HHS and health care sector expand cybersecurity info sharing


The Computer Security Incident Response Center, the centerpiece of HHS's cybersecurity program, helps provide situational awareness across the enterprise and strengthens functional relationships within the health care community that it oversees to help improve security.

The Department of Health and Human Services takes cybersecurity seriously. As one of the world’s largest repositories of personal information, it has to.

“We’re a big target for that,” said HHS Chief Information Security Officer Kevin Charest. “We’ve got a lot of very rich targets.”

The Food and Drug Administration, Centers for Disease Control and the National Institutes of Health, to name a few, also oversee a broad range of research programs that could provide a wealth of intellectual property to hackers.

Protecting these far-flung operational divisions is not a simple task. Until recently, collaboration and sharing depended on personal relationships. Individual CISOs understood their own divisions, and if a program was successful, it was a local program. “There was no situational awareness at the department,” Charest said.

The department’s response to this fragmentation was to create a federated security environment in which operating divisions retain control of local operations but are overseen by a central organization with budget authority.

“We’ve been working to build this program since 2009,” Charest said. The centerpiece of the effort, the HHS Computer Security Incident Response Center, opened in 2011 to provide a single site for the collection, analysis and dissemination of threat information.

“That has vastly improved our security system,” Charest said. “But we didn’t stop there.” The CISO built on the federated model to address security governance and policy so that all divisions are working on the same page.

A security council was formed that meets monthly to decide what enterprise security tools are needed and to select the best solutions. This not only lets CISOs take advantage of the economies of departmentwide buying, but also has improved information sharing within the department.

“Now our taxonomies match,” Charest said. “We’re talking the same language. Everyone is working together.” And when people are working together, “you have extended yourself manyfold.”

Industry outreach

HHS also is a sector-specific agency charged with assisting the health care industry with cybersecurity, and it has partnered with the Health Information Trust Alliance (HITRUST) to share threat information with the private sector. “We’re trying to elevate the dialog and bring together real actionable security data,” Charest said.

HITRUST is a collaboration of health care, business, technology and information security leaders that works to create a common security framework for health care information.

HHS and HITRUST provide a monthly threat briefing for the industry, the only one of its kind offered to the private sector by a regulating agency. The partnership has been beneficial to the agency as well as to the health care industry, said HITRUST CEO Daniel Nutkis.

“It’s a functional relationship,” he said, with information flowing in both directions, coming from HHS as well as to it. “It has worked well.”

Establishing an information-sharing relationship with the agency was not an easy thing to do. Companies in the health care industry were reluctant to share threat information that could be construed negatively with an agency that oversees their activities.

But the stakes were too high not to pursue cooperation, Nutkis said. The health care industry depends on IT not just in its business systems, but increasingly for maintaining personal records, administering care, collecting sensitive data and controlling and maintaining medical devices.

“In this case one plus one equals three,” Nutkis said of cooperation. “We couldn’t afford suspicion” of a federal regulator.

Banking still is the model for information sharing within a regulated industry and with the government, Nutkis said. “They deal with financial loss. We deal with loss of life.” That has spurred a sense of urgency in the industry to collaborate on cybersecurity. “We are maturing at a different pace, playing catch-up at an impressive pace. HHS has played a positive role in moving forward.”

One result of this collaboration is the Cyber Threat Intelligence and Incident Coordination Center, created by HITRUST and co-located at the HHS Computer Incident Response Center. It provides early identification, alerts and analysis of attacks to the industry. It also helps coordinate response and provides a broad look at the industry’s security posture.

The coordinated center, which the Homeland Security Department participates in along with HHS, is expected to become fully operational this summer.

Not only did HITRUST have to overcome industry reluctance to collaboration with HHS, but “government had a lot of challenges, as well,” Nutkis said.

One of the largest challenges was simply how to share information with 430,000 organizations in the health care industry. The coordination center provides a tool for HHS to connect with industry and for industry to provide anonymized information to government. To date, both sides are happy with the relationship, and companies have seen no negative repercussions from HHS because of security information they have provided.

Leveraging the enterprise

One of the advantages of federating security for the enterprise is the economy of scale. It is more efficient for HHS to procure products, services and licenses than for each operating division to go into the marketplace on its own. But each division had to be convinced that this model actually would work for it.

“Everyone is unique – that is the hue and cry,” Charest said. “That is why we bring them together in this governance model.”

While variations and special needs exist within each agency, these account for only a small percentage of the security needs, he said. So it makes sense to standardize on tools across the department and accommodate special needs case by case.

“That’s legitimate; but it’s only for five or 10 percent.” And because of the “bigger bang for the buck” everyone is getting through departmentwide buys, there is more money available for special tools when they are needed.

For example, HHS was one of the first agencies to use the FireEye security platform, which operates on a continuous threat protection model that includes prevention, detection, containment and resolution. As a managed service it provides visibility into security posture and proactive defenses against aggressive attackers. It also offers remediation support during attacks and containment of initial exploits to minimize the cost and complexity of incident response.

The bottom line: Has the HHS program improved security?

“I believe that it has,” Charest said. But because the results of successful security are mostly negative – if you do it right, nothing happens – it is hard to say how much it has improved. “Metrics is a fundamental challenge of cybersecurity.”

Even so, HHS is not seeing fewer attacks with the new response center; it is seeing more. Charest likens the situation to turning on the light in a kitchen and seeing cockroaches disappear under the stove. It’s not pleasant, but at least you know what you’re dealing with.

“We’ve turned the light on, and we’re seeing a lot of things.” One of the things they see now is “fewer and fewer successful attempts.”

But there are some positive metrics that indicate improvement. The mean time to fix problems and patch vulnerabilities has been shortened, and the ability to respond to zero-day exploits has improved.

By creating a holistic view of the enterprise and its security, “you build an understanding of what your network is doing,” Charest said. “We have our challenges, but I feel we are much better prepared to deal with these things going forward based on what we have done.”
