By Andy Jabbour
There is a tremendous amount of information that analysts, security and risk leaders, executives, and others try to process daily. Amid the abundance of noise, we strive to promote a simple idea for developing a threat-informed, risk-based approach to analysis, preparedness and operations: Understand the Threats, Assess the Risks, Take Action. We are extremely excited to see this approach being taken in a critical infrastructure community through the leadership of NH-ISAC.
- The National Health Information Sharing and Analysis Center (NH-ISAC) continuously assesses the threats facing its members, the US (and global) healthcare community and the broader threat environment.
- Assessing those threats, and the potential risks members need to anticipate and prepare for, NH-ISAC recognizes the rapidly increasing threats and risks associated with cyber-physical systems, dependencies, and related threats.
- In an effort to support increased member awareness and preparedness relating to blended threats, NH-ISAC is leading a coordinated, multi-part exercise series around the United States to advance opportunities for members to interact with one another and discuss issues, concerns, best practices, potential gaps, and other salient points relating to blended threats and to help inform organizational preparedness.
In our 24 Jan post, “Blended Threats: Understanding an Evolving Threat Environment,” our team elaborated on a term we have been using for some time in a variety of efforts and in relation to a broad array of issues: the idea of Blended Threats.
A Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to harm life, information, operations, the environment, and/or property.
That post includes some examples and additional background. Recent reports and incidents have further underscored our increasingly intertwined, and blended, threat environment. For example, on 27 Jan, security investigator Brian Krebs discussed “jackpotting” attacks on ATMs where an initial physical compromise, followed by use of malware, can take control of the machines, turning them into cash Pez dispensers. The following day, news broke about the inadvertent information sharing of the location of classified facilities by data acquired from personal fitness devices and the popular Strava app. Physical devices, cyber threats… and a wide array of Blended Threats.
The potential for blended threats has been observed in the Healthcare and Public Health Sector in both security research efforts and actual events. A few samplings from The Register over the last few years, for example:
- “DHS warns of vulns in hospital medical equipment; Has your doctor’s anasthesia machine been hacked?” 14 Jun 2013;
- “Thousands of ‘directly hackable’ hospital devices exposed online; Hackers make 55,416 logins to MRIs, defibrillator honeypots,” 29 Dec 2015;
- “Accept for a second that robot surgeons exist. Who will check they’re up to the job – and how? Let us level with you…” 20 Apr 2017;
- “Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP; Equipment still taking too long to patch, leaving systems exposed,” 26 Sep 2017.
But besides El Reg’s clever headlines, there is abundant security work and research being done relating to healthcare, from looking at medical device security preparedness – like pacemakers – to understanding how recently exposed vulnerabilities such as Meltdown and Spectre can impact the Sector, to new research, such as that recently shared by researchers from Israel’s Ben-Gurion University who have looked at vulnerabilities in medical imaging devices. And NH-ISAC and its members have been engaged in a number of educational forums to address these and other emerging issues.
Following the ransomware outbreaks of 2017, the UK’s National Audit Office noted in October that, “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.” Oof! And 2017 saw much more than just the ransomware incidents. In part three of this series focusing on NH-ISAC’s Blended Threats initiative, our team will provide a broader overview of some of what we’ve seen in 2017, the increasing potential of blended attacks, and real risks to cyber-physical systems in healthcare.
Understand the Threats. Assess the Risks. Take Action.
NH-ISAC understands the current and evolving threat environment and the ongoing and emerging issues facing its members. Appreciating the possible consequences of some of the potential blended threats, NH-ISAC has determined that action is required. Under the leadership of NH-ISAC’s President, Denise Anderson, NH-ISAC is leading a coordinated, multi-part exercise series around the United States to advance opportunities for members to interact with one another and discuss issues, concerns, best practices, potential gaps, and other salient points relating to blended threats, and to help inform organizational security preparedness. Over the coming months, members will further explore blended threats in relation to their organizations – the people, facilities, and operations – to enhance the Sector’s understanding while working to a higher level of preparedness, security and resilience.
This is an awesome effort and a tremendous example of leadership and proactive engagement in security for the healthcare community. In the next installment of this series, we’ll interview Denise Anderson to better understand her perspective and vision. Our team at Gate 15 is humbled and excited to be a small part of what NH-ISAC is doing to help lead in critical infrastructure!
About NH-ISAC: “NH-ISAC is a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector (HPH). The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, incidents and vulnerabilities that can include data such as indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur via machine to machine or human to human. NH-ISAC also fosters the building of relationships and networking through a number of educational events in order to facilitate trust. Working groups and committees focus on topics and activities of importance to the sector and services such as CYBERFIT® offer enhanced services to leverage the NH-ISAC community for the benefit of all. NH-ISAC’s mission is to enable and preserve the public trust by advancing the global health sector’s cyber and physical security protection and resilience as well as enabling the ability to prepare for and respond to cyber and physical threats and vulnerabilities.”
This blog was written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.
Maintain security and threat awareness via Gate 15’s free daily paper, the Gate 15 SUN, and learn more about Hostile Events Preparedness and our HEPS Program here. Gate 15 provides intelligence and threat information to inform routine situational awareness, preparedness planning, and to penetrate the decision-making cycle to help inform time-sensitive decisions affecting operations, security, and resources. We provide clients with routine cyber and physical security products tailored to the individual client’s interests. Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics.