BreachExchange mailing list archives

After a Data Breach, Who You Gonna Call? FBI Steps Up With an Offer of Assistance


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 16 Dec 2015 18:31:50 -0600

http://aishealth.com/archive/hipaa1215-02

The FBI might not be the first (or even second) agency that covered
entities (CEs) think about when they plan their HIPAA compliance programs,
including how to prevent breaches and violations of the privacy and security
rules, and how to mitigate damage after an incident or breach occurs.

John Riggi, whose duties with the FBI the past three decades have included
pursuing financial crimes and managing undercover operations into the
Russian mob, wants to change that perception. Since June 2014, Riggi has
been the chief of the Outreach Section of the FBI’s Cyber Division.
Although the division has been in existence since 2002, the Outreach
Section was created just two years ago. Riggi is dedicated to spreading the
gospel that the FBI is “here to help” health care organizations in
particular, as they are among those most heavily targeted by hackers.

In an exclusive, wide-ranging interview with *RPP*, Riggi describes how the
FBI approaches organizations as “victims,” offers links and other resources
for contacting the FBI, and stresses that CEs would be well-served by
contacting their local agency office and establishing a relationship in
advance of a breach or problem. The FBI also benefits from collaborations
with CEs because it cannot stop cyber attacks without the help of the
private sector, Riggi says.

*RPP:* I did not realize that the FBI is proactively involved in health
care data breaches.

*Riggi:* We actually wouldn’t make a distinction between one sector or type
of business over another. The issue is that the private corporations’
networks have been intruded upon and that’s a violation of federal statute
Title 18, Section 1030, which the FBI has investigative authority over. So,
regardless of whether it is health care or manufacturing or defense or
financial services, we would have the same jurisdiction. What we do is run
a general outreach program across all sectors, and specifically we try to
emphasize outreach with sectors which we know are being targeted by all
types of adversaries. And that’s part of our reason to emphasize outreach
with health care.

*RPP:* Of the data breaches that the FBI has been involved in, what
percentage have been health care or how many have there been?

*Riggi:* What I would say is there is a substantial number of cases that we
have at this point involving health care intrusions. Clearly, there have
been some very highly publicized incidents and although the numbers may not
be staggering, it is the volume and loss of data associated with some of
these major health care breaches which has become a concern.

*RPP:* So even if it’s one breach, it’s 8 million people, that sort of
thing.

*Riggi:* Correct.

*RPP:* When do you want to hear about a health care incident or breach?
When do you feel you can be of value? Is there a size or a type or a timing
issue?

*Riggi:* Well, there is. Ideally we always stress to certainly major health
care providers, whether it’s insurance or hospitals, to try to have a
pre-existing relationship at least with their local FBI field office, and,
simply, if they do become a victim of intrusion, they’ll know who to
call directly and immediately and kind of have that personal trust built
up, and know what to expect. Generally, when there’s an actual loss of
records, loss of data, or intrusions into the company’s networks [the FBI
wants to know]. What often happens is that there are all types of malicious
traffic out there on the Internet, probing private companies’ networks,
probing, scanning, which happens, literally, thousands of times a day to a
company’s network. That’s unfortunately what we call routine scanning and
routine malicious activity, which would not really rise to the level of
notification to FBI or law enforcement. So, in sum, again, when there’s an
actual intrusion into the corporate networks or an actual loss of data.

*RPP:* Are you recommending that covered entities and business associates
contact their local office, and those folks are set up to expect those
calls? Are they on their own doing any outreach?

*Riggi:* They are. Some offices absolutely do outreach with major
corporations and health care entities in their jurisdictions, their local
field office jurisdiction, and many [organizations] are members of our
what’s called InfraGard. And we certainly encourage entities, health care
providers and entities to join their local InfraGard chapters. [It’s] a
great way to meet the FBI and also to share information with other private
sector entities, whether it’s health care or across multiple sectors. (See
https://www.infragard.org.)

*RPP:* What should that first call be like when they contact that local
office? Just say, “Hi, I’m a covered entity and want to get to know you?”

