The government, private sector, and international network defense communities all need to work toward stronger collaboration and information sharing to combat the increasing number of healthcare cybersecurity threats, the Office for Civil Rights (OCR) stated in its February Cyber Awareness Newsletter.
Healthcare is part of the national infrastructure, and is becoming a more common target for cyber attacks, OCR explained.
The Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) is one organization that could be a critical asset for improving healthcare cybersecurity measures. OCR stated that NCCIC operates “at the intersection of government, private sector, and international network defense communities.”
Furthermore, the United States Computer Emergency Readiness Team (US-CERT) is part of NCCIC.
“US-CERT is in a unique position to inform covered entities and business associates about their cybersecurity efforts as well as benefit from information sharing when a covered entity or business associate experiences a cybersecurity incident,” OCR noted. “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”
OCR added that covered entities and business associates should monitor the US-CERT website for any cybersecurity reports or vulnerabilities. There are also US-CERT mailing lists, which can include Weekly Vulnerability Bulletins, Technical Alerts, Current Activity entries, and Tips.
“Covered entities and business associates can leverage this information as part of their Security Management Process under HIPAA (see 45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic protected health information,” advised OCR.
On February 10, 2017, NCCIC reported on Grizzly Steppe activity, which could affect healthcare cybersecurity. Along with recommendations for detecting and mitigating Grizzly Steppe, NCCIC also advised how organizations can defend against webshell attacks and spear phishing attacks.
“GRIZZLY STEPPE actors use various reconnaissance methods to determine the best attack vector for compromising their targets,” the report stated. “These methods include network vulnerability scanning, credential harvesting, and using ‘doppelganger’ (also known as ‘typo-squatting’) domains to target victim organizations.”
OCR argued that this is just one example of “timely and actionable information” that covered entities and business associates can receive from US-CERT notifications.
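The “doppelganger” domain indicator quoted above is something a covered entity can act on itself by screening inbound sender domains against the domains it actually owns. The following is an added example written for this article, not code from OCR, NCCIC or US-CERT; the owned domains and sample sender addresses it uses are constructed.

```python
# Added example (not code from OCR, NCCIC or US-CERT): flag "doppelganger"
# (typo-squatting) sender domains resembling a covered entity's own domains.
# LEGIT_DOMAINS and SAMPLE_SENDERS are constructed for illustration.
from difflib import SequenceMatcher

LEGIT_DOMAINS = {"examplehealth.org", "mail.examplehealth.org"}  # constructed
# Substitutions commonly used to make a look-alike read like the real name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def normalize(domain: str) -> str:
    """Fold homoglyphs so 'examp1ehealth.org' compares as 'examplehealth.org'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def is_doppelganger(domain: str, legit=LEGIT_DOMAINS, threshold: float = 0.85) -> bool:
    """True if `domain` is not one we own but closely resembles one we do."""
    reg = registrable(domain)
    owned = {registrable(d) for d in legit}
    if reg in owned:
        return False
    norm = normalize(reg)
    # Exact match after folding catches homoglyph swaps; the similarity ratio
    # catches typos and dropped letters. The threshold is a tuning knob: too low
    # and short unrelated domains collide, so treat hits as review items.
    return any(norm == normalize(real) or
               SequenceMatcher(None, norm, real).ratio() >= threshold
               for real in owned)

def flag_senders(addresses):
    """Return addresses whose domain looks like a doppelganger of an owned domain."""
    return [a for a in addresses
            if "@" in a and is_doppelganger(a.rsplit("@", 1)[1])]

SAMPLE_SENDERS = [  # constructed: one genuine, three look-alikes, one unrelated
    "billing@examplehealth.org",
    "hr@examp1ehealth.org",
    "it-support@exarnplehealth.org",
    "payroll@examplehelth.org",
    "news@vendor-news.com",
]

if __name__ == "__main__":
    for addr in flag_senders(SAMPLE_SENDERS):
        print("possible doppelganger sender:", addr)
```

Hits from this check are candidates for the US-CERT reporting and the phishing-incident handling the newsletter describes, not proof of compromise on their own.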
Toward the end of 2016, US-CERT announced its new cybersecurity incident notification guidelines, which will go into effect on April 1, 2017.
All federal departments and agencies, along with state, local, tribal, and territorial government entities will be affected. Information Sharing and Analysis Organizations and foreign, commercial, and private-sector organizations will also need to adhere to the new notification requirements.
"Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian, Executive Branch agency is potentially compromised, to the [National Cybersecurity and Communications Integration Center]/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department," the notification explained.
Congress must be notified within seven days of a major incident taking place, US-CERT stated. It is up to the affected agency to determine whether an incident is “major,” and it may consult with US-CERT to help make the final decision.
“All major incidents are also considered significant cyber incidents, meaning they are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties or public health and safety of the American people,” the guidance explained, citing Presidential Policy Directive 41 (PPD-41), United States Cyber Incident Coordination.