COVID-19 and Information Security

We came together before.  We need to make this continuous and not reserve it for large events.

One of the most important lessons that I learned from taking the FEMA Incident Command System ICS-300 and ICS-400 classes were the concepts of Mutual Aid and Area Command.  The idea behind these exercises and the corresponding tabletop exercises and tests was that different organizations worked together to address the numerous issues behind an incident, with objectives that could change every operating period.

I took these courses at the Philadelphia Police Academy in 2010.  Our instructors were retired NYPD and FDNY with experience during the 9/11 terrorist attacks.  My classmates included Philadelphia police officers, someone from one of the local ambulance companies, and an ED physician.  Being as I was the only person there from a health system, and the class was taught by native New Yorkers, I got a nickname, “Hospital Guy”. 

What these classes taught me was the necessity of looking outside the IT bubble when working with emergency management, and how to reframe my point of view to focus on mission objectives, even if the mission itself changes.  You cannot expect everything to follow a playbook.

Ransomware in 2016 provided a very important lesson in collaboration.  Organizations realized that they were experiencing the same existential threats.  There was an unmet need for information security teams at different organizations to collaborate and share information.  The Healthcare Information Sharing and Advisory Center (H-ISAC), Infragard, and the FBI stepped up, along with representatives from larger organizations such as Temple Health, Penn Medicine, Christiana Care, Ascension, Aurora Healthcare, and Epic. 

The main driver for this collaboration was that many of the security vendors out there were caught as flat-footed as we were, and that the solutions being proposed did not address the needs of health systems. 

2020 has changed the dynamic significantly.  We are facing a pandemic of titanic proportions.  The last time one of this severity occurred was 1918.  The effects of this event extend from the threat to personal safety and life to also include significant financial effects.  We have the potential for 20 percent unemployment by the end of the year.  Many of our workforce members are working remotely.  Workforces have had to move from local to remote in less than two weeks in many cases.  We must deal with the challenges of a remote workforce, financial scams, phishing, charity scams, significant remote workers, and criminals seeking opportunity all at the same time.

It is out of this that we need to extend our collaboration to include security vendors.  Traditionally, the vendor/customer arrangement has not extended to this level of partnership outside of a select few.  They are more infamous for their sales teams sniping at each other, not collaborating.  Many organizations rely upon their research, however.  The interoperability and vendor lock-in have caused many a CIO agita over the years.

Health systems are increasingly performing their own security research.  Several of the larger ones have in-house teams working to address third-party risk, specifically with cloud computing, medical device security, and emerging threats.  The academic health systems now partner with their cybersecurity counterparts on the educational side.  You are just as likely to see presenters at major hacker conferences from health systems as you are from security firms.  This includes such mainstays as DEFCON, Black Hat, and the BSides conferences. 

The medical device and EMR vendors also get heavily involved.  Cerner now co-sponsors the BSidesKC security conference.  The Institute of Electrical and Electronics Engineers (IEEE) and Underwriters’ Laboratories (UL) security standards groups have a mix of academia, researchers, engineers and product design teams from device and software companies, and now the security companies and academic health systems participating and actively contributing.  The same goes for the Healthcare Information Sharing and Advisory Center (H-ISAC).

The incredible Health Sector Council work led by Greg Garcia has also brought together numerous groups to help address critical cybersecurity needs.  However, that has not been enough given the current unforeseen situation.

We need to close the gap between the security companies and have one approach that works, despite who we pay the bills to.  We needed to organize to address the myriad of threats the current pandemic presents.  The COVID-19 Cyber Threat Coalition, https://www.cyberthreatcoalition.org/, is taking a standard approach that includes participants from across industries and spectrums.

When I first found out about it, it was from a collaborator, Sean Gallagher, who now works as a researcher at Sophos.  When we saw that numerous companies from across the spectrum were coming together in a forum to collaboratively address emerging threats and work together on solutions, we saw opportunity. 

This group has developed significant materials and threat intelligence that others can use to defend themselves.  The information coming from here has been significant, useful, and beneficial to all organizations.  Most importantly, there is not the lock-in of having vendors keep the information away so they can claim to have something that other organizations do not.  We have discussed the benefits of this collaboration with our leaders, who are in full support.  This is because this coalition aligns with our mission and values, and provides examples of Purpose, Excellence, Team, and Compassion that we can demonstrate.  We can provide tangible proof to our team that we are not just talking, we’re doing, and this group shows results.

What this group has done is a model that we need to continue to follow.  COVID-19 has exposed the interdependencies between us all.  The ISAC model worked incredibly well when it was conceived, however, the world evolves and changes at a rate greater than at any other time in human history.  It is not enough to look at security through the lens of a specific ISAC.  In the case of this coalition, it’s multiple representatives from across different companies.

We should adopt the model we learned about in the ICS 300 and 400 classes.  We need to focus on the incidents and utilize facilitation between the various industries and players where needed to address them.  This is familiar to us, as many of us work together already on security and standards work.  We need to extend this to incident response, which this group has done incredibly well.

If there is anything we can do, it is to keep this group going after the initial bow shock as an ongoing effort supported by the current participants.  After all, the medical device companies, academic health centers, academia, and researchers are already collaborating under the auspices of IEEE and UL.  We should extend this model to be continuous.  Let us not reserve this collaboration for large events.  Let us keep it going and provide benefits to all participants.  We need to be vigilant and ready to collaborate, even when the objectives continually change, to support the mission of better security and protection.

MITCH PARKER
CISO
INDIANA UNIVERSITY HEALTH

I am a results-oriented leader who focuses on the processes behind why we implement systems to augment businesses, and the infrastructure required to support them successfully. I believe that we cannot have security without a concrete idea of what the business needs are, how information systems meet them, and how their implementation and maintenance processes are managed to achieve these goals. I believe that security is an integral part of the business process, whether it is evident or not. I believe in security that makes sense, not security for security’s sake. Proper design, planning, timing, and execution are what make projects successful and build long-lasting customer relationships. I have spent the past 16 years working to build unique systems that meet customers’ business and security needs through the entire systems development lifecycle. I encourage others to bring that forth, with the goals of continual improvement, reusability, security that makes sense, and planning for the future.