Security Spotlight: An Interview with NH-ISAC President Denise Anderson

In a recent post introducing the preparedness efforts that the National Health Information Sharing and Analysis Center (NH-ISAC) is taking to support increased member awareness and preparedness relating to blended threats, we addressed the importance of developing a threat-informed, risk-based approach to analysis, preparedness and operations, and how NH-ISAC is at the forefront of that for their community and more broadly. Leading this effort is Denise Anderson, President of NH-ISAC and current Chair for the National Council of ISACs (NCI). Denise kindly agreed to an interview to share her thoughts on critical infrastructure, the threat environment, and other relevant topics.

Q: Denise, I’ve had the chance to work around you for over ten years and have always appreciated your leadership, forward-leaning approach, and the way you anticipate threats and where ISACs need to go to support their communities (among many other things!). You know our team’s mantra, “Understand the Threats, Assess the Risks, Take Action.” In the world of critical infrastructure, broadly, what are the current and emerging threats that you’re focusing on?

A: I’m not sure that I’m focused on any particular current or emerging threat. If anything I’m focused on threat actor motivation and capability. If a threat actor wants what your organization has, he will come after it through any combination of ways such as social engineering, software and hardware vulnerabilities and exploits and then privilege escalation and persistence once in. Basically organizations should focus on enterprise risk management; understanding what the crown jewels are in the organization and what an organization can live without over graduating periods of time, understanding and staying on top of the motivations of threat actors as well as attack trends, knowing the organization’s threat surface and then building in layers of defense accordingly.

Another focus area is understanding that while an organization may not be a direct target, it can suffer indirect consequences of an attack as was seen in the WannaCry and Petya/Not Petya attacks in 2017. Numerous large organizations were impacted to the tune of millions if not billions of dollars and are still recovering a year later. It is important to stay abreast of geopolitical events and threats and understand that organizations can be affected even if they were not the target.

Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Q: When you look at those threats, and when you consider the idea of “Blended Threats,” does anything pop out to you in particular? Are there tactics and attacks you’ve seen that stand out or emerging threats you think the infrastructure community needs to be thinking about?

A: Again, not necessarily any specific thing but just to be thinking about all potential scenarios and to be thinking, exercising and preparing for black swan events. In many organizations, physical and cyber security teams often work independently of each other and are siloed. It is important to bring all teams within an organization together to look at all potential scenarios, consequences and impacts. For example, what if a cyberattack disabled the water and temperature systems of an organization’s data center? What would happen if a hurricane knocked out the water treatment systems so that manufacturing plants could not discharge their waste during processing? What if a camera system was used as a way to gain access to critical operational cyber networks? What if the master boot records of 30,000 machines were completely destroyed in mere seconds thereby rendering the machines useless? What if a dirty bomb or chemical attack prohibited access to a facility for a long period of time? Organizations need to look at all possibilities – thinkable and unthinkable – understand all potential impacts and draw up plans and procedures to help prevent such situations, or at a minimum, to remain resilient in the face of them.

Q: I love the consideration to dependencies and critical lifelines, the cascading effects and the non-traditional threats. Taking those varied threats, as you look at healthcare specifically, are there risks you assess as most relevant and of greatest concern for your Sector?

A: While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a noble concept, it unfortunately puts the focus and the burden of compliance in my mind on data security and not on patient safety. As we’ve seen in the recent ransomware attacks and in WannaCry and Petya/Not Petya, when a healthcare organization cannot perform surgeries because it cannot access images or equipment, that becomes a patient safety issue with, potentially, lives at stake. I also think data manipulation can have severe consequences in healthcare. For example, if a patient record or history is altered that can potentially have dire consequences. There are myriad instances where there would be severe consequences if data manipulation or destruction occurred.

“when a healthcare organization cannot perform surgeries because it cannot access images or equipment, that becomes a patient safety issue with, potentially, lives at stake” – NH-ISAC President, Denise Anderson

Perhaps the biggest threat in healthcare is ourselves. There is a large amount of finger-pointing and blame tossed around between healthcare delivery organizations (HDOs) – think hospitals – and medical device manufacturers (MDMs) – think pacemakers. I think both sides need to come together to work out the issues and understand the complications each side faces. Hopefully through the NH-ISAC and our Medical Device Cyber Security Information Sharing Council, a community of HDOs and MDMs, we can bridge those gaps through regular meetings and initiatives designed to educate and innovate.

“Perhaps the biggest threat in healthcare is ourselves…”

Q: The Medical Device Cyber Security Information Sharing Council and the Blended Threats preparedness initiative are great ways to encourage forward-leaning security thinking. Additionally, NH-ISAC is doing a lot more to support members and help them “prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk [1].” Can you talk about some of things NH-ISAC does to help members and broader community preparedness?

A: First and foremost we provide a forum for the community to share with each other and we foster networking to build the relationships that enhance and drive value in the sharing. We also provide a number of educational opportunities for our members, including webinars, conferences, exercises and workshops, and a suite of tools that they can use to help them build cyber security programs, among other things. I’m particularly proud that during the WannaCry and Petya/Not Petya attacks we came together as a community, quickly sorting ground truth from fiction, determining the threat vector and propagation method and in the case of Petya/Not Petya, developing a “vaccine” to stop the spread of the attack. The community shared this information broadly within the membership, the Sector, and other ISACs, as well as with the public. It was truly ground breaking and exciting to be a part of.

