The CyberPHIx Roundup: Industry News & Trends, 5/26/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this special episode, our host Brian Selfridge provides a rundown of the presidential executive order, Improving the Nation’s Cybersecurity, signed by President Biden in May. Also covered is the executive order, America's Supply Chains, signed in February of this year.

Improving the Nation's Cybersecurity is the second and most comprehensive of the two executive orders issued by President Biden on cybersecurity topics this year. Brian provides a summary of both orders and discusses the implications for healthcare entities.

Analysis is provided for key topics from the executive order including:

  • Enabling the sharing of threat intelligence and protection mechanisms
  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • The establishment of a cyber safety review board
  • Standardizing the federal government’s playbook for responding to cybersecurity incidents and vulnerabilities
  • Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
  • Improving the federal government's investigative and remediation capabilities
  • National security systems requirements

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:10] Good day. Welcome to the CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. We have a very special edition of the CyberPHIx today, wherein I will be giving you a rundown of the executive order signed by President Biden this May. The executive order is titled Improving the Nation's Cybersecurity and is the second and most comprehensive of the two executive orders that were issued by President Biden on cybersecurity topics this year. We'll provide a summary of the order and discuss some of the implications for health care entities in particular. Of course, we always talk about health care here, so let's dive into it.

Brian Selfridge: [00:00:53] President Biden issued this second executive order for the year, called Improving the Nation's Cybersecurity, and it covers a wide range of topics. We're going to go through all of the sections. There are 11 sections in the document. There's a handful that are more pertinent to health care than others, so I'm going to spend a little more time on those. So I'll begin with the preamble for the executive order, which is in Section one of the order, and I think that does a pretty good job of summing up the purpose of this directive. So I'll start the quote: "The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people's security and privacy.

Brian Selfridge: [00:01:29] The federal government must improve its efforts to identify, deter, protect against, detect and respond to these actions and actors. The federal government must also carefully examine what occurred during any major cyber incident and apply lessons learned. But cybersecurity requires more than government action. Protecting the nation from malicious cyber actors requires the federal government to partner with the private sector." That's us. Thank you. "The private sector must adapt to the continuously changing threat environment, ensure its products are built to operate securely and partner with the federal government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is and to the consequences we will incur if that trust is misplaced." End quote. So there's a lot to that, but I think that covers the gist of what we're going to talk about today, I think certainly the purpose. So health care has been consistently designated as one of the nation's critical infrastructure industries, and this executive order applies across industries and specifically to government owned and managed entities and departments and agencies. But in many ways, it's tailored to address the needs of health care and the cyber attacks like ransomware and supply chain attacks that have plagued our industry these past couple of years. So that's all Section one is, more so the preamble, the overview. Section two of the order is all about enabling the sharing of threat intelligence and protection mechanisms.

Brian Selfridge: [00:02:53] You may have noticed in our CyberPHIx updates the last year or two that there's been joint reporting of cyber threats and alerts and guidance from the FBI, the CIA and the intelligence community generally for events like the large scale ransomware and supply chain attacks that we saw late last year and this year. Of course, it is no accident that we're seeing that joint reporting, as the government's really been working hard to share intel and coordinate communications across federal sectors, as well as with the private sector, in an organized way. So that's really what Section two of this executive order is all about, kind of continuing that movement. The section provides requirements for the Office of Management and Budget, or OMB, which is essentially the procurement arm for the federal government, and it requires contracts with suppliers to include requirements for sharing threat intelligence from those service providers, and that those service providers must collect and preserve and share such data and support investigations as they arise. So that's sort of one element of this. The sharing of threat intelligence across agencies will most certainly be a welcome practice for health care entities, as the quality and timeliness of the alerts that we're getting and the guidance that comes out from these entities like CISA and Homeland Security have been improving already in the last six months, eight months, nine months.

Brian Selfridge: [00:04:25] And since these practices have really begun in earnest, we expect to see that continue with this executive order. For example, the specific technical exploits that we saw come out of the Russian ransomware attacks that were happening recently: there was an advisory released that gave specific details about those exploits, what are the technologies in play, which systems need to be patched, down to very, very granular detail. I think that is really a game changer, to get not only that level of depth of intelligence, but timely, as the attacks are happening, so we can make those changes. And if you want to learn more about those, you can check out our prior CyberPHIx episodes where I walk through those specific exploits in detail. And we also have a recorded webinar on ransomware from last month on MeditologyServices.com, where I give an overview of those as well. So I don't want to leave you hanging on those, just citing them, but you can check those out for more detail. So that's Section two. Section three of the president's executive order for improving cybersecurity is all about modernizing the federal government's cybersecurity program. The recent supply chain and ransomware attacks have exposed some lax security practices and postures from some departments and agencies within and around the federal government.

