national health information sharing & analysis center the nation’s healthcare & public...

NATIONAL HEALTH INFORMATION SHARING & ANALYSIS CENTER

THE NATION’S

HEALTHCARE & PUBLIC HEALTH SECTOR

INFORMATION SHARING & ANALYSIS CENTER

Information & Cybersecurity

Threat & Vulnerability Protection,

Best Practice & Education

NH-ISAC

HEALTHCARE & PUBLIC HEALTH CRITICAL INFRASTRUCTURE PROTECTION

EXECUTIVE OVERVIEW

1. National Critical Infrastructure and Key Resources (CIKR) Protection – Public/Private Partnership

2. Cybersecurity Overview – Threats/Vulnerabilities/Attacks

3. Protecting the Health & Public Health Sector

US Department of Health & Human Services, US DHS

Health Sector Coordinating Council – Government/Private Sector

National Health Information Sharing & Analysis Center (NH-ISAC)

4. NH-ISAC Membership – Value Proposition

Executive Overview Agenda

Homeland Security Presidential Directive 7 (HSPD-7) – National CIKR Protection

Sector-Specific Agency (SSA) Critical Infrastructures & Key Resources

Department Of AgricultureDepartment of Health & Human Services Agriculture & Food

Department of Defense Defense Industrial Base

Department of Energy Energy

Department of Health & Human Services Healthcare & Public Health

Department of the Interior National Monuments and Icons

Department of the Treasury Banking & Finance

Environmental Protection Agency Water

Department of Homeland Security (DHS)Office of Infrastructure Protection

Chemical / Commercial Facilities / DamsCritical Manufacturing /Emergency Services

Nuclear Reactors, Materials and Waste

DHS Office of Cybersecurity & Communications Information TechnologyCommunications

DHS Transportation Security Administration Postal and Shipping

DHS Transportation Security AdministrationUnited States Coast Guard Transportation Systems

DHS Immigration & Customs Enforcement, Federal Protective Service Government Facilities

National Infrastructure Protection Plan (NIPP) - After 9/11, 18 National Critical Infrastructures and Key Resources (CIKR) were identified for protection.

Presidential Directive (HSPD-7) – Established national Policy to identify and prioritize US critical infrastructures and key resources – protecting from terrorist attacks.

Recognizing that each infrastructure possessed its own unique characteristics and operating models, Sector-Specific Agencies (SSAs) were identified to develop sector CIKR protection plans.

Information Sharing & Analysis Centers (ISACs) - Federal departments (US DHS, FBI, etc.) and SSAs collaborate in a public/private partnership with sector-specific ISACs to encourage sector-specific mechanisms to monitor, identify, prioritize, analyze and coordinate sector protection (physical and cyber).

1 – CIKR Protection

DHS Information Sharing Environment (ISE) CIKR Components

Coordination & Governance / Risk MitigationRelationship Management / Information Exchange

Content Identification & Development

INFORMATION SHARING & ANALYSIS CENTERS (ISACs)

The definition of an ISAC is "a trusted, sector-specific entity which provides to its constituency a 24/7 Secure Operating Capability

that establishes the sector’s specific information/intelligence requirements for incidents, threats and vulnerabilities (two-2ay

information sharing). Based on its sector-focused subject-matter analytical expertise, the ISAC then collects, analyzes and

disseminates alerts and incident reports to its membership and helps the government understand impacts for its sector.”

ISAC Characteristics: Trusted Information Sharing & Analysis, Trusted Sector and Cross-Sector Relationships, Trusted Private

Sector Subject Matter Experts, International Reach

Protection Partnership / 2-Way Information Sharing - ISACs


Coordinating Council

Federal Sector-Specific Agency (SSA)

Government Coordinating Council (GCC)

Critical Infrastructure

Sector Coordinating Council (SCC)

Information Sharing & Analysis Center (ISAC)

GCC/Government – Federal Depts. (DHS, etc.), Federal Agencies, State, City, County

SCC/Private Sector - Industry, Owner/Operators, Trade Associations, Standards Organizations, Academia, etc.

