Cybersecurity and Hospitals

Four Questions Every Hospital Leader Should Ask in Order to Prepare for and Manage Cybersecurity Risks This resource was prepared exclusively for American Hospital Association members by Mary Ellen Callahan of Jenner & Block.

©2013 American Hospital Association Introduction need to have an awareness of cybersecurity risks, as well as a clear understanding of what their cybersecurity responsibilities are (and how they might intersect with other statutory and regulatory Cybersecurity has been a hot topic, both within requirements). This paper provides an overview the government and the private sector, for several of what cybersecurity is and addresses four ques- years. However, the issue recently has taken on tions that hospital leaders should consider when even greater prominence. Many organizations, thinking about cybersecurity and how it impacts from private media companies to the U.S. Depart- their organization: ment of Defense, recently disclosed cybersecurity (1)  intrusions. Private sector chief executive officers Why should hospitals and hospital leaders (CEOs) and general counsels have consistently care about cybersecurity? identified cybersecurity threats as one of their (2) What should hospitals do in response to the top concerns.1 And in February 2013, President 2013 Executive Order on Cybersecurity? Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity with the goal (3) How can hospitals best protect their assets of improving cybersecurity and reducing cyber and manage cybersecurity risks? threats to the nation’s “critical infrastructure sec- (4)  tors,” including the Healthcare and Public Health What are the roles of hospital leadership Sector. Despite the attention cybersecurity has and how can leadership stay informed received, not everyone knows what cybersecurity about cybersecurity threats to the hospital? is or what it really means for American businesses, This paper is intended to make the cybersecurity particularly for those in the critical infrastructure issues specifically facing hospitals concrete, iden- sectors referenced in the president’s executive tifiable and actionable. It includes an appendix order.2 that provides an overview of the 2013 Executive Hospitals and health care organizations fall into Order on Cybersecurity and a glossary of the the Healthcare and Public Health Critical Infra- cybersecurity terms used in general discussions structure Sector under federal law and policy; the of cybersecurity and in this paper. executive order uses the same critical infrastruc- ture classifications when identifying the potential impact on the U.S. economy by cybersecurity threats. In other words, the executive order and other government policies collectively identify hospitals’ systems and assets as so vital to the U.S. that their impairment would severely threaten public health and safety.3 As a result, hospitals

1 I. Why should hospitals and hospital leaders care about cybersecurity?

Cybersecurity vulnerabilities and in the attached glossary. Whatever the cause intrusions pose risks for every of the intrusion, the reputational, structural and, potentially, financial impacts for a hospital may be hospital and its reputation. the same. Industrial espionage intrusions against The expanded use of networked technology, hospitals, for example, have resulted in the theft Internet-enabled medical devices and electronic of information about innovations in medical databases in administrative, financial and clini- technology, including system documentation, cal arenas not only brings important benefits for beta and pilot testing reports, and research notes. care delivery and organizational efficiency, it also Other cyber criminals, whether part of crimi- increases exposure to possible cybersecurity nal organizations or acting independently, have threats. Many medical devices and other hospital attempted to penetrate hospitals and health care assets now access the Internet – both in encrypted companies to steal employee data and personally and unencrypted fashion. Billing systems use identifiable information and PHI of patients to sell electronic transfers, medical devices upload vital in online black markets. There even exists the statistics in real time to electronic health records, threat of cyber terrorism against a hospital, which hospitals allow patients and visitors access to might include attempts to disable medical devic- hospital WiFi as a courtesy, patients are being es and other systems needed for the provision of provided access to protected health information health care. (PHI) via authentication on the Internet – all of The Food and Drug Administration (FDA) recently these are important and vital aspects of a modern acknowledged this medical device vulnerability hospital ecosystem. In addition, email systems are when it issued an alert and draft guidance rec- subject to common threats like “spear-phishing.” ommending that medical device manufacturers The number of cyber attacks on American assets and health care facilities take measures to protect has been increasing, particularly in the critical against cybersecurity intrusions that could com- 4 infrastructure sectors such as information tech- promise device performance and patient safety. nology and communications. Although not as This could take the form of a direct attack or could prominently discussed in the media, attacks be used to multiply the impact of more convention- against the Healthcare and Public Health Sector al types of terrorism that result in mass casualties. also are increasing. There are several different Members of the Healthcare and Public Health types and causes of cybersecurity threats, the Sector to some extent already have a unique per- names and descriptions of which can be found

