CHIEF INFORMATION OFFICER

Transcription

1 OFFICE OF THE CHIEF INFORMATION OFFICER DEPARTMENT OF HEALTH AND HUMAN SERVICES U. S. D E P A R T M E N T O F H E A L T H A N D H U M A N S E R V I C E S Public-Private Collaboration - Bridging the Gap to Protect Health Information December 2014

2 Cyber State of the Healthcare & Public Health Sector (HPH) (U) Cyber actors will likely increase cyber intrusions against health care systems to include medical devices The biggest vulnerability was the perception of IT health care professionals beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise. According to open source reporting from SANS, Ponemon, and EMC²/RSA, the health care industry is not technically prepared to combat against cyber criminals basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). dated March 2013, 63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. FBI PIN #: Source: FBI Cyber Division, Private Industry Notification, (U)Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, 17 April Page 2

3 Improving Critical Infrastructure Cybersecurity It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. - Executive Order -- Improving Critical Infrastructure Cybersecurity Source: Page 3

4 Healthcare & Public Health Sector and Security Vision The HPH Sector will achieve overall resilience against all hazards. It will prevent or minimize damage to, or destruction of, the Nation s healthcare and public health infrastructure. It will strive to protect its workforce and preserve its ability to mount timely and effective responses (without disruption to services in unaffected areas) and to recover from both routine and emergency situations. Mission To sustain the essential functions of the Nation s healthcare and public health delivery system and to support effective emergency preparedness and response to nationally significant hazards by implementing strategies, evaluating risks, coordinating plans and policy advice, and providing guidance to prepare, protect, prevent, and, when necessary, respond to attacks on the Nation s infrastructure, and support the necessary resilience in infrastructure to recover and reconstitute healthcare and public health services. Goal 4: Cybersecurity Mitigate risks to the sector s cyber assets that may result in disruption to or denial of health services. Source: Healthcare and Public Health Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, Page 4

5 The HPH Sector Ecosystem HPH Sector Elements Source: Healthcare and Public Health Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, Page 5

6 HPH Sector Dependencies HPH Sector is dependent on other sectors Source: Healthcare and Public Health Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, Page 6

7 Layers of Collaboration Page 7

8 Opportunities for Information Sharing Page 8

9 Example 1: HPH Cyber Threat Exercise Scenarios HHS Cyber Scenario 1 Large Virginia hospital cyber security team detects unauthorized outbound connections. After further investigation they decide to make firewall changes to block the source and destination IP connections. Injection 1: Immediately after the IP is blocked at the firewall, the firewall logs start filling up with one source IP identified as an internal server. Further analysis quickly reveals this internal server is a Command & Control server and possessing files with patient medical records. Injection 2: Reporter blogs about a tip that a major hospital has been breached and the actor has patient data on high profile people. The actor states the best is yet to come. Injection 3: News Agency reports that a Pastebin posting shows the medical record of a Virginia Senator that describes his terminal illness in detail. Injection 4: Large Virginia hospital receives an demanding $5 million dollars to be wired to an offshore account or they will start to release the medical records of the 15 senators the hospital has been treating for the last 10 years. Page 9

10 Example 2: HPH Cyber Threat Exercise Scenarios HHS Cyber Scenario 2 Local news reports a Doctor in California is being interrogated on suspicion of altering radiology readings. Injection 1: Industry partner releases a Threat Intelligence Report notifying the health community of a foreign actor forum thread discussing an unidentified medical device vulnerability which has been undetected for months. The foreign actors are known to be associated with fraud activity. Injection 2: Local news report the Doctor is a radiologist and altered his patients x-ray images generated on the x-ray machine. Injection 3: It s reported the FBI is now supporting the investigation, leading to speculation this could be a federal crime. Injection 4: Foreign actor internet blog is found to report that several x-ray machines have been infected across the U.S. with software that randomly adds a mass to images. Injection 5: The FBI reports the Doctor paid hackers to develop malware to randomly add a mass to his patient s images so he could diagnose his patients, administer treatments, and charge for expensive treatments they didn t need. It appears the Doctor thought the actors gave him the only working version of the malware; however, it is believed the actors sold the malware on the black market to the highest bidder(s). The FBI is presently investigating all potential infections of x-ray machines and the potential impact to hospitals and patients. CyberRX 2.0 Level I Playbook Participant and Facilitator Guide: Page 10

11 Real Life Threats Real Life Threats Imagine receiving a diagnosis of cancer and then having to go through chemotherapy or other intensive treatments. Then imagine finding out that you never had cancer in the first place and that your doctor whom you trusted implicitly merely used you in his scheme to fraudulently bill the federal Medicare program and private insurance companies for hundreds of millions of dollars. That s exactly what happened to patients of Dr. Farid Fata, a Detroit-area hematologist and oncologist. And it was not only cancer diagnoses. Some patients were told, wrongly, that they had other conditions which required expensive intravenous therapies, medications, and diagnostic tests...all of which jeopardized their health and wellbeing. Source: Egregious Case of Health Care Fraud, Cancer Doctor Admits Prescribing Unnecessary Chemotherapy. November 6, Retrieved from Page 11

12 Scenario vs. Real Life HHS Cyber Scenario 2 Local news reports a Doctor in California is being interrogated on suspicion of altering radiology readings. Doctor altered his patients x-ray images generated on the x-ray machine FBI is now supporting the investigation The FBI reports the Doctor paid hackers to develop malware to randomly add a mass to his patient s images so he could diagnose his patients, administer treatments, and charge for expensive treatments they didn t need. Real Life Threats Imagine receiving a diagnosis of cancer and then having to go through chemotherapy or other intensive treatments. Then imagine finding out that you never had cancer in the first place and that your doctor whom you trusted implicitly merely used you in his scheme to fraudulently bill the federal Medicare program and private insurance companies for hundreds of millions of dollars. That s exactly what happened to patients of Dr. Farid Fata, a Detroit-area hematologist and oncologist. And it was not only cancer diagnoses. Some patients were told, wrongly, that they had other conditions which required expensive intravenous therapies, medications, and diagnostic tests...all of which jeopardized their health and well-being. Page 12

13 Example 3: Healthcare Threat Operations Center Healthcare Threat Operations Center (HTOC) The HTOC is a partnership of the HPH federal partners strategically and operationally merging cyber security operational capabilities in an effort to improve each partners cyber security capabilities, provide cost saving solutions, and advancements through centralized optimization. HTOC will provide the largest real-time federal healthcare sector cyber threat window under one roof. HPH Federal Partners Department of Veterans Affairs Network Security Operations Center (VA- NSOC) Space and Naval Warfare Systems Center Atlantic s Network Security Operations Center (SPAWAR NSOC) Department of Health & Human Services Computer Security Incident Response Center (HHS CSIRC) Page 13

14 We Each Have a Role to Play Page 14

15 Questions Robert Foster Deputy Chief Information Officer, Acting Chief Information Security Officer U.S. Department of Health and Human Services Sara Hall Deputy Chief Information Security Officer U.S. Department of Health and Human Services Reference: CyberRX 2.0 Level I Playbook Participant and Facilitator Guide: Page 15