'Data Guardians' Now On Watch After Hack at Medicare Agency

Last summer, deceptive emails began targeting employees at the Centers for Medicare and Medicaid Services, according to the agency. The messages were crafted to look like official business, but they actually were from attackers seeking agency passwords. The influx of "spearphishing" emails spiked in June and July.

CMS quickly grasped the gravity of the situation, in part because the federal government was still reeling from a hack at the Office of Personnel Management that netted 21.5 million government-held background check records.

Concerns in the C-suite peaked. The tentacles of that earlier campaign had gained a stranglehold on OPM, the Interior Department, and two contractors.

So, CMS went into containment mode quickly. Still, a few laptops contracted malware when employees clicked on the messages, and some personnel unknowingly gave up their credentials, CMS Chief Information Officer David Nelson told Nextgov in an interview.

"Rather than dealing with this sort of whack-a-mole style," he said, CMS decided to "really, really sensitize our employees" to the risk of compromising the most private information of Americans.

The agency handles medical and other personal data on more than 100 million people through Medicare, Medicaid, the Obamacare insurance marketplace and other programs.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Nelson, top management and the rest of the 6,000-person CMS workforce arranged a big conference call, where leadership introduced a new job, the "data guardian." Today, 27 volunteers hold this position -- one for each CMS component.

And 99 percent of the agency's staff does not click on links anymore. That's thanks to the data guardians, their champion CMS Administrator Andy Slavitt, and bimonthly spearphishing exercises, Nelson said.

"You need to get this sponsored from the top, if you are going to change the culture in an organization," he added. "This program is really designed to make the most use of not just our security people, but to make use of all of our employees."

Mental reflexes can be more crucial for outwitting a persistent attacker than automated defenses sometimes. There are tools for scanning email attachments, “but those links are really deadly," Nelson said.

In April of 2015, OPM discovered the monumental theft of records on personnel who had been screened to access classified information. That was around the time a number of health insurers realized their networks were under attack.

Reportedly, the OPM and health care hacks were the work of Chinese cyberspies who have been compiling a Rolodex of Americans. A heist of 78.8 million records at Blue Cross Blue Shield Anthem was detected that February, followed by intrusions at Premera and other BCBS companies.

In more recent months, financially-motivated crooks have barraged medical centers, like Hollywood Presbyterian Hospital, with malicious "ransomware" programs that encrypt data and trigger messages demanding money in exchange for a decryption code.

"We're basically feeling that we're very, very exposed and we need to address this and come up with a better way of protecting ourselves," Nelson said of his health care-focused agency.

"We've certainly had spearphishing, and we've certainly had very targeted attacks on CMS," he said of last summer’s incident.

That is where the data guardians come in.

The role of the guardians, according to an agency planning documents, is to "serve on the front-lines of their respective center/office as the stewards of CMS privacy and security policy."

Among other things, a guardian’s duties include training coworkers and contractors on security protocols, as well as ensuring they collect only a minimum amount of personal information on citizens.

During the all-hands-on-deck call last summer, employees were asked to imagine the aftermath of a hack on beneficiaries and users of the HealthCare.gov marketplace.

HealthCare.gov has reported suffering more than 300 breaches of personal data, but they were all caused by accidents like misdirected emails, not malicious actors, according to an April Government Accountability Office audit.

Today, at CMS, the default mindset is: Do not share personal information in email, if at all possible, Nelson said.

"You don't even want it exchanged in an encrypted manner through an email with a password that was given through a separate channel if it's not necessary," he said. "Because why risk it?”

Whatever the motive for robbing health care networks, the bounty is valuable. About $500 is the going price for one Medicare or Medicaid record on the Dark Web. It is estimated that health records sell for up to 10 times more than credit card numbers on the black market.

Data breaches are costing the medical industry an estimated $6.2 billion, according to a May 12 Ponemon Institute study on the privacy and security of health care data.

At CMS, the data guardians meet every two weeks to reduce the risk of such breaches.

The volunteers are briefed by agency executives on the latest threats, including ransomware, Nelson said. When the guardians initially took their posts, about 15 percent of the workforce was clicking on test phishing emails. There have been 27 phishing exercises since.

"When we get real phishing attacks now, everybody knows what to do with it," Nelson said. Questionable emails go to spam@hhs.gov.  

In April, Nelson was named a finalist for the annual U.S. Government Information Security Leadership Awards for his work on the CMS beneficiary data protection initiative.

As for that real attack last summer, the IT staff changed the stolen credentials and cleaned the infected devices immediately, he said.

“Now, we don't have to do that," Nelson said. "We’re not having that issue with people installing that on their laptops or giving up their credentials to real phishing attacks."