2 spective on data security because of the security which recommends that publicly traded com- requirements of the Health Insurance Portability panies disclose to the public both cybersecurity and Accountability Act (HIPAA) and the Health vulnerabilities and intrusions.6 Prior to the SEC’s Information Technology for Economic and Clinical release of this guidance, even companies without Health Act (HITECH). These laws not only require HITECH reporting requirements often would pub- hospitals and other health care organization to licly disclose a data breach after it had occurred; keep patient PHI secure, but also include data but companies were less consistent about report- breach notification requirements, which mandate ing a cybersecurity vulnerability in the absence breaches be reported to the Department of Health of a data breach or intrusion. The SEC is revis- and Human Services (HHS). iting whether the 2011 guidance is sufficient. Of particular note, during the two and a half years But cybersecurity encompasses much more than following the initial SEC guidance, agency staff what is required by these laws. Notably, cyberse- contacted several companies that had not dis- curity intrusions are not limited to data breaches closed adequately (in staff’s opinion) cyberse- involving PHI. Rather, as noted above, the intent curity vulnerabilities or intrusions. In light of this of the intrusion may be to seek information about fact and the heightened interest in cybersecurity, medical innovations or technologies or may seek publicly traded hospitals should consider whether to harm patients by remotely disabling or modi- to make any disclosures in their SEC filings con- fying medical devices. Indeed, certain “hacktiv- cerning cybersecurity vulnerabilities and breach- ists” may seek to disrupt a hospital’s network or es, in addition to notifying HHS, as appropriate, systems merely for their own personal or political when there is a data breach involving PHI. reasons. As a result, the hospital’s cybersecurity investigation and incident response plan, dis- In short, every hospital should care about cyber- cussed in more detail below, should be developed security. As hospitals benefit from networked broadly to protect all of a hospital’s assets and technology and greater connectivity, they also devices. must ensure that they evaluate and manage new risks. Taking steps to improve the security of In addition to HIPAA and HITECH, hospitals also each device and the ecosystem, such as docu- need to keep in mind additional recommenda- menting the way the devices interact with each tions and guidance. For example, the Centers other and raising the audit trail capability of the for Medicare & Medicaid Services (CMS) has hospital infrastructure, can mitigate the threat to provided a series of information security policies the hospital’s overall infrastructure and reduce 5 for hospitals and is expected to update those cybersecurity risks. policies to expressly include cybersecurity recom- mendations. Moreover, publicly traded hospitals should keep in mind the Securities and Exchange Commission’s (SEC) October 2011 guidance,

3 II. What should hospitals do in response to the 2013 Executive Order on Cybersecurity?

In response to the president’s When completed early next year, the Cyberse- Executive Order on Cybersecurity curity Framework will be voluntary for critical infrastructure-sector organizations such as hos- (and as a corporate best prac- pitals; for federal departments and agencies, in tice), hospitals should develop contrast, it will be required. Importantly, although a cybersecurity investigation the framework is designated as “voluntary” for private-sector owners and operators of critical and incident response plan or infrastructure, hospitals should anticipate that review their existing plans. the framework will likely be considered a de facto baseline for general cybersecurity compliance. Ideally, the plan should be based at least in part Significant non-conformity with the framework, on the framework that the National Institute of therefore, may increase the likelihood of litigation Standards and Technologies (NIST) is drafting. and enforcement risk. The executive order instructs the director of the National Institute of Standards and Technology The executive order also directs the creation of (NIST) of the Department of Commerce to finalize a “Voluntary Critical Infrastructure Cybersecurity by Feb. 12, 2014, a “Cybersecurity Framework” Program,” which will provide incentives for pri- to help owners and operators of critical infrastruc- vate-sector organizations to adopt the framework. ture identify, assess and manage the risk of cyber Owners and operators of critical infrastructure, threats. such as hospitals who participate in the Voluntary Critical Infrastructure Cybersecurity Program, The framework will include general standards will be responsible for identifying, assessing and and considerations for all entities establishing managing their cyber risks in accordance with the cybersecurity plans. As a result, the standards standards set out in the Cybersecurity Framework and considerations in the framework will need to under development. Because the framework will be fine-tuned for hospital-specific requirements, provide participants with flexible baseline stan- such as incorporating accountability for medi- dards for addressing cyber risks, rather than a cal devices. NIST has been conducting public comprehensive list of requirements, hospitals par- outreach on a draft Cybersecurity Framework, ticipating in the program will need to determine including town halls and working sessions. how best to implement the standards through

