HHS cybersecurity leader describes the active threats on agency's radar
BOSTON – At the HIMSS Healthcare Security Forum on Monday morning, Greg Singleton, director of the Health Sector Cybersecurity Coordination Center at the U.S. Department of Health and Human Services, described how HC3 sees the current threat landscape – and explained how HHS can help the private sector manage myriad cyber risks.
Singleton acknowledged that some folks in attendance might be wondering what the government is doing at an event like this one.
"You regulate us. Why would I talk with you?" he said, imagining the question of a provider-side attendee.
But Singleton had handy a bit of regulatory language, U.S. Code 6 U.S.C. subsection 1501(3), which holds that "any non-federal organization that shares cyber threat indicators with an appropriate federal entity is deemed voluntary data sharing."
That shared information cannot be further shared for specific regulatory purposes, he explained – meaning that HC3 would not report any vulnerability information shared with it by a private-sector health system to the Office for Civil Rights.
"Voluntary information sharing is separate and apart from regulatory information sharing," said Singleton.
Indeed, HC3 is dependent on robust threat intelligence sharing as it works on "building a bi-directional network of private sector entities for continuous sharing and refinement of data," he said.
HC3's mission statement: "To support the defense of the healthcare and public health sector’s information technology infrastructure by strengthening coordination and information sharing within the sector and by cultivating cybersecurity resilience, regardless of organizations’ technical capacity."
It works toward this goal, Singleton said, by pursuing trust building, engagement and robust defense. In 2019 alone, it has published a series of white papers and intelligence briefs on telehealth cybersecurity, AI threats, the dark web PHI marketplace, supply chain risk management and more.
Singleton likened it to a "neighborhood watch" tasked with keeping an eye out for the data security and technological integrity of a healthcare sector that happens to account for 18 percent of U.S. gross domestic product.
Among just some of its success stories: help with a multi-agency engagement that led to the arrest of a suspect charged with "knowingly causing the transmission of a program, information, code and command, and as a result of such conduct, intentionally causing damage to a protected computer."
In another case, HHS security teams identified infected network traffic from the website of a surgeon that was trying to communicate with the agency; unbeknownst to this physician, the website was attempting to propagate TrickBot malware onto the computers that connected to it. HC3 worked with the HHS Office of Inspector General to let the surgeon know that their site had been hacked.
(Singleton says HC3 broke the news gently and non-confrontationally: "You don't know it, we're not mad at you, but your website has an issue and we'd really appreciate it if you take care of it.")
In still another instance, a partner organization noticed an entity’s master login credentials being sold on the dark web and reached out to HHS to let them know. Within four hours of informing HC3, said Singleton, his group had helped notify the CIO and security teams for that organization, who were able to stop an imminent cyber attack.
Active threats on radar
As part of its work shoring up the defenses of U.S. health networks, HC3 keeps tabs on the emerging vulnerabilities vexing security teams, and Singleton described for HSF attendees some of the active threats it's currently tracking:
- Virtual private network vulnerabilities. Security researchers have identified vulnerabilities in enterprise-grade VPN products from Palo Alto Networks (GlobalProtect), Pulse Secure (Pulse Connect Secure and Pulse Policy Secure) and Fortinet (FortiGate), said Singleton. "Since the announcement, updates were released to mitigate the vulnerabilities for these VPN products," he said, but bad actors continue to target vulnerable devices. He noted that "we have seen bad actors continuing to attack unpatched systems and looking to post holes in others."
- The Blues. Singleton pointed to three ongoing vulnerabilities affecting Windows services: BlueKeep (affects Windows 7, Server 2008, Server 2003, XP and embedded variants), DejaBlue (Windows 7 SP1, Server 2008 R2 SP1, Server 2012, 8.1, Server 2012 R2 and all supported versions of Windows 10) and EternalBlue (older versions of the Windows SMB file-sharing service). He noted that researchers have found roughly 68,000 machines in the U.S. remain unpatched for BlueKeep, while worldwide more than 1,000,000 RDP connections still remain unpatched. As for mitigation, the advice is unsurprising: patches and updates, disable RDP, block RDP ports, network segmentation.
- Urgent/11. As we've shown here, this set of vulnerabilities could impact the real-time operating systems used in devices such as MRI machines, firewalls and printers – there are more than 2 billion such RTOS devices worldwide. "VxWorks is among the most widely used OS for these devices," Singleton explained, and there are 11 vulnerabilities in the underlying network software used by VxWorks devices. "As a group, URGENT/11 affect VxWorks’ versions 6.5 and above, or all versions since 2006," he said, and pose "significant risk to VxWorks connected devices currently in use." Possible protections: patching, exploit detection, network segmentation.
- PACS and DICOM imaging servers. Right now there are roughly 200 open and exposed imaging systems and devices hosting millions of patient records and personally identifiable information, said Singleton. And many hospitals may not realize they have them.
"Understand your environment and make sure you don't have something that's inadvertently exposed that could pose a risk," he said.
In the meantime, it's also key for healthcare organizations to get more comfortable with communicating and sharing information with groups such as HC3, enlisting them as a valuable ally in their cybersecurity battles.
"It's important that people reach out," he said. "We can do good stuff together."