The Department of Health and Human Services (HHS) is embracing a new cybersecurity routine after the ongoing public health crisis placed a new target on the agency and malicious actors boosted their efforts to infiltrate it and access sensitive data, HHS CISO Janet Vogel said this week.
Vogel said the agency’s cybersecurity benefitted from the department’s under-the-radar status prior to the coronavirus pandemic. The health crisis, however, brought unwelcome attention from adversaries.
“When it comes to cybersecurity, HHS wasn’t thought of as a premier area and we really enjoyed that type of anonymity in the past, just a bit under the radar,” Vogel said at MeriTalk’s August 18 Protect and Secure: Proactive Strategies to Manage Vulnerabilities webinar. “But that’s all over now with COVID-19 and we are strengthening our program in many ways every day,” she said.
In March, HHS faced a distributed denial of service attack that forced the agency to step up its cyber protocol. According to Vogel, HHS “doubled down” on cybersecurity activities and collaboration during the pandemic to keep its networks and data protected.
“The denial of service attack came on us very quickly and it ramped up faster than we really anticipated it could or would,” Vogel admitted. Since then, HHS has implemented new cyber programs and procedures to mitigate the possibility of a future attack. “We learned we need to do simple things like be very aware of the thresholds we have on our network traffic. Also, any data that could be exfiltrated, we want to manage that and manage the size so that we can see it,” Vogel explained.
Cyber forensics – powered by technology such as machine learning and other algorithms – have been put in place to analyze traffic quickly and improve the agency’s response, Vogel said. The expanded view of the network, combined with other tools and procurement activities to defend the perimeter, is giving HHS employees a new perspective on the agency’s cyber defense.
“Cybersecurity went way up in people’s minds and people have been very responsive with a speed that we hadn’t seen before,” she said. HHS has increased its education and outreach efforts to keep every worker vigilant to cyberthreats, including through vectors like phishing and spam.
On agencywide strategic tactics, Vogel added, “Crowdsourced penetration testing offers measurable results for reducing our risk.” She continued, “Our crowdsourced pen-testing has been the main component of our response. Over 14,000 hours of testing – that measures out to 350 full days each year that someone somewhere is doing crowdsourced pen-testing on us.”
Mark Kuhr, CTO and co-founder of Synack, emphasized the importance of combatting threats like the ones Vogel mentioned. Since the switch to widespread remote work in March, according to Kuhr, there’s been an uptick in email-based threats and malicious phishing attempts that strategies like network transparency and remote authentication can help protect against.
“Hackers are trying to get in through your network devices and your external applications, but we’ve definitely seen in the last January to April period a huge spike in the number of spam messages and emails with malicious URLs that mimic either health authorities or impersonating government or impersonating partners,” Kuhr warned. “It’s certainly a common attack vector.”
At HHS specifically, Vogel and her team have also noticed new trends in the motivations behind cyberattacks. She said that adversaries are now targeting sensitive health information. “Protecting that information and making sure that we can execute our mission is very critical,” Vogel asserted, “and this healthcare pandemic has really focused that.”
Vogel also said that the pandemic and cyberthreats have led to a new cybersecurity perspective across the agency. Cybersecurity is now a necessity, she said, and HHS has implemented a risk prioritization strategy that keeps it up to date on the latest threats. Predicting that remote work and the use of internet-connected devices will only increase, Kuhr recommended that Federal agencies take a “fresh look” at all cybersecurity lines of effort.
“It’s important that we take a fresh look at how we’re approaching vulnerability management, how we’re approaching IT and asset management,” he said. “Everything up and down the stack needs a fresh look to set us up for the future. It’s 2020 – going into 2021 shortly – and we need to prepare for more devices on the internet than ever before and more remote work.”
For more, view the on-demand webinar.