HHS CISO on Healthcare Cybersecurity
Kevin Charest Discusses Cyberdrill, Threats and HealthCare.gov
Many healthcare organizations need to improve their basic cybersecurity "blocking and tackling," and most also need to improve their willingness to share cybersecurity information, says Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services.
Those are among early findings from a "distributed" cybersecurity drill conducted on April 1 by HHS and the Health Information Trust Alliance, or HITRUST. In an exclusive interview with Information Security Media Group, Charest also discusses emerging cybersecurity threats facing the healthcare sector and ongoing security efforts of HealthCare.gov.
"When you look across the healthcare ecosystem you see many of the same challenges that are facing others, like organized crime, state-sponsored threats, hacktivism, and employee bad behavior - both intentional and unintentional," he says. "But where healthcare runs into an additional challenge is that there's a lot of resistance to information security best practices, as a whole," he says. That resistance ranges from clinicians shunning technologies like multi-factor authentication to an unwillingness of organizations to share information about their cybersecurity incidents, he says.
The recent CyberRX drill involved information security teams at 13 unnamed healthcare sector companies: a large nationwide retail pharmacy chain, several healthcare providers (including hospitals) and health insurance companies. Two of the four cybersecurity exercises conducted over a seven-hour period involved a "compromised" medical device and a simulated attack on a state health insurance exchange connected to HHS' HealthCare.gov federally facilitated insurance marketplace, Charest says.
"The healthcare sector is comprised of a complex web...a massive conglomerate of interconnected systems, including hundreds of thousands of providers, devices, the government, the Affordable Care Act," Charest says. "That's added risk" compared with other sectors, he says.
Details of the lessons learned from the first of two healthcare sector CyberRX drills will be formally revealed at a conference planned for April 21 by HITRUST, which is coordinating the drills with HHS, says Charest, who serves as "exercise captain" for the cyber activities. A second drill is planned for summer (see Healthcare Cybersecurity Drills Slated).
Although more findings and observations from the first drill will be revealed at the HITRUST conference later in April, the first set of exercises showed that an overall challenge in the healthcare sector is a reluctance to share information about threats and attacks with the rest of the sector due to concerns about liability, Charest says.
"It is clear that one of the conundrums is 'what do I share, and how can I share so it doesn't cause me liability?'" he says. "If you've got a breach or other problem, and you share that [information], what liability have you introduced into your environment? Not liability from a cybersecurity standpoint, but liability from a company standpoint."
"President Obama's [recent cybersecurity] executive order is encouraging sharing between the public and private sector and the federal government for purposes of cybersecurity and situational awareness, and improving security for all - but the fact is that is not going on in a lot of industries because they haven't solved this conundrum," Charest says.
Back to Basics
Beyond the reluctance to share information about cybersecurity threats and incidents, another finding from the first drill is that some health-related entities still need to iron out "basic blocking and tackling," he says.
"Organizations are realizing their internal playbooks are not as complete as they need to be," he says. That includes fundamentals such as "knowing who to call" when dealing with an incident, he says.
"This small pool of participants included some organizations that had mature programs and they exercised them, but others realized some gaps," he says. In the next exercise, as the sample size grows, "you'll see some striation within segments of the healthcare sector, so that it can be examined why some are better prepared than others," he says.
So far, more than 300 healthcare related organizations have expressed interest in participating in the next CyberRX event, he says. The drills give participants an opportunity to exercise their internal "handbooks" for incident response, Charest says.
Overall, "healthcare has resisted information security best practices as a whole," Charest says. "For instance, when you talk to physician practices and you talk to them about the need to use two-factor authentication, you get a lot of resistance," he says.
Because of that resistance, "you really need to do things like CyberRX, and communication and education to make people understand that these threats are not something out of a spy novel," he says. "But you have to make it real for them."
When it comes to the ongoing scrutiny over the security of HealthCare.gov, Charest says "there's been a lot of fear mongering, but there have been no successful malicious attacks on the site or systems."
Additionally, HealthCare.gov is undergoing "end-to-end" security testing every quarter, even though the federal government requires such testing every three years.
The quarterly testing will likely continue for the next year or two, "then move to a reasonable cycle," he says. Recent testing was done in December and March, and the next round is slated for June. Also, before the next open enrollment period begins on Oct. 1, the HealthCare.gov technical and security team will be updating the site and systems with the new health plans being offered by insurers. "We're continually improving the site," he says. "There's no lack of understanding that the launch wasn't what we desired."
"We continue to be vigilant; that's not a boast. It's simply saying we've done the things needed to protect the site," he says. "Anything can be compromised, I'm not trying to say we will never have a problem because that would be foolish, too. But I will say that we take this very seriously."
As for emerging cyber threats facing the healthcare sector, many are similar to those found in other industries, Charest says. Those include threats posed by insiders and by organized crime rings that steal data to commit fraud. However, the healthcare sector also faces other threats, such as those posed by nation-states, whose attacks are focused more on stealing intellectual property.
"We have the best technologies, drugs, devices, and software like electronic medical records that are being developed here" by the U.S. healthcare sector, he says. "Why do your own research if you can steal someone else's," he says. "Nation states aren't interested in protected health information; that's what organized crime is interested in," he says. Nation states are interested in IP, he says.