Combating Healthcare Data Breaches With Intelligence – Federal News Network

DHA sees network consolidation as ‘key enabler’ to health IT cybersecurity
https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/03/dha-sees-network-consolidation-as-key-enabler-to-health-it-cybersecurity/
Thu, 26 Mar 2020 16:24:28 +0000

The Defense Health Agency looks to collapse multiple legacy health IT networks used by military hospitals and clinics into a single modern network called the Medical Community of Interest (MedCOI). It includes more than 240,000 users worldwide and will serve as a “key enabler” for greater health IT security.

The project enables a single security context across the agency, and allows DHA to standardize its virtual local area networks into a new 13-zone architecture, with each zone designed for a different level of security to segment network traffic.

“Since we’ll have that same design at each facility, it’s going to allow inheritance of security controls, reduced variants in configuration, and is going to greatly reduce the time to complete our risk management framework processes for each enclave and the associated systems,” Pat Flanders, DHA’s Chief Information Officer, said in an interview.

Tom Hines, DHA’s director of engineering and technology transformation and a senior advisor to Flanders, said the agency’s zone architecture, combined with its risk management and system monitoring processes, can track real-time events on its network or adversely impacted devices.

“This allows us to flag any suspicious activity, identify its source, and isolate the system or systems that may have been affected,” Hines said.

This allows the agency to defend against all instances of malicious code, including ransomware. Hines said the agency has seen instances of ransomware, but has not been affected by those instances because of its network defenses.

Hines also attributed that success to DHA’s advanced forensics capability, which allows the agency to analyze attacks and their effect on a device or system.

He said these methods, to some extent, allow DHA to “reverse-engineer” those attacks.

“We have the capability to map that into our systems to then detect something that looked like the last thing that occurred and also stop it from affecting our devices,” Hines said.

To mitigate the risk of malicious code entering the network through users accessing websites, DHA is working with the Defense Information Security Agency on a web browser pilot called Cloud-Based Internet Isolation (CBII).

Hines said the pilot provisions a web browser in the cloud that doesn’t reside on the end-user’s device. “Any malicious activity only affects the virtual browser that gets de-provisioned at the end of the user’s session,” Hines said. “In this way, we are managing and securing anyone or anything connecting from the internet to a DHA system or from a DHA system to the internet.”

Meanwhile, the Defense Department expects to further reduce its cyber-attack surface area through its ongoing migration of its medical records systems to an electronic format.

The rollout of the Military Health System’s GENESIS e-health records program began with one military base in 2017, then spread to four bases in 2018 and an additional four in 2019.

GENESIS is expected to fully deploy by 2023, and will provide electronic health records to more than 9.5 million DoD beneficiaries.

Flanders said the MHS GENESIS rollout will replace hundreds of instances of legacy health record systems across the globe that have previously operated under separate chains of command and separate cybersecurity policies.

“If you understand the real challenge, the opportunity and benefits of MHS GENESIS become more obvious. I think most obvious is the opportunity for consolidation of legacy infrastructure and systems and the associated costs,” Flanders said. “We have a long list of systems that will be shut off and others that are going to be gradually sunset.”

Moving to a single network with standardized equipment and processes, he added, will “greatly reduce” the network’s attack surface to cyber attacks, and will ensure a continuity of care for patients.

“When we’re using more of the same types of devices, it’s easier to secure them. GENESIS will be using the same record every place in the DoD,” Flanders said. “And so if I’m seen at a hospital at Fort Bragg and I then moved to the D.C. area and I’m seen at Walter Reed, you’re seeing the exact same system, the exact same data, and the exact same record.”

NIH taking ‘people-centric’ approach to cybersecurity through Optimize program
https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/03/nih-taking-people-centric-approach-to-cybersecurity-through-optimize-program/
Wed, 18 Mar 2020 19:08:15 +0000

The Department of Health and Human Services’ employees protect the personally identifiable information of more than 100 million people, and as one of the largest bureaucracies in the federal government, must defend a sprawling network against a growing number of intrusion attempts.

The National Institutes of Health, however, is taking a “people-centric approach” to this cybersecurity challenge, Jothi Dugar, the chief information security officer of NIH’s Center for Information Technology, said in an interview with Federal News Network. That approach, she said, exists as the central theme of the agency’s new Optimize IT Security initiative, which views NIH’s workforce as its greatest asset – not its greatest liability – in combatting cyber threats.

“When we look at people, often you hear in the cybersecurity world [that] people are your weakest link, and I take great offense to that,” Dugar said. “We’re looking at people through the Optimize program as our biggest assets. Because why are we focused on cybersecurity anyway? It’s to protect our people, our science and the data.”

