HHS Ramps Up Cyber Threat Information SharingWere Recent WannaCry Alerts a Sign of What's to Come?
A series of email alerts from the Department of Health and Human Services about the WannaCry ransomware campaign - and a number of related daily conference calls with industry stakeholders - appear to be part of a ramped-up push to improve cyber information sharing in the healthcare sector.
The Cybersecurity Information Sharing Act, signed into law in late 2015, was designed to be a catalyst for information sharing. Now, some of the groundwork that's been laid by HHS and the healthcare sector since the legislation was signed into law finally appears to be paying off.
Next up: HHS plans to activate a Cybersecurity and Communication Integration Center that will share healthcare specific threat information with other government agencies and the private sector. It's modeled after the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
HHS' new center will "establish the mechanism to provide proactive and anticipatory analysis of cyber threats to both HHS and the healthcare and public health sector," an HHS spokesman tells Information Security Media Group. The center, which will begin operations in the summer, "will act as a clearinghouse to drive healthcare-relevant cyber indicators, briefings, and actionable intelligence to and from a wide variety of stakeholders, both public and private," he adds.
HHS also plans to release a report by its cyber task force that was created under CISA. The report will contain an analysis of the cyber challenges faced by the healthcare sector and offer recommendations for best practices to improve cyber preparedness and response.
But the alerts that HHS began sending out within hours after news of the WannaCry ransomware attacks broke on May 12 foreshadow the ramped-up HHS effort to keep healthcare entities in the cyber loop, especially in the wake of fast-moving crises like the ransomware attacks that hit the National Health System in the United Kingdom.
"HHS alerts - like the WannaCry ransomware wave alerts - are good for the industry," says Kate Borten, founder of privacy and security consulting firm, The Marblehead Group. "They raise awareness for organizations that might not get this news, or not as promptly."
Indeed, the early alerts by HHS, as well as those from other government agencies, including DHS' U.S. Computer Emergency Readiness Team, may have led many U.S. healthcare organizations to take steps to ensure their Windows systems were up to date with patches, says security expert and former healthcare CISO Doug Copley. "Organizations that got hit [by WannaCry] were the ones that didn't do patching," he notes.
Infected Medical Devices
In the U.S, DHS reports that only about 10 organizations in all sectors, including FedEx, were impacted by WannaCry. The unpatched Windows-based radiology devices from manufacturer Bayer used at two unidentified U.S. hospitals also were affected, a Bayer spokeswoman confirmed to ISMG.
"The latest global malware attack exploiting vulnerabilities in Microsoft Windows is affecting companies and institutions, including some hospitals," she says. "If a hospital's network is compromised, this may affect Bayer's Windows-based devices connected to that network."
The vulnerable devices include: Medrad Stellant and Medrad MRXperion control room units (Certegra Workstations); Certegra and VirtualCare devices; Medrad Intego RDMS; and Certegra Connect.CT, she says. "As of May 16, Bayer has received two reports [of ransomware infections] from customers in the U.S. with impacted Bayer devices. Operations at both sites were restored within 24 hours."
Bayer is issuing guidance to customers and will provide a Bayer-certified Microsoft Windows security patch soon for deployment on Bayer's Windows-based devices, she says. In the interim, Bayer recommends that hospitals contact Bayer's Technical Assistance Center for steps to take to ensure continued support of contrast-enhanced radiology procedures that use Bayer power injectors.
But the handful of more urgent alerts sent out by HHS in the days following the WannaCry outbreak, which also provided healthcare entities with an array of links for more technical details from US-CERT and others, look like something new for HHS.
HHS issued these urgent alerts "perhaps because Britain's NHS was so seriously affected, especially its hospitals," Borten notes.
Included in a WannaCry alert sent on May 17 were links to previous OCR guidance about ransomware attacks being a reportable breach under HIPAA in most cases.
In addition to the alerts, HHS' Office of the Assistant Secretary for Preparedness and Response hosted daily conference calls for healthcare sector participants following the WannaCry attacks.
"They started out somewhat haphazard, but by the third call [ASPR] had gone a great job pulling in support from other HHS operating divisions, like the Food and Drug Administration, and had strong numbers listening in," says Mac McMillan, president of the security consulting firm CynergisTek, who listened in on some calls.
"It was basic information but still very useful, particularly for those organizations that don't have a lot of or any cybersecurity expertise," he says. "HHS deserves an 'atta boy' for this one. They demonstrated the value of outreach and sharing information."