4 concrete internal rules and protocols tailored for their specific organization. Top Six Actions to Hospitals also should consider engaging in regional or national information-sharing organi- Manage Hospital zations such as the Healthcare and Public Health Sector Coordinating Council (HPH SCC),7 the Cybersecurity Risks National Health Information Sharing and Analysis 1. Establish procedures and a core cybersecurity Center (NH-ISAC)8 and the Health Information team to identify and mitigate risks, including Trust Alliance (HITRUST).9 As appropriate, hos- board involvement as appropriate. pitals also can consider having a representa- tive regularly attend local and state emergency 2. Develop a cybersecurity investigation and planning committees to provide awareness and incident response plan that is mindful of the continuing education of the evolving threats. Cybersecurity Framework being drafted by the Hospitals’ participation is consistent with the National Institute of Standards and Technology. executive order’s emphasis on the importance of 3. information sharing. Investigate the medical devices used by the hospital in accordance with the June 2013 FDA The focus of the executive order largely is on guidance to ensure that the devices include intra-government activities, such as how feder- intrusion detection and prevention assistance al government departments and agencies can and are not currently infected with malware. improve internal cybersecurity infrastructure and 4. sharing classified and unclassified information Review, test, evaluate and modify, as appro- with each other, and with organizations in critical priate, the hospital’s incident response plans infrastructure sectors. However, the executive and data breach plans to ensure that the plans order and the accompanying Presidential Policy remain as current as possible in the changing Directive 21 also designate specific federal agen- cyber threat environment. cies, referred to as “Sector-Specific Agencies,” 5. Consider engaging in regional or national to coordinate cybersecurity efforts within each information-sharing organizations to learn more critical infrastructure sector and to share informa- about the cybersecurity risks faced by hospitals. tion about cybersecurity threats with the owners and operators within the sectors. HHS is the 6. Review the hospital’s insurance coverage to Sector-Specific Agency directed to work with and determine whether the current coverage is provide guidance to hospitals and health care adequate and appropriate given cybersecurity organizations, as part of the Healthcare and Public risks. Health Sector (see Appendix for brief overview of the executive order and the related Presidential Policy Directive 21).

5 III. How can hospitals best protect their assets and manage cybersecurity risks?

Cybersecurity is not an abso- Specifically, hospitals should: lute, immobile standard – it is • Create a hospital-wide cybersecurity an evolving one that changes investigation and incident response plan. with the newest threats and This will be similar to the HITECH plan you likely already have in place for any data vulnerabilities. breach involving patients’ PHI. In fact, you A hospital’s cybersecurity plan, therefore, must be can incorporate many of the elements from just as flexible and resilient in the face of multi- your data breach plan into your cybersecurity pronged cybersecurity threats. The inter-con- plan. In addition to those elements, however, nectivity of hospital assets and services, and the the cybersecurity investigation and incident information security infrastructure, have created response plan should address other elements, a constantly evolving network with ever-changing including system-wide impacts, responding to threats and vulnerabilities to discover, evaluate spear-phishing or penetration attacks, auditing and manage. A resourceful and resilient hospital log files and other records, and identifying will prepare for these risks as it does the other all exfiltrated data and inappropriate access, risks it faces – with planning, testing and response. regardless of whether the breach involves patients’ PHI. One key to managing cybersecurity risks is to make cybersecurity part of the hospital’s overall • Evaluate and document the medical devices governance, risk management and business con- that use WiFi/Internet services to transmit tinuity framework. For example, a hospital may PHI and ensure they are secure. As the FDA want to integrate the cybersecurity investigation recommended in June 2013, medical devices and incident response plan into its overall all-haz- should be investigated to determine whether ards emergency operations plan and ensure that they have intrusion detection and prevention staff are informed about cybersecurity and their assistance on them or whether malware already roles in mitigating risks. Given already-existing exists on hospital assets including computers, robust statutory and industry standards, cyberse- tablets and databases. In addition, hospitals curity should be viewed not as a novel issue but should consider how best to ensure critical as an additional hazard that should be taken into functionality of medical devices in the event account in the hospital’s inclusive hazards vulner- of a cyber attack and how to restrict unautho- ability analysis. rized access to the hospital’s network through

