Category: Health & Social Care

Health & Social Care

National Security Memorandum on Critical Infrastructure Security and Resilience

Agency News, Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Space Sector, Telecomms sector, Transport sector, Water sector
On April 30, 2024, the White House National Security Council (NSC) published the National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience. This memo builds on the important work that the Cybersecurity and Infrastructure Security Agency (CISA) and agencies across the federal government have been undertaking in partnership with America’s critical infrastructure communities for more than a decade. It also replaces Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which was issued more than a decade ago to establish national policy on critical infrastructure security and resilience.
Why Now?
Image of infrastructure-related icons over glowing, streaks of blue and white  lights
The threat environment has significantly changed since PPD-21 was issued, shifting from counterterrorism to strategic competition, advances in technology like Artificial Intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination. This change in the threat landscape, along with increased federal investment in U.S. critical infrastructure, prompted the need to update PPD-21 and issue the new memo.
The NSM will help ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen, strengthening the nation for generations to come. This NSM specifically:
- Empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risk to the nation’s critical infrastructure.
- Reaffirms the designation of 16 critical infrastructure sectors and establishes a federal department or agency responsible for managing risk within each of these sectors.
- Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.
PPD-21 pre-dates the establishment of CISA. CISA actively engaged in updating the framework established by PPD-21 to detail how the U.S. government secures and protects critical infrastructure from cyber and physical threats.
CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC’s robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.
Leave a comment

CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

Agency News, Cyber Security CII sector, Health & Social Care, Industry News

Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers

The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.

The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.”

This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).

The recommended actions for software manufacturers are aligned to the recently updated, Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.

Leave a comment

Ransomware Accounts for 54% of Cybersecurity Threats

Agency News, Cyber Security CII sector, Health & Social Care, Industry News

The European Union Agency for Cybersecurity (ENISA) released its first cyber threat landscape for the health sector. The report found that ransomware accounts for 54% of cybersecurity threats in the health sector.

The comprehensive analysis maps and studies cyberattacks, identifying prime threats, actors, impacts, and trends for a period of over 2 years, providing valuable insights for the healthcare community and policy makers. The analysis is based on a total of 215 publicly reported incidents in the EU and neighbouring countries.

Executive Director of the European Union Agency for Cybersecurity (ENISA), Juhan Lepassaar, said: “A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way. The rise of the covid-19 pandemic showed us how we critically depend on health systems. What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

The findings

The report reveals a concerning reality of the challenges faced by the EU health sector during the reporting period.

- Widespread incidents. The European health sector experienced a significant number of incidents, with healthcare providers accounting for 53% of the total incidents. Hospitals, in particular, bore the brunt, with 42% of incidents reported. Additionally, health authorities, bodies and agencies (14%), and the pharmaceutical industry (9%) were targeted.
- Ransomware and data breaches. Ransomware emerged as one of the primary threats in the health sector (54% of incidents). This trend is seen as likely to continue. Only 27% of surveyed organisations in the health sector have a dedicated ransomware defence programme. Driven by financial gain, cybercriminals extort both health organisations and patients, threatening to disclose data, personal or sensitive in nature. Patient data, including electronic health records, were the most targeted assets (30%). Alarmingly, nearly half of all incidents (46%) aimed to steal or leak health organisations' data.
- Impact and lessons learned by the COVID-19 Pandemic. It is essential to note that the reporting period coincided with a significant portion of the COVID-19 pandemic era, during which the healthcare sector became a prime target for attackers. Financially motivated threat actors, driven by the value of patient data, were responsible for the majority of attacks (53%). The pandemic saw multiple instances of data leakage from COVID-19-related systems and testing laboratories in various EU countries. Insiders and poor security practices, including misconfigurations, were identified as primary causes of these leaks. The incidents serve as a stark reminder of the importance of robust cybersecurity practices, particularly in times of urgent operational needs.
- Vulnerabilities in Healthcare Systems. Attacks on healthcare supply chains and service providers resulted in disruptions or losses to health organisations (7%). Such types of attacks are expected to remain significant in the future, given the risks posed by vulnerabilities in healthcare systems and medical devices. A recent study by ENISA revealed that healthcare organisations reported the highest number of security incidents related to vulnerabilities in software or hardware, with 80% of respondents citing vulnerabilities as the cause of more than 61% of their security incidents.
- Geopolitical Developments and DDoS Attacks. Geopolitical developments and hacktivist activity led to a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9% of total incidents. While this trend is expected to continue, the actual impact of these attacks remains relatively low.
- The incidents examined in the report had significant consequences for health organisations, primarily resulting in breaches or theft of data (43%) disrupted healthcare services (22%) and disrupted services not related to healthcare (26%). The report also highlights the financial losses incurred, with the median cost of a major security incident in the health sector estimated at €300,000 according to the ENISA NIS Investment 2022 study.
- Patient safety emerges as a paramount concern for the health community, given potential delays in triage and treatment caused by cyber incidents.

