HHS Announces Health Sector Cybersecurity Coordination Center – On October 29, Deputy Secretary of the Department of Health and Human Services (“HHS”) Eric Hargan announced the official opening of the Health Sector Cybersecurity Coordination Center (“HC3”). Deputy Secretary Hargan commented that “HHS is proud to work with the health community to better protect Americans’ health data and confidential information.”
The HC3 is designed to support and improve cybersecurity information sharing within the healthcare sector, provide timely and actionable cybersecurity intelligence to healthcare organizations, and promote a cybersecurity community through strategic partnerships. The announcement was made at HHS headquarters in Washington, D.C., and supports the Trump Administration’s National Cyber Strategy, announced in September. According to the National Cyber Strategy, the Department of Homeland Security (“DHS”) is the lead organization to protect against cyberattacks and develop preventive strategies, with HHS directed to focus on the healthcare and public health (“HPH”) sector.
According to Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications, “[w]e know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information—and the heightened importance of sharing information cannot be stressed enough. The HC3 is a vital capability for the early detection and coordination of information between the private sector and the federal government, and with cyber professionals across the federal government.”
The HC3 replaces the Healthcare Cybersecurity and Communications Integration Center (“HCCIC”), which was announced in April 2017 with few details and drew scrutiny from Congress. Bipartisan leaders of the House Energy and Commerce Committee, as well as of the Senate Health, Education, Labor, and Pensions Committee, wrote a letter in June 2018 to HHS Secretary Alex Azar, seeking clarity about the role and status of the HCCIC and citing concerns about leadership changes. The letter noted that “[s]takeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has.” In contrast to the perception of the HCCIC among HPH stakeholders, Deputy Secretary Hargan emphasized the involvement of these stakeholders in the development of the HC3, stating, “[t]oday’s announcement is a recognition of the importance we place on stakeholder engagement as part of our cybersecurity work.”
FCC Commissioner Comments On Privacy Implications Of “Smart Cities” – On October 30, 2018, Federal Communications Commission (“FCC”) member Michael O’Rielly spoke at a policy event in Washington, D.C., on the topic of “smart cities,” defined by Commissioner O’Rielly as “the collection, use, and analysis of enormous amounts of data from sensors, other devices, and the like, to improve functionality, cost, and efficiencies of local governments and the surrounding communities.” In addition to remarks on the FCC’s logistical facilitation of the infrastructure necessary to make smart cities a reality, Commissioner O’Rielly cautioned that with smart cities, “the level of data available on individual citizens will be astronomical” and that the collection, use, and analysis of such data is a significant privacy and surveillance concern.
Smart cities function by pulling data from sensors and other devices set up by local governments to help them run more efficiently and cost-effectively; these sensors might be embedded in anything from traffic lights to trash cans. The ultimate benefits of these advancements, according to the Commissioner, include “more mobility and transportation synergies, greater health care solutions, public safety improvements, superior productivity, and so much more.” But Commissioner O’Rielly remarked that on the flip side, a significant concern is “what happens if [the information collected] is used for mischievous purposes, or worse, to increase the surveillance of innocent Americans.” He noted that such concern was not a “blind hypothetical” because there are known examples of governments across the world using new technologies to surveil, control, or punish citizens engaging in unapproved conduct.
Commissioner O’Rielly commented that the “real worry for privacy advocates and the public should be the combination of data with police and military powers, and the state’s potential to use data for the purpose of controlling or punishing its citizenry.” He added that governments’ ability to create a “comfort level” in the face of the privacy implications of smart cities “remains to be seen.”
Earlier in his speech, Commissioner O’Rielly highlighted that much of the work to be done on smart cities will occur in the private sector and emphasized the FCC’s desire to deregulate service providers, such as cable companies, to “unleash new technology” and remove state and local barriers to the deployment of wired and wireless broadband networks. “For our part, the FCC has been centered on ensuring that the proper regulatory framework exists for providers to offer services and expand infrastructure deployments to meet consumer demand.” He noted that the smart city applications will require “enormous and instantaneous cooperation among the moving technological pieces,” demanding “the next level of high-tech, scientific capabilities.” Commissioner O’Rielly further stated that “[i]f we get things right, not only can smart cities be a benefit to local communities, but they can also serve as a catalyst for new technology advancements and problem-solving,” comparing smart cities to “the dawn of the next microprocessor or fiber-optic cable.”
Cybersecurity Threat In Germany Rises To A New Level – On October 11, 2018, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) published its annual Report on the State of IT Security in Germany 2018 (“Security Report”). The Security Report shows an alarming increase in cybersecurity attacks against state agencies, critical infrastructure, and private companies, as well as against individuals, during the reporting period of July 1, 2017 to May 31, 2018. In its press statement from the same date, the BSI noted that “the combination of new attack quality and increasing digitalization raises the threat situation to a new level.”
During the reporting period, the BSI received 145 reports of attacks against critical infrastructure alone, in particular in the telecommunication and energy sectors. The Security Report further reveals that, according to a cybersecurity survey, in 2016 and 2017 approximately 70 percent of the 900 responding companies and institutions reported that they had been subjected to cyber-attacks. Fifty percent of those attacks were successful, and 50 percent of the successful attacks led to production downtime. Moreover, in about 57 percent of the reported attacks, IT systems were infected by ransomware; 19 percent of the companies became victims of hackers; and in 18 percent of the successful incidents, systems were forced down by Distributed Denial-of-Service (“DDoS”) attacks, i.e., attacks that overwhelm a target with internet traffic.
The BSI further advised that Industrial Control Systems (“ICS”) are particularly vulnerable to ransomware because they are often run with outdated software. While specific manipulations of machines and plants remain the exception, the BSI expects to see more targeted attacks of this nature in the future, as attackers gain a better understanding of the production processes. There are also indications that several groups are developing specific malware for attacks against ICS. Connected vehicles are on the BSI’s radar as well. While no concrete incidents have been reported yet, the BSI wants to conduct a more detailed risk analysis of On-Board Diagnostic (“OBD”) interfaces in vehicles to gain a better understanding of the associated cybersecurity risks.
Generally, the threat landscape seems to have become more diverse in recent months. While ransomware attacks caused by malware like “WannaCry” and “NotPetya” are continuing to a lesser degree, the BSI has seen a shift to more targeted attacks, increasing the pressure on companies to develop appropriate response strategies. This observation is in line with security reports of other cybersecurity firms issued earlier this year (we reported here). Attacks against Internet of Things applications also continue. Typically, hijacked devices are connected to botnets, allowing attackers to access third-party IT systems on a large scale. The botnets can then be used for multiple purposes, such as stealing or manipulating data, or using the combined processing power of the botnet for other activities, such as illegal crypto mining.
For companies, the increase of targeted attacks should certainly be the most alarming aspect of the Security Report, as sophisticated social-engineering attacks are hard to fight. Raising employees’ cybersecurity awareness by appropriate training should therefore be a cornerstone of any cybersecurity risk program.