6 networked medical devices. In addition, and are limited only to issues that are not already laboratory systems and networks, hospital addressed by HIPAA and HITECH. Sector- and treatment center information systems, Specific Agencies, including HHS, are required department–specific information systems, to coordinate with the Sector Coordinating patient databases, hardware components Councils (such as the Healthcare and Public and software should all be part of the hospi- Health Sector Coordinating Council) to review tal’s cybersecurity investigation and incident the Cybersecurity Framework and, if necessary, response plan. develop implementation guidance or supplemental materials to address sector-specific risks and • Periodically test the plan response and pro- operating environments. Hospitals, among the cesses both theoretically and as a table-top other sector participants, may be in a unique exercise. The hospital also should adopt a position to describe the threats and vulnerabilities proactive approach to identifying and investi- that they face every day with respect to gating incidents, even when they appear minor. cybersecurity. The required coordination provides Although an incident may be determined not a perfect opportunity for hospitals to ensure to be a cybersecurity incident, the more train- that HHS addresses all the known threats and ing and familiarity hospital staff have with the narrowly tailors any additional recommendations processes, the more smoothly the response or requirements on hospitals to those that are not will go, if and when there is a cybersecurity otherwise covered by law. intrusion.

• Develop an information sharing process (after consultation with cybersecurity or antitrust counsel) for sharing cybersecurity incidents with the regional or national information-sharing organizations with whom your hospital participates.

With respect to the Cybersecurity Framework under which hospitals and other critical infrastructure sectors will soon be operating, hospitals should work through their associations (including the AHA or state hospital associations) to design a strategy to collaborate with HHS to ensure any sector-specific rules both cover each threat or vulnerability that needs to be covered

7 IV. What are the roles of hospital leadership and how can leadership stay informed about cybersecurity threats to the hospital?

Another benefit of incorporating The hospital’s CEO should have regularly cybersecurity risk into the hos- scheduled meetings with the chief information pital’s overall governance, risk officer (CIO) and/or other members of the hospital’s cybersecurity team. This team may management and business con- include the CIO, who generally has responsibility tinuity framework is that hospital for the information technology and computer leadership will stay informed systems that support enterprise goals, including information security; the chief technology about cybersecurity threats to officer, who generally oversees the development the hospital and its assets. and integration of new technologies, a chief information security officer, who often reports Much of the cybersecurity plan will fit into the to the CIO or chief operating officer and whose leadership and management rubric already in responsibilities include developing a strategy and place at the hospital. For example, the hospital approach to protect hospital electronic assets, board should be briefed periodically on the cyber- including medical devices;10 a chief security security threats and responses, with cybersecurity officer with responsibilities for physical security assigned to the relevant committee of the board at the hospital; and leaders of the clinical team. for more detailed oversight and governance. The These meetings may cover development of and cybersecurity investigation and incident response compliance with the cybersecurity investigation plan should be shared with the board commit- and incident response plan, the results of any tee, and periodic review should be scheduled. If table-top exercises performed by the hospital there is a cybersecurity intrusion, particularly one staff, and the evolving nature of the threats, of significant magnitude, the board or oversight vulnerabilities and risks that the hospital faces. committee should be briefed on any “lessons learned,” as well as proposed plan modifications, In addition to the core cybersecurity team, the with appropriate follow up. The board’s audit hospital’s legal department, human resources de- committee also should have insight and oversight partment and training staff should have an active into cybersecurity vulnerabilities and potential role in developing and implementing the cyber- exposures (such as insurance coverage). security investigation and incident response plan.