The Optimize IT Security effort, one of eight programs launched throughout HHS to increase the efficiency and effectiveness of its operations, looks to empower employees with the information they need to identify suspicious behavior, such as phishing emails, and make employees feel comfortable reporting these anomalous activities to cyber personnel.

As part of this approach, NIH identified 13 different user groups across the enterprise with access to its networks, and is tailoring cyber-awareness approaches to positions such as clinicians, researchers, scientists and emergency management personnel.

“It’s not just one-size-fits-all – and that’s generally the approach that’s used in cyber — that if it works for one person, then it should work for everyone,” Dugar said. “What we found was when you have these different types of stakeholder groups, especially at an organization such as ours … we have a whole slew of stakeholders who have different roles. We want to tailor the approach to each of these groups, so that it really resonates with them.”

The Optimize project also will rethink cybersecurity training from an employee engagement perspective, and move away from check-the-box experiences like the annual cybersecurity awareness training most federal employees go through.

“Most people, if they don’t see any relevance to it in their role, will probably just click ‘next’ 100 times and get a certificate, and then that’s it. They feel like their role in cyber is just that half an hour that it took to take the exam, and they don’t have to think about it again for the rest of the year,” Dugar said, adding that all NIH employees should consider cybersecurity and cyberawareness part of their day-to-day responsibilities.

“We’re trying to change the culture to engage our employees [and] all of these different stakeholder groups, not just our IT department, and really communicate with them,” she added.

While the Optimize IT Security program invites employees to participate and crowdsource ideas of how to improve cyber practices at the agency, Dugar said leadership also will hold employees and staff accountable for working in a cyber-safe manner.

“It’s always the balance between the carrot and the stick, so we’re providing them multiple opportunities for growth, knowledge and awareness [and] understanding their pain points. But at the end of the day, we also have to ensure that everyone’s aware that this is a requirement – it’s not an optional thing anymore for cyber to be looked at as, ‘OK, I’m a clinician or scientist, I’m just going to take my course and I’ll be done with it now,’” Dugar said. “They’re going to be expected to incorporate cyber-safe behaviors into the role that they play.”

Sandra Scarbrough, the chief of strategic planning and business transformation at NIH, said more than 100 employees have volunteered to play an active role in improving the agency’s IT security, even if they don’t work in IT or cyber positions.

“We feel that the non-IT staff members are really valuable and important. They’re there to support the science,” Scarbrough said.

Out of those 100 volunteers, a dozen officials, including the agency’s human resources director, have volunteered to serve as cyber champions, who will serve as points of contact for cybersecurity questions that employees may have.

“Being a cyber champion is being that person [who] everybody can go to within your organization if they have any questions. You are out there and providing information to people so that they understand what the dangers are of spear-phishing, or [helping them understand] how to report something,” Dugar said. “That’s really part of that sustainment piece; to ensure that this continues on, even after this huge campaign is over. They’re still going to be meeting and they’re still going to be sending out the message to NIH about cybersafe behaviors.”

Securing the PII ‘crown jewels’ of health IT systems
https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/03/securing-the-pii-crown-jewels-of-health-it-systems/
Tue, 10 Mar 2020 18:00:58 +0000

Increased use of electronic health records (EHR) in the public and private sectors can provide a better, more integrated level of care for patients. But these digital records, if not secured properly, can also put health care providers at risk of leaking personally identifiable information.

The Government Accountability Office raised some of these concerns in 2016, when it identified gaps between what the Department of Health and Human Services recommended in its EHR guidance to covered entities – such as health care plans and care providers – and what the Commerce Department’s National Institute of Standards and Technology recommended.

In addition, HHS made recommendations to covered entities to improve the security of their electronic health records. GAO also found the agency did not follow up to see if, in fact, those entities were implementing their recommended actions.

Greg Wilshusen, GAO’s director of information security issues, told Federal News Network that so far this year, HHS has yet to implement the recommendations from the watchdog’s report.

And in the years since GAO first issued that report, the threat of health IT data breaches has only increased.

HHS’s Office of Inspector General, for example, maintains through its breach portal a list of health IT data breaches that impact 500 or more people. The portal, which dates back to February 2018, includes more than 600 breaches that meet those criteria.

“We have found several threats to this type of data, because it does contain personally identifiable information … that can, if not adequately protected, lead to such adverse impacts as identity theft, insurance fraud, as well as the loss of personal privacy and potentially even blackmail of the individuals whose information may have been compromised,” Wilshusen said in an interview.

When migrating electronic health records, Wilshusen said agencies should inventory the devices on their network, identify where PII exists on the network and determine who has access to it.

“The first step is to identify your crown jewels, so to speak, for this medical information and any sensitive information that the agency may have, and then assess the risk associated with that information,” he said. “What are the key threats? Who might be interested in gaining access to that information that shouldn’t have access to it?”

