BreachExchange mailing list archives
After a Data Breach, Who You Gonna Call? FBI Steps Up With an Offer of Assistance
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 16 Dec 2015 18:31:50 -0600
http://aishealth.com/archive/hipaa1215-02

The FBI might not be the first (or even second) agency that covered entities (CEs) think about when they plan their HIPAA compliance programs, including how to prevent breaches and violations of privacy and security rules, or ways to mitigate damage after an incident or breach occurs. John Riggi, whose duties with the FBI the past three decades have included pursuing financial crimes and managing undercover operations into the Russian mob, wants to change that perception. Since June 2014, Riggi has been the chief of the Outreach Section of the FBI’s Cyber Division. Although the division has been in existence since 2002, the Outreach Section was created just two years ago. Riggi is dedicated to spreading the gospel that the FBI is “here to help” health care organizations in particular, as they are among those most heavily targeted by hackers.

In an exclusive, wide-ranging interview with *RPP*, Riggi describes how the FBI approaches organizations as “victims,” offers links and other resources for contacting the FBI, and stresses that CEs would be well-served by contacting their local agency office and establishing a relationship in advance of a breach or problem. The FBI also benefits from collaborations with CEs because it, alone, cannot stop cyber attacks without the help of the private sector, Riggi says.

*RPP:* I did not realize that the FBI is proactively involved in health care data breaches.

*Riggi:* We actually wouldn’t make a distinction between one sector or type of business over another. The issue is that the private corporations’ networks have been intruded upon and that’s a violation of federal statute Title 18, Section 1030, which the FBI has investigative authority over. So, regardless of whether it is health care or manufacturing or defense or financial services, we would have the same jurisdiction.
What we do is run a general outreach program across all sectors, and specifically we try to emphasize outreach with sectors which we know are being targeted by all types of adversaries. And that’s part of our reason to emphasize outreach with health care.

*RPP:* Of the data breaches that the FBI has been involved in, what percentage have been health care or how many have there been?

*Riggi:* What I would say is there is a substantial number of cases that we have at this point involving health care intrusions. Clearly, there have been some very highly publicized incidents and although the numbers may not be staggering, it is the volume and loss of data associated with some of these major health care breaches which has become a concern.

*RPP:* So even if it’s one breach, it’s 8 million people, that sort of thing.

*Riggi:* Correct.

*RPP:* When do you want to hear about a health care incident or breach? When do you feel you can be of value? Is there a size or a type or a timing issue?

*Riggi:* Well, there is. Ideally we always stress to certainly major health care providers, whether it’s insurance or hospitals, to try to have a pre-existing relationship at least with their local FBI field office, and, simply, if they do become a victim of intrusion, they’ll know who to call directly and immediately and kind of have that personal trust built up, and know what to expect. Generally, when there’s an actual loss of records, loss of data, or intrusions into the company’s networks [the FBI wants to know]. What often happens is that there are all types of malicious traffic out there on the Internet, probing private companies’ networks, probing, scanning, which happens, literally, thousands of times a day to a company’s network. That’s unfortunately what we call routine scanning and routine malicious activity, which would not really rise to the level of notification to FBI or law enforcement.
So, in sum, again, when there’s an actual intrusion into the corporate networks or an actual loss of data.

*RPP:* Are you recommending that covered entities and business associates contact their local office, and those folks are set up to expect those calls? Are they on their own doing any outreach?

*Riggi:* They are. Some offices absolutely do outreach with major corporations and health care entities in their jurisdictions, their local field office jurisdiction, and many [organizations] are members of what’s called our InfraGard. And we certainly encourage entities, health care providers and entities to join their local InfraGard chapters. [It’s] a great way to meet the FBI and also to share information with other private sector entities, whether it’s health care or across multiple sectors. (See https://www.infragard.org.)

*RPP:* What should that first call be like when they contact that local office? Just say, “Hi, I’m a covered entity and want to get to know you?”