CIKR / SSA / Coordinating Council / ISAC – Collaborative Partnership

For each National Critical Infrastructure, a Federal Sector-Specific Agency (SSA) has a Coordinating Council

(Government/Private) working in a collaborative partnership with sector-specific Information Sharing & Analysis Centers

(ISACs).

Private Sector Critical Infrastructure & Key Resources(Owner/Operators, Industry, Academia, etc.)


Communications ISAC (NCC), Electric Sector ISAC (IS-ISAC), Emergency Management & Response

ISAC (EMR-ISAC), Financial Services, ISAC, Health ISAC (NH-ISAC), Highway ISAC (First Observer), IT ISAC

NATIONAL COUNCIL OF ISACs

Maritime Security Council ISAC, Multi-State ISAC, Nuclear ISAC (NEI), Public Transportation ISAC (APTA), Real Estate ISAC, Research & Education Networking ISAC (REN-ISAC), Supply Chain ISAC

(SC-ISAC)

Surface Transportation ISAC (ST-ISAC), Water ISAC, Chemical Sector Coordinating Council, Defense Security Information Exchange, Oil and Natural Gas Coordinating Council, Partnership for Critical

Infrastructure Security, Regional Consortium Coordinating Council

National Council of ISACs

The mission of the Information

Sharing and Analysis Centers

Council (National Council of ISACs)

is to advance the physical and

cyber security of the critical

infrastructures of North America by

establishing and maintaining a

framework for valuable interaction

between and among the ISACs and

with government.


http://www.isaccouncil.com/

National Health ISAC (NH-ISAC) – National Council of ISACs Member


WHAT IS INFORMATION AND CYBER SECURITY?

•Prevents exploitation of information either in paper-based or electronic information systems

•Ensures confidentiality, integrity and availability of systems and data

•Includes restoring electronic information and communications systems in the event of a terrorists attack or natural disaster

WHAT IS CYBER INFRASTRUCTURE?

• Physical assets and virtual systems and networks that enable key capabilities and services in both the public and private sectors

IMPORTANCE OF CYBER INFRASTRUCTURE

• Information technology (IT) supports three (3) types of cyber infrastructures across the various CIKR sectors

1. Business Systems – Mission essential systems that are used to manage or support common business process and operations

2. Control Systems – Cyber systems used to monitor and control sensitive processes and physical functions (SCADA, HVAC, Environment Control Systems, Lab-Based Surveillance, Healthcare – Medical Devices, Monitors, Medical Equipment, etc. )

3. Safety, Security, Support and Other Specialty Systems – Cyber systems used to manage physical access or for alerting and notification purposes (Computerized alarm systems, electronic card readers, biometrics, radio frequency, identification (RFID), emergency alert systems, HAZMAT systems, etc.

• Protection of physical and cyber assets and interoperability is problematic due to the interconnected and interdependent nature of the nation’s critical infrastructures – especially the nation’s Healthcare and Public Health Sector.

Cybersecurity is much more than “User Names” and “Passwords”

Business Management Holds Responsibility for Security (Both Physical/Cyber)……………Technology Enables It.

2 – Cybersecurity

CYBER THREAT ISSUES / TRENDS

• Threats evolve quickly – as soon as one is identified and counter measures put in place, the threat can change or expand into new or multiple threats

• Hackers quickly acquire skills to launch attacks on US cyber infrastructures. Emergence of “hacker schools” online and abroad

• Hackers are selling their services to a wide variety of actors (criminals, terrorists, criminal organizations, nation states, disgruntled employees, contractors, etc. Anonymity of the Internet – Allows “hacker for hire services” into a complex black market

• Hacking techniques previously required specialized coding and programming knowledge. NOT ANY MORE – Less skilled users can now access free and commercially available hacking automated programs and tools

• The number of malicious hackers with the necessary skills continues to increase while the knowledge required for counter measures has decreased

Cyber Threats

2 – Cybersecurity

CYBER THREAT

Via an information system, any circumstance or event with the potential to adversely impact organizational

operations, assets (both physical and informational), individuals, other organizations, other critical infrastructures or

the Nation through an information system .

