cybercrime: a new kind of disaster · hhs aspr role in cyber response § aspr leads emergency...

Cybercrime: A New Kind of Disaster HealthcareSecurityForum.com/Boston/2017 #HITsecurity SEPTEMBER 11–13, 2017 BOSTON, MA


Post on 28-May-2020


Page 1: Cybercrime: A New Kind of Disaster · HHS ASPR Role in Cyber Response § ASPR leads Emergency Support Function (ESF) 8, Public Health and Medical Services, in the National Response



HIMSS Security Presentation

September 2017


Chris Wlaschin

Chief Information Security Officer and Executive Director, Information Security

Office of the Chief Information Officer

Department of Health and Human Services

Chris Wlaschin oversees cybersecurity for the Department of Health and Human Services, a cabinet-level department with a $1.1 trillion budget, including $14 billion in IT spending. HHS has 11 Operating Divisions including the FDA, CDC, CMS, NIH and others. As the Executive Director for Information Security and Chief Information Security Officer, he is responsible for leading cybersecurity efforts across HHS, as well as building collaborative relationships and sharing best practices for cybersecurity across the healthcare and public health sectors.

Before joining the HHS team, Chris served as the Senior Director for Information Security and Infrastructure for NRC Health, and as the CISO for the University of Nebraska system. Prior to that, Chris was the Associate Deputy Assistant Secretary for Security Operations, Information Security for the Department of Veterans Affairs. Chris also served as Chief Information Officer (CIO) for the US Navy’s Military Sealift Command.

Chris is a member of the Executive Committee of the American Council on Technology (ACT), and is a Fellow at the Institute for Critical Infrastructure Technology (ICIT). Chris served with distinction in the US Navy for over 28 years in a variety of leadership roles.


Healthcare and Public Health Subsectors


Resilient People. Healthy Communities. A Nation Prepared.

Healthcare and Public Health Critical Infrastructure

Through collaboration with government and private sector partners, CIP enhances the security and resilience of Healthcare and Public Health Critical Infrastructure


HHS Organizational Structure

[Figure: HHS organizational chart for the Department of Health and Human Services. Labels: Security Operations; IT Operations; Large OpDivs; Small OpDivs. Components shown: CDC, CMS, FDA, IHS, NIH, OS, ACF, ACL, AHRQ, SAMHSA, HRSA, ASA, ASFR, OASH, ASL, ASPE, ASPR, ASPA, OCR, DAB, OGC, OGA, OIG, OMHA, ONC, OCIO, OBMT, OHR, OSSI, PSC, OIS, OEAD, OSPG, ITIO, HHS OIS, OS OIS, ESS, PIM.]

HHS is a large, complex and highly federated environment. It consists of both large and small OpDivs, StaffDivs, and capability specific support groups managing infrastructure at varying levels. Each component has a specific focus alongside varying missions, visions and goals. These inform how those components view information security and data overall.


Office of Information Security

The HHS Office of Information Security (OIS) is tasked with implementing a comprehensive, enterprise-wide cybersecurity program to protect the critical information with which the HHS is entrusted. To accomplish this, HHS provides and engages in:

•  Implementing specific cybersecurity capabilities

•  Cultivating cybersecurity partnerships in the public and private sectors

•  Engaging in HHS-wide security collaboration activities

•  Enhancing HHS’ security capabilities through current and future programs and projects


HHS Cyber Facts

What does HHS Cybersecurity Protect?

•  Healthcare delivery – IHS cares for 80,000 patients in 34 states

•  Financial – CMS pays out $1M every minute in benefits 24/7/365.

•  FDA protects Intellectual Property for medicine and medical devices

•  NIH and CDC conducting critical research with world-wide partners requiring open sharing of information

2016 Highlights

•  9,047 cybersecurity incidents in FY 2016

•  Joint Federal Healthcare Threat Operation Center led 465 investigations and 14 identifiable threats leading to actionable case for prosecution.

•  Biggest threats: Phishing & Ransomware

Last Month

•  FDA had over 1.6 billion security breach attempts

•  HHS investigated 5,226 incidents of spam; 450 were found to be malicious.

•  HHS ran over 600 vulnerability scans covering over 120,000 HHS web pages

2017

•  $1.1T

•  $12.6 billion IT budget

•  $315.5 million for cybersecurity

•  2.5% of budget

•  Average is 6-8%

Operating divisions each with unique initiatives, focuses and capabilities

•  350 separate information systems – some with hundreds of sub-systems, components for

•  More than 280,000 hardware assets across the

Awards

•  ISC2 2016 Chief Information Security Officer – IHS

•  ISC2 2016 Best Cyber program – HHS CyberCare runner-up

Partners and Collaborators protecting Healthcare Sector

•  Threat sharing information that is actionable and makes sense

Committees

•  Chair ISC2

•  CHIME

•  HIMSS


Healthcare Cybersecurity Communications Integration Center (HCCIC)

HCCIC seeks to strengthen and improve healthcare cybersecurity through the implementation of the Cybersecurity Act of 2015. By improving engagement in HHS, coordinating analysis and reporting on real-time threats, and building partnerships among the healthcare sector, we can strengthen & improve healthcare industry cybersecurity.