*Riggi:* They should call the local FBI field office and ask to speak to the cyber taskforce supervisor. Make an introduction and say, “I am XYZ health care provider…and I’d just like to introduce myself and let you know my points of contact” and perhaps [ask] ... if they had an issue, who they should reach out to directly. In all 56 field offices there are cyber taskforces. And if a company is located in some region where it’s not clear which field office, they should [search] by Zip code [at] www.fbi.gov/contact-us/field. If they’re just not sure who to call in an emergency or to reach out to for a local contact, we here at FBI headquarters run a 24/7 cyber operations center. We call it CyWatch 24/7. The number is 1-855-292-3937, or cywatch () ic fbi gov. To report internet enabled frauds [go to the] Internet Crime Complaint Center, located at www.ic3.gov.

*RPP:* How quickly should they contact the FBI if they have an incident? When do you want to hear something?
*Riggi:* If they have an incident, we always recommend that they contact us as soon as possible, and there are multiple reasons for that. One is that we can assist not only in the investigative role but perhaps help them mitigate and contain the breach and prevent further loss of data. The other reason is that, since cyber evidence is electronic in nature, it is very perishable. That evidence may literally dissipate, the electronics may dissipate and we will lose evidence, or potentially lose evidence, the longer they wait…to contact us.

*RPP:* Can you go into some detail on what you can provide for them?

*Riggi:* So, normally we would provide an investigative response and a technical response where we would help the victim company –– and I do want to emphasize that we always treat the victim companies as victims first, and so our job there is to assist them, not to find blame or lay blame on the cause of the intrusion. We would provide a technical/investigative response both at the local level first. We have resources at all 56 local field offices, technical resources which would respond, and can help try to identify what happened and, of course, help the company, the victim, contain, mitigate the effects of a breach. Although that’s not our primary role, as part of the investigation we would be assisting [them]. And then we would try to make some attribution on who did this. Was it a criminal organization or was it potentially a nation-state? And, ultimately, we would look to disrupt the threat, whether through prosecution or other means possible.

But if it’s a major breach, such as, I won’t name names, but with some of the largest health care breaches, we’ve learned that the victim company needs more than just a technical response. And, in that sense, we also will dispatch attorneys from our Office of General Counsel to help them navigate how to deal with government and law enforcement [regarding] some of the many legal issues which could arise.
For instance, we are very aware of the HIPAA requirements and the need to maintain patient privacy during our investigations. One thing to note is that we, when we conduct an investigation, really don’t need the patient records to see what was exfiltrated. What we really need are what we call the indicators of compromise –– the copy of the malware and some of the other technical data surrounding the breach, but we don’t need to actually possess the patient records. We certainly prefer if they can be separated from the evidence, that that be done.

*RPP:* But I am assuming that you comply with all of the privacy and security requirements and that turning the records over to you wouldn’t expose them to any kind of risk.

*Riggi:* Correct. We certainly would maintain all investigative information segregated and confidential. And if it was a classified investigation, all of the records would be classified in our possession.

*RPP:* Would the FBI send people to a site?

*Riggi:* Yes. Often that is the case. We dispatch FBI agents right to the scene, to the victim company and it will be necessary for us to work with the information security personnel of the victim entity. And we do look at it as a team approach. Because, in the end, no one knows the company or entity’s network better than the company themselves.

Getting back on the services we provide, besides the legal response, if necessary, we would also provide media assistance, too. We dispatched our media representatives on some of the largest breaches that have occurred to help the victim company manage both the internal and external communications and the messaging. And we certainly would not issue any public statements without, at a minimum, [consulting with the] company.

*RPP:* How many people might be there and for how long?

*Riggi:* It really just depends on what happened and the size of the breach.
I can tell you in some of the largest, highly publicized breaches, we’ve had agents on the ground there for months....It may be a much shorter term if the victim company had actually called a third-party-managed cyber security system firm to assist them. They [the firm] may be providing us the data that we need. But again we always stress it’s best to call the FBI as soon as possible.

*RPP:* What happens if you uncover something that shows the organization was negligent related to the breach? Would you act on that information or pass it along?

*Riggi:* That’s a very difficult question to answer because we do not have a regulatory role over the industry. We would suspect that if we were queried, we would cooperate with a regulator but that is not our primary role. If we uncover criminal acts, [they] will be investigated. If there is evidence of a crime, we will pursue the evidence. Our primary role is to look at a victim company as a victim of a crime and to treat them as such.