Cyber threats can affect and immediately impact – hospital operations to admit/treat patients, security systems,

environmental controls, insurance and medical billing claims technology, electronic records and personal data, supply

delivery and stockpiles, functionality of life sustaining equipment, public health data and emergency management

systems.

CYBER VULNERABILITIES

Weaknesses in physical or information systems, system security procedures, internal

controls, or implementation that could be exploited or triggered by a threat source.

CYBER THREAT ISSUES / TRENDS

Cyber vulnerabilities fall into three (3) categories:

People (Employees or those external to the organization)

Processes (Security Procedures)

Technology (Software, Additional Programs, Shared Networks, Badging Systems, etc.

IDENTIFYING VULNERABILITIES

Both the U.S. Computer Emergency Readiness Team, or the US-CERT, and the Information Sharing and Analysis Centers (ISACs), help stakeholders across all sectors identify and address vulnerabilities

Cyber Vulnerabilities

2 – Cybersecurity

Types of Cyber Attacks

Physical Facilities (Unauthorized Access, Environment/Emergency/Hospital Systems Disruption)

Denial of Service, Penetration Attacks, BotNET (Malicious Software Robots, Scareware ($$$ or Attack), Malicious Code, Unknown Program Installation, Database Attacks, Website Defacements, Multiple Coordinated Attacks, Wireless Network Exploits, Domain Name Server (DNS Attacks), Pirated Software/Intellectual Property, Unauthorized Access, etc.

Types of Cyber Attacks

Cyber Attack Categories

Natural or Inadvertent Attack – Accidents from Natural Disasters

Intentional Threats – Illegal or Criminal Acts (Insiders or Outsiders, Recreational/Criminal Hackers

Human Blunders – Errors, Omissions, Unintentional Human Actions

Hardware (Computers, Printers, Scanners, Servers, Communication Media)

Software (Applications, Special Programs, System Backups, Diagnostic Programs, Operating Systems, etc.

Data – In Storage (Rest), Transition (Transit) or Undergoing Modification (Change)

Medical Devices – Hacking into medical devices and injecting malicious code to disrupt lifesaving devices.

Smart Phone Attacks – Hacking personal information, emails, documents, applications

People – Users, Systems Administrators, Hardware and Software Manufacturers, Disgruntled Employees, Unauthorized Personnel

Documentation – User Information for Hardware/Software, Administrative Procedures, Policy Documents

Business and Personal Social Network Attacks – Stealing information about your behavior and lifestyle 2 – Cybersecurity

Cybersecurity – Protecting the Healthcare & Public Health (HPH) Sector

The HPH Sector is not only a domestic critical infrastructure, but a foreign one as well (i.e. supply chain dependencies, etc.)

The HPH Sector is diverse with no single impenetrable security system.

Attacks can impact organizational integrity, loss of business and financial systems, loss of data, medical equipment and device corruption, loss of

environmental systems, facility shutdown, etc.

Attacks can result in lawsuits, criminal, or regulatory compliance actions and fines for not having protective cybersecurity policies, measures and

technologies in place.

Measures (defined and documented plans, procedures, protective solutions/collaborative partnership) must be taken and implemented to

protect technologies, processes, computer networks, equipment, facilities, and the workforce from authorized access, threats, attacks or

vulnerabilities.

PROTECTING THE HPH SECTOR

The HPH Sector utilizes numerous technologies to provide the delivery of care and to

respond to emergencies and perform surveillance. Cybersecurity is increasingly becoming

more critical due to attacks to healthcare and other critical infrastructures and key

resources (CIKR) sectors.

