Building Resilient Health Infrastructure with ASPR

[Music]

MICHAEL ELTRINGHAM: You’re listening to “Building Resilient Health Infrastructure with ASPR,” a podcast from the HHS ASPR Critical Infrastructure Protection Division. If you have any questions about this episode, please email us at [email protected].

ME: Hey everyone! Thanks for listening. I'm Michael Eltringham I'll turn him an analyst within the HHS ASPR Critical Infrastructure Protection Division or the CIP Division as we like to call it. I'm joined by our division director Dr. Laura Wolf. How are you Dr. Wolf?

DR. LAURA WOLF: Great! Thanks Mike.

ME: we're back again with another episode. Today's question that we'll be tackling: why do we care about cybersecurity? so I think today we want to kind of talk about how that relates to HPH critical infrastructure, because I think to a lot of folks it might not be an obvious connection. But can you kind of touch on first of all just how it's connected to the various sub sectors within our partnership?

LW: Absolutely, so it is so critical to the functioning of health care and public health infrastructure. We rely on connections to the internet and connections between devices, to pull up information when we need it, to help devices work, to record images, really a majority of the work that we do relies on cyber systems. Even the functioning of a building relies on industrial control systems or ICS systems that are just as vulnerable as other types of cyber systems.

ME: What about the concept of PHI? Can you talk about that a little bit? personal health information.

LW: Sure. So it used to be that different types of personal information was at risk to cyberattacks. There used to be your social security number, or insurance information that was sought after for fraud. Now it's becoming more apparent that your personal health information, which is often stored on the web, is a target. It is more lucrative for individuals to steal health information and use that for Medicare benefits or other types of insurance benefits and fraud than other types of information.

So that's a risk, but also other personal devices are a risk to us because they're connected to cyber systems. So if you think about insulin pumps or pacemakers or other types of medical devices, they're also a risk that we hadn’t considered so seriously in years past. It's not only the information, it's the devices themselves and one of the challenges is if there were a cyber attack on devices, we may not recognize it for a while. We may not know that it's happening and that sort of insidious attack may cause us to lose trust in some of the devices that we have or the systems that we use

We've talked about the cyber attacks and there were several of them that impacted our sector and specifically health care facilities within our sector and one of the specific types of attacks was a ransomware attack. Without getting into too much detail, just to give a kind of general overview, ransomware is basically is where a malicious actor a hacker or some kind of cyber security expert who is like I said a malicious actor, will hack into the system of a health care facility and tell the operators of that facility that until they pay a ransom they won't have access to it and that includes patient records, electronic health records, all that kind of stuff, so can you talk about that a little bit?

LW: Sure and it's not always being hacked into to, have these ransomware attacks! Sometimes it's a phishing email that starts this all out.

So an individual receives in an email and it may have a malicious link in it and clicking that link allows the bad actor to have access to those systems. So there's a variety of way this can move forward. The attacks in 2017 were international. They didn't start in the United States. Healthcare in the United States was not targeted. It was a malicious worm that self-propagated throughout systems starting in foreign countries and made it's way to the US through connected systems and infrastructure.

ME: So there are a couple myths and we'll talk a little bit, we'll touch on the response aspect of that, and how our partnership and our division responds to a cyber attack, but can you touch on some of the kind of common myths that you've heard in dealing with these responses and kind of the truth behind them?

LW: Absolutely. So we always hear, “Well I'm not a target. No one wants my information. They're going to go to bigger systems.” So the myth would be that large systems are always the target, and as I mentioned before, there may not be a specific target. There certainly sometimes our targets, but when you see these large international incidents, you may be the unfortunate victim of the attack without even being targeted. So don't think because of the size of your organization or the specificity or connection to some other large entity, don't think you're immune, if you will, because you're smaller. Everyone is vulnerable to a lot of the threats that are out there.

ME: What about the idea that, let's say you get approached by that bad actor and they say, “Pay this ransom” and then someone wants to say, “Okay, we'll pay that,” you know, and just right away that's the easiest solution. What about that kind of concept?

LW: Sure. Well, that has worked in the past. The government certainly does not recommend that, because when you pay ransom that's exactly what the perpetrators want, and that encourages them to perform further attacks. So we don't encourage that, but that is a business decision up to the entity that's being attacked.

I do want it to be very clear though that paying ransom is not always going to be a solution. In several instances, we've seen that it's not really the goal of the actor to get ransom. It's really to do something else: to wipe systems or to cause other sorts of mayhem. And so we've seen instances where ransom was paid and the key was not given, so it is not always a given that paying ransom will help you in any way.

ME: And what about the idea that there will always be a patch?

LW: Right: so for both WannaCry and Petya/Not Petya, the incident utilized a vulnerability in a Microsoft system for which there was a patch. And so we didn't see a lot of impacts in the U.S. because many systems had had done that patching and updated those systems ahead of time. But there are what are called “zero day events.” That's where the actors use a vulnerability that hasn't been considered before and hasn't been patched. So it may take days to patch or it may be an incident that takes weeks to patch you may have to think of how to use how to get around systems that aren't functioning or that have to be taken offline if those patches can't be found.

ME: So it's an important field and it's obviously getting more and more important every day as the world becomes more and more digital, so it's something that we'll keep our eye on continue to work with and like you said work with that subject matter expertise who can help us, really you know help secure that cyber infrastructure within the health care public health sector

LW: That's right Mike, and I before we close, I do want to give a plug that one of our more active working groups in the partnership is our Cybersecurity Working Group. The executive director of that is Greg Garcia, and so hopefully we'll have him on a future podcast as well to talk about the work of that group.

ME: Absolutely, that would be great. So that's our episode for today thank you everyone for listening. Again, if you have any questions about anything you heard on the podcast today or if you have just, you know, general questions or feedback about the HPH Sector Partnership or the ASPR CIP Division, please email us at [email protected].

[Music]