U.S. Department of Homeland Security Cyber Tabletop Exercise for the Healthcare Industry

1
U.S. Department of Homeland Security Cyber
Tabletop Exercise for the Healthcare Industry
  • Organization Represented
  • Exercise Date
  • Presenter's Name

2
Operational Security (OPSEC)
  • This briefing contains exercise, operational, and
    potentially business sensitive material which,
    while not classified, should be safeguarded as
    deemed appropriate.

3
Agenda
  • 0830-0900 Welcome and Introductions
  • 0900-0930 Vignette I
  • 0930-1005 Vignette II
  • 1005-1020 Break (at Facilitator discretion)
  • 1020-1055 Vignette III
  • 1055-1130 Vignette IV
  • 1130-1200 Hot Wash / Closing Comments

4
Exercise Purpose
  • The purpose of this tabletop exercise (TTX) is to
    create an opportunity for stakeholders within the
    Healthcare and Public Health critical
    infrastructure sector to enhance their
    understanding of key issues associated with a
    focused cyber attack, including coordination and
    information sharing amongst private entities and
    government agencies in response to such an
    attack.

5
Exercise Scope
  • This exercise focuses on healthcare facility
    incident response and coordination with other
    internal and external entities to a potential
    cyber attack. The intent is to improve the
    overall cyber response posture and collective
    decision-making processes.
  • It is designed to be an open, thought-provoking
    exchange of ideas to help develop and expand
    existing knowledge of policies and procedures
    within the framework of cyber incident response.
    It is not a test of detailed response procedures,
    but rather emphasizes cyber and physical response
    coordination, resource integration, and problem
    identification and resolution during the event.

6
Exercise Objectives
  • Explore inter-organizational information sharing
    and collaboration mechanisms within the
    Healthcare and Public Health sector during a
    cyber incident.
  • Improve the understanding of potential impacts
    and cascading effects that cyber intrusions can
    have within the Healthcare and Public Health
    sector.
  • Examine organizational cyber incident response
    policies, plans and protocols, and identify
    potential gaps.
  • Insert additional facility specific objectives
    here

7
Exercise Personnel
  • Players/Participants respond to the scenario as
    presented
  • Observers watch the exercise and preparedness
    processes
  • Facilitators lead, focus, and moderate group
    discussions
  • Data Collectors observe and record discussions
    during the exercise, and also participate in data
    analysis

8
Exercise Structure
  • This exercise is a facilitated, scenario-driven
    discussion that allows Participants to interact
    in accordance with their respective
    responsibilities and expertise to coordinate
    their response to a significant cyber event
  • The exercise will be conducted as a four-hour
    exercise where Players will be presented with one
    or more of the four exercise vignettes below
  • Vignette I: Compromise of electronic Protected
    Health Information (ePHI)
  • Vignette II: Electronic Health Records/Electronic
    Medical Records (EHRs/EMRs)
  • Vignette III: Cash Out - Billing System
    Disruption
  • Vignette IV: Medical Device Malfunction

9
Exercise Structure (Contd)
  • Each vignette opens with a scenario that provides
    the general context for Participants to identify
    and discuss major concerns and formulate
    responses to the situation described.
  • Using information provided in the scenario or
    situational injects, Participants respond to
    cybersecurity issues related to the specific
    theme of the presented vignette. These
    discussions are guided by the exercise
    Facilitator who will also manage the time
    allotted for each vignette.

10
Exercise Guidelines
  • This is an open, low-stress, no-fault
    environment. Varying viewpoints, even
    disagreements, are expected.
  • Respond based on your knowledge of current plans
    and capabilities (i.e., exclusive use of existing
    assets), and insights derived from training.
  • Decisions are not precedent-setting and may not
    reflect your organization's final position on a
    given issue. This is an opportunity to discuss
    and present multiple options and possible
    solutions.

11
Exercise Guidelines (Contd)
  • Assume cooperation and support from other
    responders and agencies.
  • Problem-solving efforts should be the focus of
    your discussions. Identifying issues is not as
    valuable as suggestions and recommended actions.
  • The scenarios and situational injects, written
    materials, and resources provided are the basis
    for discussions.

12
Assumptions and Artificialities
  • The scenario is plausible and events occur as
    they are presented.
  • There is no hidden agenda, nor any trick
    questions.
  • All Players receive information at the same time.
  • The scenario is not derived from current
    intelligence.

13
Vignette I: Compromise of electronic Protected
Health Information (ePHI)
14
Vignette I Opening Scenario
  • The nursing staff at your healthcare facility has
    noticed that over the past several months a
    part-time security guard has repeatedly shown up
    at least an hour earlier than his shift is
    scheduled to begin. The guard is well-liked and
    has worked at the facility for over five years.

