H-ISAC’s Chief Security Officer, Errol Weiss, was recently interviewed by Federal News Network

Article by Jory Heckman, March 3, 2020

While federal agencies guard against cyber attacks and fend off potential data breaches on a daily basis, they also work closely with industry partners on front-line threats and emerging trends.

The Department of Health and Human Services, for example, works alongside the Health Information Sharing and Analysis Center (H-ISAC) to keep tabs on the threat landscape for health IT.

Errol Weiss, the H-ISAC’s chief security officer, told Federal News Network the organization primarily exists to keep medical device manufacturers and health care providers – such as clinics and hospitals – apprised of known IT vulnerabilities.

“One of the main functions that the Health ISAC serves today with its members is to be that hub of information sharing … We’re able to take some of that pretty raw information that’s being shared and the other members’ comments and put together what I’ll call a final, polished narrative that we can share with the rest of the membership broadly,” Weiss said in an interview.

While Weiss acknowledged “some natural tensions” exist between the two factions of the H-ISAC membership – device manufacturers and health care providers – bringing those groups together proved essential in October 2019, when a security firm identified 11 zero-day vulnerabilities in third-party medical device software.

Those vulnerabilities, the Food and Drug Administration warned in a memo, could “allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

“There were challenges in terms of how to find those devices on your own network. And then, once you did find those, how you were going to secure those, tighten those down?” Weiss said.

The H-ISAC, however, brought together affected medical device manufacturers and health care organizations to issue recommendations and remediation plans to counter the zero-day vulnerability threats.

To remain vigilant against upcoming vulnerabilities, Weiss said the H-ISAC maintains a list of web pages with security contacts for medical device manufacturers.

“It’s sort of a convenient way for members to find the security web page for those particular medical device manufacturing firms. And when it comes to the responsible disclosure notification, [we] work with those organizations to gather the appropriate information, and make sure it’s distributed to the appropriate parties,” he said.

Prior to joining the H-ISAC in 2019, Weiss helped stand up the ISAC model for the financial services sector in 1999, and served as a board member for the Financial Services ISAC.

So when a manufacturer notifies customers about a vulnerability and a patch to remedy the problem, Weiss said the stakes can often be higher in the health IT world, compared to his experience with the financial sector.

“Sometimes we’re seeing in the media articles that, [with] a medical device, if a hacker had discovered that vulnerability and exploited it, it could have resulted in a negative impact to a patient, including death,” he said. “So there tends to be very sensationalized types of coverage when the manufacturer is trying to do the right thing and responsibly disclose the vulnerability and issue patches to that device.”

In that scenario, the H-ISAC works with manufacturers to ensure they’re prepared for the immediate response that follows when they disclose a vulnerability.

Read the full article here: https://federalnewsnetwork.com/combating-healthcare-data-breaches-with-intelligence/2020/03/h-isac-provides-polished-narrative-to-tackle-medical-device-cyber-gaps/