Brian Selfridge: [00:05:39] So this is really about tuning those up and getting to a place where you have better consistency in cybersecurity protections across the federal government. So, citing an increasingly sophisticated cyber threat environment, Section three of the order states that the federal government must take decisive steps to modernize its approach to cybersecurity, including by increasing the federal government's visibility into threats while protecting privacy and civil liberties. The federal government must adopt security best practices, advance toward zero trust architecture, accelerate movement to secure cloud services, including software as a service, infrastructure as a service and platform as a service, or cloud stuff in general, centralize and streamline access to cybersecurity data and drive analytics for identifying and managing cybersecurity risks, and then finally invest in both technology and personnel to match these modernization goals. So a lot, a lot of very ambitious stuff. And I think one thing that's interesting to note about Section three is that they also issue a mandate that within 180 days of signing this order, agencies must adopt multifactor authentication. There are also some requirements for agencies to conduct coordinated incident response exercises as well. So that's relatively new, all within a 180 day timeframe. Now, looking at Section four of the directive, it provides sweeping updates to supply chain risk requirements. Now, this is a critical area. This is one that I'll spend a little more time on, because I think this is really important for health care, given the volume of vendors we deal with.

Brian Selfridge: [00:07:08] The recent high profile supply chain attacks have heightened the awareness of third party vendor risk, cybersecurity and privacy in health care and our dependency on them. I think we've always sort of known that, but it's getting critical now. Both patient safety and operations are impacted, all those things. So this particular section is called Enhancing Software Supply Chain Security. And it says the security of software used by the federal government is vital to the federal government's ability to perform its critical functions. Same as health care, right? The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack and adequate controls to prevent tampering by malicious actors. So it's really kind of written around that SolarWinds type of situation, right? There's a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, the order states, and they use this term "critical software" that I'll put in quotes, which is really where they're of particular concern, the order says. So that's, you know, the understanding that you have to prioritize certain types of vendors and products over others as critical. And it says the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. So some of the key provisions of Section four of the order. I'm going to give a rundown, because I think these are all really, really important and also kind of guideposts for health care.

Brian Selfridge: [00:08:35] Third party risk management programs and supply chain risk programs going forward. So the first piece is identifying existing or developing new standards, tools and best practices to evaluate software security, including the criteria. So we may be able to take this work product that the federal government puts together and apply the standards that come out to our own software and third party vetting processes, so they'll have to develop new standards or cobble together existing ones. And then there's actually a requirement in the order to publish guidance for secure software development environments. So that whole SDLC security model, which includes making sure that the SDLC process includes separate build environments for administrative production and production environments, auditing trust relationships, establishing multifactor. There's multifactor again. We're going to hear that a couple of times in the executive order. Risk based authentication, employing encryption of data. OK, kind of saw that one coming. And monitoring operations and alerts and responding to attempted and actual cyber incidents. That's audit, logging and monitoring 101. And we'll talk later about the section in this executive order that provides requirements for audit, logging and monitoring more broadly, outside of just software development and third party tools. This third party risk, sort of supply chain, aspect of this order also goes on to require the employment of automated tools or comparable processes to maintain trusted source code for supply chain software and to check for known and potential vulnerabilities.

Brian Selfridge: [00:10:07] So vulnerability scanning, patching and remediation, and remediating them. It says they want to make sure we maintain up to date data and software code components so we know where the code has come from. And I think that sort of, between the lines, speaks to a lot of these third party breaches where third party developers are taking chunks of pre-canned code, just blocks of code, and bringing it into functions from the Internet. And the malware folks are kind of just saying, hey, here's all this great code we're going to write for you for free. But then they've embedded back doors and malware into those. So I think that's what that's speaking to. And then a huge requirement that I think is going to be a game changer here in this section is around requiring a software bill of materials, or SBOM. And if you're not too familiar with that, we actually did a podcast where I interviewed Susan Ramonat, and I've done a couple of others where we talk about medical device and IoT security. This topic of software bill of materials is really, really important because it's the way in which software and product providers, could be medical devices, could be other things, have to provide a consistent listing of what is this system running on? What's the operating system, what's the security capabilities, just what is this thing? So we don't have to dig that up every time and we can compare apples to apples.

Brian Selfridge: [00:11:27] And that's just one of the things that the software bill of materials does for us. That whole idea and initiative is something that the industry's been working on, and this executive order requires third party vendors to provide that, and on a consistent basis. So that's going to help drive the industry to be able to produce those. And then, of course, for our own selfish purposes, we will gladly take that information and apply it to our medical device, IoT and third party risk programs as well. There are a number of other third party risk provisions in this section around vulnerability disclosure, around the definition of critical software, we talked about that earlier, as well as information for the government purchasing decisions to incorporate compliance with supply chain risk requirements into the contracting and selection process. So that's great, very much like our own procurement processes that we should all be doing. And some product labeling they're talking about, which would indicate the security capabilities of IoT devices and software development best practices. So that's a lot there, and that's why we spent a lot of time in that section. But I think third party risk and supply chain risk are going to be the core of what we do in the next five to 10 years.

