CISA Leader Puts Health Sector Project on the Level of Election Security Initiative

shutter_o/Shutterstock

A senior adviser brought in to boost the pandemic-driven effort says new materials are coming and stresses the importance of organizations acting on the agency’s advisories as part of their risk calculus.

With the presidential election underway, the head of the agency that describes itself as the nation’s risk adviser said protecting the health care sector as it comes under ransomware attacks during the public health crisis is right up there with safeguarding democracy.

“Seeing how much ransomware was affecting the public health sector, we could absorb within the system a hospital or two hospitals prior to COVID, but with COVID, you know, New York City could not lose any capacity at all in April or May,” CISA Director Christopher Krebs said. “We brought in a whole range of folks that are just allowing us to really jump start a new initiative that, as I look at it ... is as important as our election security initiative.”

Krebs spoke Tuesday during an event to observe Cybersecurity Awareness Month. He reiterated his confidence in the preparations his agency has been working to put in place over the last three and a half years, following Russia’s attempt to interfere with the 2016 election. 

“Our protect 2020 slogan is not something that we kicked off a month ago or even January of 2020,” he said. “We have a community where we can share information and make sure we’re on top of the latest threats.” 

Krebs added that he feels better about the election security initiative—working with partners in the intelligence community and state and local governments—than anything else he’s worked on as part of the government.    

He remains concerned, however, about the ability of the nation’s health care facilities to support a population especially in need of their services while suffering a barrage of debilitating cyberattacks.  

“The concept we’ve taken is that whether it was therapeutic development, vaccine development, patient care, [personal protective equipment], that we had to make sure that we were providing all the support we could and extending the umbrella, the overwatch over the public health sector,” he said.

CISA used hiring authorities provided by the CARES Act to bring in experts that have been pushing for better cybersecurity hygiene in the sector for years, particularly in relation to connected medical devices, which increase the attack surface and could cause physical harm if disrupted. One of those experts was Josh Corman. He founded IamtheCavalry.org, which empowers health care consumers to advocate for the safety of such devices and has pushed for their manufacturers to build them in ways that facilitate security fixes.

Corman participated in another event for cybersecurity awareness month last Thursday along with Jane Harper, senior director of information security risk management and business engagement at Eli Lilly and Company.

While CISA would like the industry to patch any vulnerabilities it alerts organizations to with haste, businesses’ risk management practices may push them to adhere to schedules designed to keep operations humming, creating some tension.

“As risk and security professionals, we have to be mindful that we are here to enable and protect the organization,” Harman said. “We have to be innovative, we have to figure out how to leverage technology and really just process so we don’t drag the business down or grind it to a halt. We have to be consistent. We can’t have these firefighting all the time patch management exercises. What you do is you wear your business partners down and they don’t want to see you, they don’t want to hear you come talk about patch management because it’s a problem, it’s work for them.” 

Corman was sympathetic to organizations needing to make tough choices with limited resources, but noted that the average time it takes an attacker to exploit a vulnerability from when it’s disclosed is down to single digit days. Sometimes they can exploit vulnerabilities within three or four days of them being discovered, he said, suggesting organizations need to be even faster in fixing them. 

He added that while more organizations are taking advantage of a free CISA offering that scans their perimeters for vulnerabilities, the agency has noticed a marked decline in patching diligence over the last few months.

“The need is more important than it ever has been and we want to cause and enable those hard risk management trade off decisions with you and your executive staff and we’re going to be increasingly publishing things now in light of...new attacks occurring in the U.S. in real time as we speak,” Corman said. “It’s really incredibly important that we patch at least the [vulnerabilities] that CISA and the government put their weight behind. There have been some very exploitable and actively exploited vulnerabilities and when we stick our head above the parapet, please pay attention because we’re trying to help you.”