HIMSSCast: What are hospitals' obligations for sharing cybersecurity info with the FBI?

HIMSSCast · 2026-06-12 · 20 min

Substance score

50 / 100

Five dimensions, 20 points each

  • Insight Density: 11 / 20
  • Originality: 8 / 20
  • Guest Caliber: 13 / 20
  • Specificity & Evidence: 10 / 20
  • Conversational Craft: 8 / 20

Amy Worley discusses hospitals' legal obligations and best practices for sharing cybersecurity threat intelligence with the FBI in response to the agency's April call for increased threat intelligence sharing. The conversation covers what information healthcare organizations can safely share under HIPAA and state privacy laws, the gap in federal guidance, and alternative channels like Health-ISAC for threat reporting.

Key takeaways

  • Hospitals can share technical indicators of compromise like IP addresses, attack tactics, and procedures with the FBI without violating HIPAA if they remove patient identifiers, but should establish internal guidelines ahead of time on what's safe to share.
  • The FBI typically treats healthcare organizations as cybercrime victims rather than regulatory enforcement targets, and has an unofficial policy of not enforcing HIPAA breaches, though this is not formally documented.
  • The May 2024 HIPAA Security Rule update makes previously ambiguous requirements mandatory, including MFA, encryption, and annual risk assessments, which will likely become a focus of OCR enforcement after security incidents.
  • Healthcare organizations should leverage existing threat intelligence resources like CISA, Health-ISAC, HC3, and OWASP rather than direct FBI communication when proactively sharing threat data outside of active incidents.
  • Hospital security, privacy, legal, and marketing teams should collaboratively develop a document specifying what threat data will be shared while considering both HIPAA and the 21 state privacy laws that may apply to non-PHI personal information.
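One way to operationalize the first and last takeaways, as an added example that is not code from the episode, from BRG or from HIMSS: a small Python tool that turns web-server log lines into indicator records with patient identifiers stripped, and refuses to emit any record that still carries one. The log format (Apache/nginx combined), the identifier patterns, the sensitive query-parameter names and the sample log lines are all assumptions constructed for this example; the point is that the "what we share" list is written down and enforced in code before an agent or an ISAC asks for it.

```python
"""Build a shareable IOC record set from web-server log lines after
removing patient identifiers.

Added example, not code from the episode, from BRG or from HIMSS. The log
format (Apache/nginx combined), the identifier patterns and the list of
sensitive query parameters are assumptions; a real program replaces them
with the list its privacy, security and legal teams agreed on in advance.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Combined log format: client IP, identity, user, timestamp, request line,
# status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed identifier patterns that can appear in a URL path (constructed).
PATH_PATTERNS = [
    ('MRN', re.compile(r'MRN-?\d{6,}', re.I), 'MRN-[REDACTED]'),
    ('ENCOUNTER', re.compile(r'ENC-?\d{6,}', re.I), 'ENC-[REDACTED]'),
    ('SSN', re.compile(r'\b\d{3}-\d{2}-\d{4}\b'), '[SSN-REDACTED]'),
]
# Assumed query parameters whose values are treated as identifiers.
SENSITIVE_PARAMS = {'name', 'patient', 'dob', 'ssn', 'mrn', 'diagnosis'}
REDACTED = '[REDACTED]'


def redact_target(target):
    """Redact identifiers in the path and query of a request target while
    keeping the parts that carry the indicator (odd paths, traversal, ...)."""
    parts = urlsplit(target)
    path = parts.path
    for _, pattern, replacement in PATH_PATTERNS:
        path = pattern.sub(replacement, path)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe='[]' keeps the redaction marker readable instead of %5B...%5D
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(query, safe='[]'), parts.fragment))


def residual_identifiers(target):
    """Names of identifier patterns still present in a target; used as the
    final gate so nothing leaves the building by accident."""
    parts = urlsplit(target)
    found = [name for name, pattern, _ in PATH_PATTERNS if pattern.search(parts.path)]
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS and v != REDACTED:
            found.append('PARAM:' + k.lower())
    return found


def build_share_records(log_text):
    """Parse log lines into IOC records with identifiers removed.

    Returns (records, dropped): records is the list safe to share;
    dropped counts lines that failed to parse or still held an identifier."""
    records, dropped = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            dropped += 1
            continue
        target = redact_target(m['target'])
        if residual_identifiers(target):
            dropped += 1
            continue
        records.append({
            'src_ip': m['ip'],
            'timestamp': m['ts'],
            'method': m['method'],
            'target': target,
            'status': int(m['status']),
            'user_agent': m['ua'],
        })
    return records, dropped


def source_ips(records):
    """Sorted, de-duplicated source addresses: the IOC list itself."""
    return sorted({r['src_ip'] for r in records})


# Constructed sample log lines (not from any real system); the first two
# show a patient identifier and a name leaking into the URL.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Jun/2026:03:14:07 +0000] "GET /portal/patient/MRN-00482913/results?name=Jane%20Doe HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.45 - - [12/Jun/2026:03:14:09 +0000] "GET /portal/patient/MRN-00482913/../../etc/passwd HTTP/1.1" 403 312 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jun/2026:03:15:01 +0000] "POST /api/login HTTP/1.1" 401 88 "-" "python-requests/2.31"
"""

if __name__ == '__main__':
    recs, dropped = build_share_records(SAMPLE_LOG)
    for r in recs:
        print(r['src_ip'], r['method'], r['target'], r['status'])
    print('source IPs:', source_ips(recs), 'dropped:', dropped)
```

Run it with `python3` and the three sample lines come out with the MRN and the `name` parameter replaced but the traversal attempt, the source addresses, status codes and user agents intact, which is the material an investigator actually needs. The design choice worth copying is the separate gate in `residual_identifiers`: redaction is a best effort against known patterns, so the record is dropped, not shared, whenever anything still matches, and the dropped count tells the team that the log configuration itself needs attention.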

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

11 / 20

The episode contains a handful of genuinely useful practitioner points - such as the FBI's unofficial victim-framing of hospitals, the narrow scope of HIPAA's law enforcement exception, and the risk of PHI leaking through logged URLs - but these are interspersed with extended platitudes and generic calls for 'all hands on deck.' The signal-to-noise ratio is moderate at best.

in practice, when the FBI is working with a healthcare organization, um, their position is typically to view the healthcare organization, uh, that's been impacted by an event as the victim of a cybercrime
there is a HIPAA exception, um, for uses and disclosures for law enforcement in some cases, but you still have to apply the minimum necessary rule

Originality

8 / 20

The framing around proactive FBI intelligence-sharing being a departure from the norm is mildly interesting, and the observation that OCR could cross-reference CISA advisories against a hospital's risk assessments is a useful nuance, but the bulk of the advice (use Health-ISAC, strip PHI before sharing, consult your CISO) is standard compliance boilerplate.

I could see the OCR saying, you know, hey, this was reported by CISA. This was reported by Health-ISAC. I'm not seeing it in your risk assessment. Why not?
This affirmative call to get in front is a bit more aggressive language than we're used to hearing from the FBI

Guest Caliber

13 / 20

Amy Worley is a genuine practitioner - a working DPO and breach-response attorney who has actually advised hospitals through cyber incidents - which puts her a notch above pure thought-leaders. However, she is a mid-market consultant rather than, say, a sitting CISO of a large health system or a former FBI cyber official, so her operational credibility is solid but not exceptional.

my practice when working a cyber incident is to encourage that the client share with the FBI
I have never seen the FBI do it. They typically work with a hospital as if they're a victim

Specificity & Evidence

10 / 20

The episode names specific frameworks (MITRE ATT&CK, OWASP, Health-ISAC, CISA, HC3) and gives a concrete number (21 state privacy laws), and usefully distinguishes IOCs from TTPs. However, there are no case studies with named organizations, no dollar-value breach data, no breach timelines, and no empirical evidence cited for the healthcare attack-rate claim - leaving the specificity firmly mid-tier.

share their, you know, your, your MITRE ATT&CK TTPs
21 of them

Conversational Craft

8 / 20

The host asks competent framing questions and one decent follow-up ('have you ever worked with a client that's faced a situation similar to this?'), and he usefully pivots to the HIPAA Security Rule update. But there is zero pushback on any claim, and the episode closes with uncritical validation ('great stuff,' 'terrific, informative conversation'), signalling a PR-friendly format rather than a substantive interrogation.

Have you ever worked with a client that's faced a situation similar to this?
This is a bit off topic perhaps, but while I have you here, I might as well ask

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker A: 73%
  • Speaker B: 27%

Filler words

  • um: 90
  • so: 32
  • you know: 31
  • uh: 24
  • like: 15
  • right: 7
  • kind of: 6
  • I mean: 4
  • actually: 3
  • sort of: 2
  • er: 1
  • obviously: 1

Episode notes

The Bureau is asking health systems to share threat intelligence and indicators of compromise to help prevent attacks. But doing so the wrong way could run afoul of HIPAA or state privacy laws.

Full transcript

Transcribed and scored by The B2B Podcast Index.

Speaker A: We should be sharing malicious IP addresses. We should be talking about specific attack vectors.

Speaker B: Hello, everyone, and welcome to HIMSSCast. My name is Mike Milliard. I'm executive editor of Healthcare IT News, a HIMSS media publication. With me this week is Amy Worley, Managing Director and Data Protection Officer at BRG and leader of its Privacy and Information Compliance practice group. Amy is the author of the book The Confidence Optimizing Privacy, Cybersecurity, and AI Governance for Growth. And she works directly with healthcare organizations on issues such as breach response and data governance. Amy, thanks for being here.

Speaker A: Hey, Mike, thanks for having me.

Speaker B: It's great to meet you.

Speaker A: Likewise.

Speaker B: So a top official at the FBI, uh, in April, uh, told some hospital executives that they should increase threat intelligence sharing with the Bureau in order to, quote, go on offense and disrupt the ecosystem that allows perpetrators to exist. Um, I write a lot about cyber security. Um, you know, we're used to FBI issuing warnings to hospitals about this or that hacker group or a new strain of ransomware, but it's not often that they urge private sector organizations to kind of join them and quote, unquote, go, go on offense. What are your thoughts as a privacy attorney on the FBI's calls for hospitals to join them in that battle? And are there pros and cons?

Speaker A: Yeah. So I think it's interesting. I have some sympathy to the FBI's position here. Um, healthcare is a sector that's being attacked at a higher rate, um, than most other sectors. Um, the damage economically and frankly to patient privacy is, is big. So I understand what's motivating the FBI's request. I agree, though, that, um, healthcare organizations really need to be careful in thinking about how can we support law enforcement attempts to get in front of and reduce cybersecurity threats facing the healthcare sector. And also how do we make sure that in doing that, we're still maintaining patient privacy, privacy, employee privacy. So it's balancing, um, and I think there are ways to do both. But I also wanted to agree with sort of what I think was implied in your question. This is new. Normally, the FBI is sometimes contacted after a cyber incident to help investigate and to help in breach response. Um, this affirmative call to get in front is a bit more aggressive language than we're used to hearing from the FBI.

Speaker B: Yeah, you know, at Healthcare IT News, we've written often about the kind of value of threat intelligence in general, you know, and sharing, you know, this or that, you know, tip that could help, um, you know, stave off an attack, uh, one way or the other. But it's interesting to hear this. You know, the call for hospitals to kind of share directly with the Feds is doing so potentially in tension with HIPAA or other privacy laws.

Speaker A: It really depends on how you do it. So what. What I like to see in a really mature program is some guidelines on what you share to make sure that what you're sharing is really related to threat intelligence and doesn't slide into something that could be considered PHI. So, um, without to give you the acronym soup, you know, IOCs, TTPs, it's. It's one thing to share indicators of compromise, IOCs or, um, tactics. Um, procedures. I just lost the second T. Sorry, it's the end of my day. Um, um, and those should be things like IP address, um, the tactics that the threat actor used, um, the procedures that they followed, like, was there lateral movement, et cetera. All of that can be shared in most cases without disclosing things like patient identifiers, patient names, encounter IDs, et cetera. But the reason I say you kind of want to have some guidance like this in place ahead of time is to make sure that everybody along this communication chain understands what's okay to share and what might be problematic to share.

Speaker B: But as of this moment, there's no such clarity.

Speaker A: Uh, it would have to be internally generated. That's right. It would be something that, um, you know, that the, that the security operations center or the IT security team puts together, um, as an internal document. But no, there's no federal guidance on if you share this, you're safe. And if you don't share this, you know, it's. It's not that clear.

Speaker B: Uh, have you ever worked with a client that's faced a situation similar to this? I know it's a new scenario, but have you worked in analogous situations perhaps?

Speaker A: Yes and no. Uh, mostly. Uh, generally, my practice when working a cyber incident is to encourage that the client share with the FBI. Um, but when doing that, I'm very specific. We should be sharing malicious IP addresses. We should be talking about specific attack vectors, um, and should not necessarily be sharing information that would fall within the realm of protected health information under HIPAA. Um, I haven't seen a situation where, in the absence of an attack, uh, a healthcare organization says this is the type of threat activity that we're seeing. Um, there are other vehicles available to do that that are not like, direct communication with the FBI. Um, you know, you can, um, for example, go through like, Health-ISAC, Health-ISAC. Um, and that is, frankly, more what I would expect, um, and share their, you know, your, your MITRE ATT&CK TTPs.

Speaker B: Yes, I think that makes sense. And I was going to ask you about Health-ISAC. Um, you know, there's a lot of organizations out there that might be able to help health systems put some of this stuff in perspective perhaps. I mean, I know AHA has a lot of resources. Uh, HC3 at HHS perhaps, or you know, CISA, of course. Um, you know, there's a lot of resources out there and I think some providers may not always be aware of them or may not avail themselves of some of the literature and guidance that they offer. So, I mean, that's probably a good place to start, would you say?

Speaker A: Absolutely. Um, all of those organizations are excellent resources. I also point people to OWASP, um, but in the healthcare space specifically, um, I think as far as threat intelligence goes, that's kind of the all-star team. Um, one thing I do want to point out about the FBI specifically. Um, so in practice, um, and unfortunately there's not like a public document that I'm aware of that states that this is the FBI's policy. But in practice, when the FBI is working with a healthcare organization, um, their position is typically to view the healthcare organization, uh, that's been impacted by an event as the victim of a cybercrime.

Speaker B: Right.

Speaker A: And they don't typically consider themselves part of regulatory enforcement. So if the hospital, um, has an incident, you know, they may have a HIPAA obligation to report under the HIPAA Data Breach Reporting Rule. Um, or, you know, they may have a situation where, where a vendor or patient or someone else reports them. In my experience, I have never seen the FBI do it. They typically work with a hospital as if they're a victim. Unfortunately, that's an unofficial and observed position. Um, it's not one, at least that I'm aware of, that you could, you know, actually enforce against should the agency decide. Should the FBI decide to change tack. Although, ah, to be very clear, I don't see any evidence that they are doing so.

Speaker B: Right, yes. Yeah, I think that's very to say, um, you know, so back to the point that there's no, you know, definition in place at the moment of what should be shared and what's okay and what's, you know, what questions should health systems perhaps be asking themselves if they were to get a knock on the door from a special agent, you know, asking for, for this or that, you know, these are questions they should probably start thinking about now, I'm saying.

Speaker A: Right, exactly, exactly. Ideally, um, they would be preparing a document that says, we will share these tactics, we will share these techniques and sub-techniques. Um, we will share these threats and it will be technical data that has any patient identifiers removed. Um, we worry about things like, um, a URL that could have a patient identifier in it or a URL that could have a patient name or condition. Especially if you're talking about, um, a threat to an electronic health record or other hospital system. And you can share those log files, um, and perhaps anonymize or de-identify, um, the patient information. Now, there is a HIPAA exception, um, for uses and disclosures for law enforcement in some cases, but you still have to apply the minimum necessary rule. Um, and I have seen some hospitals kind of get a little bit out over their skis relying on, oh, HIPAA doesn't apply because there's this law enforcement exception. Um, and I just want it to be understood that that's a narrow exception and even when it is available, the minimum necessary rule still applies. And so we really want to be deciding ahead of time what we're sharing. And again, IP addresses, log files. And if the log files don't contain any of this information, great. If they do, maybe look at how your log files are configured and see is that information that we actually need to capture in a way that could be considered PHI, or could we log it in another equally effective way that doesn't include PHI? Um, if you have a URL that could disclose PHI, that's generally not a best practice. Um, and so I would say let's look at that, um, and see. Also, is there a way that we could describe this without, if it's, um, an issue that still needs to be fixed? Is there a way that we could describe the threat activity to the FBI or to law enforcement without disclosing the sensitive patient information involved?

Speaker B: We've, uh, been talking a lot about HIPAA, but there's, let's not forget, a whole lot of state laws out there.

Speaker A: Some, uh, of which 21 of them.

Speaker B: Yeah, uh, and some of them are more stringent, in fact. Um, so that's something to consider as well.

Speaker A: Absolutely. So, um, one thing I will say is where HIPAA applies, so where you're talking about PHI, then the state laws generally do not apply. But that still leaves a gap of information where it's not, it's information about people that is not related to, um, providing healthcare services, um, or is not otherwise covered under the HIPAA rule. And this looks like marketing information, like website marketing information. It can include hits on patient education sites. It can also in some states include employee information or information about the healthcare providers themselves. And so, um, if it is covered by HIPAA, then HIPAA is the rule that you pay attention to. But there is plenty of personal information contained in a hospital environment that is not covered by, by HIPAA and that, depending on where the hospital is located, may in fact be covered by one of the 21 state, um, privacy rules.

Speaker B: Okay, so you know, what else, uh, you know, who should be involved, uh, perhaps in putting together this document in absence of concrete guidance from the feds. I mean, obviously, you know, Chief Privacy Officer or the legal team or, you know, CISA, uh, I mean, the CISO, um, people like that, who else?

Speaker A: That would be my dream team. Right. So I want my security official, my privacy official, um, somebody from legal, also, um, if you have a lot of web properties that might not necessarily be the security official's main focus, I might want somebody from marketing, um, to at least be a part of that so that this non-PHI personal information is clearly understood to be a part of, of, um, the attack surface and a part of the discussions. And then I, um, think that using these resources that we discussed, um, CISA and others, they have sort of standard ways that they disclose threat activity. And you can look at the way that they do those disclosures as a good model. Um, you're rarely going to see one of these threat intelligence agencies say, okay, you need to turn on this control. You must configure your servers in this way. Instead they describe what the threat looks like and how the threat typically appears and allow the business to make those specific determination, allow the hospital to make those specific determinations on its own. The same thing is true for threat reporting out. You want to give enough information about threat actors, indicators of compromise and techniques to help inform threat so that law enforcement can take preventative measures, um, can work with CISA, um, to make sure that these are getting reported out across the healthcare environment. Um, but there's no need to get into the weeds of everything that's going on on your incident response.

Speaker B: This is a bit off topic perhaps, but while I have you here, I might as well ask. Uh, we're speaking at the tail end of April. Uh, in May, we're expecting an update to the HIPAA security rule. Um, do you have any thoughts, um, about what might be in there and what organizations should be taking, you know, what steps organizations should be taking maybe to get ready for that?

Speaker A: Yeah, so I will say I'm a big fan. Um, so in large part what it does is take some of the ambiguity out of the old Security Rule, things that were considered addressable and make it clear that they're mandatory: MFA, encryption. Those sorts of things that um, have been a part of the guidance and many of us have understood them to be required to comply with the rule. But you could read the rule in such a way as they were not required. I like the fact that it's reducing some of the ambiguity and making some of the best practices, you know, password requirements, multi-factor authentication, encryption at rest, making that all very clear. The other part that may be new for some organizations is the requirements for risk assessments. Um, I would argue that those were already required under the old Security Rule, but it wasn't clear how often they needed to be done and for what. And now it is, they need to be done annually or anytime there's a material change to a system containing PHI. And so I think we're going to see um, as a part of enforcement after IT security incidents. OCR asking to see, let me see your risk assessments, let me see, um, did you consider these types of risks in designing your information security program? And so they've already done that in the past, but there was less specificity about what is required. And so I definitely recommend that the security officials for organizations sit down and spend some time with the rule. It's actually very readable for a regulation, um, and then start thinking about how to operationalize those risk assessment processes. There's a real focus on accountability, you know, um, the organ who's accountable for accepting risks and for documenting the mitigating measures that you've taken to reduce them. And I do think we're going to see that as a big focus of enforcement, um, after incidents.

Speaker B: All right, uh, in closing, maybe one more go round on this FBI intelligence sharing. Any closing thoughts or anything I haven't asked you that you think is important for providers to know as some of this stuff comes into focus, because we know that the security threats are not going to go away, uh, anytime soon.

Speaker A: Um, yeah, and I really think we need an all hands on deck approach to make sure that everyone is armed with information about what types of threats are out there. And so as I mentioned at the top, I'm sympathetic to the FBI trying to encourage information sharing, um, so that we're not seeing the same attack be successful over and over and over again. And I think the path forward is making sure that um, when you choose to share information with the FBI that you're doing so in this way that we've talked about that takes into consideration and balances the requirements in the various privacy rules. Um, and I also think hospitals should take advantage of CISA, of HHS, HC3, of, uh, Health-ISAC, um, to stay on top of the reporting that these services provide. Um, they really can help you, um, in planning your defenses. And in thinking about these new Security Rule risk assessments, I think I could see the OCR saying, you know, hey, this was reported by CISA. This was reported by Health-ISAC. I'm not seeing it in your risk assessment. Why not? Um, and so a more holistic approach to both providing information on threat intelligence and incorporating it into your risk assessments is going to be a combined way that we can try to put a dent in this really awful environment of threat, um, actors focusing on the healthcare industry specifically.

Speaker B: All right, this is great stuff. Uh, thank you so much, Amy, for your insights. Uh, this is really, um, terrific, informative conversation. Uh, thanks, of course, to the audience for joining us today. Just a reminder that if you like what you hear, please subscribe to HIMSSCast on Apple Podcasts, Spotify or Amazon Music. Thanks again, Amy.

Speaker A: Awesome. Thank you, Mike.