New report from the NIS Cooperation Group

The NIS Cooperation Group releases today its report on “Threats and risk management in the health sector – Under the NIS Directive”. As a first assessment on the measures currently in place, the study sheds light on the different cybersecurity challenges in risk mitigation faced by the EU health sector. Together with relevant threat taxonomies and cyber incident data, the report discloses business continuity and mitigation recommendations to limit the likelihood and impacts of a cyber related incident.

Leave a comment , , ,

IRC warns damaged infrastructure is hampering critical aid supply to catastrophic disaster as it launches emergency response

Agency News, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

As the full scale of the disaster in Syria and Turkey following the 7.8 magnitude earthquake becomes apparent, the International Rescue Committee (IRC) is warning of catastrophic humanitarian needs in both countries. Unfettered humanitarian access to those affected is now absolutely critical. As humanitarian needs soar during freezing temperatures, in both Turkey and Syria, the IRC is launching an integrated response to affected populations in both countries.

Tanya Evans, Syria Country Director for IRC said:

“The scale of the disaster is catastrophic. We are still in the first 36 hours of one of the largest earthquakes to hit the region this century. Multiple earthquakes and aftershocks yesterday and today have damaged roads, border crossings, and critical infrastructure, severely hampering aid efforts.

“IRC’s main priority is finding safe spaces for our staff to operate from in Gaziantep and across northwest Syria. Many buildings have been severely damaged in the earthquake, including at least one of our field offices in northwest Syria. It is almost impossible to know the full extent of the disaster right now but everything we are hearing from our teams suggests it is truly devastating.

“Electricity across the affected area remains intermittent. In Turkey we have seen improvements since the earthquake but in northern Syria there are still so many areas off the grid. This also includes mobile and internet outages making the response and coordination even more difficult. It is not just electricity and phone lines affected. Gas supplies, for which many rely on to heat their homes, have also been severely impacted meaning that even if people are able to return to their homes they will have to endure freezing temperatures.

“With the response in its infancy the need for humanitarian aid is stark. Roads and infrastructure, like bridges, have been damaged meaning it will likely prove challenging to get supplies to those who need it most. Even before the earthquake, humanitarian access was constrained in northwest Syria, with most aid coming in via one crossing point with Turkey. In this time of increased need it is critical that the levels of aid crossing also increase at pace too.”

The IRC’s response to the earthquake will be in both Turkey and northern Syria, and will include the provision of immediate cash, basic items such as household kits, dignity kits for women and girls and hygiene supplies. Through partners, the IRC will support essential health services in earthquake-affected areas, and set up safe spaces for women and children affected by the crisis.

In light of the catastrophic humanitarian needs emerging, the IRC is calling on the international community to urgently increase critical funding to both Syria and Turkey to ensure that those affected by this emergency get the lifesaving support they need before it is too late.