*RPP:* If the covered entity were making that call to the FBI, how would it communicate that internally and externally? Or should they not disclose that the FBI is now involved?

*Riggi:* What we’ll do is we’ll work with the company, with the victim, and try to understand what their preference is and we will certainly try to cause the least amount of disruption possible, and as far as our presence being known, we would try to minimize that as much as possible. And we may be able to provide advice to the victim company as far as messaging internally and some may not want to, or have the need to [disclose FBI involvement]. There were very high profile incidents like Sony. We did assist them managing their communications. Obviously that was a highly publicized event in which some messaging had to be made to the workforce. And as far as public release, again, we would leave that to the victim entity, of course, in consultation with us.
There may be instances where we prefer there be no publicity because it may alert the adversary that we are aware of the intrusion and that we’re actively investigating and tracking them.

*RPP:* In the case of HIPAA breaches, entities are under a 60-day clock to notify OCR, patients and the media, depending on the size of the breach. Does involving the FBI extend that notification period?

*Riggi:* It may, but we would have to work that out with the victim entity and whatever regulators they would be subject to for that reporting requirement.

*RPP:* So you wouldn’t want them to assume, for example, that getting the FBI involved automatically gives them more notification time?

*Riggi:* That’s correct. That would have to be worked out and, as you know, the reporting requirements vary from state to state. Ultimately we would leave that decision on what their reporting obligations are and regulatory requirements are with the victim’s general counsel and their regulatory authority. If we feel there is a need to delay notification, we actually may work with the regulator and express our concerns on why there should be a delay of public notification.

*RPP:* Are there some instances where you are sharing information proactively with an organization?

*Riggi:* Yes. If we become aware through our investigative or national security authorities that a victim entity, a certain company has been targeted. Most importantly, what we try to do is proactive outreach, giving information to companies to help defend themselves against breaches and [at times] we will do sector-wide, unclassified and classified briefings, if necessary. Generally, we would contact them or it would be through certain associations that we work with that would identify the most at-risk corporations or the largest providers. And [work] through certain associations that would identify the most at risk or the largest providers in that sector.
There’s the National Healthcare and Public Health Information Sharing and Analysis Center — NH-ISAC — which is an entity under the Department of Homeland Security. (See http://www.nhisac.org.) It would be appropriate to mention HITRUST, along with the NH-ISAC, as public health and health care-specific cyber threat information sharing organizations we have worked closely with. (See https://hitrustalliance.net/content-spotlight.)

*RPP:* Some covered entities and health care attorneys report having a difficult time gaining the interest and assistance of local law enforcement agencies for what might not be a “national” event, such as an employee stealing data. Can the FBI step in when this happens? Is there a bright line for when you would not get involved?

*Riggi:* Often the local authorities may not have the capacity or resources to conduct major cyber intrusion [investigations] on a national level. The way we get local law enforcement involved is actually through our cyber task forces; all of them have a state and local presence. All corporations should be conscious of the potential for what we call an insider threat, [which can lead to] an intrusion and theft of data. That still would be, potentially, investigated by the FBI if there is a loss of data affecting patients across the country or financial data, depending upon the volume. The FBI should at least be notified of that. We would look to see what was the motivation of that individual who conducted that theft of data? Was it for personal gain, personal profit, are they part of a larger, organized criminal network? Or could they have been sponsored by a nation-state to steal intellectual property?

*RPP:* As you’ve been discussing proactive involvement of the FBI with health care organizations, have you found them to be receptive?

*Riggi:* The health care sector has been very forward leaning in cooperating with us.
*RPP:* The House and Senate recently passed separate bills that would facilitate the reporting of cyber incidents and breaches to the federal government. Would this affect FBI relationships with CEs?

*Riggi:* We really can’t comment on pending legislation. But generally we support anything that supports information sharing between the private sector and the government.

*RPP:* Is there anything you would like to add that we did not discuss?

*Riggi:* The one thing I would say is that, really, we need the industry’s partnership to help mutually defend against this common cyber threat. The same cyber threats that are facing the health care industry are also facing government. And, quite frankly, we will not be able to defeat those threats on our own. We really do need the assistance of the private sector. It is incumbent upon us to make sure we share information readily with the private sector and encourage that cooperation and exchange of information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/