While federal agencies guard against cyber attacks and fend off potential data breaches on a daily basis, they also work closely with industry partners to track front-line threats and emerging trends.
The Department of Health and Human Services, for example, works alongside the Health Information Sharing and Analysis Center (H-ISAC) to keep tabs on the threat landscape for health IT.
Errol Weiss, the H-ISAC’s chief security officer, told Federal News Network the organization primarily exists to keep medical device manufacturers and health care providers – such as clinics and hospitals – apprised of known IT vulnerabilities.
“One of the main functions that the Health ISAC serves today with its members is to be that hub of information sharing … We’re able to take some of that pretty raw information that’s being shared and the other members’ comments and put together what I’ll call a final, polished narrative that we can share with the rest of the membership broadly,” Weiss said in an interview.
While Weiss acknowledged “some natural tensions” exist between the two factions of the H-ISAC membership – device manufacturers and health care providers – bringing those groups together proved essential in October 2019, when a security firm identified 11 zero-day vulnerabilities in third-party medical device software.
Those vulnerabilities, the Food and Drug Administration warned in a memo, could “allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”
“There were challenges in terms of how to find those devices on your own network. And then, once you did find those, how you were going to secure those, tighten those down?” Weiss said.
The H-ISAC, however, brought together the affected medical device manufacturers and health care organizations to issue recommendations and remediation plans for those vulnerabilities.
To remain vigilant against upcoming vulnerabilities, Weiss said the H-ISAC maintains a list of web pages with security contacts for medical device manufacturers.
“It’s sort of a convenient way for members to find the security web page for those particular medical device manufacturing firms. And when it comes to the responsible disclosure notification, [we] work with those organizations to gather the appropriate information, and make sure it’s distributed to the appropriate parties,” he said.
Prior to joining the H-ISAC in 2019, Weiss helped stand up the ISAC model for the financial services sector in 1999, and served as a board member for the Financial Services ISAC.
So when a manufacturer notifies customers about a vulnerability and a patch to remedy the problem, Weiss said the stakes can often be higher in the health IT world, compared to his experience with the financial sector.
“Sometimes we’re seeing in the media articles that, [with] a medical device, if a hacker had discovered that vulnerability and exploited it, it could have resulted in a negative impact to a patient, including death,” he said. “So there tends to be very sensationalized types of coverage when the manufacturer is trying to do the right thing and responsibly disclose the vulnerability and issue patches to that device.”
In that scenario, the H-ISAC works with manufacturers to ensure they’re prepared for the immediate response that follows when they disclose a vulnerability.
While the rise of electronic health records could hold the key to delivering seamless patient care across health care providers – or even promote wider adoption of telehealth and remote diagnosis – Weiss said the health IT community first needs to address foundational concepts like identity management to ensure that only physicians and other authorized users have access to sensitive medical records.
“I know a lot of organizations are certainly dealing with the complexities of it. We don’t have a very interoperable way to authenticate people,” he said.
Challenges with authentication in health IT, he added, aren’t necessarily technology problems, but actually come down to people and processes.
“There is wonderful technology and hardware available today. We need to get agreement that this is going to be the way that we’re going to go, this is the standard that we’re going to use and this is the process that we’re shooting for,” Weiss said. “Do we get the government to regulate that? Do we get the private sector to jump in to offer solutions to that before it gets regulated? I don’t know which is the right way to go, but we’ve got the pieces of the puzzle we need. We just need somebody to help put all that together and make it available.”