Brian Selfridge: [00:12:38] And this executive order gets us a step in the right direction. It's also worth noting that this section of the executive order is a follow on set of requirements to President Biden's companion executive order, which was issued in February. So he issued one in February, one in May, and the one in February was all about supply chain only, so I'll just give you a quick hint of what that was all about, because I think that's also pertinent here. So President Biden issued a supply chain executive order in February called America's Supply Chains, and it states that the United States needs resilient, diverse and secure supply chains to ensure economic prosperity and national security. And this one was very much a direct response to SolarWinds, the Microsoft attacks and other supply chain attacks that have threatened our national security. So that executive order highlights cyber attacks in particular and calls for renewing the National Security Council system. It mandates that government entities must conduct supply chain risk assessments in the next 100 days across several departments, including Commerce, Energy, Defense, Agriculture and Health and Human Services, our favorite. And the Department of Health and Human Services assessment in particular is required to focus on the risks to the pharmaceutical supply chain, given the COVID vaccine development and distribution that is going on at present and will continue throughout this year for sure. So there's a lot of requirements around conducting a risk assessment. And, you know, for me and here at Meditology, we think this is a long overdue response from the federal government to these attacks that we've been seeing.

Brian Selfridge: [00:14:07] And I think, again, the one-two punch of the executive orders here will allow us to really keep focus on this arena, take some of the work product that comes out of this, and apply it to health care, as well as to the supporting infrastructure and vendors. So if the federal government is pushing this hard on supply chain requirements and risks, we know that's going to push the vendors that want to play in the federal space, which is all of them. You know, frankly, everybody wants to be able to sell to the federal government agencies. So pushing them to tighten up their security commitments will benefit us in the health care setting as a downstream impact. All right. That's enough about Section four.

Brian Selfridge: [00:14:45] Let's talk about Section five, which requires the establishment of a Cyber Safety Review Board. The board shall, within 90 days of the board's establishment, provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices as outlined, yada, yada, yada, elsewhere in this document. This basically provides a governance and oversight function across agencies for cybersecurity, to coordinate the cybersecurity program overall, much like you would see in any of our large scale health care organizations or large organizations that have multiple locations, business units, high degrees of complexity. Having that board oversight and governance model is critical to making sure security is applied consistently across those.

Brian Selfridge: [00:15:30] So I think this is a great step forward and certainly some of that's happening already. But I think this this helps it take it to the next level of maturity.

Brian Selfridge: [00:15:38] Section six of the directive is all about standardizing the federal government's playbook for responding to cybersecurity incidents and vulnerabilities. It says the playbook must incorporate NIST guidance and include relevant agencies like NSA, CISA and the FBI. So I would love to see those incident response playbooks. If we can get a look at those, if they become public, we can steal some best practices from those as well.

Brian Selfridge: [00:16:02] And then Section seven is called Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks. So this section requires the deployment of what they call endpoint detection and response capabilities, and requires the use of that data for coordinated threat intelligence and response. So this is kind of the big honeypot of collecting vulnerability and incident data. And by having every agency have not only protection mechanisms but detection and listening capabilities for what type of attacks are happening, and be able to report and coordinate that, is going to provide, given the footprint of the federal government, a really good real-time sense of the attacks that are going on and be able to provide more timely alerts, more timely protections, all those things, as it requires coordinating that information more efficiently.

Brian Selfridge: [00:16:53] Section eight, and we're almost done here, just two more sections, is titled Improving the Federal Government's Investigative and Remediation Capabilities, which is basically an initiative around log aggregation and monitoring, if I had to sort of sum it up: making sure we collect the right logs, that we aggregate them, that we can do analysis, that they can be shared and reviewed for incidents and detection and response activities. As you might expect, again, classic cybersecurity domain. But the challenge is the scale here and applying it across the board, across agencies, and that's really what this is all about.

Brian Selfridge: [00:17:26] Section nine is called National Security Systems, and discusses a requirement for assets deemed, quote unquote, national security systems to provide protections equivalent to or exceeding those provided in this executive order. So basically, they're saying there's a special category of systems that are super secret, super important, and you darn well better at least meet the requirements of this executive order, in addition to, you know, above and beyond requirements for something that would be of sort of national security level sensitivity. So that doesn't surprise me much. It's good that they're calling that out. I would hope that they would have some additional threshold for critical systems. But this, I guess, puts that front and center. The final sections of the executive order, Sections 10 and 11, have some things like definitions of terms, for which I will spare you, dear listener, from having to read out the different definitions.

Brian Selfridge: [00:18:20] You can check it out if you want to, but that is the extent of the order. In a nutshell, you can read the whole thing in the Federal Register, you can search for it and you can read through it, or you can reach out to me and I will get it to you. Whatever is easier for you.

Brian Selfridge: [00:18:34] That's all for this special episode of the CyberPHIx, where we walked through each of the major sections of President Biden's executive order for improving the nation's cybersecurity, and we talked about another executive order, America's Supply Chains, as well, as a tangent to that or a corollary to that. These new mandates in the executive order are all very welcome advances in federal protections that I think will result in much better threat intelligence and response across the nation's critical infrastructures, including health care. So we expect to see a lot of downstream benefits from this, and we're appreciative of this coming out there and the hard work that will go into implementing these requirements, all of which have timelines, 90 days, 180 days, respectively. So there's some reason to hustle to get things done. So we hope this has been informative for you. And I would love to hear from you. If you want to talk about any of this, just reach out to us at CyberPHIx@meditologyservices.com. So long. And thanks for everything you do to keep our health care systems and organizations safe.