Post WannaCry: Hospital cybersecurity needs to link to Emergency Management
“Worlds Colliding”
Cybersecurity and Emergency Management
May 2017
Co-authors:
Kristina Freas, M.Sci., RN, EMT-P, CEM
And
Dave Sweigert, M.Sci., CEH, CISA, CISSP, EMT-B, HCISPP, PCIP, PMP, SEC+
ABSTRACT
In historic fashion, the federal government managed a nation-wide healthcare
sector response to the WannaCry ransomware virus. Understanding horizontal
connections between diverse stakeholder groups involved in the emergency
management of a cyber event is the focus of this article. Note: this document is
scholarly research and does not present legal, operations or management advice.
Background
On May 12, 2017 the viability of Britain’s
National Health Service (NHS) was
questionable. NHS cyberinfrastructure
was severely compromised by an
untargeted random ransomware
outbreak, spreading in 99 other
countries. Initial reports claimed the
impact of the virus on NHS was
“catastrophic” and “crippling1”.
The virus was known as “WannaCry”.
This ransomware virus, that demanded
$300 USD in Bitcoin, would galvanize a
response from the $3.2 trillion2
healthcare sector.
The U.S. Department of Health and
Human Services (DHHS) was suddenly
confronted with the possibility that the US
healthcare system could suffer the same
fate as NHS.
1. http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/
The healthcare cyberinfrastructure, with
its cyber interdependencies that link so
many entities (direct patient healthcare,
health plans and payers, medical
materials, laboratories, public health,
emergency medical services, etc.) is
considered critical infrastructure to this
nation.
WannaCry was considered a direct threat
to this critical infrastructure (C.I.).
Here comes the cyber militia
In the hours that followed initial DHHS
activation, thousands of private-public
hospitals and healthcare organizations
(HCO) would mobilize to confront the
virus outbreak.
2. In annual transactions
This self-organized private-public “cyber-
militia” had mobilized (almost overnight)
to receive guidance from the emergency
managers at DHHS.
Nationwide teleconference calls provided
daily situational reports with top-level
relevant officials from key agencies
available to provide immediate feedback
(U.S. Food and Drug Administration, U.S.
Department of Homeland Security, etc.).
DHHS Office of Civil Rights (OCR)
provided updates on classification of
security and privacy incidents, then
dropped off the call to allow free and
open communications.
Caveat: Understanding the vocabulary of
the Hospital Incident Command System
(HICS) was an advantage that helped
many callers discuss their alignment
challenges with the DHHS unity of effort.
Who is ASPR?
Medical personnel might recognize two
programs guided by the Assistant
Secretary for Preparedness and
Response (ASPR): the Medical Reserve
Corps (MRC) and the Disaster Medical
Assistance Teams, which are part of the
National Disaster Medical System,
designed “to augment state and local
capabilities during an emergency or
disaster.”3
ASPR was commissioned more than a decade ago “to strengthen the capabilities of hospitals and health care systems in public health emergencies and medical disasters.” ASPR also maintains the Office of Emergency Management (OEM).
OEM “continuously supports direct and open communication with federal, state, local, tribal, territorial and NGO stakeholders.”4
3. https://www.phe.gov/about/aspr/pages/default.aspx
4. https://www.phe.gov/about/oem/Pages/default.aspx
Activation of Incident Command
The WannaCry virus was now officially known as the “International Cyber Threat to Healthcare Organizations”.
DHHS, known as a Sector Specific
Agency (SSA) during such emergencies,
publicly acknowledged the threat,
spawning a viral nationwide notification
to the healthcare sector.
“HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems,” DHHS announced; ASPR5 OEM Critical Infrastructure Protection Lead Laura Wolf explained the situation in an email.
As Ms. Wolf would later remark in one of
the national teleconference calls (with as
many as 3,000 participants), “It appears
worlds are colliding – cyber security and
emergency management.”
They were indeed.
5. HHS-ASPR-OEM: Health and Human Services, Assistant Secretary for Preparedness and Response, Office of Emergency Management.
Risk Management of Cyber Incidents
Many hospitals and HCOs simply don’t have the staff to develop a mature cyber-security incident response and recovery team, sometimes known as a Computer Emergency Response Team (CERT). Thus, these facilities may rely on threat warnings issued by US-CERT, the U.S. Computer Emergency Readiness Team6 (a component of DHS), or other groups. However, teams like a CERT are a requirement of the HIPAA Security Rule.
Observe the excerpts below from the DHHS Security Risk Assessment Tool:
A46 - §164.308(a)(6)(ii) Required: Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?
A47 - §164.308(a)(6)(ii) Required: Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic device and media, and information (such as ePHI)?7
Cybersecurity practitioners are well
advised to consider the above and work
toward the harmonization of emergency
response plans, emergency operations
plans, cyber incident response plans, etc.