15
Vignette I Opening Scenario (Contd)
  • Six months ago the guard's fiancé (also an
    employee at your facility), along with 25 other
    support employees, were laid off. Three months
    later, several administrative and finance
    employees at your facility received an email from
    the guard's fiancé with an invitation to check
    out her latest vacation pictures from Tahiti by
    clicking on a link to www.SeeMyVacationPhoto.com.
    Upon clicking the link, an error message "404
    Error: File Not Found" was displayed. Some
    employees replied to the sender that there was an
    error message; others did nothing.


16
Vignette I Inject 1
  • Two nights ago your Information Technology (IT)
    operations manager received the daily report
    from his team stating that their anti-virus
    software had quarantined several unrecognizable
    files. Additionally, the security events log
    showed unusual activity by several night shift
    employees recorded earlier in the day.
  • Yesterday, your Chief Information Security
    Officer (CISO) returned from his vacation to a
    report of three lost laptops.

17
Vignette I Inject 2
  • This morning, your Chief Information Officer
    (CIO) receives an untraceable email with a file
    containing ePHI and credit card data of 1,000
    former and current patients. The email states
    that this information, and that of over 5,000
    other patients, will be made available to the
    highest bidder and invites your organization to
    make a bid. Bids close tonight at midnight.

18
Vignette II: Corrupted Electronic Health
Records/Electronic Medical Records
19
Vignette II Opening Scenario
  • Your healthcare organization is a major trauma
    center in a metropolis that triages and treats
    patients. Patient care is captured, tracked, and
    reviewed via a remotely accessible electronic
    health records/electronic medical records
    (EHR/EMR) system that provides real-time,
    point-of-care, patient-specific clinical data.
  • Several weeks ago the software on your EHR/EMR
    system was updated and despite some very minor
    initial problems, the system has been operating
    well. Today it is not.

20
Vignette II Opening Scenario (Contd)
  • You are experiencing clinical support computers
    that are receiving data slowly, do not respond,
    or freeze. Patient care is increasingly delayed
    as physicians and clinicians authenticate and
    verify patient EHR/EMR information through
    labor-intensive and time-consuming downtime manual
    paper procedures (e.g., patient questioning,
    contacting families).
  • Amidst the treatment of patients with corrupt
    EHRs/EMRs, the center becomes rapidly overwhelmed
    and as new patients arrive, only life-threatening
    emergencies are accepted for emergency department
    treatment. Trauma staff members are complaining
    that the EHR/EMR system has virtually ground to a
    halt and is unusable. Administrator priorities
    shift to reaffirming EHR/EMR data integrity.

21
Vignette II Inject 1
  • In response to a high number of complaints of
    suspicious events and slow network speed, an
    investigation by the center's off-site IT
    services contractor discovers malware. The
    technicians determine that malicious code has
    infected multiple network-level servers, and
    possibly desktop and mobile workstations.

22
Vignette II Inject 2
  • IT support concludes that the Web and main
    network servers are infected with a worm that has
    altered or erased an indeterminate quantity of
    data fields containing relevant patient health
    and treatment plan information.

23
Break
24
Vignette III: Cash Out - Billing System Disruption
25
Vignette III Opening Scenario
  • Six months ago, three administrative employees in
    your healthcare organization receive an email
    from the facility's Human Resources (HR)
    department. The email contains what seems to be
    an attachment that will not open; the employees do
    not report this problem to anyone. Other
    employees also receive seemingly legitimate
    emails from HR/payroll requesting that they
    update their password-protected, personal
    information through hyperlinks embedded in the
    emails.

26
Vignette III Opening Scenario (Contd)
  • During a routinely scheduled financial audit this
    week, significant discrepancies are discovered
    and immediately reported to your Chief Financial
    Officer (CFO). A quick internal investigation by
    the CFO exonerates your employees. This
    investigation determines that an external network
    intruder has exploited a known but unpatched
    billing system vulnerability, and now controls
    key components of your billing and receivables
    capabilities. It is determined that the money
    cannot be recovered, nor can the intruder be
    identified.

27
Vignette III Inject 1
  • Your healthcare organization hires a third-party
    cyber remediation service to repair the
    vulnerability, secure the system, and conduct a
    forensic analysis. This vendor completes the
    work and states that they believe the intruder is
    now prevented from further access to your system.
    You continue efforts to resolve business, legal,
    and regulatory damages caused by the breach.

28
Vignette III Inject 2
  • Your Chief Executive Officer (CEO) receives an
    untraceable email from the hacker who claims
    credit for the fraudulent billing and attempts to
    extort money from your organization to avert
    public disclosure. The email includes real-time,
    dated, time-stamped screenshots of your billing
    system in which she declares her continued control
    of your billing system. The email states that
    your CEO has 24 hours to pay a ransom of $1
    million or she will delete a portion of your
    billing database, and will post patient credit
    card information for sale on the Internet.

