Oct 06 2020

Q&A: Bryan Ware on Healthcare’s Changing Threat Landscape

New federal efforts are boosting protection for organizations increasingly at risk, a Department of Homeland Security official explains.

Editor’s note: Bryan Ware left his job at CISA on Nov. 13. This interview was conducted while he was still with the agency.

The race to provide care for COVID-19 patients — and to make progress toward an effective vaccine — puts the medical industry front and center for cybercriminals seeking to disrupt operations and hold critical data hostage.

Those concerns have greatly elevated federal protective efforts, says Bryan Ware, who in January was named assistant director for cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

“Traditionally, the healthcare and pharma sectors haven’t been at the top of our list of critical infrastructures,” Ware told HealthTech. “Not that we’ve ignored it, but we’ve been very focused on pipelines and the energy sector, the financial sector and so forth.

“Well, this year, right there with elections infrastructure, healthcare infrastructure is a major priority and a really new priority for us.”

Ware spoke about the changing threat landscape and a new federal initiative designed to target and close vulnerabilities for organizations at risk:

HEALTHTECH: How has the pandemic put more focus on healthcare security?

WARE: One of the things about CISA that’s unique is that we are designed to protect critical infrastructure broadly. It’s in our DNA to think about what kinds of critical infrastructure would be affected if there were, say, a big earthquake and then deliver services to that region.

In the same way, very early on in the February time frame as we were watching the pandemic, which was largely overseas at that time, we started to ask ourselves, “Well, what’s going to be impacted in the United States as this pandemic emerges?”

So, we started a program called Project Taken in March to address the risks of any kind of disruption of the COVID response. Not just for healthcare, but also for certain parts of the supply chain, such as PPE, medical devices and lab companies that do testing.

And then, as we went into May and June, that focus also included — and is now our primary focus — the vaccine manufacturers, the anti-viral manufacturers, those that are going to be responsible for getting us a vaccine for COVID.

HEALTHTECH: Where do the biggest risks come from in healthcare?

WARE: The healthcare sector has the same risks as every other sector. All of a sudden, we’re doing so many more things online, remotely and via telework. All of those teleworking vulnerabilities apply to them just like they do to us, and maybe more so in the sense of telemedicine.

Second, ransomware could impact critical health and hospital care. From 2017 to 2019, half of all ransomware attacks were in the healthcare sector. When lives are on the line and timing is critical, from the perspective of a malicious criminal actor, that’s someone who’s more likely to pay the ransom.

But the newer issue — and by newer, I mean just in the past three months or so — is that the foreign intelligence services, the nation-state adversaries, have been targeting medical research and the pharmaceutical research to understand how we are approaching a vaccine, how we are approaching treatment, and that is an espionage threat.

We’ll see a continuous evolution, potentially, of those threats and risks as we go from early research and development through testing, and then as we head into manufacturing of the vaccine and distribution. We will be concerned about different kinds of supply chain risks, and ransomware always rears its head with the potential to impact or disrupt the manufacturing process.

HEALTHTECH: What is motivating these ransomware threat actors?

WARE: There are a number of nation-states, as well as criminal actors, that are just trying to find ways to pay the bills. This is what they do for a living, so to speak.

So, if you can ransom something that’s important — no matter whether it causes loss of life or huge global setbacks — it doesn’t matter, as long as they pay their bills.

It’s also industrial espionage, the transfer of technology that’s developed in the U.S. to manufacturers and labs in other countries. That is a concern, but maybe not the greatest concern; the greater concern is that in some way, either through their espionage activities or through other ways, they’re trying to exert enough power that they interfere with, delay, corrupt or disrupt our ability to get a vaccine to a global production scale.

HEALTHTECH: Could you explain how Project Taken works?

WARE: Yeah, the original idea came from the line in the movie Taken, with Liam Neeson, where he says that he has a “particular set of skills.”

So, the idea was that CISA would try to develop a broad understanding of the various kinds of threats and risks faced by all the stakeholders, and CISA would lead the charge of providing enhanced cybersecurity services — security offerings to pharmaceutical companies and hospitals and so forth.

But we would also coordinate with our defense and law enforcement colleagues, so that when we saw malicious activities, we enabled them to exact consequences, to deter an adversary or to go after an adversary that was interfering with our COVID response.

Most of our effort has been focused on identifying the most critical companies and working with them to scan their internet-connected presence to identify potential vulnerabilities. Then we work with them to close and prioritize those vulnerabilities and make sure that we know where those companies live on the internet so that we can provide that information to our colleagues in law enforcement and intelligence.

Many of these companies are very, very sophisticated from a cybersecurity perspective, but companies versus nation-states is not a fair fight, right? As the U.S. government, we can come in and provide them with additional protections and additional assistance.
