Building a Health Security FrameworkWorkshops Planned for Drafting Detailed Cybersecurity Plan
Workshops are being held this summer to gather ideas for a National Healthcare Cybersecurity Response Framework aimed at protecting critical infrastructure, says Deborah Kobza, who's coordinating the effort.
"This is really about connecting the dots on a national level to get the health sector to work together to build a cybersecurity protection framework," says Kobza, executive director and CEO of the National Health Information Sharing & Analysis Center.
More information about the workshops is available at the NH-ISAC website.
NH-ISAC is one of many ISACs formed in the wake of the 9/11 attacks to address security issues in various sectors. The not-for-profit, public/private partnership works in collaboration with the Department of Health and Human Services and other agencies, Kobza explains in an interview with Information Security Media Group's Howard Anderson (transcript below).
Representatives of healthcare organizations, technology companies and other organizations can attend workshops to help develop the framework, which is intended to help prevent both internal and external information breaches. The framework will include guidelines for information sharing, situational awareness, threat countermeasures and incident response. It also will outline educational initiatives.
In the interview, Kobza:
- Describes NH-ISAC's mission and structure;
- Previews the workshops;
- Points out that a draft of the framework will be available for public comment by October 1 and the final framework is slated for release early in 2013;
- Outlines ongoing efforts to develop cybersecurity education for healthcare, including both online and instructor-led courses, as well as a healthcare cybersecurity certification program.
Kobza heads the National Health Information Sharing & Analysis Center based at the Global Situational Awareness Center at Kennedy Space Center. She is certified in the Governance of Enterprise Information Technology and National Information Exchange (U.S. Department of Justice). She has more than 30 years of experience in risk-based enterprise technology, security, information assurance, data governance, research and workforce education for government, academia, and healthcare organizations. She also serves as president of the Global Institute for Cybersecurity + Research, or GICSR.
National Health ISAC
HOWARD ANDERSON: Please describe the mission of the National Health Information Sharing & Analysis Center.
DEBORAH KOBZA: The National Health ISAC is part of a national infrastructure. After 9/11, President Bush identified 18 national critical infrastructures, and as part of that presidential directive, there were federal agencies that were assigned to be ... responsible for writing a protection plan for their respective critical infrastructures - like ... the Department of Health and Human Services [for the healthcare sector.] And within each one of those agencies, there's a coordinating council that has a government sub-council and a private industry sub-council within it that work together with private industry and government to define what that infrastructure protection plan is. That's an annex to the National Infrastructure Protection Plan, or NIPP.
Now as part of that presidential directive, in order to support that, there are private industry information sharing and analysis centers, or ISACs, whose primary mission is to [work with] private industry for 24/7 cybersecurity - monitoring all hazards, threats and vulnerabilities [and addressing] information sharing and situational awareness. ISACs are not just pushing information out to their respected sectors but getting information back. That's very, very important.
I know there's a lot in the news right now and in the [proposed] cyber bills about information sharing. That's going to be very important ... so we can get to more of a proactive stance on cybersecurity then a reactive stance.
But each of these ISACs are formally recognized by their respected federal agency and the sector coordinating council, and then all of the ISACs are part of the national council of ISACs and work together on a daily basis. ...
For the national health ISAC ... membership is open to those organizations that are part of that critical infrastructure: owner/operators, technology companies ... security companies ... etc. ...
ANDERSON: You recently announced a national healthcare cybersecurity protection and education initiative. What's the purpose of that project and what are its components?
KOBZA: One of the things that we really have a lack of in this country is a qualified cybersecurity workforce. It's very, very difficult to find people with the expertise in cybersecurity. There's a national initiative that's led by NIST, the National Initiative for Cybersecurity Education. It includes over 20 federal agencies. ... The whole goal of the NICE initiative as they call it - which stands for National Initiative for Cybersecurity Education - is to address nationwide cybersecurity awareness, education and training in professional development, and to build a national cybersecurity workforce ...
Working with NIST and all those federal agencies that are part of that and with the Department of Health and Human Services, the health sector really needs to implement a health sector-defined and sustained cybersecurity response framework so we can work together as a critical infrastructure and not work in silos.
