In May 2015, the FBI hosted a classified video teleconference regarding prominent cyber breaches that had recently occurred in the healthcare sector. The teleconference was broadcast to all 56 FBI field offices, and healthcare sector partners in each office’s area of responsibility (AOR) were invited to attend. The Washington Field Office (WFO) charged its InfraGard coordinators, FBI Special Agents Amylynn Errera and Kara Sidener, to identify WFO’s partners and hosted approximately 25 individuals from a variety of healthcare-related entities in their office in Manassas, Va.
At the conclusion of the meeting, it was obvious to Errera and Sidener that the attendees hadn’t previously been in touch with each other – and clearly wanted to continue the conversation in order to share best practices, concerns, threat mitigation strategies and more.
Intermittently over the next year, Errera and Sidener hosted in-person meetings for the newly named Cyber Health Working Group (CHWG), inviting subject matter experts to speak to the group on a variety of relevant cyber/IT threats and issues. Recognizing the need to share real-time information regarding a continually evolving cyber threat landscape, Errera and Sidener realized intermittent, in-person meetings were not going to meet the needs of the group.
Errera, in one of her previous assignments in the FBI’s Cyber Division, had worked closely with the National Cyber Forensics and Training Alliance (NCFTA), a nonprofit partnership between industry and government for the sole purpose of providing a neutral, trusted environment for the two-way cooperation and collaboration to identify, mitigate, and disrupt cyber crime. While in the Cyber Division, Errera witnessed firsthand the benefit of real-time, two-way information-sharing between industry and the FBI that resulted in criminals being arrested, intelligence being shared and networks being better protected. Seeing that as a replicable model for the healthcare and IT sectors, Errera consulted with NCFTA to determine how best to facilitate a similar effort with the local group. NCFTA jumped at the opportunity to get into this space – the intersection of healthcare and IT – and offered to host a list server for the group to provide a forum for real-time sharing.
Errera and Sidener invited any InfraGard member across the country who met the group’s criteria (i.e., in an IT-related role in the healthcare sector with the ability to share threat information and intelligence) to join. The group launched on April 1, 2016, and, in short order, became very active – and NCFTA realized this might be too much for their entity to voluntarily support.
The InfraGard National Members Alliance, through board member Sam Khashman, CEO of Imagine Software, stepped in to support the technical infrastructure and take over function of the list server and a dedicated, secure portal for the group. Since late summer 2016, the CHWG has grown to more than 875 individuals from across the country. The group contains cyber practitioners in a variety of roles to include CISOs, CIOs, network administrators, cyber threat hunters, cyber engineers, cyber infrastructure architects, SOC analysts and more. In addition the group contains a wide-range of healthcare-related organizations and companies: from hospitals and insurance companies, to EHR and medical device companies, to academic and research institutions, the cross-sector representation is impressive.
In addition to the daily, real-time information sharing that occurs, the CHWG has a dedicated portal that archives the list server threads for easy searching, maintains a library of member submissions of best practices and other documents, and hosts a monthly webinar on a topic of interest (some very technical, others more “big picture” focused), which is also recorded and archived on the portal.
To date, the CHWG has contributed to numerous FBI-written intelligence products that have been shared with industry, government, and the U.S. intelligence community. Indicators of compromise and threat information have been shared with multiple FBI field offices, which have identified victim companies, enhanced ongoing investigations, and identified new points of contact for cyber agents and analysts across the country. In one instance, information shared on the CHWG list server actually prevented a company from falling victim to a known cyber actor.
It should be noted that the CHWG does not exist in a vacuum. Since its inception, Special Agents Errera and Sidener have queried the members to ensure the CHWG is not duplicating other similar efforts and, in fact, have regular communication with entities like the National Health Information Sharing and Analysis Center, the Health Information and Management Systems Society, HITRUST and the Department of Health and Human Services.
Anecdotally, the members have said things like this about the CHWG:
- “Very informative and I will be implementing a lot of things I have seen here. Great info.”
- “Excellent information being shared already and building out a folder for all of it as we speak. There is a huge need for this in our industry and truly appreciate those who have put this together.”
- “I would like to say that I am new to this group and have been very impressed with the information that has been shared thus far. Looking forward to more of the same and the opportunity to learn and share.”
- “Your working group is working!”
- “I appreciate this type of information instead. I suggested to my manager that if we showed more of this type of information to the board, maybe they would make sure that security resources were a priority.”
- “This is, without a doubt some of the most valuable intel I’ve gotten in years, please keep it coming.”
- “I just wanted to say thank you for all of the work that you’re doing to keep the Cyber Health group growing strong. I really appreciate the sense of community that I feel like we’re growing, which is something that I’ve noticed we’re lacking in healthcare, especially when compared to the financial services folks. So, huge thank you for everything that you’re doing!”
At the request of the members, the CHWG is hosting its first (and hopefully annual) Healthcare CyberGard conference Oct. 25-26 in Charlotte, N.C. Open to members and non-members alike, the agenda promises to have in-depth looks at medical device security, incident response, building a cybersecurity awareness program, authentication and identity, when to call the FBI, how to communicate with your board of directors and more. Find out more here.
Questions about the CHWG? Contact Special Agents Errera and Sidener at [email protected].
