See below for further information.
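The marker-file step in the first bullet can be applied and verified repeatably with a short script. The PowerShell below is an added example, not code from NH-ISAC or HHS; it assumes that "READ ONLY" means the file's read-only attribute, and the parameter and function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from NH-ISAC or HHS): idempotently create and verify the
# read-only C:\Windows\perfc marker file described in the advisory text.
# Run with -WhatIf first to preview the changes without making them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path taken from the advisory; the parameter name is hypothetical.
    [string]$MarkerPath = 'C:\Windows\perfc'
)

$ErrorActionPreference = 'Stop'

function Get-MarkerState {
    # Hypothetical helper: reports whether the marker exists, is a file, and is read-only.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    $isFile = [bool]($item -and -not $item.PSIsContainer)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Exists       = [bool]$item
        IsFile       = $isFile
        IsReadOnly   = [bool]($isFile -and $item.IsReadOnly)
    }
}

$before = Get-MarkerState -Path $MarkerPath

if ($before.Exists -and -not $before.IsFile) {
    # A directory with this name is unexpected; flag it for review instead of changing it.
    Write-Warning "$MarkerPath exists but is not a file; leaving it unchanged."
}
else {
    if (-not $before.Exists -and
        $PSCmdlet.ShouldProcess($MarkerPath, 'Create empty marker file')) {
        New-Item -ItemType File -Path $MarkerPath | Out-Null
    }
    if (-not $before.IsReadOnly -and
        $PSCmdlet.ShouldProcess($MarkerPath, 'Set read-only attribute')) {
        Set-ItemProperty -LiteralPath $MarkerPath -Name IsReadOnly -Value $true
    }
}

# Emit the final state as an object so results from many hosts can be collected.
$after = Get-MarkerState -Path $MarkerPath
$after | Add-Member -NotePropertyName Compliant `
    -NotePropertyValue ($after.IsFile -and $after.IsReadOnly) -PassThru
```

The `Compliant` column only reports on the marker file; as the advisory notes, it says nothing about whether the system is patched.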

US-CERT Resources

Multiple Petya Ransomware Infections Reported

06/27/2017 12:56 PM EDT

Original release date: June 27, 2017

US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how to best protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

 

Additional resources

National Health Information-Sharing and Analysis Center has shared the following TLP-White Message and will continue to share information at nhisac.org.

HITRUST has shared the following Threat Bulletin for distribution.

*new* HIMSS: http://www.himss.org/news/notpetya-another-global-malware-epidemic-hitsecurity

The Public Health Emergency Preparedness Landscape: Findings from the 2016 Preparedness Profile Assessment


In June 2016, NACCHO conducted the second Preparedness Profile assessment to gather information about preparedness trends and emerging issues at local health departments (LHDs). The results from this assessment provide a better understanding of the strengths, gaps, and opportunities in local public health preparedness. Furthermore, its findings inform priorities at the local, state, and national levels, and influence NACCHO’s preparedness activities.

The 2016 Preparedness Profile assessment was distributed online via Qualtrics Survey Software™ to a statistically representative sample of 871 preparedness coordinators, stratified by jurisdiction population size. Preparedness coordinators are individuals identified by LHDs as having a significant responsibility for leading or coordinating an LHD’s disaster/emergency preparedness planning and response activities. Large LHDs (population 500,000+) were oversampled, and results were weighted to adjust for both oversampling and non-response.

Preparedness coordinators were asked to respond to 18 closed- and open-ended questions about their LHDs’ preparedness workforce, planning, and activities, including topics regarding current and emerging threats, healthcare coalitions, administrative preparedness and the National Health Security Strategy. A total of 458 preparedness coordinators completed the assessment for a response rate of 53 percent. During the analysis phase, NACCHO took into account the results of this and the 2015 Preparedness Profile assessment results, as well as qualitative information provided by members through NACCHO workgroups and programmatic activities.

Some of the highlights of the results of this assessment include:

  • Approximately one third of LHDs reported a decrease in preparedness staff, mainly among larger LHDs. Compared to 2015, 12 percent more LHDs reported staffing decreases.
  • Most preparedness coordinators (73%) in large LHDs dedicate all their time to preparedness efforts, while preparedness coordinators in smaller LHDs spend their time working in a variety of public health areas.
  • Most LHDs reported excellent partnerships with emergency management services, emergency management agencies, and hospitals. LHDs were least likely to report strong partnerships with pharmacies and local businesses.
  • In both 2015 and 2016, the majority of LHDs reported being members of a regional healthcare coalition to plan and implement preparedness activities.
  • LHDs most frequently selected terrorism-related events and accidental nuclear/radiation releases as the current threats they feel least prepared to address.
  • Extreme weather and infectious diseases are the top global/emerging threats that LHDs are most concerned will affect their community in the future.
  • Overall, the broadest range of activities conducted by LHDs in the past year were focused on medical countermeasure, community preparedness, and infectious disease topics. Conversely, LHDs most often report not conducting any preparedness activities in climate change/adaptation, cybersecurity, and counterterrorism and response.
  • Approximately half (51%) of LHDs were not aware of the National Health Security Strategy, but this has decreased slightly from 2015.

This annual assessment represents a significant contribution by preparedness coordinators to the knowledge base of the overall state of preparedness personnel, infrastructure, and practice at LHDs. The results should help inform national, state, and local preparedness activities and priorities for the future.

For more information about the assessment results and NACCHO’s specific recommendations, please refer to the final report. If you have any questions, or would like more information, please e-mail preparedness@naccho.org.


Webinar: Health and Public Health Cyberdependencies


The Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (OCIA), with the support of the Office of Cybersecurity and Communications, invites you to participate in a webinar discussion about its recent analysis of healthcare and public health cyberdependencies. In addition, the Department of Health and Human Services will provide an overview of prioritization plans related to the recent findings from the Cyber Task Force’s report to Congress and an operational review of the new Healthcare Cybersecurity and Communications Integration Center.

The intended audience includes federal, state, local, and private sector healthcare and public health stakeholders and decision makers who are interested in gaining a better understanding of the risks involved with critical infrastructure systems and interdependencies.

EVENT DETAILS
Date: August 15, 2017
Time: 1:00-2:00 PM Eastern

REGISTRATION
Register HERE with your HSIN credentials.
If you do not have a HSIN account, please use the direct meeting link at the webinar’s scheduled date and time.

Speakers:
Alexander Reniers, DHS/OCIA
Kevin James, DHS/CS&C/ITA
Maggie Amato, Dept. of Health and Human Services
Steve Curren, Dept. of Health and Human Services
Leo Scanlon, Dept. of Health and Human Services

For more information, contact OCIA at OCIA@hq.dhs.gov.

NH-ISAC 2017 Fall Summit: Cyber Rodeo


The National Health – Information Sharing and Analysis Center (NH-ISAC) is hosting their 2017 Fall Summit on November 28-30 in Scottsdale, AZ. The theme is “Cyber Rodeo” and the summit will feature sessions on medical device cyber security, securing health IT, and lessons learned from past cyber attacks. More information is available on the NH-ISAC website here: https://nhisac.org/events/cyber-rodeo/

Location:

Fairmont Scottsdale Princess
7575 E. Princess Drive
Scottsdale, AZ 58255

Registration: https://nhisac.org/events/event-registration-login/

 

Workshop: Best Practices in Cyber Security


In association with the National Health- Information Sharing and Analysis Center (NH-ISAC), the Georgia Rural Health Association is hosting a free workshop titled “Basic Best Practices in Cybersecurity” in Savannah, Georgia on December 13 at 1:30 p.m. ET. Topics will include:

  • The Cyber Threat Landscape: High-level overview of the various cyber threats facing healthcare, such as ransomware, phishing, and DDoS, and their potential impacts on healthcare organizations.
  • Importance of Information Sharing: An overview of the role of information sharing in helping protect healthcare organizations from potential threats through situational awareness and mitigation strategies.
  • NIST CSF Basic Best Practices in Cybersecurity: Basic cyber hygiene and best practices.  A discussion of simple strategies that healthcare organizations can employ that will go a long way in protecting against cyber threats. The session will cover best practices used within industry and will offer practical insights from cyber security practitioners.

For more information on the event and to register, go to the NH-ISAC registration site.

Health Department Perspectives Needed for Cybersecurity Committee


The Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (ASPR), in coordination with NACCHO, is seeking to learn more about the needs of public health and healthcare organizations related to cybersecurity preparedness. As part of this project, NACCHO and ASPR will set up a committee of federal, state, and local representatives from public health, healthcare, information technology, homeland security, and other relevant fields, to examine cybersecurity preparedness measures for public health and healthcare information technology systems and recovery and information needs for public health and healthcare organizations in the event that cyber threats compromise their organizational information technology systems.

NACCHO will use the information gathered from the committee to generate a needs assessment and an analytical report to inform future national and federal cybersecurity efforts and to also produce resources that can help public health and healthcare organizations prepare for cyber threats.

Committee meetings will take place on a monthly basis via conference call starting in January 2018 and continuing through June 2018. NACCHO welcomes a range of local public health and healthcare perspectives including those within rural communities and those within larger cities and encourages persons who have done cybersecurity related planning to participate in this committee. If you are interested in hearing more about this committee, please contact Raymond Puerini at rpuerini@naccho.org or 202-507-4257 by Dec. 22, 2018.

Cybersecurity Notification: SamSam Ransomware Campaign


A recent wave of cyber “ransomware” attacks known as SamSam has impacted healthcare and governmental organizations throughout the country. The following unclassified summary of SamSam was adapted from a report developed by the Healthcare Cybersecurity and Communications Integration Center (HCCIC), in coordination with the HHS Computer Security Incident Response Center (CSIRC).

In 2018, there have been at least eight separate cyber-attacks on healthcare and government organizations utilizing a form of ransomware known as SamSam. This has included two Indiana-based hospitals, an electronic health record provider, and various  systems and public services in Colorado, North Carolina, New Mexico, and Atlanta, Georgia.

Authorities believe these attacks are not necessarily targeted and appear to be more opportunistic in nature. As in previous campaigns, attackers are believed to gain initial access to the target systems through open vulnerabilities, before gaining access to additional computers once inside the network and deploying the SamSam malware.

To prevent attackers from gaining access to servers via RDP, as is the case with many ransomware events, the following mitigation strategies are recommended:

  • restrict access behind firewalls and by using an RDP Gateway or VPNs
  • use strong/unique usernames and passwords with two-factor authentication (2FA)
  • limit users who can log in using remote desktop
  • implement an account lockout policy to help thwart brute force attacks (set a maximum number of attempts before locking out the account)
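Three of the mitigations above (firewall restriction, limited RDP users, account lockout) can be checked on a Windows host from local configuration. The PowerShell below is an added example, not part of the HCCIC report; the function names and the wording of the findings are this example's own, and it does not assess 2FA, gateways or VPNs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the HCCIC report): local audit of the RDP mitigations
# listed above. All function names are hypothetical.

function Test-RdpEnabled {
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return ($ts.fDenyTSConnections -eq 0)   # 0 = remote desktop connections allowed
}

function Get-OpenRdpFirewallRule {
    # Enabled inbound allow rules for TCP 3389 that accept any remote address.
    # Limitation: rules that cover 3389 through a port range are not matched.
    Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $port.Protocol -eq 'TCP' -and
                $port.LocalPort -contains '3389' -and
                $addr.RemoteAddress -contains 'Any'
        } |
        Select-Object -ExpandProperty DisplayName
}

function Get-RdpGroupMember {
    # S-1-5-32-555 is the built-in Remote Desktop Users group (locale independent).
    # Members of Administrators can also log on over RDP by default.
    Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

function Get-LockoutThreshold {
    # Export the security policy and read LockoutBadCount (0 = accounts never lock).
    $cfg = Join-Path $env:TEMP "secpol-$PID.inf"
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
        $hit = Select-String -Path $cfg -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' |
            Select-Object -First 1
        if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
    }
    finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

$rdpEnabled = Test-RdpEnabled
$openRules  = @(Get-OpenRdpFirewallRule)
$members    = @(Get-RdpGroupMember)
$threshold  = Get-LockoutThreshold

# Findings map one-to-one onto the mitigation bullets; the wording is this example's own.
$findings = New-Object System.Collections.Generic.List[string]
if ($rdpEnabled -and $openRules.Count -gt 0) {
    $findings.Add('Host firewall allows RDP from any remote address')
}
if ($rdpEnabled -and $members.Count -gt 0) {
    $findings.Add("Review Remote Desktop Users membership ($($members.Count) entries)")
}
if ($null -eq $threshold -or $threshold -eq 0) {
    $findings.Add('No account lockout threshold is set')
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RdpEnabled        = $rdpEnabled
    OpenRdpRules      = $openRules
    RdpGroupMembers   = $members
    LockoutThreshold  = $threshold
    Findings          = $findings.ToArray()
}
```

The host firewall check does not see perimeter firewalls, so an empty `OpenRdpRules` result is not evidence that RDP is unreachable from the internet.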

The following practices should be considered to help ensure business and healthcare continuity in the face of potential disruptions from ransomware or other factors:

  • Back up data regularly, and verify the integrity of those backups and test the restoration process to ensure it is working
  • Conduct an annual penetration test and vulnerability assessment
  • Secure your backups – ensure backups are not connected permanently to the computers and networks they are backing up. Examples include securing backups in the cloud or physically storing backup data offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously backup in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if infected, a backup may be the best way to recover critical data.

For more information, view the full report. For questions relating to the content in the report e-mail the HCCIC at HHSHCCIC@HHS.GOV.

This posting is being shared on behalf of the Healthcare and Public Health sector. 