[image: DENIZ TEKIN/EPA-EFE/Shutterstock]

Leave a comment , , , ,

IOM joins Making Cities Resilient 2030 as supporting entity

Agency News, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector

The International Organization for Migration’s (IOM) Regional Office for the Middle East and North Africa (MENA) has joined the MCR2030 initiative as a supporting entity. MCR2030 is UNDRR’s flagship program, building on the achievement of the Making Cities Resilient Campaign that began in 2010. It welcomes cities, local governments, and all parties who wish to support cities along the resilience roadmap.

The IOM Regional Office for the MENA region has developed the Urban Diagnostic Toolkit to map gaps in migrants’ integration in urban settings, aimed at increasing urban resilience of migrants, refugees, displaced persons, host societies and local governments by strengthening migrants’ social cohesion in the spatial, institutional, economic, climate and resilience city systems.

Increasingly, IOM and UNDRR collaborate across a range of workstreams from high level policy engagement related to the Sendai Framework for DRR’s Midterm Review process, the Global Platform for DRR and Regional DRR Platforms, and more recently on the Early Warning for All Initiative, COP27 and the Center of Excellence for Disaster and Climate Resilience, which IOM recently joined as a member of the Steering Committee. Partnership also extends to technical cooperation on the implementation of the annual workplan of the Senior Leadership Group for DRR for Resilience inclusive of work to mainstream DRR into humanitarian action. IOM is also supporting UNDRR’s leadership on the development and roll out of Risk Information Exchange and the creation of a second-generation disaster loss accounting platform to replace DesInventar. The latter was recently dialogued under the leadership of UNDRR-UNDP-WMO at the Bonn Technical Expert Forum meeting in late November.

This is the beginning of a new collaboration between the two UN agencies. UNDRR warmly welcomes the new MCR partner to work jointly on paving the road for increasing migrants’ resilience in urban contexts.

MRC2030 is a unique cross-stakeholder initiative for improving local resilience through advocacy, sharing knowledge and experiences, establishing mutually reinforcing city-to-city learning networks, injecting technical expertise, connecting multiple layers of government, and building partnerships. Through delivering a clear roadmap to urban resilience, providing tools, access to knowledge, and monitoring and reporting tools, MCR2030 will support cities on their journey to reduce risk and build resilience.

Leave a comment , ,

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Agency News, Association News, Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Space Sector, Telecomms sector, Transport sector, University/Research/Academia sector, Water sector

Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.

#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #resilience #cooperation

Leave a comment ,

CIPRNA Update Conference Agenda

Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Space Sector, Telecomms sector, Transport sector

Critical Infrastructure Protection and Resilience North America will be held in Baton Rouge on 7th-9th March 2023, supported by IACIPP and Infragard Louisiana.

A fanstastic conference agenda addressing some of the big challenges facing CI operator/owners, government, agencies and the broader CI community.

A range of Workshops and Mini-Symposiums help drill deeper into specific sector challenges.

Download the latest CIPRNA agenda at www.ciprna-expo.com/PSG.

Register online at www.ciprna-expo.com/onlinereg

#criticalinfrastructure #criticalinfrastructureprotection #emergencymanagement #cisa #fema #tsa #emergencyresponse #disasterriskreduction #transportsecurity #energysecurity #telecomssecurity #cbrne #cybersecurity #security

Leave a comment

Security by Design: Protection of public spaces from terrorist attacks

Agency News, Health & Social Care, Industry News

In a handbook from the Joint Research Centre brings together scientists, experts and academia for a book that dives deep into how open public spaces can be planned and built in a more secure way, through security by design.

“Security by Design: Protection of public spaces from terrorist attacks” introduces the concept and practical implementation of building security in the design and redesign of public spaces. It does so while providing information on terrorism risk assessment, project planning and management. It proposes innovative technical solutions for the protection of public spaces against terrorist attacks. Security by design is built upon the principles of proportionality, multi-functionality, sustainability, accessibility and aesthetics. It is the complete opposite of the creation of urban fortresses.