3 – Protecting the HPH Sector

Health Coordinating Council

US Department of Health & Human Services (HHS)

Health Government Coordinating Council (HGCC) Health Sector Coordinating Council (HSCC)

National Health Sector Coordinating Council (HSCC)

WHAT IS THE HSCC?

The HSCC represents private sector interests and perspectives in the public-private effort to protect the national healthcare infrastructure. It is made up of representatives, organizations, trade associations, and professional societies who operate within the healthcare sector.

The HSCC has a dual mission to meet the specific needs of owners and operators and to also inform and influence government policies and actions with regard to infrastructure protection.

MISSION OF THE HSCC

To serve the needs of sector owners/operators and associations (constituent customers) in regard to preparing for responding to, and recovering from both significant hazards, including natural and manmade disasters, as well as national or regional health crises.

To advocate the interests of sector owner/operators and associations (constituent customers) to state and federal agencies and legislators in order to enhance government policies, plans and actions regarding infrastructure protection, preparedness, response and resilience.


Organization of the HSCC

Executive Committee or Chairs

Tri-Chair Council – Encompasses a broad spectrum of leadership capabilities for the HSCC; full rotation every three (3) years

Sub-Councils/Members

All HSCC members fit into one of the six (6) of the following current sub-councils. Members can then be referred tom ore easily for input into working group projects or additional sectors initiatives

Direct Patient Healthcare Health Information and Medical Technology

Technology Health Plans and Payers Laboratories, Blood and Pharmaceuticals

Mass Fatality Management Services Medical Materials Coordinating Group

Working Groups

There are four (4) active working groups within the HSCC.

Joint Advisory Working Group (JAWG) Information Sharing Working Group (ISWG)

Risk Assessment Working Group (RAWG) Cybersecurity Working Group (GSWG)

Each of these groups address critical issues for the sector and interests of the HSCC members resulting in best practice deliverables.


Cybersecurity Working Group (CSWG)

Directs the HPH sector’s cybersecurity analysis, education and awareness efforts, to include coordinating with other Critical Infrastructure Protection (CIP)

workgroups to provide cybersecurity expertise for the sector’s risk management objectives. Helps develop and vet cybersecurity situational reports,

determines best practices and makes recommendations toward cybersecurity standards for the HPH Sector.

CSWG Membership –

•US Health Human Services (HHS) –

Office of the Assistance Secretary for Preparedness and Response (ASPR), Centers for Disease Control and Prevention (CDC), Office of the National Coordinator (ONC)

•Department of Homeland Security –

Office of Infrastructure Protection (IP), National Cybersecurity Division ( NCSD)

•Department of Transportation

•National Health Information Sharing & Analysis Center (NH-ISAC)

•Private Sector Stakeholders within the HSCC

•Telecom Companies

•Other: State, Local and Tribal Healthcare Partners

NH-ISAC

Chair, Cybersecurity Working Group

Health Sector Coordinating Council (HSCC) – Cybersecurity Working Group (CSWG)


Coordinating Council

National Health ISAC

US Department of Health & Human Services (HHS)

Health Government Coordinating Council (HGCC) Health Sector Coordinating Council (HSCC)

Private Sector Critical Infrastructure & Key Resources(Owner/Operators, Industry, Academia, etc.)


Healthcare & Public Health Critical Infrastructure Protection

NH-ISAC MISSION

The mission of the NH-ISAC is to enable, ensure and preserve

the public trust by advancing protection of the nation’s public

health and healthcare sector’s critical infrastructure via

trusted cybersecurity threat and vulnerability monitoring,

analysis, notification, countermeasure solutions, incident

response and to foster and enable the availability of proven

security and privacy governance, security awareness and

workforce education.