*Riggi:* They should call the local FBI field office and ask to speak to
the cyber taskforce supervisor. Make an introduction and say, “I am XYZ
health care provider…and I’d just like to introduce myself and let you know
my points of contact” and perhaps [ask] ... if they had an issue, who they
should reach out to directly. In all 56 field offices there are cyber
taskforces. And if a company is located in some region where it’s not clear
which field office, they should [search] by Zip code [at]
www.fbi.gov/contact-us/field. If they’re just not sure who to call in an
emergency or to reach out to for a local contact, we here at FBI
headquarters run a 24/7 cyber operations center. We call it CyWatch 24/7.
The number is 1-855-292-3937, or cywatch () ic fbi gov. To report internet
enabled frauds [go to the] Internet Crime Complaint Center, located at
www.ic3.gov.

*RPP:* How quickly should they contact the FBI if they have an incident?
When do you want to hear something?

*Riggi:* If they have an incident, we always recommend that they contact us
as soon as possible, and there are multiple reasons for that. One is that
we can assist not only in the investigative role but perhaps help them
mitigate and contain the breach and prevent further loss of data. The other
reason is that, since cyber evidence is electronic in nature, it is very
perishable. That evidence may literally dissipate, the electronics may
dissipate and we will lose evidence, or potentially lose evidence, the
longer they wait…to contact us.

*RPP:* Can you go into some detail on what you can provide for them?

*Riggi:* So, normally we would provide an investigative response and a
technical response where we would help the victim company –– and I do want
to emphasize that we always treat the victim companies as victims first,
and so our job there is to assist them, not to find blame or lay blame on
the cause of the intrusion. We would provide a technical/investigative
response both at the local level first. We have resources at all 56 local
field offices, technical resources which would respond, and can help try to
identify what happened and, of course, help the company, the victim,
contain, mitigate the effects of a breach. Although that’s not our primary
role, as part of the investigation we would be assisting [them]. And then
we would try to make some attribution on who did this. Was it a criminal
organization or was it potentially a nation-state? And, ultimately, we
would look to disrupt the threat, whether through prosecution or other
means possible. But if it’s a major breach, such as, I won’t name names,
but with some of the largest health care breaches, we’ve learned that the
victim company needs more than just a technical response. And, in that
sense, we also will dispatch attorneys from our Office of General Counsel
to help them navigate how to deal with government and law enforcement
[regarding] some of the many legal issues which could arise. For instance,
we are very aware of the HIPAA requirements and the need to maintain
patient privacy during our investigations. One thing to note is that we,
when we conduct an investigation, really don’t need the patient records to
see what was exfiltrated. What we really need are what we call the
indicators of compromise –– the copy of the malware and some of the other
technical data surrounding the breach, but we don’t need to actually
possess the patient records. We certainly prefer if they can be separated
from the evidence, that that be done.

*RPP:* But I am assuming that you comply with all of the privacy and
security requirements and that turning the records over to you wouldn’t
expose them to any kind of risk.

*Riggi:* Correct. We certainly would maintain all investigative information
segregated and confidential. And if it was a classified investigation, all
of the records would be classified in our possession.

*RPP:* Would the FBI send people to a site?

*Riggi:* Yes. Often that is the case. We dispatch FBI agents right to the
scene, to the victim company and it will be necessary for us to work with
the information security personnel of the victim entity. And we do look at
it as a team approach. Because, in the end, no one knows the company or
entity’s network better than the company themselves. Getting back on the
services we provide, besides the legal response, if necessary, we would
also provide media assistance, too. We dispatched our media representatives
on some of the largest breaches that have occurred to help the victim
company manage both the internal and external communications and the
messaging. And we certainly would not issue any public statements without,
at a minimum, [consulting with the] company.

*RPP:* How many people might be there and for how long?

*Riggi:* It really just depends on what happened and the size of the
breach. I can tell you in some of the largest, highly publicized breaches,
we’ve had agents on the ground there for months.... It may be a much shorter
term if the victim company had actually called a third-party-managed cyber
security system firm to assist them. They [the firm] may be providing us
the data that we need. But again we always stress it’s best to call the FBI
as soon as possible.

*RPP:* What happens if you uncover something that shows the organization
was negligent related to the breach? Would you act on that information or
pass it along?

*Riggi:* That’s a very difficult question to answer because we do not have
a regulatory role over the industry. We would suspect that if we were
queried, we would cooperate with a regulator but that is not our primary
role. If we uncover criminal acts, [they] will be investigated. If there is
evidence of a crime, we will pursue the evidence. Our primary role is to
look at a victim company as a victim of a crime and to treat them as such.

