Defending critical infrastructure from cyber attacks

NH-ISAC, the nation's Healthcare and Public Health Information Sharing and Analysis Center, is hard at work securing critical infrastructure in all sectors of the U.S., including healthcare, Deborah Kobza, the organization's executive director and CEO, said during the National Institute of Standards and Technology and the Office of Civil Rights’ joint conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” on Sept. 24.

Ninety percent of the nation’s critical infrastructure is owned by private industry, underscoring the need to work as a public-private trusted community to secure physical and virtual assets, she said.

“A lot of folks in healthcare sectors are like deer in the headlights right now when it comes to cybersecurity. They have all the regulations and guidelines but don’t know where to start first,” she said.

As a nonprofit, NH-ISAC is working with each sector, including healthcare, to develop a national infrastructure protection plan, she said. NH-ISAC serves as the operational and tactical arm, where information is shared regularly on the latest threats and vulnerabilities.

Coordinating councils, which include private industry representatives, and local and federal government agencies are just starting to update plans for the healthcare environment. This entails updating emergency support functions that allow for protocols surrounding cybersecurity response.

A working group of healthcare providers is looking to customize a framework around medical devices, which includes analyzing how mature they are in terms of cybersecurity protections, Kobza said. In conjunction with this, the FDA is planning a public hearing on October 21 and 22 to drive this process.

Complementing NIST’s cybersecurity framework, NH-ISAC also increasingly is working with organizations at no cost to help them determine their current profile around cybersecurity, she said. “It will give them an opportunity to know where they are and where they need to fill in gaps.”

The organization, headquartered at the NASA Kennedy Center, is working with federal agencies to build a trusted community where information is shared rapidly. “One organization’s incident is another’s defense,” she said. The organization previously sent out alerts and advisories on a daily basis on possible threats, which were distributed through an online service or email—but now is utilizing automated intelligence that shares information in a standardized fashion at “machine speed,” she said.

“The only way to get ahead of the bad guys is to share intelligence at machine speed and ensure everybody is together to protect the networks,” she said.

NH-ISAC also implemented a technology called ReadyOp, which lets organizations communicate at the push of a button with hundreds or thousands of organizations about cyber threats. In addition, it has developed Cyber First Responder, which is coordinated at the state level in partnership with federal health agencies and includes response protocols so organizations can assist each other with staff during emergency scenarios, she said.