The effect of downstream consequences caused by a cyber incident should be addressed, just as any other threat. This is especially true in a regulated environment that maintains a regulatory requirement to harmonize cyber incident response and recovery plans with emergency management plans.
“In order to assess health sector cyber risks, it is paramount to understand the systems to be defended, their key assets and the impacts a successful attack may have on them. In addition, potential adversaries also need to be identified along with their intentions and capabilities. That way, threats can be better evaluated as well as healthcare systems vulnerabilities.8”
DHS Risk Management Cycle
The protection and prevention of incidents to the operation of hospitals and HCOs is addressed in the DHS National Infrastructure Protection Plan (N.I.P.P.).
Developing an understanding of DHS risk management techniques helps align the response and recovery activities of a particular institution with many others to help create unity of effort.
DHS offers a risk management baseline designed specifically for C.I. resources (like hospitals and HCOs). It is one of the horizontal linkages that develops a pathway amongst all responders (supporting unity of effort).
6. https://www.us-cert.gov/
7
8. STATE OF CYBERSECURITY & CYBER THREATS IN HEALTHCARE ORGANIZATIONS, Applied Cybersecurity Strategy for Managers, by Aurore LE BRIS, Walid EL ASRI
The DHS risk approach establishes a common framework and vocabulary which cyber practitioners and the emergency management community should share.
The DHS risk management process provides this sequence:
1. Defining the context: what decision might be based on this assessment?
2. Identifying potential risks: develop a preliminary list of risks.
3. Assessing and analyzing risk: determine methodology, gather data, validate data, and analyze outputs.
4. Developing alternatives: provide a structured way for decision makers to view data.
5. Deciding upon a risk management strategy: support decision making of the right alternatives.
6. Evaluation and monitoring: monitor performance of risk alternatives.
7. Risk communication: risk management decisions must be communicated.
The DHS risk management process can be categorized as an operational approach, designed to address dynamic/fluid events with a wide variety of risks.
In DHS parlance, a “jurisdiction specific risk assessment” is a targeted risk assessment. Targeted risk assessments of this nature have been promoted by the DHHS Office of Civil Rights to evaluate whether a data breach has occurred. Known as a “breach risk assessment”9, it requires a risk assessment that shall address the following (with regards to a data breach):
1. Nature and extent
2. Unauthorized person involved
3. Acquisition of PHI
4. Extent risk has been mitigated
In certain cases, a risk assessment such as the one above will eliminate the need for a formal data breach notification to HHS OCR.
This abbreviated, lightweight “specific risk assessment” is a great example of a targeted risk assessment to address a narrow scope of threats and vulnerabilities.
9. On August 24, 2009, the US Department of Health and Human Services (HHS) published 45 CFR Parts 160 and 164 Breach Notification for Unsecured Protected Health Information; Interim Final Rule to implement the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
Similarities of the two models:
DHS                                  | HHS/OCR
Context, circumstances               | Nature and extent
Identify potential risks             | Pre-identified “threat” – unauthorized person
Analyze and assess the risk          | Acquisition of PHI
Develop alternatives                 | Extent risk has been mitigated
Implementing, evaluating, monitoring | Not specifically addressed
Communicating the risk               | Decision point – formal HHS/OCR data breach notification or not
Leveraging unique aspects of the DHS
risk approach
The reader should now understand a fundamental doctrine of DHS risk management: that risk assessments tend to be
- Threat-focused risk assessments
- Operations-oriented assessments
Restated:
- Wider variety of threats
- Concept of fluidity
Response and recovery activities to cyber incidents are also fluid/dynamic and may need to address a wider variety of threats. These actions should be measured and improved upon.
Where to start – threat modeling
The wide variety of risk categories posed by this sector-wide cyber-attack include:
- Risk to Critical Infrastructure and Key Resources (CIKR): risk to assets and systems.
- Risk to Population (POP): size and density of population impacted by hospital diversion and cancelation of services.
- Social Risk (SOC): individuals that depend on the system under threat (hospitals and HCOs).
Here is an example of a threat list.
CIKR | Corruption of medical records; loss of access to records
POP  | Elective surgeries cancelled; ER/ED on diversion; wards evacuated
SOC  | Fear, loss of confidence; confused, angst, anger; frustration in loss of service
Conducting a threat-focused risk
assessment is one of the best ways to
examine an institution’s emergency and
cyber incident response plans for
completeness and alignment.
About the co-authors:
Kristina Freas, RN, EMT-P, CEM, is an
experienced emergency management
professional and Certified Emergency
Manager (CEM) specializing in the public
health and healthcare critical infrastructure
sector.
Dave Sweigert, EMT-B, is a Certified
Ethical Hacker. An Air Force veteran, he
holds advanced practitioner status
conferred by FEMA and CalOES. He has
written the Field Operations Guide to
Ethical Hacking to empower cyber
security professionals during emergency
incident response.