*RPP:* If the covered entity were making that call to the FBI, how would it
communicate that internally and externally? Or should they not disclose
that the FBI is now involved?

*Riggi:* What we’ll do is we’ll work with the company, with the victim, and
try to understand what their preference is and we will certainly try to
cause the least amount of disruption possible, and as far as our presence
being known, we would try to minimize that as much as possible. And we may
be able to provide advice to the victim company as far as messaging
internally and some may not want to, or have the need to [disclose FBI
involvement]. There were very high profile incidents like Sony. We did
assist them managing their communications. Obviously that was a highly
publicized event in which some messaging had to be made to the workforce.
And as far as public release, again, we would leave that to the victim
entity, of course, in consultation with us. There may be instances where we
prefer there be no publicity because it may alert the adversary that we are
aware of the intrusion and that we’re actively investigating and tracking
them.

*RPP:* In the case of HIPAA breaches, entities are under a 60-day clock to
notify OCR, patients and the media, depending on the size of the breach.
Does involving the FBI extend that notification period?

*Riggi:* It may, but we would have to work that out with the victim entity
and whatever regulators they would be subject to for that reporting
requirement.

*RPP:* So you wouldn’t want them to assume, for example, that getting the
FBI involved automatically gives them more notification time?

*Riggi:* That’s correct. That would have to be worked out and, as you know,
the reporting requirements vary from state to state. Ultimately we would
leave that decision on what their reporting obligations are and regulatory
requirements are with the victim’s general counsel and their regulatory
authority. If we feel there is a need to delay notification, we actually
may work with the regulator and express our concerns on why there should be
a delay of public notification.

*RPP:* Are there some instances where you are sharing information
proactively with an organization?

*Riggi:* Yes. If we become aware through our investigative or national
security authorities that a victim entity, a certain company has been
targeted. Most importantly, what we try to do is proactive outreach, giving
information to companies to help defend themselves against breaches and [at
times] we will do sector-wide, unclassified and classified briefings, if
necessary. Generally, we would contact them or it would be through certain
associations that we work with that would identify the most at-risk
corporations or the largest providers. And [work] through certain
associations that would identify the most at risk or the largest providers
in that sector. There’s the National Healthcare and Public Health
Information Sharing and Analysis Center — NH-ISAC — which is an entity
under the Department of Homeland Security. (See http://www.nhisac.org.) It
would be appropriate to mention HITRUST, along with the NH-ISAC, as public
health and health care-specific cyber threat information sharing
organizations we have worked closely with. (See
https://hitrustalliance.net/content-spotlight.)

*RPP:* Some covered entities and health care attorneys report having a
difficult time gaining the interest and assistance of local law enforcement
agencies for what might not be a “national” event, such as an employee
stealing data. Can the FBI step in when this happens? Is there a bright
line for when you would not get involved?

*Riggi:* Often the local authorities may not have the capacity or resources
to conduct major cyber intrusion [investigations] on a national level. The
way we get local law enforcement involved is actually through our cyber
task forces; all of them have a state and local presence. All corporations
should be conscious of the potential for what we call an insider threat,
[which can lead to] an intrusion and theft of data. That still would be,
potentially, investigated by the FBI if there is a loss of data affecting
patients across the country or financial data, depending upon the volume.
The FBI should at least be notified of that. We would look to see what was
the motivation of that individual who conducted that theft of data? Was it
for personal gain, personal profit, are they part of a larger, organized
criminal network? Or could they have been sponsored by a nation-state to
steal intellectual property?

*RPP:* As you’ve been discussing proactive involvement of the FBI with
health care organizations, have you found them to be receptive?

*Riggi:* The health care sector has been very forward leaning in
cooperating with us.

*RPP:* The House and Senate recently passed separate bills that would
facilitate the reporting of cyber incidents and breaches to the federal
government. Would this affect FBI relationships with CEs?

*Riggi:* We really can’t comment on pending legislation. But generally we
support anything that supports information sharing between the private
sector and the government.

*RPP:* Is there anything you would like to add that we did not discuss?

*Riggi:* The one thing I would say is that, really, we need the industry’s
partnership to help mutually defend against this common cyber threat. The
same cyber threats that are facing the health care industry are also facing
government. And, quite frankly, we will not be able to defeat those threats
on our own. We really do need the assistance of the private sector. It is
incumbent upon us to make sure we share information readily with the
private sector and encourage that cooperation and exchange of information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/