“ISACs serve as operational and dissemination arms for many sectors and subsectors, and facilitate sharing of information between government and the private sector. ISACs work closely with SCCs in the sectors where they are recognized… Government agencies also may rely on ISACs for situational awareness and to enhance their ability to provide timely, actionable data to targeted entities.” – NIPP

Q: Shifting gears, you’ve been a leader across critical infrastructure, first with Financial Services and now leading the NH-ISAC and as Chair of the NCI. What has made ISACs so successful and is the ISAC model, and the collaboration of ISACs with public sector partners as part of the National Partnership Structure [2] something you think will continue in the future?

A: What many don’t realize is that ISACs have been around for almost 20 years, before the creation of the Department of Homeland Security, and the NCI has been around for 15 years. We now have 22 ISACs who are members of the NCI and many ISACs have experienced robust growth and success. There is a reason for that. Trusted sharing within communities is a vital and cost effective part of security where one organization’s defense becomes everyone else’s offense. There are a number of successful instances to illustrate this collaboration and the 2012/2013 DDoS (Distributed Denial of Service) attacks certainly come to mind. The financial institutions came together and shared broadly, so much so, that the attackers moved on as the attacks became less effective when mitigation strategies were implemented as a result of the information sharing.

The National Partnership Structure has grown over the years and I think we are in a better place than we were when the structure was implemented but there is still so much more we can do together. I definitely believe that government and private sector need to work with and support each other and we each have something to bring to the table. So yes, I think it will and must continue in the future but I would like to see us resolve the issues that have plagued the partnership since almost inception and prevent us from being true partners.

“Formed in 2003, the NCI today comprises 24 organizations. It is a coordinating body designed to maximize information flow across the private sector critical infrastructures and with government.” [3]

Q: President Trump’s Administration, and some key leadership, like the DHS National Protection and Programs Directorate (NPPD) Undersecretary for the Office of Infrastructure Protection and the Assistant Secretary Office of Cybersecurity and Communications, have been in place for around a year now (be it in varying roles), but we have a still relatively new DHS Secretary, no permanent Assistant Secretary for the Office of Infrastructure Protection, and some ongoing changes at the FBI. If you were offering some ideas for your US Government partners in relation to ISACs, any words of wisdom come to mind?

A: One of our biggest challenges with our government partners is dealing with staff turnover in government agencies. This forces ISACs to constantly re-educate staff on the importance of ISACs and their role in critical infrastructure protection and resilience as well as rebuild relationships developed over time. There needs to be some codified process for turnover so that the work done over the years is not lost, particularly if there is an incident or attack taking place.

On another note, a big challenge for ISACs is educating industry and government that ISACs exist and have a lot to offer. Having the support of government would be a huge help in this area. Government can encourage industry and stakeholders to join their appropriate ISACs as a good best practice, and ideally can offer tax incentives to encourage membership in ISACs.

Q: Any final thoughts you’d like to share?

A: I think Pink Floyd says it best when they say, “Together we stand, divided we fall.” Cyber and Physical security should not be competitive or liability concerns. Sometimes we are our own worst enemy and we come up with excuses for why we can’t share or work together. We need to eliminate the excuses and realize we are a team and that we are all in this together.

“Pink Floyd says it best when they say, ‘Together we stand, divided we fall.’ Cyber and Physical security should not be competitive or liability concerns… We need to eliminate the excuses and realize we are a team and that we are all in this together.” – NH-ISAC President, Denise Anderson

Denise, it is really amazing to see what NH-ISAC has been doing under your leadership and the way you are engaging on these and other key issues domestically and increasingly with international partners. Thank you for your time and more, thank you for your leadership – not just in the healthcare community, but across critical infrastructure and in private-public partnership. Your hard work and dedication are truly commendable and very much appreciated!

[1] National Preparedness Goal

[2] National Infrastructure Protection Plan (NIPP)

[3] National Council of ISACs website, accessed 01 Feb 2018

About Denise Anderson: “Denise Anderson is President of the National Health Information Sharing and Analysis Center (NH-ISAC). Prior to NH-ISAC, she was a Vice President of FS-ISAC where for almost nine years she helped the ISAC grow and achieve its successful status in the information sharing community. She has over 25 years of executive management level experience in the private sector. Denise currently serves as Chair of the National Council of ISACs (NCI). She was instrumental in implementing a CI/KR industry initiative to establish a private sector liaison seat at the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector, CI/KR community and the federal government and serves as one of the liaisons. She is a health sector representative to the National Cybersecurity and Communications Integration Center (NCCIC) — a Department of Homeland Security-led coordinated watch and warning center that improves national efforts to address threats and incidents affecting the nation’s critical information technology and cyber infrastructure.” Read more about Denise and the NH-ISAC Board.

About NH-ISAC: “NH-ISAC is a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector (HPH). The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, incidents and vulnerabilities that can include data such as indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur via machine to machine or human to human. NH-ISAC also fosters the building of relationships and networking through a number of educational events in order to facilitate trust. Working groups and committees focus on topics and activities of importance to the sector and services such as CYBERFIT® offer enhanced services to leverage the NH-ISAC community for the benefit of all. NH-ISAC’s mission is to enable and preserve the public trust by advancing the global health sector’s cyber and physical security protection and resilience as well as enabling the ability to prepare for and respond to cyber and physical threats and vulnerabilities.” Read more.