8 While the cybersecurity investigation and in- Endnotes cident response plan is being developed, the team also should review information security 1 See, e.g., June 17 interview with Honeywell CEO David Cote, policies and procedures generally as part of “[cybersecurity] is the one that scares me the most”; in the 2012 the all-hazards emergency operations plan. Consero survey of private sector general counsels, 28% of companies The hospital’s general counsel or insurance had experienced a cybersecurity breach over the last 12 months, and counsel also should review its insurance 30% did not believe they were prepared for a cybersecurity incident. coverage to plan and evaluate its cybersecu- http://consero.com/2012-general-counsel-data-survey/ rity risk profile, to determine what insurance 2 “Critical Infrastructure” was first codified in the U.S. in 1996, and then coverage is available and appropriate. There added in the USA Patriot Act in 2011; the 16 sectors are listed at: are a wide range of coverage options available http://www.dhs.gov/critical-infrastructure-sectors for cybersecurity vulnerabilities and incidents, 3 The Executive Order defines “critical infrastructure” as “systems and including new cyber risk policy forms. assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

4 FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, (June 13, 2013) available at: http://www.fda.gov/ medicaldevices/safety/alertsandnotices/ucm356423.htm. In conjunc- tion with the FDA’s alert, the U.S. Department of Homeland Security issued a separate alert warning that an estimated 300 medical devices from 40 vendors could be vulnerable to hacking and that “the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.”

5 https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS- Information-Technology/InformationSecurity/Downloads/IS_Policy-.pdf.

6 http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

7 http://www.dhs.gov/xlibrary/assets/nppd/nppd-ip-healthcare-and- public-health-snapshot-2011.pdf

8 http://www.nhisac.org/nh-isac/

9 http://www.hitrustalliance.net/

10 The incorporation of a chief information security officer (CISO) into hospital leadership is a recent trend among larger hospitals that demonstrates the need for integrating specialists addressing information security and cybersecurity. If the hospital has a CISO, he/she will be essential to the cybersecurity team.

9 Appendix 1) Information Sharing To improve information sharing among February 12, 2013 Executive Order on Cyber government agencies and the owners and Security Summary and Presidential Policy operators of critical infrastructure, the executive Directive 21 order directs the Attorney General, Secretary of the Department of Homeland Security (DHS) and the Director of National Intelligence to establish On Feb. 12, 2013, President Barack Obama a process for declassifying information about issued an executive order titled, “Improving Crit- cyber threats and disseminating it quickly to the ical Infrastructure Cybersecurity.” Although the appropriate stakeholders, including hospitals. executive order lacks the force of law (such as On the same day the president issued the ex- that of a statute enacted by Congress or a formal ecutive order, he also signed Presidential Pol- regulation issued by a government agency), it icy Directive 21, Critical Infrastructure Security makes substantial advancements to the nation’s and Resilience. The directive aims to improve cybersecurity monitoring and response systems. information sharing and responses regarding In general, the executive order gives four cybersecurity threats. The directive defines 16 directives to federal agencies to protect the nation’s “critical infrastructure” from cyber threats: 1) facilitate increased and improved Presidential Policy Directive-21 identifies 16 critical sharing of cybersecurity information among infrastructure sectors: federal agencies and the owners and operators • Chemical of critical infrastructure (which includes hospitals • Commercial Facilities and other health care organizations); 2) establish • Communications a framework to reduce the risk of cyber threats; • Critical Manufacturing 3) identify the nation’s critical infrastructure most • Dams at risk for cyber attacks; and 4) allow Sector- • Defense Industrial Base Specific Agencies to establish voluntary Critical • Emergency Services Infrastructure Cybersecurity Programs. The • Energy executive order defines “critical infrastructure” as • Financial Services “systems and assets, whether physical or virtual, • Food and Agriculture so vital to the United States that the incapacity • Government Facilities or destruction of such systems and assets would • Healthcare and Public Health have a debilitating impact on security, national • Information Technology economic security, national public health or • Nuclear Reactors, Materials and Waste safety, or any combination of those matters.” • Transportation Systems • Water and Wastewater Systems