29
Vignette III Inject 3 (Contd)
  • After notifying law enforcement, your board of
    directors tries to negotiate with the hacker and
    delays paying the ransom; the hacker subsequently
    deletes 10% of the billing database. In addition
    to this damage, the intruder's malware has also
    caused you to lose the ability to quickly verify
    patient insurance payment through electronic
    means. This results in significant delay, and in
    some cases outright denial, of medical services
    to non-emergency and all elective-surgery
    patients. Those individuals denied services are
    referred to nearby healthcare providers. Despite
    continued attempts, IT technicians are unable to
    regain control of your databases. The intruder
    then substantially raises the ransom to $5
    million and threatens to erase 50% of your
    remaining database if you fail to make full
    payment within 24 hours.

30
Vignette III Inject 3 (Contd)
  • The significant loss of data and increase in
    patient load at nearby healthcare facilities
    prompts your organization to disclose and
    communicate the breach with other providers in
    the region. Your limited ability to share data
    with federal and state service providers, service
    payroll, and manage bills brings your facility
    close to temporarily shutting down operations.
    Your incident management team coordinates their
    response with law enforcement, regulators, and
    appropriate authorities. Based on the information
    you provide, some regional healthcare providers
    also discover similar fraudulent billing
    activities, seemingly due to actions by the same
    intruder. The hacker appears to be attempting
    to extort money from these other providers as
    well.

31
Vignette III Inject 3 (Contd)
  • Your organization becomes non-compliant with
    Payment Card Industry (PCI) requirements and
    therefore is subject to penalties and fines. It
    is estimated that your healthcare organization
    may have to spend in excess of $3 million to make
    notification to those patients whose credit card
    information was stolen, and to provide them with
    credit monitoring for a year.

32
Vignette IV: Medical Device Malfunction
33
Vignette IV Opening Scenario
  • The medical device industry has experienced
    substantial growth in the past decade owing
    primarily to changes in patient demographics and
    rapid globalization. Nevertheless, the industry
    continues to face pressures to cut costs and
    increase product development. A variety of cost
    reducing measures, including global outsourcing,
    continue to play a major role in medical device
    development and manufacture.

34
Vignette IV Opening Scenario (Contd)
  • Medical device activities that are outsourced
    include product design, prototyping,
    manufacturing, and supply chain management.
    Alongside these are challenges in regulatory
    compliance and certification that all components
    and products are authentic. The reliability and
    surety of devices are becoming an increasingly
    public issue. In the wake of several
    high-profile safety incidents, many manufacturers
    are taking additional steps to ensure that their
    products are both safe and effective. It has
    been reported that several devices with the
    ability to be reprogrammed remotely via wireless
    technology are used within your healthcare
    organization with suspect reliability.

35
Vignette IV Inject 1
  • A new generation of implantable cardioverter
    defibrillators (ICDs) manufactured by multiple
    companies with components made in the United
    States, Asia, and Europe are now used by many
    healthcare organizations, including your own.
    The new generation of ICDs is intended to offer
    improved reliability and safety over older
    models, and a reasonable assurance of safety and
    effectiveness is touted by the manufacturers.

36
Vignette IV Inject 1 (Contd)
  • Failure rates of the newer ICDs across all
    manufacturers have been tracked as below
    traditional averages. The United States Food and
    Drug Administration (FDA) has identified firmware
    as the primary cause of device problems. To gain
    a competitive advantage, one manufacturer decides
    to update the firmware of its in-stock ICDs, and
    incentivizes physicians and suppliers to replace
    the non-updated implants with the safer, more
    reliable ICDs.
  • Several weeks after undergoing replacement of an
    implanted device, three very similar reports of
    adverse events, including one death, are
    reported by patients who received the updated ICD
    at your hospital.

37
Conclusion and Hot Wash
  • Participants describe overall strengths and
    weaknesses
  • Determine recommendations
  • Participants complete feedback forms

38
Points of Contact
  • For questions about the DHS Cyber Tabletop
    Exercise for the Healthcare Industry or
    recommendations for improvement, contact the DHS
    Cyber Exercise Program at CEP@HQ.DHS.GOV
  • For questions concerning health information
    technology standards, regulation, policies, and
    guidelines, contact the U.S. Department of Health
    and Human Services (HHS) at CIP@HHS.Gov
  • For questions or comments related to the National
    Health Information Sharing and Analysis Center,
    contact the NH-ISAC via e-mail at
    contact@nhisac.org
  • Insert your own company/contact information

39
U.S. Department of Homeland Security Cyber
Tabletop Exercise for the Healthcare Industry