One of the things we hear a lot from health sector CIOs and CISOs is that everything's so fragmented. If I have a cyber-attack or vulnerability and we have a counter-measure solution that works, who do we call? Or if we don't know what to do, who do we call? How do we know what other hospitals or health organizations are experiencing? What's going on at the federal level for critical infrastructure protection? This is really about connecting the dots on a national level to get the health sector to work together and to build a cybersecurity protection framework that includes protocols around information sharing, situational awareness, counter-measure solutions, incident response - and to support all of this with a national healthcare and public health cybersecurity education framework that has supporting educational curriculum. [It also involves] establishing health sector-specific cybersecurity certification.
... We've been working on it for quite a while, getting everything in place. And we're having nationwide workshops around the country in 10 regions for healthcare owner-operators, hospitals, healthcare organizations, the government and security and technology organizations. ...
Cybersecurity Response Framework
ANDERSON: Let's talk a bit about that framework. Can you describe the National Healthcare Cybersecurity Response Framework, what it will include and how it's being developed?
KOBZA:The National Initiative for Cybersecurity Education has developed a national cybersecurity education framework out of the NICE initiative. Like I mentioned, it's being led by NIST, the National Institute for Standards and Technology. Now we're using that as a foundational baseline to develop the health sector-specific protection and education framework. That framework really puts forth a working taxonomy and a common lexicon that's organized into high-level categories, each comprising a cybersecurity specialty area. ...
Within those common specialty areas, we will be working with the health sector to make it health sector-specific, recognizing that cybersecurity 70 percent of the time is the same across all critical infrastructures, but that last 30 percent is very different when you look at the work flows and the application and regulatory compliance of security. We'll be looking at the health sector-specific side from a role-based perspective. For example, "securely provision" will include information, assurance, software engineering, enterprise architecture, test and evaluation, focusing around the whole software development lifecycle. "Protect and defend," for example, will address computer network defense, incident response, security program management, vulnerability assessment and management. "Operate and collect" will be on collections and operations and then "analyze" will go on all forces of intelligence, cyberthreat analysis and information sharing.
It's an all encompassed framework, not just on cybersecurity protection, situational awareness, information sharing and counter-measure solutions and incident response, but also around the education with the functions, roles, responsibilities, skills, sample job descriptions and career planning and everything that goes along with this.
ANDERSON: That framework will be made available for people online eventually? At what point?
KOBZA: We will have the draft framework completed by the first of October and nationwide regional workshops are starting in June. We will complete the draft framework by the first of October and release that for publication, for public comments and review. And then after we get all that review in and refine and update the framework, the whole framework will be released the first of the year. And there will be supporting education available, online training as well as we'll work with academia across the country ... so the health sector can have the pipeline of cybersecurity specialist coming into the industry. This is a whole encompassing framework, and it will be freely available out to the health sector and the education will be available online. They'll also be some instructor-led training available if the organizations want to do in-house type of training. And then the National Health ISAC will be implementing health sector-specific cyber certifications that will support these cybersecurity responsibilities.
Workshops on Framework
ANDERSON: The series of workshops - is the intention of those to gather suggestions for what should be included in the framework? And how can people go about attending?
KOBZA: They are two-day workshops. We will be breaking everyone into groups around those functional areas that I spoke about previously, and look at the different roles within the healthcare sector that are in each one of those functional groups. The first day of the workshop will also include a small cyber-exercise to get the creative thinking going with the people that are part of this workshop. Then we will break off into workgroups and then come back together on the same day and present to the group as a whole. And we'll start to put that [information] into a framework and then review that from workshop to workshop and continually refine that and give those organizations that participated a continuing opportunity to call into the other workshops as we go around the country.
ANDERSON: If someone wants to sign up to attend a workshop, how do they do that?
KOBZA: Just go to NHISAC.org. There will be information out there on the website and you can click on the link to register for any of the workshops around the country. It's really a great opportunity for the healthcare and public health critical infrastructures to have a defining voice and to have something in place that they developed and will support what their cybersecurity needs are.