10 “Critical Infrastructure Sectors” and assigns each 3) Identify the Most Critical Infrastructure sector a “Sector-Specific Agency.” For health The executive order also directs DHS to care and public health, the Department of Health identify at-risk critical infrastructure “where a and Human Services (HHS) is the Sector-Specific cybersecurity incident could reasonably result in Agency. catastrophic regional or national effects on public The information-sharing entities created by the health or safety, economic security or national directive are examples of Information Security and security.” DHS will then notify the owners and Analysis Centers (ISACs). These entities, which operators of that infrastructure confidentially and already exist at various levels of government and will provide them with relevant information on among private industries, are created by a group cybersecurity risks. of members, such as a group of corporations with similar data and cybersecurity needs 4) Voluntary Critical Infrastructure and challenges, to facilitate collaboration in Cybersecurity Program responding to cybersecurity threats. Sector-Specific Agencies, including HHS, 2) The Cybersecurity Framework are required to coordinate with the Sector Coordinating Councils (such as the Healthcare The executive order also instructs the and Public Health Sector Coordinating Council) director of the National Institute of Standards to review the Cybersecurity Framework and, if and Technology (NIST) of the Department necessary, develop implementation guidance or of Commerce to create a “Cybersecurity supplemental materials to address sector-specific Framework” to help owners and operators of risks and operating environments. Participation critical infrastructure identify, assess and manage in the program will be voluntary; the executive the risk of cyber threats. The framework will order directs the secretaries of DHS, Treasury consist of various policies and procedures for and Commerce (but not HHS) to determine what addressing cyber risks based on voluntary incentives will be provided to participants within consensus standards and industry practices. the critical infrastructure sectors. NIST has been conducting public outreach on a draft Cybersecurity Framework, including town halls and working sessions. NIST is required by the executive order to finalize the framework by Feb. 12, 2014.

11 Expectations of Owners and Operators of Critical Infrastructure under the Executive Order

The executive order directs the creation of a Cybersecurity Framework, in part, to provide owners and operators of critical infrastructure with guidance on how to identify and address cyber risks. Although the framework will not be binding on private-sector companies, it will aim to reflect industry standards and best practices as much as possible. The executive order also directs the creation of a Voluntary Critical Infra- structure Cybersecurity Program, which will pro- vide incentives for private-sector organizations to adopt the framework. Owners and operators of critical infrastructure such as hospitals that participate in the Voluntary Critical Infrastructure Cybersecurity Program will be responsible for identifying, assessing and managing their cyber risks in accordance with the standards set out in the Cybersecurity Framework. Because the framework will provide participants with flexible baseline standards for addressing cyber risks, rather than a comprehensive list of requirements, hospitals participating in the program will need to determine how to implement the standards through concrete internal rules and protocols.

12 Glossary of Key Cybersecurity Terms

What is “cybersecurity,” or a “cyber attack”? as “advanced” and “persistent” because the large resources and sophistication of To understand the scope and effects of the the attackers allow the attacks to take a executive order, one must be familiar with several variety of forms over an extended period key cybersecurity terms: of time.

• Cybersecurity: A broad term that is frequent- - Organized Cyber Crime: A cyber attack ly used but infrequently defined; in general, perpetrated by a criminal organization “cybersecurity” refers to a set of standards in order to defraud or steal from victims. and practices employed to prevent unwanted Such attacks often take the form of large- intrusions into computer systems, sometimes scale efforts to steal financial or other referred to as “cyber attacks.” The executive sensitive information from individuals or order does not define these terms, but uses from large organizations such as banks them repeatedly. Cybersecurity can be seen and retailers. as the “process of preventing unauthorized modification, misuse or denial of use, or the - Individual Interests: A cyber attack unauthorized use of information that is stored, perpetrated by small groups or individu- accessed, or transferred from a medical de- als, such as “hacktivists” or a disgruntled vice to an external recipient” (FDA definition, former employee. June 2013 Alert).

• Cyber Attack (or “cybersecurity threat”): Other Key Cybersecurity Terms Another common term that is often left unde- fined in the cybersecurity literature; the most • Critical Infrastructure: Defined in the exec- useful way to understand a cyber attack is utive order as “systems and assets, whether to consider the three general forms of cyber physical or virtual, so vital to the United States attacks: that the incapacity or destruction of such - Advanced, Persistent Threats: A cyber systems and assets would have a debilitating attack perpetrated or facilitated by a impact on security, national economic secu- foreign government (or sometimes other rity, national public health or safety, or any sophisticated organizations) against the combination of those matters.” Directive 21 government or industry of another na- identifies “Healthcare and Public Health” as a tion, typically for geopolitical or strategic Critical Infrastructure Sector. reasons. Such attacks are referred to

13 • Critical Infrastructure Partnership Advisory • Cybersecurity Vulnerability (also known Council (CIPAC): An entity of DHS responsible as Cybersecurity Risks): Weakness or flaws for facilitating coordination between federal, in information security systems and system state, local and tribal governments, and the architecture. private sector, to protect critical infrastructure. Among the membership of CIPAC are the • Distributed Denial of Service (DDoS) Attack: members of each of the 16 critical infrastruc- A type of cyber attack in which the attacker ture sectors, including the Healthcare and overwhelms the resources of the targeted Public Health Sector Coordinating Council. computer system in order to prevent others The executive order instructs the director of from using the system normally (for example, DHS to consider the advice of the CIPAC in by flooding a website with excessive visits un- coordinating public-private partnerships to til it crashes and cannot accept new visitors). manage cybersecurity risk. CIPAC will have a • Exfiltration: Sometimes referred to as “extru- primary coordinating role in the Voluntary sion,” the unauthorized removal of data from a Critical Infrastructure Cybersecurity Program. computer system.