Public spaces are vulnerable because they are open, easily accessible and attract a great number of people. They are often referred to as « soft targets ». Their vulnerability lies in the fact that they usually lack specialised protective measures and can then be attacked using simple tactics. Such targets are often chosen by terrorists willing to maximise casualties, attain media coverage and inflict fear in the population. Independent of the rarity of such attacks, their psychological, economic and political impact on society can be disproportionally high. In recent years, public spaces such as shopping centres, markets, places of worship, public transport and entertainment venues have become the target of terrorist attacks across Europe.

The action plan to support the protection of public spaces set out a concrete list of measures to pave the way for effective EU Member State cooperation in the protection of public spaces, while the 2020 Counter-terrorism Agenda for the EU focused on the support to Member States in better anticipating, preventing, protecting and responding to the terrorist threats.

In the Counter-Terrorism Agenda, the book is mentioned as a virtual architectural book on urban design, which can assist authorities in incorporating security aspects in the design or renovation public spaces. While the handbook is not legally binding it does contains relevant information and expert advice. It aims to help address practical concerns of integrating security measures for project teams, security operators, urban planners and anyone involved in public space projects. It will help readers answer questions whether and, if yes, to what extent they may wish to implement protective solutions through design.

You can read the handbook to find out more on how to make public spaces not only safer but also multifunctional, sustainable, beautiful and accessible for all people.

Leave a comment , , ,

Forest fires: €170 million to reinforce rescEU fleet

Agency News, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector, Water sector

Following a record-breaking forest fire season in Europe, the Commission is proposing today €170 million from the EU budget to reinforce its rescEU ground and aerial assets  starting from the summer of 2023. The rescEU transitional fleet would therefore have a total of 22 planes, 4 helicopters as well as more pre-positioned ground teams. As from 2025, the fleet would be further reinforced through an accelerated procurement of airplanes and helicopters.

Commissioner for Crisis Management Janez Lenarčič said: "Due to climate change the number of regions affected by wildfires is increasing, going beyond the traditionally affected Mediterranean countries. The last summers have clearly shown that more firefighting assets are needed at EU-level. By building up our fleet of aerial means and ground forces, the EU will be able to ensure a prompt, flexible response, including in situations where fires are burning in multiple Member States at the same time.”

Commissioner for Budget and Administration, Johannes Hahn said: “While the record-breaking forest fires this summer may have been overshadowed by other crises, today's proposal to reinforce rescEU shows that the EU budget will continue to support those in need. European solidarity across EU Member States remains strong and we are ready to support this solidarity with financial means.”

Wildfires in the EU are increasing in scope, frequency, and intensity. By 1 October, the data for 2022 reveal a 30% increase in the burnt area over the previous worst year recorded (2017) and a more than 170% increase over the average burnt area since EU-level recording started in 2006.

This season, the Emergency Response Coordination Centre  received 11 requests for assistance for forest fires. 33 planes and 8 helicopters were deployed across Europe via the EU Civil Protection Mechanism, which were joined by over 350 firefighters on the ground. In addition, the EU's emergency Copernicus satellite provided damage assessment maps of the affected areas.

Leave a comment , , ,

Public Health Emergencies: Data Management Challenges Impact National Response

Agency News, Cyber Security CII sector, Health & Social Care, Industry News

Public health emergencies evolve quickly, but public health entities lack the ability to share new data and potentially life-saving information in real-time—undermining the nation's ability to respond quickly.

To address this, the federal government must overcome three major challenges—specifically, the lack of:

- Common standards for collecting data (e.g., patient characteristics)
- "Interoperability" (meaning not all data systems work together)
- Public health IT infrastructure (the hardware, software, networks, and policies that would enable the reporting and sharing of data)

This snapshot discusses our related work and recommendations.