From there, Wilshusen said agencies should manage access to the PII and devices on the network through identity management tools like multi-factor authentication.

“Agencies are taking identity management and authentication very seriously, and I think there is a movement for moving towards more of a zero trust approach,” Wilshusen said. “In some instances, particularly with the movement to cloud computing, it may be a bit further along, but that’s something that we will be looking at going forward.”

In addition to preventing unauthorized access to electronic health records and avoiding data breaches, Wilshusen said agencies and industry also face challenges mitigating threats to Internet of Things-enabled medical devices.

IoT medical devices can provide a more complete picture of a patient’s health and identify particular problems or trends that a health care provider can address. These devices can especially benefit rural communities that have limited access to nearby health care facilities.

“There [are] a lot of benefits with using these types of devices and using the internet to help transmit medical information about an individual, either to the medical facility or providing that information to the patient,” Wilshusen said.

But IoT medical devices also face a slew of cybersecurity challenges. In many cases, these devices can’t easily update their software, making it difficult to patch known IT vulnerabilities.

“They need to be updated to help address those security threats on the software and often there’s not a meaningful way of doing that,” Wilshusen said.

In addition, agencies and industry also need to secure data in-transit to prevent malicious actors from intercepting that data to commit identity theft or even modify the data to cause harm to the medical device user.

On a related note, the public and private sectors have worked together on steps to secure the supply chain of health IT products to reduce the cybersecurity threats baked into devices.

Wilshusen said agencies could better ensure the safety of these products by integrating their cybersecurity requirements into the acquisition process and the contracts they hold with vendors.

“When you are considering different contractors or suppliers, conduct your due diligence to ensure that they have the appropriate controls in place,” Wilshusen said.

Those controls can include having vendors conduct background investigations on their personnel and robust quality control testing of the products – including software vetting and documentation to assure there aren’t malicious bugs in the software code.

H-ISAC provides ‘polished narrative’ to tackle medical device cyber gaps
https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/03/h-isac-provides-polished-narrative-to-tackle-medical-device-cyber-gaps/
Tue, 03 Mar 2020 21:07:56 +0000

While federal agencies guard against cyber attacks and fend off potential data breaches on a daily basis, they also work closely with industry partners to front-line threats and emerging trends.

The Department of Health and Human Services, for example, works alongside the Health Information Sharing and Analysis Center (H-ISAC) to keep tabs on the threat landscape for health IT.

Errol Weiss, the H-ISAC’s chief security officer, told Federal News Network the organization primarily exists to keep medical device manufacturers and health care providers – such as clinics and hospitals – apprised of known IT vulnerabilities.

“One of the main functions that the Health ISAC serves today with its members is to be that hub of information sharing … We’re able to take some of that pretty raw information that’s being shared and the other members’ comments and put together what I’ll call a final, polished narrative that we can share with the rest of the membership broadly,” Weiss said in an interview.

While Weiss acknowledged “some natural tensions” exist between the two factions of the H-ISAC membership – device manufacturers and health care providers – bringing those groups together proved essential in October 2019, when a security firm identified 11 zero-day vulnerabilities in third-party medical device software.

Those vulnerabilities, the Food and Drug Administration warned in a memo, could “allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

“There were challenges in terms of how to find those devices on your own network. And then, once you did find those, how you were going to secure those, tighten those down?” Weiss said.

The H-ISAC, however, brought together affected medical device manufacturers and health care organizations to issue recommendations and remediation plans to counter the zero-day vulnerability threats.

To remain vigilant against upcoming vulnerabilities, Weiss said the H-ISAC maintains a list of web pages with security contacts for medical device manufacturers.

“It’s sort of a convenient way for members to find the security web page for those particular medical device manufacturing firms. And when it comes to the responsible disclosure notification, [we] work with those organizations to gather the appropriate information, and make sure it’s distributed to the appropriate parties,” he said.

Prior to joining the H-ISAC in 2019, Weiss helped stand up the ISAC model for the financial services sector in 1999, and served as a board member for the Financial Services ISAC.

So when a manufacturer notifies customers about a vulnerability and a patch to remedy the problem, Weiss said the stakes can often be higher in the health IT world, compared to his experience with the financial sector.

“Sometimes we’re seeing in the media articles that, [with] a medical device, if a hacker had discovered that vulnerability and exploited it, it could have resulted in a negative impact to a patient, including death,” he said. “So there tends to be very sensationalized types of coverage when the manufacturer is trying to do the right thing and responsibly disclose the vulnerability and issue patches to that device.”

In that scenario, the H-ISAC works with manufacturers to ensure they’re prepared for the immediate response that follows when they disclose a vulnerability.

