FBI to examine ways to communicate cyber threat information more quickly

In the wake of the Community Health Systems (CHS) disclosure that hackers breached its computer system and accessed personal but not health data it held on 4.3 million people, a representative of the Federal Bureau of Investigations (FBI) joined the monthly Health Information Trust Alliance (HITRUST) cyber threat information call to discuss work being done to build a better public-private partnership on cyber threats facing the healthcare industry.

FBI Supervisory Special Agent Michael Rosanova told attendees on the call that he could understand “frustration” they may have faced as news of the CHS data breach broke. Many fielded calls from their own boards, investors and organizational leadership seeking to know how a data security breach like the CHS one could happen and if their own organizations were at risk. In the CHS case, the hackers appear to have exploited a known vulnerability (possibly the Heartbleed internet security flaw), so the message to chief medical information officers was simply to stay the course and continue doing what they were doing to protect their networks. There was no specific new action to take.

However, because of the care the FBI and the Department of Homeland Security must exercise in the release of information to protect ongoing investigations, as well as their data gathering methods, they were unable to even issue the “stay the course” message through organizations like HITRUST until well after the breach became national news.

“We are trying to build that [communications] conduit so that the chances of this type of PR incident occurs is reduced,” Rosanova told attendees.

He also cautioned, however, that the FBI and Department of Homeland Security exist to first of all protect national security and ensure the successful prosecution of criminals. It takes time between when the FBI learns of a possible threat and when it can share information about that threat with industry because it has make sure releasing the information will not compromise its main purpose. For example, it has to check in with prosecutors working cases related to the information to ensure that releasing information that may immediately help some will also not destroy a case against criminals posing an ongoing threat.

“If it is classified and we can’t give it to you, that is just the nature of the beast,” Rosanova said.

In the finance and energy sectors, there are individuals who have FBI security clearance going all the way up to top secret, Rosanova said, and HITRUST and the FBI may work together to help expedite security clearances for certain individuals from healthcare organizations that demonstrate a high level of preparedness. However, having access to top-secret information is not the same as being able to act on that information. In fact, Rosanova explained that it often means being explicitly prohibited from doing anything with the information because taking action would reveal what you knew.

The better solution may therefore be developing ways to get information that is classified as secret downgraded to a less secret status more quickly. That would allow sharing the information with the healthcare sector in a way that allows action. 

Speaking of the CHS case, Rosanova said, “We [the FBI] did make every effort to get the information to industry to answer the questions that were being asked of you.”

Possible future improvements Rosanova pointed to might include web briefings to members of the healthcare sector with certain security clearances on the threats the FBI was seeing, as well as better channels for healthcare sector information technology chief executives to alert the FBI to unusual activity they might see on their networks. Such activity could lead to the uncovering of a sophisticated cyber security threat and aid the FBI's law enforcement efforts.

However, collaborating with industry is a change for organizations like the FBI, Rosanova said. Traditionally, the FBI took information in. It didn’t exist to give information out.

“Cyber threat and how we interact with the private sector is new to us,” Rosanova said. “Now we are realizing that it is a partnership. It is 50-50. We have to build that bridge … we are trying to determine how best to do that while also maintaining the integrity of the information we have now.“

Lena Kauffman,

Contributor

Lena Kauffman is a contributing writer based in Ann Arbor, Michigan.

Trimed Popup
Trimed Popup