Public health emergencies evolve quickly, but public health entities lack the ability to share new data and potentially life-saving information in near real-time. To address this, the federal government must overcome 3 major challenges in how it manages public health data. GAO has made a number of recommendations to help address these challenges. However, many of these recommendations have not been implemented.
The Big Picture

Longstanding challenges in the federal government’s management of public health data undermine the nation’s ability to quickly respond to public health emergencies like COVID-19 and monkeypox. These challenges include the lack of:

- common data standards—requirements for public health entitles to collect certain data elements, such as patient characteristics (e.g., name, sex, and race) and clinical information (e.g., diagnosis and test results) in a specific way;
- interoperability—the ability of data collection systems to exchange information with and process information from other systems; and
- public health IT infrastructure—the computer software, hardware, networks, and policies that enable public health entities to report and retrieve data and information.

Over 15 years ago, federal law mandated that the Department of Health and Human Services (HHS) establish a national public health situational awareness network with a standardized data format. This network was intended to provide secure, near real-time information to facilitate early detection of and rapid response to infectious diseases.

However, the federal government still lacks this needed network and has not yet overcome the challenges identified in previous GAO reviews. Having near real-time access to these data could significantly improve our nation’s preparedness for public health emergencies and potentially save lives.

Without the network, federal, state, and local health departments, hospitals, and laboratories are left without the ability to easily share health information in real-time to respond effectively to diseases.

GAO’s prior work identified three broad challenges to public health data management and recommended actions for improvement.

1. Common Data Standards

To ensure that information can be consistently reported, compared, and analyzed across jurisdictions, public health entities need a standardized data format. Due to the lack of common data standards, information reported by states about COVID-19 case counts was inconsistent. This in turn complicated the ability of the Centers for Disease Control and Prevention (CDC) to make comparisons. Public health representatives also noted challenges in collecting complete demographic data. This made it difficult to identify trends in COVID-19 vaccinations and the number of doses administered. Although CDC had intended to implement data standards, its strategic plan did not articulate specific actions, roles, responsibilities, and time frames for doing so.

- Re recommended that HHS establish an expert committee for data collection and reporting standards by engaging with stakeholders (e.g., health care professionals from public and private sectors). This committee should review and inform the alignment of ongoing data collection and reporting standards related to key health indicators.
- Recommended that CDC define specific action steps and time frames for its data modernization efforts.

2. Interoperability among Public Health IT Systems

The inability to easily exchange information across data collection and other data systems creates barriers to data sharing and additional burdens on entities that collect and transmit data. During the early stages of COVID-19, the lack of IT system interoperability caused health officials and their key stakeholders (e.g., hospitals) to manually input data into multiple systems. In addition, some state health departments could not directly exchange information with CDC via an IT system. This led to longer time frames for CDC to receive the data they needed to make decisions on the COVID-19 response.

- Recommended that, as part of planning for the public health situational awareness network, HHS should ensure the plan includes how standards for interoperability will be used.

3. Lack of a Public Health IT Infrastructure

The timeliness and completeness of information that is shared during public health emergencies can be impeded by the absence of a public health IT infrastructure. During the early stages of COVID-19, some states had to manually collect, process, and transfer data from one place to another. For example, a state official described having to fax documents, make copies, and physically transport relevant documents. The official noted by establishing a public health IT infrastructure, such as the network HHS was mandated to create, errors would be reduced. To help mitigate challenges in data management for COVID-19, HHS launched the HHS Protect platform in April 2020. However, we reported that public health and state organizations raised questions about the completeness and accuracy of some of the data.

- Recommended that HHS prioritize the development of the network by, in part, establishing specific near-term and long-term actions that can be completed to show progress.
- Recommended that HHS identify an office to oversee the development of the network.
- Recommended that HHS identify and document information-sharing challenges and lessons learned from the COVID-19 pandemic.

Leave a comment , , ,
1 2 3 4