Post on 28-May-2020
Cybercrime: A New Kind of Disaster
HealthcareSecurityForum.com/Boston/2017 #HITsecurity
SEPTEMBER 11–13, 2017 BOSTON, MA
HIMSS Security Presentation
September 2017
Chris Wlaschin, Chief Information Security Officer and Executive Director, Information Security, Office of the Chief Information Officer, Department of Health and Human Services
Chris Wlaschin oversees cybersecurity for the Department of Health and Human Services, a cabinet-level department with a $1.1 trillion budget including $14 billion in IT spending. HHS has 11 Operating Divisions including the FDA, CDC, CMS, NIH and others. As the Executive Director for Information Security and Chief Information Security Officer, he is responsible for leading cybersecurity efforts across HHS, as well as building collaborative relationships and sharing best practices for cybersecurity across the healthcare and public health sectors. Before joining HHS, Chris served as the Senior Director for Information Security and Infrastructure for NRC Health, and as the CISO for the University of Nebraska system. Prior to that, Chris was the Associate Deputy Assistant Secretary for Security Operations, Information Security for the Department of Veterans Affairs. Chris also served as Chief Information Officer (CIO) for the US Navy's Military Sealift Command. Chris is a member of the Executive Committee of the American Council on Technology (ACT), and is a Fellow at the Institute for Critical Infrastructure Technology (ICIT). Chris served with distinction in the US Navy for over 28 years in a variety of leadership roles.
Healthcare and Public Health Subsectors
Resilient People. Healthy Communities. A Nation Prepared.
Healthcare and Public Health Critical Infrastructure
Through collaboration with government and private sector partners, CIP enhances the security and resilience of Healthcare and Public Health Critical Infrastructure.
HHS Organizational Structure
[Figure: HHS organizational chart (Security Operations and IT Operations across the Department of Health and Human Services). Large OpDivs shown: CDC, CMS, FDA, IHS, NIH, OS. Small OpDivs shown: ACF, ACL, AHRQ, HRSA, SAMHSA. StaffDivs and other offices shown: ASA, ASFR, OASH, ASL, ASPE, ASPR, ASPA, OCR, DAB, OGC, OGA, OIG, OMHA, ONC, OCIO, OBMT, OHR, OSSI, PSC, OIS, OEAD, OSPG, ITIO, HHS OIS, OS OIS, ESS, PIM.]
HHS is a large, complex and highly federated environment. It consists of both large and small OpDivs, StaffDivs, and capability-specific support groups managing infrastructure at varying levels. Each component has a specific focus alongside varying missions, visions and goals. These inform how those components view information security and data overall.
Office of Information Security
The HHS Office of Information Security (OIS) is tasked with implementing a comprehensive, enterprise-wide cybersecurity program to protect the critical information with which HHS is entrusted. To accomplish this, OIS is:
• Implementing specific cybersecurity capabilities
• Cultivating cybersecurity partnerships in the public and private sectors
• Engaging in HHS-wide security collaboration activities
• Enhancing HHS’ security capabilities through current and future programs and projects
What does HHS Cybersecurity Protect?
• Healthcare delivery – IHS cares for 80,000 patients in 34 states
• Financial – CMS pays out $1M every minute in benefits 24/7/365
• FDA protects Intellectual Property for medicine and medical devices
• NIH and CDC conduct critical research with world-wide partners requiring open sharing of information
HHS Cyber Facts
2016 Highlights
• 9,047 cybersecurity incidents in FY 2016
• Joint Federal Healthcare Threat Operation Center led 465 investigations and 14 identifiable threats leading to actionable cases for prosecution
• Biggest threats: Phishing & Ransomware
Last Month
• FDA had over 1.6 billion security breach attempts
• HHS investigated 5,226 incidents of spam; 450 were found to be malicious
• HHS ran over 600 vulnerability scans covering over 120,000 HHS web pages
2017 Budget
• $1.1T total budget; $12.6 billion IT budget
• $315.5 million for cybersecurity (2.5% of the IT budget; the average is 6-8%)
Scale
• Operating divisions each with unique initiatives, focuses and capabilities
• 350 separate information systems, some with hundreds of sub-systems and components
• More than 280,000 hardware assets across the
Awards
• (ISC)² 2016 Chief Information Security Officer – IHS
• (ISC)² 2016 Best Cyber Program – HHS CyberCare, runner-up
Partners and Collaborators
• Protecting the Healthcare Sector
• Threat sharing: information that is actionable and makes sense
Committees
• Chair, (ISC)²
• CHIME
• HIMSS
Healthcare Cybersecurity Communications Integration Center (HCCIC)
HCCIC seeks to strengthen and improve healthcare cybersecurity through the implementation of the Cybersecurity Act of 2015. By improving engagement in HHS, coordinating analysis and reporting on real-time threats, and building partnerships among the healthcare sector, we can strengthen & improve healthcare industry cybersecurity.
Goals of the HCCIC
Reporting
• Strengthen reporting and increase awareness of healthcare cyber threats across the HHS enterprise
• Support the Secretary, ASPR, ONC and OSSI through coordination of cyber information sharing with the sector
• 360-degree view of HHS cyber operations
Partnerships
• Enhance public-private partnerships among Federal, private sector, and academic partners through regular engagement and consistency in message
Engagement
• Strengthen engagement across HHS Operating Divisions and the HPH Sector
Authorities for the HCCIC
Section 405 of the Cybersecurity Act of 2015 (CISA), Improving Cybersecurity in the Healthcare Industry, requires a plan for implementing CISA so that Federal Government and healthcare industry stakeholders may share actionable cyber threat indicators and defensive measures in real time.
IT Security Risk & Challenges
Risks
• Inappropriate and unauthorized use of devices, data, and networks
• Disclosure of confidential records, personally identifiable information (PII)
• Theft of electronic medical data
Business Impact
• Interruption to operational, functional and critical activities
• Massive data breach (OPM) – due to
  - neglected networks which allowed adversaries into the network
  - older systems that needed to be modernized
• Damage to reputation / public relations crises
• Financial losses – post-breach customer protection, attorney fees and litigation, fines
[Figure: NIST Cybersecurity Framework functions and their categories]
• Identify – Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
• Protect – Access Control, Awareness and Training, Data Security, Information Protection, Maintenance, Protective Technology
• Detect – Anomalies and Events, Continuous Monitoring, Detection Processes
• Respond – Response Planning, Communications, Analysis, Mitigation, Improvements
• Recover – Recovery Planning, Improvements, Communications
The questions each function answers:
• How do I identify my assets?
• How do I protect my assets?
• How do I detect that an incident has occurred?
• What is my response plan?
• How do I get back to normal?
Cybersecurity Partnerships
HHS developed a strategic approach to HPH Sector Cybersecurity through public-private partnership engagements.
Engagement Forums (HHS role in parentheses)
Internal HHS Planning and Collaboration Forums
• HHS CSWG (Lead)
• HHS CISO Council (Inform)
Bi-Lateral Internal HHS Collaboration Relationships
• OCIO-ONC Bi-Weekly (Lead)
• OCIO-ASPR Bi-Weekly (Lead)
• OCIO-DHS Bi-Weekly (Lead)
HPH Sector WGs to Coordinate Cybersecurity Initiatives
• HPH SCC and GCC (Inform)
• Joint HPH Cybersecurity WG (Participate)
• Risk Management (Participate)
• CISA 405(d) Task (Lead)
• Information Sharing (Participate)
• HPH Sector Risk Assessment Tool (Participate)
• Future Gazing Efforts (Participate)
HHS ASPR Role in Cyber Response
§ ASPR leads Emergency Support Function (ESF) 8, Public Health and Medical Services, in the National Response Framework
§ ASPR also leads partnership engagement activities according to the National Cybersecurity Incident Response Plan (NCIRP)
§ Monitoring potential impacts to the Sector that could require an ESF-8 response
CIP's Role in the Response
§ As the EMG activated, we managed the Secretary's priority to support the private sector
[Chart: partner reach during the event; only the axis scale (0 to 3,500) survived extraction, the bar values did not.]
§ Held a daily sector-wide call
§ Held a daily call with key trade association partners
§ Identified contacts at facilities that were reported as affected on our calls, in media, or by other agencies
§ Coordinated messaging across the sector
§ Expanded contact lists for the event
§ Partner reach expanded into the hundreds of thousands
On-going work
§ CISA Healthcare Industry Cybersecurity Task Force Report Implementation
§ Joint Sector Cybersecurity Working Group
§ CISA 405(d) – resources for NIST CSF Implementation
§ Cooperative agreements between HHS ONC, ASPR, and NH-ISAC to support information-sharing and AIS with small- and medium-sized businesses
§ Building out HCCIC Capacity and CONOPs
§ Exercises
  § HHS exercises
  § Cyberstorm VI, Spring 2018
  § Partnership Activities, Fall 2017
  § Sector exercises – state/coalition level
CRITICAL INFRASTRUCTURE PARTNERSHIP ADVISORY COUNCIL
HEALTHCARE AND PUBLIC HEALTH SECTOR
JOINT CYBERSECURITY WORKING GROUP
GCC CO-CHAIRS
• Dr. Suzanne Schwartz, MD, MBA – Director (Acting), Emergency Preparedness/Operations & Medical Countermeasures (EMCM), FDA
• Ms. Nickol Todd, MPH, PMP – Deputy Director, Division of Resilience, HHS/ASPR/OEM
SCC CO-CHAIRS
• Mr. Scott Cormier – VP Emergency Management, EC, & Safety, Medxcel
• Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP, CIPP/US – VP Standards & Analytics, HITRUST
Three things you can do
Join Forces
Treat your Patching Report like your P&L Report
Consider multifactor authentication
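A worked illustration of the "treat your patching report like your P&L report" advice, added here as an example and not part of the presentation: it rolls a constructed asset inventory up into per-division patch-compliance figures against a hypothetical 14-day SLA for critical patches, adds an enterprise "bottom line", and shows the change against the prior period the way a P&L shows period-over-period movement. The division labels, hostnames, dates, prior-period figures and the SLA window are all constructed assumptions, not HHS data or policy.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical policy (an assumption, not HHS policy): a critical patch must be
# applied within this many days of its release; past that the asset is out of SLA.
CRITICAL_SLA_DAYS = 14

# Constructed reporting date (the presentation's date), not taken from any report.
REPORT_DATE = date(2017, 9, 12)


@dataclass(frozen=True)
class Asset:
    hostname: str
    division: str                # constructed division label, not a real OpDiv
    missing_critical: int        # critical patches not yet applied
    oldest_missing: date | None  # release date of the oldest missing critical patch


# Constructed sample inventory; none of these hosts or figures are real.
INVENTORY = [
    Asset("web-01", "DivA", 0, None),
    Asset("web-02", "DivA", 2, date(2017, 8, 1)),
    Asset("db-01",  "DivA", 1, date(2017, 9, 5)),
    Asset("lab-01", "DivB", 3, date(2017, 6, 15)),
    Asset("lab-02", "DivB", 0, None),
    Asset("ehr-01", "DivC", 1, date(2017, 9, 10)),
]

# Constructed prior-period compliance figures, standing in for last month's report.
PRIOR_COMPLIANCE_PCT = {"DivA": 100.0, "DivB": 50.0, "DivC": 100.0}


def days_overdue(asset: Asset, today: date) -> int:
    """Days the asset's oldest missing critical patch is past the SLA window (0 if none)."""
    if asset.missing_critical == 0 or asset.oldest_missing is None:
        return 0
    age = (today - asset.oldest_missing).days
    return max(0, age - CRITICAL_SLA_DAYS)


def division_report(assets: list[Asset], today: date) -> dict[str, dict]:
    """Roll the inventory up per division: asset count, assets out of SLA,
    outstanding critical patches, worst overdue age, and compliance percentage."""
    rows: dict[str, dict] = {}
    for a in assets:
        r = rows.setdefault(a.division, {"assets": 0, "out_of_sla": 0,
                                         "missing_critical": 0, "max_days_overdue": 0})
        r["assets"] += 1
        r["missing_critical"] += a.missing_critical
        overdue = days_overdue(a, today)
        if overdue > 0:
            r["out_of_sla"] += 1
            r["max_days_overdue"] = max(r["max_days_overdue"], overdue)
    for r in rows.values():
        r["compliance_pct"] = round(100.0 * (r["assets"] - r["out_of_sla"]) / r["assets"], 1)
    return rows


def enterprise_summary(rows: dict[str, dict]) -> dict:
    """The bottom line: enterprise-wide compliance and the single worst overdue age."""
    assets = sum(r["assets"] for r in rows.values())
    out = sum(r["out_of_sla"] for r in rows.values())
    return {
        "assets": assets,
        "out_of_sla": out,
        "compliance_pct": round(100.0 * (assets - out) / assets, 1) if assets else 100.0,
        "max_days_overdue": max((r["max_days_overdue"] for r in rows.values()), default=0),
    }


def period_delta(rows: dict[str, dict], prior_pct: dict[str, float]) -> dict[str, float]:
    """Change in compliance percentage versus the prior period, per division
    (a division absent from the prior report is treated as having started at 100%)."""
    return {d: round(r["compliance_pct"] - prior_pct.get(d, 100.0), 1) for d, r in rows.items()}


def worst_first(rows: dict[str, dict]) -> list[str]:
    """Divisions in the order a CISO wants to read them: lowest compliance first,
    ties broken by the longest overdue age."""
    return sorted(rows, key=lambda d: (rows[d]["compliance_pct"], -rows[d]["max_days_overdue"]))


def render(rows: dict[str, dict], prior_pct: dict[str, float]) -> str:
    """Plain-text report in a P&L-like layout: one line per division, then the total."""
    delta = period_delta(rows, prior_pct)
    lines = [f"{'division':<10}{'assets':>7}{'out_sla':>8}{'crit_missing':>13}"
             f"{'max_overdue':>12}{'compl%':>8}{'delta':>7}"]
    for d in worst_first(rows):
        r = rows[d]
        lines.append(f"{d:<10}{r['assets']:>7}{r['out_of_sla']:>8}{r['missing_critical']:>13}"
                     f"{r['max_days_overdue']:>12}{r['compliance_pct']:>8}{delta[d]:>+7}")
    s = enterprise_summary(rows)
    lines.append(f"{'TOTAL':<10}{s['assets']:>7}{s['out_of_sla']:>8}{'':>13}"
                 f"{s['max_days_overdue']:>12}{s['compliance_pct']:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(division_report(INVENTORY, REPORT_DATE), PRIOR_COMPLIANCE_PCT))
```

The point of the layout is the reading order: the division with the lowest compliance and the oldest unpatched critical sits at the top, the enterprise total is the last line, and every row carries its movement since last period, so a month in which a division slips from fully patched to two-thirds patched shows up as a -33.3 in the delta column rather than being buried in a long list of hosts. An asset with a missing critical patch that is still inside the SLA window (db-01 above) counts toward outstanding patches but not toward non-compliance, which is the distinction a patch SLA exists to make.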
chris.wlaschin@hhs.gov hhshccic@hhs.gov