U.S. Department of Homeland Security Cyber Tabletop Exercise for the Healthcare Industry
[Organization Represented] [Exercise Date] [Presenter's Name]
Healthcare Industry Exercise Sensitive
Operational Security (OPSEC)
This briefing contains exercise, operational, and potentially business-sensitive material which, while not classified, should be safeguarded as deemed appropriate.
Agenda
0830 – 0900 Welcome and Introductions
0900 – 0930 Vignette I
0930 – 1005 Vignette II
1005 – 1020 Break (at Facilitator discretion)
1020 – 1055 Vignette III
1055 – 1130 Vignette IV
1130 – 1200 Hot Wash / Closing Comments
Exercise Purpose
The purpose of this tabletop exercise (TTX) is to create an opportunity for stakeholders within the Healthcare and Public Health critical infrastructure sector to enhance their understanding of key issues associated with a focused cyber attack, including coordination and information sharing among private entities and government agencies in response to such an attack.
Exercise Scope
This exercise focuses on incident response at a healthcare facility, and on coordination with other internal and external entities, in response to a potential cyber attack. The intent is to improve the overall cyber response posture and collective decision-making processes. It is designed to be an open, thought-provoking exchange of ideas to help develop and expand existing knowledge of policies and procedures within the framework of cyber incident response. It is not a test of detailed response procedures; rather, it emphasizes cyber and physical response coordination, resource integration, and problem identification and resolution during the event.
Exercise Objectives
Explore inter-organizational information sharing and collaboration mechanisms within the Healthcare and Public Health sector during a cyber incident.
Improve the understanding of the potential impacts and cascading effects that cyber intrusions can have within the Healthcare and Public Health sector.
Examine organizational cyber incident response policies, plans, and protocols, and identify potential gaps.
[Insert additional facility-specific objectives here]
Exercise Personnel
Players/Participants respond to the scenario as presented.
Observers watch the exercise and preparedness processes.
Facilitators lead, focus, and moderate group discussions.
Data Collectors observe and record discussions during the exercise, and also participate in data analysis.
Exercise Structure
• This exercise is a facilitated, scenario-driven discussion that allows Participants to interact in accordance with their respective responsibilities and expertise to coordinate their response to a significant cyber event.
• The exercise will be conducted as a four-hour exercise in which Players will be presented with one or more of the four exercise vignettes below:
• Vignette I: Compromise of electronic Protected Health Information (ePHI)
• Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
• Vignette III: Cash Out – Billing System Disruption
• Vignette IV: Medical Device Malfunction
Exercise Structure (Cont'd)
Each vignette opens with a scenario that provides the general context for Participants to identify and discuss major concerns and formulate responses to the situation described. Using information provided in the scenario or situational "injects," Participants respond to cybersecurity issues related to the specific theme of the presented vignette. These discussions are guided by the exercise Facilitator, who will also manage the time allotted for each vignette.
Exercise Guidelines
This is an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected. Respond based on your knowledge of current plans and capabilities (i.e., exclusive use of existing assets) and insights derived from training. Decisions are not precedent-setting and may not reflect your organization's final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.
Exercise Guidelines (Cont'd)
Assume cooperation and support from other responders and agencies. Problem-solving efforts should be the focus of your discussions. Identifying issues is not as valuable as suggestions and recommended actions. The scenarios and situational injects, written materials, and resources provided are the basis for discussions.
Assumptions and Artificialities
• The scenario is plausible and events occur as they are presented.
• There is no "hidden agenda," nor any trick questions.
• All Players receive information at the same time.
• The scenario is not derived from current intelligence.
Vignette I: Compromise of electronic Protected Health Information (ePHI)
Vignette I: Opening Scenario
The nursing staff at your healthcare facility has noticed that over the past several months a part-time security guard has repeatedly shown up at least an hour earlier than his shift is scheduled to begin. The guard is well liked and has worked at the facility for over five years.
Vignette I: Opening Scenario (Cont'd)
Six months ago the guard's fiancée (also an employee at your facility) was laid off, along with 25 other support employees. Three months later, several administrative and finance employees at your facility received an email from the guard's fiancée inviting them to check out her latest vacation pictures from Tahiti by clicking on a link to www.SeeMyVacationPhoto.com. Upon clicking the link, an error message – 404 Error File Not Found – was displayed. Some employees replied to the sender that there was an error message; others did nothing.
Vignette I: Inject 1
Two nights ago your Information Technology (IT) operations manager received the daily report from his team stating that their anti-virus software had quarantined several unrecognized files. Additionally, the security event log showed unusual activity by several night-shift employees recorded earlier in the day. Yesterday, your Chief Information Security Officer (CISO) returned from vacation to a report of three lost laptops.
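The "unusual activity by several night-shift employees recorded earlier in the day" in Inject 1, and the guard who is on site an hour before his shift in the opening scenario, are both schedule-versus-activity mismatches that a routine log review can surface before an extortion email arrives. As an added example (not part of the DHS exercise materials), the Python below compares constructed badge and login events against a constructed shift roster and flags every event outside a person's scheduled window, allowing a grace period and handling night shifts that cross midnight. The user names, shift times, grace period and log format are all assumptions made for the illustration.

```python
"""Flag authentication/badge events that fall outside an employee's scheduled shift.

Added example for Vignette I. All names, schedules and log lines are
constructed for illustration; none come from the exercise materials.
"""
from datetime import datetime, time, timedelta

# Constructed shift roster: user -> (start, end) in local time. A shift whose
# end is earlier than its start crosses midnight (e.g. 22:00 -> 06:00).
SHIFTS = {
    "guard01": (time(14, 0), time(22, 0)),
    "nurse07": (time(22, 0), time(6, 0)),
    "nurse12": (time(22, 0), time(6, 0)),
    "admin03": (time(8, 0), time(17, 0)),
}

# Constructed log lines: "<ISO timestamp> <user> <event ...>"
SAMPLE_LOG = """\
2014-03-10T12:52:00 guard01 badge_in
2014-03-10T14:01:00 guard01 badge_in
2014-03-10T13:15:00 nurse07 login ws-er-04
2014-03-10T23:40:00 nurse07 login ws-er-04
2014-03-11T02:10:00 nurse12 login ws-icu-02
2014-03-11T10:30:00 nurse12 login ws-fin-01
2014-03-10T09:05:00 admin03 login ws-fin-01
2014-03-10T03:00:00 contractor9 login ws-fin-01
"""

GRACE = timedelta(minutes=30)  # assumed tolerance for early arrival / late departure


def in_shift(ts: datetime, start: time, end: time, grace: timedelta = GRACE) -> bool:
    """True if ts lies within [start - grace, end + grace] of the shift.

    Overnight shifts are handled by testing both the window that began the
    previous calendar day and the one that begins on ts's own day.
    """
    day = ts.date()
    windows = []
    for offset in (-1, 0):
        s = datetime.combine(day + timedelta(days=offset), start)
        e = datetime.combine(day + timedelta(days=offset), end)
        if e <= s:  # end time earlier than start: shift crosses midnight
            e += timedelta(days=1)
        windows.append((s - grace, e + grace))
    return any(lo <= ts <= hi for lo, hi in windows)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, event text)."""
    ts_str, user, *rest = line.split()
    return datetime.fromisoformat(ts_str), user, " ".join(rest)


def find_off_shift(log_text: str, shifts=SHIFTS, grace: timedelta = GRACE):
    """Return [(iso_timestamp, user, event)] for events outside the user's shift.

    Users absent from the roster are reported as well: an identity with no
    scheduled shift acting at all deserves a look.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if user not in shifts or not in_shift(ts, *shifts[user], grace):
            hits.append((ts.isoformat(), user, event))
    return hits


def summarize(hits):
    """Count off-shift events per user so repeat offenders stand out."""
    counts = {}
    for _, user, _ in hits:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_off_shift(SAMPLE_LOG)
    for ts, user, event in found:
        print(f"OFF-SHIFT {ts} {user} {event}")
    print(summarize(found))
```

On the constructed sample this flags the guard's 12:52 badge-in (his shift starts at 14:00), two night-shift nurses logging in during the day, and an account with no shift at all, while the 02:10 login by a nurse on the 22:00–06:00 shift is correctly accepted because the check looks back to the window that began the previous day. In practice the roster would come from the scheduling system and the events from the badge and authentication logs; the grace period should match local policy rather than the 30 minutes assumed here.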
Vignette I: Inject 2
This morning, your Chief Information Officer (CIO) receives an untraceable email with a file containing ePHI and credit card data of 1,000 former and current patients. The email states that this information, and that of over 5,000 other patients, will be made available to the highest bidder and invites your organization to make a bid. Bids close tonight at midnight.
Vignette II: Corrupted Electronic Health Records/Electronic Medical Records
Vignette II: Opening Scenario
Your healthcare organization is a major trauma center in a metropolis that triages and treats patients. Patient care is captured, tracked, and reviewed via a remotely accessible electronic health records/electronic medical records (EHR/EMR) system that provides real-time, point-of-care, patient-specific clinical data. Several weeks ago the software on your EHR/EMR system was updated and, despite some very minor initial problems, the system has been operating well. Today it is not.
Vignette II: Opening Scenario (Cont'd)
Clinical support computers are receiving data slowly, not responding, or freezing. Patient care is increasingly delayed as physicians and clinicians authenticate and verify patient EHR/EMR information through labor-intensive and time-consuming manual paper downtime procedures (e.g., questioning patients, contacting families). Amid the treatment of patients with corrupt EHRs/EMRs, the center rapidly becomes overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Trauma staff members are complaining that the EHR/EMR system has virtually ground to a halt and is unusable. Administrator priorities shift to reaffirming EHR/EMR data integrity.
Vignette II: Inject 1
In response to a high number of complaints of suspicious events and slow network speed, an investigation by the center's off-site IT services contractor discovers malware. The technicians determine that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.
Vignette II: Inject 2
IT support concludes that the web and main network servers are infected with a worm that has altered or erased an indeterminate quantity of data fields containing relevant patient health and treatment plan information.
Break
Vignette III: Cash Out – Billing System Disruption
Vignette III: Opening Scenario
Six months ago, three administrative employees in your healthcare organization received an email from the facility's Human Resources (HR) department. The email contained what seemed to be an attachment that would not open; the employees did not report this problem to anyone. Other employees also received seemingly "legitimate" emails from HR/payroll requesting that they update their password-protected personal information through hyperlinks embedded in the emails.
Vignette III: Opening Scenario (Cont'd)
During a routinely scheduled financial audit this week, significant discrepancies are discovered and immediately reported to your Chief Financial Officer (CFO). A quick internal investigation by the CFO exonerates your employees. This investigation determines that an external network intruder has exploited a known – but unpatched – billing system vulnerability and now controls key components of your billing and receivables capabilities. It is determined that the money cannot be recovered, nor can the intruder be identified.
Vignette III: Inject 1
Your healthcare organization hires a third-party cyber remediation service to repair the vulnerability, secure the system, and conduct a forensic analysis. This vendor completes the work and states that they believe the intruder is now prevented from further access to your system. You continue efforts to resolve the business, legal, and regulatory damages caused by the breach.
Vignette III: Inject 2
Your Chief Executive Officer (CEO) receives an untraceable email from the hacker, who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes real-time, dated, time-stamped screenshots of your billing system, by which she asserts her continued control of it. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will delete a portion of your billing database and post patient credit card information for sale on the Internet.
Vignette III: Inject 3
After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10% of the billing database. In addition to this damage, the intruder's malware has also caused you to lose the ability to quickly verify patient insurance coverage through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those individuals denied services are referred to nearby healthcare providers. Despite continued attempts, IT technicians are unable to regain control of your databases. The intruder then substantially raises the ransom to $5 million and threatens to erase 50% of your remaining database if you fail to make full payment within 24 hours.
Vignette III: Inject 3 (Cont'd)
The significant loss of data and the increase in patient load at nearby healthcare facilities prompt your organization to disclose and communicate the breach to other providers in the region. Your limited ability to share data with federal and state service providers, process payroll, and manage bills brings your facility close to temporarily shutting down operations. Your incident management team coordinates its response with law enforcement, regulators, and appropriate authorities. Based on the information you provide, some regional healthcare providers also discover similar fraudulent billing activities, seemingly due to actions by the same intruder. The hacker appears to be attempting to extort money from these other providers as well.
Vignette III: Inject 3 (Cont'd)
Your organization becomes non-compliant with Payment Card Industry (PCI) requirements and is therefore subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to notify those patients whose credit card information was stolen and to provide them with credit monitoring for a year.
Vignette IV: Medical Device Malfunction
Vignette IV: Opening Scenario
The medical device industry has experienced substantial growth in the past decade, owing primarily to changes in patient demographics and rapid globalization. Nevertheless, the industry continues to face pressure to cut costs and accelerate product development. A variety of cost-reducing measures, including global outsourcing, continue to play a major role in medical device development and manufacture.
Vignette IV: Opening Scenario (Cont'd)
Medical device activities that are outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and in certifying that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices in use within your healthcare organization, which can be reprogrammed remotely via wireless technology, are of suspect reliability.
Vignette IV: Inject 1
A new generation of implantable cardioverter defibrillators (ICDs), manufactured by multiple companies with components made in the United States, Asia, and Europe, is now used by many healthcare organizations, including your own. The new generation of ICDs is intended to offer improved reliability and safety over older models, and a "reasonable assurance of safety and effectiveness" is touted by the manufacturers.
Vignette IV: Inject 1 (Cont'd)
Failure rates of the newer ICDs across all manufacturers have been tracked as below traditional averages. The United States Food and Drug Administration (FDA) has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware of its in-stock ICDs and incentivizes physicians and suppliers to replace the non-updated implants with the safer, more reliable ICDs. Several weeks after undergoing replacement of an implanted device, three very similar "adverse events" – including one death – are reported among patients who received the updated ICD at your hospital.
Conclusion and Hot Wash
Participants describe overall strengths and weaknesses.
Determine recommendations.
Participants complete feedback forms.
Points of Contact
For questions about the DHS Cyber Tabletop Exercise for the Healthcare Industry or recommendations for improvement, contact the DHS Cyber Exercise Program at CEP@HQ.DHS.GOV
For questions concerning health information technology standards, regulation, policies, and guidelines, contact the U.S. Department of Health and Human Services (HHS) at CIP@HHS.Gov
For questions or comments related to the National Health Information Sharing and Analysis Center, contact the NH-ISAC via e-mail at contact@nhisac.org
[Insert your own company/contact information]