Title: U.S. Department of Homeland Security Cyber Tabletop Exercise for the Healthcare Industry
U.S. Department of Homeland Security Cyber Tabletop Exercise for the Healthcare Industry
- Organization Represented
- Exercise Date
- Presenter's Name
Operational Security (OPSEC)
- This briefing contains exercise, operational, and potentially business-sensitive material which, while not classified, should be safeguarded as deemed appropriate.
Agenda
- 0830-0900 Welcome and Introductions
- 0900-0930 Vignette I
- 0930-1005 Vignette II
- 1005-1020 Break (at Facilitator discretion)
- 1020-1055 Vignette III
- 1055-1130 Vignette IV
- 1130-1200 Hot Wash / Closing Comments
Exercise Purpose
- The purpose of this tabletop exercise (TTX) is to create an opportunity for stakeholders within the Healthcare and Public Health critical infrastructure sector to enhance their understanding of key issues associated with a focused cyber attack, including coordination and information sharing amongst private entities and government agencies in response to such an attack.
Exercise Scope
- This exercise focuses on healthcare facility incident response and coordination with other internal and external entities in response to a potential cyber attack. The intent is to improve the overall cyber response posture and collective decision-making processes.
- It is designed to be an open, thought-provoking exchange of ideas to help develop and expand existing knowledge of policies and procedures within the framework of cyber incident response. It is not a test of detailed response procedures, but rather emphasizes cyber and physical response coordination, resource integration, and problem identification and resolution during the event.
Exercise Objectives
- Explore inter-organizational information sharing and collaboration mechanisms within the Healthcare and Public Health sector during a cyber incident.
- Improve the understanding of potential impacts and cascading effects that cyber intrusions can have within the Healthcare and Public Health sector.
- Examine organizational cyber incident response policies, plans and protocols, and identify potential gaps.
- Insert additional facility-specific objectives here
Exercise Personnel
- Players/Participants respond to the scenario as presented
- Observers watch the exercise and preparedness processes
- Facilitators lead, focus, and moderate group discussions
- Data Collectors observe and record discussions during the exercise, and also participate in data analysis
Exercise Structure
- This exercise is a facilitated, scenario-driven discussion that allows Participants to interact in accordance with their respective responsibilities and expertise to coordinate their response to a significant cyber event
- The exercise will be conducted as a four-hour exercise where Players will be presented with one or more of the four exercise vignettes below
- Vignette I: Compromise of electronic Protected Health Information (ePHI)
- Vignette II: Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
- Vignette III: Cash Out - Billing System Disruption
- Vignette IV: Medical Device Malfunction
Exercise Structure (Contd)
- Each vignette opens with a scenario that provides the general context for Participants to identify and discuss major concerns and formulate responses to the situation described.
- Using information provided in the scenario or situational injects, Participants respond to cybersecurity issues related to the specific theme of the presented vignette. These discussions are guided by the exercise Facilitator, who will also manage the time allotted for each vignette.
Exercise Guidelines
- This is an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected.
- Respond based on your knowledge of current plans and capabilities (i.e., exclusive use of existing assets), and insights derived from training.
- Decisions are not precedent-setting and may not reflect your organization's final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.
Exercise Guidelines (Contd)
- Assume cooperation and support from other responders and agencies.
- Problem-solving efforts should be the focus of your discussions. Identifying issues is not as valuable as suggestions and recommended actions.
- The scenarios and situational injects, written materials, and resources provided are the basis for discussions.
Assumptions and Artificialities
- The scenario is plausible and events occur as they are presented.
- There is no hidden agenda, nor any trick questions.
- All Players receive information at the same time.
- The scenario is not derived from current intelligence.
Vignette I: Compromise of electronic Protected Health Information (ePHI)
Vignette I Opening Scenario
- The nursing staff at your healthcare facility has noticed that over the past several months a part-time security guard has repeatedly shown up at least an hour earlier than his shift is scheduled to begin. The guard is well-liked and has worked at the facility for over five years.
Vignette I Opening Scenario (Contd)
- Six months ago the guard's fiancée (also an employee at your facility), along with 25 other support employees, was laid off. Three months later, several administrative and finance employees at your facility received an email from the guard's fiancée with an invitation to check out her latest vacation pictures from Tahiti by clicking on a link to www.SeeMyVacationPhoto.com. Upon clicking the link, an error message "404 Error File Not Found" was displayed. Some employees replied to the sender that there was an error message; others did nothing.
Vignette I Inject 1
- Two nights ago your Information Technology (IT) operations manager received the daily report from his team stating that their anti-virus software had quarantined several unrecognizable files. Additionally, the security events log showed unusual activity by several night shift employees recorded earlier in the day.
- Yesterday, your Chief Information Security Officer (CISO) returned from his vacation to a report of three lost laptops.
Vignette I Inject 2
- This morning, your Chief Information Officer (CIO) receives an untraceable email with a file containing ePHI and credit card data of 1,000 former and current patients. The email states that this information, and that of over 5,000 other patients, will be made available to the highest bidder and invites your organization to make a bid. Bids close tonight at midnight.
Vignette II: Corrupted Electronic Health Records/Electronic Medical Records
Vignette II Opening Scenario
- Your healthcare organization is a major trauma center in a metropolis that triages and treats patients. Patient care is captured, tracked, and reviewed via a remotely accessible electronic health records/electronic medical records (EHR/EMR) system that provides real-time, point-of-care, patient-specific clinical data.
- Several weeks ago the software on your EHR/EMR system was updated and, despite some very minor initial problems, the system has been operating well. Today it is not.
