[BreachExchange] 'Data Guardians' Now On Watch After Hack at Medicare Agency

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 23 19:39:13 EDT 2016


http://www.nextgov.com/cybersecurity/2016/05/centers-medicare-and-medicaid-services-hack-spawns-data-guardian-volunteer-corps/128501/

Last summer, deceptive emails began targeting employees at the Centers for
Medicare and Medicaid Services, according to the agency. The messages were
crafted to look like official business, but they actually were from
attackers seeking agency passwords. The influx of "spearphishing" emails
spiked in June and July.

CMS quickly grasped the gravity of the situation, in part because the
federal government was still reeling from a hack at the Office of Personnel
Management that netted 21.5 million government-held background check
records.

Concerns in the C-suite peaked. The tentacles of that earlier campaign had
gained a stranglehold on OPM, the Interior Department, and two contractors.

So, CMS went into containment mode quickly. Still, a few laptops contracted
malware when employees clicked on the messages, and some personnel
unknowingly gave up their credentials, CMS Chief Information Officer David
Nelson told Nextgov in an interview.

"Rather than dealing with this sort of whack-a-mole style," he said, CMS
decided to "really, really sensitize our employees" to the risk of
compromising the most private information of Americans.

The agency handles medical and other personal data on more than 100 million
people through Medicare, Medicaid, the Obamacare insurance marketplace and
other programs.

Nelson, top management and the rest of the 6,000-person CMS workforce
arranged a big conference call, where leadership introduced a new job, the
"data guardian." Today, 27 volunteers hold this position -- one for each
CMS component.

And 99 percent of the agency's staff does not click on links anymore.
That's thanks to the data guardians, their champion CMS Administrator Andy
Slavitt, and bimonthly spearphishing exercises, Nelson said.

"You need to get this sponsored from the top, if you are going to change
the culture in an organization," he added. "This program is really designed
to make the most use of not just our security people, but to make use of
all of our employees."

Mental reflexes can be more crucial for outwitting a persistent attacker
than automated defenses sometimes. There are tools for scanning email
attachments, "but those links are really deadly," Nelson said.

In April of 2015, OPM discovered the monumental theft of records on
personnel who had been screened to access classified information. That was
around the time a number of health insurers realized their networks were
under attack.

Reportedly, the OPM and health care hacks were the work of Chinese
cyberspies who have been compiling a Rolodex of Americans. A heist of 78.8
million records at Blue Cross Blue Shield Anthem was detected that
February, followed by intrusions at Premera and other BCBS companies.

In more recent months, financially-motivated crooks have barraged medical
centers, like Hollywood Presbyterian Hospital, with malicious "ransomware"
programs that encrypt data and trigger messages demanding money in exchange
for a decryption code.

"We're basically feeling that we're very, very exposed and we need to
address this and come up with a better way of protecting ourselves," Nelson
said of his health care-focused agency.

"We've certainly had spearphishing, and we've certainly had very targeted
attacks on CMS," he said of last summer's incident.

That is where the data guardians come in.

The role of the guardians, according to agency planning documents, is to
"serve on the front-lines of their respective center/office as the stewards
of CMS privacy and security policy."

Among other things, a guardian's duties include training coworkers and
contractors on security protocols, as well as ensuring they collect only a
minimum amount of personal information on citizens.

During the all-hands-on-deck call last summer, employees were asked to
imagine the aftermath of a hack on beneficiaries and users of the
HealthCare.gov marketplace.

HealthCare.gov has reported suffering more than 300 breaches of personal
data, but they were all caused by accidents like misdirected emails, not
malicious actors, according to an April Government Accountability Office
audit.

Today, at CMS, the default mindset is: Do not share personal information in
email, if at all possible, Nelson said.

"You don't even want it exchanged in an encrypted manner through an email
with a password that was given through a separate channel if it's not
necessary," he said. "Because why risk it?"

Whatever the motive for robbing health care networks, the bounty is
valuable. About $500 is the going price for one Medicare or Medicaid record
on the Dark Web. It is estimated that health records sell for up to 10
times more than credit card numbers on the black market.

Data breaches are costing the medical industry an estimated $6.2 billion,
according to a May 12 Ponemon Institute study on the privacy and security
of health care data.

At CMS, the data guardians meet every two weeks to reduce the risk of such
breaches.

The volunteers are briefed by agency executives on the latest threats,
including ransomware, Nelson said. When the guardians initially took their
posts, about 15 percent of the workforce was clicking on test phishing
emails. There have been 27 phishing exercises since.

"When we get real phishing attacks now, everybody knows what to do with
it," Nelson said. Questionable emails go to spam at hhs.gov.

In April, Nelson was named a finalist for the annual U.S. Government
Information Security Leadership Awards for his work on the CMS beneficiary
data protection initiative.

As for that real attack last summer, the IT staff changed the stolen
credentials and cleaned the infected devices immediately, he said.

"Now, we don't have to do that," Nelson said. "We're not having that issue
with people installing that on their laptops or giving up their credentials
to real phishing attacks."