Medical Computer Emergency Response Teams (MedCERT) and Risks to Networked Medical Devices and Connected IT Networks

June 2017

Co-authors:
Kristina Freas, M.Sci., RN, EMT-P, CEM
and
Dave Sweigert, M.Sci., CEH, CISA, CISSP, EMT-B, HCISPP, PCIP, PMP, SEC+

ABSTRACT

The concept of a Medical Computer Emergency Response Team has been proposed by the Health Care Industry Cybersecurity Task Force. This research paper provides a contextual backdrop to reduce the delay in implementing such teams. Note: this document is considered scholarly research and is distributed for discussion purposes only.
Hospital emergency operations

Many hospital Emergency Managers will appreciate this observation: ironically, the volunteer amateur radio operators that support the auxiliary communications component of a hospital's Emergency Operations Plan (EOP) have more training in Emergency Management than an entire hospital cyber security department. Translation: radio operators have received the appropriate standardized training, as required for various levels of first responders. Result: healthcare sector cybersecurity may be unprepared to interface with Emergency Management (E/M) during a sector-wide cyber-attack.

Such potentially catastrophic attacks are no longer a presumed low probability. Moderate probability may be more accurate. Healthcare cybersecurity incident response, within the E/M context, may be disjointed from the overall response and needs improvement.
Cyber Task Force calls for MedCERT

The Health Care Industry Cybersecurity Task Force, commissioned by the federal Computer Information Sharing Act (CISA), released a recommendation report (6/2/17) with a special section devoted to "Risks to Networked Medical Devices and Connected IT Networks". Imperative recommendations included:

• Establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures (2.6).
• Broaden the scope and depth of information sharing across the health care industry and create more effective mechanisms for disseminating and utilizing data (6.2).
• Encourage annual readiness exercises by the health care industry (6.3).

See: Report on Improving Cybersecurity in the Health Care Industry, 6/2/17, U.S. Department of Health and Human Services [DHHS].
These findings indicate that new awareness is needed to expand a semi-monolithic "protect and prevent (P&P)" cybersecurity paradigm to a "respond and recover (R&R)" paradigm.

DHS modernizes approach

The U.S. Department of Homeland Security (DHS) added cybersecurity to a foundational document that addresses the incident life cycle. In October 2015 the DHS modified their National Preparedness Goal (NPG) to provide greater visibility to cybersecurity. Originally released in 2011, the NPG did not address cybersecurity.

The NPG promotes five core Homeland Security mission areas. These mission areas are:

• Prevention
• Protection
• Mitigation
• Response
• Recovery

Each mission area contains at least seven core capabilities that function as critical markers of success in that area. Cybersecurity is only addressed within the PROTECT NPG mission area.

"The second edition of the National Preparedness Goal incorporates critical edits identified through real world events, lessons learned and implementation of the National Preparedness System." - National Preparedness Goal, Second Edition, 2015

Cybersecurity does not appear in the RESPONSE and RECOVERY mission areas of the 2015 NPG. It should.
Risks to Networked Medical Devices and Connected IT Networks

The thorny issue of nearly unpatchable medical devices has created challenges for a successful P&P strategy. The P&P approach should be augmented by developing mature R&R strategies for cybersecurity within the E/M framework. R&R strategies are manifested in EOPs, training sessions, table-top exercises (TTX), disaster workshops, etc. Presently, many of these tools do not even mention cybersecurity issues. As noted by the Task Force, there is an urgent need for refinement and modernization of these tools to include cybersecurity, as this is a patient safety issue.

As explained in previous papers by the co-authors, E/M practitioners in the healthcare sector should continue to operationalize the use of cybersecurity R&R under the aegis of the National Incident Management System and the Incident Command System (NIMS/ICS). This prevents disjointed alignment amongst the multiple responders involved in an incident response.
MedCERT

Classified as Response Personnel (Cyber), the MedCERT unit would serve as an R&R "go team" to respond to cyber-attacks. Such "go teams" require training in NIMS/ICS to become more effective in the R&R paradigm. The point of NIMS/ICS is to help operationalized teams, like MedCERT, adjust quickly to the incident management structure in hectic emergency environments. The MedCERT team, it is believed, will have more opportunities for positive outcomes when operating within the E/M NIMS/ICS environment.

Healthcare institutions would be wise to begin the "mobilization" of MedCERT teams. It is highly recommended that such teams receive the basic NIMS/ICS training shown below.

• IS-100.b Introduction to Incident Command System, I-100
• IS-200.b ICS for Single Resources and Initial Action Incidents
• IS-700.a National Incident Management System (NIMS), An Introduction
• IS-800.b National Response Framework, An Introduction
Information Sharing

E/M practitioners in the healthcare sector should also consider operationalizing cyber threat intelligence collection within a NIMS/ICS framework to prevent disjointed alignment amongst the multiple responders involved in an incident.

In the P&P space, automated bidirectional and/or unidirectional feeds of cyber threat intelligence provide network appliances with malware signatures of new threats. This threat information is distributed electronically by vendors, threat sharing consortiums and government intelligence centers.

Sharing agreements, in many cases, are reviewed by a Chief Counsel and/or legal officer prior to the event (P&P). It may be necessary for institutions to work out justification statements that can be provided to the legal staff to address questions about liability (see the 2015 federal CISA law).
Readiness exercises

Attention should be given to pre-incident planning. Untested incident response plans should be tested with walk-throughs, dry-runs, testing, etc. The end-game is to identify what types of information are needed by the various decision makers to form an accurate common operating picture, sometimes called situational awareness.

Situational awareness is dependent on appropriate communications pathways. These critical communication pathways and protocols need to be established and tested prior to an incident, providing a coordinated and streamlined approach to gathering information. These pathways are typically identified in workshops, trainings and table-top exercises (TTX) that develop and test incident response plans.

Emergency Managers should invite counterparts in cybersecurity to attend such events. Understanding what types of information each party needs to help the decision-making process is the goal of these activities. These activities also help the healthcare organization meet its obligations under various compliance frameworks (The Joint Commission [TJC] and Centers for Medicare and Medicaid Services [CMS]).

There are many opportunities for healthcare organizations to participate in Cyber TTX events sponsored by DHS. These TTX events are conducted nationwide 2-3 times a year.
Summary

Healthcare organizations that aspire to implement some of the Task Force recommendations should begin by ensuring a common baseline of knowledge and understanding of the NIMS/ICS framework. This should be a requirement articulated in the EOP.

The entire healthcare sector should adopt a forward-leaning position and expect a sector-wide cyber-attack, with a moderate probability that it may be directed at the most vulnerable medical devices that offer the cyber adversary an opportunity to pivot deeper into the connected network.

The sector should broaden the scope and depth of information sharing across the health care industry and create more effective mechanisms for disseminating and utilizing data. Formalizing information gathering and sharing is a planning consideration which should not be overlooked.
About the co-authors:

Kristina Freas, M.Sci., RN, EMT-P, CEM, is an experienced emergency management professional and Certified Emergency Manager (CEM) specializing in the public health and healthcare critical infrastructure sector.

Dave Sweigert, M.Sci., EMT-B, is a Certified Ethical Hacker and holds advanced emergency management practitioner status conferred by FEMA and CalOES. His passion is to enable cybersecurity practitioners. He is the author of Field Operations Guide to Ethical Hacking.