Vignette II Opening Scenario (Contd)
- You are experiencing clinical support computers that are receiving data slowly, do not respond, or freeze. Patient care is increasingly delayed as physicians and clinicians authenticate and verify patient EHR/EMR information through labor-intensive and time-consuming downtime manual paper procedures (e.g., patient questioning, contacting families).
- Amidst the treatment of patients with corrupt EHRs/EMRs, the center becomes rapidly overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Trauma staff members are complaining that the EHR/EMR system has virtually ground to a halt and is unusable. Administrator priorities shift to reaffirming EHR/EMR data integrity.
Vignette II Inject 1
- In response to a high number of complaints of suspicious events and slow network speed, an investigation by the center's off-site IT services contractor discovers malware. The technicians determine that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.
Vignette II Inject 2
- IT support concludes that the Web and main network servers are infected with a worm that has altered or erased an indeterminate quantity of data fields containing relevant patient health and treatment plan information.
Break
Vignette III: Cash Out - Billing System Disruption
Vignette III Opening Scenario
- Six months ago, three administrative employees in your healthcare organization receive an email from the facility's Human Resources (HR) department. The email contains what seems to be an attachment that will not open; the employees do not report this problem to anyone. Other employees also receive seemingly legitimate emails from HR/payroll requesting that they update their password-protected personal information through hyperlinks embedded in the emails.
Vignette III Opening Scenario (Contd)
- During a routinely scheduled financial audit this week, significant discrepancies are discovered and immediately reported to your Chief Financial Officer (CFO). A quick internal investigation by the CFO exonerates your employees. This investigation determines that an external network intruder has exploited a known but unpatched billing system vulnerability, and now controls key components of your billing and receivables capabilities. It is determined that the money cannot be recovered, nor can the intruder be identified.
Vignette III Inject 1
- Your healthcare organization hires a third-party cyber remediation service to repair the vulnerability, secure the system, and conduct a forensic analysis. This vendor completes the work and states that they believe the intruder is now prevented from further access to your system. You continue efforts to resolve business, legal, and regulatory damages caused by the breach.
Vignette III Inject 2
- Your Chief Executive Officer (CEO) receives an untraceable email from the hacker, who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes real-time, dated, time-stamped screenshots of your billing system in which she declares her continued control of your billing system. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will delete a portion of your billing database and will post patient credit card information for sale on the Internet.
Vignette III Inject 3 (Contd)
- After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10 percent of the billing database. In addition to this damage, the intruder's malware has also caused you to lose the ability to quickly verify patient insurance payment through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those individuals denied services are referred to nearby healthcare providers. Despite continued attempts, IT technicians are unable to regain control of your databases. The intruder then substantively raises the ransom to $5 million and threatens to erase 50 percent of your remaining database if you fail to make full payment within 24 hours.
Vignette III Inject 3 (Contd)
- The significant loss of data and increase in patient load at nearby healthcare facilities prompts your organization to disclose and communicate the breach to other providers in the region. Your limited ability to share data with federal and state service providers, service payroll, and manage bills brings your facility close to temporarily shutting down operations. Your incident management team coordinates its response with law enforcement, regulators, and appropriate authorities. Based on the information you provide, some regional healthcare providers also discover similar fraudulent billing activities, seemingly due to actions by the same intruder. The hacker appears to be attempting to extort money from these other providers as well.
Vignette III Inject 3 (Contd)
- Your organization becomes non-compliant with Payment Card Industry (PCI) requirements and therefore is subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to make notification to those patients whose credit card information was stolen, and to provide them with credit monitoring for a year.
Vignette IV: Medical Device Malfunction
Vignette IV Opening Scenario
- The medical device industry has experienced substantial growth in the past decade owing primarily to changes in patient demographics and rapid globalization. Nevertheless, the industry continues to face pressures to cut costs and increase product development. A variety of cost-reducing measures, including global outsourcing, continue to play a major role in medical device development and manufacture.
Vignette IV Opening Scenario (Contd)
- Medical device activities that are outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and certification that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices with the ability to be reprogrammed remotely via wireless technology are used within your healthcare organization with suspect reliability.
Vignette IV Inject 1
- A new generation of implantable cardioverter defibrillators (ICDs) manufactured by multiple companies with components made in the United States, Asia, and Europe are now used by many healthcare organizations, including your own. The new generation of ICDs is intended to offer improved reliability and safety over older models, and a reasonable assurance of safety and effectiveness is touted by the manufacturers.
Vignette IV Inject 1 (Contd)
- Failure rates of the newer ICDs across all manufacturers have been tracked as below traditional averages. The United States Food and Drug Administration (FDA) has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware of its in-stock ICDs, and incentivizes physicians and suppliers to replace the non-updated implants with the safer, more reliable ICDs.
- Several weeks after undergoing replacement of an implanted device, three very similar reports of adverse events, including one death, are reported by patients who received the updated ICD at your hospital.
Conclusion and Hot Wash
- Participants describe overall strengths and weaknesses
- Determine recommendations
- Participants complete feedback forms
Points of Contact
- For questions about the DHS Cyber Tabletop Exercise for the Healthcare Industry or recommendations for improvement, contact the DHS Cyber Exercise Program at CEP_at_HQ.DHS.GOV
- For questions concerning health information technology standards, regulation, policies, and guidelines, contact the U.S. Department of Health and Human Services (HHS) at CIP_at_HHS.Gov
- For questions or comments related to the National Health Information Sharing and Analysis Center, contact the NH-ISAC via e-mail at contact_at_nhisac.org
- Insert your own company/contact information