The Healthcare and Public Health Sector Coordinating Council (HSCC) conducted its biannual Joint Cybersecurity Working Group (JCWG) All-Hands Meeting on April 3-4, 2019. As a member of HSCC, Coalfire participated in the JCWG meeting with other security leaders from across the healthcare industry and was able to take part in the group's cybersecurity disaster preparedness exercise. The meeting is designated as a Critical Infrastructure Partnership Advisory Council (CIPAC) meeting under the authority of the Department of Homeland Security.
Some of the key initiatives coming from the HSCC include the development and circulation of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication and the Medical Device and Health IT Joint Security Plan (JSP). These publications were developed through assigned task groups of government and industry partners to provide salient recommendations and best practices for the respective communities.
The JCWG leadership has initiated the use of tabletop cybersecurity exercises to facilitate a best-practices discussion between members about scenarios and real-world events, and to share recommendations and other problem-solving approaches.
The facilitated event began with an “injection” of a ransomware attack that, at first, affected only one hospital system. The injection identified the status of the security incident, and the facilitator leveraged this to gather information on best practices from the participants, a diverse group of healthcare organizations including Healthcare Delivery Organizations (HDOs), pharmaceutical companies, medical device manufacturers, federal government, cybersecurity researchers, H-ISAC and HIMSS.
The injections created a cybersecurity incident scenario that quickly escalated outside of the individual hospital and required assessments about information sharing and response across a broader portion of the healthcare sector. Data collectors gathered information from the breakout sessions, and the team gathered to share results.
The first “Move” (as designated by the exercise team) was to establish initial indicators and containment strategies, including implementing existing processes, policies, procedures, and plans such as a Security Incident Response Plan, a Business Continuity Plan or a Disaster Recovery Plan.
The second “Move” focused on recovery and resiliency. The same process conducted for Move One was facilitated for Move Two, but the emphasis was on transitioning from containment response to recovery operations.
This is the second tabletop exercise conducted by the HSCC JCWG, with each one showing improved maturity, additional participation by the membership, and an impressive opportunity to crosscut within the healthcare sector. The exercise showcases the importance of cybersecurity disaster preparedness across the healthcare industry and the need for healthcare systems and vendors to conduct similar exercises to inform their ability to identify, respond to, and recover from a significant cybersecurity event.