While the rise of electronic health records could hold the key to delivering seamless patient care across health care providers – or even promote wider adoption of telehealth and remote diagnosing – Weiss said the health IT community first needs to address foundational concepts like identity management to ensure that only physicians and other authorized users have access to sensitive medical records.

“I know a lot of organizations are certainly dealing with the complexities of it. We don’t have a very interoperable way to authenticate people,” he said.

Challenges with authentication in health IT, he added, aren’t necessarily technology problems, but actually come down to people and processes.

“There is wonderful technology and hardware available today. We need to get agreement that this is going to be the way that we’re going to go, this is the standard that we’re going to use and this is the process that we’re shooting for,” Weiss said. “Do we get the government to regulate that? Do we get the private sector to jump in to offer solutions to that before it gets regulated? I don’t know which is the right way to go, but we’ve got the pieces of the puzzle we need. We just need somebody to help put all that together and make it available.”

Innovations in health IT modernization gives rise to cybersecurity challenges
https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/02/innovations-in-health-it-modernization-gives-rise-to-cybersecurity-challenges/
Mon, 24 Feb 2020 19:45:48 +0000

Federal health agencies have adopted innovation as their roadmap to the future – embracing emerging technologies such as Internet of Things-enabled medical devices and interoperable electronic health records.

While these technologies have enabled agencies to accelerate delivery and improve their front-line customer experience, a more connected health IT landscape also expands the cyber threat landscape and introduces new challenges for security professionals.

Stu Solomon, Recorded Future’s chief strategy and corporate development officer, told Federal News Network that health IT systems face a growing number of data security and cybersecurity challenges because of two trends.

Health IT systems, for one, hold a treasure trove of valuable data, whether it’s personal health data, biometrics or intellectual property valuable to the future of medical devices.

Meanwhile, the pace of IT modernization – the second trend — has accelerated faster than what most cybersecurity officials can anticipate.

“They’re in a digital transformation today, moving very rapidly to keep pace with the rest of society’s desires and needs — from paper-based scenarios and unconnected medical devices and techniques — and moving into scenarios whereby the digital transformation of their operations themselves necessitate a completely different view into the attack surface,” Solomon said in an interview.

While government and industry both face a variety of health IT and cybersecurity challenges, Solomon identified three emerging threats:

  • Ransomware
  • Data breaches and exposed personally identifiable information (PII)
  • Malicious actors gaining a foothold into the network for further intrusion.

The rise of ransomware impacts more than just the health IT sector, but Solomon said it’s an industry uniquely vulnerable to this threat. Defending against ransomware, he said, often comes down to workforce-centric challenges such as identifying spear-phishing attempts to prevent malware from entering networks in the first place.

“It’s really important to keep an eye out [and] not just for potentially anomalous activity that would be a deviation from the baseline of what you expect to see,” Solomon said.

While employees often serve as the first line of defense against threats like ransomware, health IT personnel must also take steps to ensure that if malware does enter their networks, the threat has limited opportunities to spread.

“How susceptible are the data stores within the network to being locked out or blocked out? Do you have the ability to rapidly recover or to roll back to a last known good environment? Do you have the ability to unlock data stores from recovery environments to be able to very quickly mitigate, or do you have the ability to stop the infection from spreading across multiple components of your network as quickly as possible?” Solomon said.

In order to defend against phishing attacks and malicious attempts to access PII, Solomon said agencies must also develop insider threat programs that include the scenario of an unintentional breach of data coming from an employee.

“It really does boil down to that first mile, which is the user who is tricked into or in some way coaxed into introducing the malware into the environment in an unwitting fashion,” he said. “Phishing techniques are as old as time in the security industry, but malicious actors will do what works, and they’ll follow the path of least resistance to be able to create the impact that they want.”

In order to prevent malicious actors from acting on vulnerabilities in IoT-connected medical devices, or using a successful phishing attack to burrow deeper into a network, Solomon said agencies should approach the problem from an identity management perspective, as they would with any other potential security deficiency.

“When you talk about the IoT components in medical devices in particular, it becomes very scary very quickly, because it’s personal. These are things that are touching our bodies, these are things that are dealing with our health care needs,” Solomon said. “There’s a lot of passion that’s solicited immediately when thinking about these kinds of threats. However, the opportunity lies in treating them in a very normal fashion, the way that any security professional would any other aspect of their network in their overall attack surface.”

That ID management strategy includes getting a complete map of devices on a network and better understanding what’s on those devices. That strategy should also include regularly patching and updating device software and firmware, as well as changing hard-coded passwords.

Another component to this defense strategy, Solomon said, is identifying how the devices normally behave on the network, in order to detect abnormalities faster.

“What does a normal baseline of activity look like when one device talks to another device? What kind of data should flow from one device to another device? What kind of data is exposed when devices interact with databases?” Solomon said.