Goals of the HCCIC

Reporting

•  Strengthen reporting and increase awareness of healthcare cyber threats across the HHS enterprise

•  Support the Secretary, ASPR, ONC and OSSI through coordination of cyber information sharing with the sector

•  360-degree view of HHS cyber operations

Partnerships

•  Enhance public-private partnerships among Federal, private sector, and academic partners through regular engagement and consistency in message

Engagement

•  Strengthen engagement across HHS Operating Divisions and the HPH Sector


Authorities for the HCCIC

Section 405 of The Cybersecurity Act of 2015 (CISA), Improving Cybersecurity in the Healthcare Industry, requires a plan for implementing CISA so Federal Government and healthcare industry stakeholders may share actionable cyber threat indicators and defensive measures in real time.


IT Security Risk & Challenges


Risks

•  Inappropriate and unauthorized use of devices, data, and networks

•  Disclosure of confidential records, personally identifiable information (PII)

•  Theft of electronic medical data

Business Impact

•  Interruption to operational, functional and critical activities

•  Massive data breach (OPM) – due to

-  Neglected networks which allowed adversaries in the network

-  Older systems that needed to be modernized

•  Damage to reputation/public relations crises

•  Financial losses

-  Post-breach customer protection

-  Attorney fees and litigation

-  Fines

Capability

•  Identify (How do I identify my assets?): Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

•  Prevent (How do I protect my assets?): Access Control; Awareness and Training; Data Security; Information Protection; Maintenance; Protective Technology

•  Detect (How do I detect an incident has occurred?): Anomalies and Events; Continuous Monitoring; Detection Processes

•  Respond (What is my response plan?): Response Planning; Communications; Analysis; Mitigation; Improvements

•  Recover (How do I get back to normal?): Recovery Planning; Improvements; Communications


Cybersecurity Partnerships

HHS developed a strategic approach to HPH Sector Cybersecurity through public-private partnership engagements


Cybersecurity Partnerships

Engagement Forums

Internal HHS Planning and Collaboration Forums

•  HHS CSWG: Lead

•  HHS CISO Council: Inform

Bi-Lateral Internal HHS Collaboration Relationships

•  OCIO-ONC Bi-Weekly: Lead

•  OCIO-ASPR Bi-Weekly: Lead

•  OCIO-DHS Bi-Weekly: Lead

HPH Sector WGs to Coordinate Cybersecurity Initiatives

•  HPH SCC and GCC: Inform

•  Joint HPH Cybersecurity WG: Participate

•  Risk Management: Participate

•  CISA 405(d) Task: Lead

•  Information Sharing: Participate

•  HPH Sector Risk Assessment Tool: Participate

•  Future Gazing Efforts: Participate


HHS ASPR Role in Cyber Response

§  ASPR leads Emergency Support Function (ESF) 8, Public Health and Medical Services, in the National Response Framework

§  ASPR also leads partnership engagement activities according to the National Cybersecurity Incident Response Plan (NCIRP)

§  Monitoring potential impacts to Sector that could require ESF-8 response


CIP’s Role in the Response

§  As EMG activated, we managed the Secretary’s priority to support private sector


§  Held daily sector-wide call

§  Held daily call with key trade association partners

§  Identified contacts at facilities that were reported as affected on our calls, in media, or by other agencies

§  Coordinated messaging across sector

§  Expanded contact lists for the event

§  Partner reach expanded into the hundreds of thousands


On-going work

§  CISA Healthcare Industry Cybersecurity Task Force Report Implementation

§  Joint Sector Cybersecurity Working Group

§  CISA 405d- resources for NIST CSF Implementation

§  Cooperative agreements between HHS ONC, ASPR, and NH-ISAC to support information-sharing and AIS with small- and medium-sized businesses

§  Building out HCCIC Capacity and CONOPs

§  Exercises

§  HHS exercises

§  Cyberstorm VI, Spring 2018

§  Partnership Activities Fall 2017

§  Sector exercises- state/coalition level


CRITICAL INFRASTRUCTURE PARTNERSHIP ADVISORY COUNCIL

HEALTHCARE AND PUBLIC HEALTH SECTOR

JOINT CYBERSECURITY WORKING GROUP

GCC CO-CHAIRS

Dr. Suzanne Schwartz, MD, MBA, Emergency Preparedness/Operations & Medical Countermeasures (EMCM) Director (Acting), FDA

Ms. Nickol Todd, MPH, PMP, Deputy Director, Division of Resilience, HHS/ASPR/OEM

SCC CO-CHAIRS

Mr. Scott Cormier, VP Emergency Management, EC, & Safety, Medxcel

Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP, CIPP/US, VP Standards & Analytics, HITRUST


Three things you can do

Join Forces

Treat your Patching Report like your P&L Report

Consider multifactor authentication