HHS and health care sector expand cybersecurity info sharing
Connecting state and local government leaders
The Computer Security Incident Response Center, the centerpiece of HHS's cybersecurity program, helps provide situational awareness across the enterprise and strengthens functional relationships within the health care community that it oversees to help improve security.
The Department of Health and Human Services takes cybersecurity seriously. As one of the world’s largest repositories of personal information, it has to.
“We’re a big target for that,” said HHS Chief Information Security Officer Kevin Charest. “We’ve got a lot of very rich targets.”
The Food and Drug Administration, Centers for Disease Control and the National Institutes of Health, to name a few, also oversee a broad range of research programs that could provide a wealth of intellectual property to hackers.
Protecting these far flung operational divisions is not a simple task. Until recently, collaboration and sharing depended on personal relationships. Individual CISOs understood their own divisions, and if a program was successful, it was a local program. “There was no situational awareness at the department,” Charest said.
The department’s response to this fragmentation was to create a federated security environment in which operating divisions retain control of local operations but are overseen by a central organization with budget authority.
“We’ve been working to build this program since 2009,” Charest said. The centerpiece of the effort, the HHS Computer Security Incident Response Center, opened in 2011 to provide a single site for the collection, analysis and dissemination of threat information.
“That has vastly improved our security system,” Charest said. “But we didn’t stop there.” The CISO built on the federated model to address security governance and policy so that all divisions are working on the same page.
A security council was formed that meets monthly to decide what enterprise security tools are needed and to select the best solutions. This allows CISOs not only to take advantage of the economies of departmentwide buying, but it has improved information sharing within the department.
“Now our taxonomies match,” Charest said. “We’re talking the same language. Everyone is working together.” And when people are working together, “you have extended yourself manyfold.”
Industry outreach
HHS also is a sector-specific agency charged with assisting the health care industry with cybersecurity, and it has partnered with the Health Information Trust Alliance (HITRUST) to share threat information with the private sector. “We’re trying to elevate the dialog and bring together real actionable security data,” Charest said.
HITRUST is collaboration of health care, business, technology and information security leaders that work to create a common security framework for health care information.
HHS and HITRUST provide a monthly threat briefing for the industry, the only one of its kind offered to the private sector by a regulating agency. The partnership has been beneficial to the agency as well as to the health care industry, said HITRUST CEO Daniel Nutkis.
“It’s a functional relationship,” he said, with information flowing in both directions, coming from HHS as well as to it. “It has worked well.”
Establishing an information-sharing relationship with the agency was not an easy thing to do. Companies in the health care industry were reluctant to share threat information that could be construed negatively with an agency that oversees their activities.
But the stakes were too high not to pursue cooperation, Nutkis said. The health care industry depends on IT not just in its business systems, but increasingly for maintaining personal records, administering care, collecting sensitive data and controlling and maintaining medical devices.
“In this case one plus one equals three,” Nutkis said of cooperation. “We couldn’t afford suspicion” of a federal regulator.
Banking still is the model for information sharing within a regulated industry and with the government, Nutkis said. “They deal with financial loss. We deal with loss of life.” That has spurred a sense of urgency in the industry to collaborate on cybersecurity. “We are maturing at a different pace, playing catch-up at an impressive pace. HHS has played a positive role in moving forward.”
One result of this collaboration is the Cyber Threat Intelligence and Incident Coordination Center, created by HITRUST and co-located at the HHS Computer Incident Response Center. It provides early identification, alerts and analysis of attacks to the industry. It also helps coordinate response and provides a broad look at the industry’s security posture.
The coordinated center, which the Homeland Security Department participates in along with HHS, is expected to become fully operational this summer.
“We’re trying to elevate the dialog and bring together actionable security data,” Charest said.
Not only did HITRUST have to overcome industry reluctance to collaboration with HHS, but “government had a lot of challenges, as well,” Nutkis said.
One of the largest challenges was simply how to share information with 430,000 organizations in the health care industry. A Coordination Center provides a tool for HHS to connect with industry and for industry to provide anonymized information to government. To date, both sides are happy with the relationship, and companies have seen no negative repercussions from HHS because of security information they have provided.
Leveraging the enterprise
One of the advantages of federating security for the enterprise is the economy of scale. It is more efficient for HHS to procure products, services and licenses than for each operating division to go into the marketplace on its own. But each division had to be convinced that this model actually would work for it.
“Everyone is unique – that is the hue and cry,” Charest said. “That is why we bring them together in this governance model.”
While variations and special needs exist within each agency, these account for only a small percentage of the security needs, he said. So it makes sense to standardize on tools across the department and accommodate special needs as needed.
“That’s legitimate; but it’s only for five or 10 percent.” And because of the “bigger bang for the buck” everyone is getting through departmentwide buys, there is more money available for special tools when they are needed.
For example, HHS was one of the first agencies to use the FireEye security platform, which operates on a continuous threat protection model that includes prevention, detection, containment and resolution. As a managed service it provides visibility into security posture and proactive defenses against aggressive attackers. It also offers remediation support during attacks and containment of initial exploits to minimize the cost and complexity of incident response.
The bottom line: Has the HHS program improved security?
“I believe that it has,” Charest said. But because the results of successful security are mostly negative – if you do it right, nothing happens – it is hard to say how much it has improved. “Metrics is a fundamental challenge of cybersecurity.”
Even so, HHS is not seeing fewer attacks with the new response center, it is seeing more. Charest likens the situation to turning on the light in a kitchen and seeing cockroaches disappear under the stove. It’s not pleasant, but at least you know what you’re dealing with.
“We’ve turned the light on, and we’re seeing a lot of things.” One of the things they see now is “fewer and fewer successful attempts.”
But there are some positive metrics that indicate improvement. The mean time to fix problems and patch vulnerabilities has been shortened, and the ability to respond to zero-day exploits has improved.
By creating a holistic view of the enterprise and its security, “you build an understanding of what you’re network is doing,” Charest said. “We have our challenges, but I feel we are much better prepared to deal with these things going forward based on what we have done.”