NH-ISAC - The Nation’s Healthcare & Public Health ISAC

NH-ISAC

Nationally Recognized ISAC for the Nation’s Healthcare & Public Health Critical Infrastructure

Member of the National Council of Information Sharing & Analysis Centers (ISACs) – Representing all critical infrastructures

Member of the National Healthcare Sector Coordinating Council (HSCC)

Chairs the HSCC, Cybersecurity Working Group

4 – NH-ISAC Value Proposition


NH-ISAC

• Trusted entity established and sustained by the healthcare and public health owners and operators

addressing critical infrastructure protection (physical/cyber), best practice and education

• Helps government understand impacts for the HPH sector (policy, protection, education)

• Provides to its constituency a 24/7 secure operating capability (information sharing/intelligence

requirements for incidents, threats and vulnerabilities) responding to all aspects of security and “all

hazards” including cross-sector interdependencies.

• Collects and provides comprehensive analysis and dissemination of alerts and incident reports, actual

or potential sector disruptions extensively within the HPH sector membership, across sectors and

with government

• Support national level exercises and sector-specific exercises

• During events of national significance, NH-ISAC provides operation services such as risk mitigation,

incident response and information sharing that protects the nation’s HPH critical infrastructure

• NH-ISAC empowers business resiliency through security planning, disaster response and execution.

(24/7 threat warning, incident reporting capabilities critical to the success of protecting national

critical infrastructures.

• Working together, all ISACs have a track record of responding to and sharing actionable and relevant

information more quickly than DHS and doing so in an accurate manner.

NH-ISAC

NH-ISAC Organizational Capacity


NH-ISAC National Advisory Council

Membership Collaboration / Defining Voice

NH-ISAC Framework

Cybersecurity Research -

NH-ISAC Partnership - Global Institute Cyber Security Research)

Critical Information Security Notification System (NH-ISAC CISNS)

Increased Sector-Wide Knowledge via Early Notifications

Two-Way Information Sharing

Countermeasure Solutions

Secure Member Portal – In-Depth Analysis/Support

National and Sector-Specific Cybersecurity Exercises

Cybersecurity Best Practice Consulting

Health IT Information& Cyber Security Workforce Development & Certification

NH-ISAC Health IT Information Security Test Bed

AuditManagement

PolicyManagement

RiskManagement

ComplianceManagement

BusinessContinuity

ThreatManagement

IncidentResponse

WorkforceEducation

Best PracticeResearch

NH-ISACFramework

CYBERSECURITY EDUCATION – SHAPING THE FUTURE

NATIONAL INITIATIVE

FOR CYBERSECURITY EDUCATION (NICE)

A national campaign to promote cybersecurity awareness,

workforce education and digital literacy from our boardrooms to

our classrooms – building and sustaining a cybersecurity

workforce for the 21st century.

This is your opportunity to have a defining voice and benefit

from the resulting project education framework, curriculum, etc.

http://www.nist.gov/nice

Healthcare & Public Health CIKR Cybersecurity Education

In collaboration with NIST, US DHS, NSA, HHS, The National Healthcare Sector

Coordinating Council (HSCC), The Global Institute for Cybersecurity + Research is leading

development of National Critical Infrastructure (CIKR) Cybersecurity Education

Frameworks. NH-ISAC is the lead for the Healthcare & Public Health sector.


http://www.nist.gov/nice

NH-ISAC Membership


Who Can Join the NH-ISAC?

H-ISAC Membership is open to organizations who are in the healthcare and public health sector, are a US firm or corporation and have been accepted by the NH-ISAC Board of Directors.

How is the NH-ISAC Funded?

The NH-ISAC is 100% funded through the ISAC membership model.

How do I Join the NH-ISAC?

Contact NH-ISAC directly or access the Membership Application: http://www.nh-isac.org/NH-ISAC_Membership.html

National Health ISAC (NH-ISAC)

Exploration Park/Kennedy Space Center

One Spaceport Way

Cape Canaveral, FL 32902

Direct: 904-827-0290

http://www.nh-isac.org/NH-ISAC_Membership.html

national health information sharing & analysis center the nation’s healthcare & public...

Documents

trusted sector

sector protection physical

sectorspecific isacs

sector cikr protection

sectorspecific entity

sectorspecific mechanisms

sector specific agencies

sectorfocused subject