• Cybersecurity Investigation and Incident • Exploitation: The use of a software program Response Plan: Such a plan will identify or other piece of computer code to take steps to investigate, ameliorate, remedy and advantage of a vulnerability in a computer respond to cybersecurity intrusions. This plan system, typically in order to disrupt or prevent will incorporate hospitals’ data breach plan normal use of that system. The software pro- under the Health Information Technology for gram or code used in such an attack is often Economic and Clinical Health Act (HITECH), referred to as an “exploit.” but will need to address other elements such as system-wide impacts, spear-phishing or • Healthcare and Public Health Sector penetration, auditing log files and other records, Coordinating Council (HPH SCC): Orga- and identifying exfiltration and inappropriate nization established by HHS that comprises access, even if it is not related to protected six sub-councils representing private sector health information (PHI). industries and interest areas within the sector. The six sub-councils represent many health- • Cybersecurity Intrusion (also known as care sectors including direct health care, Cybersecurity Incident): An unauthorized health information and medical technology, access to computer systems, databases health plans and payers, mass fatality man- or electronic files. Intrusions can be accom- agement, medical materials, and pharmaceuti- plished by spear-phishing. cals, laboratories and blood banks. The SCC is a self-governing body that provides a forum for the private sector to discuss infrastructure protection issues and communicate with

14 government. The SCC, along with the Gov- • Malware: A general term for a malicious soft- ernment Coordinating Council (GCC), which ware program (including a computer virus, a includes representatives from all levels of gov- worm, spyware, adware, etc.) used to disrupt ernment, has created a variety of work groups the normal operation of a computer system or including work groups related to information to exfilrate information from that system. sharing and cybersecurity. • Phishing: A type of cyber attack that seeks to • Honey Pot: A “trap” used to detect and thwart install malware and gain access to corporate cyber attacks, typically in the form of a com- computer systems by posing as a familiar or puter system or website that appears to be otherwise trustworthy website or entity: part of a particular network but which is actu- ally isolated and monitored. Certain sophisti- - Spear-Phishing: A type of phishing that is cated types of honey pots can be used to gain targeted at a specific individual. Perpetra- information about the motives and tactics of tors may first gather personal information perpetrators of cyber attacks. about the target, such as what websites the individual frequents or which bank he • Insider Threat: An attack on a computer sys- or she uses, in order to make the decep- tem perpetrated by someone on the “inside” of tion more believable and increase the an organization—often an employee or former chance of success. employee, or independent contractor—who may possess confidential information about - Whale-Phishing: A spear-phishing attack the organization’s data security and manage- directed at a high-profile individual, such ment systems which facilitates the exploitation as a senior corporate executive. of proprietary systems. - Smishing: A combination of SMS texting • Information Security and Analysis Centers and phishing (ISACs): Associations of various member - Vishing: Voice and phishing entities, including government agencies and private corporations, with similar or related • United States Computer Emergency Read- cybersecurity needs and challenges, formed iness Team (US-CERT or CERT): An entity to facilitate collaboration in identifying and within DHS responsible for coordinating infor- responding to cybersecurity threats. ISACs, mation sharing and responses to cyber threats. such as the National Health ISAC (NH-ISAC), CERT regularly issues alerts and bulletins typically serve as public-private partnerships regarding current cyber threats and provides between federal, state and local governments recommendations for addressing those threats. and a particular private industry sector. The partnerships identified in Directive 21 between the Critical Infrastructure Sectors and their corresponding Sector-Specific Agencies are examples of ISACs.

15 Chicago Office: 155 N. Wacker Drive Chicago, Illinois 60606 312.422.3000

Washington Office: 325 7th Street, N.W. Washington, DC 20004 202.638.1100 www.aha.org/cybersecurity

9/2013